What happens when risks become too global in scope and increasingly uncertain for a business to manage? This article explores the key steps to understanding the interrelationships between individual risks, and the importance of achieving a holistic view of risk that benefits banks’ bottom lines.
2020 has yielded a world in tumult. As summer has turned to autumn, historic wildfires continue to burn across California and the US Pacific Northwest, while hurricanes have churned in greater numbers in the Atlantic – both undeniable signs of climate change. Political protests and social unrest have likewise raged from Hong Kong and Minsk in Belarus to Santiago in Chile and Kenosha, Wisconsin. And the global Covid-19 pandemic continues to flare after bringing devastation to nearly every corner of the world and most of its economy to a stop.
The year’s extraordinary events have likewise upended the way risk management approaches are implemented among financial institutions. The Covid-19 pandemic has not only changed the nature of the risks investment banks must steel themselves for, but also the operating environment for the enterprise itself.
Indeed, the scope of these risks is different. Whereas the challenge was once a matter of modeling, data volume and processing capacity, today’s issues – public health crises, social unrest, climate change, infrastructural threats such as cyber crime, and many others – draw on completely external realms of knowledge. They are more widely distributed and larger in scope. Designing a risk framework to measure and manage them, therefore, takes on a whole new complexion.
For financial institutions, it is a question of finding, evaluating, disseminating and ultimately incorporating data into front-office decision-making that could never have been imagined before – as well as breaking down the boundaries around these knowledge sources, creating risk awareness and transparent views across different business units. Institutions increasingly need platforms that can deliver an integrated view of their holistic risk profile. Ultimately, they must enable chief risk officers (CROs) and senior management to reach better, more informed decisions on risk and how to assess and manage current risks in this new era.
It is critical for organizations to have a clear, measurable definition of their risk appetite, and to understand the interrelations between individual risk types and how they can improve their risk management processes in an operationally cost-efficient way. This begins with integrating audit, risk and compliance – each its own line of defence – into contributing to a more holistic process, availing new wins for the business in a period of volatility and uncertainty, while maintaining a protective long-term strategy.
The importance of a holistic approach
Most present-day enterprise-wide risk management frameworks are compartmentalized, driven by point solutions for the latest dictates from the Basel Committee on Banking Supervision or the International Organization of Securities Commissions, or newer market-specific regimes such as the Fundamental Review of the Trading Book. As a result, they can be increasingly overwhelming to manage, incorporating market scenarios and reporting outputs based on fine-tuning inputs and stressors – such as a new yield curve, interest rate reduction or corporate action – while aiming to understand the specific potential for knock-on effects or market contagion.
The consequences of this approach are manifold. While regulatory reporting has attracted significantly greater investment, it is usually deployed to simply catch up to the next requirement and often siloed within a particular desk or business unit. Even when these regulations are focused at an enterprise or balance sheet level, they typically require a particular perspective on cashflow modeling that is unique, meaning additional effort is needed to repurpose them for internal risk tolerances. All the while, this shift in capital has often come at the expense of true enterprise risk technology transformation. Being compliant has always been the first priority, which is understandable, considering the costs of non-compliance raise a reputational risk and significantly impact performance.
However, firms are beginning to notice this problem. Before the pandemic there was often a separation of compliance-related tasks and internal risk measures while CROs identified the enterprise stress-testing capabilities as a major area for improvement. The larger the bank, the more risks are managed in the silo of the risk type. For example, a large UK bank recently indicated it took three weeks for the effect of a change in market risk to be fully reflected in its calculations from the bottom up, and a week for the top-down stress-testing results. That latency creates a huge risk as the bank will be unable to react quickly when global risks affect all functions simultaneously, and with different effects on profit-and-loss capital and compliance measures.
For the purpose of enterprise risk data integration, as well as risk model interoperability, it is crucial for today’s organizations to seek a strategic approach and clear view of their risk tolerances within an enterprise risk management framework that could help their business succeed in times of crisis .
Adopting, and thriving from, a crisis mentality
2020 has proven a number of realities that, in the past, seemed merely theoretical. The universe of ‘known unknowns’ to be analyzed has grown far wider as a result of Covid-19, but it has also shown how exogenous global risks can manifest in hyper-local ways. To this extent, they must be accounted for as banks take stock of where to look for good investments, and where to steer clear.
Today, banks’ risk teams are building frameworks for analysis and activation. Pockets of innovation already exist on their research teams and even in certain product developments. These include balance sheet optimization, regulatory technology and artificial intelligence tools, and such products as weather derivatives, rainbow options and loan forgiveness programs. Similarly, there is a level of granularity in new alternative data that has the potential to provide pinpoint insight into some of these newer global risks. The question is how to leverage it.
