Qualitative Aspects of Effective Risk Management

Good morning. I am delighted to be here for GARP's 5th Annual Risk Management Convention and to support, to the extent that I can, the work of your organization. It's gratifying to see the progress GARP has made in its short life toward promoting the visibility and quality of the risk management profession. I congratulate you on the progress you have made and wish you further success in the years ahead.

I have spent much of my own career in the field of risk management, and certainly the Federal Reserve has a keen interest in the matter. For those of us who have spent more than a few years in the business, it is easy to see the recent progress in the quantitative or scientific aspects of risk management as a result of data base and other technological advances. These increased capabilities have helped push financial theory and have opened doors and minds to new ways of measuring and managing risk.

These advances have also made possible the development of important new markets and products that have become widespread and essential to the risk management practices of both financial and nonfinancial firms. They have also made the practice of risk management far more sophisticated and complex. The application of mathematics and statistics, the collection and compilation of large amounts of data, and the analysis and characterization of the risks embedded in business activities today are much different--and in many ways more challenging--than they were not long ago.

While the enhanced quantitative dimensions of risk measurement may be quite visible (at least to practitioners of the art), their implications for the qualitative aspects of risk management may be less apparent. In practice, though, these qualitative aspects are no less important to the successful operation of a business--as events continue to demonstrate. As risk measurement practices advance, the full range of risk management practices needs to keep pace.

In my remarks today, I would like to highlight some of the advances in risk management that we have seen in recent years, particularly those related to the management and transfer of credit risk. These gains and the development of new and important markets have come about because of better risk-measurement techniques and have the potential, I believe, to substantially improve the efficiency of U.S. and world financial markets. However, as an economist, I also know there is no free lunch; some of the implications of these developments on the more fundamental elements of risk management must be considered and adequately addressed if the quantitative aspects are to work well. For obvious reasons, I will focus on the practices of large commercial banks.

Competitive and Innovative Markets
I would like to draw on some observations gathered from the Federal Reserve's role in banking supervision as we have worked to better understand recent practices by financial institutions to manage and transfer credit risk. I find the preliminary assessment to be informative, interesting, and at least somewhat reassuring; however, I also feel that it appropriately highlights vulnerabilities in market practices that must be carefully monitored and managed. Because much of the innovation in credit risk transfer involves credit derivatives, attention has been focused on transactions using these instruments and on credit default swaps (CDS), in particular. By way of note, the Federal Reserve also is participating in work commissioned last year by the Financial Stability Forum to gain a broader understanding of these issues. I look forward to the conclusions and assessment in this regard.

As most of you know, credit default swaps involve the sale, or transfer, of credit risk associated with a specific reference entity for a fixed term in exchange for a fee from the other counterparty (the "protection buyer"). Related instruments--synthetic collateralized debt obligations (CDOs)--entail similar arrangements, but are based on portfolios of exposures and are "tranched" in a manner typically seen in securitizations. Consequently, through CDOs, parties gain even greater flexibility in tailoring and marketing financial transactions to match the risk appetites of ultimate investors, or risk takers.

This market has grown rapidly in recent years, attracting increased attention among risk managers and leading to larger operations and higher staffing levels--particularly at dealer firms. The British Bankers Association, for example, reports that the notional value of credit derivatives has grown from less than $200 billion in 1997 to nearly $2 trillion in 2002. Our own bank Call Reports indicate that late last year U.S. commercial banks held credit derivatives with notional values of more than $800 billion, which may represent one-third of the global market. Trading of these instruments occurs mostly among some 1,200 large investment-grade "reference entities," with more liquidity, of course, among the most active fifty names than among the next several hundred. Most liquidity for CDS contracts is with five-year maturities, although participants are trying to expand market depth at longer terms. There are also efforts to push demand beyond investment-grade corporate names, for example to high-yield and middle-market sectors.

A key question--how much risk is being transferred?--has been difficult to answer due to the participation in the market of many types of regulated and unregulated investors and firms as well as the fact that participants simply reverse or close out one exposure by entering into an additional and offsetting one, as they do with other types of swaps. To be sure, notional amounts substantially overstate the level of risk transfer, but by most accounts, market participants seem to agree that the volume of risk transferred has been material. Anecdotally, some of the largest banks indicate they hedge about 15 percent of their investment-grade corporate credit. Standard and Poor's estimates the banking system globally has used credit derivatives to transfer the risk associated with some $300 billion of exposures. But S&P acknowledges that this estimate likely overstates the true level of risk transferred because CDS are almost exclusively written on low-risk, investment-grade credits, and because banks issuing CDOs typically retain the riskier tranches.

