With details of the UBS incident still coming in, the topic of rogue trading was in the air as the Committee of Chief Risk Officers (CCRO) held its second annual risk summit in Houston on Sept. 21-23. It’s natural for a gathering of senior risk practitioners to engage in some “forensic risk management” to glean ideas about preventing future market-shaking collapses such as Enron, Long-Term Capital Management and the recent Lehman Brothers crisis. So while UBS wasn’t officially on the agenda, this fresh trading issue led to some probing of what had gone wrong and more importantly, how it had gone wrong.
If you’re not aware, the CCRO is a non-profit industry group focused on developing best practices for energy risk management, largely through a series of white papers in areas like internal risk reporting, credit risk, enterprise risk management and the like.
From a risk manager’s viewpoint, what is known so far about the UBS situation raises many questions, but overall suggests a lack of what speakers at the CCRO summit called “basic blocking and tackling.” It was a phrase that reappeared throughout the conference as the speakers discussed the art and science of ensuring effective risk management.
Blocking the feint
For instance, if fake trades are entered into a trading system accurately, it is difficult to determine that they aren’t real trades – the fraud would be revealed by trying to confirm the trade with the counterparty. Here both the risk manager and the risk technology play a role: the system can be set up to trigger a flag for the status of confirmations, and then the risk manager must review that data to find unconfirmed trades and related patterns. The sense at the conference was that attending to this kind of basic blocking and tackling could detect a UBS-style fraud, hopefully before a firm has suffered irreparable financial and reputational damage.
It’s an industry effort that has practical application. One speaker said senior management and the board of directors tend to take a great interest in their firm’s own risk practices after a UBS-type incident. He responds to this C-suite curiosity by demonstrating that his risk framework aligns with the recommendations of the CCRO’s white papers. He shows how he has established metrics for performance, as well as compliance and transparency across the enterprise, and then internal auditors vet his risk management functions to see if they meet the board’s requirements.
Tackling poor risk appetite habits
Communicating complex risk management metrics up the chain of command is frequently noted as a challenge for risk managers. Several different approaches were discussed at the meeting, including a five-point rating system for defining the dimensions of effective risk management, measuring everything from data and model quality and staff capability to policy enforcement- even “near-misses” where the company drifted into the danger zone. Such a rating of risk-related activities illuminates a firm’s risk appetite and its ability to respond to business changes, as well as facilitating a conversation about priorities for making risk functions more effective.
The conference looked at both sides of the coin: risk management versus business strategy; the gross-margin generators versus the gross-margin spenders; and the tensions between the two. As one attendee noted, spec trading may generate gross margin, but does that make it a good idea? When does the desire for profit eclipse a firm’s tolerance for the risk? Effective risk management means assessing the risks the firm takes on when chasing that upside and finding the right balance between an acceptable level of margin creation and an allowable level of risk.
Here technology can again play a role. The conference attendees were reminded that risk can’t be eliminated, but it can be transferred and transformed. How can this be achieved? Can it be passed on to the customer? Can it be hedged out into the market? The first goal is to make sure your measurement is right. The ability to aggregate risk data, from price volatility to creditworthiness to weather effects, can clarify the tradeoff between risk and reward. One speaker referred to it as establishing a mean level of risk, and then balancing the risk capital, or how much of the risk you are absorbing, against the value added by the transaction.
Moving toward the goal
Back to UBS: The key to successfully achieving this risk-reward ratio is to have good inputs, whether that means trading actions or other business decisions. Accurately determine what the risk actually is, then adopt good models for processing all that data to produce information that’s clear, accurate and actionable. Risk managers that bring together an aggregated, portfolio view can ensure that two separate functions within the organization don’t have differing views of the market. Often the risk management system is the first place this valuable and revealing information has been aggregated in an organization.
But the reality is that some risks can be measured while others are hard to quantify. A risk manager must contend with both types of risks, and communicate their relative value to decision-makers. While risk managers do trust their experience and insight, they also rely on systems that generate reliable analysis for decision-making. As one speaker put it, a Value-at-Risk (VaR) number results from hundreds of independent metrics – it’s not humanly possible for a risk manager to intuit what’s going on.
In this way, risk management goes beyond its policing role to also become a resource for the profit-seeking piece of the organization. Risk managers can balance their “traffic cop” duty with a system that generates viable risk metrics to allow the margin-generators to make money for shareholders.
The result is smart risk-taking, speakers said. Reassuring the board that risk management functions meet their compliance mandate in the wake of an incident like UBS is one thing; having the board seek you out because they value your insight is quite another. Be seen as a credible resource, one speaker said, and your metrics and insight can both have a valuable influence.