It is clear now that too many banks, during the years leading up to the credit crunch, employed a strategy combining a strong offense (aggressive investments) and a weak defense (little scrutiny). But a strong defense need not impede aggressive business growth. A robust risk management culture is marked by three characteristics:
Sustainable risk/return thinking. Top management and the front office itself must demonstrate clear thinking about risk/return trade-offs. Risk managers have two primary responsibilities: developing sustainable strategies and tactics to keep risk and return proportional, and providing top management with an independent control mechanism if front-office discipline fails.
To earn respect from the front office, risk managers must be of the highest caliber. They must be capable not just of challenging any negative swings in performance, but of helping executives understand the causes of peaks. Price limits for investment purchases or sales and other basic controls must be respected. Limit setting and limit monitoring must be accompanied by mechanisms with teeth; for example, risk managers must have the ability to fire regular violators of risk limits rather than just slapping their wrists. And traders must be forced to take holidays; rogue activities are much easier to check when the perpetrators aren’t on site to cover them up.
Usable, up-to-date information. Both the front office and top management must have reliable and consistent information on the positions and risks they are taking. Above all, risk managers must understand how the front office is or is not making money. Deconstructing the drivers of profit or loss needs to become the prevailing mentality. Discussions about new products, existing and new positions, and other issues must be broad and not restricted to methods for meeting quarterly targets or other short-term goals.
To go beyond the traditional role of “limit cop,” risk managers need to develop a deep understanding of whether the bank’s portfolio is overly concentrated in particular investments and whether the relationship between investments and their underlying value is transparent. In doing this, risk managers can determine what constitutes an early warning signal and what does not. If top risk management professionals do not have this authority and these tools, they will migrate elsewhere.
An in-depth oversight process. The auditing function often fails to provide independent and objective oversight. Instead, auditors see their assignment as a box-ticking exercise to ensure compliance, with limited critical review of potential weaknesses. That must change. A strong critical approach to each functional discipline must also be developed, involving far more insight and internal consultation beyond simply “checking the checkers.” After reviewing the securitization process, for instance, the internal audit team could identify and bring to the board’s attention potential flaws such as overreliance on rating agencies.
To accomplish this, auditors must possess not only extensive knowledge of the business — how the front office makes money — but also clear comprehension of the risk management discipline. In topnotch organizations, audit and finance teams blend strong process and IT know-how with an in-depth understanding of the business and risk. For example, audit teams investigate and validate mark-to-market positions, ensuring the integrity of information as it passes from one system to the next.
Audit findings then need to be acted upon. Audit items cannot be allowed to remain open quarter after quarter, with no consequences for the executive who fails to act on them. A more disciplined approach is required, with senior executives taking the leading role.
The ultimate goal is a culture that combines healthy risk taking with effective risk management. It takes a total, unmistakable, continual, and widely communicated commitment from the CEO to make this shift. Companies and banks that accomplish this will be much better equipped to weather the next set of economic storms.
Peter T. Golder is a principal with Booz & Company in London. He specializes in corporate strategy, restructuring, postmerger integration, and risk management for global banks and financial intermediaries.
Thorsten Liebert is a principal with Booz & Company in Frankfurt. He specializes in strategy definition, restructuring, and risk management for leading banks in Germany, the U.K., and Russia.