Even so, it seems to me that such risk management practices are important in governing credit risk in large banking organizations and, in many respects, reducing systemic risk, as well. Despite the common practice by banks that issue CDOs to retain much or all of the first-loss or "expected-loss" tranche, such banks have at least reduced their previous, full credit exposure. Moreover, the sale and purchase of CDS also allow banks to manage concentrations and to further diversify their portfolios. In the event of highly unexpected defaults among investment-grade firms, a hedged bank's losses will be reduced. The experience with credit derivatives in the Enron, World Com, and Parmalat events, indicate that these new risk products can work effectively.

One aspect that we, as bank supervisors, find encouraging about the growth of credit risk transfer activity is the diversification benefit it provides--and its potential for greater economic efficiency. Certainly, not all of the risk transferred by banks has left the banking sector. S&P estimates that roughly one-half of this risk remains in the banking sector. The insurance sector, including reinsurance firms, has been a major participant among nonbank firms. Among banks, the belief is that those in Europe and Asia have been net sellers of credit protection, particularly with respect to North American borrowers. Such credit flows, whether within or outside the banking system, should help enhance the geographic diversification of the protection-seller and add liquidity to the debt offerings of the reference firms.

By distributing risks more broadly among the major players--banks, insurance companies, hedge funds, and private asset managers--these transactions would seem almost by definition to add to the diversity and strength of financial markets and reduce risk concentrations. By their design, derivative instruments segment risk for distribution to parties most willing to accept them. A key point, however, is that these parties are also able to do so by successfully absorbing and diffusing any subsequent loss. In any event, reducing or more evenly redistributing the risk within the banking system--where such credit risk has been traditionally concentrated--would seem to be a clear benefit.

A second question that is certainly of interest to you as risk management professionals is whether participants recognize and understand the underlying risks. It is important to recognize that the market for credit default swaps is dominated by large institutions and private investors that have specialized expertise in credit analysis and significant historical performance records. Participants will always adjust their positions and move in and out of markets as they gain experience, and there will certainly be lessons to learn along the way. We will learn them, and hopefully we will deal with them well--as we have so far. But we have little evidence, to date, that suggests there are material weaknesses in the knowledge and understanding of the major market-making dealers.

That said, I would offer one critical caveat regarding the potential for a large group of market participants to place an over-reliance on external ratings and key modeling assumptions. In particular, the pricing and risk management of the increasingly complex credit risk transfer instruments and trading strategies rely on credit risk models and supporting assumptions, including assumptions about the degree of default correlations between different reference entities. Although these future correlations cannot be measured, correlations during periods of normal conditions can change greatly during periods of stress. Time will tell how robust these models are and whether they will perform well.

Market participants must consider whether there is a concentration of reliance on a small set of risk management frameworks or approaches in the Credit Risk Transfer (CRT) market. This issue arises in regard to the reported similarity of credit risk models and assumptions used by major market participants. Of course, there is nothing inherently wrong with convergence in risk management approaches. But in this case, given the widespread view that models are still in their relative infancy, the similarities are perhaps worth noting. This issue also arises in relation to the reliance on rating agency ratings and methodologies regarding CDO tranches and related structures. Ideally, all market participants that are investing substantial amounts in CDOs would have the capacity to undertake their own analysis of the risks, so that the rating agency ratings would function more as a supplement to these analyses. In practice, however, it is likely that substantial reliance will be placed on the rating agency's rating. Consequently, the risk judgments of many market participants are concentrated in the hands of a small number of public rating agencies.

In the context of commercial banking where past credit-related failures have had substantial and widespread effects, we also have close government supervision, that has focused primarily on risk management practices and controls relating to evolving market practices. I would not for a minute suggest that such oversight ensures that all will go well in the future. But it should help to reinforce effective risk management, and we are learning from the growing list of case studies.

Qualitative Aspects
This discussion of the role of derivatives in transferring credit risk serves to illustrate many important--and not always highly technical--aspects of risk management that cannot be overlooked. Some of these issues relate to the nascent features of that particular market, but they apply to other markets as well, and to the sheer complexity of measuring risk. Thoughts of legal risk, operational risk, reputational risk, counterparty credit risk, and model risk all come to mind. For their part, central bankers and bank supervisors must also consider the implications of new products, activities, and management innovations on financial markets, systemic risk, and their own prudential regulations. The combined implications of market innovations on all of these and other issues can be profound and challenging, but, I would submit, overall beneficial to market efficiency. We simply must manage the process well.

