As market conditions change, investors tune their strategies
to "risk on" or "risk off." In risk management, however, "off" is not
an option. Five to seven years ago, the financial risk
management switch was turned off in too many places, and we
know how that turned out.
Risk management has certainly been turned on since the
depths of the 2008-09 crisis, but is it everything
it needs to be to deal with whatever twist, turn or turmoil
comes next? Recent events do not instill great confidence.
"Consider the failures of MF Global and Peregrine
Financial, the risk management failures at J.P. Morgan, the
abuses surrounding Libor or the financial threats from
Europe," U.S. Treasury Secretary Timothy Geithner said in
July. The work is not done. We still have unfinished
Geithner made those remarks at a meeting of the Financial
Stability Oversight Council, the superregulator created by the
Dodd-Frank Wall Street Reform and Consumer Protection Act to
look out for systemic risks. Two weeks later a software glitch
at market maker Knight Capital Group touched off 45 minutes of
stock market chaos. It was the latest of several incidents
pointing to potentially devastating operational and financial
vulnerabilities related to high frequency trading.
There will always be new risks to mitigate and adverse
events to react to. But if the current risk management system
looks too much like a game of Whac-a-Mole, there is, as
Geithner suggested, much hard work to be done.
To be sure, risk management has come a long way. Financial
institutions have raised the stature of risk executives and
given them authority they previously lacked to sound alarms or
veto initiatives deemed dangerous to long-term safety or
profitability. Risk, compliance and audit responsibilities have
been more precisely defined and better orchestrated.
Risk management and related control functions within a
financial institution and regulatory supervision from outside
are seen as two sides of the same coin. Risk managers talk to
regulators, and both have lines of communication to boards of
directors. The Securities and Exchange Commission has adopted
a policy to proactively engage senior management and
boards to discuss critical business, risk and regulatory issues
and support effective regulatory compliance and risk
management, Carlo di Florio, director of the SEC's
Office of Compliance Inspections and Examinations (OCIE), said
at an agency compliance forum in Washington in January.
Achieving a consensus on governance is all to the good, and
necessary to avoid repeating past mistakes. But it is not
sufficient to deal with some of the thornier issues revolving
around technology and the accelerating pace of change and
innovation in financial markets.
The first line of defense for supervising risks
should reside not in risk management departments but rather in
business units, di Florio said. The frontline businesses are
backed up by risk and compliance (the second line of defense)
and, in turn, by internal audit.
At the Institute of Internal Auditors international
conference in Boston in July, Wells Fargo & Co. deputy
chief auditor Karl Riem described how the lines-of-defense
approach applies to the validation and testing of financial
models: Developers of the models are the first line, backed up
by risk management and, ultimately, internal audit.
There is just one problem. Auditors have to understand
quantitative modeling enough to provide a strong and
credible challenge when appropriate, Riem said, and
finding talent is a war. (Conversely, quants
don't know audit, said Riem, who recommends
basic skills training to bolster that first line of
Regulators are similarly challenged, and they are competing
for the same talent. The SEC's di Florio pointed out that
his agency has been recruiting experts to deepen program
knowledge in derivatives, hedge funds and other
specialties it has lacked.
One of those experts, Erozan Kurtas, an OCIE senior examiner
focusing on quantitative algorithms and computerized trading,
told a recent data modeling symposium at Stevens Institute of
Technology in Hoboken, New Jersey, that "we need a robust
risk and compliance process based on technical and quantitative
analysis." Because models and systems evolve faster than
risk and compliance, traditional compliance needs to
become quantitative compliance. Financial engineering requires
compliance engineering and compliance departments
should be hiring quants.
As Nobel economics laureate Myron Scholes has said,
"The regulations and rules that are put in place have to
be as dynamic as those who are trying to innovate." It is
not an easy dynamic, and it will take time to get right.