The Way Forward: Rebuilding Financial Risk

Management

(published in Risk Management Magazine April, 2009)

by Vincent H. O'Neil

Rebuilding faith and confidence in the financial services industry will take a long time, but
the best place to start is with financial risk management. This cannot be mere window
dressing; the end product has to be a risk management system that engages every financial
institution employee from the CEO down. The current crisis can be traced to risk
management failures at every level, so it only makes sense that the solution should exist
throughout all levels as well.

Risk management should not be viewed as a department. Risk management is a system, an

attitude and a climate-and everyone is a risk manager.

With so many people working in risk management positions, with reams of rules regarding
acceptable exposure, and with million-dollar modeling and monitoring technology, why does
financial risk management so often fail?

When business is good, it is easy to assume that nothing is wrong and that nothing is going
to go wrong in the near future. Complacency can blind an institution to potential reverses,
and it can stop people from speaking out when they think something might be wrong.

Many of these people remain silent because they believe risk management is someone
else's job, or they doubt their own understanding of the situation they are observing. A
sound risk management system trains and motivates employees at all levels to examine
their own business practices, even when everything seems fine, and to raise any issues they
might find.

The private sector is also an incentive-based world, however, and those incentives-if
properly administered-usually yield improved performance. Unfortunately, they can also
create circumstances where employees and managers break or ignore the rules in a quest
for further compensation.

Individual and department-level incentives are effective motivators, but they can tempt
people to do the wrong thing. Employees can knowingly enter into bad deals in order to
improve their bonus numbers. Managers can fall into this trap as well, ignoring violations of
corporate policy in the name of helping their departments meet assigned business goals. At
all levels, the institution's management must actively discourage the pursuit of short-term
gains that violate the institution's rules or risk management fundamentals. Every employee
must be made to understand the genuine danger represented by bending the rules using
recent examples ranging from the demise of Barings, formerly the oldest British merchant
bank, to the current crisis.

If not properly administered, incentives pose the additional threat of creating an unhealthy
risk management climate. In such an atmosphere, risk managers-and the rules they
enforce-come to be regarded as obstacles to be overcome or avoided. When not supported
by management, risk managers can become marginalized and the institution's rules can be
ignored. Such an atmosphere can have far-reaching effects: If the management fails to
enforce risk management regulations, their employees can come to view all of the
institution's rules as being open to interpretation.

Ignorance is another hurdle to effective financial risk management. During the long
economic boom of the 1990s, it was noted that many of the junior analysts in the financial
industry had no personal experience of a bear market. Although recent events have clearly
demonstrated that risky practices can have cataclysmic consequences, those lessons can be
quickly forgotten.

Unacceptable risk is frequently accepted by people who fail to recognize the hazard in the
first place. Ignorance of the real consequences of a risk management failure can make an
institution's risk regulations seem unnecessary, and even silly.

Training is the answer to ignorance, and one of the most important goals of risk
management training is convincing all employees that the danger is real. Risk management
training must be an ongoing process, linking real-world case studies to explanations of the
institution's control mechanisms. The recent examples of Lehman, Bear Stearns and the
continual government bailouts serve as a reminder that risk management failures can cost
many people their jobs.

On a related note, technology has the capacity to create a kind of passive ignorance that is
quite dangerous to an institution's risk awareness. While technological monitoring is a
valuable tool, overreliance on technology can create risk "blind spots" where financial
modeling and risk-warning systems come up short. These blind spots can be missed if the
employees using these systems are not trained in risk management fundamentals. At the
very least, employees must be made to understand that the machines only do what they
are programmed to do, and that only humans can expect the unexpected.

One final-and perhaps the most difficult-challenge is overcoming the culture of fear.
Concern over "not measuring up" and "not rocking the boat" can cause individuals to remain
silent when they should speak out. Such silence strikes against the heart of the risk
management climate, which seeks to create teams of redundant watchers trained to raise
the alarm.

Just as incentives can encourage individuals to make questionable deals, concern over a job
can tempt employees to exaggerate the advantages of a potential transaction (or the
creditworthiness of a potential customer) in order to bring in the business and keep pace
with their colleagues. It is the duty of the institution's management to create an
atmosphere where this will not occur.