In the legal arena, the financial industry has made, and continues to make, substantial progress, for example, standardizing netting agreements related to derivative instruments and reducing related misunderstandings and differences among institutions and legal jurisdictions. Understanding market practices, such as those related to settling transactions using "cheapest to deliver," and knowing for certain the specific legal entities that are the reference parties on credit risk swaps are also crucial, low tech elements of a successful risk management process. Uncertainties will exist in any complicated operation. They are typically greater when associated with innovation and they grow as product structures become more complex. We all need to recognize this.

Regarding models, aside from the technical parts, it's important to consider the less quantitative. For instance, are the inputs sound? Are the model parameters based on sufficiently robust and accurate data? Are the assumptions reasonable? One needs to understand the business and risk management principles, but that does not require a "quant." In modeling, "GIGO"--garbage in, garbage out--always rules.

Data integrity is growing in importance in effective risk management. In today's world of credit risk models, especially for centralized underwriting in areas such as consumer, mortgage, and small business credit, the responsibilities of data input may reside with the lending officer. To ensure effective underwriting, the culture and incentives for loan officers should support accountability for valid information going into a model.

In the "old days" when individual loan officers made credit decisions, any weaknesses in underwriting were confined to that lender's portfolio. It was the responsibility of loan reviewers to identify those weaknesses before losses became extensive. Today, the responsibility for effectively predicting defaults and loss given default resides with the senior credit officer responsible for the credit scoring model. When the underwriting results are then tested for reliability, it is critical to identify the root cause of errors due to model specifications and changes in customer behavior. The risk of centralized, model-based underwriting is that errors are no longer limited to the portfolio of a single loan officer. Rather, model errors can create significant systemic risks across that loan product portfolio. We are still trying to learn how to estimate these types of risks.

In our current regulatory efforts to develop internal rating-based capital standards for credit risk, we find that simply identifying and describing "minimum" data requirements can be a challenge. What is adequate and robust for a given purpose and what is not? Each company's practices are unique--as they should be. We do not wish to create the moral hazard and greater systemic risk associated with a highly specific, government-dictated procedure to measure risk. Rather, we want the discipline that can be gained from requiring that the input data and the parameters used for regulatory purposes are--as much as possible--the same as those used for business purposes, so that they can be market-tested. Differences among model results will occur, but both management and regulators must decide what is good enough for their respective purposes. Some answers are more judgmental than empirical. Experience, judgment, and a sound degree of prudence are all important.

In the old days, banking was often a smaller and certainly less complex business. In this smaller scale, management could gain a more direct "feel" about their customers, their exposures, and the related risk. And the potential consequences of making mistakes were typically small as well. If the bank had a bad loan underwriter, it could dismiss the person and proceed to clean up the mess. As many banking organizations have grown into much larger and far more complex institutions, that personal feel often gets lost. Their managements need the more sophisticated and systematic processes that risk modeling can provide, but they also need to ensure that an incorrect or weak model does not bring down the house. I would offer that success in this area often requires grey hair and keen intuition as well as highly developed analytical skills.

Beyond these points, accounting and disclosure practices must be considered as they relate to such matters as earnings volatility, customer suitability, and the incentives or disincentives they provide to risk managers. Fundamental elements of corporate governance must also be adequately addressed--and they naturally become more challenging as activities become more complex. Nevertheless, they cannot be ignored, given the corporate scandals of recent years and the legislated remedies that followed.

Recent failures of corporate governance--whether at Enron, Parmalat, or the New York Stock Exchange--have changed the landscape underlying many transactions conducted by financial institutions. The implications of the Sarbanes-Oxley legislation are now being felt throughout corporate America and are proving to be expensive to many firms. How much better, for all, had these few corporations behaved more responsibly all along! Responsible self-governance and sound corporate governance are much better and far less costly than rigid governmental-imposed rules. A greater awareness of business ethics and a reshaping of accounting practices and incentive packages should help. But risk managers must also play an active role in focusing on sound practices, and not just on expedience.

