LOOKING TO THE YEAR 2000 AND BEYOND:
A SUPERVISOR'S PERSPECTIVE ON RISK MANAGEMENT
Delivered to SIBOS at Helsinki Fair Center
September 24, 1998
Chester B. Feldberg
Executive Vice President
Federal Reserve Bank of New York
I am delighted to be here today and to share with
you some thoughts on the highly important, and very timely, subject of risk management. Without question, this is a subject whose time has come. Indeed, given the number of major mishaps we have witnessed in recent years, one could well argue that our collective focus on risk management has been, if anything, a little slow in coming.
As everyone in the room is well aware, the decade of the 90s has been a period of rapid and dramatic change in the financial services industry. And, not surprisingly, this change has posed difficult challenges for bank managers in responding to the ever evolving and ever more volatile risks in their operations. With increasingly larger multinational firms engaged in new and complex business activities that span the far reaches of the globe, the burden on head office management to manage and control their rapidly changing risk profiles has been a major challenge. Anyone with doubts on this score might wish to reflect on the Barings or Daiwa episodes -- or perhaps just consult with your own senior management teams, many of whom, I suspect, have dodged some bullets of their own, although presumably of a much smaller caliber.
The changing financial landscape has also posed major challenges for bank supervisors, who face the daunting task of having to develop, on a more or less real time basis, supervisory policies that are responsive to the rapidly changing financial environment, as well as hire and train the staff necessary to assure compliance with those policies. As head of bank supervision at the New York Fed through most of the 90s, and as a member of the Basle Committee on Banking Supervision since 1993, I have been lucky enough to have a front row seat for much of the action.
The theme I want to strike today is how important it is for the private and public sectors to work closely together in developing sound risk management practices for the financial industry. As I see it, we can, and must, coordinate our efforts through active dialogue, parallel study of the issues, and a process of consultation on major decisions, while still fulfilling our separate roles, responsibilities and authorities.
In my remarks this afternoon, I would like to focus on the following areas:
First, why I believe the development of effective risk management techniques is of such crucial importance in todays rapidly changing environment.
Second, what the banking industry and the supervisory community have been doing to respond to this need.
Third, what I see as some of the key challenges facing bankers and supervisors in managing risk going forward--with particular focus on the critical areas of operational and technology risks, which I know are of special interest to this group.
And finally, I feel duty-bound to comment on the challenges posed by what I perceive to be the greatest near-term operational risk of all--the Y2K problem. While much has been done, I am convinced that a major challenge still faces all of us, and it is far too early for any of us to be declaring victory.
Why Risk Management Matters
Let me turn first to the question of why robust, firm-wide risk management has become so critically important in recent years. To my mind, its a direct consequence of the incredible speed with which the financial industry is changing and becoming increasingly complex.
All of us are very familiar with the broad trends that are influencing and expediting the evolutionary process. These include deregulation, globalization, expanding competition, rapid technological advances, and a steady stream of financial innovations. While these trends have led to many new business incentives and opportunities, they have also created significant new challenges in the area of risk management. Let me touch on just a few:
Without question, financial innovation and deregulation have dramatically increased the volume, the interconnectedness, and the complexity of financial transactions, with risks capable of being instantaneously transferred around the world. Concurrently, institutions are applying increasingly complex strategies to highly exotic financial products that require sophisticated pricing, modeling, and measurement methodologies. In times of stress, a market downturn can quickly spill over from one market to another, potentially drying up liquidity, breaking down what appeared to be stable correlations across different risks, and disrupting carefully conceived hedging strategies. We are all very familiar with some recent high-profile situations where internal models and stress testing did not come even close to anticipating actual market developments.
As the financial services sector has become more global and more complex, we are also seeing many cases where products have been conceived by one entity in an organization, marketed by another, booked by a third, and hedged in a fourth, spanning the globe in the process. Moreover, multinational firms frequently are managed along major business lines, which do not always correspond neatly with the firms various legal entities. This growing trend has led to complex matrix management structures, resulting in significant managerial, as well as supervisory, challenges. And we need only look back to Barings as an example where head office management effectively lost control of one of its remote operations. And that case, while an extreme one, is not unique.
