Sunday, February 22, 2009

Re-approaching risk management

I have been reading many good articles and write-ups on risk management that I do not know where to begin. Risk management takes priority in view of what has happened and now is as good a time as any in this organization to demonstrate, apply and implement the value of risk management.

The following are the list of articles, its excerpts and in the order of hierarchy and priority :

Setting the Tone

In the Fortune special report "What boards must do in a crisis", top consultants Ram Charan and Tom Neff say company directors have to roll up their sleeves in times like these and take a hard look at risk, targets, pay, and balance sheets.

"Boards have to spend more time thinking about the unthinkable -- scenarios that would have seemed irrational, maybe unimaginable, just a year ago. What if our lead bank disappears? What if we have a liquidity crisis? What if the Dow goes to 6,000? What if our stock keeps dropping and attracts raiders?

The other subject that boards need to focus more on is enterprise risk management. It's not just risk in the sense that banks need to focus on it, but what are the risks in our business model, what are the global risks that could affect our business? It's a holistic approach to the subject, and stress testing what we're doing."


Shaping Risk Management : Addressing qualities of risk managers, decision-making and culture

In another FT article, Personalizing Risk Management, part of a series of articles in Managing in a Downturn, a professor and executive in residence at the London Business School writes about how companies have evolved in managing risks and the shift in thinking about risk management that is required today.

"Personalisation of risk management does not mean throwing out the traditional systems and support structures. Rather, it means a subtle shift in emphasis from the management of a portfolio of risks to the underwriting of individual risk decisions. This approach is relevant across all sectors of the economy, not just to the world of financial services companies. "

The author suggests three approaches in personalizing risk management that I find has every relevance in this organization in its efforts to move forward with risk management:


  1. High-quality insight. Those who make decisions require good quality information, effective analytical tools and the competence to interpret this information. But it is rare for all these things to come together. It is more likely for decisions to be made with poor insight from self-interested sources, and with the relevant information fragmented across different parts of the company. Effective personalisation of risk management is, therefore, about building a system that puts the right information into the hands of those making decisions, and then transforming that information into insight through experience.
  2. Personal accountability. Effective risk management requires personal accountability, but most companies get this wrong as well. Sometimes there are too many decision makers, or the decision maker is too far removed from the action to feel any genuine responsibility. And often there is no link between the decisions taken and the rewards provided.
  3. Supportive culture. The informal norms of behaviour in a company – its culture – should support the principles of high-quality insight and personal accountability. But all too often, these informal norms end up undermining the effectiveness of decision making. Some companies exhibit a fear culture where bad news is hidden from top executives; some are purely mercenary, where everyone looks out for themselves; some suffer from chronic risk aversion, with almost zero tolerance for false-positive errors.
    Of course, there is no simple way to build a supportive culture. It takes many years of consistent messages and actions from leaders. But there are, nonetheless, a couple of basic principles that can be applied.

Risk Measurement : What It Is and What It Is Not

There has been numerous debates as to the usefulness of Value-at-Risk (VaR) as a mathematical model based on statistical assumptions in predicting risk. The basic VaR model, the parametric model, relies on the extent of historical data available for a market and asset class, and for as long as you think history repeats itself, then the parametric VaR is your best indicator of what your portfolio predicted risk would be.

The nature of the financial crisis that evolved from 2007 till now has been unprecedented and as Nicholas Nassim Taleb said in a McKinsey article "my idea in The Black Swan is to make people think of the unknown and of the potency of the unknown, particularly a certain class of events that you can't imagine but can cost you a lot; rare but high-impact events." Therein lies the limitation of VaR and assuming market risk events can be represented by a probability distribution with a certain confidence level.

This article Risk Mismanagement from the New York times reinforces my overall philosophy that while VaR is a means to quantify risks, we must understand the assumptions behind VaR and certainly should never be complacent in thinking that once VaR is in place and that would represents all of our risks.

