Integrated Risk Management from the Market Perspective:

Convergence of regulatory and industry views?

 

by

 

Chris Matten, Executive Director, PricewaterhouseCoopers

 

 

Introduction

The previous paper presented to this conference discussed the ways in which a supervisor might go about properly evaluating a bank’s financial performance and strength, and in this paper we will examine the efforts made by the supervisory community to achieve this goal and the current status within the industry.

[slide 1]

Although the paper described “money” as the ‘raw material’ which banks convert into products, I would contend that there are actually two raw materials – money and risk. Some products may involve involve money only – setting aside operational risk for the moment, a bank might take in one-year fixed rate time deposits and make one-year fixed rate loans to its own sovereign, all in the national currency. By doing so, it may avoid market risk (foreign exchange and interest-rate risk) as well as credit risk, but it is unlikely to cover its operating costs. To make a profit, banks must relax this constraint, and take on risk. Thus it may take in current accounts and overnight deposits, and lend to businesses, in a variety of countries. By taking on market and credit risk, it can boost its profits. There are also products that involve risk without any money being transferred (other than a fee), such as the provision of guarantees.

The paper correctly identifies that a measurement of accounting profit fails to take into account the risks involved in the business, and thus as a measure of financial health accounting profits are highly misleading. The paper also correctly identifies the processes which any well-managed bank should be adopting, and which would more accurately measure the true performance of that bank.

This is not unlike a manufacturing company omitting the cost of its raw materials when publishing its profit and loss statement. Nobody would take seriously a car company that omitted the cost of steel, rubber, plastics and aluminium from its P&L, even if it did include the labour cost of converting these into cars. But this is precisely what the omission of the cost of risk from a bank’s P&L does. We account for the money side of the equation – return on money lent less cost of money borrowed – and for the cost of converting raw materials into products (mainly people costs). We also account for the return on risk taken, but we omit one crucial ingredient – the cost of risk. Uniquely for financial institutions, the role of capital is not to fund the investment in fixed assets and working capital, but to underwrite the risk taken (the ‘unexpected loss’ or ‘economic capital’ referred to in the previous paper). The cost of risk is thus the cost of capital.

Leaving aside the perennial debate about the cost of capital, a more relevant and important question which must be asked is: what is the correct relationship between capital and risk? And therefore what is the correct quantum of capital?

Indeed, it would certainly be desirable if supervisors could remove all of the various ratios, rules and constraints that banks operate under and which, as noted in the previous paper, can distort the market and even lead to sub-optimal behaviour, and instead focus on whether the bank has appropriate procedures and methodologies for quantifying risk – and hence for quantifying capital. So the question we must poise today is: Is the banking industry anywhere close to establishing such a paradigm? And can the supervisory community rely on this as virtually the sole process for establishing whether a bank is prudently and properly run? As we will see, the Basel II proposals are an attempt at establishing precisely such a mechanism, but they are not without their challenges, both for supervisors as well as for banks.

 

State of play in the industry

[slide 2]

There is no doubt that the global financial industry has made enormous strides in developing methods to quantify risk, mostly over the past decade or so. While the understanding of the mathematics of market risk has been developing since the late-1950’s, measurement of credit risk is a much more recent development. Even fifteen years ago, we had neither the financial technology (a mathematical model of credit risk) not the computer technology to measure this risk.

Consequently, in areas where risk is actively observed in a liquid and dynamic marketplace – traded market risk and to a slightly lesser extent traded credit risk – there is a good understanding across the industry as well as a fairly well-developed set of standards. In market risk, for example, the industry standard is to measure value-at-risk by observing the potential change in  value of a portfolio over a one day period, using a 99% confidence interval. While different data sources may be used, and there are variations within the methodology used to measure the change (variance/covariance, historical simulation, Monet Carlo simulation etc), the numbers produced are telling us more or less the same message, and with a bit of skill and care, it is generally possible to compare numbers across different banks.

This is much less the case with the more illiquid risks. Without wishing to belittle the enormous progress made over the years by a large number of fine institutions, it is fair to say that the industry has not yet reached consensus on a standard for these. This is reflected in the software solutions available – while there are estimated to be over 2,500 software packages for traded market risk, there are only a handful for banking book interest rate risk, for example. Both banking book interest rate and non-traded credit risk are still poorly understood, at least in comparison with their traded cousins. One bank’s numbers may not be at all comparable with those produced by another bank.

