
Spotlight on Risk Management

Dr. Robert Mark, CEO of Black Diamond Risk Enterprises, discusses risk management

Shelley Sessoms (SS): This is Dr. Robert Mark, CEO of Black Diamond Risk Enterprises, and we’re discussing enterprise risk management. Dr. Mark, tell me why the spotlight is on risk management today.

Dr. Robert Mark (RM): The answer to your question has multiple risk-governance dimensions.

First, there has been intense regulatory pressure to improve the quality of a firm’s corporate governance and risk management. This regulatory pressure arises in part due to high-profile global corporate failures such as Enron, as well as the contagion effects that have evolved from the failure to properly manage the risks associated with complex financial products on both the wholesale and retail sides of an organization.

Second, large expenditures on risk management have attracted a significant number of software and service providers to the lucrative part of the risk management space. There has been significant growth in the amount of internal and external resources dedicated to implementing regulatory programs such as the Basel II accord in the banking and securities industries as well as compliance programs such as the Sarbanes-Oxley Act. There is also a Solvency II effort underway to develop a risk-based regulatory capital regime for the insurance industry that is patterned after Basel II.

A significant effort has been made to implement the first pillar of Basel II, which calls for companies to calculate the minimum required regulatory capital. I believe that we will see a significant rise in expenditures associated with the second and third pillars of Basel II. The second pillar calls for the regulatory supervisor to examine the operational environments of banks and securities firms around the globe to ensure they are conducive to best practices for risk management and that risk measures are actually used in the management of the business. The third pillar sets minimum standards for the best practices for risk disclosure.

Third, rating agencies have also initiated a program to benchmark the quality of risk management as a key component of their credit-rating processes. Firms which fail to achieve sufficiently high scores on the quality of their risk management programs run the risk of having their credit ratings downgraded. Conversely, those firms that have implemented a superior risk management program have the potential of having their credit ratings upgraded.

SS: Knowing what has placed risk management in the spotlight, what would you say has caused risk management to become such a driver?

RM: The short answer is that risk management has gone mainstream. Risk management techniques are being used to drive business decisions in terms of product development, pricing and performance measurement as well as achieving desired risk-adjusted returns. For example, risk management tools are being used in the normal course of business as a critical input to trading and credit strategies as well as for determining the effectiveness of hedging strategies.

Sophisticated risk management programs have positively influenced the kinds of businesses that organizations engage in. Senior managers at sophisticated firms recognize that if your measures of risk can’t tell you where it pays to do business, then you’re at a disadvantage to someone with a better understanding. Those with the right culture, policies, methodologies and infrastructure will achieve a competitive edge. For example, in my prior roles as a Chief Risk Officer (CRO), I always worked hard to ensure that my risk management programs moved beyond a sole focus on governance toward also adding business value.

SS: Risk management is obviously useful in a number of instances. Could you explain the different types of measurable risk that are out there?

RM: As I see it, there are seven main types of risk. These risk types are neither mutually exclusive nor necessarily exhaustive. The risk types encompass market, credit, operational, reputation, business, strategic and insurance-related risk. The most readily measurable risks are the financial and insurance-related risks. Financial risk refers to the risk arising from market risk and credit risk.

Specifically, market risk is the risk that changes in financial market prices or rates will affect the value of my portfolio. Market risks can be further divided into risk associated with equities, interest rates, commodities and foreign exchange as well as specialized products such as credit derivatives. Credit risk is the risk that a change in the credit quality of a counterparty will affect the value of the portfolio. Insurance-related risk refers to such things as underwriting risk, catastrophic risk, product lifecycle risk and longevity risk.

SS: Could you provide further detail on those risks that are more difficult to measure?

RM: Operational risk is not measured as well as financial risk. Operational risk refers to potential losses resulting from such things as human error, faulty processes and inadequate systems. Operational risk can evolve from internal or external sources.

Measuring operational risk has proven to be a significant challenge. For example, a key challenge has been to secure adequate levels of internal and external loss data to calculate the amount of operational risk. The challenge includes accounting for long modeling time horizons, a significant divergence of expert opinion with respect to self-assessment and lack of uniform global regulatory and data standards.

Reputation risk refers to such things as bad behavior, a faulty product or a failure to meet socially responsible norms. Business risk refers to the uncertainty about the demand for a product or the cost to produce the product. Strategic risk refers to the risk of significant investments for which there is high uncertainty about success and profitability.

It is worthwhile to point out that Basel II assigns regulatory capital solely for financial risk and operational risk. In other words, Basel II does not assign regulatory capital for strategic, reputation or business risks.

SS: In your terms, what are the characteristics at the core of a superior risk management approach?

RM: I have found it useful to focus on the quality of risk management in terms of the policy, methodology and infrastructure dimensions.

Characteristics of policies at the core of a superior risk approach include the idea that the tolerance for risk is integrated and consistent with business strategies and vice versa. Policies should also call for risk measures to be back-tested. It is also essential that policies call for limits on the amount-at-risk to be expressed in meaningful terms and reflect a desired tolerance for risk. Finally, policies should call for risk to be properly disclosed internally and externally on a drill-down and integrated portfolio-management basis.

