Beyond the numbers: do banks manage risk?

June 14, 2012

By Rachel Wolcott

LONDON, June 14 (Thomson Reuters Accelus) – It may seem like a subtle difference, but most of what banks call ‘risk management’ is often more akin to ‘risk measurement’. It is a myth that banks are in possession of fancy gadgetry that allows them to measure risk on a minute-by-minute basis from a specialised risk-control tower and react to it effectively, thus averting catastrophe. Instead, the financial crisis and trading losses, such as JPMorgan’s $2 billion blow-up in May, have shown that by the time banks measure and understand their risks, it is too late. Risk management is not about controlling risk, but about offsetting its impact after the fact.

Far from being a powerful high-tech unit within a firm that is charged with hedging risks on a macro basis — the way, for example, that JPMorgan’s chief investment office has been portrayed — risk management is more fragmented and limited. That is why many banks were badly hit when Lehman Brothers collapsed in 2008. It was just too difficult to get a picture of what their positions, exposures and risks were, let alone manage them. This is because, in many cases, banks’ risk management still has more to do with number crunching and measuring risk for compliance and regulatory purposes, such as regulatory capital requirements, credit value adjustment and counterparty risk. Managing risk, however, is something few firms do well, and they are certainly unable to do so in a holistic way.

“It is a statement of the blindingly obvious that you have to manage risk ex-ante, before the event, because if you try managing it after the event, you’re just mitigating stuff that’s already happened. If you’re going to try to manage risk, you need to do it before the event. All risk measurement is pretty much after the event. Just because you’ve upped risk measurement, doesn’t mean you’ve done much about risk management,” Tim Hodgson, head of Towers Watson’s Thinking Ahead Group, told Thomson Reuters.

Hodgson, and others, have said banks must move away from risk-measurement exercises and instead make predictions based upon risk and historic data. Risk management should involve the development of strategic plans, as well as a suite of contingency procedures to address a number of what-if scenarios.

“If you look at what’s happening in Europe, there is obviously a clear and present danger. If this thing blows it could be absolutely horrible. But because it’s there and it’s grinding away glacially before our very eyes, then you could almost assume that because it hasn’t happened yet. There hasn’t been enough thinking about if Spain defaults or Greece leaves the euro, then what? There haven’t been enough what-if scenarios,” Hodgson said.

Avoiding the tough questions

The models that banks use to measure their risk have come in for criticism since the financial crisis erupted and, again, have been highlighted by the recent JPMorgan losses. Much has been made of how banks’ value-at-risk (VaR) models are considered to be outmoded. Critics of VaR, a measure which is designed to estimate likely maximum portfolio losses based on statistical analysis of historical price trends and movement, argue it avoids low-probability events and is blind to true risk.

“When banks use these models to make risk management decisions they of course avoid considering very low-probability events, but the reality is the market doesn’t follow this normal distribution assumption or the standard assumptions. It happens that some extreme events are much more likely than what the models would predict,” said Marco Delzio, chief executive of Martingale Risk in Rome.

Banks are using models to do more stress testing and scenario analysis, but they are not going far enough with their analysis. They create scenarios and evaluate their mark-to-market positions under different market situations. These models, however, can be manipulated to make the world seem better and safer for bankers. Banks meanwhile avoid the big question: what if it all goes wrong? And they certainly are not preparing for that worst-case scenario.

Delzio said: “It is possible that we really consider an extreme event such that the bank would lose 100 percent of its capital. My opinion is that these events really exist in the market, but the bank could never consider at least officially these events otherwise it should stop trading. It is an artificial way to simulate the possibility that there could be some very negative events, but these events that are simulated are not sufficiently negative to be effective for risk measurement and risk management. The bank doesn’t really want to consider the possibility that things could go really wrong.”

Banks use models, such as VaR, to measure risk in a way that suits them and use those measurements to set their regulatory capital cushions and adjust leverage ratios. They avoid, however, delving into worst-case scenarios and preparing themselves accordingly. Again, measuring — rather than managing — risk means that when a worst-case scenario arises many banks are defenceless and spend years picking up the pieces, as is the case today at the Royal Bank of Scotland and many others.

Beyond the numbers

Since the advent of the financial crisis, risk management consultants have advised firms to get smarter about risk identification. Indeed, identifying and monitoring emerging risks has become a hot topic among professionals who increasingly understand that risk management has to be more than just running the numbers and printing out a report. Risk management will increasingly be called upon to predict risk scenarios and help senior management defend against them.

“You cannot approach any analysis purely from a quantitative perspective. The numbers only tell you one story and the numbers could be misleading. You need to have the qualitative side to that too and you need to marry that with common sense insofar as your knowledge of the business, its people and whether there is some issue that is percolating that you want to get ahead of. You will not find an internal audit group or compliance function that is effective if it only looks at one of those data points or doesn’t consider the qualitative things you need to think about that are outside the numbers,” said Dean Simone, partner and U.S. risk assurance leader at PwC.

Increasingly, Simone argues, banks are realising that risk management cannot solely be a data-driven exercise. Risk management may have started as a discipline with a dearth of data, which forced it to be more empirical in its identification of risk factors. But with access to massive amounts of data, risk managers have perhaps become too dependent on using data and models without looking at the numbers and asking: so what does this all mean?

Simone said: “Firms have to step back and look at how risk is evolving. The risk committees that are effective are cross functional, and it’s hard to do that in large organisations, not just financial services. The question is: how do you have an infrastructure around your risk management function that is able to pull together both data and qualitative factors and put it into some kind of infrastructure that allows you to have a common language to see where your risks are and then respond to them? That is hard to do and it is something companies are wrestling with.”


There is a certain amount of disagreement about whether the risk management function within banks has increased its influence since the financial crisis. Some consultants point to chief risk officers gaining more clout with boards of directors as an indication that risk management is in the ascendancy. They argue that firms’ senior managers are starting to understand that good risk management makes good business sense. Other market participants, however, have said that risk management still loses out to the interests of trading desks and investment bankers.

“Imagine if risk managers were empowered. You’ve got to be a very brave or very self-confident risk manager with understanding peers to challenge an area of a bank that has made $5 billion. If you make $5 billion people think you’re a genius. Unfortunately they forget about the risk management or it’s hard for the risk manager to ask questions about the reason why they made $5 billion and whether the firm is actually managing its risks properly,” one risk management consultant said.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)