Nicholas Nassim Taleb was quoted in this article :

"Wall Street risk models, no matter how mathematically sophisticated, are bogus; indeed, he is the leader of the camp that believes that risk models have done far more harm than good. And the essential reason for this is that the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure. The ones that seem so far outside the boundary of normal probability that you can’t imagine they could happen in your lifetime — even though, of course, they do happen, more often than you care to realize. Devastating hurricanes happen. Earthquakes happen. And once in a great while, huge financial catastrophes happen. Catastrophes that risk models somehow always manage to miss."

"What he cares about, with standard VaR, is not the number that falls within the 99 percent probability. He cares about what happens in the other 1 percent, at the extreme edge of the curve. The fact that you are not likely to lose more than a certain amount 99 percent of the time tells you absolutely nothing about what could happen the other 1 percent of the time. You could lose $51 million instead of $50 million — no big deal. That happens two or three times a year, and no one blinks an eye. You could also lose billions and go out of business. VaR has no way of measuring which it will be. "

Gregg Berman of RiskMetrics posits differently :

"Obviously, we are big proponents of risk models,” he said. “But a computer does not do risk modeling. People do it. And people got overzealous and they stopped being careful. They took on too much leverage. And whether they had models that missed that, or they weren’t paying enough attention, I don’t know. But I do think that this was much more a failure of management than of risk management. I think blaming models for this would be very unfortunate because you are placing blame on a mathematical equation. You can’t blame math."

Richard Bookstaber :

"Richard Bookstaber, a hedge-fund risk manager and author of “A Demon of Our Own Design,” ranted about VaR for a half-hour over dinner one night. Then he finally said, “If you put a gun to my head and asked me what my firm’s risk was, I would use VaR.” VaR may have been a flawed number, but it was the best number anyone had come up with."

The NYT article is a good for all risk managers to understand what VaR represents and its limitations with quotes from proponents and dissenters of VaR. Read on.

Sunday, February 15, 2009

Increasing Interest in Risk Management by CFOs

Financial Crisis Intensifies Interest in Risk Management Among CFOs was a survey commisioned by Towers Perrin to CFO Research Services, an affiliate of The Economist and CFO magazine, to gain insights on how companies view the seriousness of the financial crisis for their businesses.

For a complete view of the results of the survey and findings, please click here

According to Towers Perrin website, the findings that stand out are :

  • Only 4% of respondents perceived the recent financial market meltdown as having a severe impact on their financial prospects. Although the majority acknowledged that the crisis would dampen profit expectations and leave a potentially lasting dent in the world economy, only five respondents feared a major negative impact on their financial results.
  • Nonetheless, approximately 72% of respondents expressed concern about their own companies' risk management practices and ability to meet strategic plans. This suggests that finance executives, regardless of industry, perceive a need to invest in more effective risk identification, measurement and management procedures.
  • In a related finding, a sizable minority (42%) foresaw more energized involvement by boards of directors in risk management policies, processes and systems, and a comparable minority foresaw intensified employee-level engagement.
  • 61% expressed concern about raising short-term capital — a sobering percentage of the executives surveyed but hardly surprising given ballooning spreads in the commercial paper market.

Risk management practices on the top of the agenda for many CFOs


It is interesting that, despite the evident impact of the current financial crisis on liquidity and consumer confidence, more than half (55%) of the CFOs agree that they plan to put their risk management practices under a microscope and that this investigation will in many instances reach all levels of the organization, from the board down and from the shop floor up.
What Standard & Poor's stated so plainly when it announced the inclusion earlier this year of an explicit ERM component in its rating of corporate securities is echoed by America's leading finance executives: Effective risk management depends on effective risk culture — i.e., genuine awareness and control of risk throughout the organization, and genuine line-of-sight accountability.

FSA 2009 Financial Risk Outlook

The Financial Services Authority (FSA), the British financial services regulator, published its 2009 Financial Risk Outlook. For those who wish to read the 90 page report, please click here

The 2009 report, according to the Foreword, has a different structure in consideration of "the scale of the financial crisis and the uncertainty over the future of the financial system, in particular the banking system" and in view of the increased regulatory policies to contain financial risks.

There were key messages that are listed at the end of each section and I would like to draw attention to a few that I think bears relevance to this organization.

