As the financial crisis built to a crescendo in 2008, the board of Goldman Sachs decided it was time for something they didn’t yet have after nine years as a listed company: a chief risk officer (CRO). They didn’t need to look too hard, because someone was already doing the job in all but name. After his appointment as chief credit officer in 1999, Craig Broderick had subsequently taken on responsibility for overseeing market and operational risks as well.
“Craig had been the CRO for years – everyone knew it, and everyone relied on him to do it; we just didn’t have anyone with that title,” says David Viniar, who was chief financial officer of Goldman Sachs from 1999 to 2013. Both Viniar and Sarah Smith, who is today Goldman’s chief compliance officer, and was chief controller and accounting officer during Broderick’s time as CRO, say Broderick had made the job his own thanks to a talent for “looking around corners”.
The three of them were the senior participants at a meeting that took place in December 2006 – and which has since entered into Wall Street legend. As alarms started blinking in the market for subprime securities, senior managers decided to rein in the bank’s exposure: getting “closer to home” was the phrase Viniar famously used.
Broderick recalls the run-up to that decision: “The metrics were varied in their nature – there was a person in the credit group who first pointed out to me how significantly subprime arrears were ticking up, so that’s a data point. Robert [Berry, market risk manager] pointed out that the residuals we were retaining in the mortgage securitisation business were ticking up, and the price volatility associated with those was increasing.”
The bank declined to take on new positions and sold down or hedged existing ones – for instance, through buying credit default swaps (CDSs). While no bank that relied on wholesale funding was unscathed when markets began to fail completely during 2008, Goldman was better insulated than most from the credit losses that caused that collapse of market confidence.
The seeds of the bank’s successful crisis response had been sown several years earlier. Broderick’s assumption of responsibility for all three categories of risk during the years before 2008 allowed him to develop a comprehensive understanding of what makes risk management effective across the bank, in particular the need for each component part of the risk management infrastructure to do its bit.
“It really is a weak-link situation, where a deficiency in any one area will cause a problem across the entire process. [You must] have a really good controllers’ group giving you really good prices, and feeding those associated marks to the operations group that provides really good daily margining and feeds back missed margin calls to the risk group, so we know on a daily basis what is happening in that regard,” says Broderick.
It really is a weak-link situation, where a deficiency in any one area will cause a problem across the entire processCraig Broderick, Goldman Sachs
He adds a whole nexus of other activities that then gather around the pricing of market, credit, operational and liquidity risks: the legal team wrapping trades with the right documentation, the compliance team making sure client disclosure and other issues are correct, and the treasury managing the bank’s own collateral exposures.
Broderick says the bank’s unquestioning response to Viniar’s instruction at the December 2006 meeting demonstrated the effectiveness of this integrated system, and the degree of authority given to the risk management function by the culture of the firm.
“If one of our risk professionals would establish a trade limit or credit terms that were more conservative than a business person would like, and the business person complained up the chain – which they are entitled to do – the practice of the more senior management both inside and outside the risk group demonstrated more conservatism not less. So unless the risk person had been quite off in their initial assessment, probably they were going to be not only supported, but more than supported. That provided a disincentive to argue,” says Broderick.
For his part, Viniar says Broderick’s own good judgement and careful assessment of both risk and reward helped establish the risk team’s authority across the bank.
“Many people think of risk managers as people who say ‘no’. Craig’s goal was to find a way to say ‘yes,’ while mitigating the firm’s risk so it was always manageable. He was so well respected for it that, the times when he did have to say no, the people he was saying no to almost never challenged it because they knew he tried to find a way to yes – if he couldn’t, then there was just too much risk,” says Viniar.
Underpinning all of this process was the daily mark-to-market of Goldman’s books. Mark-to-market accounting has been a topic of some controversy within the banking sector ever since the crisis. William Isaac, a former chairman of the Federal Deposit Insurance Corporation, once claimed it exacerbated problems in the market by fuelling the downward spiral of asset fire sales during 2007 and 2008.
Broderick saw both sides of the argument in action at Goldman during the crisis. On the one hand, the bank found the market for syndicating leveraged loans had seized up in September 2007, and was forced to sell down much of its warehouse inventory at depressed prices based on its mark-to-market philosophy. In reality, the borrowers for many of the affected transactions continued to service the loans throughout the crisis.
