Lawyers Pass the Bar. Why Don't We Test Risk Managers?

Before my current role, I served in senior risk management functions at some of the largest banks in the world, including as the chief risk officer at the fifth largest bank in Canada. Yet what was my credential to serve in those capacities?

I had proven experience in risk management elsewhere in the industry and a doctorate in applied math. But there was no exam I had to take, no related suffix after my name, no certification I needed to oversee extensive risk management programs at large financial institutions. If I had been a lawyer, I would have needed to pass the bar. No bank would have let me do their accounting if I weren’t a CPA. Doctors are thoroughly vetted. But the truth is risk managers — a crucial function inside banks and at other companies — have no professional standards of practice to validate their qualification.

And yet, such standards in the field of risk management would be tremendously valuable. Sophisticated financial engineering and best practice risk management have added significant value over the past 20 years, but financial engineering and the failure to make risk transparent in too many cases played a significant role in obscuring the true economic condition and risk-taking of financial companies in the run-up to the 2007-2009 crises.

In other industries, such professional standards are explicit, defining objectives professionals must meet to qualify for and maintain a credential. Those who must adhere to standards of practice — or SoP — often must pass a standard exam and have a prescribed period of training.

In risk management, there are certifications for professionals to seek. Among the organizations offering such programs are the Enterprise Risk Management Academy, the Professional Risk Managers' International Association and the Global Association of Risk Professionals. But none of these are viewed as standard. More importantly, none of these groups’ certifications are required for CROs managing large risk programs.

The 2007-2009 financial crises uncovered major fault lines in risk practices and the need to establish professional risk management SoP. There are many cases where potential returns were not properly adjusted for risk. For example, the failure to accurately measure the potential for unexpected losses arising from a spike in risk factors and an increase in correlations between risk factors in stress markets led many to underestimate the risk.

If the banking industry — or any other sector — had a standard risk management certification, its criteria could be used as a guide for practitioners, rating agencies and regulators to assess and benchmark the quality of risk management in the policy, methodology and infrastructure dimensions.

We can benchmark the quality of risk management — and the qualifications of risk managers — by evaluating the answers to a series of targeted questions. These may include: 1) Is the tolerance for risk consistent with the business strategy and is the amount of risk made transparent both internally and externally? 2) Are the risk methodologies based on a standardized representation of cash flow obligations and are the risk models properly vetted? and 3) Are the appropriate people and operational processes (such as data, software, systems, and quality of personnel) in place to control and report on risk?

If similar risk management SoP were adopted across professions and industries, then risk management practitioners in one industry could more easily learn from practices in another industry. For example, the basic building blocks of finance in general and risk management in particular are individual financial contracts and their expected cash flows. If we closely examine the pattern of expected cash flows that are generated from a financial contract, then we would find that bankers implicitly follow standard algorithms when exchanging cash flows. 

These implicit standard algorithms need to be made explicit and translated into a risk management standard. We can capitalize on modern infrastructural approaches to generate cash flows from contracts in an efficient and transparent manner. Creating a risk management standard for determining expected cash flows enhances an organization’s ability to measure its specific and systematic risk in both normal markets and stress markets. A risk management standard also enhances a regulator’s ability to measure systemic risk. 

A standard can be constructed to represent almost all financial obligations at a high level of precision. The careful representation of cash flow obligations means that the most critical input to risk measurement can be performed with a high degree of confidence in the results. With such an approach, variations in risk measurement results will be based on practitioners making different assumptions about the risk factors (e.g. interest rates, default rates, etc.), not the contract data that goes into the models. 

In summary, regulators and risk management practitioners need a more standardized set of risk management best practices, and a way to certify that a professional meets the qualification. A starting point is to construct a data and algorithmic standard for generating cash flow obligations capable of representing virtually all financial obligations with a high level of precision. This approach would improve transparency in financial markets, reduce complexity and model risk, and improve the operational efficiency of financial institutions.

Bob Mark is a managing partner at Black Diamond Risk Enterprises. He formerly held senior trading and risk management positions at numerous large banks, and was the founding executive director of the master of financial engineering program at UCLA.
