7 Chief Risk Officer Priorities for 2018

Last January I posted 7 Chief Risk Officer Priorities for 2017, based in part on the preceding December’s RiskMinds Conference in Amsterdam, a conference highlighting the worries and interests of Chief Risk Officers and their risk managers. A lot can happen in a year, so I have repeated the exercise. Some topics have carried over such as model governance. Others have evolved such as machine learning and blockchain, while some have taken greater precedence than we might have anticipated last year, for example the “risk management of economics”.

Let’s start at the top, with the bosses. 

i)                    “Am I the right sort of CRO ?”

Well, this was a surprise. As one CRO put it with a strong wholesale credit risk and market risk background, “Most CROs come out of Credit Risk, but risks are no longer all credit. Are the right people in charge?” With emerging non-financial risks, such as cyber, conduct and fraud, there was a feeling that CROs should draw on more diverse backgrounds than is currently the case.  

ii)                   Cybersecurity

Cybersecurity was discussed a lot. I learnt to hack gmail accounts c/o a CRO which I have since applied to good affect to scare my wife and kids. A guest speaker with the brilliant name of Freakyclown told us how he robbed banks. In truth though, cyber sessions were more lightly attended than some of the more traditional topic sessions. Perhaps this more reflected the audience than the topic, but the big popular news was a posse of insurers and reinsurers who offered the bank CROs their services of insuring (and reinsuring) their cyber risks provided they had decent cyber processes in place. It seems they have good experiences elsewhere, for example the telcos. The room practically stood up as one and wholeheartedly cheered !

On being asked what risk banks most overlooked, two members of the visiting insurance posse suggested almost in unison “disgruntled employees.” I know one or two of those.   

iii)                 Model Governance

While the headlines screamed cyber risk, the inside pages discussed “model governance”, or model risk or model management or other similar terms. On the face of it a dull topic, the sessions were popular and rightly so. Models run the world and it is right, given 2007/2008 events, that financial ones be managed and governed well. One leading systemically important financial institution noted their catalog of some 3000 models, with 50 people dedicated to - and another 50 in support of - the ECB’s TRIM [Targeted Review of Internal Models] supervision. The UK’s Prudential Regulation Authority too had, as part of its 2017 Stress Tests, focused on stress test model management, validation and governance. There is progress on all sides, with much credit given to the Federal Reserve’s SR11/7 “grandfather of model risk” guidance. Expect to see more over the coming year on this topic.

While there is progress, I maintain financial services including risk management lag other industries in “risk-aware” model governance. Augmented reporting and executable models passed from developers to validators to auditors to regulators is an eminently achievable goal, while current timescales of years, to submit and have approved (or rejected) model changes, are not ideal. Other stringently regulated industries, e.g. medical, robotics, automotive, cope better, offering more formal “standards” than typically found in financial “frameworks”.

iv)                 Machine Learning

Nothing stimulates risk management debate quite so much as machine learning. On one hand, discussions regale AI “hype” and repeat that teenage cultural mantra that “everyone talks about it, no one does it”. Also, the question is asked again and again whether machine learning methodology output can be reproduced. However, the pro-machine learning champions were assertive this year. As one pro-change CRO put it, “AI/machine learning is real, even on evolving regulations landscapes, through automated decision-making….. People who are afraid [of it] are wrong.” Another noted “an uplift of 25-30% in accuracy, including credit models”.

On the other hand, when it came to machine learning governance. “It could be overwhelming”; “the fact no one is talking about it means they’re not validating these models yet.”

On where machine learning can add most to financial risk, suggestions included market risk: “they’re simply nonlinear regressions”, not nearly so scary as they may appear, and are “as much a black box as a VAR, where the mystery is the data”. Responding to a question on applicability in credit and IFRS9 scenarios, one presenter noted “it’s coming, most obviously in the challenger models” and more generally can be useful in parameter identification when the appropriate parameter is not clear. The use of machine learning technologies for fraud detection is a given.

v)                   The Risk Management of Economics

“Economics is too important to be left to economists” was one of my favourite quotes. I like economists, a lot, but I like risk managers too and I find myself with split loyalties. The premise of this statement was the migration of quantitative risk management away from capital management to increased credit scenario focus with IFRS9 and CECL, while stress testing too continued to grow. Both lean heavily on economic models and “business-as-usual” stress testing now accompanies “traditional” shock-focussed CCAR-type regulatory stress testing. As one Head of Risk Strategy put it, “banks will have to review more economic forecasts and parameters than their own central banks and perhaps even the IMF.” “IFRS9 will shed a light on economists.” Maybe it will be a difficult time to be a macro-economist, the discipline currently also characterized by methodological debates, such as the challenge of rational expectation assumptions from non-equilibrium and behavioural “realities” while alternative simulation and machine learning forecasting techniques gather momentum. However, there are going to be plenty of jobs for econometricians and computational economists.

vi)                 Blockchain and Cryptocurrencies

Like machine learning, Blockchain, BitCoin and others can inspire passions among risk managers. That said, there wasn’t much attention throughout the conference agenda on these technologies: cyber was more in vogue. However, that lack of attention should interest the industry at large. As Bitcoin hit $16000 during the week, cryptocurrencies were considered “just another commodity” by the audience with cryptocurrency scarcity a key driver of volatility. There was Blockchain awareness, but also a feeling we’re still someway from the payment mechanism being mainstream, in part because the “standards”/”API”s helping Blockchains talk to each other are still some way off. However, people weren’t against the idea. Also, for those of us who worry about a cryptocurrency crash having significant economic risk, don’t. Exposure to cryptocurrencies is not too great, yet. Also, they’re not so anonymous as they seem, so quite useful to Governments surveying cryptocurrency transactions of criminals and other miscreants. Sssshhhhh !

vii)               Managing Regulatory Change

In the CRO Panel Session that initiated the conference, much discussion time was given to cyber risks. However, in the corresponding audience vote “managing regulatory change” was deemed the most worrisome risk keepawake. Perhaps this reflected the audience rather than the risk community at large, but equally sometimes unsexy topics like regulatory change perhaps really do just matter. Another curveball in the same survey was the mid-ranking of regulatory favourite credit risk among the problems at hand. As one CRO put it, “my budget allocation, significantly weighted to credit risk, is not reflective of the audience sentiment”. As the conference debated and discussed the Basel III Finalization announcements (what the press calls “Basel IV”), the audience mood was that standardized models were problematic, particularly in areas like counterparty risk, and the regulatory spaghetti of multiple regulators and regulations meant standardized models were limited in their bespoke application.

Conclusion

The mood looking to 2018 is generally positive. Trump, Brexit, China and Korea have not (yet) materialized in significant economic and risk shocks. However, there was a feeling, though only occasionally expressed in public, that we might be at an inflexion point between the era of regulated financial risk being supplanted by non-financial risks, and the traditional stabilizing force offered by risk managers should not evolve into complacency. As one challenger risk strategist noted, “the only constant is change, don’t sit on your laurels, we’re at the end of the Basel era. Open banking, PSD2, digitization, digitization are upon us. Don’t rearrange the deckchairs on the Titanic. Be more like Bruce Willis in Die Hard 4, and work out what the next ‘Big Short’ will be.” I’m on it !