The current focus of risk management within banking can be summed up in one word: 'Basel'. Although the new Capital Accord produced by the Bank for International Settlements in Basel is only a consultation document at this stage, it is probable that this document will have become regulatory reality by 2005 or 2006. In fact, even in the Accord's current state of infancy, many banks are sitting up, taking notice, and starting to implement expensive and time-consuming 'Basel' programmes to ensure that their risk management function is able to satisfy the requirements of the Accord.
Those banks that currently have a strong risk management capability are very aware that risk management can be used to create a competitive advantage -- for example, if a bank is able to identify the high- and low-risk customers, it can price appropriately, and maximise risk-adjusted profitability within its specified risk appetite.
What Basel is doing, in effect, is narrowing this competitive advantage, so that nearly all banks will have risk tools, supported by the appropriate information, that allow good risk decisions to be made. Once this current competitive advantage has been eroded, banks that still want to use risk management as a differentiator will have to consider alternative ways of doing so.
They could choose to do this by trying to build more sophisticated risk models, and hence making better business decisions. However, the incremental returns from making better decisions diminish quickly, while the costs of developing and implementing leading-edge risk models are rising every year, as the models become more sophisticated.
It therefore seems likely that the major developments in risk management in the years beyond 2005 will be focused, not on making better decisions, but on making good decisions in a shorter time-span. The benefits from making the correct decision earlier are potentially massive -- for example, banks could reduce lending to a particular sector through earlier identification of a downturn, or close an operational risk loophole before it causes losses, rather than afterwards. Indeed, most -- if not all -- of the major losses within the banking sector over the past few years, from Barings through to Enron, could have been eliminated or greatly reduced with quicker decision-making, based upon the obvious or, in some cases, not-so-obvious warning signs.
How, then, will banks enable themselves to make good decisions faster? We expect to see three major areas of development in the years 2005--2010:
- Building advanced, dynamic models, using all available up-to-date information to predict and pre-empt changes in the risk environment.
- Equipping managers with the tools they need to make and implement risk-sensitive decisions in very short timescales.
- Redesigning the organisation to enable decentralised decision-making while retaining effective risk control.
Each of these areas, and some of the specific developments that can be expected, are explored further in of this article.
Building advanced, dynamic models, using all available up-to-date information to predict and pre-empt changes in the risk environment
As at 2002, the models used within banking vary in their strength from area to area: market risk models are generally close to real-time, using all available data to provide good predictions of market volatility; credit risk models vary in strength from KMV-type share-price analysis and monthly behavioural models to annual financial analysis and one-off application scorecards; operational risk models range from real-time fraud models through to expert-system scorecards, and models based on after-the-event loss data.
After 2005, we expect to see credit risk models taking in new data in real time for all customer types, and aggregating this at a portfolio level, as well as operational risk models that are genuinely forward-looking, and built on a sound statistical foundation.
Credit risk models taking in new data in real time for all customer types, and aggregating this at a portfolio level
Existing credit risk models vary widely in their level of sophistication across banks, and across different areas within a bank. The next few years will involve banks focusing on bringing all of their credit models up to a defined minimum level of sophistication, in order to satisfy the Basel Capital Accord. It is only after this minimum level has been achieved that the leading edge of credit risk modelling will start to move forward again.
For retail and small/medium enterprise (SME) customers, the current focus of the Basel Accord is on application scorecards. We hope and expect that the later consultation papers will provide for the more sophisticated behavioural scoring approach (using trends on the customer's current account to predict default rates) that many leading banks have already implemented. However, even in this case, a simply monthly behavioural calculation is likely to be sufficient to satisfy the Basel requirements.
Future behavioural scoring methodologies will still operate on a monthly cycle (reflecting the way that retail customer accounts behave), but will also allow intra-month updates to be performed when certain trigger events occur. For example, one of the strongest indicators in a scorecard may be whether the customer has had any dishonours (i.e. 'bounced' cheques) in the previous month: in this case, if a dishonour occurs within the month, the customer's score can be instantly adjusted to take this information into account. The bank can then immediately change its view on applications for further funds, and on whether to include this customer in current marketing campaigns.
For corporate customers, Basel is helping banks move towards consistent models that can be used in a variety of ways throughout the business, without specifying what type of methodology should be used.
There are currently a number of different options for scoring corporate customers: for example, external (i.e. agency-supplied) ratings, internal (i.e. bank-calculated) ratings, debt prices, and equity prices. On top of this, there is also the possibility of introducing high-level behavioural scoring methods, based on the company's payment patterns. All of these approaches have their value, and there are many real-life examples where one of these measures provided a warning of default that the other metrics missed.