  • Setting the tone Senior Management should ensure appropriate risk management is undertaken and that there is a clear understanding of the underlying risks to their business model, particularly risks associated with complex hedging strategies. Firms need to satisfy themselves that key risks are appropriately managed and continually re-assessed as financial market and economic conditions evolve.
  • Measurement Stress testing and scenario analysis should form an integral part of firms’ risk management, business strategy and capital planning decisions. It is of particular importance in this unpredictable environment, when the financial sector is vulnerable to further shocks, that firms also consider the implications of deteriorating economic conditions and the long-term viability of and weaknesses present in their business models. In addition, the financial sector and economy will also remain vulnerable to potential shocks, such as a large-scale terrorist attack. Firms should continue to consider such risks in their business planning to ensure effective plans are in place for dealing with these shocks.
  • Liquidity Risk Firms need to be aware of the vulnerabilities of their capital arising from the closure of individual markets and ensure that they have diversified funding channels and a varied investor base within each funding source. They also need a clear understanding of the availability of liquid assets which could be converted to cash if funding is suddenly unavailable, and the extent of their over-reliance on such ‘liquidity through marketability’. Many financial institutions continue to face liquidity pressures. Firms
    need to manage liquidity risk to ensure any gaps are filled by appropriate funding strategies. Internal risk management of liquidity issues needs to be addressed and reported effectively.
  • Risk Management Is A Business Strategy Strategies need to be underpinned by strong risk management systems and controls for all areas of risk: credit; market and operational risk; conduct of business risks; compliance with relevant rules, codes and standards; and managing risks of fraud and financial crime.
  • Do Your Own Due Diligence As a credit rating represents only one opinion on the creditworthiness of a particular product, a rating should not replace appropriate due diligence. Investors should assess how much reliance is appropriate to attach to the ratings produced by third parties, in light of rating performance and other forms of risk assessment relevant for the security concerned. Factors such as liquidity risk and price volatility can be as important in making an appropriate decision, and should be considered alongside other relevant indicators regarding the creditworthiness of an investment. (Refer to previous posting on Lloyd Blankfein and the similarities)
  • Valuation Controls Systems and controls should also be in place to manage valuation difficulties and to ensure that questionable prices are identified. Appropriate governance procedures are also important when using non-independently sourced values.
  • Disclosures To enhance market confidence, it is important that firms provide sufficient disclosures about the key judgements and uncertainties concerning valuations and any reclassifications in the accounts.

Thursday, February 12, 2009

Lloyd Blankfein on Lessons Learnt

Much has been said about the financial crisis and the lessons that we should learn from the crisis.

Lloyd Blankfein, the CEO of Goldman Sachs, provided his opinion in the Comment section of FT here.

The lessons learnt :

Lesson #1 Risk management should not be entirely predicated on historical data. In the past several months, we have heard the phrase “multiple standard deviation events” more than a few times. If events that were calculated to occur once in 20 years in fact occurred much more regularly, it does not take a mathematician to figure out that risk management assumptions did not reflect the distribution of the actual outcomes. Our industry must do more to enhance and improve scenario analysis and stress testing.

Lesson #2 Too many financial institutions and investors simply outsourced their risk management. Rather than undertake their own analysis, they relied on the rating agencies to do the essential work of risk analysis for them. This was true at the inception and over the period of the investment, during which time they did not heed other indicators of financial deterioration.

Lesson #3 Size matters. For example, whether you owned $5bn or $50bn of (supposedly) low-risk super senior debt in a CDO, the likelihood of losses was, proportionally, the same. But the consequences of a miscalculation were obviously much bigger if you had a $50bn exposure.

Lesson#4 Many risk models incorrectly assumed that positions could be fully hedged. After the collapse of Long-Term Capital Management and the crisis in emerging markets in 1998, new products such as various basket indices and credit default swaps were created to help offset a number of risks. However, we did not, as an industry, consider carefully enough the possibility that liquidity would dry up, making it difficult to apply effective hedges.