Basel II has attempted to by-pass this problem. In the case of banking book interest rate risk, it has excluded it from the Pillar 1 measurement of minimum capital requirements, despite two attempts in the past to do so (although it is interesting to note that APRA in Australia will require the more sophisticated banks to hold capital against this risk under Pillar 1). The Basel Committee continues to try and push the agenda along, with an excellent paper issued in September last year[1] which sets out some guidelines for best practice.

In the case of credit risk, the Basel Committee has taken a different approach. While allowing banks to use their own in-house credit rating systems under the IRB approaches, the Basel II proposals stop short of allowing internal credit risk models to be used. It should be noted that internal credit ratings systems are not credit risk models – they can be used to derive the expected loss (or the mean of the probability distribution), but not the unexpected loss (measured as a function of the standard deviation). Risk is not what we expect to happen, it is the probability that the outcome will differ from our expectation, times the magnitude of the loss, and it is against this that we hold capital. The Basel Committee’s approach to this is simplistic, but pragmatic and understandable in the circumstances – the Basel II proposals contain a fixed formula for converting expected loss into unexpected loss, using for instance fixed correlation factors within each type of credit portfolio (in reality, correlation varies by individual exposure, and is mainly a function of concentration risk). Thus, although there may be differences in deriving the inputs to the risk model, all banks will be using the same model, and numbers reported by different banks should again be broadly comparable.

With operational risk, the picture is murkier still. This is a very new field, and new methodologies are evolving at a rapid pace. The Basel Committee has neither taken the approach of allowing bank’s to use their internal models (as with market risk) nor allowed banks to input their own risk parameters into a given model (as with credit risk), but will allow a variety of different approaches under the ‘Advanced Measurement Approach’, with very little in terms of standards and guidelines. Further compounding the difference is the fact that operational risk is not a risk that banks deliberately take on in order to earn a return on their equity (unlike both market and credit risk). Operational risk is present in all businesses, and as with any other kind of enterprise, banks would willingly eliminate all operational risk if it could be done in a cost-effective manner. There are thus two objections to the inclusion of operational risk in the Pillar 1 requirements under Basel II: a philosophical objection that operational risk simply does not belong in the catechism of banking risks that Basel II is meant to address, and a practical one that no standards exist, and thus the numbers reported by different banks will not be able to be compared with each other in any meaningful way.

The Basel Committee is determined however to see banks hold some capital in respect of operational risk. Their motivation seems predicated on the view that it is operational risk which has caused the biggest problems in the banking industry over the past decade (Barings is frequently cited, as is the more recent case of the foreign exchange trading scandal at the National Australia Bank). Thus, goes the argument, by forcing banks to adopt some form of operational risk capital, we can ensure that the industry is required to develop a number of practices, from which over time a standard should emerge. Contrast this to the approach in the early 1990’s to traded market risk, where the industry eventually proposed a standard in order to allay supervisory fears over the plethora of measures, and it was only after this standard was proposed and agreed that the supervisors moved to impose a capital charge that allowed the use of internal models.

 

Operational risk

But is operational risk really what many people believe it to be? The Basel Committee defines it as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. The operational risk which can easily be measured (as opposed to just managed) is to a large extent the normal “noise” of daily operations, and which is a cost of doing business. Some techniques exist to quantify the larger, more life-threatening events which the Committee is more worried about, but can these really be measured with any meaningful precision? This is not to argue that developments in managing and measuring operational risks within banks are a bad thing – far from it, if they improve operational awareness and the controls within the business. But are the “life threatening” events really ones that an organisation can measure by itself? It could be argued that the common thread across all of the so-called operational risk disasters over the past decade is not so much a failure of operational risk management (which is managed at a working level within the bank) but a failure of corporate governance. Can an organisation measure its own corporate governance? Indeed, it is one of the salient features of most, if not all, corporate governance failures that the organisation involved cannot know it is ailing – if it did, governance would not have failed in the first place (or else deliberate fraud has taken place).

The logical conclusion of this line of thought is a very interesting concept: maybe financial institutions should be required to hold capital as a function of the competence of their management? This is not such a radical idea, as it is in fact inshrined in Pillar 2 of Basel II.

