"It takes a thief to catch a thief," says Diemer Salome, head of non-financial risk management at Rabobank. As part of a wide-ranging overhaul of the Dutch bank's group-wide risk management framework, it's an adage he and his colleagues have kept in mind.
The revamp comes in the wake of the Libor scandal, which has cost global banks and brokers billions of dollars in fines since 2012 for the rigging of benchmark interest rates. In October 2013, Rabobank admitted that 30 of its employees were involved in the misconduct and agreed to pay more than $1 billion to European and US regulators in fines.
As part of the settlement, the bank paid $96 million to the Dutch public prosecutor, $168 million to the UK Financial Conduct Authority, $475 million to the US Commodity Futures Trading Commission and $325 million to the US Department of Justice. When the fines were announced, Rabobank's executive chairman Piet Moerland immediately resigned, describing the events as "appalling".
Before the settlement, some might have found it difficult to believe that a firm known for agricultural lending and its co-operative banking model might find itself in trouble for taking part in the manipulation of interest rates. But with regulators critical of the bank's risk management, Rabobank set to work on a package of measures aimed at enhancing compliance, reducing risk and improving culture, including an effort to invest more responsibility and accountability in its frontline staff.
"I think the Libor event has been a wake-up call for the first line – how actual accountability feels if something goes wrong," says Salome.
Now, the bank is in the middle of a process begun in 2012 aimed at creating a consistent and effective risk management framework across its entire business. In the past, the policies, objectives, processes, controls and governance structures used for risk management were inconsistent across the group. Each of Rabobank's individual business units had its own risk management systems and controls in place – from domestic and international retail, to wholesale lending and financial markets.
The daunting task facing risk managers was to revisit a sprawling system of controls and reporting that spanned 40 countries and served 8.8 million clients. But beyond this complexity lay a more fundamental problem: finding a way to get the bank's first-line staff more engaged in the risk management process.
On the front line
Often, risk managers at banks are seen as naysayers, stepping on the toes of frontline staff with risk controls. At Rabobank, one of the goals of the new framework was to get the front line involved in risk management as early as possible: at the design stage. One obstacle to achieving this was convincing the bank's traders, salespeople and other staff in the first line that Rabobank was in fact exposed to operational losses similar to those suffered by other firms.
That's where the thieves came in; or at least, the people who had studied thieves closely.
Salome and his colleague, Pieter Emmen, group head of risk management at Rabobank, used experiences of previous op risk losses to raise awareness and develop controls around areas such as rogue trading. For instance, Rabobank called in a team from Dutch auditors KPMG that worked on the post-mortem of Kweku Adoboli's crippling 2011 rogue trading loss at UBS. The idea was to press traders to imagine what it would take for one of them to hide a big loss. "The first reaction was always, 'we are Rabobank – this would never happen to us'," says Salome.
However, after being continually challenged by the risk team, "[one] guy came back after a week and said, 'yeah I think I could; and I think I could do this without you even noticing'."
Once minds were opened as to how such a catastrophic loss might emerge, the bank's staff were in the right frame of mind to begin working together on risk controls, says Salome. "Starting this discussion [and] really challenging the front line ... it gave a huge push to the whole investigation on risk controls," he says.
In the past, Rabobank had a habit of managing risks on a reactive basis, with business line risk managers creating new risk controls in response to specific problems they encountered. With many different risk managers doing this in different areas of the bank, the system quickly became very complicated, something that obscured the underlying problems, says Emmen. "The more controls you have, the more difficult it is to have any oversight."
Together with the bank's frontline staff, risk management sought to identify the real risks facing the bank's business and put in place key controls to manage them, removing the need for many redundant controls. Many of those controls were duplicative and others only addressed the symptoms, and not the causes, of problems. As part of the exercise, the bank's traders, salespeople and related staff drew on their experience to identify the risks that were likely in practice, with risk managers then translating those risks into a smaller number of new, effective controls.
The team uncovered a huge number of redundant controls. In the residential mortgage sales area alone it pared back a whopping 150 risk controls to just nine. "You want to make sure you look at the key controls, instead of just ticking off 500 controls and saying 'I did it'. That's not risk management," says Emmen.
Salome gives the example of mis-selling – an area where the bank formerly expended a lot of effort making checklists relating to the behaviour of salespeople and their decisions. In practice, simply tracking the competence of the salesperson involved is a much more useful control, he says.
When it came to putting together the new control system, the involvement of the bank's front line was crucial, says Salome. "In this way, we ensure that the people actually having to execute the controls in the future had a very big say in designing the control framework," he says.
Indeed, Emmen says this has been crucial to fulfilling that most elusive risk management desire: getting first-line staff to own their risks. "The buy-in and the awareness makes it a lot easier to get it implemented effectively and efficiently," he says. "Throwing it over the fence and hoping it works is not the way to implement these kinds of complex processes."
Roles and responsibilities
Much has been written about the organisational flaws that have caused scandals such as Libor to occur. During the landmark trial of former UBS interest rate swaps trader Tom Hayes, which ended in August, the disgraced trader claimed never to have had any compliance training, meaning he was unaware that manipulating Libor constituted misconduct.
One of the major goals of the new framework is to clearly define roles and responsibilities for risk managers and business managers alike. This way, there can be no doubt as to whose responsibility it is to manage a particular risk.
"With all risk areas, we want to make a very clear split between the first-line responsibilities and the second-line responsibilities," explains Emmen. "In the past, it was a lot more blurred. Now we will make it very clear the first line is responsible for all the risks they take. We help them where we can, and we monitor, but they are responsible."
The approach means that risk managers have to become what Salome calls "guardians" of the firm's risk profile, rather than sole owners of the risk. Risk managers at Rabobank are now responsible for "managing risk culture, managing risk awareness, [and] providing the tools to manage risk – but not stepping in to take the first line's responsibility", he adds.
By the end of the year, the new risk management framework and controls are expected to be embedded throughout Rabobank's rural and retail banking units. The process of harmonising risk controls across all the bank's business units began at the end of 2014 and Salome predicts it will be at least a further two years before it is completed – leaving the bank with a coherent risk management approach and set of group-wide risk controls for the first time.
Crucially, the new framework passes the 'use test'; in other words, the processes used for risk management internally would be in line with what is required by regulators, a sign of the full integration between risk and the business that regulators demand. When the new framework is fully implemented, Salome and Emmen expect the risk function to be completely integrated into the way Rabobank does business. "The new policy brings a holistic view on your entire risk control framework to make it as much one as possible, and to make it more efficient and a lot more effective," notes Salome.
While the Libor settlement acted as a catalyst for the overhaul, the current restructuring of Rabobank is helping to push things along. The bank has historically operated as a co-operative of 110 local member banks, each with its own individual banking licence and balance sheet. But under the group's restructuring, set to be completed by January 2016, all the different banks will operate under a single licence with a single balance sheet, streamlining governance and reducing costs.
Within this, Salome and Emmen say the systems now in place give the risk function higher quality information and a stronger say in informing business decisions than in the past. "You see those big key risks in [a new] product, then we get a good debate about them, instead of keeping on debating about a thousand controls," says Emmen.