“It meant selling down a lot of positions that ultimately recovered, and if we’d held on to [them], we would have made money on the way up. But our discipline was we sell with the market, we redeploy the capital, we preserve the liquidity, and if the market is going to head back up, you can buy, trade or take advantage of it when it does,” Broderick says.
And on the other hand, that discipline was what protected Goldman from more severe losses in subprime, where valuations on some collateralised debt obligations (CDOs) never recovered because there were such heavy default rates in the underlying assets. From Broderick’s perspective, that imperative trumps any temporary hit to P&L from selling positions that subsequently recover.
“At the end of the day, Mr Market is Mr Market. The market can be right or wrong fundamentally, but if the price at which you can sell is X, then X is where you need to price your books – where you can sell, or alternatively where you can hedge, buy CDSs in credit-spread terms, or put on other offsetting trades on a risk-adjusted basis. That’s the reality, not what you wish,” he says.
Viniar agrees with that conclusion, and says he “never for a minute” questioned the fair value approach: “It was so enormously beneficial to us during the crisis, because we saw things the minute they were happening. We saw them, we felt them, so we dealt with them.”
That message was included in the bank’s 2008 annual report, which noted: “The proper valuation of assets and liabilities, of positions and commitments, is essential if risk is to be managed effectively.” Interestingly, the report also acknowledged: “Our firm certainly didn’t get everything right, and there are some decisions we would prefer to take back.”
One of those, says Broderick, was the extent of Goldman’s involvement in the leveraged loan market. Even as market conditions became more challenging, he says, the firm concluded that “the leveraged lending market is still really busy, and we are not going to be sitting on the sidelines.” That meant Goldman was still closing large deals intended for syndication right up to the point when the market froze in September 2007.
“We were arguably overextended in the leveraged lending space – overextended in the form of both aggregate exposure and in the form of concentration to selected names. That, in retrospect, we would have tweaked,” he says.
Broderick witnessed the impact of excessive leverage and concentration at the very start of his career in banking, as a trainee lending officer with Chase Manhattan in 1981. Oil prices were high, and refining margins were growing. The banks that serviced the sector lent aggressively into the boom. When oil prices fell, many of the smaller independent exploration and production companies and offshore drillers in Dallas, Houston and Louisiana were wiped out.
Broderick worked with multinationals, so he didn’t have the authentic “beer-drinking out of a boot” experience of the independents, he jokes. Even so, his clients were hurt by the oil price meltdown.
“As an introduction to various risks, it was quite formative. I learnt the fundamentals of credit, the ratios and the qualitative factors, then applied [them] in real-life terms to a range of companies that experienced issues of various sorts… It brought home very clearly that there is risk across sectors, some of which companies control individually, some they can’t; some they can hedge effectively, a lot of which they can’t or don’t,” recalls Broderick.
From Chase, he moved to Goldman in 1985, and then to London a year later to help set up a European credit group for the bank. Broderick and his wife planned to stay three years initially, but the move was a success, and it was 13 years before he returned to New York as chief credit officer.
During that period, the team grew from just four to around 75 in Europe, plus another 25 in Asia. Broderick helped introduce eight of the UK’s 12 regional electricity companies to the corporate bond markets, before expanding Goldman’s reach across continental Europe. While the Scandinavian banking crisis provided him with another taste of sectoral risks, his work mainly involved securing credit ratings and market access for clients. That changed when his superior returned to the US, and encouraged Broderick to step up and lead the team.
“He said: by the way, you don’t know that much about managing fundamental derivatives and underwriting risks. If you want my job, you’d better learn quickly. I morphed into actually learning about how you set credit limits and assess trading counterparties, and what kind of settlement issues arise in foreign exchange versus commodities, and so on,” recalls Broderick.
Coping with stress
That adaptability again served Broderick well as Goldman itself began to change around him. When he first joined, he notes, the firm was very much in the traditional investment banking mould, focused on advisory and capital markets. Most of the market risk activity was confined to the J Aron commodity trading business acquired in 1981, which he says could not be described as a “fully built out” sales and trading function at that stage.
Over time, the balance changed markedly, with former J Aron executives including Lloyd Blankfein, Gary Cohn and Viniar’s successor as CFO, Harvey Schwartz, rising through the ranks to dominate the firm. The growing exposure to market risk put new demands on both risk management and control functions – in particular, the need for high-quality data. Without the right data, says Smith, a bank cannot know if it is managing all the risks, or the right risks.
