Once the world of finance (and the world beyond, too) learned about JPMorgan's earth-shaking $2 billion-plus trading loss from credit derivatives, the finger-pointing and the blame-gaming started. Where were the risk-management units? How and why weren't the risks of these large positions properly managed? How could what began as efforts to manage credit risks with portfolio hedges end up as shocking market losses and a three-headed monster out of control?
In financial institutions, in stable times, when profit engines hum and business is brisk, risk-management units remain quietly out of view. They aren't glamor-seeking or aren't permitted to be. You won't see risk-management "stars," as much as you do among the deal-doers in investment banking, particularly in M&A, venture capital or private equity.
Nonetheless, if they are doing their job, senior managers in risk management in normal times are as busy as ever. They touch all aspects of the institution's business. They are charged with managing risks of all kinds--including those related to exposures, counter-parties, borrowers, portfolios, trading positions, and balance sheets.
They are also responsible for anticipating unforeseen risks, "tail" or unexpected scenarios, or even catastrophic events. They must unveil plans to manage these scenarios. They must implement programs or procedures to reduce or minimize existing risks (positions, exposures, borrowings, etc.), if they conclude it is necessary.
When you read about a financial institution involved in a big deal, large transaction, an IPO, or a notable underwriting or learn about its revenue increases, new clients, and expansion to foreign sites, risk-management units are hardly mentioned, even if they are intimately involved in reviewing and approving all such business activity. On the other hand, when you hear about the sudden losses at or demise of such institutions as Washington Mutual, Lehman Brothers, or Bear Stearns, everybody--from pundits to regulators--asks, "Where was the risk-management unit?
"Why couldn't it have prevented the collapse or loss? Who approved the transaction, trade, client, counter-party, or deal? Why didn't it reduce the portfolio of loans or hedge the trading positions or notice the operations hiccups or problems in the documentation?"
Often in these upsetting moments, risk management becomes the scapegoat, and the problems, errors or flaws tend to be related to one or more among the following:
1) Lack of sufficient authority to enforce policies, procedures, limits, and approvals, because risk managers aren't empowered to hold the line with investment and corporate bankers, salesmen and traders.
2) Lack of proper information or delays in sharing details about borrowers, trading positions, balance sheets, and risk exposures (sometimes caused by a reluctance of business lines to admit to errors in judgment or by problems in systems in collecting and summarizing information quickly)
Risk-management units in many places sometimes spend as much time gathering data about clients and trades, ensuring the information is correct and up to date, as they do in analyzing counter-parties, markets, exposures, and portfolios and making the right decisions.
3) Inability to anticipate unforeseen or unusual risks, because of lack of understanding of markets and borrowers, because of too-complex trading and risk models, or the naive conviction that the worst cases won't happen.
4) Over-reliance on complex risk models, familiar techniques and conventional approaches. A reluctance to assess risky scenarios in new, unconventional, more appropriate ways.
5) Inability to quantify the true, actual scope of risks because of flaws or failures in some of the above and in information and analysis. Risk managers may not know the exposure, loan, or trade is as large as it is, because they can't quantify it properly.
6) Neglect because certain risks or risk functions were not prioritized, checked or given proper attention. Risk managers put the issue on the shelf and dismiss it until it is too late--after the big trading loss or after the client files for bankruptcy.
7) Errors in judgment, caused by inherent biases in decision-making or conflicts of interests. Risk managers are not able to assert themselves (and make decisions) independently because they are "trying to help" business and marketing managers achieve profit goals or are also trying to maximize revenues, returns and profits to get a share of bonuses.
At Lehman and Bear Stearns, risk managers weren't empowered or authorized to hold up the stop sign or call time out when their balance sheets grew to excessive levels of leverage or piled on too much in mortgage-related assets. Or risk managers, too, were delusional in their perception of mortgage markets or what they deemed were adequate levels of capital. Refco, the futures and commodities firm that went bankrupt in 2005, was a victim of accounting fraud by one of its own senior managers. At AIG, risk managers didn't have control over the activities of its financial-products subsidiary and made blatant errors in the analysis of mortgage-related risks.
At Merrill Lynch, we learned, risk managers simply lacked authority to control undisciplined trading activity. At Long Term Capital, traders acted also as risk managers and stubbornly believed in their models ("relative-value trading") without acknowledging the worst-case scenarios or "tail" events. At JPMorgan, it's too early draw conclusions. Risk managers, we know now, attempted to manage other portfolio risks. But it elected to use complex trades. In the process, overall risks spiraled out of control, partly because they didn't project extreme cases in the credit-derivatives markets.
The risk-management function at large financial institutions has evolved in many ways the past two decades. Once, risk management at banks and broker/dealers meant credit analysis, credit approvals, and reviews of counter-parties. Somewhere along the way (the early 1990s perhaps), risk management assumed responsibilities for credit and loan portfolios, trading-related counter-parties, collateral risks, country and political risks, and all forms of market risk from trading positions.
Today, at the largest institutions, risk management's domain is as expansive as the organization's business--touching almost all functions and expanding to all regions and businesses. In recent years, experts say risk managers must approach the role as "managers of enterprise risk" (the entire organization and all its functions), not just isolated credit and market risks in certain business areas.
Risk managers today and going forward will be asked to oversee, analyze, project, manage and reduce (if necessary) risks related to the following.
1) Credit and counter-party risks, which include the risks of lending money, doing any kind of business with corporations, individuals and government entities, and executing and maintaining securities and derivatives trades with the same. This includes long- and short-term risks, collateralized and unsecured risks.
2) Market risks, which include all forms of risks from trading and/or maintaining positions in all securities and derivatives transactions. This includes risks from positions related to market-making, brokerage, specialist, clearing, and proprietary-trading activities. And it includes long- and short-term trades or mere settlement or clearing activity.
3) Operations, systems, and processing risks, which include risks arising from executing trades, doing money transfers, collecting and sending out data, processing and clearing securities, accepting and holding collateral, and systems glitches.
4) Documentation, regulatory and compliance risks, which include all risks tied to legal and regulatory issues and the documentation behind all business activity.
5) Reputation risks, which was popularly added to the lists of risk management's responsibilities the past decade and includes reputation issues that arise from doing business with questionable clients or in certain areas around the world or doing business in a questionable way.
6) Country and political risks, which include risks in conducting businesses in certain countries and geographic regions.
7) Collateral risks, which include risks of accepting certain types of collateral in transactions (including securities, cash, and hard assets) and risks that the collateral is under-valued or not transferable in certain cases.
Risk-management units juggle all of these responsibilities, try as hard as they can to grasp, scope and quantify these risks, do all they can to project and anticipate worst cases, and are expected to have a plan for how to manage and reduce them. Miracle workers, some say, who must also have a solution, a game plan, an alternative, or simply a way out.
Over the past two decades from Drexel Burnham to Washington Mutual, we've seen it all, or always thought we saw it all, until the next shocking loss by another big institution. But through it all, while fingers pointed directly to risk managers, the role of risk management always emerged as important as ever.
See also CFN: Dimon and Bank Regulation, May 2012
CFN: Risk Management: Opportunities in 2012
CFN: Risk Management and MF Global's Demise, 2011