Quants working in risk management need to watch their backs. According to one narrative now being used to explain the industry's collective failure to spot the dangers lurking in credit markets, bank risk functions had been taken captive by statisticians, mathematicians and modellers. With the quants at the controls, there was an unhealthy obsession with risk measurement, while the nuts and bolts of risk management - limits, controls, governance, reporting and good old-fashioned common-sense and judgement - were allowed to rust away.
"Models have an important part to play within the spectrum of management opportunities, but to hand your risk function over to the quants - which some banks have done - is clearly mad," says a senior risk manager at one large UK bank. "Some institutions have been approaching risk in a purely mechanistic fashion, handing it over not just to quants but to computers - and intuitively there seems to be a link between the banks that took this route and the level of losses experienced. Our own losses haven't been extreme, and I think that's because we haven't thrown the management - the human element - out of the equation."
Put like that, it sounds as if a civil war is brewing within the risk profession between the quants and the managers. Not everyone sees it in such a 'them-and-us' way - but there nevertheless seems to be some agreement that the pre-crisis risk agenda had become too heavily skewed towards quantitative measurement. "There's a danger we've become so focused on getting things right, we are not doing the right things," says Carl-Johan Granvik, chief risk officer at Nordea in Helsinki. "The focus of both internal risk managers and supervisors has tended very much to be on the decimals in the calculations, rather than on taking a step back to look at where we are going."
A backlash now appears to be on the cards that could see quants and their models losing influence in risk functions, with a new emphasis being placed on pragmatic risk management instead. Chastened by the failure of models, banks want to go back to basics.
Robert Fiedler, a liquidity management expert with his own Frankfurt-based consulting business, ALM Lab, argues that having invested so much in risk management systems over the past five years, senior executives and board members have now lost confidence in the power of those tools. "They hired well-paid technical specialists to come up with magic numbers - like value-at-risk, for example - and believed those numbers would be a kind of panacea. That didn't work, and there has been an emotional reaction," he says.
Philippe Carrel, London-based executive vice-president for business development at Thomson Reuters, thinks this emotional reaction will result in a more considered shift in the risk management agenda: "I don't think risk has ever truly been managed. It has been quantified, assessed, documented and reported. But managing risk like you manage your expenses, or like you manage your strategy - that's something banks have still not been able to do, and that's the future of risk management. We're going to see fewer complex algorithms and a lot more human intervention."
The banking industry's love affair with quants and models didn't come from nowhere - and for many observers, the blame lies partly with Basel II. The new framework calls for regulatory capital to be set aside for market, credit and operational risk, three apparently distinct risk types. The rules encourage banks to calculate their exposure to each of those risks in a certain way, with the possibility of capital relief acting as an incentive to develop discrete internal models. No-one should now be surprised if banks failed to cope with a crisis in which market and credit risks overlapped with and reinforced liquidity and funding risks, argue some - they were too busy implementing their capital calculation systems.
"There was a crowding-out effect," says Tom Garside, global head of the finance and risk practice at Oliver Wyman in London. "I think people have been overwhelmed with a model-building imperative, and I think inevitably that can crowd out the step-back-and-think-about-it component of risk management, which is a very important part of any proper risk framework."
Even Basel II proponents have now become critics. The UK bank risk manager says he, along with many of his counterparts at other large institutions, lobbied in favour of risk-sensitive regulatory capital when the Basel Committee was planning to update its capital rules in the late 1990s. At the time, he recalls, there was a groundswell of opinion among leading banks that life would become much easier if the regulatory capital regime could be aligned with the way banks allocated capital internally.
"I was part of the call to align the two but I now think, as bankers, we were completely mad. There's no shadow of a doubt this is not the way forward. The crisis challenges all the basic assumptions that credit modelling and other forms of modelling are accurate and that internal models are an appropriate mechanism for regulation," he says.
Regulators are now facing intense political pressure to reopen Basel II's hood and start tinkering with the engine, and a series of revisions are expected to emerge over the coming year. The senior risk manager is dismayed: "I think the aims and aspirations for Basel II were admirable, but we've created a monster that clearly still needs feeding."
So, what does all of this knocking of quants and model-bashing mean in practice? It certainly doesn't mean the death of modelling: quantitative analysis is one of the industry's pillars, supporting everything from pricing and hedging to capital calculation and performance analysis, concedes Thomson Reuters' Carrel. It would be impossible to abandon it and start from scratch - and, indeed, technology vendors are looking to improve the capabilities and functionality of their systems to cope with current market conditions (see pages 106-108).
More to the point, says Oliver Wyman's Garside, models did all that was expected of them in some cases - they provided advance warning of a bursting credit bubble. As a result, some financial institutions succeeded in repositioning themselves ahead of the crisis. Even among banks that have suffered, the models may have done their job but positions were either too big to be cut quickly enough, or the risk function itself didn't have enough influence to force a substantial change in behaviour.
