Date: APRIL 17, 2015

“If a bank is serious about risk management, then it will be serious from the top down.” Before discussing this statement, it is important to understand the events that precipitated it. 

The chain of events that led to the global economic crisis is outlined in figure 1. The resulting global economic downturn led to a vicious cycle of companies failing or downsizing, thus leading to unemployment, which further reduced demand for goods and services. In addition, banks across the globe retrenched and, in place of the liberal lending practices, credit tightened across the board. Governments stepped in with fiscal support, the likes of which have never been seen in modern recorded history. And now, everyone waits to see what will happen with this never-before-tried experiment of flooding the world markets with government money.

What happened? Why did everything turn so bad so fast when it looked like the good times would go on unabated and it appeared that the very predictable five- and 10-year recession cycle had been overcome?

Different people like to point fingers at different culprits. Some experts put the blame on credit default swap instruments that were sold worldwide with promises of high returns and low risk. Others blame those who promoted mortgage access to people who normally would not qualify for a housing loan. But we believe that the issue is more fundamental: The world’s financiers lost sight of the requirement to manage risk effectively and, in many cases, it is questionable if the basics of risk management were ever put in place.

A Bank’s Business

The core business of a bank is to manage risk and provide a return to shareholders in line with the accepted risk profile. The credit crisis and ensuing global recession seem to indicate that the banking sector has failed to tend to its core business. If it had done so effectively, then credit default swaps would not have been bought up with so much eagerness. If the banks had attended to risk management, then there would not have been the flood on the U.S. market of cheap short-term interest rate mortgages that led to the so-called housing bubble and the ultimate wave of personal bankruptcies and home foreclosures.

A.T. Kearney believes that the framework for risk management in a bank is fundamentally no different today than it was prior to the credit crunch and recession. Indeed, the risk function lacks a certain business acumen, and continues to be considered a handbrake on growth. Chief economists and their macro perspectives are still divorced from the bank’s own strategy function. We believe that a return to managing risks—not ignoring them or believing they can be passed off—is the cure for the ailment that has hit the economy so hard. Let us therefore review what we call “The Seven Tenets of Risk Management” to see why the paradigm has neither been altered nor fundamentally changed in this new world order.

1. Establish a Language System to Discuss and Categorize Risk

A risk manager is overheard at a recent intra-departmental meeting: “The Basel II second pillar requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their obligations in this respect and that sufficient oversight is provided by the SREP…” at which point many of the participants have no idea what the risk manager is talking about, but they are too afraid to ask questions so they nod their heads in polite agreement and hope no one will ask them for their personal opinion.

This scene is played out all too frequently at many banks. Each function within a bank has its own lingo and acronyms that are useful in the right format and context. Take them out of their natural environment and they cause untold confusion and misunderstandings. It is incumbent upon risk experts to translate risk issues into a language and terms that all interested parties can understand, and it is the responsibility of the other functions to make the effort to understand.

2. Develop a “Big Picture” View of Risk Exposure and Focus on the Most Important

Not all risks are created or end equally. Banks need to be mindful of credit, market, and operational risks. Within the three main areas of risk, further stratification is embedded to allow for a comprehensive overall view of risk. Tools such as VaR (Value at Risk), Monte Carlo simulations, CFaR (Cash Flow at Risk), stress testing, and others are applied to judge the level of risk and subsequently the actions required to contain the risks. Yet within banks there is often a lack of tools and sophistication to keep pace with a rapidly changing set of products. At any point in time, one or more risk elements may be more relevant than others, but the bank needs to know its risk framework and monitor developments in real time to provide the right level of attention and action.

As a whole, Canadian banks seem to have fared better than banks in other countries. Canadian banks in general steered away from the credit derivative craze, adopting a more conservative approach as other banks were ambitiously buying the risky instruments. By taking the big picture view, Canadian banks avoided a major meltdown. According to a report by TD Bank: “There appears to be a more risk-averse culture in Canada running through government, the public and banks. Canadian banks benefited from prudent and disciplined risk-management practices, and higher capital ratios pre-crisis. The fact that Canada’s major investment banks were part of a large diversified financial services institution also played a role.”1

3. Centralize Ownership of Process and Decentralize Decision Making

Risk management can be most effective when it is applied consistently across the banking organization with policies and procedures developed by risk experts who have the training and experience for their specific country, area, and client mix. It is incumbent upon front-line officers to use the tools and processes to guide their daily interactions with customers. Interactions are clear. Answers are given in a timely manner and the responses leave no ambiguity about what the bank is able to do for its customer. 

