Author: Bob Mark, July 20, 2016
This article first appeared on July 20, 2016 on American Banker; it is re-posted here with the permission of the author.
Before my current role, I served in senior risk management functions at some of the largest banks in the world, including as the chief risk officer at the fifth largest bank in Canada. Yet what was my credential to serve in those capacities?
I had proven experience in risk management elsewhere in the industry and a doctorate in applied math. But there was no exam I had to take, no related suffix after my name, no certification I needed to oversee extensive risk management programs at large financial institutions. If I had been a lawyer, I would have needed to pass the bar. No bank would have let me do their accounting if I weren’t a CPA. Doctors are thoroughly vetted. But the truth is risk managers — a crucial function inside banks and at other companies — have no professional standards of practice to validate their qualification.
And yet, such standards in the field of risk management would be tremendously valuable. Sophisticated financial engineering and best practice risk management have added significant value over the past 20 years, but financial engineering and the failure to make risk transparent in too many cases played a significant role in obscuring the true economic condition and risk-taking of financial companies in the run-up to the 2007-2009 crises.
In other industries, such professional standards are explicit, defining objectives professionals must meet to qualify for and maintain a credential. Those who must adhere to standards of practice — or SoP — often must pass a standard exam and have a prescribed period of training.
In risk management, there are certifications for professionals to seek. Among the organizations offering such programs are the Enterprise Risk Management Academy, the Professional Risk Managers’ International Association and the Global Association of Risk Professionals. But none of these are viewed as standard. More importantly, none of these groups’ certifications are required for CROs managing large risk programs.
The 2007-2009 financial crises uncovered major fault lines in risk practices and the need to establish professional risk management SoP. There are many cases where potential returns were not properly adjusted for risk. For example, the failure to accurately measure the potential for unexpected losses arising from a spike in risk factors and an increase in correlations between risk factors in stress markets led many to underestimate the risk.
If the banking industry — or any other sector — had a standard risk management certification, its criteria could be used as a guide for practitioners, rating agencies and regulators to assess and benchmark the quality of risk management in the policy, methodology and infrastructure dimensions.
We can benchmark the quality of risk management — and the qualifications of risk managers — by evaluating the answers to a series of targeted questions. These may include: 1) Is the tolerance for risk consistent with the business strategy and is the amount of risk made transparent both internally and externally? 2) Are the risk methodologies based on a standardized representation of cash flow obligations and are the risk models properly vetted? and 3) Are the appropriate people and operational processes (such as data, software, systems, and quality of personnel) in place to control and report on risk?
If similar risk management SoP were adopted across professions and industries, then risk management practitioners in one industry could more easily learn from practices in another industry. For example, the basic building blocks of finance in general and risk management in particular are individual financial contracts and their expected cash flows. If we closely examine the pattern of expected cash flows that are generated from a financial contract, then we would find that bankers implicitly follow standard algorithms when exchanging cash flows.
These implicit standard algorithms need to be made explicit and translated into a risk management standard. We can capitalize on modern infrastructural approaches to generate cash flows from contracts in an efficient and transparent manner. Creating a risk management standard for determining expected cash flows enhances an organization’s ability to measure its specific and systematic risk in both normal markets and stress markets. A risk management standard also enhances a regulator’s ability to measure systemic risk.
A standard can be constructed to represent almost all financial obligations at a high level of precision. The careful representation of cash flow obligations means that the most critical input to risk measurement can be performed with a high degree of confidence in the results. With such an approach, variations in risk measurement results will be based on practitioners making different assumptions about the risk factors (e.g. interest rates, default rates, etc.), not the contract data that goes into the models.
In summary, regulators and risk management practitioners need a more standardized set of risk management best practices, and a way to certify that a professional meets the qualification. A starting point is to construct a data and algorithmic standard for generating cash flow obligations capable of representing virtually all financial obligations with a high level of precision. This approach would improve transparency in financial markets, reduce complexity and model risk, and improve the operational efficiency of financial institutions.
Bob Mark is a managing partner at Black Diamond Risk Enterprises, and a key member of finRenaissance. He previously held senior trading and risk management positions at numerous large banks, and was the founding executive director of the master of financial engineering program at UCLA.
Interesting article and a timely one.
The Financial Risk Management discipline is clearly in need of clear SoPs, describing not just expectations and performance standards for those who claim to be practitioners in the field, but also on tools of the trade.
In the article, you mentioned “For example, the basic building blocks of finance in general and risk management in particular are individual financial contracts and their expected cash flows. If we closely examine the pattern of expected cash flows that are generated from a financial contract, then we would find that bankers implicitly follow standard algorithms when exchanging cash flows.” This is one area that is clearly very lacking in the Risk industry.
In fact, those exact requirements can be found in ACTUS (Algorithmic Contract Types Unified Standards), an open source initiative “to build a reference database that represents virtually all financial contracts as algorithms that link changes in risk factors (market risk, credit risk, and behavior, etc.)” (see www.projectactus.org)
These powerful data standards allow institutions and their risk practitioners to gain insights across the enterprise; and allow regulators to understand trends and perform analytics across the industry. Such tools are indeed sadly still lacking in our profession. Risk practitioners and regulators need to come together to support, adopt and promote initiatives such as ACTUS that would allow the profession to perform our work more effectively; and to meet the high standards expected by the public-at-large.