This blog post originally appeared on TabbFORUM.
Risk can and should be seen as the core of a financial institution. The management of risk has become an industry in itself, led in turn by regulatory drivers, technological advancement, trading floor developments and quantitative research. In this blur of evolution, it is easy to lose sight of exactly what is required of the risk department, and it is worth taking a step back to refocus on what is important.
There has always been a risk function. The key to that function is ensuring that the firm takes risks commensurate with the risk objectives as spelled out by the management of that firm, and that there is sufficient liquidity within the organization to withstand those losses that are reasonably foreseeable.
When risk management was primarily concerned with prudence in granting loans and investment diversification, there were challenges – but these were generally well understood, to the extent that many of the quantitative methods used by funds without derivative exposure are more than 30 years old. The use of derivatives, however, introduced the need for a new level of analytics, started as an offshoot of the trading desks themselves, and moving through being a trading strategy to becoming the central plank of the regulatory reporting requirements across the world. These requirements now include:
- VaR (and various VaR derivative measures, such as VaR Shortfall)
- Stress testing
- Tail analysis
- Sensitivity analysis
- Liquidity stress testing
- Potential future exposure
The essence of the risk management function though, remains the same, ensuring that risks are in line with what is now known as the “risk appetite” and that there is sufficient liquid capital available to mitigate losses that will inevitably occur as a result of taking those risks. This is fundamentally a human activity, a fact that can become lost within the overgrown architecture of many modern risk infrastructures. The first step to re-establishing the function as an efficient, people-led one is to understand how badly planned technological deployments hamper that intention.
The key barriers to risk efficiency are:
- Too many disparate data sources leading to risk analysts spending much of their time ensuring that various systems have produced results and aggregating those results (a process that in itself often leads to significant loss of accuracy).
- Black-box processes make the validation of the risk results difficult to check. This is a particularly thorny issue, as results indicating no issues do not attract the same level of attention as results pointing to potential breaches of risk limits. Given the potential impact to the business, these investigations are conducted in pressurized situations.
- Regulatory reporting has increased in response to the crises that have hit the financial world, from Barings collapse to the recent credit crunch. As regulators seek to protect the system from individual firm failure, the amount of time spent complying with the rules has risen exponentially.
The dichotomy is that the need for technology has never been greater. The power and speed available now should enable risk systems that allow risk management to view, analyze, understand and communicate risk profiles in a way that promotes their function far above regulatory compliance and (back) into trading and portfolio strategy. To achieve this, the technological stack must enable certain core capabilities.
- Processes that can be automated should be both automated and subject to audit and reporting – manual aggregation leads directly to operational risk. Communication systems and protocols now exist that enable almost any systems to speak to each other, with reporting and feedback available. As long as reporting on these systems exist and are available as standard daily outputs, there should be little to no human involvement in data aggregation.
- Risk reporting should allow for “deep dive” investigation of the risk profile by risk analysts – this should be one of the core activities of the department and should allow sources of risk to be identified, whether those sources are related to the risk-generation process itself…
- Trade representation
- Market data
- Risk methodology
…or actual trading positions affected by:
- Individual, identifiable trades or positions
- Risk factors impacting the portfolio as a whole
- Risk management should be able to communicate both the risk position and the risk appetite across the organization – along with risk investigation; this should be the main activity for the risk department. It is exactly this communication that creates the platform for the chief risk officer and the board to determine the risk appetite itself, and to express that appetite in the terms and language of the risk reporting. It is equally important that the risk takers are kept informed of the same risk positioning in order that they use the risk system and its results as a critical input into decision making.
- Risk management needs the ability to make trade corrections on an intraday basis. In order to achieve the level of credibility required for risk to become a strategic tool, when errors in the input data are discovered, they must be corrected and the risk made accurate. The correction capacity for the risk analysts has to be built, in a compliant way, into the risk architecture.
The current technology makes the above possible, with the recent increases in computation speed, data storage capacity and quantitative sophistication all available to complement online reporting and communication. In short, the technology has finally caught up with the needs of the industry – as long as existing, inefficient infrastructure and the regulatory pull on resources allow for what is available to be deployed intelligently across the organization.
Risk management, as a central financial function, has never enjoyed as high a profile as it does at the moment, but it also has never had the barrage of issue to deal with simultaneously. As long as the technical designers remember that the technology must empower the human activity that is risk management, then the outcome can and should be truly effective and credible risk structures acting as the nervous systems of the firms they exist within.