Process & Progress in Risk Management

Presented by Anthony M. Santomero, President
Federal Reserve Bank of Philadelphia

BAI - Treasury, Investment, ALM and Risk Management Conference
New York, New York
October 28, 2002


As many of you may know, risk management is a topic close to my heart and my career as an academic, consultant, and now policymaker. For more than 25 years, I have written and worked extensively in the realm of financial risk and risk management in banking. More than once over this period my path has crossed the broad agenda of the BAI in this important area. Indeed, I was part of the advisory group that developed the Certified Risk Professional designation offered by BAI. And I still maintain my own risk manager certification to this day. So, in short, it is a pleasure to be here.

Today’s appearance is a repeat performance for me on this topic at a national BAI conference. In March of ’96, I addressed your annual convention in Orlando on the state of risk management. At that time, I was hard at work on a “best practices” study, financed by the Sloan Foundation and conducted under the auspices of the Wharton Financial Institutions Center. Today’s talk is an excellent opportunity for me to reflect on the advances that the financial services industry has made since then, as well as the challenges that we still face.

But before I recount our journey, it is important to point out a subtle but substantive change that has occurred in this area since I began my study of risk management in the financial service sector. Now, both industry and regulators recognize that we share a vision and vested interest in enhancing the industry’s risk management strategies. As a result, a joint effort is taking place to raise risk management standards for the entire industry. As I will note in a few minutes, this is both a major advance and a substantial improvement for the industry and its regulation.

In my remarks this morning, I will emphasize three main points:

  • One, over our recent past, the practice of risk management has evolved as its own separate and distinct discipline.
  • Two, as this evolution has taken place, the financial industry has worked to improve risk management techniques, and regulators have indicated an increased commitment to risk focused examinations.
  • Three, as the industry evolves, risk management systems will need to improve even further and become a greater part of firms' decision-making process. In fact, an emphasis on risk management capability will be an increasing part of the supervisory process.

I will also look at what is needed to be successful in the effort to raise risk management standards. But before we embark on the future of risk management, let's look at where we have been.

Progress since my 1996 report

When I last addressed this audience, I talked about the then current best practices in risk management - what institutions were actually doing, and what had yet to be done. At the time, the industry had finally reconciled itself to the fact that banking is an inherently risky business. Institutions had gone from trying to avoid risk to developing techniques to manage different types of risk, with credit risk and market risk taking center stage. In each case, the risk was being identified and quantified.

For the most part, credit risk concerns centered on newly discovered concentrations. And the growing threat of volatility here and abroad led to new developments to measure and limit trading risk. In fact, it could be argued that industry interest in risk management as a profession developed almost by accident. While efforts were already underway to formalize the activity, the practice really received industry buy-in only when everyone realized the mistakes of the past — over-concentrations in credit and excessive trading risk levels.

Back then, lip service was given to operational risk too, but little analytical work had been done on the subject. Less quantifiable risks, such as reputation, regulatory, or strategic risk, were managed less formally or simply ignored. CEOs had these issues on their radar screens, but virtually no substantive analysis existed.

Risk aggregation was seen as a major issue for the industry; there was a clearly perceived need to install an organizational structure to oversee risk management at the firm level. But this was a new and controversial concept. The title 'risk czar' was being floated, but not everyone was sure where this function fit into the organizational structure. In fact, different organizations had different solutions to the management of firm-level risk.

Since then, much has been accomplished. Risk management has become an increasingly prevalent - and accepted - industry discipline. Firms have rushed to develop systems and install processes to manage the risks that are an inevitable part of the financial landscape. Firms now understand that risks of various types, embedded throughout their portfolios, must be managed both carefully and rigorously. Collectively, they impose an aggregate level of risk that can threaten the very solvency of the firm.

Now, risk assessment is a standard part of every deal, every strategic discussion, and every financial review. Firms recognize all risks are ultimately related and strive to focus their efforts on total enterprise risk. Moreover, a clear role for the firm-level risk manager has emerged. We have come a long way. Risk management systems have been developed and implemented as firms forged a new risk-management culture. And the result, at least in part, has been a decade of high earnings and overall stability in the banking industry.

In fact, the last decade can be distinguished by what did not happen, rather than what did. Volatile markets did not lead to the spectacular losses of past cycles. The Asian crisis left trading firms relatively unscathed. The technology industry bubble brought down no major financial institutions, and resulted in manageable credit losses. And profits, capitalization, and solvency ratios improved throughout the industry - despite the recent recession and a series of extraordinary domestic and international events.

In short, the past decade has proven the increased ability of the industry to manage risk and has demonstrated the benefits of substantially improved risk management capacity.

This has not been lost on regulators, who themselves have embraced the new discipline of risk management. The results of regulators' efforts are also evident. By the mid-90s, regulators had made the very practical move to risk-based examinations rather than just looking at point-in-time balance sheets and financial ratios.

