Thousands of reports are produced and distributed to hundreds of people who don’t know what they’re supposed to do with them

Over the past 20 years, everyone in the finance industry, and especially investment banks, has invested large amounts of money building extremely sophisticated risk-management systems and techniques. Of course, they were encouraged to do this by regulators who are responsible for defining risk management guidelines to be implemented at the company level.

But a much bigger influence was their own internal control and audit departments, driven by the widespread leitmotiv: let’s protect the company from any risk, measure everything, any sensitivity to any risk factor - and put limits on all indicators in order to cover all risk areas. And while we are on the subject of indicators and limits, throw in reports, limit-breach notifications and closures, statistics, limit modifications, consumptions, calibration, and so on, and so on.

Risk management departments have become data producers and procedure performers as all controls, naturally, have to be carried out on a daily basis; thousands of reports are produced each day and distributed to hundreds of people who don’t even know what they’re supposed to do with them.

Most of the time, everything goes straight into the bin. At the same time, risk managers are so focused on producing all these reports on time, explaining figures and reviewing and calibrating hundreds of limits that, step by step, they become completely disconnected from what is really happening on their trading books or in the portfolios, and cannot even identify actual risk areas.

Then, in 2008, the big one occurred. Most investment banks and some investment companies faced serious problems. Some even collapsed and everybody was very surprised. Everything was supposed to be covered by the hundreds of thousands of risk reports and regulatory reports produced by every firm in the world.

Had something gone wrong? No, nothing had gone wrong. Not in risk management, at any rate, as all the reports were perfect. No: the crisis happened because a new risk - liquidity risk - suddenly appeared in 2008.

The industry reacted immediately across the board: let’s develop new indicators, new stress tests, change the VaR models, produce new reports, build new systems, hire new people, spend more money, and so on. And that’s it, we’ve done the job, liquidity is monitored on a daily basis, everybody’s happy; it won’t happen again.

Quite right, it won’t happen again - in the same way. And that’s clearly the problem of most risk management tools and infrastructure commonly in place: it is all based on historical data, on the assumption that if our organisation or portfolios have weathered the storms of the past then they will be secure in the future as well.

Investment firms were a bit late in setting up such highly developed “risk factories” but they are currently speeding up the process, once again encouraged by regulators and even more so by their own internal auditors and controls. They are developing the same kind of tools and techniques as investment banks, thereby creating mass-produced risk reports, crammed with various indicators and limits that are distributed throughout the organisation and quickly end up in the bin.

Autumn 2012: the 2008 crisis is behind us but we are still in the middle of the euro-zone crisis and again many financial institutions are being badly hit. They are losing money on activities that were not meant to be risky, despite an extremely sophisticated risk management framework that was supposed to ward off any kind of crisis.

This leads us to a very simple conclusion: risk management has to be reinvented. Not that we have to get rid of everything we’ve been doing for years. Clearly, it makes sense to learn from the historical data, and it is extremely important to adopt and monitor all measures required by regulators. But in everyday practice, risk management needs to move from quantity to quality, from an historical to a prospective bias and ultimately from a control to an advisory capacity. As risk management in many organisations is considered a brake on a company’s development, this is definitely not going to be an easy task.

The first goal would be to define the role of risk management within the firm aside, of course, from its regulatory position.

The definition seems quite simple: its role is to guarantee that the firm runs its businesses smoothly to fit everyone’s requirements - from the firm and its senior management, to its clients and, of course, the regulators. As a result, risk management has to become an integral part of a company’s development and should be involved almost right from the start in any new product or project. That is the only way to set up the proper risk framework adapted to everyone’s needs and on which everyone agrees. Then control becomes evidence.

In organisational terms, it goes without saying that independence is crucial. No-one today disputes this. There is also no need to have so many risk managers producing piles of reports; production should be automated as much as possible, but with a few high-level professionals who have the time and ability to identify sources of risk, signs of potential risk realisation, and hypothetical situations that could become fact. These professionals must also have the legitimacy within the company to be able to warn traders, investment managers and even executive managers of any risky situation.

This type of organisation should lead to a limited number of risk indicators, adapted to each specific portfolio or activity, that would be referred to as the key risk indicators. These should be used to monitor the firm’s activity and, ultimately, the company itself.

But, above all, the worst enemy of risk management is inertia and automatism. As an illustration, automatism means systematically applying the following rule: as soon as a portfolio is sensitive to a factor, one has to develop an indicator and establish a limit, whatever the sensitivity to this factor is. Inertia would mean keeping the indicator and its limit almost unchanged over a long time and being quite happy with it.

To avoid this, risk managers should focus on the factors that really have an impact on the portfolio at a given time and create a monitoring environment for them. But, at the same time, they should ask themselves: is the analysis I performed yesterday still valid and is my risk management framework still appropriate? The firm should never take its risk-management system and frameworks for granted; this is definitely an area that should be permanently under review and challenged by those who are a part of it but also by those who are using it or subject to its control.

This applies, of course, to all relevant departments as well as top management. But clients, especially clients of investment firms, should also involve themselves in this approach and take the initiative to challenge and question the risk frameworks their providers have set up, because they are the only guarantee that their money will be properly managed.

In conclusion, over the past two decades risk management has become a key function within most financial institutions; a risk department’s legitimacy is no longer challenged but its role and thus its organisation and responsibilities definitely need to be reinvented. The sooner this happens, the better.