Risk Professional, February 2009

cover Story

mends that it be someone who is “bright; somewhat dissatis- People also need to understand where compensation and fied with the organization and culture as it is; understands a concerns about job security – particularly for risk managers significant part of the organization and how it operates; and – fit into this equation, and to determine if there are poten-has a vision as to how to change it.” That person does not tial conflicts of interest among risk managers who wear the necessarily need a risk background, he points out. hats of “compliance champion” and “business partner, as The third requirement on Deloitte’s list is building risk Harvard’s Mikes frames it. capabilities. Hida notes that developing valuation systems Both transparency and disclosure can be a tough sell on requires integration of multiple models. Says RiskMetrics’ Wall Street because many of its business models are consid-Berman, the historic separation of credit and market risk is ered proprietary. “If you look at other industries,” Berman “inappropriate for the strategies of today.” Companies also says, “transparency comes from consumer pressure, not can’t afford to rely “blindly,” on these tools, he says, adding, regulation. Investors need to ask for this.” “You can’t press a button and say, ‘predict the future,’ but An important question for boards, regulators and others you can allow a qualified professional to use judgment to is, “How does anyone know if a risk management program come up with estimates for the future.” is working?” says Lam. “You can’t have a good performance A manager is only as good as the tools he or she has to function, or risk management, without good performance work with. “These are “sophisticated and complex mod- measurements and good feedback.” The industry, he says, els,” says McKinsey’s Buehler. “But if you use models with has never really had that. Implementing these, he adds, historical data generated over a reasonably benign economic would go a long way toward reestablishing trust in enter-environment, you will come to the wrong conclusions.” prises and their risk management capabilities, not to mention

Lam is an advocate of dashboard reporting, or reporting helping to restore the financial industry’s damaged reputa-that integrates qualitative and quantitative data; internal tion.

CRO who never says no. Both lead to poor outcomes.

risk exposures and external drivers, and key performance and risk indicators. He has written about this, saying, “Over time, the databases, analytics, and reporting should be automated. These ‘electronic dashboards’ would be the risk analog to the touch-screen ‘Magic Map’ pioneered by CNN to show real-time voting trends by state . . . .”

“What gets measured, gets managed,” Lam notes.

Additionally, many agree that the credit crisis reinforced the need to account for the worst case scenario, the extreme, “black swan” type of rarity that options trader-turned-busi-ness school professor Nassim Nicholas Taleb has written and warned about. It’s shocking, in hindsight, that Wall Street models didn’t take into account the possibility that home prices could decline. As FHLB’s Feldman puts it, “We’re now living in the world of the improbable.”

On the fourth item on Deloitte’s recommended check-list, the need for transparency and disclosure, RiskMetrics’ Berman believes that “everyone should understand how a company views and manages risk.” Companies need to start discussing this at every level of the organization, a “ constant” dialogue on the question, “what are the risks we are taking?”

Stepping back and looking at the big risk picture, and where risk professionals fit into it, McKinsey’s Buehler says he has observed that “in organizations that get it right, the CRO has a seat at the table; reports directly to the CEO; has the ear of the CEO and is more of an adviser to the line organization than a policeman.” But this individual also has to have “the stature, authority and influence to make his or her will felt in the organization.”

Compliance -- once a driver of risk management programs – “is not risk management,” Lam is careful to point out. “It’s a small subset of operational risk.” He warns that if risk managers “spend the bulk of their time on this, they will end up missing the next credit crisis.

“Risk management is about the future, not about the past,” he says.

L.A. Winokur is a veteran business journalist based in the San Francisco area who has written for The Wall Street Journal, among other publications.