As the financial crisis unfolded over the past two years, the role of risk management in banks made an attractive target. Do risk managers know what they're doing? How could they have been so blind (or incompetent!) to let the disaster happen? What sort of standards is the industry following and how could they have been so wrong?
Let me address the third question first. There is no common set of standards, whether government or industry. And maybe it's time that reality changes.
It is true that risk management in banking has come a long way over the past decade. The gray-haired banker who was put out to pasture in "risk management land" during the twilight of his career has been brought in to the middle office of most banks to play a junior partnership role with his front-office colleagues in the marketing function.
Market risk managers have been forced to look over their quant screens at the context in which their systems provide information.
As a function, however, risk management was neither an equal partner to the businesses they supported nor truly independent from the businesses on whose decisions they were meant to be objectively opining in order to protect the bank, its customers and shareholders.
As a result … well, we all know what happened. Risk managers took a lot of the rap for the current state of affairs, but they were put in a position that made it difficult to achieve any other outcome. Here's why:
- Lack of independence in final decision-making, as they were beholden to the CEO.
- Overreliance on the information provided by the risk systems because of lack of experience.
- Lack of a recognized industry qualification to demonstrate competence.
Let's focus on the last issue. How does anyone determine whether a risk manager in a bank is qualified or competent?
What benchmarks can we use to give us comfort that we are safe in his/her hands? What relevant experience can we look for in order to acknowledge his/her skills and judgment?
The answers to these questions would currently be highly subjective. The reason, in part, is the lack of an industrywide qualification that is globally recognized as a benchmark for risk management ability.
As a result, there is no minimum standard that we can look to in risk management circles that would give us comfort over a person's competency or skill.
Sure, we have a number of nonprofit organizations that are trying to fill this void — GARP, PRMIA and RMA, to name the most prolific right now — but no singular, respected body that can deliver an acceptable qualification.
And, quite frankly, until there is such a recognized global certification for risk managers, this function will not gain the respect it most certainly deserves.
How can we achieve this? The obvious way would be to get the interested parties together and agree on a single standard/qualification that each would both recognize and administer. This would need a handful of folks with a vision to do the right thing, and mean a few bruised egos on the way.
However, until this happens, and the impasse is overcome, "the certified risk manager" will be an unattainable standard.
