Board of Governors of the Federal Reserve System

I am delighted to have been invited by GARP to share a few of my thoughts about risk management practices at financial institutions. Recent events remind us that markets can be quite complex and difficult to predict and that sound risk management is fundamental to the health and resiliency of both individual financial institutions and financial markets generally. Today I want to highlight two fundamental elements of sound risk management: information and incentives. These two elements lie at the very heart of good risk management. Information is vital to good decisionmaking, and incentives send the right signals and create beneficial outcomes both within individual institutions and to the financial system as a whole.

I should note that my thoughts on recent events are preliminary. Because risk-management challenges have affected a number of global institutions, we are working very closely with our supervisory counterparts in other countries to learn from recent events and to coordinate with financial institutions in determining what additional steps may need to be taken. As part of this important international effort, we should seek to align market participants' incentives with our own supervisory objectives; otherwise, behavior will not be altered appropriately and the proposed remedies will not prove durable.

Key Elements of Sound Risk Management
As is well known to the impressive international group of risk professionals in this audience, models are critical to understanding the nuances of risks embedded in complex financial transactions and portfolios, but I am sure all of you would agree that sophisticated techniques cannot be relied upon without the proper risk-management foundation. Integral to this foundation are timely and accurate information and the will and ability to act on it. Since the fortunes of even the most technically sophisticated financial institutions ultimately depend on the decisions and judgments of individual managers and traders, senior management must ensure that the right incentives are in place so that risk taking is appropriately captured in business-line performance evaluation and employee compensation. Senior management must understand the risks assumed by each individual business line and communicate the firm's strategy and risk appetite back down to those business lines. At the same time, senior management must send each business-line manager clear signals about which risk levels are tolerable and which practices are not acceptable. In this way, information and incentives are threads of sound risk management that must be woven into the fabric of each firm's management culture.

Enterprise-wide Risk Assessments

A good risk-management structure must encompass risks across the entire firm, gathering and processing information on an enterprise-wide basis in real time. Good information is the lifeblood of sound risk management. In short, you cannot manage your risks if you do not know what they are. Managers of financial institutions need to ensure that they fully understand the risks assumed by each of their institutions' business lines, and for that they need high-quality information--both qualitative and quantitative. Aggregating information across a large, diversified financial institution is not easy and should be done with appropriate care and with adequate resources for checking timeliness and veracity. Risk managers should live by the adage "Trust but verify," being careful not to rely on assessments or data from others without conducting proper due diligence.

It is also worth noting that financial institutions should gather a wide range of relevant information before they see market troubles brewing. In other words, scrambling for information once turbulence sets in is not good practice. Understanding a firm's true risk exposures requires examining not just risks on the balance sheet, but also off-balance-sheet risks that are sometimes more difficult to identify and often not so easy to quantify. Latent risks from certain complex products and certain risky activities should be properly recognized, because they can manifest themselves when market turbulence sets in. Stress testing and scenario analysis are of paramount importance here.

Even when risks are properly identified and measured, that information needs to be presented to senior management and to others in the firm who can use it in their decisionmaking, and presented in a timely way. In other words, information should be adequately distributed both vertically and horizontally. Adequate distribution of information allows for an enterprise-wide perspective on risks that affect the whole organization. Information must be provided up to senior management, but their views and analysis then must be sent back down through the business lines. To put it another way, institutions should develop an "information circulatory system" to ensure the flow of information that is crucial to the health of the firm.

It is also clear that financial institutions should draw on several types of information from various sources when assessing their risks, particularly when dealing with complex products. No single source of information is perfect or adequate. Management benefits from having a number of tools at its disposal to assess risk positions that draw on differing underlying assumptions. Properly designed, these tools offer different perspectives on exposures and are flexible enough to allow perspectives on risk to change as business conditions change and new data become available.

Governance Structure

To ensure sound risk management, boards of directors and senior management at financial institutions must also establish an overall governance and control structure that is credible, robust, and consistent throughout the firm. It is critical that senior management set the tone at the top, communicate it, and lead by example. This strategy should be clearly articulated and should be recognizable in the actions of the firm's employees. Business lines should be held equally accountable and there should not be any special treatment for "star" employees, even if they are bringing sizable revenues into the institution in a particularly year.

While certain financial institutions may choose to conduct business on a decentralized basis, they must always remember that in the end the exposures and obligations are rolled up and combined into one consolidated legal entity. In addition, the institution's commitment to and emphasis on risk management should be eminently visible--both within and outside of the organization. For example, the firm should demonstrate that its risk managers have direct access to top management and play a key role in decisionmaking. They also must be able to speak authoritatively about the risk profile and risk-management strategy of the whole organization to market participants and counterparties.

