The Way Forward: Rebuilding Financial Risk Management (published in Risk Management Magazine April, 2009) by Vincent H. ONeilRebuilding faith and confidence in the financial services industry will take a long time, butthe best place to start is with financial risk management. This cannot be mere windowdressing; the end product has to be a risk management system that engages every financialinstitution employee from the CEO down. The current crisis can be traced to riskmanagement failures at every level, so it only makes sense that the solution should existthroughout all levels as well.Risk management should not be viewed as a department. Risk management is a system, anattitude and a climate-and everyone is a risk manager.With so many people working in risk management positions, with reams of rules regardingacceptable exposure, and with million-dollar modeling and monitoring technology, why doesfinancial risk management so often fail?When business is good, it is easy to assume that nothing is wrong and that nothing is goingto go wrong in the near future. Complacency can blind an institution to potential reverses,and it can stop people from speaking out when they think something might be wrong.Many of these people remain silent because they believe risk management is someoneelses job, or they doubt their own understanding of the situation they are observing. Asound risk management system trains and motivates employees at all levels to examinetheir own business practices, even when everything seems fine, and to raise any issues theymight find.The private sector is also an incentive-based world, however, and those incentives-ifproperly administered-usually yield improved performance. Unfortunately, they can alsocreate circumstances where employees and managers break or ignore the rules in a questfor further compensation.Individual and department-level incentives are effective motivators, but they can temptpeople to do the wrong thing. Employees can knowingly enter into bad deals in order toimprove their bonus numbers. Managers can fall into this trap as well, ignoring violations ofcorporate policy in the name of helping their departments meet assigned business goals. Atall levels, the institutions management must actively discourage the pursuit of short-termgains that violate the institutions rules or risk management fundamentals. Every employeemust be made to understand the genuine danger represented by bending the rules usingrecent examples ranging from the demise of Barings, formerly the oldest British merchantbank, to the current crisis.If not properly administered, incentives pose the additional threat of creating an unhealthyrisk management climate. In such an atmosphere, risk managers-and the rules they
enforce-come to be regarded as obstacles to be overcome or avoided. When not supportedby management, risk managers can become marginalized and the institutions rules can beignored. Such an atmosphere can have far-reaching effects: If the management fails toenforce risk management regulations, their employees can come to view all of theinstitutions rules as being open to interpretation.Ignorance is another hurdle to effective financial risk management. During the longeconomic boom of the 1990s, it was noted that many of the junior analysts in the financialindustry had no personal experience of a bear market. Although recent events have clearlydemonstrated that risky practices can have cataclysmic consequences, those lessons can bequickly forgotten.Unacceptable risk is frequently accepted by people who fail to recognize the hazard in thefirst place. Ignorance of the real consequences of a risk management failure can make aninstitutions risk regulations seem unnecessary, and even silly.Training is the answer to ignorance, and one of the most important goals of riskmanagement training is convincing all employees that the danger is real. Risk managementtraining must be an ongoing process, linking real-world case studies to explanations of theinstitutions control mechanisms. The recent examples of Lehman, Bear Stearns and thecontinual government bailouts serve as a reminder that risk management failures can costmany people their jobs.On a related note, technology has the capacity to create a kind of passive ignorance that isquite dangerous to an institutions risk awareness. While technological monitoring is avaluable tool, overreliance on technology can create risk "blind spots" where financialmodeling and risk-warning systems come up short. These blind spots can be missed if theemployees using these systems are not trained in risk management fundamentals. At thevery least, employees must be made to understand that the machines only do what theyare programmed to do, and that only humans can expect the unexpected.One final-and perhaps the most difficult-challenge is overcoming the culture of fear.Concern over "not measuring up" and "not rocking the boat" can cause individuals to remainsilent when they should speak out. Such silence strikes against the heart of the riskmanagement climate, which seeks to create teams of redundant watchers trained to raisethe alarm.Just as incentives can encourage individuals to make questionable deals, concern over a jobcan tempt employees to exaggerate the advantages of a potential transaction (or thecreditworthiness of a potential customer) in order to bring in the business and keep pacewith their colleagues. It is the duty of the institutions management to create anatmosphere where this will not occur.The marginalization of risk managers was mentioned earlier, but there is a similarcircumstance related to fear in which the risk managers are at fault. This is the case of co-opted risk managers, who so closely identify with the departments and people they monitorthat they fail to report violations of risk fundamentals. Risk managers are human and thefear of being regarded as interfering or unreasonable by the people they see every day cancause them to become nonentities. The risk management hierarchy must be on the lookout