Future methods for predicting default rates for corporate clients will use the most up-to-date information available in each of these areas -- as well as analysis of the markets in which the company trades, and the potential impact of economic events (for example interest rate movements) on the company. It will only be by combining information from all of these sources into a single model that a truly robust measure of likelihood of default can be produced. Banks that develop and implement these models early will have a competitive advantage -- able to spot the warning signs of default earlier, they will be able to limit their exposure, or trade out of it completely.
For most banks, portfolio modelling is performed as an after-the-event analysis to determine the capital requirements of an existing portfolio. Macro-economic modelling is often performed within a completely separate section of the bank, and outputs from the two areas are rarely considered together. Given banks' current focus on Basel, there are unlikely to be any major changes in the way that portfolio modelling is performed until the underlying models have reached the required levels of maturity.
Beyond 2005, portfolio modelling will be used much more actively before major deals are taken on (in the same way that new trades are currently analysed for market risk), to identify the impact on the portfolio, and hence to set a more accurate marginal risk-adjusted price (or reject the deal, where appropriate). Combining portfolio modelling with outputs from macro-economic analysis will produce a true up-to-date view of portfolio risks, allowing management to consider the effects of possible risk scenarios (such as economic downturns) and potential mitigating actions (such as sale of parts of the portfolio). Again, banks that are able to react to economic events earlier than others will secure a competitive advantage over their peers.
Operational risk models that are genuinely forward-looking, and built on a sound statistical foundation
Operational risk models are less well developed than market and credit risk models. In fact, according to a PA survey last year, less than 20% of banks currently have quantitative operational risk models of any type in place.
Even those banks that do have quantitative models typically base these on crude exposure indicators (for example, trade volumes, revenues or costs) or on historical loss data. Unfortunately, basing a risk model solely on the history of losses is rather like driving using only the rear-view mirror: it may produce useful information from time to time, but much larger problems that are ahead will be ignored until it is too late. Basel itself is reinforcing this trend, strongly encouraging banks to collect and analyse operational loss data, and thereby helping to create a generation of backward-looking models.
There are, nevertheless, some encouraging signs. In its latest consultation papers, Basel has introduced a more forward-looking 'scorecard' option amongst its list of recognised models, and a few market-leading banks (for example ANZ in Australia, assisted by PA Consulting) have already implemented approaches of this kind. These 'scorecard' models include loss data, but also structured assessments of the bank's control environment, and forward-looking risk indicators,. Typically, the indicators that are used include people factors (e.g. staff turnover), process factors (e.g. number of reconciliation errors), and system factors (e.g. amount of unscheduled system downtime).
Unfortunately, banks have not been collecting these indicators and loss data for a sufficiently long period to apply a statistically rigorous process to the development of these models. (Note: if sufficient data were available, regression analysis could be used to determine which factors most accurately predict the future occurrence of losses, and therefore deserve the greatest weighting in the scorecard.) So, at present, the models have to be based on experience and expert judgement regarding which factors are most important in driving operational risk. In this regard, operational risk today is in much the same position as credit risk some years ago, where the first credit scorecards were built as expert systems, with statistical analysis coming much later.
After 2005, however, sufficient data will be available to perform statistical analyses on operational risks, enabling the current generation of models to be significantly refined, and giving bank executives (and regulators) much greater confidence in their prediction of losses. Banks with reliable, forward-looking operational risk models will not only be able to identify potential problems and address them before they create losses, they will also be able to move confidently into new businesses and grow existing ones, satisfied that they understand the full range and complexity of risks involved.
Equipping managers with the tools they need to make and implement risk-sensitive decisions in very short timescales
Having dynamic risk models that provide early warning of problems is one thing -- having the systems in place to take action as a result is quite another. In order to take advantage of their new risk models, and secure competitive advantage, banks will also develop new monitoring systems that deliver information to managers in real time. With that information, managers will be able to take decisions -- either to change internal policies and processes, or, where appropriate, transfer the risks. Both of these routes will imply changes to the way that banks currently manage their business.
Real-time risk monitoring systems will provide management with access to the information they need to run their businesses
In 2002, the majority of risk monitoring still provides 1980s-style reports in an electronic format. So, although the medium is new, the content is not, and users are supplied with the same reports that they have always received (albeit faster than before), with little additional sophistication in the analysis.
