I bet most of your average risk manager's job is not about measuring, monitoring and reporting, for decision-making, but for appearances: to investors, regulators, analysts. Most risk managers don't get invited to the 54th floor corporate board room until regulators appear, then magically they are praised to high heaven. Often this includes obtusely patronizing remarks about how smart they are by senior management in the face of these outsiders, as if, hiring some cast-offs from Los Alamos clearly means there are no problems here! You can't fool people who know lots of math! Bottom line: there are lots of clueless, but high IQ/Education risk managers out there in every firm, which clearly should comfort no one.
The Fed's latest opus, done in conjunction with the G-12ish central banks, has created the Senior Supervisors Group Issues Report on Risk Management Practices, in the process highlighting that risks are still with us. Nothing it says is really untrue, but nothing is new to anyone with a little experience in the field. The specifics are very relevant to the subprime crisis, as if no-money-down mortgage pool CDOs are incipient. It's kind of like the airplane regulations: as if anyone could get away with 9/11 with mere box cutters today (the prospect of imminent death would create an avalanche of crazed vigilantes; pre 9/11 everyone thought it would be a layover in Cincinnati).
We learn that
Some firms’ business models also relied on excessive leverage.ORLY? Would have been nice to read about that pre 2006.
Firms also failed to realize that two important sources of funding, securities lending and money market funds, could impose further demands on firm liquidity during periods of stress.
I doubt there's a banker with rank of VP or above who does not understand that now. Hindsight's pretty good everywhere.
Then there's the
the stature and influence of revenue producers clearly exceeded those of risk management and control functions.
Always has been, always will be. A full-time risk manager is like a figure skater. The best are well compensated, the other 99% are obscurities with status and power about the same as you average LAN administrator.
Alas, this is optimal! Consider a full time risk manager is paid to keep bankers honest, from taking too much risk. They are preventing people from taking on new business, because the risk of default is not 2%, but 4%. Now, such a warning is very difficult to validate, the power of any test to validate is beyond your average risk manager's business life in his current occupation. Thus, as quantitative as risk management is in theory, in practice it is very non quantitative, because the big risks presented by crises happen so infrequently.
This invites a lot of posturing. Many top risk managers are ex-regulators, esteemed academics, or have fancy degrees. When you can't measure the output, you measure inputs. The bottom line is and always has been the degree to which those directly affecting revenue, the business line managers, accurately amortize the expected losses of any capital investment. Their long run success depends on that outcome, which is often binary: heads they win, tails they are fired.
Of course, at the top, these executive's success is less dependent on actual success, because these people are managing people who manage businesses, and so, like Robert Rubin, you can make $100MM without actually knowing he had a lot of mortgage paper on his balance sheet (details!). That's an independent issue, why the managers of managers get paid so much (I'm think there's room for improvement here). For the business line, the guy actually creating the business, at least 3 layers below the CEO, his risk management is essential.
In contrast, the full time risk manager is a dilettante. He does cursory reviews of perhaps 20+ different business lines and so is clueless to the real issues, because anyone spending 1/20th the time on something you do that actually has alpha, and delivers profits (ie,is actually valuable, and so not obvious), cannot be understood with such minimal focus. Yet, he's the guy you show to regulators, or investors, when talking about risk management. Reality is very decentralized, and its a convenient fiction to think that risk can be centralized and managed by the Board, or someone not working in the business day in and day out. Clearly this problem is only worsened if we think about delegating risk management to regulators, who are even further removed.
I think it's a fiction to think one can meaningfully present the risk of any collective via a concise table of numbers. A senior executive should emphasize they prioritize the validation of expected loss forecasts within each business line (at KeyCorp, we had 130 lines of business, and many of these were composites), by obligor (counterparty) rating and collateral (eg, secured by property, or unsecured?). They should note new activities have extra layers of cushion applied to these expected loss estimates. They should then present a set of examples of how risk is broken down in a particular business line (say, indirect auto lending), including actual and expected loss rates by as much granularity as possible (crosstabbing by 5 risk grades, 3 collateral types). They should also highlight any changes to the methodology, because innovation involves change, and data will not be available; that is understandable. The changes should be based on some kind of theory or analogue, or story. This helps the outsider understand why they are doing this, and how it can be validate (ie, why shouldn't people make a down payment? Because house prices always rise!).
They should then invite the analyst to ask for another example, based on the business or product of their choosing, which would imply each line was ready to present their risk. The request would then entail someone from, say, Media Lending, to come up, and explain how they slice up risk, how they validate their loss forecasts by the granularity they present (including lines, loans, and letters of credit), and how pricing, revenue sharing with cash management, and costs of funds, relate (this can highlight conflicts of interest). The presentation should be amenable to a 30 minute presentation; if that is not possible, then clearly they do not have it under control. By letting the outsider choose, they can be confident their questions would be answered similarly if they did this on another business line.
They should note that no one gets a bonus for revenue generated the prior year, but rather, as that revenue is amortized over the life of its duration. If that's a day, fine, but no one walks away making a bonus off capitalized revenue that has not yet occurred.
Risk in any diverse financial organization cannot be summed up by a third party into a scalar. The essence of risk is like the essence of productivity: the parochial knowledge, processes, and incentives of very diverse activities. This is necessarily a detail oriented issue, and the big risks are bad assumptions, not bad math. That is, it was not copulas, or correlations, that screwed up subprime, but the assumption housing prices, in aggregate, would not fall. That's a bad assumption, based on understandable but flawed logic. You cannot appreciate these bad assumptions merely by adding up all their flawed implications and comparing them to total bank capital.