John Pierpont Morgan
This week’s BusinessWeek reports on changes in risk management within financial institutions in the wake of the subprime meltdown and Societe Generale rogue trader fiasco. Merrill’s new CEO, John Thaine, has created two new high-level risk manager positions reporting directly to him—and he is going to meet with them weekly. Morgan Stanley has appointed a new chief risk officer, Thomas Daula, reporting to the chief financial officer. Citigroup’s latest CEO, Vikram Pandit, promises to be a “hands-on participant” in risk management.
Is this the best BusinessWeek could come up with? That’s sad. Pandit’s “hands-on” pronouncement is nice, but it is what pretty much every CEO in the world has been saying for the past ten years. So what if there is some senior staff turnover at Morgan Stanley? It is not as if they didn’t have a chief risk officer before Daula took the post. As for Thaine and his two new senior risk managers, it sounds like new titles for existing market and credit risk management functions.
What is needed to cure risk management’s ills is fundamental structural changes, not window dressing for reporters. There are striking parallels between the sorry state of risk management today and that of the accounting profession a hundred years ago. Back then, there were no firm rules. Accounting was whatever the CEO wanted it to be, and reporting was optional. Most companies reported sporadically. Others simply didn’t report. JP Morgan was actually a pioneer of accounting, requiring his companies to release annual reports to shareholders based on fairly uniform standards. Are there any JP Morgans in our profession today?
I have written about some of the structural changes that need to take place in our profession, and I will write about others. For now, I would like to turn this over to you the readers. What do you feel ails our profession? More importantly, what solutions do you recommend? If you have ideas, I encourage you to post them here as comments.
There is a big difference between risk management and accounting. If you take the accounting statements of two banks, you will be able to a large extend just to compare the figures. According to the general opionion on this forum (there were such discussions in the past), it is not possible to compare two VaR numbers unless you have very similar portfolios over the same horizon, run the same models with the same parameters on the same systems. Therefore, from the point of view of the investors or of the general management, the VaR figures are something technical, more or less a part of the internal IT infrastructure of the bank, and as such can hardly be used as a basis for taking business decisions. Therefore it’s a lost battle. Some attempts to overcome this situation have been done. One could try to simplify and standartize the risk measures ala-Basel2. The regulators then press the banks to take business decisions (determine regulatory capital) based on these figures. However, the simplifications are from an economical point of view often rubbish, and numerous flows of the standarts chosen in b2 can be found.
I didn’t see the Businessweek article, but it sounds like the subliminal message is that subprime was a failure of risk management, and now we are going to fix the problem–fix risk management. No, that is a cover up. The problem is the bank executives who knew subprime was a time bomb built of predatory lending practices. They knew there would be fallout some day, but they did a cost-benefit analysis comparing how subprime would enhance their immediate bonuses against how it would detract from their bonuses down the road. They liked what they saw and did nothing. Risk management was and still is so much talk built around a few computer models no one pays attention to.
I’m not sure the question of how to fix risk management is well enough defined to be answered. Is it really broken? To say that, you need to say what function it is supposed to perform that it isn’t doing. I’m tempted to suggest building a microeconomic model of this. For example, who are the consumers of risk management? Not the shareholders, as Glyn and others point out in the loss of corporate control by equityholders. So are managers the consumers? Enron managers did not ‘need’ better risk management. They knew what they were doing, and likely at Soc. Gen. they also did not ‘need’ it if they already knew what was going on. Finance 101 tells us that with perfect information, equity prices would already incorporate the risks. Without perfect information, a larger risk premium is charged that is costly to the firm. The risk management function might be a way to convince the capital markets that there is more information than really exists, so is just a way to lower the cost of capital. A good microeconomic model could also show how the supply of risk management is fed by analysts hoping to get into trading, so that brings in principal/agent issues of multiperiod cozy relationships. What a tangled mess. But anyway, my point is I’m not sure that the goal of risk management has really been defined in a way that shows the incentives leading to the issues we have seen. A less mathematically oriented approach like Michael Porter’s Competitive Advantage showing the up- and down-stream influences might additionally show that what Business Week sees as a disaster is just normal responsesto a set of rules.
I agree risk management should be to protect shareholders (and maybe bond holders and maybe society at large). The problem is that these parties have little or no say in how risk management is run. I think risk management run for the benefit of management does some good. VaR reports may be ignored in some firms but not all, etc. Is the benefit worth the cost?
I would restrict risk management to being for the benefit of stockholders. Bond holders have bond covenants and legal protections. Society at large has regulators (Basel and risk management should not be one and the same thing). This is all academic. Risk management is run to benefit executives.
