Modeling Risk
Friday, May 5, 2023
By Cristian deRitis
Motivating risk managers can be challenging. At best, they do their jobs well, make all the right decisions, back up their work with solid analytics and reasonable assumptions and … drumroll … nothing happens.
Indeed, when risk managers do their job effectively, their companies don’t experience major losses or go bankrupt. Regulators don’t have any significant findings, and no negative media headlines are published. Business continues as usual.
Unlike new sales and higher revenue numbers, which are highly visible and easily celebrated, loss avoidance is theoretical and harder to appreciate. “It could have been worse” arguments related to loss mitigation can fall on the deaf ears of investors focused on “what is” rather than “what might have been.”
Given this reality, how can risk managers motivate themselves and their teams to stay focused and find meaning to operate at their full potential?
People First, Then Risk
Building a risk culture and a team that is fully engaged and committed is arguably much more important for managing risks than any of the data or mathematical models an organization may develop or acquire. Ultimately, it’s the actions – or inactions – of individuals that will drive the success or failure of any risk management program.
Though this may seem obvious, risk managers typically spend relatively little of their time thinking of the structure of their organizations, particularly when compared to designing risk monitoring reports or developing new statistical methods for measuring and forecasting financial risks. In part, this may be the result of their quantitative background and their training. Measurement and analysis may have been emphasized in their academic programs, with little importance given to organizational design and management.
The Ted Lasso Approach
Consider the typical “three lines of defense” risk management structure adopted by many banks and other institutions:
The setup is analogous to the formation of a soccer team, with offensive players, midfielders and a defensive line. Each group should be supporting the others to minimize the likelihood that the opposing team scores a goal. However, as the fictional coach on the hit TV series Ted Lasso continuously points out, this approach sounds good in theory but fails in practice without clearly defined roles.
If roles and responsibilities aren’t defined clearly, we run the risk of either having the three groups constantly clashing with each other or creating “donut holes” where one line of defense assumes that risk management responsibilities belong to another line – and vice versa.
What do the three lines of defense look like at a typical bank? Well, a bank might define an operational business unit as the first line of defense. This unit may consist of loan underwriters who are in direct contact with external customers, taking applications and making approval decisions based on pre-defined scorecards and lending rules.
The second line usually provides sufficient support to see to it that day-to-day procedures are being followed. Second line risk controllers might focus their attention on borderline cases where application data doesn’t conform neatly to the lender’s scorecard, ensuring that the organization isn’t inadvertently taking on more risk than intended.
The third line of defense typically consists of independent internal auditors who verify that the objectives defined by the board and risk committee are being met by the first and second lines.
The problem with this three-tiered approach is that we sometimes see overlap between the lines.
To be clear, the second line should have more of a consultative rather than an oversight role. If all the second line does is validate that the first line is following procedures, then its role isn’t all that different from the third line of defense.
Similarly, internal auditors should primarily be focused on independently verifying outcomes, rather than on operational specifics of how procedures are set and followed by the other lines.
Let’s Talk Incentives
Like a successful soccer team, the best organizational structure is one that is self-reinforcing. Responsibilities, incentives and disincentives need to be defined in such a way that all members in the organization “do the right thing,” acting on their own self-interest without relying on external oversight to force compliance. Ideally, rather than playing a punitive role, auditors and regulators should merely verify that all reporting was accurate and timely.
In economic terms, the problem amounts to setting appropriate “incentive compatibility constraints.” Compensation and benefits need to be tied to benchmarks and other indicators. This will encourage the second and third lines of defense to provide effective challenges and oversight, rather than colluding with the first line to allow questionable deals to be approved that might inflate profits and bonuses in the short term at the cost of long-term losses.
Clawback provisions and long-dated equity grants or options are some of the traditional methods used to align incentives, though these too may be subject to risk managers “rolling the dice” for a larger short-term payoff.
A largely unexplored option would be to compensate managers with corporate bonds. Given their longer time horizon and the risk that principal may be lost in the event of a default, risk managers would have a large incentive to minimize the risk of losing this part of their compensation.
In addition to financial compensation, senior risk executives need to play to the strengths of their teams. Individual analysts may be motivated by the challenge of solving difficult quantitative problems with data and software tools. Defining goals related to developing a monitoring system and early warning indicators, for example, may encourage them to devote their best efforts to these specific tasks.
Indeed, the opportunity to work on interesting and challenging problems may provide a greater incentive than additional compensation. By understanding motivational techniques, an effective risk executive can design a team that develops its own rewards, as opposed to relying solely on acknowledgment from outside the team.
That said, recognition is also important. Risk managers want to know that their work is contributing to a greater purpose.
Chief executives can ensure that risk teams are valued and motivated by giving them a prominent place within their organizations and by empowering them with the ability to block deals or limit risk exposures.
Parting Thoughts
Recent bank failures have put risk management functions in the spotlight once again. While the best-case scenario for risk managers may be that nothing happens, the worst-case scenario is that they are blamed for the consequences of actions taken outside of their control.
A deeper investigation into recent bank failures will determine if the root causes were flawed business models that made risky bets on the economy or something more fundamental. Equally important will be an analysis of the organizational risk structure of the failed banks and the role that their boards played in establishing risk guidelines. (One question that needs to be answered: Were actions allowed to be taken without sufficient oversight and effective challenge?)
The multifaceted and ever-changing nature of risk is what draws many individuals to the field and keeps the work interesting and challenging. Developing new models for estimating tail risks or filling data gaps with new sources of information is exciting and important, but ultimately insufficient.
CROs need to remember that people are the most important part of any risk management program. Keeping teams motivated with the right set of incentives and organizational structure enables all other risk management tools and models to be effective.
Cristian deRitis is the Deputy Chief Economist at Moody's Analytics. As the head of model research and development, he specializes in the analysis of current and future economic conditions, consumer credit markets and housing. Before joining Moody's Analytics, he worked for Fannie Mae. In addition to his published research, Cristian is named on two U.S. patents for credit modeling techniques. He can be reached at cristian.deritis@moodys.com.