Risk managers need to be able to apply this knowledge not only to spot applications, but to spot them holistically. Once developed, these insights must be plugged into existing risk frameworks – whether counterparty credit risk, credit valuation adjustment risk, market and concentration risks, or others – and recalculated. There is a lot to do.
To that end, banks today pursue data integration projects that require data to be defined and used across departments. For example, calculation of the expected credit loss in International Financial Reporting Standard 9 (IFRS 9) for financial applications is different to the regulatory calculation for Basel III, where the definition of an exposure varies across risk type.
Design elements for a new landscape
Banks today are keen to express their capabilities in these new areas, but it’s not just about new knowledge. It is also about preparedness and, in particular, how their data infrastructure, governance frameworks and ability to deal with different languages and code allow them to share and amplify this information across the institution. The complexity lies in rote processing power, and also ownership: who is responsible across these data artefacts?
The intersection between risk organization, technology and data is what allows certain banks to push the envelope and deploy risk capital more thoughtfully, while remaining compliant. In 2020, we have seen windfalls in the regions of billions of dollars for those who could get ahead, as well as losses in the hundreds of millions for those left behind.
Achieving this new level of enquiry, understanding and scrutiny puts fresh demands on technology foundation: the data management platforms whose design will ultimately determine success or failure. Unlike regulations, there isn’t a point solution for climate change or pandemic risk management. Firms must get creative and, in the first instance, prioritize key objectives. These include:
- Establishing procedures to capture data flows throughout risk model construction and calculations
- Being able to adjust and port balance sheet-level models and analytics
- Creating an institutional language around this new data that can translate across desks, and beyond to industry and regulatory bodies.
Snapshots in time
The first of these is a data integrity question. More exotic inputs into risk data computation inevitably mean there will be more data volume, data frequency and data iteration. As processes mature, risk managers must be able to provide accurate insight – whether to their board, their CRO, traders or regulators – with respect to the decision tree and data lineage behind every output. Timing, sourcing and incorporation of data throughout model construction and calculations must all be captured without intervention.
This documentation sounds straightforward, but to ask CROs is quite the opposite. The problem stems from pre-2020 issues with risk management infrastructure and process integration across the enterprise. Without it, firms will be in the dark. How or whether internal risk tolerances are affected by new risk variables, as well as the end-reporting snapshot required by regulators, will remain too slow in developing to be able to act on fresh information.
Second, banks will be concerned with contextualizing new risks within their own balance sheet optimization activities. They will deploy more advanced analytical tools to project macro-level threats onto local isolated situations, and much of this will be dispersed across individual desks. These analytics will then be compared against the risk appetite set at an overall balance sheet level, so these must be shareable and actionable.
But the next natural question is tougher: just what is that internal risk appetite? Creating this linkage is a challenge when contractual cashflow modeling for the balance sheet can vary by desk, or by the flavor of regulation governing that desk. What’s more, the points of emphasis can shift within the enterprise over time.
Banks of all sizes are realigning their businesses today, with increased focus on certain risks and markets. As they do, they are seeking to define priorities that allow them to remain compliant but flexible, and maximizing what they do best. For instance, smaller and regional institutions may emphasise credit risk and leave funding and market risk to their larger partners. But every firm wants this level of dexterity, and technology that helps them make conscious, risk-informed decisions about where they are taking their business.
What is required to solve these issues is a flexible base: automated reconciliation that allows certain elements to be ported around different risk capabilities, providing predictable intermediate steps in data processing and scenario analysis without additional reconciliation cycles.
Building expertise through common language
Finally, firms must aim to develop greater understanding of these new risk vectors via translation between business and regulatory vocabularies. A holistic enterprise-wide risk-management process has been tricky to achieve in the past, and CROs often point out that the level of first-hand crisis experience across their companies has thinned over time. Ideas about new global risks such as pandemics or climate change may bring actuarial science, computational techniques and uncertainties that only specific clusters within the organization – or the world, for that matter – can understand. The further we project into the unknown, the more collective expertise is required.
Therefore, risk management data platforms must be designed to facilitate this collaboration among internal experts and external observers too. They are not just a place to store or process risk data, but a tool to make new risks more relevant to a greater audience.
All on the table
Not unlike the pandemic itself, there is and will continue to be a wide disparity of outcomes on the basis of belief in data, allocation of resources and imagination.
The bigger test coming out of this period will be how prepared institutions are for the next major event to rock the markets, or a particular corner of the markets to which some may have overweight exposure. It will be imperative for firms to examine these new exposures with precision, port their findings into an enterprise risk framework that can then disseminate that information, evaluate it holistically, achieving a transparent and overarching view of their risk profile and, ultimately, make prudent choices about how it can guide their business.
If 2020 has taught us anything, it is that all eventualities are now on the table. Enterprise-wide risk management frameworks must evolve to embrace them.