Have the high profile casualties of the finance sector strengthened the case for risk management, or merely exposed its limitations? Graham Buck looks at the evidence

Less than two years into the credit crunch, many of the finance sector’s former behemoths are coming to terms with their diminished status. Not only have they sustained massive losses, but only slowly is the full extent of the damage being revealed. In many cases, this means governments have been forced to provide life support by stepping in as the major shareholder and even nationalising.

Yet these were the same institutions that supposedly had sophisticated risk management processes in place. Does the speed and scale of their downfall indicate that risk management may not work?

UK Chancellor Alistair Darling spoke for many when he recently said that banks took on too much risk during the boom years, citing Royal Bank of Scotland’s now notorious acquisition of Dutch bank ABN Amro as an example.

As a result, the credit crunch marks the beginning of a new era that will see aggressive intervention from regulators to effectively restrict the risk appetite of those in the finance sector. The UK Financial Services Authority’s chief executive, Hector Sants, warned recently that its new regime would be much more interventionist than before. ‘People should be very frightened of the FSA,’ he said. More prudential regulation will involve hiring more supervisors, as the watchdog’s staffing level will rise by 30% this year.

Meanwhile, there has been no shortage of post mortems on why financial institutions failed so spectacularly in their management of risk. In one recent thesis, risk management consultants Shahid Chaudhri and Richard Griffiths noted that financial risks were understated, thanks to an extended period of moderate growth and low financial volatility since the end of the previous recession of the early 1990s. These benign conditions were taken to be ‘a permanent benefit of prudent central banking’.

But a more fundamental error was created by banks’ risk management models being generally based on a simplified assumption that markets fluctuated randomly following a ‘normal’ statistical distribution. Even complex models used to price more exotic models such as the notorious credit derivatives

were based on the same faulty assumption that the probability of extreme losses was only very low. Many of these overly simplistic models were developed from the modern portfolio theory; developed by Harry Markowitz in a paper published back in 1952. This postulated how risk averse investors could construct portfolios to maximise expected return based on a given level of market risk. Although a useful tool in stable markets (and widely adopted, as it proved easy to use), it failed in extreme market conditions, while more advanced techniques did not attract the same wide usage.

The big losses can also be partly attributed to the fact that risk analysis is not part of the culture for financial institutions, suggests Craig Ferri, managing director of decision analysis software group Palisade Europe. Instead, the culture of ‘profit at any cost’ is inherent in most of them, resulting in inappropriate incentive structures that reward short-term income generation over and above any other activity. This is reflected in the eye-watering bonuses paid in the City of London over recent years that are now sparking such a public backlash.

Another repercussion, particularly in the boom years of the past decade, has been an increased tolerance of risk.

“Company finance directors have become much more willing to agree the investment necessary for isk management projects

‘Over the past two years or so, many risk departments will have flagged up levels of uncertainty that, in previous times, would have been unacceptable,’ observes Ferri. ‘However, the relationship between risk managers and the bankers and traders they are supposed to monitor is, at best, uneasy.’

This has had two very damaging effects. Firstly, traders have regarded risk managers simply as individuals who do not earn any money for the bank. Secondly, not only have they been seen as over cautious, but also as having the authority to refuse deals and therefore prevent business being done – and bonuses being earned.

Combined with the priority given to profit objectives and the relatively calm markets of recent years, this meant that much advice on risk was ignored as a result. ‘While no one would deny that financial innovation should be encouraged, it needs to be tempered with a thorough analysis of the risks, as well as the benefits, that new products will offer; something that is common practice in many other industries,’ adds Ferri.

‘Lack of risk analysis moving forward will leave the financial industry ripe for – potentially heavy-handed – regulation. Far better that it demonstrates its willingness and ability to adapt to a severely altered economic landscape.’

Box-ticking and silos

Financial institutions may have had risk management procedures in place, but too many suffered from a silo mentality, and often these procedures were not embedded in their day to day operations and so failed to feature in key strategic decision making, suggests Stephen Roberts, leader of broker Marsh’s strategic risks practice.

‘The focus was on the box ticking element, with particular emphasis on Basle II, and was built into their financial models,’ he says. ‘But the risk management systems employed failed to take into consideration the organisation’s wider risk footprint. The heavy financial focus did not extend to strategic issues.’

Yet a survey carried out last year by Marsh on companies that suffered major drops in their share price found that in 87% of cases the sell-off was triggered by strategic issues rather than financial issues.

Other sectors are just as liable to focus on financial risk and neglect strategic risk. The silo mentality is not restricted to financial institutions, says Ian Sloggett, sales director of the energy division at banking software group, Temenos. It is also prevalent in other industries, such as energy, particularly where a company has different reporting lines.