However, Basel is driving banks to create a great deal of additional data, both to support the development and maintenance of their risk models, and to satisfy the disclosure requirements under Pillar 3 of the proposed accord. In the short term, all this activity may simply increase the volume of standardised reporting, but, looking forward, it will also provide the infrastructure for a much more sophisticated approach to monitoring risks across a bank.
Beyond 2005, what the bank risk manager will need is not so much additional information (being already in danger of data overload), but guidance on the issues that require investigation. Therefore, we expect to see monitoring focused on trends and exceptions, rather than reporting the same data every day. In addition, systems will provide the ability to 'drill down' into the data to understand the issue, and what is driving it: so, for example, the system might highlight an increase in risk within a particular portfolio, and then offer the risk manager the ability to investigate whether the increase is being driven by an individual product or customer, or is the result of many small changes.
Much effort will also be devoted to performing 'what-if' analyses, enabling risk managers to see the full impact of various potential actions. For example, the credit manager will be able to view those customers whose risk-adjusted profitability is below certain levels, and see what would happen if parts of the customers' facilities were closed, or if new facilities were added. In this way managers develop a real understanding of the drivers of risk and value creation, and will act in appropriate ways to generate maximum value.
Having a more dynamic monitoring system can lead to substantial competitive advantage: the bank with the best and most timely monitoring systems will be the bank that can react ahead of the market, and can do so while reaction is still worthwhile. After all, it is little use trying to sell on debt once the market knows it is unlikely to be repaid, or to close down credit facilities once the customer has no alternative source of funds.
Bank risk policies, processes and systems will become more dynamic and flexible to support the risk manager
In the search for increased risk control, most banks have spent the last few years seeking to centralise, standardise and (where possible) automate risk processes. In this way, they have hoped to minimise the impact of human error, or of 'rogue' branch managers acting in contravention of bank policy. This trend is continuing even now in some markets, and to some extent will be encouraged by Basel's requirements for standardised approaches.
However, banks are increasingly finding that rigid standardisation, while useful in enforcing consistency, is preventing them from reacting quickly to changes in the risk environment. Parameters which have become 'hard-coded' into IT systems or operating processes (such as cut-offs for credit approval, or thresholds for dual authorisation of payments) become difficult to change on more than a very infrequent basis.
With risk models that are slow to react to changes in the environment, and monitoring systems that do not assist managers in making quick decisions, there is little demand to change these parameters. However, as models become more dynamic and monitoring systems more helpful, so managers will increasingly want to change these parameters frequently, taking on more risk when they are comfortable in doing so, and reducing it when they are not.
For example, a recent PA assignment involved developing more advanced credit scorecards for a major retail bank. Once these scorecards had been implemented, and management had developed confidence in their outputs, it became obvious that cut-off scores would need to be adjustable dynamically, in order that managers could change the level of risk they wished to accept.
As more advanced measurement and monitoring systems are developed, the number of areas in which this fluidity is required will increase. For example, the start of an economic downturn (identified through the dynamic behavioural risk models described earlier) may result in credit approval limits being reduced in the relevant industry sectors; and more cheques can be manually inspected from particular companies or geographical areas when fraud risks are perceived to be higher (e.g. during major sporting events in one city).
Moving forward, this kind of flexibility will become commonplace. Banks that are more open-minded and flexible in defining their risk policies will be better able to adjust to their environment, and hence less open to undesirable risks.
Risk transfer markets will be developed to become an everyday tool for business managers
Although the fundamental tools of risk transfer exist today, they are rarely used. Despite the alleged 'convergence' of market and credit risks, the buying and selling of credit assets and derivatives is not part of the standard day-to-day activity of business managers within most banks. Other possibilities, such as operational risk derivatives, have only recently been given real consideration outside of an academic environment.
Basel will help to set up the infrastructure that will make risk transfer easier and more desirable, through increasing market confidence in risk models and processes, and increasing banks' disclosures of risks. Nevertheless, it will take some time after Basel implementation before the credit derivatives markets become liquid (in bad times as well as good) and margins fall to sensible levels, and even more time before some of the more exotic possibilities come to fruition.
However, once that happens, credit and operational risks will begin to be treated more like market risks. The real test -- and the real benefit -- will be when these tools are taken out of the 'back room', and made available to front-line business managers. In these circumstances, the owner of a particular asset portfolio or the management of a major business line will be able to decide for themselves which risks they are comfortable with, and which they wish to transfer.
Particularly in early implementations, the initial risk transfer may be to a central trading group within the bank, or it may be directly into the external markets. In either case, the bank will have given its staff the ability to adjust their risk portfolio dynamically as new information arrives (provided by their new models and monitoring systems), and so maximise returns while staying within its risk appetite.
