Turning On the Risk Management Switch

In the wake of a series of risk management failures, regulatory and control functions are converging, as they must, but the systems need more work.

As market conditions change, investors toggle their strategies between "risk on" and "risk off." In risk management, however, off is not an option. Five to seven years ago, the financial risk management switch was turned off in too many places, and we know how that turned out.

Risk management has certainly been turned on since the depths of the 2008–’09 crisis, but is it everything it needs to be to deal with whatever twist, turn or turmoil comes next? Recent events do not instill great confidence.

“Consider the failures of MF Global and Peregrine Financial, the risk management failures at J.P. Morgan, the abuses surrounding Libor or the financial threats from Europe,” U.S. Treasury Secretary Timothy Geithner said in July. “The work is not done. We still have unfinished business.”

Geithner made those remarks at a meeting of the Financial Stability Oversight Council, the superregulator created by the Dodd-Frank Wall Street Reform and Consumer Protection Act to look out for systemic risks. Two weeks later a software glitch at market maker Knight Capital Group touched off 45 minutes of stock market chaos. It was the latest of several incidents pointing to potentially devastating operational and financial vulnerabilities related to high frequency trading.

There will always be new risks to mitigate and adverse events to react to. But if the current risk management system looks too much like a game of Whac-a-Mole, there is, as Geithner suggested, much hard work to be done.

To be sure, risk management has come a long way. Financial institutions have raised the stature of risk executives and given them authority they previously lacked to sound alarms or veto initiatives deemed dangerous to long-term safety or profitability. Risk, compliance and audit responsibilities have been more precisely defined and better orchestrated.

Risk management and related control functions within a financial institution and regulatory supervision from outside are seen as two sides of the same coin. Risk managers talk to regulators, and both have lines of communication to boards of directors. The Securities and Exchange Commission has adopted “a policy to proactively engage senior management and boards to discuss critical business, risk and regulatory issues and support effective regulatory compliance and risk management,” Carlo di Florio, director of the SEC’s Office of Compliance Inspections and Examinations (OCIE), said at an agency compliance forum in Washington in January.

Achieving a consensus on governance is all to the good, and necessary to avoid repeating past mistakes. But it is not sufficient to deal with some of the thornier issues revolving around technology and the accelerating pace of change and innovation in financial markets.

The “first line of defense” for supervising risks should reside not in risk management departments but rather in business units, di Florio said. The frontline businesses are backed up by risk and compliance (the second line of defense) and, in turn, by internal audit.

At the Institute of Internal Auditors international conference in Boston in July, Wells Fargo & Co. deputy chief auditor Karl Riem described how the lines-of-defense approach applies to the validation and testing of financial models: Developers of the models are the first line, backed up by risk management and, ultimately, internal audit.

There is just one problem. Auditors have to understand quantitative modeling enough to “provide a strong and credible challenge” when appropriate, Riem said, and “finding talent is a war.” (Conversely, “quants don’t know audit,” said Riem, who recommends “basic skills training” to bolster that first line of defense.)

Regulators are similarly challenged, and they are competing for the same talent. The SEC’s di Florio pointed out that his agency has been “recruiting experts to deepen program knowledge” in derivatives, hedge funds and other specialties it has lacked.

One of those experts, Erozan Kurtas, an OCIE senior examiner focusing on quantitative algorithms and computerized trading, told a recent data modeling symposium at Stevens Institute of Technology in Hoboken, New Jersey, that “we need a robust risk and compliance process based on technical and quantitative analysis.” Because models and systems evolve faster than risk and compliance, “traditional compliance needs to become quantitative compliance. Financial engineering requires compliance engineering” — and compliance departments should be hiring quants.

As Nobel economics laureate Myron Scholes has said, “The regulations and rules that are put in place have to be as dynamic as those who are trying to innovate.” It is not an easy dynamic, and it will take time to get right.

Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.
