The anger at the Group of Twenty summit that almost took the form of riots in London, captured partially the anger of people whose pensions have been wasted away by bankers claiming to have the best risk management systems.
Most of these banks could rightfully claim to comply with the provisions of the much-vaunted Basel II. While the first Basel accord was set up to equalize the playing field between Japanese and US banks (at that time, US banks were cross that Japanese banks maintained lower levels of capital than them), the Basel II accord was a movement away from mandated stipulations to greater self-governance relying on sophisticated mathematical models based on historical bank data. Regulators felt that banks were better judges of their risk than them, and believed it advisable for banks to share their risk systems transparently with their clients to allow clients to obtain comfort directly about their counterparty risk. Regulators, in a sense, were trying to reduce direct involvement in oversight and specifically in prescribing capital requirements for banks.
I expect that after the current financial crisis, regulatory views on Basel II may change substantially. The financial crisis has exposed the inadequacy of this framework to predict—let alone minimize—risks. Most banks that are suffering were high on compliance with the accord stipulations. It surprises me that for all the controversy on executive compensation and scorn for greed, we have not heard enough people challenging the gaping holes exposed in the “holy grail” of the banks—their risk management systems.
Indian banks have not been scarred by the crisis. Let me provide a four-point framework for how I believe they should think on risk so they never get burnt.
* Existing paradigms stress quantification, measurement and reporting. We must remember that high-quality thermometers have never reduced fever. What is needed is governance, processes and right capabilities in risk managers. Robust quantification is necessary, but nowhere near being sufficient; in fact, over-quantification can actually confound and numb the mind. Elegant math needs to be a servant, not a master, and business intuition should not be allowed to be sacrificed at the altar of correlations and aggregations. Dealing with risk requires experience and judgement.
*Risk comes from not knowing what you are doing, said Berkshire Hathaway chief Warren Buffett. There is a truth in it for risk managers in banks. More comprehensive is not more comprehensible. When complexity of measurement goes beyond human comprehension, risk actually increases. Existing paradigms had started to encourage a false comfort in the sophistication of mathematical models and correlations. Simple metrics make one think more as one needs to interpret them. Models, once created, can make things too simple for those using them unthinkingly! It is confounding that regulators have encouraged the idea that banks can lend on the basis of ratings (that the issuers pay for) of external agencies and also use these ratings as the primary criteria for capital allocation. Bankers need to manage risk by analysing and thinking about risk—that’s their job, and they need to be fully accountable for their view.
* The real role of risk management is to ex ante anticipate what can go wrong and proactively probe suspicious patterns. For this, risk managers need to collect different types of data, develop capabilities to spot weak signals, aggregate them and notice patterns. As business becomes ever more complex, ex post measurement and interpretation does not provide sufficient insights into future perils. Some risk departments that I know spend a lot of time producing reams of paper that eventually are not read by anyone.
*Banks, like any other organization, are social organisms. Rules of social interactions, perceptions of power and propriety determine outcomes and decisions more than rule books and organograms. Risk is no different. Banks often have specialist risk departments that are expected to “police” businesses and escalate disagreement to top management. This is a frail setting. I will any day put my money on the “bread earning” business folks to win every tussle. The odds are staked against the specialist risk managers. They are not in the market and, hence, are not always current. Business is not obliged to share everything—especially information that is the source of competitive advantage and most probably crucial to the deal. Top management—the arbiters—has very little time and, very often, low attention spans. Decision making suffers. Risk needs to be made a partner in decision making, not its policeman. The journey from policeman to partner is not easy, but it is worth the pain. The richness of interaction between risk and business has to be increased. The best business people need to do stints in risk, and vice versa. Performance metrics of risk as well as business will need careful harmony between profit growth and protection. Too narrow a definition of performance accountabilities, accepted as a given, leads to increase in organizational transaction costs and needs to be challenged. We need to recognize the limits of slicing and dicing accountabilities so they don’t become dysfunctional. In a foreign bank that I know, I feel people sometimes spend more time arguing how to split the revenue from a deal among different business units more passionately than beating their competitors. The team is playing on the same side. When one person is responsible for originating, another for servicing and a third for risk, things can easily fall between the cracks.
Crises are big levellers. They are opportunities for the latecomers. Indian banks are relatively unscathed in the current crisis. They should take a lead in defining the new paradigm in risk management. Especially blessed are the much abused public sector banks—they have been careful in not overspecializing but have had a composite definition of performance accountability. The tide has come and gone, to paraphrase Buffett, and the world knows who all were swimming naked. Indian banks should go into the water with their trunks on.
Saurabh Tripathi is partner and director, Boston Consulting Group. These are his personal views. Comments are welcome at firstname.lastname@example.org