Significant practical and analytic progress has been made in measuring financial risk on an integrated basis. Characteristics of methodologies at the core of superior risk solutions contain the idea that risk and stress-test methodologies are predictive of the actual losses and integrated across all risks and all books of business. Further, mathematical models should be properly vetted and positions should be properly valued. It is essential that the methodologies used to control risk should be tied into such things as economic and regulatory capital management, pricing and performance measurement.

A key challenge is to benchmark the quality of the infrastructure. A firm can have great policies and methodologies but will be unable to reap the benefits of them without a superior risk infrastructure. Characteristics of infrastructure at the core of superior risk solutions include the idea that the appropriate risk team is in place with the right skills. Also, a superior risk infrastructure calls for an integrated operational and risk-software environment. For example, a superior risk infrastructure calls for a risk platform that integrates data management, risk analytics and reporting in a flexible manner to provide the risk team with the appropriate tools to accomplish their mandate.

Organizations that have an integrated risk-data infrastructure are able to obtain a competitive advantage. For example, there is significant value to having timely access to market data, transaction data and legal data. Another key challenge is to develop useful reference data. Reference data is a broad term used by operations management. Reference data is costly to acquire and maintain, duplicative across the industry, and comprises a significant portion of the data content of financial transactions.

SS: Let’s expand on the infrastructure dimension. If you were introduced to someone who recently assumed the senior risk management position, how would you guide that person toward implementing an effective risk management infrastructure?

RM: I would first provide a road map that enables the organization to benchmark the quality of its risk infrastructure. In other words, I would look for any gaps between the organization’s current and desired risk infrastructure. An important component of a superior risk infrastructure is that the working environment supports a comprehensive corporate-risk program. This fosters a strong ethical culture that serves both the risk management organization as well as the business. The benchmarking exercise would examine the degree to which the organization has the appropriate people and operating elements in place to control and report on risk as well as serve the needs of the business.

Specifically, I would guide the new person to examine the quality of the people in the risk organization. The organization must have the ability to attract and retain talented personnel so that the appropriate people are in place to cover all the material risks. I would look at how the risk function is organized. For example, a superior approach to risk management typically calls for the CRO to report to a senior person with significant influence such as the chief executive officer. The CRO should have the appropriate authority to execute on material risk issues and be well-compensated. The heads of the various risk groups – such as market risk, credit risk, operational risk, policy and economic capital – should also be well-respected and have sound career paths.

I would also encourage this person to determine if the organization has implemented an effective and efficient front, middle and back office for the purposes of efficiently executing transactions as well as controlling all aspects of risk. I would emphasize that the infrastructure should enable the risk program to capture financial as well as nonfinancial risk data. An integrated data infrastructure avoids having incompatible islands of data. Further, it is a problem if an organization aggregates risk data at different times during the day from different places around the world because the aggregate enterprise risk information won’t be meaningful.

The infrastructure should also enable the firm to capture the standalone as well as the incremental risk of each transaction’s contribution to the overall risk of the portfolio. The infrastructure should enable the risk program to be fully integrated into the day-to-day operations of the direct risk-takers. The day-to-day operations of direct risk-takers include analyzing a deal, pricing a deal, comparing the risk of the deal to limits, executing the deal, confirming and settling the deal as well as managing the overall business-unit risk.

SS: You mentioned the importance of data to a risk management approach. What are some of those key data characteristics that are indicative of a superior approach to risk data management?

RM: I focus on eight key data characteristics. These include the idea that data needs to be integrated across the enterprise. It also needs to have integrity that inspires confidence in those who use it. The data also needs to completely describe risk in the enterprise. It needs to be accessible so that users have rapid access to all the data they need. The data also needs to be flexible so that users can drill down wherever necessary to answer deeper questions about risk. It should be extensible; for example, the overall data structure should be able to easily accommodate new data. The data should be timely so that it is available soon after the completed transaction that produced it. And last, the data should be auditable so that the organization can trace and verify it all the way back to the source. A deficiency in any of these characteristics will be a symptom of one or more problems with the underlying data architecture.

Second, each of the policy, methodology and infrastructure components of the risk program relies on being able to translate data into the right information for the organization. Best-practice policies can only be written with clear and detailed information about the operations of the business and the external market environment. Constructing superior methodologies relies heavily on having good data for both methodological development purposes as well as for back-testing exercises. For example, a necessary condition for publishing the amount-at-risk and the associated economic capital externally is to ensure that you have good data. In short, you need to avoid the “garbage in, garbage out” problem.

SS: A lot of what you’ve said about risk management sounds like common sense. So why aren’t some companies running effective risk management programs today? In your opinion, are they just set in their ways, or are they not educated enough about it?

RM: It is one thing to state your goals in terms of what you want your risk management program to accomplish, but it is quite another thing to actually have the policies, methodologies and infrastructure in place to get there. For example, you may have designed sophisticated policies but if your risk methodologies are poorly constructed, then the organization will not use these methodologies from both an offensive and defensive point of view.

SS: Who decides on those benchmarks in an organization?