Aaron Brown, a risk manager at Greenwich-based hedge fund AQR Capital Management, and a former credit risk manager at Morgan Stanley, has a similar take on it. "At the end of 2005 and in early 2006, the models - as bad as they were - showed the need for major additional capital. Correlations were going up, spreads were going up, all kinds of things were happening in the market that showed a need for extra capital, and this was at a time when bank stock prices were at all-time highs and they could have raised capital very cheaply. But they didn't. They were all thinking about stock buybacks instead," he notes. "In a sense, the system worked in every way except nobody paid attention. People just didn't trust the models. Possibly, the result of all this is that next time, they will trust them."
Instead of getting rid of the models, banks need to find a better way to use them, says Nordea's Granvik. One of the problems is that models can give the illusion of confidence - it's tough for senior executives or board members to have a debate about a VAR number or to understand how reliable it really is. Granvik argues banks need to start asking themselves simpler questions and use simpler metrics: "One of the problems with the current crisis is that so many people discovered they were in a business that was a million miles away from their home turf - and I think more questions need to be asked about that: is this a business we should be in? Do we understand it, can we manage it, what are the risks we are taking here?"
Granvik argues rather than giving decision-makers numbers such as VAR, which purport to show how much money can be lost by a single trader, desk or portfolio at a given level of confidence, banks should spend more time looking at gross exposure numbers. "Banks should have started by asking what their total exposure to the US subprime market was, and - once they had a figure - they should then have asked whether that was a good thing for them to have, regardless of what the models were telling them," he remarks.
Thomson Reuters' Carrel agrees. He illustrates the problem with the hypothetical example of a German bank that has sunk money into a Swiss fund of funds, which is in turn invested in hedge funds that hold portfolios of collateralised debt obligations (CDOs), which contain mortgage-backed securities referenced to US subprime mortgage loans. "How is it going to help you to calculate the VAR of the fund of funds, or the hedge funds, or even the CDO? It won't do anything. You'll have beautiful maths but it's not going to measure the risk factors to which you are really exposed," argues Carrel.
He urges banks to go back to basics - to bring together a group of accountable individuals at the highest level of the institution and have them ask the kinds of simple questions highlighted by Nordea's Granvik. But he sees some practical changes starting to occur now. At the tactical level, a number of firms are creating new roles for a kind of super-auditor - a post that would have responsibility for reviewing the operations of the risk function itself and ensuring it is doing what it's supposed to. As things stand, existing audits tend to be carried out by staff who lack the expertise and authority to be a guarantor of the risk function's effectiveness, says Carrel.
At the strategic level, he expects the very largest banks to start dismantling the universal banking organisational model - as UBS announced it would do on August 12. Carrel argues the integrated model is an obstacle to effective capital allocation within a bank and - perhaps more importantly - makes the risk profile of the institution opaque to external stakeholders. "As banks start to really look at how to manage risk effectively, I think they're realising the only way to do so is to have specific business activities with specific risk profiles and to manage them separately. After all the mergers we've seen in recent years, I think we're now going to see de-mergers," he remarks.
The UBS reorganisation, which will see the bank split into separate investment banking, wealth management and asset management divisions, isn't a de-merger, of course, and Nordea's Granvik offers a word of caution: "If you have separate divisions drawing on a single stock of group capital with no group-level consolidation of risks, it might just make matters worse. If you're going to do it, you either need to consolidate the risks really well at the group level or take it through to its bitter end and actually make each division its own company with its own capital."
OP RISK GOES BACK TO BASICS
It's not just within market and credit risk that quants have taken a battering in recent months - the EUR4.9 billion rogue trading loss suffered by Societe Generale in January this year has also prompted calls for operational risk managers to refocus on the nuts and bolts of management, rather than the minutiae of measurement. As with market and credit risk, it is Basel II that again gets some of the blame.
George Clark, chairman of the executive committee at the Institute of Operational Risk, argues that because operational risk was a less mature discipline than market and credit, it became defined to a large extent by the way people saw the new regulatory framework - and many banks came to focus on the first of its three pillars, which lays out how banks can calculate their own minimum capital requirements, rather than the second and third, which tackle supervisory review and disclosure.
"Basel II was really all about Pillar II, and some people recognised that from the start. What they were saying all along was 'it's about risk frameworks, it's about context, it's about people' - all that kind of management stuff. Pillar I was really just an add-on, but regulators allowed the debate about it to run unchecked, so people have approached it in a very unbalanced way," says Clark.
He is now concerned the elaborate operational risk frameworks that banks have built will not deliver much in the way of actual risk management. Clark has visited two major international banks in the past 12 months and seen little evidence that frameworks are actually implemented in a way that will change their behaviour - a problem he attributes to poor project management skills in the risk profession.
The problem risk managers now face is that they have exhausted the patience and resources their banks had allocated to them, he says: "I suspect risk managers will be spending more time on the basics - and that's partly because they have less money to fix the underlying problems in their systems. It will become even more important for them to use the fundamental skills they have, working with the businesses, asking questions, doing root cause analysis - all the traditional things you expect from risk management that may have been neglected in recent years."