Post-crisis firms are focusing on the correlation of different risk types as they now recognize the need for a true total view of risk. In a Q&A, SunGard’s Marcus Cree explains the new drivers behind investment in risk technology and how the culture for risk management is changing to meet demands in the new regulatory environment.
Q. Are financial institutions still investing heavily on risk management even after three years have passed since the financial crisis began? Are there new drivers for the focus on risk management?
For the past few years financial institutions have largely focused on the lack of infrastructure and on mapping solutions rather than implementing them, so the majority of investment has been in consultancy. The main technical spend has yet to come about and has actually has been further delayed by the Dodd-Frank Wall Street and Reform Act (Dodd-Frank), which introduced a raft of new measures that are taking priority.
However, every crisis creates opportunity, and some financial institutions are looking for the business opportunities within Dodd-Frank as much as focusing on improving their own infrastructure requirements. They are going about this in two ways.
Firstly, banks are providing brokerage services such as central clearing and margin optimization, to allow the clients to settle derivative trades as they need and want to.
Secondly, banks can leverage the public focus on risk by creating a full infrastructure that can demonstrate the quality of their risk management practices and show the wider industry how stable they are. This focus on the quality of risk management capabilities is almost on par with actually competing with the costing out of the business because the wider market is worried about counterparty risk.
Q. How has the view of risk shifted since the crisis began and where does this view stand now?
Increasingly, firms have started to ask how different types of risks, particularly market and credit risk, sit together. This correlation of risk types has historically been an academic, though interesting, question, but now it’s a truly practical one.
For instance, with credit default swaps (CDS), a default in the market is a market event, whereas from a bond point of view, it is a credit event. The question for firms is, how do those risks correlate? This leads to other questions, including, have the calculations of risk been executed correctly? If not, do the technical systems allow these errors to be reported?
As a result, operational risk itself has become a focus because in addition to monitoring the risk correctly, firms also have to be able to prove the case to its stakeholders, whether they are senior management, rating agencies or external parties. Also, operationally, firms need to be able to show the detail, such as for how long market risk measures have moved into excess risk positions without being hedged. This requires sophisticated risk management systems.
This awareness comes as many firms create the role of the chief risk officer (CRO). Whether this is a new role or an existing one that has been “rebranded,” a CRO is generally expected to look at risk holistically and on an enterprise-wide basis.
Q. What is enterprise-wide risk management (ERM) really? How can a firm implement a holistic risk management strategy and what are the challenges and benefits in establishing a firm-wide risk strategy?
Previously, ERM came down to,”Do we have risk management everywhere?” This question was directly linked to the amount of the regulatory capital required.
Now, ERM has become more about how a firm can combine the various systems’ outputs, reporting methods and processes in a way that the regulators will find appropriate. However, this mode of ERM doesn’t actually expose the total risk or identify the real sources of risk.
Increasingly, we are finding that CROs are focused on establishing a single language to create a more cohesive risk culture across the organization. Common metrics are accepted by various departments, from trading desks through to risk managers and senior executives.
Of course, establishing such a common language and culture is raft with challenges, mainly due to the fact that firms have historically operated in silos. For instance, one silo sees risk in certain specific terms (sensitivity and durations), but another believes risk is best shown in unexplained and unexpected losses. A third silo only wants to look at risk in terms of Value at Risk (VaR). These disparate views create a situation where direct communication and understanding is difficult, if not impossible.
The core obstacle to changing this is that if risk has been treated as a function of capital charging, it has not actually affected the day-to-day strategic decision making. People are making decisions based on their own department’s requirements, which may have nothing to do with the firm’s general needs or risk appetite. While this allows a business to make decisions in a highly specific context, it fails to express the risk appetite, describe the remit to the risk takers, or create and monitor the risk limits.
An example would be the mortgage backed securities in the recent crisis. In hindsight, some people said that these models didn’t have correct correlation modeling and questioned how they were being priced. But their concerns went unheard because the ‘risk’ quants were in one silo, feeding information to only to the risk department, and the ‘trading desk’ quants were sitting separately with the desk and its preferred methods. Because of the silo culture, those voices couldn’t be heard and acted upon.
This explains why it is so important to break down those siloes and create an open culture of generating the best risk awareness. It doesn’t mean not taking risks; it means understanding and articulating the risks you take.
Q. How does an ERM strategy and improved risk mitigation practices help a firm comply with new regulation?
There are really two benefits: credibility and communication.
In the new regulatory environment, firms have to push out numbers that are acceptable to the risk takers and stakeholders throughout the day. The senior risk management and decision makers at the highest level have to be able to see the risk positions and how they are contributing to the total risk. That means firms need technology that can distribute critical reports in a read-only format, online, using current technology (even iPads) so that people can easily see where and what they are contributing to the overall risk of the firm.
That same view, showing the same risk metrics, has to be available to the risk controllers. They have the ability to correct errors as they are found and, in real time, update
It should be easy for them to identify problems and make and audit changes, all in real-time. Quickly updating and responding to recorded errors improves the credibility of the system. It also tightens up operations, reducing the implied operational risk. This requires technology that can provide sophisticated risk calculators, real-time capabilities, and online dashboards and communication mechanisms.
Q. Looking ahead, how do you see the risk management space evolving in the next three years?
Operational risk will become more important as firms realize that they must be able to report on risks and that this requires high quality risk management systems. Firms will move to a single platform with a common language for managing risk in a more holistic manner.
Specifically, CROs will become increasingly focused on full ERM from an operational risk perspective because they are responsible for the economic capital level. This measure combines credit, market and operational risk, and if the firm cannot lower operational errors due to inefficiencies, then it is effectively funding inefficiency rather than funding risks they actually want to take, which has to be unacceptable.
Finally, risk management itself will have to become a firm-wide activity, with the most risk-aware firms becoming the most preferred counterparties and therefore the most successful market players.