“The Buncefield oil depot explosion shows the potentially devastating impact of a low probability event

Those sectors that are a little ahead of the field in their thinking include telecommunications, says Roberts, due partly to its own experience of boom and bust at the start of the decade. Telecoms companies are now relatively sophisticated in, for example, their assessments of the potential offered by joint venture partnerships and measures to reduce the rate of ‘churn’ so that existing customers are retained as new ones are added.

Multinationals with diverse locations around the world and complex supply chains have also been able to raise their game. ‘Because of their diversity, complicated issues are forced onto the table and risk management is better embedded as a result,’ he adds.

The suddenness and sharpness of the downturn has seen a doubling over the past year in the number of inquiries received by Marsh from companies interested in risk management. At the same time, Roberts says company finance directors have become much more willing to agree the investment necessary for risk management projects. ‘Organisations no longer regard it as a discretionary spend, but a proactive tool that can help prevent nasty surprises.’

A major motivator is the evidence from the finance sector of what can be lost. A serious repercussion from the lack of due diligence and proper risk assessment is that the City’s competitive edge is now in danger. Outspoken private equity boss Jon Moulton of Alchemy Partners has warned that financial services, the only industry where the UK remains a world leader, could move out of London.

Meanwhile a new financial landscape will be marked by ‘plain vanilla banks that people trust; that just do loans and savings – banks that regulators can regulate,’ he predicts. Indeed, the FSA’s Sants admitted that stifling innovation could well be the price paid for closer regulation.

Mike Bush, head of product development for software and consultancy group Business Control Solutions (BCS) hopes that this is an overly pessimistic scenario. He was among the founders early last year of the Operational Risk in Investment Banking Operations (ORIBO) Forum, which aims to organise regular meetings for key industry figures to establish standards that will reduce operational risk in investment banking operations.

‘The real focus for us is what people define as being operational risk,’ he observes. ‘Traditionally, it was how much capital you set aside to convince the regulator of your financial stability. There is, however, now much more of a focus on the money you set aside for all of your various activities.’ There is also less talk about new formulas and yield curves, as the focus shifts to accountability and transparency and from numbers to issues.

‘The banks put together a hefty regulatory reporting bank, which effectively was a great big data dump,’ says Bush. ‘But the regulator was unable to take any meaningful data from this mass, nor detect systemic risk.

‘My hope is that there is sound thinking behind the proposed concept of a global regulatory body, but it’s very idealistic. There is a need for recognition that there is simply too much information to process. It has to be replaced with a focus on less, but more specific data.’

“There has been no shortage of post mortems on why financial institutions failed so spectacularly in their management of risk

Banging the drum

Enterprise risk management (ERM) offers companies in both the finance and non-finance sectors a means of capturing the issues involved in executing their various business processes. But measuring the actual value of both risk management and ERM is a relatively recent development. Standard & Poor’s announced last May that ERM assessment is to be added to its credit ratings analysis for non-financial corporations and AIRMIC’s report on quantifying ERM’s benefits was published last summer.

These initiatives should help dispel a common perception that risk management adds a further layer of constraint to everyday activities. This was captured in Nassim Nicholas Taleb’s best seller The Black Swan, comments Stuart Selden, manager of the business risk consulting group at FM Global.

‘If you’ve read his analogy of 9/11, you’ll remember his observation that, had a regulation been passed a day earlier that all airline cockpit doors were henceforth to be locked, then the tragedy could have been averted. But the decision would also have provoked enormous criticism.’

He suggests that assessing the value of a company’s risk management processes rests largely on assessing all of its business activities, and the potential losses and scenarios that active risk management has helped either to avoid or mitigate.

‘For example, the loss of a key supplier who can’t be immediately be replaced will produce losses that insurance can’t fully compensate for. Inability to deliver your product to market means a loss of reputation as well as a loss of revenue.’

A classic example that he cites is the delayed launch of Boeing’s 787 Dreamliner. Production was held up by strikes, poorly-trained workmen, computer glitches and, most embarrassingly, problems encountered by subcontractors carrying out extra work who were unable to obtain basic components.

Selden would also like risk management to focus less on the probability of events and more on their potential impact. ‘An event that is seen as low probability tends to be dismissed, but an example like the Buncefield oil depot explosion shows the potentially devastating impact of a low probability event.’

He agrees that risk management role has been regarded more as a means of implementing requirements rather than as proactive. However, he believes that if it is seen ‘actively working at the coalface’ it will be taken more seriously.

Roberts adds that the major public expenditure projects being planned by many countries will further encourage the development of risk management. ‘In emerging markets such as Dubai, Abu Dhabi, Poland and the Baltic States, there is a drive to ensure that best practice is employed. For finance to be realised for their key projects, companies must demonstrate that risk management is in place and they have confidence in their systems.’

But the cause of risk management will also be helped by risk managers banging the drum more loudly, adds Selden. ‘Risk management is regarded most seriously in companies where they have been most vocal in proclaiming its virtues, and gained the respect of operations managers.’