Reports of risk management failure are now as common as news of extreme weather, and no one is getting any better at forecasting either of them. As a result, the next London Whale disaster, Knight Capital Group trading fiasco or MF Global Holdings obituary should not be very surprising. Still, much progress has been made by financial institutions, asset managers and mutual funds — and by their boards, management and, most important, risk managers. We now have the opportunity to do something that will truly change the game: professionalize risk management.
Risk managers should be trained, licensed and regulated, just like accountants, lawyers and actuaries. Before anyone certifies the accuracy of financial statements, represents someone in a court of law or estimates a company’s pension liabilities, he or she needs to demonstrate a command of the subject matter, get a license and adhere to written professional standards. Yet risk managers, charged with risk oversight of the mutual funds in which one out of every four Americans is invested, or the retirement plans that often represent an individual’s entire savings, do not. There are no educational requirements for risk management, no need to demonstrate competency, no specific standards and no requirement of independence. It’s time for a change.
To begin, professional risk managers need a seat on financial company boards, and we already know what the results will look like. One of the reasons Canadian banks fared better in the past financial crisis is that they followed written risk standards promulgated by the government. These regulations require companies to use “a knowledgeable person with familiarity with risk management.” Taking a page from the Canadians, the Federal Reserve Board recently published new rules that require the board of every large financial institution to have a risk committee chaired by an independent director. Further, at least one member of that committee must have real risk management expertise.
Though the boards of most mutual funds are in the habit of hiring outside counsel when needed or contracting the services of accounting firms, they are unaccustomed to engaging experts to oversee risk on an ongoing basis. We should begin by defining what real risk management expertise and experience are, and then require boards to include someone with these qualities or to seek qualified advice as they make their decisions.
Risk managers cannot rely on the past to predict the future. Most risk models are based on historical performance and work well — up to a point. When radar tracks a moving plane, the plane’s destination is easy to predict as long as its speed and course are maintained. But constant vigilance is required given the many factors that can affect a plane in flight. So although certain risk models can offer valuable guidance, they should not lull management or investors into believing they can predict the future with extremely high levels of certainty.
Professionalizing risk management also means creating standards, including benchmarks that provide some basis for the comparison of risk. For example, most regulators require stress tests to determine the adequacy of capital reserves. The general approach is to stress a company’s portfolio based on predetermined scenarios. It would be far more interesting to know instead what would happen if regulators decided on a single benchmark portfolio and then had all financial institutions run it through their risk systems. Using this model, each company would produce hypothetical loan-loss reserve measures, value-at-risk and stress test results. The different systems would almost certainly produce different results. The benchmark portfolio would help regulators determine how institutions think about risk.
Risk managers should provide a much-needed perspective for strategic decision making. Today many risk managers have a seat at the management table, but few have a real voice. I recently moderated a panel in the U.K. and was surprised to learn that the chief risk officer of a major investment firm had the right to tell clients that he was not happy with the risk management of their portfolios. Hearing that, I couldn’t help but wonder what would have happened if the CRO of MF Global had informed shareholders that the CEO was “betting the firm.” The only way to put teeth into risk management is to make it independent and have the CRO report to the board. I look forward to the day when firms will have chief fiduciary officers with independent reporting responsibilities for audit, compliance and risk. Risk management must be transformed into a cornerstone of corporate governance and business strategy and fully integrated into executive decisions, organizational structures and corporate cultures.
David X. Martin is senior adviser to consulting firm Oliver Wyman and author of The Nature of Risk.