Risk Management Reflections and Lessons for the Future
Post-crisis progress has clearly been made, but there is still much work to be done to steer clear of subsequent financial disasters. What steps can financial institutions take to enhance risk culture and governance and to build better risk processes, analytics and expertise?
Friday, September 27, 2019
By Clifford Rossi
Having had a front-row seat to the excesses of the boom that fueled the financial crisis of 2008-2009, I've been asked over the years what suggestions I have for current and future risk managers in our industry. Though our sensitivity to the circumstances at the heart of excessive risk-taking in the years leading up to the crisis has diminished with the passage of time, we can still learn from past mistakes, particularly if we apply the right practices.
The industry's newfound focus on risk management, beginning in 2008, was driven largely by a survival mentality and regulatory requirements. While that brought much-needed attention and resources to the profession, it is not a foundation for effective risk management over the long run.
Risk governance, process, analytics and expertise are the keys to ensuring risk management becomes an essential part of a company's DNA, rather than merely a necessity-driven activity. In my final CRO Outlook column, I'd like to offer some observations and reflections on these four essential ingredients of risk management.
As Wells Fargo can attest, the three lines of defense model will not by itself save firms from excessive risk-taking. Strong culture and risk governance are prerequisites for effective risk management; all else is secondary. Indeed, without a culture that embraces risk management as an equal partner to the business, regulatory-imposed risk management structures will not hold up.
Speaking of supervisors, respectful and transparent relationships with regulators must be maintained. When troubles arise, these relationships will have long-term payoffs.
To match the increasing complexity of the industry and its ever-evolving risks, boards need to add members with direct industry risk management experience. Moreover, to resolve long-standing tensions between business, risk and audit professionals (which still lurk about in some corners of the industry), trusted relationships must be carefully crafted.
Behavioral issues must also be properly managed. Specifically, keep an eye out for senior management cognitive bias, as this can quickly steer a firm toward a path of risky decisions.
Avoid building silos in your risk processes. Risks are integrated, and the sooner this is recognized, the better the outcomes for your firm.
Risk management is situational and dynamic. This means you must carefully monitor small but important market and behavioral shifts, and build processes to capture these dynamics.
While firms must be aware of these shifts, they also need to beware of product morphing - i.e., unintended changes to product terms over time that fundamentally change both the borrower and the risk profile. (Think about the rise of option ARM products during the mortgage boom.)
Tracking risk is another critical process. Good, consistent risk reporting is, in fact, the risk manager's best friend, but doing it well isn't as easy as it appears.
Risk Analytics and Expertise
Keep in mind that all models are inherently wrong, partly because historical data rarely incorporates all possible scenarios. The best models are those that combine solid quantitative analytics with experience-based overlays.
Models, of course, must account for tail risks, which are notoriously unstable and are best measured by scenarios or simulations. Though machine learning holds much promise for risk management, firms must be wary of management-induced “shiny-object bias” that comes with complex models.
Risk professionals need to use disruptive technologies and perhaps find other tools to more effectively assess non-financial risks (e.g., cyber and operational), which have grown substantially over the past five years.
For both financial and non-financial risks, the continued development of risk expertise is vital. A great risk professional possesses the following qualities: (1) a balanced and logical temperament; (2) experience, over-the-cycle; (3) critical thinking; (4) analytical leanings; and (5) an action-driven mindset. What's more, on-the-job training is essential, because we are all at least accidental risk managers
The crisis taught me that once-great firms can lose their way quickly by casting aside their risk management capabilities as business conditions fluctuate. At some point in the future, there is a better than even chance that lapses in risk management will happen again, as economic and regulatory conditions change and as our memories fade from the last crisis.
Taking stock of the culture and governance in your firm - and building the type of processes, analytics and expertise that elevates the value of risk management - will go a long way to avoiding risk management blind spots that could put your firm in harm's way.
Clifford Rossi (PhD) is Professor?of?the?Practice and Executive?in?Residence at the Robert H. Smith School of Business, University of Maryland, and a Principal of Chesapeake Risk Advisors, LLC. He has nearly 25 years of experience in financial risk management, having held a number of C?level positions at major banking institutions. Prior to his current posts, he was the chief risk officer for Citigroup's North America Consumer Lending Division.