Interestingly, as the financial system became more complex, regulators encouraged more private sector innovation, in the belief that markets are quite efficient at sorting out their own best practices. The Fed's own philosophy is that flexible yet watchful supervision, complemented by market discipline, is the best approach to ensure a safe and stable financial system.

Yet, more needed to be done on the regulatory front and still does. As you all know, as the industry's approach to risk management became more sophisticated, so did its systems and business practices. Early in this process regulation had to play catch-up. For example, capital arbitrage became a common practice, and this led regulators to reassess the very foundation of the capital regulation framework instituted in the late 1980s.

The once-innovative regulatory regime established with the Basel Accord concentrated exclusively on credit risk but had only a handful of risk categories and totally ignored both trading and interest rate risk, as well as correlations across risk categories. Changes in the intervening decade attempted to retrofit the regulations by adding trading risk and interest risk considerations to the standards. But the results were never fully satisfactory. The outcome was both regulatory arbitrage and avoidance. In time, it became clear that Basel I had become obsolete. Regulation had fallen behind, and it was time for something new.

Basel II

The Basel Accord's shortcomings prompted the BIS to revamp and update international capital regulation in the living document known as Basel II. In general terms, the goal of this effort is to update the earlier model of risk-related capital regulation in light of current market instruments and modern financial techniques.

Nonetheless, Basel II should be seen as quite distinct from predecessor regulations in at least one important respect. It is an effort to engage both the industry and the regulators in using advanced risk management techniques. This shows through in two important ways. First, whereas Basel I focused only on regulatory capital adequacy, Basel II gives equal consideration to minimum capital ratios, supervisory review, and market discipline. Second, substantial effort has been made to incorporate the risk management practices that firms actually use into the process and to increase the risk sensitivity of the minimum capital requirements.

While a considerable advance, Basel II has its critics. One common complaint is that the current proposal is too complex. Is it complex? Yes. However, the complexity reflects the underlying complexity of risk and risk management in modern banking institutions. Is it doable? I believe so. In fact, by proposing the use of a bank's own risk management system in the advanced internal risk based (or IRB) approach, Basel II engages the banking industry's risk management community in the determination of appropriate bank risk levels and regulatory capital ratios.

In its present form, the advanced IRB approach is designed to employ the advanced risk management systems that banks have in place for day-to-day operations in the determination of capital adequacy. Regulators will need to certify that the bank's systems are up to the task, and in many cases, this may require substantial improvement of the systems. However, the approach is one where banking firms and regulators will need to work together to improve the existing best practices in the industry. It is important to recognize that just as Basel I became obsolete, Basel II will not be the final word on risk management regulation. But it is a step forward in that its structure works to encourage the industry and regulators toward better risk management practices. In this way, the industry itself can lead in the evolution of risk management - as ultimately it should.

Some critics of Basel II feel that it crosses the line and makes bank regulators into bank managers. This is not our intention, and we recognize this is a potential danger that needs to be avoided. In addition, some bankers question whether regulators have the expertise to properly assess banks' systems. This is a legitimate concern, and it highlights the necessity of regulators everywhere to intensify their efforts in the areas of appropriate staff development and training.

While these are potential problems, we cannot gain the benefits of incorporating banks' internal risk management practices into regulatory capital unless regulators conduct appropriate analysis to ensure the adequacy of industry practice. Without sufficient supervisory review, it would simply be imprudent to defer to internal ratings for appropriate oversight of industry risk levels.

The banking industry is littered with firms that confidently talked the talk of safety and soundness but fell flat when it came to walking the walk. As regulators we need the assurance that risk management systems are in fact advanced in both theory and practice. This assurance can come only from supervisors' gaining first-hand knowledge of bank operations.

To illustrate this point, let me tell you about an experience I had during my days as a risk management consultant. I visited a major financial institution in New York to assess its approach to trading risk. The CEO assured me that the bank had a highly sophisticated VAR risk management system already in place. The CFO said they had just implemented it. The head of trading said they were about to implement it. And the traders - well, they'd never heard of it.

So, in this case, senior management thought that it had an advanced trading risk management system in place and everything was under control. But the facts were that the organization had its traders taking million-dollar positions with few controls in place. You can see why regulators might get nervous.


As we advance to the future of risk management, the most important thing to keep in mind is that Basel II sets the stage for a joint effort and further advances in the science and art of risk management. Basel II sets the right incentives for the industry to continue to seek advances in risk management and for regulators to continue to improve their skills in assessing the adequacy of risk management systems in use. Together, industry leaders and regulators can work to raise the standards of risk management for the industry.

The next stage in this process is already at hand with the third round of quantitative impact studies, the so-called QIS 3. On the international level, a regulatory Accord Implementation Group has been formed to assure the industry that common approaches and a level playing field will emerge from the implementation process scheduled for the end of 2006 for internationally active banks.

The special and unique element of Basel II is that it allows for an internal risk based approach. The best banks will be able to step forward and define best practices for the industry. While earlier methods dictated across-the-board regulation, now regulators are looking to the industry for valid approaches and new insights. Perhaps under Basel II, bankers and regulators will build the true relationship of trust and understanding that did not emerge under Basel I.

