Risk feature: A bitter pill?

With so many in the financial sector caught unaware by the credit crunch, an urgent reassessment of its risk procedures is underway. Graham Buck looks at what changes might result

While it’s too early for any return to rude financial health, the spectre of imminent meltdown in the financial sector has at least lifted since the dramas of last autumn. So now the blame game has begun in earnest. Basel II was regarded as providing safeguards against financial institutions overreaching themselves, by ensuring capital adequacy sufficient to cover operational risk. Yet as a supposedly ‘dynamic’ measurement it has taken only a few years to be shown as wanting. And why was risk management methodology apparently so deficient that the industry could be spectacularly caught out by the sudden change from boom to bust?

The most spectacular failures, such as the demise of Bear Stearns, stemmed from oversight at the highest level, says S. Ramakrishnan, chief executive of Reveleus and Mantas products at Oracle Financial Services Software. “Even when the banks were making obvious mistakes, it looked to the CEOs as though things were actually working quite well. There was a failure at management level, with few questioning whether the company’s risk appetite was commensurate with the risk being taken on.”

Even where organisations took measures to offset risk, the methods employed are now seen as inadequate. The suddenness and severity of the financial crisis has, in particular, triggered much comment on the deficiencies of the Value at Risk (VaR) model that many relied on and the general trend towards securitisation. Michael Adam, of the banking industry business unit at SAP observes that VaR has the weakness of being a relatively short-term indicator that offers only poor historical simulation – although it does include historic data to provide a guide to what has happened and could happen, it typically relies too much on ‘normal’ market conditions and not enough stress was built into it.

“VaR captures the point at which investments go sour, but doesn’t measure how much the investor actually loses if the very worst occurs,” agrees Lisa Goldberg, executive director of analytic initiatives and talent at MSCI Barra, a provider of investment decision support tools and indices. “Standard methods used to calculate VaR rely on assumptions that are unrealistic when markets turn. For instance, returns are often assumed to be normal even though it is actually the non-normal ‘tail’ events that investors are most concerned about.”

But as Suhas Nayak, product director at Fernbach Software, points out, VaR didn’t fail all by itself, being only one of several techniques used to understand risk. “Although there was clearly over-reliance on it, which will now have to change, it was not the only culprit,” he says.

There is general agreement among IT practitioners in the industry that risk assessment in the financial sector also suffered from data overload. There was either too much data for companies to assimilate, or it was aggregated to such an extent that it became meaningless. Of course, there is a need to flag up those instances that may prove to be problematic and this will become ITs main support function in future, rather than endeavouring to process everything to death without a sufficient overview or control of the procedure.

VaR and other such mathematical models will cede position to stress tests of an organisation’s robustness in the face of real systemic crisis, or a relatively rare but high impact event. In boom times it can prove a tough job winning peoples attention for such tests, but as David Rowe, executive vice president of the capital markets and investment banking division at Sungard observes, “management should prove receptive over the next few years”.

Ignoring the message
The post-mortems now being conducted should perhaps recognise that risk management methodology was not so much a fault as the way it was employed, suggests Mike Bush, head of product management at BCS. So the red lights were flashing well ahead of the crash. Banks that dived headlong into the murky depths of sub-prime mortgages and credit default swaps (CDSs) were often warned that what they were doing was risky, but these exotic new hybrids offered good market returns. Only a few more cautious institutions – Canadian and Spanish retail banks like Santander being the prime examples – stood back from the fray.

“Additionally, ratings agencies awarded CDS products and similar ‘innovations’ with a AAA rating, so a herd instinct took over and banks invested in things that they didn’t fully understand,” says SAP’s Adam. “The reasoning was simple: ‘If others are making money then we have to join in!’” He has praise for Moody’s credit portfolio management model, KMV Portfolio Manager, as it offers early indicators of what is good credit and what is bad. But as he points out, the ratings agency itself appears to have paid insufficient attention to its own product.

So it would appear that during the boom years many risk management departments and their systems, but by no means all, did flag up the warning that good sense and prudence were being abandoned. Far too often however, those at the top failed to heed the message. Indeed, in some cases the response was to shoot the messenger. Earlier this year, for instance, it was revealed in Parliament that HBOS’s former head of regulatory risk, Paul Moore, warned that its lending practices verged on the reckless a few years ago, but he was famously quickly dismissed by the board.