I’m not sure the question of how to fix risk management is well enough defined to be answered. Is it really broken? To say that, you need to say what function it is supposed to perform that it isn’t doing. I’m tempted to suggest building a microeconomic model of this. For example, who are the consumers of risk management? Not the shareholders, as Glyn and others point out in the loss of corporate control by equityholders. So are managers the consumers? Enron managers did not ‘need’ better risk management. They knew what they were doing, and likely at Soc. Gen. they also did not ‘need’ it if they already knew what was going on. Finance 101 tells us that with perfect information, equity prices would already incorporate the risks. Without perfect information, a larger risk premium is charged that is costly to the firm. The risk management function might be a way to convince the capital markets that there is more information than really exists, so is just a way to lower the cost of capital. A good microeconomic model could also show how the supply of risk management is fed by analysts hoping to get into trading, so that brings in principal/agent issues of multiperiod cozy relationships. What a tangled mess. But anyway, my point is I’m not sure that the goal of risk management has really been defined in a way that shows the incentives leading to the issues we have seen. A less mathematically oriented approach like Michael Porter’s Competitive Advantage showing the up- and down-stream influences might additionally show that what Business Week sees as a disaster is just normal responsesto a set of rules.
I agree that risk management is not accounting and that accounting has severe problems, but risk management could definitely benefit from some standardization. Wouldn’t a rule that the front office and middle office be totally separate career paths be a positive form of standardization, if adopted by all firms? I went and read the Businessweek article online and they applaud Goldman for a policy of having employees rotate back and forth between trading and risk management. I don’t think that is good. Shouldn’t there be some standards?
I was more addressing the difficulty of trying to standardize the mathematical finance part of it. As for back office to front office migration, I have not given it enough thought to have a conclusion. Here our manager in charge of VAR was a trader on the floor, and additionally we have had at least two analysts from risk migrate to trading so my company allows migration.
I don’t believe risk management standardization works very well. Glyn mentions the emergence of accounting standards as an example but that has at least two problems. First, those standards don’t work very well. Sure, one can neatly categorize items now, but the whole point of accounting was to get a clearer picture of a firm’s health and absolutely no professional bond trader (at least anywhere I’ve worked) is going to believe accounting statements without modification. For example, the standard of reporting many assets are the at lower of cost or market can make many numbers useless. Second, risk management is far more subjective than accounting approaches, with many things that are not standard in addition to items that you might not believe are priced correctly with standard models. For the latter, to some of us the guassian models to price credit tranches were obviously wrong, and we would be worse off being forced to use something so clearly incorrect.
I am not too concerned about standardization of analytics. Of all the failures Glyn mentioned, I don’t think a single one related to poor or non-standard analytics. I guess the issue is what needs to change in risk management to avoid things like the market timing scandal or the sub-prime abuses? I agree acccounting has huge problems. In some respects risk management is an attempt to address some of those problems.
I agree with you. But the only thing I can (actually I should use the past tense here cause I don’t do this right now) control is looking at the market risk of trading positions. For problems which are more important that sink companies like those you mention, thats what I would call something like operational risk and I just don’t see any obvious ways to address it. And I believe an analogy is that I would be the one making sure all the deck chairs are neatly arranged while we speed along on this ship called the Titanic.
Okay, there is a disconnect between what we do (monitor market risks, run models, etc.) and what we are blamed for by the media (not preventing sub-prime or market timing fiascos). Yes, it is convenient to bundle such sub-prime events under operational risk, but techniques for addressing operational risk don’t begin to address how to avoid such losses. Mostly operational risk managers seem consumed with quantifying operational risk for Basel II. What do we do? Do we EDUCATE the media and everyone else that it is not our function to address things like the next sub-prime mess? Or do we change what we are doing o become able to address the next sub-prime mess?
Some things just can not be fixed. The market timing scandal you mentioned may be an example. The only people who might know are the ones doing it, and without any visibility to risk management there is no way to control it or even know. There is no mystical ability to know what you don’t see. The only flag may be that profits for one group are larger than expected, but challenging business units for being profitable does not seem to be useful. The sub-prime mess is another issue that might assume disproportionate powers to control. The ones who knew something was wrong were serious economists like Martin Feldstein and Bob Schiller, and not those muppets speaking for the IB’s. A lot of the analyst’s entire work lives had not even spanned a housing cycle probably still being in high school in the early 1990s and were completely clueless as to what might happen. This is another topic but too many put up a fascade of economic knowledge when all they really do is skim the Journal, tweak it a little, and speak with conviction.
The market timing scandal broke because of a whistle blower. Should risk management extend to offering incentives for and protecting whistle blowers? I agree with powel that we either need to find ways to address these problems or tell people explicitly we are not addressing them.
I think, at least in the US, corporations are already required to have a system for receiving warnings from whistle blowers and ensure they are fairly treated.