Don't outsource risk management to regulators

Solvency may be enough to please them, but it won't please shareholders

New risk management blogger Dan Borge says bankers can't surrender risk management to regulators by letting them impose a standardized solution. Bank managers must devise a risk management approach that fits their institution's unique circumstances.

Bankers should not fall into the trap of defaulting to the regulators' views on the risks of their business. Bank management must use its own judgment to make good risk/return tradeoffs that create value for customers and shareholders.

Regulators have besieged bankers with new and complex risk regulations in the aftermath of the financial crisis: Basel III; stress tests; risk-based compensation ... the list goes on.

Whether all this regulation is making the financial system safer and healthier is debatable. But what is not debatable is that the regulators are taking a much more active role in asserting and enforcing their own notions of what constitutes excessive risk in banking.

Two perspectives on risk that don't necessarily meet

As long as we have a deposit insurance system and a de facto "too big to fail" policy, regulators have little choice. They must work to prevent excessive risk-taking.

We can question their methods, but not their mission. And their mission is to avoid large losses in the system as a whole--not to generate high returns on capital for shareholders or to create added value for customers.

In other words, mediocre performance is fine with regulators so long as that bank manages to stay in business without government support.

Aiming for a higher target

Unlike regulators, bank shareholders are not satisfied with mediocrity. And one of the surest routes to mediocrity is to outsource risk assessments to the regulators.

Unfortunately, too many bankers may be doing just that. Complying with ever-expanding regulatory risk policies can be such a daunting task that some bankers neglect, postpone, or even abandon the implementation of their own enterprise risk management systems that are tuned to their shareholders' interests.

They hope that the regulators' risk assessments are good enough for making business decisions.

They are not.

It is not that regulators are mediocre risk assessors. Regulators have different interests than bankers and therefore they will define and measure risks to suit those different interests.

In particular, regulators focus on the downside, not the upside. They are criticized when banks go bust, en masse, but they do not share in the bonus pools of high-performing banks.

But bank shareholders care intensely about the upside because they expect bank management to make well-informed and intelligent risk/return tradeoffs.

To put it in sports terms, regulators always play defense. Bank managers must be able to play both offense and defense. This requires risk information and analytics that can identify and weigh the downside against the upside by looking at the full spectrum of possible outcomes.

Focusing on the forest

Regulators also focus their attention on the risks of the typical bank and the more extreme outliers from the typical bank. They are more interested in the aggregate effect of losses in the system as a whole than in the fate of individual banks (with the notable exception of too-big-to-fail institutions).

If a bank is not typical and is small relative to the whole system, its regulatory risk measures may be far off the mark and entirely unsuitable for making important business decisions.

A bank's shareholders are not interested in the typical bank. They are interested in their particular bank. And high-performing banks are rarely typical.

High performers differentiate themselves by:

• Carving out attractive niches in the marketplace.

• Demonstrating operational excellence.

• Introducing innovative products.

• Establishing and maintaining strong customer relationships.

• Attracting superior talent.

• Building other durable competitive advantages.

Among the most important competitive advantages of a perennial high-performer will be a strong risk management culture that has a much better view of its actual risk characteristics than any view based solely on regulatory risk measures.

Finally, regulatory risk measures have a very short shelf life.

Rapid changes in technology and markets can make them obsolete before the ink is dry. No matter how good they are, regulators will always be playing catch up.

Bankers who are risk savvy, nimble, and in touch with their markets should not need to look to regulators for their risk measures.

One trip, two routes. Who wins?

But what is a bank to do with two different versions of risk measures?

Regulatory compliance is not optional. So regulatory risk measures cannot be ignored. But shareholders expect better, more relevant risk measures based on sound analysis and the seasoned judgment of management.

So how do bankers decide what to do when the regulators' risk measures conflict with management's risk measures?

I think the general rule should be to select individual business opportunities to maximize returns on required risk capital. For each such opportunity, management would assess "required risk capital" according to management's own view of risk. However, management would do so while keeping aggregate regulatory capital measures in compliance with regulatory standards.

In other words, the objective is to maximize returns on risk capital as assessed by management. Regulatory capital standards are only relevant as a constraint at the aggregate level. If regulatory capital is not a binding constraint, management is free to choose any and all opportunities that it thinks will add shareholder value. If regulatory capital is a binding constraint, management should still prioritize opportunities by their contribution to shareholder value, but give preference to those that produce the highest shareholder value per dollar of regulatory capital consumed.

This rule usually works because, for capital adequacy purposes, regulators are most concerned with entity-level risk measures (holding company and major subsidiaries) and are much less concerned with the relative profitability and risks of individual transactions or other granular business decisions.

This gives management considerable flexibility in choosing the specific menu of opportunities that create the highest value for shareholders while being in compliance with regulations. (Admittedly, I am oversimplifying here. Sometimes regulators are interested in the details--money laundering, for example.)

An open secret about risk management

In fact, though they examine for compliance with regulatory risk management standards, regulators want--and expect--banks to devise and maintain their own enterprise risk management systems. If you doubt this, read the various regulations related to capital adequacy, stress testing, and incentive compensation.

I am surprised to hear so many bankers say that they still do not have operational enterprise risk management systems that they can trust to inform their business decisions.

I wonder if they realize that they may be letting the regulators micromanage them into mediocrity.

Dan Borge

Dan Borge is the author of The Book of Risk and a consultant on strategy and risk management. He was the principal architect of the first enterprise risk management system, RAROC (Risk Adjusted Return On Capital), at Bankers Trust, where he was head of strategic planning and a senior managing director. Prior to his banking career, he was an aerospace engineer at The Boeing Company. You can read more about Borge in a recent interview with ABA Banking Journal. You can also read a review of The Book of Risk here, "A Risk Management Book That Doesn't Make You Snore."

