Risk Management Reports

The astrological forecast for risk management shows the quants in their ascendancy, with operational risk rising to meet the shooting star Sarbanes-Oxley, while Basel 2 remains as fixed on the horizon as she has been for the past five years. At least that’s the reading I heard at this year’s fifth annual GARP (Global Association of Risk Professionals) Conference in New York City.

This organization has been operating for just over five years and the history of its annual conferences, all of which I have attended and reported in Risk Management Reports, is a mirror of its ups and downs. In 2000 the conference logged 400 + registrants and GARP reported 10,000 non-dues-paying members. The key issues that year were capital adequacy (Basel 2), risk communications, liquidity, documentation, models and counterparty risk. 2001 saw a 25% leap in registrants to 500 and a reported 15,000 members. GARP announced a change in structure to paid memberships and the key issues were Basel 2 and the credibility of quantitative models. The following year registration remained the same (500+) while GARP reported 5,000 paid members and 17,000 free affiliates. The issues that year were Basel 2 (again), the future after Enron, weather hedging and trading greenhouse gas emissions. Last year (2003) was a critical watershed, following the split of many of GARP’s leaders and volunteers into the new Professional Risk Managers’ International Association (PRMIA). Registration dropped to 300+ and paid members to 2,000, even while the free affiliate membership climbed to 21,000. The major issues were the strength and weaknesses of econometric models, the importance of risk dialogues and, of course, Basel 2.

This year GARP rebounded. Conference registration jumped to 500+ and the association reported 27,200 affiliates and 5,200 paid members. Four half-day workshops bracketed two days of presentations, an intense concentration of information that featured 75 speakers. Of these 48 were practicing managers, primarily from financial institutions, with 14 representing universities, the government or associations and 14 representing vendors firms. The percentage of vendor speakers has dropped steadily from the second year’s (when I first reported it) 27.6% to this year’s 18.6%. It is refreshing to see an organization where its members speak for themselves and do not rely on vendor voices. That philosophy is expressed in GARP’s Mission Statement: “to be the leading professional association for risk managers, managed by and for its members, dedicated to the advancement of the risk profession through education, training and the promotion of best practices globally.”

Rich Apostolik, GARP’s President and CEO reported that 4,661 GARP members worldwide now hold its Financial Risk Manager certification and that more than 800 took the examination last year. (For information on the FRM, go to frm@garp.com)

GARP 2004 featured four familiar focal tracks: market risk, credit risk, operational risk and asset/liability management, the latter co-sponsored this year with the Society of Actuaries. This conference continued the exceptionally high quality of presentations and the no-less challenging (at least for this observer) language of quantitative analysis. Basel 2 topped the issue list again, with a member of the Basel Committee addressing the forum the first day and a member of the Board of Governors of the Federal Reserve speaking at the second day’s plenary session. Basel was referred to in 80% of the workshop presentations that I attended! Its eventual implementation will affect, first, banks throughout the world, second, other related financial institutions, and eventually, I think, most large corporations. Basel 2 is a concrete expression of the reality of economic globalization and the resulting need for global regulatory responses.

“Risk is hot!” That was the mantra of James Colica, the Senior Vice President, Global Risk Management, for GE Capital, in an engrossing and entertaining plenary presentation. He argued that risk management must be both a function and a process: a function that becomes part of an organization’s culture and has a “voice at the table,” and a process that embodies a systematic approach to the analysis of and response to risks. He confirmed, again, that visible CEO commitment to risk management is a critical condition precedent to its adoption. At GE, the function started in 1990 and has spread globally to all “products, countries and acquisitions.” It is also linked to a strong Six Sigma process. Colica’s approach is based on four foundation stones: “rigorous processes, intense focus on collections, proprietary digital analytic tools, and maintaining an experienced senior risk team.” He proudly noted that he had CROs in every business and in every country, losing only a few in the past years. His team averages 25+ years of experience! This “institutional memory” is, in his opinion, one of the most important assets of his program, including both ups and downs in corporate results (does GE ever have a down year?). In a refreshing aside, he noted that, for GE, judgment is as important as sophisticated quantitative skills.

GE’s acronym is DMAIC: “define, measure, analyze, improve and control.” Colica applies this acronym to the over 3,500 financial deals in the GE Capital database, using the information as both a control and a teaching tool. He implicitly recognizes the opportunity as well as the downside in risk.

Colica was preceded on the first day by an afternoon workshop presentation from Rob Ceske, the Chief Risk manager for GE’s Corporate Treasury. Rob emphasized the interlinkage management and the corporate response to Sarbanes-Oxley. Ceske commented that many of GE’s units use the “Control Self-Assessment” (CSA) approach developed by the Institute of Internal Auditors. Overall, based on these two presentations, GE represents a successful application of risk analysis and risk response.

