Effective technology is an essential tool of the risk manager, but companies must also have a robust culture that values human judgement. This was the key message from Richard Thornburgh, Securities Industry Association chairman and chief risk officer for Credit Suisse Group, during his speech to the SIA's annual Technology Management Conference.
This year's conference theme, "Balancing Innovation With Compliance," could not be more appropriate for a conference focused on technology management. And it is also very relevant for risk managers, who must be effective in responding to change while complying with many significant regulatory reforms.
The discipline of risk management has become increasingly important and more complex. Among the factors driving this trend are:
- The rapid pace of innovation in financial engineering and the markets;
- Such major regulatory changes as BASEL II; and,
- The geopolitical uncertainties caused by terrorism.
As the Chief Risk Officer of the Credit Suisse Group for the past 18 months – and through my seat on the group management committee for the last eight years -- it is clear to me that effective technology and good judgment are essential tools of the risk manager.
At the same time, however, I'm convinced that it is even more important to have a robust culture of risk management within an organization.
Without a culture that emphasizes the value of comprehensive risk analysis in making strategic business decisions, the best tools that technology has to offer -- even combined with sound analytical judgment -- are bound to fall short of the goal of successful risk management. The corporate culture needs to recognize that risk management directly affects the ability of a financial institution to prosper and benefit its clients.
In short, risk management helps a firm to be more competitive in the marketplace. High-performing management teams understand and embrace the fact that risk management enhances their effectiveness by showing them where the potential opportunities and risks lie when certain market conditions prevail.
By carefully assessing market conditions, the firm's capital, and the potential value of financial instruments, a firm can maximize its investment returns. By controlling risks, institutions do not just limit their losses. They also gain greater productivity and improve the quality of their services. I believe that by doing this consistently, day in and day out, risk management can bolster the investing public's trust and confidence in our capital markets.
The importance of risk management has increased significantly over time.
We estimate the cumulative dollar value of operational risk management failures to be nearly $25 billion through the end of 2003. That includes losses from rogue trading, business interruption, fraud, and failures in execution, delivery, and process management. It also includes the front-page events that we've seen over the past two decades.
While such failures obviously can have large financial consequences, they can also can lead to even greater costs -- such as the loss of investor confidence in a company, its products and services, or its leadership. Ineffective risk management can destroy a company, and in the process inflict tremendous damage on the world's financial markets.
I want to turn now to elaborating on why the task of managing risks is becoming increasingly complex.
One reason is the increasingly strong linkages among capital markets around the world:
- Fourteen percent of the equities held by U.S. investors are in foreign markets.
- Total holdings of U.S. securities by foreign investors is almost $5.1 trillion.
- Last year, the value of U.S. investors' net transactions in foreign securities was nearly $44.6 billion; for foreign investors dealing in U.S. securities, it was $745 billion.
Our clients, too, rely increasingly on foreign markets. As a result, they have a greater need for sophisticated financial instruments that take into account foreign currency fluctuations, interest-rate differentials, and compliance with different tax codes and regulatory regimes.
A second reason why risk management is growing in complexity is financial engineering. Today, some of the most creative people in the world spend their working hours designing new strategies to help financial institutions separate, distribute, and hedge risks. As their solutions become more complex, approaches to controlling risk require greater sophistication.
A third factor affecting risk management is the changing nature of regulatory requirements. The BASEL II capital accord is having a major impact on global financial institutions. Its purpose: to better align regulatory capital with the economic risk profile of internationally active financial organizations.
To provide these dealers and banks with incentives to better measure and manage their risks, BASEL II introduces a meaningful recalculation of regulatory capital. The expectation is that BASEL II will result in a higher level of transparency and more sound risk management practices and techniques.
Finally, terrorism is a geopolitical reality that has changed the scope of operational risk assessment. Firms are meeting the risk challenges posed by terrorist threats with more elaborate business continuity planning.
