The RMA Journal October 2015 44

F R A U D

inteRest RAte Risk

the new york chapter’s cro round table: 2015

EntErprisErisk

October 2015 The RMA Journal 45

Shut

terS

tock

, Inc

.

BY FRANK DEVLINThere was a sense of optimism as the new York Chapter of RMA’s 2015 Annual Chief Risk Officers Round table began. it was the evening of a beautiful pre-spring day following a brutally cold northeast winter; the recently released CCAR re-sults were generally seen as positive; and there was a full house at the Pricewa-terhouseCoopers auditorium for what moderator Dietmar serbee described as the chapter’s signature event of the year.

the progress the panelists spoke of was significant. the risk function is being welcomed more and more in strategy ses-sions, they said. stress testing and other requirements have made institutions more stable. Risk cultures are generally improving.

Of course, any meeting of risk profes-sionals can’t remain all rainbows and unicorns forever, and the panel mostly discussed serious concerns that are al-ready here and some that may be on the horizon. even in areas where progress is seemingly being made, complacency cannot be allowed.

“the system will continue to evolve,” said sid sankaran, executive vice presi-dent and chief risk officer, American in-ternational Group inc. “if we stand pat and say, ‘We’ve got this,’ it’s a mistake.”

“Part of what we’re paid to do is look at the downside and prepare for that,” said David A. Bawden, group managing director, chief risk officer Americas at UBs. Bawden made the comment while responding to an audience member. the question: should CROs presume that, in addition to whatever fallout accompanies a cyber breach, there will also be overre-action from shareholders and the media? “the short answer is yes,” Bawden said. “err on the side of assuming the worst.

“it’s not the state of mind you want to carry around with you day-to-day,” he conceded. But it’s a necessary part of the job.

that philosophy got no argument from sankaran. “CROs have to step up and say, ‘My job is to be the paid skeptic,’” he said.

As for advice to anyone thinking about

LiQUiDitY COnCeRns

F R A U D

Culture, cyber security, the recent stress-testing results,

and the importance of remaining vigilant were

among the topics discussed at the New York

Chapter’s annual chief risk officers event.

The RMA Journal October 2015 46

getting into the risk profession, sankaran had this advice: “study people. Have em-pathy for the good side of them but do understand their motivation. speak up when something threatens the enterprise. it’s generally less about math than it is about understanding people.”

Meanwhile, Attilio Meucci, firm-wide chief risk officer at kkR, advised, “Don’t go into risk because you think you’re go-ing to make money.

“Do it because whatever part of risk you practice, you enjoy,” he said. “Do it with a passion.” He also said that, for someone in his part of the financial in-dustry, studying performance attribution and “being able to dissect the downsides” could be a career booster.

Culture “there is such a thing as cultural risk, and cultural risk management,” Meucci said. serbee, a partner in PricewaterhouseCoo-pers’ Banking and Capital Markets prac-tice, asked how a strong risk culture can be developed.

“it’s a long-term commitment,” Bawden said. “it’s not something that you can address for a couple months and say you’re done with it. Make sure your actions reinforce what you’re saying [about culture to employees and other stakeholders]. Promote people and pay people based on what you’re saying.” in addition, he said, “You have to make your risk appetite clear.”

“Culture doesn’t magically appear be-cause you’ve got a new CeO,” said Robert A. Berry, chief market risk officer, Gold-man sachs. “it comes from people who’ve had a 10-, 20-year career, who’ve been promoted and rewarded” for performing in a way that is consistent with the orga-nization’s stated values. Award the right behaviors and “be very public” about it, Berry said, so the organization’s values are apparent. What you don’t want is an environment where employees “feel they are not responsible for consequences,” he warned. “Whatever role they are in, they have to feel accountable for the culture.”

sandra krieger, executive vice presi-dent and chief risk officer at the Federal

Reserve Bank of new York, said cultures have been getting stronger—from tone from the top, to the resources that are available to remediate, to working across the financial institution [when a problem is discovered] to see where similar issues could happen … but there is still plenty of work to do. (krieger said that her com-ments at the event were reflective of her own views and not necessarily those of the new York Fed.)

“Back in 2005 most banks would have said their risk culture is strong. Obvi-ously, in hindsight, they would have been wrong,” Bawden said. But by the same to-ken, the idea gaining currency lately that “risk cultures are completely broken,” he said, is also inaccurate. “neither of those two extremes is correct,” he added. “the cultures weren’t as good [as thought] in 2005 and [are] not as broken today.”

sankaran said culture is “easier to in-still in a singular business that has grown up in one central financial institution”—as opposed to, say, an acquisitive institu-tion that has been involved in various

mergers. “You see many different cultures in some financial institutions. that makes it harder to get this idea to every single person.”