for cases like this and should consider a rotational system that prevents long associationfrom becoming a problem.Given all the factors opposing a proper risk management culture, attempting to overcomethem all can seem daunting. But by following four concrete steps, any risk manager canbegin to win the fight.1. Senior Management EmphasisSenior management must take the lead in creating a risk management climate thatencourages every employee to study, understand and monitor risk. This cannot be a one-time, or even a once-a-year, thing. Creating a risk management climate is an ongoingeffort.The CEO as chief risk officer: Although the institution can still have a chief risk officer, theentire senior management team must be seen promoting risk awareness. This will not onlymotivate subordinates to do the same but also serve to reinforce the importance of thiseffort. One possible route is to treat this like an internal advertising campaign, with postersand videos showing various employees, from senior management on down, stating, "I amthe chief risk officer."Frequent, meaningful reminders: Senior management has a role in creating a sustainablelevel of risk awareness and should take the opportunity to provide some of the instructionthemselves. From breakfast speeches to classroom-style training to off-site seminars, thereare numerous ways for leaders to reinforce the institutions dedication to risk management.Do not lead them into temptation: As mentioned earlier, bonus-based incentives can leadpeople astray, and sometimes for seemingly good reasons. Only senior management cancreate an atmosphere in which employees will choose to forgo a questionable businesstransaction that would have helped them earn a reward. Only senior management canconvince employees that obeying corporate regulations will not place their jobs in jeopardy-disobeying them will.Enforce the rules: All the words in the world will not create risk awareness if violations arenot corrected. Remedial training and verbal reprimands can reinforce an institutions riskmanagement system, but they must be backed up with more serious punishment includingtermination when appropriate.2. Training at All LevelsBuilding an inclusive risk management system is not an easy task. Overcoming complacencyand ignorance is often a function of motivation, and so the training must convinceemployees that risk management is important-both to the institution and to the individual.Offer a free, recognized and transportable risk management certification course: This is anexcellent way to motivate employees at all levels to learn the fundamentals of riskmanagement. It can be an internal program, an external certification or a combination ofthe two. Offering certification, regardless of rank or job, will go a long way toward creating
risk awareness at all levels. Best of all, the employees who complete the course and receivethis certification will fully understand the importance of risk management and know what tolook for in terms of risky or fraudulent behavior.Sustained training: The training effort, though containing some mandatory instruction at settime intervals, must be more than an annual or quarterly requirement. Middle and juniormanagement can take part in this without making the time burden onerous. Using a seriesof brief lessons, middle managers can reinforce the message that the danger is real byciting examples taken right from the news that show how people who were not in "risk" jobsmade (or could have made) a difference.Constant reminders: Flash videos, wall posters and junior management talking points canserve as frequent reminders of the importance that the institution places on risk awareness.To gain the proper impact, these reminders could be focused on the consequences of failedrisk management, citing the number of jobs lost and legal penalties incurred. This can do alot to reinforce earlier training showing the dangers of adopting an "everybody is doing it"attitude.3. MonitoringMost of the risk management structure already in place will remain, including the riskmanagers themselves and the technology that measures risk exposure. As recent eventshave demonstrated, merely appointing a risk hierarchy and installing risk managementsoftware is not enough, even if this system is fully understood and obeyed. One of the keybenefits of establishing a risk management climate in which every employee acts as a riskmanager is the exponential increase in monitoring performed by the extra sets of trainedeyes.4. Corrective ActionAll the rules, managers and software in the world will not create an effective riskmanagement system if that system has no teeth. One sure-fire way to ruin a riskmanagement system (and destroy the effectiveness of risk managers) is to toleraterepeated violations. Punishing violations is not always easy, particularly when the offendingparty is perceived as a star or rainmaker, but allowing these transgressions to continuebrings the entire system into question. Corrective action can range from re-training totermination, but it must take place and the reality of its presence must be understood byemployees at all levels.Vincent H. ONeil was employed as a risk analyst for FleetBoston Financial and Bank ofAmerica for seven years. A West Point graduate, he has been involved in risk managementfor most of his working life and is now a full-time novelist.