Risk management systems: Not fit for purpose
Many banks still can’t articulate a clear framework for taking on risk, and repairs to their failed risk IT systems are years from completion.
There have been an awful lot of reports into banks’ risk-management failures since 2008 and long lists of recommendations on how to improve things: so many that it’s a fair bet hardly anyone reads them anymore. But bank shareholders should read the latest two, produced last month by the leading international banks’ trade association, the Institute of International Finance. They’re shocking.
The larger of the two reports, Risk IT and operations: Strengthening capabilities, was compiled by McKinsey. It is based on quite a small sample of 39 leading banks that filled out questionnaires and 10 that submitted to more in-depth interviews. It is likely that a degree of self-selection would lead only the more proficient to volunteer assessments of their risk-management capabilities. Yet reading through the report is a far from reassuring experience.
Improvement is crucial
Improving risk-management systems is crucial for the industry. At the most obvious level, after the disaster of 2007-08, it became clear that banks’ systems were incapable of delivering a holistic view of their potential losses in the event of a sudden and sharp decline in a single asset class.
Today the IIF report shows that an enormous amount of work still remains to be done before risk IT systems can deliver this most basic requirement. It suggests that at many banks the quality of data gathered at the outset when putting on exposures might be inadequate; that this data is then stored in siloed systems that still can’t talk to each other – a problem particularly acute for banks that have been built from serial mergers and acquisitions – and that the internal models through which the data is calculated to provide risk reports to senior management are often inconsistent.
This is the fundamental stuff of banking. It has been rather overlooked in the rush by regulators to impose new capital requirements on banks, to limit leverage, demand higher liquidity buffers and curtail businesses such as proprietary trading.
It is just as well that regulators have been quick to require banks to carry more insurance. They have had an inside seat to see that the industry isn’t doing a particularly impressive job of improving risk management. Even worse, the banks seem to expect sympathy for the expense of upgrading their inadequate systems.
In fact, the cost of improving risk IT is peanuts compared with the costs banks’ shareholders and national economies bore from the near collapse of the financial system. The average firm surveyed by McKinsey spends $170 million annually on risk IT and operations now and expects to spend an extra $80 million each year for the next five years. Big deal. This is a core operating cost of being in the risk business. Banks must bear it in their margins, not dismiss it as an exceptional imposition by meddling outsiders. And if banks can’t manage risks properly, they shouldn’t take them on.
Regulators would do well to reinforce that point to bank managements, with the threat of requiring them to withdraw from businesses where they appear to be accumulating exposures they cannot manage because of inadequate risk IT and operations. Shareholders should press boards of directors on this issue too.
Shareholders should also take a close look at the second IIF report, Implementing robust risk appetite frameworks to strengthen financial institutions. This covers just a handful of case studies from Australian and Canadian banks that appear to lead the field in articulating a clear outline of how much risk, quantified in potential loss of earnings and economic capital, they are willing to take in aggregate and across different markets.
Again, this is the fundamental stuff of banking. Yet it appears that banks are struggling to make progress in establishing a clear notion of risk appetite as a central part both of day-to-day business conduct and of strategic planning about which markets to compete in and what returns to target.
Many banks are now promising shareholders that they will improve returns on equity that have come in below the cost of capital as banks coped with the immediate aftermath of the financial system breakdown of 2007-09. If those promises are not made in the context of an adequate risk appetite framework, however, shareholders must wonder if they are anything more than an undertaking to pile on more risk that banks are still ill equipped to manage.