Risk Management Reports

The Sixth Annual Conference of the Global Association of Risk Professionals (GARP) was an exercise of Basel on the brain. The draft Basel II accords from the Bank for International Settlements in Switzerland completely dominated the four pre- and postconference workshops, the seven plenary presentations and the 57 breakout sessions, so much so that I left with the sense that I had descended into an Alice’s Wonderland in which the Queen of Hearts was the BIS! Not that this was unexpected: Basel II has been a primary discussion point in every GARP session since its inception in 2001.

Indeed, one of the first speakers, Nicholas Le Pan, Canada’s Superintendent of Financial Institutions and Vice Chairman of the Basel Committee on Banking Supervision, used Lewis Carroll’s tale as an analogy for his talk on Basel II. For this room-full of quants, Le Pan argued that while the new accord “encourages stronger risk management in banking,” it is “more than a compliance exercise” and is “not just quantitative.” He laid great stress on the use of judgment, not just numbers and models, in the “pragmatic use of pooled data.” Operational risks lack the data so useful in building sophisticated econometric models for credit and markets risks, forcing greater reliance on qualitative approaches. He cited two other issues for banks facing new regulations on operational risks. The first is the “home-host” supervision problems affecting banks domiciled in one jurisdiction but operating in many others. For success, banks and their supervisors must be open, flexible and willing to communicate. The second issue is the need to validate the processes adopted by individual banks, and Le Pan strongly urged those present to visit the BIS website (www.bis.org) to share and review information. Le Pan’s introductory speech was persuasive, literate and amusing, creating, at least in my mind, increased confidence in the value of Basel. He left me with the impression, however, that we may have been following a large White Rabbit down holes and through doors all these years, always just behind him. The final Basel II remains elusive.

He was seconded the following morning by an equally convincing presentation by Andrew Crockett, President of JPMorganChase International. He recapped the history of the Basel effort, from the Herstatt Bank collapse in 1974, when the committee was founded, to Basel I in 1992, which set the first guide for risk-based capital adequacy, and thence to the current deliberations on Basel II. Throughout, Crockett argued, it has been a collaborative and global process, built on the principles that it is voluntary, professional, comprehensive (all aspects of risk management), and inclusive.

Basel II is the result of this fresh focus on operational risks. Because these risks are complex and involve special situations as well as a host of new technologies in hedging, securitization and diversification, the accord has been delayed and now is planned to take effect in 2007. Crockett acknowledges that an Achilles Heel for the entire effort is the lack of consistent and credible worldwide accounting standards. But, he went on, the past decade of work is remarkable for progress toward global standards, a fresh understanding of operational risks by practitioners, and markets better equipped to control habits.

Crockett concluded with a suggestion that some large banks might be asked to issue subordinated debt to support their capital, debt more easily monitored by other banking institutions for portfolio VaR. He also suggested that sound public policy may require banks to increase capital to cover “social effects.”

At this point, despite the convincing arguments of these two leaders, one a banker and the other a regulator, I had a nagging sense that all this concern about Basel II might lead to an over-focus on capital and an under-focus on those more important and elusive assets, reputation and public confidence. Andrew Crockett alluded to this concern with his comments on “social effects.” But I did not hear others pick up on them.

Perhaps this is a condition common to organizations these days. A crisis occurs. Both industry and government respond. Then new regulations and guides inevitably concentrate attention on correcting the causes that led to the crisis. Post-Herstatt and other situations, we have Basel I and II, concentrating on the adequacy of capital. After Enron, WorldCom and others, Sarbanes-Oxley commands our attention and we focus on compliance. Then COSO issues its new ERM framework and we are drawn to controls. If there is anything that enterprise risk management teaches us, it is that we must return to viewing the enterprise as a whole, recognizing the interests of all its stakeholders, and that we cannot be derailed by reacting to the latest concerns of the public.

Early in the conference, three past winners of GARP’s Risk Manager of the year offered their comments on trends and challenges for the discipline. Robert Mark, CEO of Black Diamond, led off with a provocative list that deserves detailed discussion. Consider these ideas:

1. Increasing harmonization between banking and insurance (despite CitiGroup’s recent sale of its remaining insurance assets!)
2. Continuing ascendancy of the Chief Risk Officer, tempered by a growing potential for personal legal liability
3. Continued difficulty in measuring the actual “value added” by risk management (something I’ve been harping on for several years: can we measure the return on risk management investments by means other than just reduced capital requirements?)
4. More reliance on rating agencies to rate the quality of risk management efforts (but are they up to this task?)
5. Greater disclosure of risk information
6. Massive new demand for non-analytical risk information (acknowledging that most of us are not quants)
7. New emphasis on developing “generally accepted risk principles”

Glenn Labhart, an independent consultant, followed with one of the few remarks at this conference about the effects of Section 404 of Sarbanes-Oxley and the new COSO Risk Management Framework (see RMR, December 2004). I was pleased to hear his note on the global growth of “risk intelligence” that addresses both the potential gains and potential losses that are the outcomes from decisions. Finally, Bill Martin, the Global Head of Investment Risk Management at INVESCO, warned that, as “risk management” becomes the “current hot buzzword,” it also becomes more political. To him, “analysis is the core” of the process, a “way of looking forward” and “finding comfort in uncomfortableness.” That’s a memorable phrase that, at least to me, says much about the process. Uncertainty is the perpetual fog surrounding what we do, and risk analysis is the infrequent shaft of sunlight that lets us to press forward. Like using sonar, GPS and radar combined: we still can’t see where we’re going but we have a new idea of how to proceed! Martin also warned CROs against becoming a “BOO,” a Business Obstruction Officer. Good advice.