“We both understood that very early on. My mission was to deliver not just clean financial statements, but all the information that went into them and that fed the risk systems, including the marking of all the positions. That was absolutely fundamental to Craig being able to make the decisions he made,” says Smith.
Time and again, Broderick credits the wider culture of the firm in providing him with the support he needed. He says Goldman consistently promoted people on the business side who had the best grasp of the risks their teams faced.
My mission was to deliver not just clean financial statements, but all the information that went into them and that fed the risk systems, including the marking of all the positions. That was absolutely fundamental to Craig being able to make the decisions he madeSarah Smith, Goldman Sachs
“It was not a coincidence that Lloyd was successively promoted up the chain, because he was really good at seeing the critical issues in his business area. It is not a coincidence that David Solomon ended up running a lot of the lending function in investment banking and then the firm, because when it came to his clients and understanding the risks in the lending space, he knew them as well as we did. It was a case of obviously supporting your better, more risk-sensitive professionals on the business side as well as the control side. It’s a powerful message and people react to it,” says Broderick.
He was also grateful for managerial support in the form of extra resources that allowed him to build out the risk management function during the 2000s, in terms of both technology and staff numbers.
“We brought our analytics capabilities up to what was then regarded as a pretty high standard in terms of stress-testing capabilities, consolidated aggregation metrics and other things that were ultimately shown to be really essential from a risk management perspective, but at the time were less the norm across the industry as far as we could tell,” he says.
And that in turn positioned Goldman well for what came after the crisis – the wave of new financial regulations requiring banks to manage their balance sheet to many more metrics than before. In Goldman’s case, that was magnified by its decision to acquire a banking licence in 2008, resulting in Federal Reserve registration and supervision.
Broderick’s view was that Goldman needed to look beyond individual regulatory changes that were, as he puts it, introduced “on a drip basis,” and recognise the larger and permanent regime shift. That meant building infrastructure to handle a full set of new requirements, rather than just responding to each new demand on an ad hoc basis. Ideally, it also meant developing those new systems with an eye to using them from an internal risk management perspective as well.
That is the philosophy we used with a lot of regulatory requirements – this is the new state of the world, and we have to obey these requirements. And while we are doing it, let’s see what we can do to make it useful as wellCraig Broderick, Goldman Sachs
Above all, his group applied that approach to the supervisory capital assessment programme (S-Cap) undertaken by the Fed in 2009 and originally trailed as a one-off remedy for banks’ undercapitalisation. Instead, it morphed into the annual comprehensive capital analysis and review (CCAR) process.
“We looked at S-Cap, and we said to ourselves, this is not going to be a one-time exercise, this is something that is going to recur in one form or another for a long time now, and we have got to build right away the structure to accommodate it. That is the philosophy we used with a lot of regulatory requirements – this is the new state of the world, and we have to obey these requirements. And while we are doing it, let’s see what we can do to make it useful as well,” recalls Broderick.
In the case of S-Cap, the upgrade to Goldman’s stress-testing capability meant the bank could isolate the impact of specific scenarios as and when needed – Broderick gives the example of a five-dollar increase in oil prices across the curve and across products.
“So, if in early Asia trading before New York opened, we saw a five-dollar spike in oil, I would know immediately in general terms in market risk what we were likely to make or lose, and in the counterparty space who were the major counterparties that would have the biggest losses, and therefore [where] we’d be expecting the biggest margin calls,” he says.
Court of public opinion
Aside from the overexposure to leveraged loans, Broderick mentions another key regret from the financial crisis: “We misunderstood the power of the court of public opinion, and could have been more sensitive to that and to the way the firm was perceived, and to the articulateness with which we explained our role within the industry.”
A major example of those negative headlines was Goldman’s relationship with AIG, which was bailed out by the US Department of the Treasury, and subsequently made a $12.9 billion payment to Goldman – mainly on CDS trades. Critics claimed Goldman was being bailed out by intermediary.
Broderick reiterates the points made in Goldman’s 2009 annual report: that the bank had a series of positions with AIG, each of which was acceptable individually, and its net risk after collateral was also moderate and carefully managed. What Goldman did not know was the extent to which AIG was insuring such a large portion of the subprime securities market across many different banks.
“You don’t really know, and you have no way of knowing, what their liquidity and net positions are. All you know is what they tell you and what things you find credible based on the available facts and information. We were talking to one of the largest and apparently most sophisticated financial institutions in the world, and they were saying ‘Why are you asking me? I should be asking you.’ It may seem obvious in retrospect, but it was not obvious at the time,” says Broderick.
