Thanks to regulations, financial institutions are now better off than prior to the financial crisis. But there are still areas that risk management practice needs to improve on, according to Independent Risk, Wealth and Asset Management Consultant and former CRO Philip Best.
Ten years after the financial crisis banks and financial institutions are much safer than they were: capital ratios have increased dramatically and liquidity management are much stronger than before the crisis. Another continuing trend is away from statistical models towards a more direct approach of assessing risk, based on scenario, or stress testing. In addition to these advances, there is now far more rigour across the industry in terms of being able to process evidence and making decisions. No longer should a bank make critical risk decisions based on a spreadsheet analysis produced by a bright risk analyst working alone. This has pros and cons but that is another discussion.
Regulation has made the financial service industry safer than it was pre-crisis
It is notable that the advances outlined above have been driven by regulation. Risk management functions have undoubtedly been focused on addressing the regulatory agenda and this has yielded a safer industry. The processes for managing market and credit risk are essentially the same as they ever were, except that measurement techniques have been updated to satisfy new regulatory standards. This makes sense as market and credit risks are the easiest of the risks to control. Regulation has appropriately shone a spotlight on liquidity risk management, making it a key pillar of the risk management framework.
Market, credit and liquidity risk management process followed regulation but are otherwise largely unchanged – with the exception of a welcome increase in the use of stress testing.
If we now turn our attention to operational and conduct risk management and ask ourselves how robust they are, the answer is less compelling. It is undeniable that the biggest losses experienced by financial institutions have been conduct related, the second largest, typically fraud or rogue trading, have been operational in nature. Conduct risk is firstly a cultural issue but is dependent on robust underlying process and controls, including operational risk management.
The most common regulatory concerns are around operational risk and culture. But a straw poll of CRO’s regularly yields the result that operational risk is their weakest suit. Why is this case? Perhaps because it’s difficult. Unlike market and credit risk it cannot be neatly tied down with a set of limits and supporting systems. Operational risk has to be embedded across the whole of the business and to be effective must become a key management tool for managing the business.
Conduct risk is weak and operational risk management practice has stagnated since the crisis and remain the poor cousin in most organisation’s minds to the more easily managed and “sexier” market and credit risks.
It is not only, however, because it is difficult. As an industry we need to recognise that it is often the poor relation of the sexier financial risks in terms of resources and infrastructure. As an industry we continue to under-invest in operational risk. This may well be self reinforcing as operational risk is often not embraced by the business as a whole and is not seen to add value. This naturally results in under-investment, which in-turn has resulted in under-developed operational risk management practice.
Culture is the single most important risk mitigant an organisation has. Risk culture is often conflated with conduct risk management for good reason; as good conduct naturally stems from a strong risk and customer focused culture. However, some CRO’s are reluctant to take on the business leadership role of establishing and maintaining a strong risk management culture.
Organisations struggle to make operational risk relevant and to add value.
In truth, since the crisis, the CRO agenda has been largely (and appropriately) dictated by regulation. Perhaps, as we look forward to the next 10 years, and the tsunami or regulation subsides, the CRO focus will turn to the challenge of delivering operational risk management that adds value and on the drive to strengthen and reinforce risk culture.
Philip has worked in the financial markets since 1985 and has held a number of senior positions in risk management, including Global CRO Barclays Wealth, CRO for Columbia Threadneedle and prior to which he was Head of Risk at UFJI London. Philip published one of the first books on VAR: Implementing Value at Risk, Wiley, 1998.