Credit Edge

The Problems with Ritualistic Risk Management

Despite all the progress that banks have made in identifying, assessing and mitigating risks over the past 20 years, the shift away from the risk management status quo remains a work in progress.

Friday, July 8, 2022

By Marco Folpmers


Financial institutions and regulators have demonstrated their adaptability amid the volatile market conditions sparked by the pandemic, but COVID-19 also reminded us that there is still more work to be done with respect to moving away from traditional, outdated risk management practices.

In the minds of many, modern financial risk management was established 18 years ago, with the introduction of Basel II and its risk-sensitive parameters. Since that time, the quality of risk measurement, management and reporting has greatly improved.

It therefore comes as a surprise that some risk management activities remain “ritualistic” and do not seem to add any value to banks. These practices include, for example, narrowly-focused risk monitoring reports, the employment of minimal risk drivers to update risk models, and, most recently, the use of discounting curves that fail to take proper account of inflation risk.

marco_folpmers_square-Oct-28-2021-08-02-19-71-PMMarco Folpmers

Before we delve further into all the current practices that can be considered outdated and impractical – and provide advice on how those issues can be addressed – let’s first take a brief look at how we arrived at this stage.

Status Quo Risk Management vs. the Scientific Method

Rituals, of course, are nothing new. Indeed, they have been with us since the exceedingly early days of human civilization. In Greek and Roman antiquity, rituals were conducted for multiple reasons, but one of the most important ones was to appease the gods before an upcoming battle.

Cattle, for example, were ritualistically slaughtered; the thought was that if a life was sacrificed to the gods, they would return the favor by influencing a battle in a favorable way. The principle was “do ut des” – Latin for, essentially, “I give, so you give (back).”

But even in antiquity, the need to appease the gods was challenged by enlightened thinkers . For example, the philosopher Epicurus opined that if the gods existed, they wouldn’t need our offerings, because they already lived such a blessed existence.

In modern times, risk managers across industries have adopted the scientific method, which calls for causal relationships to be investigated and explained, rather than left to mysterious forces. Risks are carefully managed rather than superstitiously averted – regardless of whether they’re taken, say, in the name of battle or for a profit.

The financial risk management profession has evolved into a well-respected discipline that combines the best of qualitative and quantitative practices; credit risks, for example, are identified, statistically modeled and assessed to determine how much capital needs be set aside to cover residual risk.

That’s why it is very strange that there still seems to be an abundance of status quo risk management practices that to do not offer much value. Indeed, if you know where to look, they are not hard to find.

Strange But True: Outdated Practices

Of course, when I cite “ritualistic risk management,” I am not referring literally to the offering of cattle, but rather to the precise adherence to risk practices and traditions that actually do not help to effectively manage and reduce risk.

Examples of outdated risk management practices include the following:

  • Stubborn adherence to a limited set of risk drivers when updating models. While the world is changing rapidly and new risks materialize (e.g., geopolitical risks and disruption of supply chains), models are recalibrated or redeveloped without first looking at the possible need for a proper redesign.
  • Overreliance on discounting curves that neglect the new inflation regime. While inflation has soared recently and interest rates have increased, firms that use discounting practices do not take into account the new reality. In these instances, IFRS 9 expected credit losses are calculated based on obsolete curves.
  • Risk monitoring reports focused on minute parts of the portfolio. In practice, today, we often see risk reports where specific details are provided about small parts of a portfolio. Senior management, however, would be better served taking a comprehensive helicopter view about its pockets of material risks.
  • Neglectful concentration reports. This refers to financial institutions that focus on industry concentration while neglecting, say, concentration within the supply chain. Exposures to climate risk factors offer a further layer of concentrations that must be reported.
  • An inability, or unwillingness, to make proper adjustments to key risk factors as the market evolves. One example is when a through-the-cycle probability of default (PD) vector with six digits of precision is converted to point-in-time PD vector, with the help of a rough cycle factor (single digit) within IFRS 9 models. Sometimes, this happens even within an internal-ratings-based approach to modeling: e.g., extremely precise PDs are multiplied with an LGD that only contains stepwise increases of 10%.

There is reason to suspect that your firm relies too heavily on ritualistic risk management if two or more of the above examples sound familiar. You know you have problems when you ask, “why are we doing this,” and your risk management staff responds, “because this is how we have done it before.” Effective risk management should certainly take precedent over rituals.

Weeding Out Impractical, Ineffective Traditions

So, how should the risk manager respond after “status quo” risk management activities have been detected? There are basically two approaches: the diacritical method and direct intervention.

The former is the more subtle measure. The risk manager invites discussion, challenges to the status quo and demands more critical thinking. One can trigger the discussion by asking, “Given the current context of the portfolio, is this still the right way to model it, especially given that a model is an abstraction of reality?” Questions like this can trigger out-of-the-box thinking about the need to update the model design, instead of just recalibrating it.

In contrast, under the latter ("direct intervention") approach, the risk manager (particularly, e.g., the head of a risk department) passes immediate judgement on the relevance – or lack thereof – of a given risk report or model. In clear-cut cases, this may be the more appropriate approach – but it’s also, of course, a more intrusive style of management.

Parting Thoughts

Rituals are not useless. They can be a strong binding force in society (e.g., patriotism) or can help persons and institutions to cope with uncertainty and pain. Financial risk management, however, should be evidence-based and grounded in scientific methods. Moreover, it should be furthered by formal risk education, in which organizations like GARP play a key role.

Scientific methods are often developed in academia and applied in practice through risk management policies and standards. Supervisors expect banks to adhere to these standards, rather than, say, “offering cattle” to divert defaults.

The upcoming summer break should provide an ideal time to consider replacing impractical status quo practices with more effective risk management strategies. Risk managers should be mentally best prepared to think out-of-the-box after returning from their holidays.

My recommendation is to look at your employer’s risk management toolbox and ask yourself, how much of our approach calls for “sacrificing to the gods” and hoping for the best? If the answer clearly reveals an overreliance on outdated, ritualistic risk management, then consider whether problems could be resolved using either diacritical or direct intervention methods.


Dr. Marco Folpmers (FRM) is a partner for Financial Risk Management at Deloitte Netherlands.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2023 Global Association of Risk Professionals