Redesigning the organisation to enable decentralised decision-making while retaining effective risk control
There is little point in providing managers with the information they need to make the decisions and the tools they need to execute them, if they do not have the authority to enforce the decisions they make, if they are weighed down by a bureaucratic approval process, or if their performance measurement and reward systems lead them to make different decisions thanto the ones the shareholders would like. Therefore, the banks that seek to make good decisions faster will also redesign their organisation and governance structures, to empower and incentivise their staff to make the right decisions.
Front-line staff will have much greater power to make decisions
The role of risk managers is often seen as laborious, slow and inefficient, holding the business back from selling more products, and alienating themselves from the business areas. The primary reason for this behaviour is that credit decisions frequently involve taking on an asset for a number of years; such decisions have historically been almost irreversible, and therefore subject to a large amount of scrutiny beforehand.
In the future, however, the risk transfer processes described above will help to allow any undesirable risks to be removed from a portfolio, so that bad decisions will not be catastrophic, but will be reversible, albeit at some cost to the organisation. As a result, it will be possible for banks to move away from lengthy approvals processes, towards more post-hoc monitoring.
This will mean that the role of the credit committee will change: rather than steering the bank through the twists and turns of individual credit applications, the committee's role will move more to being one of overall portfolio strategy and monitoring. For example, the credit committee will set overall limits for exposures to geographies, industries, and risk grades, and the front-line staff will be given more freedom to work within the agreed limits (much in the same way that market risk is currently managed).
In this way, front-line staff will be able to make fast decisions, to enable their bank to take advantage of the market opportunities much more quickly, as well as providing much better service to their customers than is currently the case (which customer, corporate or retail, would not prefer to deal with a bank that could give an immediate answer to their request for a loan?).
Risk management will become more integrated into the business areas, with a much smaller central management function
The flipside of this devolution to front-line staff will be a corresponding change in the nature of the risk management function -- gone will be the large central function, with hundreds of clerical staff checking the details of credit applications. In its place will be a much smaller group of technical experts, developing and maintaining risk models, setting policies and standards, and supporting senior executives in their portfolio-level decisions.
This does not imply a reduction in the risk management skills of the organisation -- quite the reverse. Whereas risk management is currently seen as a distinct profession and career path within a bank, it will increasingly just be part of the wide range of skills that a modern bank executive must have in order to succeed in his or her job. We therefore expect to see the emergence of a new breed of risk-enabled business managers, who can make sensible decisions, considering both risk and return, based on the full range of data.
Few of these people exist at present, and it will require lengthy training and development (for example, moving high-flyers between risk, finance, and the business line) to create them. It will take further time before bank executives are willing to trust these individuals to take major risk decisions on behalf of the bank, without prior approval. Yet when they do so, they will find that they have unleashed the full power of their risk models in creating competitive advantage, as well as saving significant costs in management overheads.
Banks will pay their staff for (risk-adjusted) value creation
It is obvious to the academic theorist that banks should pay their staff according to the value they create, and that this value should be calculated on a risk-adjusted basis. In this way, the incentives of individual staff are aligned to those of senior management and shareholders, and they are not encouraged to take undesirable risks in order to meet their targets for sales, profit, or any of the other measures commonly used to measure performance.
As we speak in 2002, however, only around 10% of banks worldwide pay their staff in this way, and only around another 20% even have plans to do so. This is perhaps understandable when we consider the large barriers, both practical and cultural, that have to be overcome before such a system can be introduced -- which may also explain why the 10% who do have such systems are predominantly large, sophisticated, American and British banks.
But whereas risk-adjusted remuneration is a luxury for leading-edge banks today, it will become a necessity for the vast majority of banks after 2005. Where decisions of potentially large consequence are being made 'on the fly' by individual members of staff, without several layers of management review and committee approval, it is vital that these individuals have their incentives aligned to shareholders, through appropriate value-based remuneration.
Market trading organisations from Barings and Sumitomo through to Allied Irish have discovered what happens when traders are incentivised in a way that encourages inappropriate risk behaviour; banks that make the same mistake in the credit and operational risk fields are likely to suffer the same results. However, those banks that do have all their staff focused on value creation, using their dynamic risk models and tools to make rapid changes in the bank's risk profile in response to -- and in anticipation of -- external events will see significant benefits, and superior shareholder returns over time. For that reason, the search for good, fast risk decisions is likely to occupy banks' minds for some time after Basel has become just an unpleasant memory.