Lesson #5 Risk models failed to capture the risk inherent in off-balance sheet activities, such as structured investment vehicles. It seems clear now that managers of companies with large off-balance sheet exposure did not appreciate the full magnitude of the economic risks they were exposed to; equally worrying, their counterparties were unaware of the full extent of these vehicles and, therefore, could not accurately assess the risk of doing business.

Lesson #6 Complexity got the better of us. The industry let the growth in new instruments outstrip the operational capacity to manage them. As a result, operational risk increased dramatically and this had a direct effect on the overall stability of the financial system.

Lesson #7 Perhaps most important, financial institutions did not account for asset values accurately enough. I have heard some argue that fair value accounting – which assigns current values to financial assets and liabilities – is one of the main factors exacerbating the credit crisis. I see it differently. If more institutions had properly valued their positions and commitments at the outset, they would have been in a much better position to reduce their exposures.

For Goldman Sachs, the daily marking of positions to current market prices was a key contributor to our decision to reduce risk relatively early in markets and in instruments that were deteriorating.

For the industry, we cannot let our ability to innovate exceed our capacity to manage. Given the size and interconnected nature of markets, the growth in volumes, the global nature of trades and their cross-asset characteristics, managing operational risk will only become more important.

Risk and control functions need to be completely independent from the business units. And clarity as to whom risk and control managers report to is crucial to maintaining that independence. (Cannot be emphasized enough)

Equally important, risk managers need to have at least equal stature with their counterparts on the trading desks: if there is a question about the value of a position or a disagreement about a risk limit, the risk manager’s view should always prevail. (The heart of any risk governance)

More generally, we should apply basic standards to how we compensate people in our industry. The percentage of the discretionary bonus awarded in equity should increase significantly as an employee’s total compensation increases. An individual’s performance should be evaluated over time so as to avoid excessive risk-taking. To ensure this, all equity awards need to be subject to future delivery and/or deferred exercise. Senior executive officers should be required to retain most of the equity they receive at least until they retire, while equity delivery schedules should continue to apply after the individual has left the firm.

For policymakers and regulators, it should be clear that self-regulation has its limits. We rationalised and justified the downward pricing of risk on the grounds that it was different. We did so because our self-interest in preserving and expanding our market share, as competitors, sometimes blinds us – especially when exuberance is at its peak. At the very least, fixing a system-wide problem, elevating standards or driving the industry to a collective response requires effective central regulation and the convening power of regulators.

Capital, credit and underwriting standards should be subject to more “dynamic regulation”. Regulators should consider the regulatory inputs and outputs needed to ensure a regime that is nimble and strong enough to identify and appropriately constrain market excesses, particularly in a sustained period of economic growth. Just as the Federal Reserve adjusts interest rates up to curb economic frenzy, various benchmarks and ratios could be appropriately calibrated. To increase overall transparency and help ensure that book value really means book value, regulators should require that all assets across financial institutions be similarly valued. Fair value accounting gives investors more clarity with respect to balance sheet risk.

The level of global supervisory co-ordination and communication should reflect the global inter-connectedness of markets. Regulators should implement more robust information sharing and harmonised disclosure, coupled with a more systemic, effective reporting regime for institutions and main market participants. Without this, regulators will lack essential tools to help them understand levels of systemic vulnerability in the banking sector and in financial markets more broadly.

Wednesday, February 11, 2009

Reinforcing skills required in risk management

Time and time again I have reinforced my views on what it takes to be a risk manager (not what it takes to build capability in risk management)

  1. Possess the visionary in where risk management should be and the depth required to ensuring "the trains work and arrive on time".
  2. Having a bigger picture of the organizational direction and the role of risk management in the organization.
  3. Recognize risk management trends that impacts how risk management is implemented in this organization
  4. Process-oriented in the application of risk frameworks, policies, controls and implementation and principle driven in applying risk management in the corporate context
  5. Analytical capabilities in understanding the business, how risks arises and the drivers of risk (both market and internal drivers), identifying risks, how risk impact the business from strategic, tactical and operational perspective, the risk return trade off in business decision-making and prescribing practical risk management solutions