by Peter T. Golder and Thorsten Liebert
4/09/09
How to create a culture that combines healthy risk taking with effective risk management.
Audit findings then need to be acted upon. Audit items cannot be allowed to remain open quarter after quarter, with no consequences for the executive who fails to act on them. A more disciplined approach is required, with senior executives taking the leading role. The ultimate goal is a culture that combines healthy risk taking with effective risk management. It takes a total, unmistakable, continual, and widely communicated commitment from the CEO to make this shift. Companies and banks that accomplish this will be much better equipped to weather the next set of economic storms. Author Profiles:Peter T. Golder is a principal with Booz & Company in London. He specializes in corporate strategy, restructuring, postmerger integration, and risk management for global banks and financial intermediaries. Thorsten Liebert is a principal with Booz & Company in Frankfurt. He specializes in strategy definition, restructuring, and risk management for leading banks in Germany, the U.K., and Russia. |
Want to buy a pile of second mortgages with a loan-to-equity value of 99 to 1, and scant documentation on borrower qualifications? (By the way, those borrowers might not live in the homes they’re mortgaging.) And, sure, it’s possible the borrowers are lying about their income and job status. (But who cares?)
Today, even considering such a package seems ridiculous. Yet most of these loans, part of a fund sold by a major investment bank in 2006, received top-grade scores from rating agencies and enthusiasm from investors. Perhaps not surprisingly, several of the fund’s tranches are already a complete bust, and the rest are in shambles.
Perhaps the most outrageous aspect of this story is that its ending could have been predicted. Those bundles smelled toxic even in the midst of the bubble — for anybody who bothered to take a sniff. When common sense fails in so spectacular a fashion, it’s not just a gap in basic risk-assessment procedures. It’s a symptom of a systematic and cultural collapse.
How, then, can a financial-services firm, or any other company, adopt a more effective risk management system? The most serious gaps are related not to technology and models — that is, not to the risk management tools used to monitor investments and model equity strategies — but to people’s roles and the firm’s decision-making processes. In a number of institutions in the pre-crisis environment, the strong drive for profit led to veiled but intense pressures on risk departments to approve increasingly dangerous transactions. In turn, these assaults on caution weakened the risk management discipline throughout the company.
The banks that weathered the credit crisis relatively well were generally those whose risk management culture had remained strong. They had sharp and effective lines of defense against taking unnecessary chances, and they demonstrated a commitment to supporting capable individuals who exhibited risk awareness and set an example for others to follow. These companies view risk management as a positive capability, something that should be visible everywhere from the front office to headquarters, rather than viewing it as an obstacle to profits.
Understanding, defining, and actively managing an organization’s risk appetite requires a core of executive directors on the board who possess solid business and risk expertise. This group must appreciate the risks being taken and understand the risk/return trade-offs inherent in the creation of new financial products. Moreover, the board must accept the implications of major decisions on risk. In the mid-2000s, for example, most investment bank boards did not discuss the consequences of acquiring so many questionable mortgage investments and other similar instruments, which led to a huge increase in absolute leverage, nor did they discuss the unintended consequences of some bankers’ seemingly unlimited earning power. Instead, as reported by the New York Times in November 2008, top executives at banks such as Merrill Lynch & Company were allowed to order corporate watchdogs — the more squeamish at these firms and on their boards — to heel.
No individual specialist in a certain asset class, product, or function, whatever it might be, can be solely responsible for identifying and mitigating all possible causes of unacceptable losses. Modern investment banking products involve multiple asset classes that are treated separately but are interdependent; a decline in one can worsen declines in others. This means that at a portfolio level, dangerous correlations can exist among the many positions held both within and outside the firm. The goal is to ensure that no one assumes that risk is not his or her responsibility. One idea is to consistently place risk management executives on the trading floor, where they can offer opinions and recommendations on portfolios and newly planned investments. But only companies in which the authority of these executives is unquestioned, particularly in the front office, would choose to take that step.
It is clear now that too many banks, during the years leading up to the credit crunch, employed a strategy combining a strong offense (aggressive investments) and a weak defense (little scrutiny). But a strong defense need not impede aggressive business growth. A robust risk management culture is marked by three characteristics:
Sustainable risk/return thinking. Top management and the front office itself must demonstrate clear thinking about risk/return trade-offs. Risk managers have two primary responsibilities: developing sustainable strategies and tactics to keep risk and return proportional, and providing top management with an independent control mechanism if front-office discipline fails.
To earn respect from the front office, risk managers must be of the highest caliber. They must be capable not just of challenging any negative swings in performance, but of helping executives understand the causes of peaks. Price limits for investment purchases or sales and other basic controls must be respected. Limit setting and limit monitoring must be accompanied by mechanisms with teeth; for example, risk managers must have the ability to fire regular violators of risk limits rather than just slapping their wrists. And traders must be forced to take holidays; rogue activities are much easier to check when the perpetrators aren’t on site to cover them up.
Usable, up-to-date information. Both the front office and top management must have reliable and consistent information on the positions and risks they are taking. Above all, risk managers must understand how the front office is or is not making money. Deconstructing the drivers of profit or loss needs to become the prevailing mentality. Discussions about new products, existing and new positions, and other issues must be broad and not restricted to methods for meeting quarterly targets or other short-term goals.
To go beyond the traditional role of “limit cop,” risk managers need to develop a deep understanding of whether the bank’s portfolio is overly concentrated in particular investments and whether the relationship between investments and their underlying value is transparent. In doing this, risk managers can determine what constitutes an early warning signal and what does not. If top risk management professionals do not have this authority and these tools, they will migrate elsewhere.
An in-depth oversight process. The auditing function often fails to provide independent and objective oversight. Instead, auditors see their assignment as a box-ticking exercise to ensure compliance, with limited critical review of potential weaknesses. That must change. A strong critical approach to each functional discipline must also be developed, involving far more insight and internal consultation beyond simply “checking the checkers.” After reviewing the securitization process, for instance, the internal audit team could identify and bring to the board’s attention potential flaws such as overreliance on rating agencies.
To accomplish this, auditors must possess not only extensive knowledge of the business — how the front office makes money — but also clear comprehension of the risk management discipline. In topnotch organizations, audit and finance teams blend strong process and IT know-how with an in-depth understanding of the business and risk. For example, audit teams investigate and validate mark-to-market positions, ensuring the integrity of information as it passes from one system to the next.