Accounting, Disclosure, and Market Discipline
Revelations of significant corporate governance and accounting failures, with Parmalat being the latest example, demonstrate that strong accounting, effective internal and external auditing, and transparent disclosure practices are critical concerns worldwide, not just in one part of the world, such as the United States. Events at the international level have renewed attention to the need for companies worldwide to implement high-quality corporate governance practices and accounting and disclosure standards, and for their external auditors to employ rigorous and sound international auditing techniques. Long before coming to the Federal Reserve, I had a strong interest and became involved in accounting, auditing, and internal control matters. This led to my serving on the Financial Accounting Standard Board's Emerging Issues Task Force and the Committee on Corporate Reporting of the Financial Executives Institute. I have continued to pursue this interest in my role as a Federal Reserve Board member and as chair of the Board's Committee on Supervisory and Regulatory Affairs. I would like, now, to turn to some of the recent accounting issues surrounding complex instruments and the role of financial disclosure in promoting risk management.

For starters, I am pleased to see movement in recognizing employee stock options grants as a business expense. At year-end 2003, thirty-five of the fifty largest U.S. bank holding companies that we closely monitor each quarter were taking this approach, a notable increase from the year before. Many nonbank firms are doing so as well, and we should expect to see many more companies do so in periods ahead. In my view, that is a useful step toward more accurately disclosing a company's true results, and one that should help rebuild investor confidence in financial statements.

The techniques for valuing financial derivatives--whether they be employee stock options, mortgage interest rate lock commitments, credit default swaps, or another type--are continuing to evolve. As these markets grow, fair-value estimates will only improve. In the process, firms of all types will face growing competitive pressures to manage risk more effectively and to make greater use of these and other products. Accounting rules and disclosure practices must keep pace. A frequently cited issue is the effect of current hedge accounting rules, which sometimes cause banks to recognize losses on credit hedges while ignoring, in earnings, the offsetting gains in the economic value of the asset hedged. This leads to greater earnings volatility and has understandably caused some banks to reassess, and in some cases scale back, their credit hedging activities.

If market discipline is to function, accounting boards themselves must find better, more-innovative solutions that more accurately capture the underlying economics of transactions. Moreover, with regard to securitizations, derivatives, and other innovative instruments that can transfer risk, it is not at all clear that accounting measures of a company's balance sheet at a given point in time are sufficient to reflect the company's financial risk profile.

As bank regulators, we recognize the need to strike the right balance in deciding what disclosure standards to promote. It is said that for every complex issue there is an answer that is simple, concise, and wrong. We would prefer to get it right. We need to identify the information that sufficiently informs investors of risk levels without being unduly burdensome and without revealing proprietary information. Much of the answer may involve disclosures about how risks are being managed and valued, drawing less on accounting information and more on information available in risk management reports. Disclosures need not be fully standardized; rather each firm should tell its own story.

One area in which improved disclosures by banking organizations are needed involves credit risk and the allowance for loan losses. As you know, there is a high degree of management judgment in estimating the loan-loss allowance, and that estimate can have a significant impact on an institution's balance sheet and earnings. Expanded disclosures in this area would improve market participants' understanding of an institution's risk profile and whether the firm has adequately provided for its estimated credit losses in a consistent, well-disciplined manner. Accordingly, I strongly encourage institutions to provide additional disclosures in this area. Examples include a breakdown of credit exposures by internal credit grade, the allowance estimates broken down by key components, more-thorough discussions of why allowance components have changed from period to period, and enhanced discussions of the rationale behind changes in the more-subjective allowance estimates, including unallocated amounts.

It is also important to note that the soon-to-be-released enterprise risk management (ERM) framework of the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, should provide much needed guidance in the areas of risk management and internal controls and, thus, is of particular interest to bank regulators. The ERM framework, as proposed, requires an entity to identify the potential events that may affect its operations and requires the entity to systematically manage those risks with a particular emphasis on its risk appetite and strategic direction. The framework is predicated on the existence of sound controls and effective management. Successful application of the framework requires managers to consider both current and planned or anticipated operational and market changes and to identify the risks arising from those changes. Once these risks have been identified comprehensively, assessed, and evaluated as to their potential impact on the organization, management must determine the effectiveness of existing controls and develop and implement additional mitigating controls where needed. This is a critical step and if it is not performed properly, it may doom the entire process.

One of the weaknesses that we have seen is the delegation by management of both the development and the assessment of the internal control structure to the same risk management, internal control, or compliance group. It is important to emphasize that line management has the responsibility for identifying risks and ensuring that the mitigating controls are effective--and to leave the assessments to a group that is independent of that line organization. Managers should be expected to evaluate the risks and controls within their scope of authority at least annually and to report the results of this process to the chief risk officer and the audit committee of the board of directors. An independent group, such as internal audit, should perform a separate assessment to confirm management's assessment.

