Banks still fall short on risk governance
The Institute of International Finance’s third annual survey of the enhancements banks have made to their risk governance frameworks in the aftermath of the financial crisis it is particularly timely coming so soon after JPMorgan spectacularly dropped the ball in its chief investment office.
Aside from the obvious macro risks pressing in on many banks, they now operate in treacherous, near-broken financial markets. Beyond a few areas of liquidity in the leading currency pairs and the rates markets of the few still sound sovereigns, markets in many government bonds, credit and equity are prone to gapping prices, wide bid-offer spreads and the periodic disappearance of two-way flows. The head of the markets businesses at one of the world’s biggest banks describes it thus: banks can see fires smouldering at the edge of the room and the exits are being closed.
This is a time when banks need clear and accurate pictures of their risk exposures from related asset classes in different business units, clear views on the correlation patterns between asset classes and the ability to get out from under. They need a culture of responsibility for the risks being taken to produce returns.
Patricia Jackson, partner and head of financial regulatory advice for Europe, Middle East India and Africa (EMIA) at Ernst & Young, which compiled the survey, offers some good news. More than half the 75 financial institutions surveyed say they have changed their risk appetite at board level. But that is the very least that investors and regulators are entitled to expect, given the evident failures the crisis exposed.
The bad news is that although banks have at least tried to define a risk appetite to board level, only one-third of those surveyed say that this is even linked to day-to-day business decisions being taken down through the organization and just a quarter say it is embedded into the business. The metrics being chosen to define a risk appetite, in terms of willingness to take loss of a certain amount of earnings or capital to achieve business strategy, might not allow for comparability across business units and subsidiaries. But that means apparent advances in risk governance aren’t much use. What is needed is a framework that can be allocated down through the business units.
Even more worrying, stuff is buried deep within. Ernst & Young finds that data aggregation is still a particular challenge for many banks. Extraction and aggregation of key data from multiple siloed systems and applications is difficult, particularly for firms that have grown through mergers and acquisitions, which is most of them. Several executives indicate that they are still challenged by the quality of the data and the ability to assess the correlation effects on an integrated basis. Three-quarters of banks surveyed still require manual intervention to aggregate counterparty exposure and only half can produce end-of-day reports aggregating counterparty exposure across business lines.
This is one of the vital building blocks for risk management. It’s all very well to make high-profile changes to governance at board level, but these are useless if those now responsible are being fed duff information.
Jackson says that banks’ boards of directors are struggling. She recounts a meeting with one director who complained of being dumped with 1,500 pages of uncollated risk reports from various business units in the run-up to one bank’s accounts committee meeting. It’s impossible to work out from such a mass of data what the most important concerns are to raise with senior management. An investor must surely wonder whether any bank that presents its directors with such a mass of raw data is being run by a management team that does not itself have a true picture of the aggregate risks it is running, or by one that wants to obscure the risks it is running. Neither is good.
A weakness of the report is the tedious complaint that new regulatory demands are driving up the complexity and cost of complying and reporting and so diverting scarce resources away from needed improvements in risk management. Sorry, but if banks can’t perform the risk management basics, they shouldn’t be in the business.
Regulators are also getting impatient. Many are starting to wonder if they’ve gone down the right road in using banks’ own internal risk models. One says: "Their use always leads to less capital. And banks say ‘yes, that’s because there’s less risk’. Well, I doubt that."
He’s right to.