Banks Can No Longer Leave Policy Risks to Chance

Bank holding companies over $50 billion were already staggering under the weight of the Federal Reserve Board's tough stress tests, but the load just got heavier.

In its August statement of "supervisory expectations," the Fed demands that big BHCs not only show how they will handle credit risk over the next nine quarters, but now also how they will handle reputational, strategic, and compliance risk and how they account for it in their capital equation. This is good news from a policy perspective: the stress tests since 2009 have been dangerously blind to risks other than credit risk. However, most BHCs have viewed reputational, strategic and compliance risks as acts of God, suffering them instead of managing them proactively like all the other risks to which banks are heir. That's no longer good enough, at least not if you want to pay dividends in 2014.

Despite the challenges of measuring these new risks, the Fed's edict is useful not only because it expands the supervisory risk horizon. It's also valuable because it forces bank boards and senior management to recognize the real value-add that comes with effective legal, policy and compliance risk management.

In virtually every large BHC, these divisions are viewed as necessary evils – cost centers that keep tort lawyers, Congress and other wolves at bay. For the industry as a whole, policy risk – the sum total of reputational, strategic, and compliance risk – is a critical strategic variable, and one that shouldn't be left to chance or delegated to staff without decision-making power or access to the board.

Astute risk management in each of these areas reduces real risk – think how much better mortgage finance today would look if banks had spotted reputational, strategic, and compliance risk before it flattened them. Effective risk management here also identifies opportunities – for example, forecasting regulatory outcomes in advance so the BHC wins first-mover advantage. In short, it's critical and the Fed is right to force BHCs to ramp up.

Even if your firm isn't subject now to the Fed's new stress-test standards, its requirements are a guide for any financial services firm that wants to epitomize best practices. Big BHCs may be the most regulated firms in this landscape, but every other financial institution is at just as much franchise risk. Astute risk management will tell nonbanks not only when their own regulators will come calling, but also which market opportunities are at hand due to all the rules piling up on the biggest BHCs.

The Fed rightly characterizes policy risk as a qualitative one, exempting it from the specific models, benchmarks and other protocols that otherwise drive the capital-planning process. But, just because these risks can't easily be quantified doesn't mean the BHC can take jump shots. The Fed demands a disciplined, documented risk-analytic process that comes up with measurable capital, revenue, and other bottom-line hits. Mitigation can't then be actions the bank will take "if needed" – i.e., if sued, we shall settle. Rather, the BHC must identify costs up front, take them into account in calculating dividends, or demonstrate meaningfully how these risks will be made to disappear or – more likely – diminish.

One more thing the Fed's done right: this analytical review of qualitative policy risk measurement and mitigation must be approved by senior management and, then, the board. This is right on two counts. First, it assures that these risks are taken seriously and gives legal, government relations and compliance staff the official credit they well deserve. Secondly, top-down scrutiny means bottom-up accountability, or it should at any firm operating according to best practice. As evident throughout the crisis, policy risk packs a formidable punch – the $100 billion or so in legal expenses to date Bloombergrecently estimated has been paid by the biggest banks makes this painfully clear.

To restore credibility and ensure capital adequacy, banks of all sizes need to do a better job anticipating, measuring and mitigating policy risk. This can be done without the rocket science trappings attendant to other risk management tasks. These risks can be better managed than others because success or failure can be better judged by the board and senior management when not obscured in fancy formulas and complex what-ifs. The Fed now tells senior management and the board to judge capital plans on their own and to come up with "economically intuitive" conclusions, not just to bless the quants. To know where your legal, reputational, strategic, and compliance risks lie, first do a timely, objective landscape based on your forecasts and, where possible, the outside expert judgment the Fed stipulates be consulted for key considerations. This landscape should define key risk factors and their likely impact in baseline, adverse and seriously adverse scenarios. From this disciplined review, the board can allocate resources, senior management will make the decision to act, and risk mitigation will begin with a far better focus far more quickly.

If it doesn't, prepare for bad news when the Federal Reserve reads the capital plan next January.

Karen Shaw Petrou is a managing partner at Federal Financial Analytics Inc.