In December, I attended the Amsterdam RiskMinds Conference, which highlighted current priorities of Chief Risk Officers [CROs] and risk professionals. Having reflected over Christmas sherry and Mariah Carey New Year PR disasters, I consider 7 key CRO and risk priorities.

Do you agree ? Post your comments below.

i) Be “Chief Worrier”

The modern Chief Risk Officer was beautifully characterized by Bank of America Merrill Lynch’s Geoffrey Greener, a CRO who has travelled from the “dark side” of hedge fund proprietary trading to the comparative “light” of risk management. He services his “much simpler” organization, by being his customer's Chief Risk Officer or “Chief Worrier”.

An EMEA CRO, pointing to her Financial Conduct Authority personal liability, reiterated the point: “I worry about that 3am call, with a London Whale thing.”

ii) Learn about Cybersecurity

Cybersecurity was the conference future risk scenario of choice, but details of measuring it and bank mitigation were vague. A benevolent hacker, Robert Pritchard of www.thecybersecurityexpert.com, demonstrated a simple live hack of our hotel wifi, suggesting with a clever phishing email he could access our innermost files. Scary stuff.

One large bank Chief Technical Officer suggested human errors were more troublesome. “I see an instance every two weeks where someone pushes the wrong button or presses return and gets a wrong answer…… I have very rarely seen malicious error in comparison.”  

iii) Improve Model Risk and Governance

As one Credit Suisse modeller noted, models are perceived “as a threat” and “regulatory liability” post-2007. Some aspired to good reliable model-building, model management and “model governance”, but highlighted the dearth of identified industry model “standards”. Regulators guide but rarely specify, for example the Federal Reserve’s SR11-7 2011 edict, highlighting a need for a model risk management process attributing the financial crisis in part to model failures. Such themes are reiterated in other acronym-heavy regulations, e.g. EBA SREP CP/2014/14, TRIM (“Targeted Review of Internal Models”), RTS2016/03 (which encapsulates the "3 lines of defence"), and the November 2016 Bank of England Stress Test Results. They elevate the importance of model governance, to be more in line with established data governance in BCBS239 and Solvency II. 

In response, one Head of Regulatory Risk noted his organization's post-crisis inventory of 600 "important" models. In his case, managers gathered to ascertain their 65 "top 50" models, and overlay consistent design, build and review processes.

This is good, but our industry continues to lag others in “risk-aware” model governance as I and others have discussed elsewhere. I would also add the industry – perhaps less so in Risk departments - is adding further risk by wrapping complex layers of unsourced, unmaintained and legally questionable languages and applications, around systems which should strive for greater simplicity. Financial risk management can and should lead the industry in this regard. 

iv) Challenge Models

Many highlighted the importance of model review, or as some presenters termed it, challenger modelling. Regulations are more baked here, with CCAR promoting “benchmark or challenger models”, and SR11-7 favouring “benchmarking”. The Bank of England PRA, presenting their 2017 stress test framework at the conference, pinpointed model review and challenge as processes needing improvement, but they were preaching to the converted for the most part.

Some suggested challenger models could incorporate machine learning, perhaps too black box for current frontline regulatory calculations, but interesting for validation and potentially improving accuracy.

If I “benchmark” against other industries, I fear the financial services industry lacks an understanding of software verification – that the software – as opposed to the model – delivers true output. The aerospace industry boasts regulations such as DO178C which go far beyond anything in financial services.

v) Play Technology Buzzword Bingo

Tech jargon circulated the conference like Ryanair planes above Stansted Airport. We discussed at length big data, data science, machine learning, deep learning, FinTech, RegTech, distributed ledger, digitalization & automation.

BitCoin was deemed bad, BlockChain good; big data was deemed necessary and unnecessary. Data science was exciting yet dangerous, profitable for some, a timesink for others. Automation and digitalization was unstoppable, a Canadian CRO stating “we need to do digital to stay relevant”. His organization applied parallel “legacy” and “sidebank” infrastructures to their technology stacks, ensuring someone from his Risk Team participates in every “scrum”. Automation-inspired job cuts were taboo, though at least two Big 5 consultancies evangelized automated nirvanas practically devoid of people, except for their consultants and a couple of project managers.

Machine learning offered “considerable opportunities for automation” as one European CRO noted, but in keeping with the conference zeitgeist, a modeller warned “you say machine learning; I say overfitting.” One start-up CEO succinctly offered a third way: “On machine learning, you can’t see into the black box so it’s a trade-off between a model I can understand and another which may have better coefficients. Yes, overfitting is a big problem, but it is useful for fraud management.”

vi) Apply Heuristics in the Tail

The conference considered external guidance on the use, over-use and poor communication of statistics, an obfuscation of “common sense” by so-called “experts”. Author Nicholas Nassim Taleb noted “Your Grandmother’s Intuition about Tail Risk is Usually Right”, and he and Gerd Gigerenzer of the Max Planck Institute criticised the un-worldly assumptions of Markowitz mean-variance strategies, noting that a strategy of equal distribution of investments across funds (1/N) was more impactful in Markowitz’s own retirement.

Later model-centric sessions looked a little awkward after Taleb’s and Gigerenzer’s evangelism, but most accommodated their overall message. HSBC’s Head of Global Risk Strategy knocked me for six when discussing his organization’s stress testing strategy, saying it was “important to have historians, geographers and political scientists alongside the mathematicians in formulating scenarios.” As a Geographer, I am at last commercially useful. 

vii) Expand Operational Risk

Many presenters suggested the next crisis would likely come from an operational risk type event, something that comes from the world of uncertainty rather than that of quantifiable risk. Yet as Marco Folpmers summarised well, credit risk exposure was the dominant risk exposure in the EBA stress tests (83% of total risk exposure), but the next big crisis will likely not come from a credit event.

Furthermore, The Basel Committee has proposed retraction of its (Advanced Measurement Approach (AMA) to operational risk, preferring “Standardized Measurement Approach” (SMA). To be sure, AMA was perhaps too deterministic in its assessment of the tail, but to reduce the focus of analysis seems counterintuitive. Still, many banks professed to expanding their operational risk systems, because they incorporate the most concerning new risk categories (compliance, fraud, cyber, etc).

Concluding Comments

Being a CRO looks to be tough. You need a broad focus and must trust your specialists for specifics. Mitigating risk in the face of political change, economic instability, technological revolution and potentially environmental change is a challenge, but as one Head of Global Risk noted “it’s times like this that risk managers are made....”