The marginalization of risk managers was mentioned earlier, but there is a similar
circumstance related to fear in which the risk managers are at fault. This is the case of co-
opted risk managers, who so closely identify with the departments and people they monitor
that they fail to report violations of risk fundamentals. Risk managers are human and the
fear of being regarded as interfering or unreasonable by the people they see every day can
cause them to become nonentities. The risk management hierarchy must be on the lookout
for cases like this and should consider a rotational system that prevents long association
from becoming a problem.

Given all the factors opposing a proper risk management culture, attempting to overcome
them all can seem daunting. But by following four concrete steps, any risk manager can
begin to win the fight.

1. Senior Management Emphasis

Senior management must take the lead in creating a risk management climate that
encourages every employee to study, understand and monitor risk. This cannot be a one-
time, or even a once-a-year, thing. Creating a risk management climate is an ongoing
effort.

The CEO as chief risk officer: Although the institution can still have a chief risk officer, the
entire senior management team must be seen promoting risk awareness. This will not only
motivate subordinates to do the same but also serve to reinforce the importance of this
effort. One possible route is to treat this like an internal advertising campaign, with posters
and videos showing various employees, from senior management on down, stating, "I am
the chief risk officer."

Frequent, meaningful reminders: Senior management has a role in creating a sustainable

level of risk awareness and should take the opportunity to provide some of the instruction
themselves. From breakfast speeches to classroom-style training to off-site seminars, there
are numerous ways for leaders to reinforce the institution's dedication to risk management.

Do not lead them into temptation: As mentioned earlier, bonus-based incentives can lead
people astray, and sometimes for seemingly good reasons. Only senior management can
create an atmosphere in which employees will choose to forgo a questionable business
transaction that would have helped them earn a reward. Only senior management can
convince employees that obeying corporate regulations will not place their jobs in jeopardy-
disobeying them will.

Enforce the rules: All the words in the world will not create risk awareness if violations are
not corrected. Remedial training and verbal reprimands can reinforce an institution's risk
management system, but they must be backed up with more serious punishment including
termination when appropriate.

2. Training at All Levels

Building an inclusive risk management system is not an easy task. Overcoming complacency
and ignorance is often a function of motivation, and so the training must convince
employees that risk management is important-both to the institution and to the individual.
Offer a free, recognized and transportable risk management certification course: This is an
excellent way to motivate employees at all levels to learn the fundamentals of risk
management. It can be an internal program, an external certification or a combination of
the two. Offering certification, regardless of rank or job, will go a long way toward creating
risk awareness at all levels. Best of all, the employees who complete the course and receive
this certification will fully understand the importance of risk management and know what to
look for in terms of risky or fraudulent behavior.

Sustained training: The training effort, though containing some mandatory instruction at set
time intervals, must be more than an annual or quarterly requirement. Middle and junior
management can take part in this without making the time burden onerous. Using a series
of brief lessons, middle managers can reinforce the message that the danger is real by
citing examples taken right from the news that show how people who were not in "risk" jobs
made (or could have made) a difference.

Constant reminders: Flash videos, wall posters and junior management talking points can
serve as frequent reminders of the importance that the institution places on risk awareness.
To gain the proper impact, these reminders could be focused on the consequences of failed
risk management, citing the number of jobs lost and legal penalties incurred. This can do a
lot to reinforce earlier training showing the dangers of adopting an "everybody is doing it"
attitude.

3. Monitoring

Most of the risk management structure already in place will remain, including the risk
managers themselves and the technology that measures risk exposure. As recent events
have demonstrated, merely appointing a risk hierarchy and installing risk management
software is not enough, even if this system is fully understood and obeyed. One of the key
benefits of establishing a risk management climate in which every employee acts as a risk
manager is the exponential increase in monitoring performed by the extra sets of trained
eyes.

4. Corrective Action

All the rules, managers and software in the world will not create an effective risk
management system if that system has no teeth. One sure-fire way to ruin a risk
management system (and destroy the effectiveness of risk managers) is to tolerate
repeated violations. Punishing violations is not always easy, particularly when the offending
party is perceived as a star or rainmaker, but allowing these transgressions to continue
brings the entire system into question. Corrective action can range from re-training to
termination, but it must take place and the reality of its presence must be understood by
employees at all levels.

Vincent H. O'Neil was employed as a risk analyst for FleetBoston Financial and Bank of
America for seven years. A West Point graduate, he has been involved in risk management
for most of his working life and is now a full-time novelist.