Durability of Risk-Management Structures

Of course, risk-management structures are successful only if they are sturdy and durable. These structures and their associated strategies should be embedded in the firm's culture and not be dependent on just one or a few people. They should be part of the fabric of the organization, not just a few catchy phrases repeated from time to time. For example, understanding and living up to the firm's risk-management standards should be a prerequisite for advancement to a senior management position.

Effective risk management remains sturdy and durable only if supported by strong and independent risk functions that produce unbiased information. Having independent risk managers with a certain amount of authority allows for clear, dispassionate thinking about the entire firm's risk profile, with no favoritism toward any business unit. Senior management should encourage risk managers to dig deep to uncover latent risks and point out cases in which certain business lines are assuming too much risk. In other words, it is good to have a few people within the institution who--to paraphrase a former Federal Reserve Chairman--know when to take away the punch bowl. Being the party pooper, however, can be very difficult in any organization, and that is why it is crucial for the risk manager to be known as an independent voice who is influential with top management.

Ensuring Adherence to Risk-Management Practices

Any successful organization needs to develop appropriate mechanisms to ensure adherence to and sustainability of its risk-management structures, and incentives structures are a key mechanism for this purpose. Appropriate incentives reward good behavior and penalize inappropriate behavior. Of course, incentives work best when they are known well in advance, that is, when they serve as ex ante signals of what should and should not be done. Naturally, in very large organizations it is difficult for senior management to monitor each individual, so incentives need to be consistent, permeate even the lowest levels of the organization, and remind each individual that his or her risk-taking affects the whole enterprise.

Limits and controls can be useful tools for creating the right incentives and sending appropriate signals, but they of course need to be tailored individually to each firm. Problems can arise when incentives are not properly structured and appropriate "risk discipline" is not exercised--for example, when limits and controls are not set or, if they are set, when adherence to them is not monitored or enforced. Such controls are incentives for business-line leaders to assume only the risks that the firm can absorb because they penalize those who try to take on excessive risk or inadequate mitigation in the name of short-term profit maximization. One good practice is to have reliable, interconnected enforcement mechanisms within the institution, mechanisms that can--and will--enforce limits. An example is a good centralized treasury function.

Risk-Adjusted Performance Evaluation and Compensation

In trading and certain other activities, there is a tendency for business-line heads or individual employees to focus on their short-term compensation and not think about the long-term risks that their activities create for the firm. But it is the responsibility of senior management to provide the proper incentives and controls to counter the potential for individuals within financial firms to discount risks to the broader institution, and of course to ensure that nefarious activity is promptly uncovered and stopped.

Clearly, it is up to financial institutions themselves--not bank supervisors--to decide how compensation should be structured, but managers and boards of directors should understand the consequences of providing too many short-term and one-sided incentives. They would benefit from thinking about compensation on more of a risk-adjusted basis. Accordingly, I encourage institutions to think about ways to alter existing compensation schemes to include some types of deferred compensation, since the risks of certain investments or trades may not manifest themselves in the near term. Thus, it makes sense to try to match the tenor of compensation with the tenor of the risk profile and thus explicitly to take into account the longer-run performance of the portfolio or division in which the employee operates. This type of compensation arrangement is already in use at many nonfinancial firms.

Of course, star performers may prefer to have compensation more front-loaded and threaten to leave a firm for another one that would not have the same longer-term risk-sensitive compensation structure. It is important for firms to have the flexibility to choose how they reward their employees, but it may be valuable to consider the development of industry-wide principles of sound risk management that would touch upon incentive-compensation issues. Such principles could foster market discipline in firms if investors were to view the principles as best practices and were to more heavily discount the reported short-term earnings of firms that failed to adopt best practices. Although reaching consensus on principles for compensation would be difficult, it seems well worth the effort.

Reflecting Risk-Management Practices outside the Firm

Information and incentives play an important role not just within an institution, but also outside it. By this I mean the ability of the marketplace--and supervisors, when necessary--to gather information about financial institutions and give the right signals to bank management about risk taking. Naturally, this requires proper disclosure of information by the financial institution so that depositors, counterparties, shareholders, and other market participants can judge the riskiness of the institution and act accordingly. Institutions that are able to provide a continual and accurate flow of information to market participants generally benefit from such transparency. Certainly, this is an important part of the motivation behind pillar 3 of the new Basel II capital rules emphasizing the role of public disclosure. This benefit can be even more prominent during financial turbulence, when market participants become fearful of latent risks and "surprise" losses. Confidence in the risk-management practices of individual firms can be valuable in maintaining confidence in the markets in which they operate.

Risk-Management Performance during Recent Market Events
Although some of the risk-management techniques applied during the past nine months were successful, in other areas challenges remain. In risk identification and quantification, as well as liquidity-risk management, for example, the importance of information and incentives is evident.

