01 Mar 2009, Oracle, Operational Risk & Regulation
With the clouds having been building for a while, the Asia-Pacific region’s financial institutions are only just now being hit by the credit crunch. In this webinar, sponsored by Oracle Financial Services Software, industry leaders discuss how strong risk management practices and an integrated risk management approach can help firms weather the storm.
OpRisk & Compliance: How do you foresee the impact of the financial crisis on Asia-Pacific banks taking shape in 2009?
Saloni Ramakrishna, Oracle Financial Services Software: An interesting point is that, when we speak of ‘Asia-Pacific’, we are not referring to a single, homogenous group of countries. We are talking about blocs; we have Japan, Australia, Korea, Singapore and the Association of Southeast Asian Nations. So, the first point is to set the context. The second is that, given that global financial markets are a reality, there is bound to be an impact and we have started to see one. We were talking to the chief executive officer of a bank the other day and he provided an interesting insight as an answer to this question. He said that in the West the problem and its impact was first felt by the banks and then spread to the real industries, whereas in our part of the globe the impact is first on the real industries and then, as a result, on the banks. This is true for the export-orientated economies such as Japan. In China – while growth is positive – the government has issued a warning, saying this is still one of their toughest years this century. So, the impact is felt starting with real industry and working backwards to the banks.
Simon Page, China Bohai Bank: The impact of the financial crisis in China is very limited. The currency is not fully convertible, the banks are very liquid, the interbank market is very inactive and, therefore, there is not a great deal of contagion from a lack of confidence and there is strong belief that the government will prop up any failing banks, especially the bigger ones. It is unlikely there will be a financial crisis – but I agree with Saloni in that there is going to be a big economic impact. The real estate and export sectors are already struggling and have been for a year.
Andrew Carriline, Westpac Banking Corporation: From an Australian and New Zealand perspective, the issue for the greater Asia region is whether what happened in Australia will be the bellwether for the region. It was useful to speak of a financial crisis to start with, but it is certainly no longer just a financial crisis. From where I sit, these events started almost two years ago with the liquidity crunch, as we know, moved through into a credit crisis, then an equity crisis and then became a capital crisis. As the environment has deteriorated in the US and UK, and it is our experience in Australia and New Zealand, the responses have been progressively more substantive. So our initial reaction when we thought it was a liquidity crisis and moved through into the credit markets was to scenario-test whether this was going to be as bad as 2000 and 2001. We then looked to see if it was going to be as bad as 1991–1992 and, having moved through that, the analysis now is what do we need to do to avoid a depression-type situation.
OpRisk & Compliance: Have the risk management approaches developed in US and European banks been ineffective in averting the crisis, and what is there to learn for Asia-Pacific banks?
Carriline: There are a number of lessons. Financial institutions did not properly price for liquidity. They certainly did not stress their liquidity models sufficiently with maximum liquidity outflow models. The global financial system and the capital environment encouraged banks to pursue regulatory capital arbitrage strategies, which incentivised them to move good assets off their balance sheet and keep the bad ones. The whole subprime crisis reflected a loss of connection between origination and holding, so there was no incentive for quality in origination. The risk professionals allowed situations to develop where assets were held by financial institutions that either weren’t properly understood or not understood at all. There was overreliance on the rating agencies. Stress- and scenario-testing probably was not comprehensive or bearish enough. So there is a whole combination of factors – and there are probably many more – that suggest our risk practices have been found wanting.
Ramakrishna: Have the risk management approaches developed in US and European banks been ineffective? The answer has to be yes. That is the reason for the current situation. But, if you drill a little deeper, it is not that the original risk management systems themselves are faulty, but perhaps it was because of their siloed approach. I would pick four points from an approach or strategy point of view. The first is the large disconnect between the various risks – credit, liquidity, counterparty, operational – all operated as silos. The second is a disconnect between risk management and the other lines of business. Third is the black-box systems that did not throw up timely alerts and last, the improper evaluation of the operational risk involved in the launching of these new and exotic products. If there is one lesson to draw, it is that all risks are interconnected. I would go one step further and say that all risk and returns are interconnected. Viewing these in an integrated and holistic fashion is the most important lesson. Coming a close second is picking up early warning signals and alerts and actively managing them, rather than waiting for the disaster to strike and then running helter-skelter. I pick these as the two big lessons. One is looking at risk as a holistic and interconnected idea, and the other is the capability to pick up early warning alerts and act immediately.