All firms are now moving to an enterprise risk concept… and that would include things like conductCraig Broderick, Goldman Sachs
The structuring and sale of CDOs that turned toxic in 2007 and 2008 was another example of conduct that Broderick says he would have liked to “reconsider”. While pointing out that there were plenty of other parties involved in (wrongly) analysing these products, he would nonetheless not want to see a repeat of the kind of structuring that took place before the crisis.
“It permitted too much leverage, it permitted too little transparency, it permitted too much correlation across the market. The underlying market and modelling assumptions proved not to be resilient,” he says.
This episode underscores the challenge for any bank to establish and maintain its own moral compass in a highly competitive business – something that may ultimately mean turning away deals or clients that other banks are willing to take on. Broderick says the bank has always sought to have its own internal standards that have been constantly “refined over time,” built in particular on the close relationship between risk, compliance and legal teams.
Nonetheless, there are clearly occasions when Goldman’s internal compass has broken. In recent months, it has been widely reported that the bank is co-operating with US authorities over the relationship between some of its bankers and a Malaysian client accused of plundering the country’s 1MDB sovereign fund.
The good news for Goldman is that the compliance team reportedly flagged concerns about the client. The bad news is that one or more bankers allegedly circumvented the compliance team to continue transacting with the client.
Unsurprisingly, Broderick picks out conduct risk, and especially the risks stemming from client relationships, as areas that CROs need to focus on – another being cyber risk. These are, he points out, very different from the traditional market and credit risks that show up in the daily marking of books, and they are also not confined to individual business units. That requires a shift towards a much broader approach to risk management.
“These risks are not easily quantified. You need to do a qualitative analysis and provide a forum for multiple inputs from different functions in the bank,” he says.
The bank appointed Gerald Corrigan to establish a business standards committee in 2010, and subsequently created a reputational risk committee in 2015. Broderick emphasises the role of these two committees, as well as the importance of the CRO’s direct reporting lines to both the chief executive and to Mark Winkelman, chair of the board’s risk committee, who also sits on the audit and governance committees.
According to Smith, Broderick’s own substantial contribution was in helping to integrate conduct risk into the bank’s pay structure, which represents a complex new departure for the sector generally.
“All firms are now moving to an enterprise risk concept, which pulls in non-financial risk along with financial risks, and that would include things like conduct. That means you have a much broader array of risks to think about whenever you promote and pay people and when you put risk processes and risk assessments in place. It is a much deeper well now than we used to think about 10 years ago,” she says.
The future of risk
As to another emerging exposure – cyber risk – Broderick sees it in terms that go well beyond high-profile hacking events. He says the CRO increasingly needs a deep understanding of market infrastructure, including payment systems and clearing houses.
“The CRO has to become more of an expert about technology and operating systems. You have to deal with the immediate risks, but also think about the long-term implications. It’s the same as how we reacted to new regulation after the crisis, we knew it was here to stay, so we prepared for the long term. It’s not enough just to come up with some one-time expedient responses,” he says.
Broderick is no stranger to technology, having majored in computer science along with finance, accounting and economics at the College of William & Mary. And he notes that his successor as CRO at Goldman, Robin Vince, has had plenty of hands-on experience of technology during his career, including a stint as chief operating officer for Europe.
As with conduct risk, Broderick says tackling cyber risks involves drawing in a wider range of people from across the bank. For example, he says, as algorithmic trading now moves too quickly for real-time human surveillance, the gap risk has grown accordingly. That means working not just with market risk specialists, but also with strategists and the operations team.
The debate is increasingly turning to the role of artificial intelligence and machine learning to manage and analyse the vast quantities of data that now feed into a bank’s risk engines. But today’s risk managers will be reassured to know Broderick still sees a central role for humans.
“You have to know the limitations of technology and apply judgement. The CRO of the future will know new technologies well, and will be able to make great use of them, but won’t over-rely on them,” he says.
In fact, it’s the people, as much as the risks he helped the firm avoid or the new techniques he developed, which are a particular source of pride. Broderick says he is especially pleased with the way the risk division kept a strong culture, which was passed on to each new generation of risk managers. That includes Vince, his own successor after he stepped down at the start of 2018: “I agreed to serve a handover period, but I can say that he was done in half of that – I could pretty much put my feet up!” Broderick jokes.