A number of risk-measurement and risk-quantification challenges relate to valuation practices, particularly with new products. As I noted in a speech last fall, firms should have greater motivation for applying proper valuation practices as part of good risk management.¹ At the center of these practices is the ability to make appropriate judgments about the quality of information being used for valuations. The process usually starts with an initial experimentation phase in which market participants learn a great deal about the product's expected performance and risk characteristics, preferably under different market conditions. Conducting due diligence about new products can be costly and take time, but it is usually worth it. Unfortunately, in some recent cases new products were developed very quickly and not properly road tested. In observing the valuation challenges, the "Trust but verify" adage has equal application. Market participants must ensure that they do not make valuation decisions based solely on excessive reliance on external ratings or evaluations, but that they also undertake their own assessment. And I would suggest that the value of independent due diligence on the part of market participants is especially high for newer and more-complex products.

We all know that reductions in market liquidity played a large role in recent events, affecting the valuation of financial products. As with other risk areas, a number of practices were applied over the past nine months to identify and try to quantify the potential for disruptions in market liquidity. Good practices included attempts by business lines and trading desks to embed market-liquidity premiums or to apply market-liquidity haircuts in pricing models and valuations. That is, there was an understanding that information in benign periods did not reveal the full set of potential outcomes, and that disruption of market liquidity had the potential to affect market prices by driving down the value of certain instruments and to create losses. Conversely, problems arose when some managers did not make market-liquidity adjustments in their quantitative estimates and models and simply relied on recent information from good times, when there was ample liquidity.

The Basel Committee's working group on liquidity began an exercise to review liquidity-supervision practices early last year and just last week issued a public report that builds on the Basel sound practices for managing liquidity risk issued in 2000. The report emphasizes that financial institutions should conduct stress tests and contingency planning exercises to prepare for potential problems in both funding and market liquidity, capturing market-wide events, events affecting multiple markets or currencies simultaneously, and the combination of idiosyncratic and market-wide shocks. In conducting this analysis, firms should better integrate stress tests and contingency funding plans.

As with other risk areas, weaker performance in funding and liquidity-risk management can sometimes stem from inadequate information and poor incentives. During recent events, firmwide liquidity-management strategies were most effective when they included proper incentives and all relevant information, including information about the potential for certain exposures to be added to a firm's balance sheet--so-called unplanned asset expansions.

Successful plans also contained information about the potential liquidity needs of individual business lines and how those might affect funding for the entire organization. In other words, individual business lines were instructed to evaluate their likely needs for funding and relate those needs to the treasury function. In some cases, managers have considered the potential adverse liquidity outcomes from engaging in certain businesses and therefore have decided to limit their involvement or stay out of those activities altogether.

Concluding Thoughts
The banking industry has the primary responsibility for fostering a culture of effective risk management, but of course supervisors have their own role to play in ensuring the safety and soundness of individual firms and a viable financial system. Therefore, both should continue to work hard to improve risk management in light of recent market events. U.S. supervisors are cooperating with their counterparts in other countries to help the industry address risk-management issues--bilaterally as well as through international forums such as the Basel Committee on Banking Supervision and the Financial Stability Forum. I am delighted to represent the Federal Reserve in both forums.

Of course, appropriate remedies will not be developed overnight and, when they are developed, may take some time to implement. Institutions should make appropriate adjustments to risk management and should do so thoughtfully and carefully. Indeed, firms should focus on long-term improvements in their risk-management culture and remember that practicing good risk management is an ongoing process that needs to be continually updated and reviewed for its efficacy.

Given the challenges in information flows and incentives I highlighted earlier, firms should devote particular attention to these two areas. Even an institution that was relatively untouched by recent events should remain vigilant about the next potential source of turbulence, to ensure that it is prepared to analyze information about its risk exposures and distribute that information throughout the firm. Going forward, therefore, senior management at financial institutions should ensure that they have complete and timely information about risk and demonstrate the ability and will to act on it. They should also be aware that the next crisis could come precisely in the area where they are most exposed or have weaknesses. That is, a certain degree of humility is wise, because all firms have a limited understanding of what might happen next.

All senior managers would benefit from taking a fresh look at the incentive structures within their firm. For example, are all parties being compensated on a risk-adjusted basis that takes into account longer-term performance? Is management able to determine how risk taking at the business-unit level affects firm-wide risks? Do business units have the right incentives to consider their units' risk taking in the context of the entire institution? These and other questions deserve attention, given some of the risk-management challenges seen lately. But I am confident that the industry can find appropriate solutions, and supervisors will assist them in those efforts.

Footnotes

1. Randall S. Kroszner, 2007, "Innovation, Information, and Regulation in Financial Markets," speech delivered at the Philadelphia Fed Policy Forum, Philadelphia, November 30. Return to text