A good example can be drawn from banks in Central Europe pre- and post-privatization. Prior to privatization and modernization, many banks had a decentralized business model and it was a public secret that the branch managers made up the rules and profited handsomely from insufficiently transparent business practices. This led to the failure of many banks in Central Europe. Post privatization, the banks focused on centralizing key processes around risk and then decentralizing decision making down to the branch level, with the knowledge that decisions would be made within the centrally developed framework; this provided safeguards against unwanted risk.

4. Drive the Process from the Top and Clearly Define Roles and Responsibilities

In the lead-up to the big bust—the credit crunch—banks were reporting record profits and the leaders were receiving bonuses for relatively short-term results. It seemed that everybody wanted in on the big profits and pay days, and little heed was given to people calling for curbing the growing risk profiles. The clear lesson: what the leaders in the organization do, not so much what they say, is what defines an organization’s behavior. Risk management in a bank is everyone’s responsibility, not just the risk department’s. Leadership must not only espouse a vision but also behave in a manner consistent with it and demonstrate to employees that prudent risk management is a cornerstone to success.

5. Quantify Risk Exposure and the Costs and Benefits of Managing Risks

The warnings were everywhere; renowned financial experts were quoted almost every day: The risks of credit derivatives are not quantified and nobody really knows how much is out there and what will happen when contracts come due. We know now, at least to this point, what has happened. Had individual organizations been looking appropriately at the risks of purchasing the seemingly too-good-to-be-true derivative instruments, perhaps they would not have taken them on with such zeal and the problem would have been more contained at the original source, which was the overheated mortgage market in the United States. Consistent and rigorous assessment of risk and quantification of the net benefits of appropriately dealing with the risk cannot be replaced with promises of above-average returns with no knowledge of the potential downsides.

A recent article in Fortune may have said it best when describing BlackRock, the large money management company.2 “When instruments get complicated, do your homework. In fact, at BlackRock, executives are constantly refining their models to stay one step ahead of the latest funky financial product from Wall Street’s wizards. ‘The firms that design securitized products are always conspiring against us with new, increasingly complex instruments,’ explains Rob Goldstein, who oversees BlackRock Solutions, which leases an ultrasophisticated technology platform to clients and has a team that helps companies analyze and run their portfolios. ‘It’s our mission to make sure they don’t win.’ On behalf of the Federal Reserve, BlackRock Solutions is managing troubled assets from AIG and Bear Stearns.”

Even the most sophisticated models will not make an organization 100 percent foolproof as BlackRock found when it misjudged the market for commercial mortgage-backed securities. Regardless, strong and rigorous analytical capabilities will lessen the chance of failure.

6. Embed IT Systems to Facilitate the Risk-Management Process

The value of IT appears to be increasing over time to banking organizations as the environment grows ever more complex—so there is no change in this variable in troubled times. However, the IT value will be realized only if IT systems development is driven by user needs and not vice versa. IT systems, if properly developed and used, can assist the company in risk management by providing control and compliance monitoring technology, databases, market and industry research and analysis tools, and communication tools. These are all critical tools that assist in the delivery of the required information to decision makers in the bank. This can happen if the IT systems are developed with the user’s needs in mind.

7. Embed a Risk-Management Culture

If a bank is serious about risk management, then it will be serious from the top down. Leadership will espouse a culture of responsible risk management through its behaviors and through the systems and programs it puts into place. In the run up to the financial crisis, organizations talked about good risk management; however, few in leadership positions espoused effective risk management, which is evident in the dismal failures in the financial sector. A risk-management culture can be embedded in the organization through training, communications and incentives (see figure 2).


Goldman Sachs, although not currently popular among the general populace, nevertheless has embedded a rich culture as noted in a Forbes article3: “Still, the special moxie of Goldman’s culture is to respond boldly and brilliantly to crises that threaten the franchise, and move through them to higher ground, more resolute and inner directed. This is a paean to its leadership… This is due to the GS culture; the risk control officers are treated as equal in authority to the risk takers. There is now a comprehensive effort to bolster what GS calls the ‘federation’—the empowering of the firm’s support staff, those less glamorous individuals once called back-office types. That description is banned under the new culture. Recruitment, training, and compensation are conceived to create a band of brothers and sisters honored for their contribution as much as some whiz kid trader or M&A banker. Smart. Very smart.”

Putting a Ribbon and Bow around Risk Management

Banks around the globe should review their risk-management practices with an eye toward assessing whether or not they fulfill these seven tenets. A structured review of the bank’s risk-management practices against these tenets will certainly provide a clear starting point for improving risk management in areas that are found to be wanting. The regulators will certainly impose new demands on the banking sector. A clear analysis can be the guiding light and a pre-emptive initiative for implementation of sustainable improvements to risk management that will secure shareholder returns over the short, medium, and long term and appease regulators’ demands.

Above all, a firm’s leadership should behave the way it wants its organization to behave. Or, as we stated at the outset of this article: “If a bank is serious about risk management, then it will be serious from the top down.”