Rebuilding Financial Risk Management by Vincent H. O'Neil

(Published in Risk Management Magazine, April 2009)

Rebuilding faith and confidence in the financial services industry will take a long time, but the best place to start is with financial risk management. This cannot be mere window dressing; the end product has to be a risk management system that engages every financial institution employee from the CEO down. The current crisis can be traced to risk management failures at every level, so it only makes sense that the solution should exist throughout all levels as well. 

Risk management should not be viewed as a department. Risk management is a system, an attitude and a climate-and everyone is a risk manager. 

With so many people working in risk management positions, with reams of rules regarding acceptable exposure, and with million-dollar modeling and monitoring technology, why does financial risk management so often fail? 

When business is good, it is easy to assume that nothing is wrong and that nothing is going to go wrong in the near future. Complacency can blind an institution to potential reverses, and it can stop people from speaking out when they think something might be wrong. 

Many of these people remain silent because they believe risk management is someone else's job, or they doubt their own understanding of the situation they are observing. A sound risk management system trains and motivates employees at all levels to examine their own business practices, even when everything seems fine, and to raise any issues they might find. 

The private sector is also an incentive-based world, however, and those incentives-if properly administered-usually yield improved performance. Unfortunately, they can also create circumstances where employees and managers break or ignore the rules in a quest for further compensation. 

Individual and department-level incentives are effective motivators, but they can tempt people to do the wrong thing. Employees can knowingly enter into bad deals in order to improve their bonus numbers. Managers can fall into this trap as well, ignoring violations of corporate policy in the name of helping their departments meet assigned business goals. At all levels, the institution's management must actively discourage the pursuit of short-term gains that violate the institution's rules or risk management fundamentals. Every employee must be made to understand the genuine danger represented by bending the rules using recent examples ranging from the demise of Barings, formerly the oldest British merchant bank, to the current crisis. 

If not properly administered, incentives pose the additional threat of creating an unhealthy risk management climate. In such an atmosphere, risk managers-and the rules they enforce-come to be regarded as obstacles to be overcome or avoided. When not supported by management, risk managers can become marginalized and the institution's rules can be ignored. Such an atmosphere can have far-reaching effects: If the management fails to enforce risk management regulations, their employees can come to view all of the institution's rules as being open to interpretation. 

Ignorance is another hurdle to effective financial risk management. During the long economic boom of the 1990s, it was noted that many of the junior analysts in the financial industry had no personal experience of a bear market. Although recent events have clearly demonstrated that risky practices can have cataclysmic consequences, those lessons can be quickly forgotten. 

Unacceptable risk is frequently accepted by people who fail to recognize the hazard in the first place. Ignorance of the real consequences of a risk management failure can make an institution's risk regulations seem unnecessary, and even silly.  

Training is the answer to ignorance, and one of the most important goals of risk management training is convincing all employees that the danger is real. Risk management training must be an ongoing process, linking real-world case studies to explanations of the institution's control mechanisms. The recent examples of Lehman, Bear Stearns and the continual government bailouts serve as a reminder that risk management failures can cost many people their jobs. 

On a related note, technology has the capacity to create a kind of passive ignorance that is quite dangerous to an institution's risk awareness. While technological monitoring is a valuable tool, overreliance on technology can create risk "blind spots" where financial modeling and risk-warning systems come up short. These blind spots can be missed if the employees using these systems are not trained in risk management fundamentals. At the very least, employees must be made to understand that the machines only do what they are programmed to do, and that only humans can expect the unexpected.  

One final-and perhaps the most difficult-challenge is overcoming the culture of fear. Concern over "not measuring up" and "not rocking the boat" can cause individuals to remain silent when they should speak out. Such silence strikes against the heart of the risk management climate, which seeks to create teams of redundant watchers trained to raise the alarm. 

Just as incentives can encourage individuals to make questionable deals, concern over a job can tempt employees to exaggerate the advantages of a potential transaction (or the creditworthiness of a potential customer) in order to bring in the business and keep pace with their colleagues. It is the duty of the institution's management to create an atmosphere where this will not occur. 

