Rebuilding Financial Risk Management

Published in Risk Management Magazine in April, 2009

http://www.rmmagazine.com/MGTemplate.cfm?Section=MagArchive&NavMenuID=304&template=/Magazine/DisplayMagazines.cfm&Archive=1&IssueID=334&AID=3875&Volume=56&ShowArticle=1

By Vincent H. O’Neil

Rebuilding faith and confidence in the financial services industry will take a long time, but the best

place to start is with financial risk management. This cannot be mere window dressing; the end product has

to be a risk management system that engages every financial institution employee from the CEO down. The

current situation can be traced to risk management failures at every level, so it only makes sense that the

solution should exist throughout all levels as well.

 Risk management should not be viewed as a

department. Risk management is a system, an attitude and a climate—and everyone is a risk manager. 

Everyone is a Risk Manager

Risk Management is Everyone’s Job

With so many people working in risk management positions, with reams of rules regarding acceptable exposure, and with million-dollar modeling and monitoring technology, why does financial

risk management so often fail? 

When business is good, it’s easy to assume that nothing is wrong and that nothing is going to go wrong in the near future.

Complacency can blind an institution to potential reverses, and it can stop people from speaking out when they think something

might be wrong. 

Many of these people remain silent because they believe risk management is someone else's job, or they doubt their own

understanding of the situation they are observing. A sound risk management system trains and motivates employees at all levels to examine their own business practices, even when everything

seems fine, and to raise any issues they might find. 

Managing in an Incentive-based World (1)

The private sector is also an incentive-based world, however, and those incentives—if properly

administered—usually yield improved performance. Unfortunately, they can also create circumstances where employees and managers break or ignore the rules in a quest for further

compensation. 

Individual and department-level incentives are effective motivators, but they can tempt people to

do the wrong thing.

Individual and department-level incentives are effective motivators, but they can tempt people to do the wrong thing.

Employees can knowingly enter into bad deals in order to improve their bonus numbers. Managers can fall into this trap as well, ignoring violations of corporate policy in the name of

helping their departments meet assigned business goals.

At all levels, the institution's management must actively discourage the pursuit of short-term gains that violate the

institution's rules or risk management fundamentals.

Every employee must be made to understand the genuine danger represented by bending the rules, using historical

examples ranging from the demise of Barings—formerly the oldest British merchant bank—to the events of 2008. 

Managing in an Incentive-based World (2)

If not properly administered, incentives pose the additional threat of creating an unhealthy risk

management climate. In such an atmosphere, risk managers—and the rules they enforce—come to be regarded as obstacles to be overcome or avoided.

When not supported by management, risk managers can become marginalized to the extent that the institution's

rules can be ignored.

Such an atmosphere can have far-reaching effects: If the management fails to enforce risk management

regulations, their employees can come to view all of the institution's rules as being open to interpretation. 

Managing in an Incentive-based World (3)

The Danger of Ignorance (1)

Ignorance is another hurdle to effective financial risk management.

During the long economic boom of the 1990s, it was noted that many of the junior analysts in the financial

industry had no personal experience of a bear market. Although recent events have clearly demonstrated that risky practices can have

cataclysmic consequences, those lessons can be quickly forgotten. 

Unacceptable risk is frequently accepted by people who fail to recognize the hazard in the first place.

The Danger of Ignorance (2)

Ignorance of the real consequences of a risk management failure can make an institution's risk regulations seem

unnecessary, and even silly. 

Training is the answer to ignorance, and one of the most important goals of risk management training is convincing

all employees that the danger is real.

Risk management training must be an ongoing process, linking real-world case studies to explanations of the

institution's control mechanisms. The recent examples of Lehman and Bear Stearns serve as a reminder that risk management failures can cost many people their jobs. 

The Danger of Ignorance (3)

On a related note, technology has the capacity to create a kind of passive ignorance that is quite dangerous to an

institution's risk awareness.

While technological monitoring is a valuable tool, overreliance on technology can create risk "blind spots" where financial modeling and risk-warning systems come

up short. These blind spots can be missed if the employees using these systems are not trained in risk management

fundamentals.

At the very least, employees must be made to understand that the machines only do what they are programmed to do,

and that only humans can expect the unexpected.  

The Culture of Fear (1)The final—and perhaps the most difficult—challenge is

overcoming the culture of fear. Concern over "not measuring up" and "not rocking the boat" can cause

individuals to remain silent when they should speak out.

Such silence strikes against the heart of the risk management climate, which seeks to create teams of

redundant watchers trained to raise the alarm. 

Just as incentives can encourage individuals to make questionable deals, concern over a job can tempt

employees to exaggerate the advantages of a potential transaction (or the creditworthiness of a potential

customer) in order to bring in business and keep pace with their colleagues.

It is the duty of the institution's management to create an atmosphere where this will not occur. 

