A battery of regulation was supposed to have encouraged banks to look at their complete spectrum of risk and to put in controls to ensure they were not vulnerable. Then the crisis hit … Andrew Leslie writes

Before the words ‘credit crunch’ and ‘financial crisis’ became part of everyday vocabulary, the financial services sector was widely held to be ahead of everyone else in taking a risk-based, organisation-wide approach to management. It is debatable whether this was driven more by regulation than by business imperatives, but there is little doubt that the regulators were a powerful force. In particular, the Basel II accords, with their insistence on rigorous linkage between risk and capital allocation, were a key factor. In their wake, the need to identify, analyse and manage risk on an enterprise-wide basis became an imperative.

In theory, the banks should have known their risks, held adequate reserves against their materialisation, and been able to respond to a looming crisis by adjusting exposure. This, after all, is what ERM is about: knowing the spectrum of risks an organisation faces and managing them across the enterprise as a whole.

What, then, went wrong? There are as many answers to that question as there are commentators. But a clear warning of what might happen was given by Sheila Bair, chairman of the US Federal Deposit Insurance Corporation (FDIC), to the 2007 Risk Management and Allocation Conference in Paris.

‘A critical point that everyone must keep in mind is that the Basel II framework was developed and debated during a very benign period of economic growth and strong bank profitability.

‘The recent trouble in US sub-prime mortgages is a clear reminder of how fast and decisively market conditions can change. It points to the danger of thinking that banks will have enough lead-time to ramp up their capital as economic conditions deteriorate.’

Presciently, she then went further in outlining the risks that Basel II’s advanced approaches could pose in relying on banks’ ability to rate their own risks, culminating in a reminder of the limitations of human ability.

‘I believe the lesson here is that these products (a reference to CDOs and other derivatives) and markets pose risks and stresses that may be impossible to quantify. It's easy to assume that banks and supervisors will set a principles-based approach to build an appropriate level of stress into the advanced capital calculations. But I fear that in reality, the lag in identifying and understanding changes in market practices will make this very difficult.’

Arguments as to whether the inability to quantify risk, inadequate parameters for stress testing, flawed regulation, misplaced strategy or other factors were to blame for the meltdown, or indeed whether it was operational risk management rather than ERM that was to blame, are little more than the old debate about angels and pin heads. The fact remains, as Paul Hopkin, AIRMIC’s technical director, puts it: ‘There is a wide perception that risk management has failed, and that risk is bad. But taking risk is essential. It is not risk management that has failed, but its application.’ Or, as risk consultant Tim Yeates pithily summarises: ‘There is nothing wrong with ERM. There are, however, one or two things wrong with human beings.’

The interaction of people, he continues, is infinitely complex. ‘Our starting point should be humility, a recognition of our inability to measure the impact of collective human behaviour.’

This is a good perspective from which to begin reconsidering the virtues of ERM in looking at a complete spectrum of risk. ‘There’s a lot of mystique around ERM,’ says Hopkin. ‘The Turnbull report more or less required it, and that has been around for ten years. When you are complying with Turnbull, you are doing ERM.’

But the danger is that ERM turns into an exercise in compliance, rather than being seen as essential and valuable in its own right, and this may be one of the chief lessons to be drawn from the financial crisis. Yeates draws an analogy from the kitchen: it is all too easy, he says, to concentrate on the recipe book and ignore the expertise of the cook. The only real risk managers are the CEO and the board. This is why ERM must be integrated with the governance of the whole organisation.

What can the risk manager do? He has to soldier on, says Hopkin. He has to sell the benefits of ERM and emphasise the value of having risk management aligned with the organisation’s activities. Above all, with the recession looming large, the efficiency message needs to be stressed. Risk management can have a huge impact in saving costs. Successful ERM gives the board the information they need to prioritise their risks.

To this end, what happened to the banks may be able to give guidance as to how to improve ERM. Avoid group-think, says Yeates, and take a lesson from mathematicians, who know that assumptions are very vulnerable. Risk is an infinitely expandable notion over a period of time. Compartmentalising it, or relying on short-term planning, is dangerous.

Quantification of risk is important, says Hopkin, but it must leave room for judgement. Risk management helps organisations to position themselves against what can really hurt them. Know the business, analyse where the essential dependencies lie, find the core processes and what can seriously impact them - and form a view.

This is all very well, but another lesson from the banking meltdown is that risk management has to be listened to, if it is to do any good. On a strategic level, says Hopkin, the risk manager has to be heard. It is a terribly difficult area for the risk manager to get into, he says. The CEO or CFO take the decisions, and it can be very, very difficult to persuade them.

‘This is the huge challenge,’ he says. ‘To get boards to think more carefully and holistically about the risks they face.’