Page: In Europe, risk management was focused on creating diversity, and the mantra was that if you can diversify your portfolio then that is good. We did that through repackaging, securitising of assets and the selling of assets and, despite the fact it is a good idea, it has now become part of the problem. The risk management approaches that we designed in the late 1990s and the early years of this century have been about creating securities, looking to mark-to-market and taking market values or for assets, and the net effect of that process, combined with Basel II and IAS39. I recently heard somebody describe Basel II as procyclicality on speed, and I think it is. The combination of those things has created real volatility and real amplitude to an otherwise pretty standard economic cycle. The other thing is that we have excess reliance on models. Most models assume distributions. We only had small pieces of data and assumed distributions around them and they were big leaps of faith. It was the best we could do at the time but perhaps we overly relied on it. Fundamentally, where risk management failed is that it did not ask the ‘what if’ questions. Risk management is about asking the questions that nobody else wants to ask; what if this happened or what if that happened? For a long time that did not happen. If you were the guy who talked about the downside, then you got shot down. That culture was allowed to breed for too long.
OpRisk & Compliance: Are banks in the Asia-Pacific region geared to proactively avert or minimise a financial tsunami? Is a well-thought-out, integrated risk management approach a possible solution?
Thomas Barothy, UBS Global Wealth Management & Business Banking: Asian banks have one advantage, and that is timing. They can now learn some of the lessons widely. For example, UBS published a 50-page shareholder report on UBS’s write-downs, which was actually the summary of a much bigger report for the Swiss banking regulator. So, there is a lot of data available where banks and risk managers can learn and apply the lessons to their own organisations. In that sense, Asian banks have an advantage to get their risk management right.
Carriline: Two examples of integrated risk show how the unfolding of the crisis created events or circumstances where integrated risk and a capacity to operate in that way has been of benefit. The first has been that, in Australia, we had the banks with fairly significant margin lending books. For those that aren’t familiar with that, it is essentially a loan secured against equities; the loan to a particular valuation ratio. Those loans historically have never suffered any losses because in ordinary equity markets there was always sufficient liquidity to get out of your debt before the equity value deteriorated. What happened in the current crisis on a number of occasions is that the equity stock gapped and, in some cases, a company would go into a trading halt, and when it came out of trading halt its share price immediately dropped 75%. In a situation where you have equity markets generally deteriorating rapidly, individual stocks gapping at 75%, and you are not sure whether your margin lending loan agreement allows you to close out that loan immediately, or whether you have to give one day’s notice or seven days’ notice, then you tell me whether you are dealing with credit risk, market risk or operational risk? You are just dealing with risk. Being able to do that in an integrated fashion really brought home the benefits of that activity. The second part is in relation to collateral management. I will not go into that in any detail but it is essentially the same problem. With very volatile markets and significant amounts of volume of collateral moving between institutions on a daily basis, you cannot delineate between market, credit and operational risk, but are just dealing with the events as they occur. Finally, integrated risk is very closely aligned to culture. And when it is aligned to culture, risk management will be exercised by every single person in the organisation. There are great risk skills outside of the risk team. They need to be utilised but that subtly changes some of the roles and responsibilities of the risk team to manage those information flows and guide them, and that has become quite a priority over the past 18 months.
OpRisk & Compliance: How good is the risk data that firms have? Can it throw up timely alerts to avert the crisis?
Ramakrishna: I love this question. I have heard this almost in every discussion I have had. People say they do not have good data. This is now the banker in me speaking. At the end of the day, a bank has only a few sets of data – transactions, contracts, customers, products, market data like interest rates, prices and, of course, collateral data. All the fairly well-managed banks will have decent transactions and contract data as well as market data. The challenge really is in updated customer information and collateral information. These are the two big challenges, and of course the off-balance-sheet data. Will any bank have completely good data to start with? The answer is ‘no’. They will have some data that is good and that is the place you start with and then put in place an actionable strategy to start enriching data. Coming to the second part, as Thomas said, data has to be transformed intelligently and associated intelligently for you to get the alerts and that is where a good integrated system helps. No amount of good data is going to help you unless you combine it, join it, associate it intelligently and find out early warning signals. That is where good systems come into the picture in addition to data. A good and transparent system will enable you to look at intermediary warning or early warning signals. So I think getting good alerts is a lot more involved than good data.
