Since the 2008 financial crisis, banks have apparently devoted more attention and resources to their risk management systems and processes. Stuart Witchell, senior managing director at FTI Consulting, heads up the international firm’s Asia-Pacific risk and investigations practice, and has been closely involved in the changes underway. He shares his views and conclusions with FinanceAsia.
Let’s be clear, do banks actually want to reduce risk?
Instead of seeing banks as monolithic bodies, it’s more useful to look at key groups within a bank to see how their priorities with regard to reducing risk may differ. For traders and those involved in the creation of “exotic” or risky financial products, despite some changes, their bonus-driven pay structures remain heavily weighted towards relatively short-term performance metrics, reducing the importance they place on systemic risks, or risks which aren’t directly tied to the business divisions they are involved in. For senior management, their position depends strongly on the need to try to keep risk at an acceptable level — although exposure to systemic risks remains difficult for them to assess.
Meanwhile, shareholders realise that some degree of risk is essential to any successful business: investors choose to invest in an enterprise because they want their investment value to increase. However, at the same time they face a much larger downside, because if risks are poorly managed by the bank, they could potentially lose all of their investment — leading them to wish for a more cautious approach to risk than the other two categories in the bank.
What lessons have been learned since 2008, and how have risk management systems, practices and understanding been improved? Have attitudes changed?
I think it is fair to say that there have been two major changes in risk management at banks: first, banks have started to pay more attention to systemic risk analysis, instead of just looking at the risk of individual business divisions or products in isolation from each other; second, investors and regulators have started to subject bank’s risk management processes to much greater levels of scrutiny, in order to be sure that the bank is being run in a responsible fashion.
Before the crisis, banks rarely viewed risk management as a crucial discipline or as a vital safeguard to protect against troubled financial times and limited liquidity. Instead, they tended to pay lip service to their commitment to “risk management” as something of a public relations tool, used to reassure clients, regulators and ratings agencies, without actually taking it as seriously as it should have been from a business sense — as the sidelining of the senior figures in Lehman’s risk management division in the months before its collapse showed.
What are the most costly risks for financial firms?
Of course, poor business decisions are the biggest risk for any firm, because good decisions underpin all business success and so everything else stems from these. For the other areas it depends on the type of risks and the size of the incident being considered.
Often it is only the headline figure of the financial loss which is publicised, but this can be small compared to the real loss in terms of damage to reputation, loss of customer confidence, closer attention from regulatory authorities. For financial firms, along with other professional services providers in general, much of the company’s worth is based on its record of success and the fact that it is perceived as a “safe” partner. Therefore, the reputation of the firm is integral to its success, and damage to its reputation can have serious ramifications for the whole company. However, reputational damage normally occurs from another trigger event, such as fraud, or computer hacking, or high-profile litigation, which can in turn trigger other negative events, and so these issues should not be considered in isolation, but rather as part of a whole-firm, holistic approach.
How can financial firms best minimise counterparty and settlement risks from transactions?
Unfortunately there is no magic bullet to solve the problems posed by counterparty and settlement risks. Furthermore, as companies, and financial firms in particular, become increasingly active in emerging markets (where legal and other contract enforcement frameworks are often weaker and more prone to improper influence) the risks posed by these issues are likely to increase.
But there are certain guidelines which can be followed. The most important is to know your partner and/or client, and to do adequate due diligence on them. Furthermore, as business is a dynamic environment, companies should also periodically look at their partners again, in order to assess whether there has been a change in their “riskiness”.
In general, how well qualified are compliance and IT departments to prevent fraud and other illegality?
It’s fair to say that most financial firms have significantly increased their expenditure on compliance in recent years. Compliance capabilities have improved, largely because banks have been forced to pay more attention to them by a more rigorous regulatory framework. However, this regulatory framework is largely based around normal transaction-based business in major, developed markets, where much of the process is routine. But the nature of risk in emerging markets is often qualitatively different from that in developed markets, relating much more to off-balance sheet risks, and what is unobserved, rather than simply not reported — as the recent RTO issues in China have shown. In these cases, a number of major investors have had their fingers burnt despite having compliance frameworks in place.
So it is in these more challenging areas that compliance groups need support. Thankfully it seems that compliance departments are aware of their own limitations and the areas where they lack capabilities, and so have increasingly been coming to us looking for support. I see this as a positive development.
What will be the effects of the 2010 Dodd-Frank Wall Street Reform and Consumer Financial Protection Act and other regulatory changes for reducing risk?
At this stage the regulatory framework for financial services is uncertain, with laws being passed in a number of countries, while detailed codes on the implementation of these laws have yet to be promulgated. To take the example of the Dodd-Frank Act, the text of the act runs to more than 2,300 pages and is one of the most complex pieces of legislation ever written. So we are still only at the very beginning of our understanding of its impact on the financial sector.
However, it is clear that those involved in the financial industry are sceptical about the benefits of regulatory changes. In fact, FTI Consulting carried out a survey of more than 300 company directors and 120 general counsels earlier this year, to which 94% of respondents stated that they thought the law needed to be re-evaluated, with only 24% believing that the act would be perceived positively in five years time. Indeed, 80% of directors believed that the implementation of the Dodd-Frank Act would ultimately “lead to increased oversight, reduced earnings and a less attractive capital market”. Perhaps the most useful indicator in the survey was that only17% of respondents believed that the act “will help create sound markets and benefit well managed companies”.
On the other hand, as shown by many instances in the past, even more important than the text of the regulations is the vigour with which they are pursued by the relevant authorities and the degree to which enforcement is made painful for those affected.
And it is also worth pointing out that many senior executives were concerned about the effect of the Sarbanes-Oxley Act after it was passed, although research has since shown that directors now believe that the provisions of the act have made corporate boards more effective.