Needless to say, we can expect that the discipline, tools, and methodology of risk management will continue to evolve as a result of globalization, client demands, marketplace improvements, regulatory reforms, and political realities.
The increase in complexity of risk management and the growing importance of doing it well have resulted in a sharp growth in I.T. expenditures.
- Financial insights, a consulting firm is forecasting nine-percent annual growth in risk management I.T. investments in North America between 2004 and 2009.
- That is nearly double the rate of growth for overall I.T. expenditures.
I should note that the cost of implementation of BASEL II for the Credit Suisse Group is estimated to be in excess of $100 million and current dedicated staff at C.S.F.B. for implementation is 90 plus F.T.E. (full-time equivalent).
By 2009, 45 percent of the risk-related I.T. expenditures will be for credit risks, according to financial insights.
- Twenty-Eight percent will be for data architecture.
- The remaining expenditures will be split among market risk assessments; anti-money laundering efforts, and operational risk analysis.
Since risk managers rely heavily on technology, they confront the typical roadblocks faced by any technology-dependent organization. They struggle with system capacity; with choosing, obtaining, and using the appropriate data; with avoiding obsolescence; and, with integrating technology efficiently and effectively throughout their organization.
In addition, there are technology barriers that are unique to risk management.
- Ernst & Young surveyed risk managers in 2001 and found the lack of an organization-wide consistency in risk-assessment methodology to be the greatest barrier.
- Other obstacles included: the lack of an early warning system linking financial and risk data; unclear definitions of risk tolerance and limits; and the inadequate integration of risk management into core business processes.
As the technology used in risk management has evolved, so, too, has the discipline of risk management itself.
- First, we've seen a convergence in risk measures used to assess a variety of risks, including strategic, market, business, and operational risks.
- Second, we have seen progress by the regulators in encouraging banks to use in-house models to determine their capital needs.
- These trends have evolved into an approach called "economic risk capital."
Economic risk capital – or ERC – represents the emerging best practice for measuring and reporting all kinds of risk across a financial organization.
It is called "economic" capital, because it measures risk in terms of economic realities, rather than potentially misleading regulatory or accounting rules. And it is "capital," because part of the measurement process involves converting a risk distribution into the amount of capital that is required to support that risk, in line with the institution's target financial strength (for example, credit rating).
While some risk components can be calculated with more certainty than others, ERC can be applied in principle to almost all types of risk, and to any business line. Economic capital, therefore, provides management with a standardized unit for decision-making. ERC offers a common reference point within a firm for identifying and pricing risk.
At the Credit Suisse Group, our decision-making process is decentralized among the various management divisions. We are organized in this manner because we believe it is important for risk-management decisions to be made as close to the clients and markets as possible.
To be sure, this structure creates a challenge for us: how to manage the potential for conflict between a decentralized decision-making process and the need for a firm-wide assessment of risk exposure.
Our solution lies in an approach that requires all divisions to use the same framework, principles, terminology, and measures. This enables us to combine the individual risk profiles into one comprehensive picture. We also have in place the appropriate group-wide risk limits, approval procedures, and discussion forums to ensure that the individual risk analyses by the divisions are effectively melded together.
In summary, while effective technology is an indispensable tool of risk management, it is insufficient by itself. Companies must have a robust risk culture. That means embedding the risk-management function into their core business processes. It means that risk managers must be partners in risk-return discussions. And, it means that companies must place a high value on both the ability to operate sophisticated I.T. Systems and the business judgment needed for sound business practices.
Nonetheless, it is clear that technology has a critical role to play in our industry – a role that is bound to continue to expand. Like any tool, technology doesn't work by itself but needs to be wielded with practiced skill and astute planning to reach meaningful goals.
Looking forward, the process of globalization is going to continue, and with it, the stakes involved in risk management will grow. Financial instruments will continue to push the boundaries of complexity. Disruptive events will occur, and regulatory structures will evolve. All of these developments will increase the technological demands on the securities industry – and all of you in this room will continue to be on the front lines of developing and managing our industry's effective response.