Risk management is a central part of a bank's operation. Most banks have an in-house risk management department and use external risk consultants. However a large part of risk management relies on technology. This can have its drawbacks. Bob McDowall asks: Is there too much reliance on computer-generated mathematical models?
A combination of increasing financial regulation and technology software development has led to significant advances in the quantitative aspects of risk management over the past 10 years. This has enabled financial services organisations to adopt more sophisticated approaches to risk management. Where does this leave qualitative risk management, the application of management skills, judgment, and the experience to assess and review of the risk management models?
Regulatory requirements have become more complex. More stringent regulation of risk management has been instigated by supranational institutions such as the Bank of International Settlements (BIS), the International Monetary Fund (IMF), and international banking and securities industry associations. Initiatives such as Basel II and Solvency II are, perhaps, the major manifestations of supranational initiatives of the past 10 years. They is evidence of the recognition that globally interconnected markets require regulation. Inadequate financial risk management in one market can contaminate other markets beyond one national boundary and the jurisdiction of national financial regulators. This realisation is reflected in national financial regulation.
Advances in technology applications have played an important role in furthering quantitative risk management. Database technology, improving data storage capability and capacity and ease of access has benefited financial risk management. Improved database technology has facilitated storage and accessibility to vast files of mathematical and statistical data, which may be interrogated and analysed rapidly and cost effectively. Financial institutions have deployed sophisticated proprietary mathematical models to assist in the management of the financial risk of their businesses and the enterprise as a whole. Significant advances in applications have improved the time, scale, ease, and cost of delivery of profiles and details of their risk exposure. Armed with the information generated by these applications, financial institutions are able to respond immediately to events and changing market sentiment.
Have technological advances responded to increased financial regulatory demands, or have the advances permitted the financial services regulators to increase the scope and sophistication of regulatory demands? Technological advances are inexorably intertwined not only with regulatory demands but also with financial businesses. For example, the reduction in the time line from conception to market debut of such new financial instruments as derivatives may be attributed in part to the ability of technology to stress test financial institutitions risk profiles under different scenarios to the satisfaction of internal compliance and financial criteria and external regulatory requirements.
X-HEAD: Human JudgmentQuantitative risk models should, of course, be varied and adapted in the light of experience and judgement. Although highly sophisticated tools are now available for managing the risk of the enterprise, the tools themselves should not make or drive risk management decisions. Human judgement and experience are still needed to tailor and refine these models for day-to-day use and service.
The qualitative aspects of risk management are at least as important as the quantitative tools for assessing the exposure of a financial institution. Qualitative factors should influence risk models and their measurements or risk assessments. Financial modelling should select and characterise the underlying data and the period for which the data is used. These are important inputs to the assembly of all risk models. For example, most banks have internal risk rating systems to which a variety of applications are applied; they may include identifying and tracking problem loans or determining loan approval requirements. Internal risk rating systems are used to assess the likely outcome of loans, in particular, the probability of default and the amount of the loss associated with an anticipated default. Such systems should extend application to factors that are beyond quantitative measurement, such as maturity of the prospective borrower, the lender's experience in different markets, and current economic conditions.
Qualitative risk management delivers a premium element to risk management because humans are better equipped to assess intangibles, which cannot readily be measured by quantitative tools. Qualitative risk management is the proactive form of risk management. It not only provides the premium value to risk management but also steers the current quantitative risk management model by providing input and feedback that influences the model's shape and design. However, qualititative risk management, or in layman's terms, human judgement, cannot function without the underlying quantitative risk management, and can only provide a premium service when supported by a strong and refined quantitative risk management model.
X-HEAD: Data IntegrityBoth quantitative and qualitative risk management rely on data integrity. Sustaining a high level of data integrity throughout an enterprise is an increasingly difficult challenge, especially because most enterprises are supported by diverse and fragmented systems. Disparate systems, which are the result of the rapid evolution of systems and periods of corporate acquisition, have to be consolidated to ensure the data integrity required for accountability. Improving the quality of data management is the only route to achieving more reliable and consistent information upon which to make qualitative decisions. Data integrity refers to the quality of the risk management files, tracking and monitoring of key customer characteristics, as well as the processes and controls for validating data.
Beyond data integrity, the clarity of documentation surrounding risk management contributes to qualitative risk management by setting out a financial institution's appetite for each risk category and including clear instructions on the calculation methodology. Such documentation should define the institution's limits in relation to capital, assets, and overall risk exposure.
Continuous review of their risk models is essential for financial institutions to ensure that the firms meet their risk profile objectives. Documentation is necessary to rationalise and explain decisions for changes in risk profiles and the risk models. It should demonstrate the thorough and well-considered application of qualitative risk management. Internal audit reviews should complement the documentation, ensuring that the changes in risk modelling and profile adequately reflect the changing mix and profile of the institution's business and customers.
Financial institutions are large, complex organisations, which have less feel about customers and their risk and exposure than small businesses do. They have to revise and strengthen any risk model that is weak or inadequate for the scope and scale of the business before it weakens or brings about the collapse of the financial institution. A systematic approach that is more sophisticated than quantitative risk models is rarely available without years of experience and even developed intuitive skills to support analytical skills.
How evident is qualitative risk management? We really do not know unless or until a risk event happens, which exposes lack of qualitative risk management beyond the confines of the enterprise. Financial institutions have to demonstrate the quantitative facets of their risk management capabilities in the course of regulatory reporting. There are several indications that qualitative risk management is not deemed as reliable as quantitative models and is not granted as much stature. Published regulatory guidance and the vocabulary of risk management in financial services has risk models at its heart. Financial institutions demonstrate their risk management competence by their ability to show at any one time their 'value at risk' or VAR in quantitative risk models, which satisfy mathematical stress testing. However, there seems to be a tacit assumption that testing and auditing of the quality of data has been absorbed into risk models.
The youthful work culture in the financial services sector is short on experience but is highly incentivised to deliver financial performance. The environment produces a rapid turnover of staff, which is voluntary in very successful times, especially amongst the more capable individuals, who are then in greater demand. Rapid turnover of people results in lack of corporate memory. Lack of corporate memory is manifest in the absence of knowledge and familiarity with the firm's customers and counterparties beyond what is available through data and often results in a lack of experience in operating a risk function in different market and economic climates.
Fortunately, corporate governance, the policies and procedures and management structure by which a corporation governs and operates its organisational structure and relationships, is highly dependent not on data alone but on the quality of data. Corporate governance encourages senior management to place more emphasis on the quality of the data, by which the management adheres to policies and procedures. Improved data quality will enable qualitative risk management to operate.
Technology is at the core of risk management. It delivers immediately for analytical purposes. However, technology developments and risk management models do not produce effective risk management if there is no qualitative input. Internal control, data integrity, transparent disclosure, and documentation, which clarifies and evidences governance policies, procedures, and decision making, are the clearest demonstration of qualitative risk management.
Bob McDowall is a senior analyst in the securities & investment practice of the US-based Tower Group, a research and advisory services company focusing on the global financial services industry.
Islamic Business and Finance 2008