The Barings case also illustrates the need for effective risk management policies to control and guard against improper or fraudulent activities. When a firm enters new markets that few senior managers have experience in--or when the evolution of new products outpaces the institutions ability to review thoroughly the risks and rewards of each highly specialized product--the firm can be easy prey for a self-serving trader or loan officer who can exploit the lack of management experience and any control deficiencies.
Given the current environment, financial institutions face ever growing strategic and business risks. The rapid pace of deregulation, growing competition, and the major fixed costs in technology and skilled people that are required in order to be a major global player leave very little margin for error. Banks will have to think hard about which businesses to enter and whether the expected returns truly justify the large investments needed. And, without question, one key challenge facing major global firms will be the need to develop state-of-the-art risk management systems in order to effectively control their rapidly changing risk exposures.
How has the banking industry responded?
The good news is that the industry has been rising to the challenge. In the past few years there has truly been a revolution in how banks approach their management of risk. A major catalyst for this was the Group of Thirtys "Global Derivatives Study," which was undertaken in 1993. That report offered a number of principles for sound risk management, most of which are now considered to be the "A-B-Cs" on the subject, and no less relevant today than when they were first issued. Among the reports key principles were the following:
First, institutions should determine at the highest management levels the scope of their involvement in derivatives and the policies to be applied;
Second, institutions should create independent market and credit risk management functions with clear lines of authority that are separate from the dealing activities;
Third, only professionals with the requisite skills and experience should be permitted to transact deals, manage risks, or process, audit and control such activities;
And finally, institutions should employ management information systems that are capable of accurately measuring, managing and reporting on the various risks associated with derivative products.
From my vantage point, the industry in general has made good progress in implementing a stronger risk management environment along the lines advocated by the G-30 -- and not just for derivatives but far more broadly.
Operational and Technology Risks
In fact, much the same framework can be, and is starting to be, applied to operational and technology risks.
Operational risk is currently the frontier of new risk management thinking and techniques. The resources being channeled into operational risk directly reflect the lessons learned from past mishaps in financial markets. While work on operational risk is still at a rather embryonic stage, it is developing so rapidly that the Basle Committee conducted a survey of thirty banks late last year to learn how they are managing this risk--and we published our findings just two days ago.
One reflection of the early stage of development is that a standard definition of operational risk does not yet exist, although some common themes are evident. The survey indicated that the most important types of operational risk involve breakdowns in internal controls, information technology, and corporate governance; that operational risk can produce financial losses through error, fraud, or failure to perform in a timely manner; and that operational risk can also compromise the interests of the bank when, for example, individuals act outside their authority or behave unethically.
The recent Basle Committee paper also made some other interesting points:
As with market and credit risk, awareness of operational risk among bank boards and senior management appears to be increasing. Senior management is looking to harness the incentive structure of their firms -- involving compensation, promotions, and capital allocations -- to ensure that operational risk is managed well. And they see operational risk not just in businesses known to have large amounts of such risk, such as payments and settlements, securities processing and fiduciary operations, but in almost every facet of a banks activities.
Second, virtually all banks now assign primary responsibility for managing operational risk to the individual business line head. This represents a sea change in philosophy for many financial institutions. The traditional model is that of corporate-wide control staffs independent of the business line, with a somewhat adversarial "checks-and-balances" relationship between them. I believe that one lesson learned from the all-too-frequent fraud problems we have seen in recent years is that in a confrontation between business line and control staff, the deck is heavily stacked in favor of the business line -- given its revenue-generating capacity. Thus, if you can convince the head of a business line that controlling the operational risk of the unit will be a key determinant of the businesss overall success, you are much more likely to change the bias of the outcomes. And that is why the link to management incentives is such an important part of the picture.
Of course, in order to create meaningful incentives, you need measures of just how much risk there is. While the Basle Committee survey found that the development of operational risk measures is still at an experimental stage, many large banks are working hard to push the frontier out further.