 

Pillar 2

The implications of Pillar 2 have been largely overlooked in much of the debate around Basel II, as most banks and commentators have focussed on the seemingly much more complicated and challenging aspects of Pillar 1. Indeed, even in developed markets banks are really only now beginning to address Pillar 2 in a serious manner.

There are two aspects to Pillar 2 which are of particular interest here. The first is Principle 1, which requires banks to demonstrate to their supervisors that they have capital which is commensurate with their risks (and not just those covered by Pillar 1), and the second is Principle 3, which gives supervisors the power to demand higher capital levels than required under Pillar 1.

[slide 3]

Principle 1 is most interesting. It turns the concept behind capital adequacy regulation on its head. Previously, and under Pillar 1, the idea is that the supervisors establish a set of rules, and banks comply with those rules. We have seen with the 1988 Accord how this can lead to dissatisfaction on both sides. On the one hand, supervisors are frustrated by the degree of ‘regulatory capital arbitrage’ which the banks have entered into – the process by which a bank reduces its capital requirements in accordance with the rules, without a commensurate reduction in the actual risk undertaken. On the other hand, banks themselves are frustrated that the rules do not properly reflect their own attempts to manage their risks in a more sophisticated way. Although the new Pillar 1 attempts to address this by way of a more flexible and risk-sensitive approach, it still amounts to a set of rules. Principle 1 of Pillar 2 turns this around – it requires the bank to demonstrate to its supervisor that it can measure all of its risks, and can relate these risks to its own assessment of how much capital it requires.

This is very close to our ideal paradigm. If banks can demonstrate that they can measure all of their risks, and relate this to their capital, then why do we need Pillar 1 at all? Unfortunately, as we have seen, the industry is not there yet, and thus the supervisors continue to rely on Pillar 1. It may be possible to envisage a day – albeit one that is still a long way off – in which the onus is entirely on banks to demonstrate that they have everything under control, and that is all the regulation that is required. Indeed, this is what many of the leading banks were already arguing as the Basel Committee started its deliberations around revising the 1988 Accord. Since we can manage our business in a much better way than implied by the Accord, ran the argument of these banks, why do we need to be subject to capital adequacy regulations at all?

To achieve this goal, however, much work still needs to be done. There are a number of technical areas that still need considerable further development, as we have highlighted above. At the same time, however, banks will also need to demonstrate to their supervisors that they can be trusted to be left alone, and the history of regulatory capital arbitrage and other abuses over the past decade leaves a significant legacy to be overcome.

[slide 4

This would still leave the problem inherent in self-diagnosis which was referred to in the discussion of operational risk above. Principle 3 of Pillar 2 attempts to find a solution to this. Having, under Principle 1, demonstrated to their supervisor that they have all risks measured and related to capital, banks can still be required to hold higher levels of capital. To a certain extent this merely codifies the existing practice in a number of developed markets, but by making this part of the Basel II rules it goes beyond that to fix this principle as an integral part of the new global standard for banking supervision.

In theory, this could remove any remaining objections to our desired paradigm: firstly, the onus is on banks to demonstrate that they have risk under control, and then the supervisors can add something on top if they are still concerned. For example, if some of the other management tools referred to in the previous paper – such as adequate management accounts supported by a proper funds transfer pricing system – are not in place, or if there are lingering concerns over the quality of corporate governance, then this is the place to address them.

However, there remains another area of lingering concern: do the supervisors have the skills to implement Pillar 2 properly? This is not to disparage the many excellent people who work in this field, but we must recognise that in most countries this is something completely new. In studies carried out by PwC in Europe over the past year, the over-riding concern in respect of Pillar 2 is the lack of clarity as to how Pillar 2 will be implemented, and the fear that there will be a high degree of inconsistency between countries.

 

Conclusion

The ideal situation must surely be one in which banks are free to develop and implement their own risk management techniques. Risk management is always going to be a rich field of endeavour, and any attempt to codify ‘best practice’ or any other set of standards risks being left behind by events in the marketplace. There may indeed come a day when banks can set their own capital requirements commensurate with their risks, and when their supervisors trust them to do so. In the meantime, however, the industry still has a number of significant challenges to overcome, and it is entirely understandable that supervisors will wish to set rules for establishing minimum capital adequacy standards, however flawed these may be.