Carriline: The data itself is of no benefit at all even if it is perfect, unless you can use it in a way that gives you rich intelligence. When you are employing someone or engaging with someone to create the models or scenarios that are going to use the data, you need someone who is given free rein to speak broadly and be creative. That’s because anyone can think up a set of scenarios that are relatively standard extrapolations of what people know, but our experience over the past 18 months is that things happen that have never happened before. They would never have been scenario-planned in any set of scenarios based on extrapolations of known events. So, if you are going to get benefit out of your data, then the past months have shown us that you have to be really creative in your models and scenarios and, once you get to a scenario that you think is as bad as you can conceive, then double it and then probably double it again.
OpRisk & Compliance: How should firms go about building up their risk management skill set to ensure they are ready to meet the crisis if and when it hits Asia?
Page: I have three thoughts on this. The first is something Andrew said earlier about risk culture. The sales team is a huge part of the risk management skill set. We have to leverage their knowledge, and I think that to achieve this in China is a huge task. And it is a prerequisite to manage risk properly, because they are where the early alerts come from and where the true understanding of the client sits. Changing that is about changing some key aspects of the Chinese culture, so some of that is very slow. In the meantime the first step is to change the incentive systems. The other point is that the analytical expertise of the risk management functions needs to be upgraded. My experience of the analytical expertise is that it is very statistically based and there are not enough risk managers around. Going back to Andrew’s point about thinking up the stress tests and then doubling it and doubling it again, that is a risk management skill and requires people with a risk management background. We have too many statisticians building out models and not enough risk managers. So bringing risk managers into the modelling process is very important. Finally, we need to make the board far more cognisant of the outcome of the risk management exercises. That will take much training because a lot of board members in China really have no clue about the tools, techniques and measurement systems, the margins for error, and so on, around the numbers they look at. So we are very wary when giving the numbers to our board, fearing that they may overreact. So we need to upgrade the board’s insight into risk management.
Ramakrishna: In addition to what has been said – and I think they are all good points – having a sound framework both in terms of policies and infrastructure that can lend itself to an enterprise view is the most important requirement. The second part is the investment in staff training. We do not have enough risk experts. The answer to that challenge perhaps is training staff. This training starts right from the top and looks at how to train decision-makers, all the way to the staff that work with the risk applications and how they get the best business benefit out of it. One is to put the system in place and the second is to train the staff on it to get the best from it. Having a good infrastructure and framework allowing for a good enterprise view and investing in staff training – there are no short cuts here.
OpRisk & Compliance: What would be the top three initiatives that executives should do to increase the role of risk management in decision-making at the senior management and board level?
Ramakrishna: The top three initiatives for top management are, first, to invest in and enable laying down a framework on enterprise-wide view of risk, integrated with robust capital management. The second, given the interdependence of risk and returns, is to move to risk-adjusted returns and I would think that the lines of business, when they prepare their returns, should include the risk group in the exercise and present it together. Today the lines of business and the risk team are seen as two sides of the table, but the reality is that they are the same side. If top management brings them to the table together, that will improve the profile of risk as a function and also the business more generally. The third point is how to inculcate a positive risk culture and two steps towards this are to inculcate a transparency in systems, processes and open communication across the organisation about the risk governance and the risk appetite that the organisation follows. This will definitely help start off a positive risk culture, which will make a difference by making everybody understand that risk is an integral part of the business and it has to be given its due.
Barothy: I would add one point to that, continuing on what Saloni said, and that is review the incentive systems. That is something risk management can do with human resources departments. Then, in addition, it is now the time to increase the profile of risk management. If you are working as a risk manager, there has never been a time like we are seeing right now when you get basically unlimited senior management attention. It is a great time to beef up risk management within your organisation.