To create those measures, you need independent risk management staff to assess, monitor and control the risk. We have seen a move by banks to put in place operational risk staff with much the same expertise as the independent risk management staffs for market and credit risk. And, increasingly, we see these operational risk experts report to special committees, senior executives and the board of directors in much the same way as their market and credit risk counterparts.
The Basle Committee paper also touches on technology risk as one important type of operational risk. I believe that it would be a worthwhile exercise to apply the G-30 framework that works so well for operational risk in general to technology risk in particular. I think it will give rise to some questions worthy of serious consideration. For example, how well does senior management and the board of directors understand the technology risk of their organizations? How comfortable are they with the vocabulary of technology today?
How knowledgeable and accountable do business managers feel for the technology they use? How many see technology as integral to their business operations? My guess is that those of you involved in any type of processing business are well aware of the importance of technology. But how far up the senior corporate ladder does this awareness run?
How much attention is given to the measurement and reporting of technology risks? And does the organization set goals for technology risk and measure its progress against them?
These questions are all the more important because the frontier of operational risk is expanding, becoming increasingly relevant for those of you in the world of payments and settlements and information technology. A new generation of advances in the electronic world -- telecommunications in particular -- is starting to have a profound effect on financial intermediation and risk management as we have traditionally understood them. And, of course, we have only just begun to tap the potential of the Internet.
Without question, future electronic developments will pose a significant new challenge for the supervisory community, calling for close collaboration with the industry going forward.
Foreign Exchange Settlement Risk
Developments over recent years in the management of foreign exchange settlement risk are another example of the value of good coordination between the private and public sectors. Since the failure of Herstatt Bank in 1974 and other more recent events, including the liquidation of BCCI, the official sector and financial market participants alike have become more informed about the nature of risks that may arise from weaknesses in the management of FX settlement exposures.
In 1996, the BIS Committee on Payment and Settlement Systems issued a report on FX settlement risk which indicated that many banks were incurring significant, and unexpected, credit exposure in their FX settlement process -- exposure lasting at least overnight and often for several days. Given the vast size of daily FX trading, the potentially large settlement risks raised significant concerns for both bank supervisors and central bankers about bank safety and soundness, as well as about the stability, liquidity and efficiency of the exchange markets.
As you probably know, this same BIS Committee recently issued a follow-up report. It is clear from the new report that many international banks have made significant and encouraging progress in managing and controlling their FX settlement risks. But it is also apparent that more needs to be done. For example, the latest survey suggests that a majority of the banks surveyed continue to measure their FX settlement exposures in a manner that can lead to underestimation. Going forward, I would expect the international supervisory community to play an increasingly active role in efforts to reduce the level of settlement exposure incurred by the banking industry as a whole.
But, while important work remains to be done, I do believe that the settlement risk issue well illustrates how the official sector can play a lead role in identifying a key risk area and work with the industry to develop a viable approach to managing that risk on a global basis. To my mind, this is a good example of one of the principal comparative advantages enjoyed by the supervisory community. By virtue of our privileged knowledge of how all supervised firms manage their risk exposures, we are uniquely positioned to assess which practices are sound and which are not--and to provide constructive feedback to the industry.
At both the national and international levels, supervisors today are focusing their efforts on better understanding how banks are managing their various risks, and on raising the industry "bar" where necessary. Indeed, at the Federal Reserve, we have issued a number of "sound practices" papers to the industry in the past few years. These papers are based on extensive field research and discussions with market participants, and reflect our longstanding belief in the importance of close collaboration with the industry. The papers cover such diverse topics as information security, private banking, and more recently, credit risk modeling.
The Basle Committee on Banking Supervision has also issued several "sound practices" papers in the area of risk management, most recently on interest rate risk, internal controls, and disclosure. I think its fair to say that the general subject of risk management now ranks second, only to capital, on the Committees agenda. My expectation is that we will see a steady stream of "sound practices" papers from the supervisory community on a broad range of risk management-related issues. And I also expect to see closer collaboration between the industry and the supervisory community in the policy-formulation process. In fact, the Basle Committee is now actively pursuing ways to enhance its dialogue with private sector groups, such as the Group of Thirty and the Institute of International Finance.