And no matter how embedded a sound risk culture may be, sankaran said, there is always the unfortunate possibility of a rogue employee. “it really takes just one individual to break the trust of the public or cause a fine,” he said. “One person sitting in a chat room or underwriting a deal can basically take down the firm from a cultural standpoint.”

Cyber Security sankaran called cyber security “a big challenge not just for the financial in-dustry but for the economy as a whole.” Among the reasons, he said, were the speed of technological change, the fact that “the threats are constantly emerg-ing and evolving,” and the great need for more workers in the field. Citing a recent study by Raytheon and the national Cyber security Alliance, sankaran noted that there are 210,000

October 2015 The RMA Journal 47

unfilled cyber security jobs. that’s today. Going forward, Bawden

said, “the speed of technological change is going to be so much faster than any of us are accustomed to.”

Bawden mentioned a recent session at his bank that was focused on reacting to a cyber attack. With social media and the rapid spread of information, a bank might have only 24 minutes to react, whereas in the past it might have had 24 hours.

“You have to anticipate these events and how you’re going to respond,” he said.

in general—not just in cases of crisis—panel members said they wish there was more time to think and innovate. “the luxury of being able to think things through is becoming a more scarce re-source,” Bawden said.

krieger said one effort that could pay off when a crisis does arise is building up trust in your institution. “How much leeway you get depends on how much trust you have,” she said. earlier in the discussion, when serbee asked the panel to name the most pressing challenge for risk professionals, krieger said it was “building trust in financial institutions.”

Among Bawden’s biggest concerns are how banks will generate profits given the sustained low interest rates and, when interest rates do rise, credit risk. “Market risk has had its day,” he said, and now there is much talk of operational risk. “As rates move up, we’re going to see credit

risk emerge as a bigger risk. “i find it difficult to believe it will play

out smoothly,” he said.

DFAST/CCAR According to the Comprehensive Capital Analysis and Review results released in March, serbee said, “there is more post-stress capital in the system today than there was pre-stress capital before the crisis.” that being the case, he asked, “is the system safer?”

“individual institutions, if faced with the same circumstances [as they were in the crisis,] will fare better, so in that sense we’re safer,” Berry said. “But i don’t think we should be so arrogant to think we have the risk out of the system. it’s a different world today. there are plenty of things out there to still be worried about.”

“it’s safer, but there is concern about providing liquidity and how all the stimu-lus is going to unwind,” Bawden said. “Overall it’s safer, but there are serious questions.”

Berry said he was concerned about li-quidity of the market, not of individual institutions. “We require banks to hold much more capital and they are less able to provide liquidity to markets in times of stress,” he said. “Fragility is being built into the system. We’ve made capital a scarce resource. People will jealously guard those resources and use them on the assets perceived to have the highest returns, and those with the highest re-turns will tend to have the highest risk.”

And while low interest rates and quantitative easing have helped stabilize the economy and protect banks against losses, he said, that stability may end up being harmful to some institutions when the landscape changes. “if you’re not hav-ing small credit losses it’s a real problem because you learn from your mistakes,” he said. “Central banks have temporarily insulated us from risk.” Many workers in the industry have “no memory of the financial crisis or a time before that.

“it’s relatively easy to know the risk of a business or industry,” Berry said. “i don’t think we understand the systemic risk very well. the trigger could be cyber,

geopolitical. Will we be ready?“CCAR is a successful program,” he

continued. “it forces banks to improve. But we’re all running the same stress tests, and we’re all ending up with the same answer.”

Meucci said that CCAR has “raised the bar on safety,” which he characterized as a healthy situation. still, he said, the chal-lenge is to remember the importance of profitability amid all the regulatory and other concerns.

“in recent years, risk has become more focused on satisfying regulatory constraints,” Meucci said, but ultimately what affects his institution is “where the market is going and how can you build a smarter portfolio.

“the risk manager should not forget your job is to help maximize profits,” he said.

A Seat at the Table“Understand how your institution makes money,” Berry said. “that will get you into the strategy discussion.”

krieger said that “risk is not just defen-sive. Build it into the strategic planning.”

that has been happening, the panelists said. “in the last four or five years, CROs have been getting much more involved in strategy,” Bawden said. “the risk function is heavily involved in strategic decisions—which businesses make sense to exit, which businesses make sense to keep. it’s improved significantly.”

Frank Devlin is editor of The RMA Journal. He can

be reached at fdevlin@rmahq.org.

WiTh SoCiAl meDiA and tHe rapid spread of information, a bank migHt Have only 24 minutes to react, wHereas in tHe past it migHt Have Had 24 Hours.

“iN The lAST four or five years, cros Have been getting mucH more involved in strategy.”—david a. bawden, ubs