As a central bank responsible for the financial integrity of the financial system, the Federal Reserve sees the development of adequate risk management systems as an important part of its balanced approach to bank supervision. As such, evaluating a bank's ability to establish an appropriate risk management regime in the bank's culture has become a more important part of the bank regulation and supervision process.

That's why I urge you, as industry leaders, to keep pushing the analytics further, both to improve the discipline and to assure regulators that you know how to run an internal risk based system. Keep reaching higher, improving and enhancing your risk management systems.

To many in this audience, the challenges still facing us as bankers, regulators, and risk managers are well known. Everyone in this audience probably has his or her own list of projects that warrant industry attention. This is just part of the evolution of risk management.

Let me offer you my list, for what it is worth. On credit risk, while techniques have improved, much work still needs to be done on consistency, transparency of process, and the timeliness of review.

On the commercial loan side, data on actual outcomes are still too scarce. On the retail side, many of the risk models are largely proprietary and of unknown reliability. The recent controversy surrounding the regulators' approach to retail risk quantification speaks more to the lack of a consensus on a standard approach to retail risk management than anything else.

On the market risk side, many questions still require ongoing investigation and continual monitoring. The robustness of the models and systems continues to be questioned. Market valuations of complex instruments are subject to debate - perhaps now more than ever. And the estimated correlations across markets seem to change too frequently to provide a useful guide for risk-management purposes.

On operational risk, we have even less knowledge and capability, even though contingency issues seem to loom larger now than ever before. Basel II has included operational risk in pillar one but permits an advanced management approach to the setting of an appropriate capital level. Yet, little work has been done on measuring operational risk systematically, and insufficient public data exist to test the validity of different approaches.

However, perhaps the greatest challenge is the issue of appropriate risk aggregation. Whether it is the correlation of risks within product lines or across them, this is one area of significant disagreement. This was an open issue when I last addressed a national BAI audience, and it is still the subject of much discussion and debate.

As we know, risk aggregation presents a fundamental problem. What is the correlation across different credit exposures? How can we aggregate different types of risk to measure the firm's total exposure? What is the correlation across different types of risk? How can we add up the risks associated with September 11th, WorldCom, Argentina, and retail loan losses? Quantifying divergent risks and reaching some logical conclusion have proven to be a daunting task. We don't have all the answers yet, which is why we had better keep working.

But risk aggregation isn't the only open issue. We also need to figure out how to allocate capital within the firm to create incentive schemes that foster appropriate risk attitudes. And we need to address the pro-cyclicality of risk and any risk-based capital allocation system. This last issue remains a challenge. Exactly how stable should capital allocation algorithms be over a business cycle? And, does the answer to this question differ at the firm level and at the regulatory level? Another open issue is how organizations should be structured to reflect risk management priorities.

These are complex issues, and they raise questions we are still trying to answer. All of this suggests the status quo will not be good enough for tomorrow - indeed, it is probably not good enough for today. But, as risk managers, you know it never is.

Basel II, while a significant improvement, is just a step in an industry-wide movement toward better and more effective risk management. This is where the joint effort of industry leaders and regulators is invaluable. We must work together to make our best practices even better. It will take a lot of innovation and leadership from the industry. It will also take a lot of flexibility and direction from regulators.

Basel II sets a deadline of 2006 for implementation of adequate risk management systems, as I mentioned earlier. Meeting that deadline will require the same effort and speed of scientific advance that we have seen thus far. And it is imperative that risk management systems improve and become an even greater part of bank management's decision process. Indeed, the industry has already become more mindful of the new regulatory guidelines - guidelines that hold the industry and its systems to a higher standard. But improvement in risk management practices is not just imperative because of regulatory mandate, it is a necessary component of good banking in a world of increasing complexity and evolution of the financial services industry.


In summation, the financial sector has come a long way in its risk management efforts. From the early days of simple ratios or simply risk avoidance, risk management has evolved into a complex, dynamic discipline of its own.

Basel II offers an unusual opportunity for banking issues to be resolved by those who will live with the result on a daily basis - the bankers. It makes sense, and I believe it will be very effective. You, as bankers, know what is best for your banks. You will have the principal responsibility for setting your own course.

But there is more at stake here than the profitability and health of any single institution. The integrity and stability of the financial system is critical to the health of our economy. So, banks must be prepared to defend their own assessments and procedures to their regulators and the market. If you are using the internal ratings based approach, be prepared to provide concrete evidence and support for your systems. Regulators will expect it. I believe you have the capability to successfully innovate and restructure to meet the requirements of this new, more rigorous environment.

Banks and regulators should and will continue to work together to ensure risk management processes are sufficiently robust and ultimately effective. We can take pride in the fact that we have already done so much. Yet, we have much work ahead of us. It will not be easy, and it will not be completed overnight. I know that, as professionals, you are all capable. For you are more than just bank managers; you are truly risk managers.