The marginalization of risk managers was mentioned earlier, but there is a similar circumstance related to fear in which the risk managers are at fault. This is the case of co-opted risk managers, who so closely identify with the departments and people they monitor that they fail to report violations of risk fundamentals. Risk managers are human and the fear of being regarded as interfering or unreasonable by the people they see every day can cause them to become nonentities. The risk management hierarchy must be on the lookout for cases like this and should consider a rotational system that prevents long association from becoming a problem. 

Given all the factors opposing a proper risk management culture, attempting to overcome them all can seem daunting. But by following four concrete steps, any risk manager can begin to win the fight. 

1. Senior Management Emphasis 

Senior management must take the lead in creating a risk management climate that encourages every employee to study, understand and monitor risk. This cannot be a one-time, or even a once-a-year, thing. Creating a risk management climate is an ongoing effort. 

The CEO as chief risk officer: Although the institution can still have a chief risk officer, the entire senior management team must be seen promoting risk awareness. This will not only motivate subordinates to do the same but also serve to reinforce the importance of this effort. One possible route is to treat this like an internal advertising campaign, with posters and videos showing various employees, from senior management on down, stating, "I am the chief risk officer." 

Frequent, meaningful reminders: Senior management has a role in creating a sustainable level of risk awareness and should take the opportunity to provide some of the instruction themselves. From breakfast speeches to classroom-style training to off-site seminars, there are numerous ways for leaders to reinforce the institution's dedication to risk management. 

Do not lead them into temptation: As mentioned earlier, bonus-based incentives can lead people astray, and sometimes for seemingly good reasons. Only senior management can create an atmosphere in which employees will choose to forgo a questionable business transaction that would have helped them earn a reward. Only senior management can convince employees that obeying corporate regulations will not place their jobs in jeopardy-disobeying them will. 

Enforce the rules: All the words in the world will not create risk awareness if violations are not corrected. Remedial training and verbal reprimands can reinforce an institution's risk management system, but they must be backed up with more serious punishment including termination when appropriate. 

2. Training at All Levels 

Building an inclusive risk management system is not an easy task. Overcoming complacency and ignorance is often a function of motivation, and so the training must convince employees that risk management is important-both to the institution and to the individual. 

Offer a free, recognized and transportable risk management certification course: This is an excellent way to motivate employees at all levels to learn the fundamentals of risk management. It can be an internal program, an external certification or a combination of the two. Offering certification, regardless of rank or job, will go a long way toward creating risk awareness at all levels. Best of all, the employees who complete the course and receive this certification will fully understand the importance of risk management and know what to look for in terms of risky or fraudulent behavior. 

Sustained training: The training effort, though containing some mandatory instruction at set time intervals, must be more than an annual or quarterly requirement. Middle and junior management can take part in this without making the time burden onerous. Using a series of brief lessons, middle managers can reinforce the message that the danger is real by citing examples taken right from the news that show how people who were not in "risk" jobs made (or could have made) a difference. 

Constant reminders: Flash videos, wall posters and junior management talking points can serve as frequent reminders of the importance that the institution places on risk awareness. To gain the proper impact, these reminders could be focused on the consequences of failed risk management, citing the number of jobs lost and legal penalties incurred. This can do a lot to reinforce earlier training showing the dangers of adopting an "everybody is doing it" attitude. 

3. Monitoring 

Most of the risk management structure already in place will remain, including the risk managers themselves and the technology that measures risk exposure. As recent events have demonstrated, merely appointing a risk hierarchy and installing risk management software is not enough, even if this system is fully understood and obeyed. One of the key benefits of establishing a risk management climate in which every employee acts as a risk manager is the exponential increase in monitoring performed by the extra sets of trained eyes. 

4. Corrective Action 

All the rules, managers and software in the world will not create an effective risk management system if that system has no teeth. One sure-fire way to ruin a risk management system (and destroy the effectiveness of risk managers) is to tolerate repeated violations. Punishing violations is not always easy, particularly when the offending party is perceived as a star or rainmaker, but allowing these transgressions to continue brings the entire system into question. Corrective action can range from re-training to termination, but it must take place and the reality of its presence must be understood by employees at all levels. 

Vincent H. O'Neil was employed as a risk analyst for FleetBoston Financial and Bank of America for seven years. A West Point graduate, he has been involved in risk management for most of his working life and is now a full-time novelist.