Comments on some other presentations:

Operational Risk Governance David Keenan, the Global Head of Operational Risk Management at Barclays Capital, saw operational risk management as one means of responding to the new demands on governance and disclosure. He identified the “principals” and “agents” in operational risk, ranging from a broad list of stakeholders to the Board, executive management and employees. “Operational risk,” he argued, “permeates all levels and functions” of an organization, as it is “embedded in everything the business does. ”He discussed the variety of perspectives of these “principals,” from Basel 2 and Sarbanes-Oxley, to Turnbull (in the UK) and the FCICIA (in the US). His presentation used only seven slides, a welcome change from others, and concluded with four suggestions:

1. Don’t build a heavy central team – facilitate; don’t “do it for them,” and “have them sign off.”
2. Don’t treat operational risk like credit and market risk.
3. Don’t shadow manage: provide the right incentives and tools.
4. Embed, don’t add on: avoid bureaucratic approaches.

A Pragmatic Approach to the Management of Enterprise Risk Across the Organization Fred Bell, the Head of Enterprise Risk Assessment and Monitoring, at the Royal Bank of Scotland Group, gave a thoughtful summary of the application of ERM at this financial institution. It began, as do many others, with understanding the organization’s risk profile and developing an appropriate RM model. This bank’s structure is capped with a Director, Group Risk Management, to whom report seven officers: Risk Management Operations, Regulatory Risk, Enterprise Risk, Basel 2 & Credit Risk Systems Coordination, Credit Risk and Market Risk. He continued with communication and reporting requirements, the definitions of the bank’s risk categories, and, finally, how to derive “value” from the system. As with many others, however, his “values” were too soft and immeasurable. They were all highly desirable outcomes (“smoothing of revenue volatility,” “quality improvement,” or “risk transfer efficiency,”) but I see no way to measure these consistently or coherently. His paper illustrates the continuing question that this discipline faces: how to measure its effect on an organization?

Reinventing Risk Management Amy Woods Brinkley, the Chief Risk Officer of the Bank of America, suggested that risk management is “one of the most pivotal professions of our times.” This bank, like GE, uses Six Sigma as a quality control device and approaches the analysis of and response to risk with what she calls a “confident humility,” meaning that she is confident in her systems but humble enough to recognize that she will be surprised. Where is risk management going? She sees growing interaction among credit, market and operational risk management tools and techniques, newer and more liquid markets to aid in sharing these risks, and better data in all three areas to enhance forecasts. Yet her presentation was marred by her evident conception of “risk” as possessing only a negative side: things that go wrong. Where is the opportunity side? Where is the plus side of risk?

Several speakers commented on how a crisis can dramatically change the nature and calculations of risk. Susan Schmidt Bies, a Governor on the Board of the Federal Reserve Bank, referred to a forthcoming Federal Reserve study of global credit risk transfer, due later this year. Credit derivatives already account for over US$ 2 trillion (2003), and she asked how much “risk” is actually being transferred, when so much of this is subject to counterparty problems and the potential of a systemic breakdown. She lamented, “correlations can change dramatically in periods of crisis,” and too many credit models are built on these supposed correlations! Mike Gordy, also of the Federal Reserve (and the GARP Financial Risk Manager of the Year) suggested that “recovery risk” is too often an afterthought in most models, leading to a serious under-estimation of systemic problems.

Meeting the Challenge of Complexity Lesley Daniels Webster, Executive Vice President and Global Head of Market Risk & Head of Fiduciary Risk, at JPMorganChase, addressed four key focus areas in her bank. The first is prudent supervision, both internal and external. The second is continuous stress testing of models, projections and responses. The third is disclosure: “We should be prepared to come clean with risk results.” I agree completely with her but it is sad how few organizations will do this when the crunch comes! The latest example is the two-year delay of Royal Dutch/Shell Group to report to the public its reduction in oil reserves! Webster’s fourth key area is the participation of risk analysts supporting and organization’s strategic direction and its allocation of capital. Both require a synthesized view of all risks, a “common sense perspective. ” She mentioned “over-leveraging” as one of the continuing problems for financial institutions. The LTCM lesson has not been absorbed.

After some days of reflection following such an intensive barrage of information and ideas, I realize the importance of what was left unsaid. Peter Tufano, of the Harvard Business School, dropped a few tantalizing ideas in the opening panel discussion but they were lost in the avalanche of case studies and Basel commentaries. His first was the idea that we need better understanding of the way in which human beings actually behave when faced with different forms of uncertainty, before we can make risk management work. We need more research here, and I hope that GARP, other associations and academic institutions can collaborate. I refer to the challenging article by Nigel Nicholson, in the Harvard Business Review (July-August 1998) that I reviewed in RMR in November of that year. Nicholson argued that the human species may be “hard-wired” to respond to certain stimuli and that organizations must take these responses into consideration when developing new approaches to managing risks. Too many of our incentives and controls result in unintended (and adverse) consequences! Tufano’s second comment concerned the lack of concrete evidence that the practice of risk management actually adds any value to the organization. I add that we should go beyond the limited idea of “financial value” and look at reputation and stakeholder confidence. Are we too focused on quantitative measures? But if we shift, how do we measure results in the broader, softer, qualitative area? Perhaps GARP 2005 will schedule some speakers to address these two issues of behavioral risk management and measuring results.

As is evident from my report, the GARP annual conference continues to be a provocative session, one well worth the investment of time and money.