Another regulator, Roger Cole of the US Federal Reserve Board and also Chairman of the Risk Management Group of the Basel Committee, addressed the “Advanced Measurement Approaches” (known as AMA) under consideration for application to the reduction of regulatory capital. He cited four basic challenges:

1. Create a positive corporate culture for operational loss events.
2. Develop comprehensive loss event data, a top priority.
3. Develop new analytics. (Here Cole echoed Bob Mark’s comment about convergence with the actuarial profession of the insurance industry.)
4. Create positive incentives for individual attention.

I emphatically agree with him on the last two but differ on the first two. I fear that a narrow focus on “loss events” may preclude taking advantage of unexpectedly favorable outcomes and new opportunities.

Cole went on to list what regulators seek in a bank’s AMA to operational risk:

1. A sound operational risk governance framework
2. Credible internal loss data
3. Careful use of external loss data
4. Application of scenario analyses, weighing procedures with relevance
5. Open description of analytics and their capability of capturing potentially severe “tail” loss events
6. An open business environment and its related control factors.

I have no doubt that this decade-long effort to incorporate operational risks within regulatory supervision of bank capital will result in major changes. Many will be good, leading to more efficient application of required capital to various operations. Banks that move toward their own “Advanced Measurement Approaches” will almost certainly be global leaders. Yet I have that nagging fear that all this conformity could lead to two unintended consequences. The first is a renewed “siloization” of risk management itself, a reversion to tactical approaches to market, credit and operational risk. We need to recognize the connections and correlations among them, avoiding a return to the compartmentalization of the past. The second is the possibility of an increase in systemic risk—one in which most of the major banks could follow one another off a cliff—something suggested by Avinash Persaud, of Gresham College, in London, in a paper at the 2001 GARP Conference (see RMR April 2001). His argument was that, in the attempt to limit volatility, too many banks might play follow-the-leader to avoid criticism, thus accentuating the risk of systemic downfall. His concerns have yet to be addressed by the banking and regulatory community.

I attended three other sessions that sparked my interest. The first was a discussion of lessons learned by JPMorganChase, presented by its Head of Corporate Operational Risk, Joseph Sabatini, someone I’ve heard and enjoyed in previous GARP conferences. It was the best operational RM session of this conference. He reported “significant progress” at his bank over the past five years. He has a framework and principles but he agreed with Robert Mark that he has yet to “prove” their value to the organization. Prior to 2000, operational risk was managed on a “cell” basis; today Sabatini treats “everyone in the bank as a risk-taker.” Essential to its success is the bank’s “Self-Assessment” process, “by far the most important element in the bank,” one that creates ownership of risks. JPMorganChase has moved from a “blame to a risk” orientation, in which the bank seeks a “no surprise environment,” meaning that whatever occurs, someone has considered it in advance. Sabatini also reported on the progress of the Operational Risk Exchange, a global consortium of twelve banks, now expanding to eighteen, that collects operational risk data for sharing with its participants. If this works, it will dramatically increase the operational data that serve AMA programs.

A second was the presentation of Linda Allen, Professor of Finance at the City University of New York. She addressed the “Cyclicality of Catastrophes in Operational Risk.” In the effort to validate operational risk quantitative models, there is always the problem of “extreme unexpected loss events.” She moved to a broader definition of operational risk than Basel II, one that includes strategic, reputational and business risks, preferring to define “operational” as “all except credit and market.” Allen was one of the few to note the possible unintended consequences of adopting Basel II: as an economy turns down, Basel II seems to dictate more capital, when more lending on less capital might well be the required macroeconomic response. Similarly, in a boom, Basel would permit less capital, when more might be required to dampen expansion. She also noted that extrapolation from past experience could be “inappropriate” in light of rapidly changing conditions and technologies. Her conclusion, with which I agree: “construct all models on macro-economic conditions.”

Gene Alvarez, formerly of the Bank of Tokyo-Mitsubishi, presented the third session and outlined his bank’s quantitative and qualitative approach. This was a disappointment. Dr. Alvarez carefully read each of his slides in full, a classic no-no. He continually referred to risk as something to be avoided, in stark contrast to other speakers who emphasized “risk taking.” He described an operational risk bureaucracy created from the top down, rather than built from the bottom up, leaving me with the impression of a bank buried beneath a landslide of obfuscation, heavy on meaningless works and controls. He avoided including any consideration of “reputation” as “it is a little difficult to quantify damages!” He ended his piece with the comment that “the Holy Grail of operational risk analysis is a capital calculation!” Isn’t there more to life than capital? And how can you possibly make intelligent investment decisions if your entire information base is made up of negative outcomes? His presentation was thoughtful and logical but, starting from flawed premises, it missed the point.

This year’s GARP conference, as its predecessors, was a challenging intellectual exercise. It also put me on the ropes physically! Day One started at 7:50 a.m. and ended eleven hours later at 6:50 p.m. Day Two was only slightly better, at almost nine hours. On the first day, by the first coffee break at 10:50 a.m., I was ready for lunch; by lunch, at 1:20 p.m., I was ready to call it a day, with five and a half hours to go! GARP pushes you to the brink. This conference had 325 paid registrants, part of a total GARP global membership of 40,000+, of which 9,000+ are paid members. They are split roughly one- third in North America, one-third in Europe and one-third in Asia. GARP’s financial risk management certification (FRM) now has almost 6,300 designees. Rich Apostolik, GARP’s President, announced the creation of two new initiatives. The GARP Risk Academy will offer a certificate in risk-based regulation and diplomas in six areas including credit, market, treasury and operational risks and regulation, plus governance and capital adequacy. A new Digital Library, under development with the publisher John Wiley, will have more than 1,500 readings for review and downloading within the next 18 months.

As usual, GARP’s annual conference was an exhausting but fruitful two days.