Banks have not learnt lessons on risk management
It is clear that the banks that paid huge sums to financial engineers to fill their balance sheets full of toxic waste stopped digging their way into that hole rather quickly after the shock of 2007 and 2008 and have spent the time since trying to dispose of assets and garner the financial wherewithal to write down or at least reserve against those they can’t sell.
They have also sought to reduce dependence on flighty, short-term funding in the wholesale markets. And all that is well and good, though it would be quite extraordinary for banks to do anything else after the Lehman crash.
It would be a mistake to deduce from all the effort being put into cleaning up the last mess, after it was cruelly exposed, that banks are inherently better risk managers now than they were between 2005 and 2007.
In between negotiating on behalf of international banks on the Greek bailout deal signed in July, the Institute of International Finance (IIF), the global banking industry’s leading trade association and lobby group, found time to put out two new reports on banks’ efforts to rebuild their risk-management capabilities.
They are the two most depressing reports Euromoney has read since the crisis struck because they reveal just how poorly, even by their own no doubt generous self-assessment, the banks have performed.
Risk IT and operations: strengthening capabilities was compiled by McKinsey on a sample of 39 large international banks that filled out questionnaires and 10 more that submitted to in-depth interviews. One can only assume that an element of self-selection must have been at work and that it will have been mainly the most proficient that volunteered their experiences. The report makes troubling reading.
In the run-up to the disaster of 2007 to 2008, many banks had originated or acquired portfolios of US housing loans that were deemed to be low-risk simply because they were diversified. They carried a mix of exposure to housing markets in many states. It was somehow deemed unlikely that these markets could ever all collapse at once and so the risks were deemed to be prudently managed.
Such judgements needed a common-sense check from senior management that could also take into account other sources of accumulating correlated exposure. It wasn’t just piling up in mortgage loan books. It was also in securitization warehousing and indirectly in SME loans secured against housing and even in interbank exposures.
It soon became clear that banks’ systems were incapable of delivering a holistic view of their potential losses in the event of a sudden and sharp decline in a single asset class.
The IIF report shows that an enormous amount of work still remains to be done before risk IT systems can deliver this most basic requirement. It suggests that at many banks the quality of data gathered at the outset when putting on exposures might be inadequate; that this data is then often stored in siloed systems that can’t talk to each other – a problem particularly acute for banks that have built from serial mergers and acquisitions – and that the internal models through which the data is calculated to provide risk reports to senior management are often inconsistent.
This is the fundamental stuff of banking. It has been overlooked in the rush by regulators to impose new capital requirements on banks, to limit leverage, demand higher liquidity buffers and curtail businesses such as proprietary trading. Investors in bank debt and equity have also fixated on capital ratios and drawn comfort from improvements in these. But low leverage is no protection if banks still can’t put on the right risks or gauge their aggregate exposures.
The average firm surveyed by McKinsey spends just $170 million annually on risk IT and operations now and expects to spend an extra $80 million above this each year for the next five years. Big deal. This is peanuts compared with the costs banks’ shareholders and national economies bore from the near collapse of the financial system. And it is a core operating cost of being in the risk business. Banks must bear it in their margins, not dismiss it as an exceptional imposition of meddling outsiders.
If banks can’t manage risks properly, they shouldn’t take them on. Regulators would do well to reinforce that point to bank managements with the threat of requiring them to withdraw from businesses where they appear to be accumulating exposures they cannot manage because of inadequate IT and operations. Shareholders should press boards of directors on this issue too.
Shareholders should also take a close look at the second IIF report, Implementing robust risk appetite frameworks to strengthen financial institutions. This carries just a handful of case studies from Australian and Canadian banks that appear to lead the field in articulating a clear outline of how much risk, quantified in potential loss of earnings and economic capital, they are willing to take in aggregate and across classes of risk.
Again this goes to the heart of banking. Yet it appears that banks are struggling to make progress in establishing a clear notion of risk appetite as a central part both of the conduct of day-to-day business and of strategic planning for which markets to compete in and what returns to target.