During this tumult, I often see someone say, "we should pay risk management as much as the dealmakers". When I was in risk management and went to conferences, there were three common themes:
1. Risk management is not a model, but good judgment (don't quiz me!)
2. Good Risk management starts at the top (I should be on the Management Committee)
3. You need to pay for good risk management (give me a raise)
But the problem with paying risk management as much as the business lines is that risk management is about preventing improbable events from happening, and so it is very difficult to know if they are doing a good job. Someone might say, this is a great risk management system, but the problem is that for 8 years out of 10, there is no difference between a great and poor risk management system. Then, when the cycle does crash, and your crackerjack team of risk managers prevents the Commercial Real Estate disaster of 1990, you will find your team overconfident, and constraining Commercial Real Estate when it flourishes (ie, post 1990). The next area of interest, Telecom, had a different risk profile, and so your team will probably be focused on poor Commercial Real Estate--i.e., past risk management success on the 'big themes' is not as relevant as it may seem.
Any job that is difficult to monitor with hard data, does not encourage excellence, or highly motivated, smart people, to go there, for the simple reason that, without objective metrics to assess performance, a huckster who focuses on irrelevancies looks too much like someone who focused like a laser on the essentials. Excellence is relatively unrewarded in risk management, so the excellent tend not to go there. Not that there are not many excellent people in risk management, merely that, on average, the business lines are better.
A final point is that risk managers tend to be generalists, looking at a variety of businesses. For example, any risk manager with a modest amount of responsibility will be in charge of several very different products, like consumer and commercial loans. These loans have very different characteristics, as consumer loans tend to have high average charge off rates that very 2 or 3 fold over the cycle, where many commercial loan areas have near zero losses in good years, and 5 or 20% losses in bad years. The collateral is different, with different legal recourse when going after an individual’s assets versus a business where you often hold their property or inventory as collateral, leading to different recovery rates and timing. But this difference is true for really any level of detail. A loan to a Health Care provider would be very different than a loan to a hotel, even though they are both commercial’ loans. While there are common themes, such as standard financial ratios to examine, the key checklist of of bona fides vary by business line, and the business line managers tend to understand these nuances better than the generalist risk managers who independently evaluate them. Risk management is necessarily more big picture, and ignores many important line-specific information that materially affect a line’s prospects. Nonetheless, it’s value remains because of its independence.
So you have ‘risk management’, whose value as an independent oversight is necessary to keep people honest, but they are generally not as smart or knowledgable as the business line they are monitoring. Their quality is difficult to evaluate directly, as the infrequency of the events they are avoiding makes it impossible to tie a bonus to, say, the avoidance of a large loss. Thus ‘risk management’ professionals are more like audit than the business line, more rationalizers, and information reporting. Just as everyone says nice thing about police officers, but these people generally are not paid particularly well and they are generally not insanely bright, so it is with risk management.