Internal audit's review should determine whether the firm is accomplishing its stated control objectives, in light of growth and changes in the firm's business mix as well as in regard to new customers, strategic initiatives, reorganizations, and process changes. Internal audit should also evaluate the entity's adherence to its control processes and assess the adequacy of those processes and its related disclosure practices in light of the complexity and legal and reputational risk profile of the organization. It is essential for internal audit to be staffed with personnel who have the necessary skills and experience to report on the degree of compliance with an entity's policies and procedures. Internal audit should test transactions to validate that business lines are complying with the firm's standards and should report the results of that testing to the board or the audit committee, as appropriate.

Although I have referred to internal audit, the key point is that strong internal controls, sound corporate governance, and effective disclosure practices require that periodic assessments of overall effectiveness be performed by an independent group. Then, as corporate disclosure practices evolve, market analysts must do their part to understand the information, while recognizing both its value and its limitations. Analysts need to make sure they are correctly using all available information. This includes understanding that some accounting practices may not result in the best presentation of economic reality and that other sources of information may provide more-accurate insight into a company's condition.

For example, current accounting rules for defined-benefit pension plans permit firms to use expectations of the long-term return on assets to calculate current-period pension costs. A spot rate is used to discount future liabilities. The discrepancies between the assumed and the actual returns are reconciled by gradual amortization. This smoothing feature can create large distortions between economic reality and the pension-financing cost accrual embedded in the income statement.

A recent study by Federal Reserve staff members indicates that "full disclosure" of the underlying details would not necessarily assist the analyst in reaching a "correct" judgment.¹ The study adopts the premise that most of what investors need to know about true pension-financing costs can be reflected in two numbers disclosed in the pension footnote. These two numbers are the fair-market value of the pension assets and the present value of outstanding pension liabilities. The study finds that these two numbers tend to be ignored by investors in favor of the potentially misleading accounting measures. Investors and analysts need to ensure that the information they are using most accurately reflects the organization under consideration. Also, bank employees who use financial statements of potential borrowers to make credit-related decisions need to understand the documents they are using and be able to identify potential shortfalls.

Too often, analysts have relied too heavily on projections and interpretations given to them by management. Recent events have injected more independence into the analysis process and should help wean many analysts from CFOs and investor relations departments. More-insightful and more-independent analysis by them can help greatly in promoting market discipline and identifying a company's true worth. That progress, in turn, strengthens the input data and the risk-measurement systems we all rely on.

Throughout its supervisory and regulatory efforts, the Federal Reserve is, indeed, looking more to market signals. For example, information contained in subordinated debt spreads, credit default swap spreads, KMV EDFs, and equity prices provide useful indications of the market's collective assessment of a company's underlying risk. In banks, this information supports credit judgments and overall measures of the institution's capital adequacy and credit risk. As regulators worldwide move to finalize new capital standards, the role of market information in risk management should grow further, particularly among the largest banks, as it will in our own oversight activities.

Before closing, I would like to take off my central banker hat and speak to you only as an industry observer and a former bank CFO. I want to simply note the historically low level of interest rates which are not within the work experience of many investment and risk managers. The typical response is to try to increase nominal yields and widen spreads. Thus, some banks have acted to extend portfolio durations and accept risk, given the steep yield curve, because statistics will likely tell you that the odds of a rate increase are greater than a further decline. We are also seeing some investors attempt to increase nominal yields by investing in lower-rated bonds. But the skills that this association's members practice, remind us that the goal should be appropriate "risk management," that is, given an organization's risk appetite, the attractiveness of higher yields must always be balanced against the increased level of risk in the transaction. And in times of turns in business and interest rate cycles, estimating these tradeoffs can be more difficult. That is not a prediction of near or future rate movements--just advice from an experienced manager of interest rate risk.

Conclusion
In my remarks this morning, I have sought to encourage you to continue your efforts to support the evolution of risk-management practices and heighten the degree of professionalism that every effective risk manager should demonstrate. I would like to leave by reminding all of you not to become so caught up in the latest technical development that you lose sight of the qualitative aspects of your responsibilities. Models alone do not guarantee an effective risk-management process. You should encourage continuous improvement in all aspects, including some I mentioned today--data integrity, legal clarity, transparent disclosures, and internal controls.

1. Julia Coronado and Steve Sharpe, "Did Pension Accounting Contribute to a Stock Market Bubble?" Brookings Papers on Economic Activity, July 2003.  Return to text

Return to top

2004 Speeches