“Risk has to be everybody’s problem and at the very top of the organisation,” comments Sungard’s Rowe. “You might have good risk systems and good people, but Royal Bank of Scotland’s takeover of ABN Amro at the top of the market shows what happens if people in the boardroom ignore their message. Many individuals at the bank were urging caution at the time but their objections were overridden.

The two fundamental tasks of risk management are to ensure that the company’s trading position is under control and also that its survival is not being jeopardised. These essentials have too often been downplayed or disregarded. Over the past 15 years this has resulted in the failure of a number of financial institutions, even though for most of this period the economic climate has been benign. And if rogue trader Jérôme Kerviel’s activities at Société Générale emphasised one point it is that an organisation can have advanced risk management technologies in place, yet when the right information fails to reach the right person at the right time, there is the potential for disaster. Add to this the traditional segregation between the three basic parts of the organisation – front, middle and back office – and the silo system typical of financial institutions, which meant they too often lacked all of the data needed to properly assess risk. “There has also been a lack of desire to take risk reporting seriously,” says David Sherriff, chief operations officer for Microgen. “Banks and other institutions simply didn’t want to be left out, so back office and risk control ceded in importance to front office and sales.”

Regulation
It’s not necessarily the technology that has failed but rather the people and risk procedures. This is a deficiency that the industry is now racing to address, ahead of expected new regulation. The coming months will see governments impose a stricter set of capital adequacy requirements and restrict securitisation. Although the mood of total risk aversion that descended at the start of the credit crunch is now easing, the industry’s mood is likely to remain one of “conservatism and prudence”, according to Gavin Snell, managing director of consumer information services at Experian – that goes for the retail and wholesale side of banking.

Willi Brammertz, a risk specialist at FRS Global, is among those concerned that the increased regulations, following on from the FSA’s Turner Review, the G20 and EU Larosiére report, will themselves become a huge risk which, in addition to being very costly, will produce very meagre returns. He believes that regulators should devote greater attention to imposing a sound analytical infrastructure on the industry. “To take an example, the financial market lacks a clear definition of what a financial contract actually is. Having one would change the way that we carry out financial analytics and improve the way that banks analyse themselves,” he says. “People would have a better understanding of what exactly they are buying and selling. Many of those who bought collateralised debt obligations (CDOs) were smaller investors who really didn’t understand properly just what they were getting into.” The mooted centralised CDS clearing mechanisms should also help to unravel bad situations more easily in the future when they’re introduced later in the year, hopefully avoiding the systemic risk that the fall of Lehman Brothers and AIG’s travails placed upon the global economy in Autumn 2008.

Remake and remodel?
If risk management methodology has been found wanting, will this mean that the industry has to invest heavily in new IT programmes? Organisations are now seeking to integrate risk reporting and finance reporting, basing both on the same core data says the appropriately-named Sherriff, from Microgen. These new programmes will take between one year and three years to roll out fully and for a single integrated system to be set up. “Hopefully, there will be less of an atmosphere of panic by 2012 and a more stable economic climate,” he adds.

Regulatory change, with counter cylindrical accounting and more stress testing, is likely to continue for several years and the direction of many companies may well change as a result. This could result in further refinements becoming necessary for systems that have been swiftly installed. The industry’s focus will now be on which systems can best capture and interpret critical data that exposes the potential for significant losses, including those from fraud.

In many cases, existing models can continue to be utilised, claims Sungard’s Adam. However, some modification may be required for a greater emphasis than before on stress testing and developing potential ‘disaster’ scenarios. These include possibilities that might have seemed inconceivable only a couple of years ago, such as a near collapse in equity markets. “Many banks are now asking for Enterprise Risk Management (ERM) solutions as they have recognised the limitations of the silo approach towards all of their respective risks, where each is based on different data and sources,” he adds.

This near-term focus on ERM and improved liquidity is accompanied by longer-term progress towards a single banking platform for transactional systems and analytical systems. “Customers are able to pick and choose which specific solutions they place on this architecture,” says Adam. “A single infrastructure on which all the best solutions can sit will replace the previous patchwork.

Other technology changes will include the continuing emergence of data quality as a respected, standalone discipline, so companies know exactly what they are pushing into their risk engine. A more holistic view of risk and risk exposure will hopefully develop. The technologies are in place, but the banks need to start using them better – god knows they couldn’t do a worse job then they have up until now.

There may be some bitter pills to swallow in the move towards a new risk regime for the financial services industry – and perhaps an acceptance of lower, more stable returns in the near to medium-term – but hopefully the industry will be stronger for the post-crunch restructuring that is about to begin.