RM: It’s a collaborative effort. The risk group should work collaboratively with its internal and external partners as well as the management committee and board to propose meaningful policy, methodology and infrastructure benchmarks.

SS: How do you determine if your risk measures are predictive?

RM: I would establish an objective series of tests to examine how predictive the measures are for each of the seven risks described earlier.

Let’s take one example in the market-risk area. A standard approach is to set market risk in terms of how much you can lose in a one-day period based on a confidence interval of 99 percent, say $10 million. This implies that if you have good measures of market risk, then you should expect that your losses will exceed the amount of projected risk, say $10 million, once every 100 days. In other words, if we assume there are 250 trading days in a year, then you should expect to have no more than three days per year in normal markets where your actual losses would exceed your predicted risk.

These tests of predictability should be tied into measures of interest to regulators, rating agencies, internal managers and the board. For example, the regulator will not trust your measure of market risk if your losses exceed the amount of risk six times a year. If you exceed your declared amount of market risk, say six times, then the regulator may force you to set aside more regulatory capital for market risk.

SS: We’ve talked about organizations that have been successful with effective plans. In your opinion, of those that currently lack effective risk management programs, what are the things they could do differently in the next six months to move forward?

RM: I would immediately work to ensure that the organization gains a clear picture of what it takes to develop a superior risk program. I would encourage them to ask questions such as: Are my policies right for the organization? Do my methodologies deliver results to help us achieve our goals? Do I feel that my infrastructure is where I want it to be relative to my objectives?

As for specific actions, I would first work to upgrade my policies, methodologies and infrastructure to achieve my intermediate six-month goals as well as to ensure that the short-term goals are harmonized with long-term ones. Secondly, I would figure out how to pull together an internal and external advisory group that would help me close the gap between where I am today and where I want to be in six months. I would then take a specific set of planned action steps with the support of my business partners and advisory group to close the gap. My longer term plans may take a year or two to complete, so I would want to make sure that the organization is comfortable in terms of the timetable and expense it takes to close this gap.

I would ask the revenue generators to describe how they will use the risk information and ask them what type of risk tools they need in order to make certain revenue decisions. For example, I would ask what it takes for the revenue generators to use the risk information to price a deal.

SS: Do you find a lot of organizations are defensive or reactive with their risk management? Or are a lot of them moving toward being proactive with it?

RM: I believe that a well-designed risk management program works well from both a defensive risk governance point of view as well as from a proactive revenue generation point of view. There is now an accelerating trend toward proactively using risk tools to serve the needs of the revenue generators.

I would strongly recommend that a risk program should be evolved in deep partnership with the revenue generators in order to encourage proactive use of risk tools. Revenue generators are increasingly mining risk information and risk tools to obtain a competitive advantage. For example, I would take the time to talk to each of the business units, with the support of my internal and external advisory groups, to encourage them to use risk tools to develop new products that provide superior risk-adjusted returns. For example, I managed a corporate treasury function and deeply appreciated it when the internal and external infrastructure support functions met with me on a frequent basis to ensure that I was satisfied with their efforts to serve my business unit’s revenue-generation goals.

SS: I’m nearly finished, but I do want to ask you about a risk event we’re having in Hong Kong on Oct. 23. There will be between 75 and 100 attendees. At the end of the day, what kind of message do you want to leave with those folks? What do you want them talking about in the weeks after they return from the event?

RM: I’d like for them to think about how they would go about benchmarking the quality of their risk management programs. I’d like them to talk about how they would design an approach that would enable them to benchmark the quality of their risk management programs on a continuum that ranges from poor to adequate to superior. I’d also like them to think about what type of internal and external support that they would need to implement a risk management program from both an offensive and defensive point of view.

I would also hope that the attendees are motivated to gain a deeper practical sense of how to upgrade the quality of a risk management program from policy, methodology and infrastructure perspectives. How should they close the gaps in their risk management programs in the near term as well as in the longer term? How should they work with their internal and external advisors to develop a superior risk management program that provides a competitive business advantage and impresses regulators and rating agencies?

I would also encourage attendees to talk with their colleagues from other industries who are attending the conference. For example, banks and securities firms, as well as insurance companies, can all learn from one another in terms of modeling risk.

Another important issue is how to provide risk information to boards and management committees so they are engaged in a constructive dialogue. I would encourage attendees to work with their internal and external advisors to facilitate the offering of risk-education programs at the highest levels of their organizations. Risk education is an important part of the risk-communication process and has become a competitive necessity to ensure that the appropriate tone is set at the top.

Attendees should also think about how they might develop intangible risk management standards such as socially responsible investment benchmarks and ethical standards. For example, many firms have enhanced their reputation through investing a portion of their portfolio in renewable energy programs. Some firms have recently set up ethical committees within their business divisions to try to make sure that “soft” risks, such as unethical business practices, don’t slip through the mesh of “hard” risk analytic reporting. For example, Enron didn’t just fail because of improper accounting or alleged corruption at the top. The unrelenting emphasis on earnings growth and individual initiative, coupled with a shocking absence of checks and balances, tipped the culture.