The Year 2000
Let me close with some comments on the Year 2000 challenge -- which I regard as the biggest near-term operational and risk management challenge that we face.
I should not have to convince anyone here about the risks of Y2K, given the heavy dependence of your firms on automation technology. But unfortunately, its not enough that your own firm gets its Y2K program right. Your customers and counterparties must be there as well if markets are to perform as intended. Additionally, the infrastructure that ties us all together has to work. Without dependable communications, electrical power, transportation and other services that we routinely take for granted, not only financial markets but also entire economies could grind to a halt. Clearly, we are all in this together.
Financial supervisors have been leading the way on Y2K in many countries around the world. Over a year ago, the G-10 Central Bank Governors issued a statement declaring Y2K a global priority. At the same time, the Basle Committee on Banking Supervision released a paper highlighting many of the key issues and how they might be addressed. The Basle Committee also conducted a global survey on Y2K supervisory programs and the preparations being made by the banking community. That survey caught the attention of many supervisors who had not previously focused on the issue. And it led many of them to implement proactive programs to address the problem.
Since then, work has continued at a fast pace. Last April, the Basle Committee, and several other international supervisory groups, sponsored a Y2K roundtable. It attracted over 200 senior-level representatives from both the public and private sectors from over 50 countries. The success of that meeting led to the formation of the Joint Year 2000 Council. This Council, which is currently chaired by Governor Roger Ferguson of the Federal Reserve Board, is working aggressively to promote awareness of the Y2K issue where needed, to share information on effective ways to address the problem, and to cooperate to the maximum extent possible with related private sector initiatives -- such as the important work being done by the Global 2000 Coordinating Group -- which I understand was discussed earlier in this conference.
Y2K Progress to Date
How does the supervisory community view Y2K programs and progress to date? Many markets and financial organizations across the globe appear to have sound programs in place and to be making good progress. Others, however, have been slower to react. But once attention has focused on the issue and a clear appreciation of the risks associated with Y2K has emerged, energy and resources have been marshaled and the pace has quickened. Indeed, substantial progress is now being noted in many areas where little activity had been seen earlier.
Does this mean that the Y2K challenge has been met? Not by a long shot. Even those markets and organizations with good programs still have a lot of work to do to complete systems modifications, to test those systems thoroughly, and to develop contingency plans addressing areas that could be problematic. Those that are only now embarking on Y2K programs face tremendous pressure to get everything done in the time that is left. The only good news for those just beginning is that, in many instances, they are from areas less reliant on technology, making their task somewhat easier. Of course, if institutions that are more advanced in their Y2K efforts are willing to share information with those just starting out, the chances for all to succeed will be greatly enhanced.
Indeed, I cant underscore enough how important it is to share Y2K information with counterparties and customers. Increasingly, it is apparent that a successful Y2K program is one where existing business relationships remain intact. Financial transactions will occur normally only if there is someone operating normally on the other side. In the U.S. we are seeing unprecedented cooperation and sharing of information on Y2K among competitors, and such sharing seems to be on the rise.
With all of the good work going on, will there be problems? Almost certainly! Some organizations no longer have the time or resources to complete everything needed in order to be fully Y2K compliant. This will require them to make tough business decisions and to choose where to focus their limited resources in the time remaining.
On balance, how is the financial industry doing on Y2K? In my view, significant progress has been made, although there is still a considerable way to go. We are neither as bad off as some of the doomsayers would have us believe nor at a point where we can stop worrying. By working together and making sure that appropriate resources are being devoted to Y2K today, I am hopeful that most of the problems we face can be contained. But for those that may be lagging, failure to act quickly and decisively on this issue will not only put them in jeopardy but also could potentially threaten some markets, or even economies.
Given all that conceivably could go wrong, Im not prepared to rule out the possibility that year-end 1999 could produce a very different kind of "big bang." But if, on the other hand, our concerns prove unfounded -- and I certainly hope that they do -- the worst that will happen is that all of us will get to sit back and relax on that momentous New Years Eve and raise a toast to the new millenium, and to our very, very good fortune.