The marginalization of risk managers was mentioned earlier, but there is a similar circumstance, closely related

to fear, in which the risk managers are at fault.

This is the case of co-opted risk managers, who so closely identify with the departments and people they monitor that

they fail to report violations of risk fundamentals.

Risk managers are human, and the fear of being regarded as interfering or unreasonable by the people they see every

day can cause them to become nonentities.

The risk management hierarchy must be on the lookout for cases like this, and should consider a rotational system that

prevents long association from becoming a problem. 

The Culture of Fear (2)

What to Do?

Given all the factors opposing a proper risk management culture, attempting to overcome them all can seem daunting. But by focusing on four areas, organizations can build a top-down and bottom-up risk management system:

1. Senior Management Emphasis

2. Training at all Levels

3. Monitoring

4. Corrective Action 

Senior Management Emphasis (1)

Senior management must take the lead in creating a risk management climate that encourages every employee to

study, understand, and monitor risk.

This cannot be a one-time, or even a once-a-year, thing. Creating a risk management climate is an ongoing effort: 

The CEO as chief risk officer: Although the institution can still have a chief risk officer, the entire senior management team must be seen promoting risk awareness. This will not only

motivate subordinates to do the same, but also serve to reinforce the importance of this effort.

One possible route is to treat this like an internal advertising campaign, with posters and videos showing various

employees, from senior management on down, stating, "I am the chief risk officer." 

Senior Management Emphasis (2)

Frequent, meaningful reminders: Senior management has a role in creating a sustainable level of risk awareness, and should take the opportunity to provide some of the instruction themselves. From

breakfast speeches to classroom-style training to off-site seminars, there are numerous ways for leaders to reinforce the institution's

dedication to risk management. 

Do not lead them into temptation: As mentioned earlier, bonus-based incentives can lead people astray, and sometimes for

seemingly good reasons. Only senior management can create an atmosphere in which employees will choose to forgo a

questionable business transaction that would have helped them earn a reward. Only senior management can convince employees

that obeying corporate regulations will not place their jobs in jeopardy—disobeying them will. 

Senior Management Emphasis (3)

Enforce the rules: All the words in the world will not create risk awareness if violations are not corrected.

Remedial training and verbal reprimands can reinforce an institution's risk management system, but they must be backed up with more serious punishment—including

termination—when appropriate. 

Training at All Levels (1)Building an inclusive risk management system is not an easy

task. Overcoming complacency and ignorance is often a function of motivation, and so the training must convince

employees that risk management is important—both to the institution and to the individual. 

Offer a free, recognized, and transportable risk management certification course: This is an excellent way to motivate employees at all levels to learn the fundamentals of risk management. It can be an internal program, an external certification, or a combination of the two. Offering this

certification, regardless of rank or job, will go a long way toward creating risk awareness at all levels. Best of all, the

employees who complete the course and receive this certification will fully understand the importance of risk

management and know what to look for in terms of risky or fraudulent behavior. 

Training at All Levels (2)

Sustained training: The training effort, though containing some mandatory instruction at set time intervals, must be

more than an annual or quarterly requirement.

Middle and junior management can take part in this without making the time burden onerous.

Using a series of brief lessons, middle managers can reinforce the message that the danger is real by citing

examples taken right from the news that show how people who were not in "risk" jobs made (or could have made) a

difference. 

Training at All Levels (3)

Constant reminders: Flash videos, wall posters, and junior management talking points can serve as frequent reminders

of the importance that the institution places on risk awareness.

To gain the proper impact, these reminders could be focused on the consequences of failed risk management, citing the

number of jobs lost and legal penalties incurred.

This can do a lot to reinforce earlier training showing the dangers of adopting an "everybody is doing it" attitude. 

Monitoring

Most of the risk management structure already in place will remain, including the risk managers themselves and the

technology that measures risk exposure.

As recent events have demonstrated, merely appointing a risk hierarchy and installing risk management software is not enough, even if this system is fully understood and obeyed.

One of the key benefits of establishing a risk management climate in which every employee acts as a risk manager is the exponential increase in monitoring performed by the

extra sets of trained eyes. 

Corrective Action

All the rules, managers, and software in the world will not create an effective risk management system if that system

has no teeth.

One sure-fire way to ruin a risk management system (and destroy the effectiveness of risk managers) is to tolerate

repeated violations.

Punishing violations is not always easy, particularly when the offending party is perceived as a star or rainmaker, but allowing these transgressions to continue brings the entire

system into question.

Corrective action can range from re-training to termination, but it must take place—and the reality of its presence must

be understood by employees at all levels.  

About the Author

Vincent H. O'Neil was employed as a risk analyst for FleetBoston Financial and Bank of America for

seven years.

A West Point graduate, he has been involved in risk management for most of his working life.

He is also an award-winning novelist.

Website: www.vincenthoneil.com

Email: exile.florida@gmail.com