The Federal Reserve Board eagle logo links to home page

Remarks by Governor Laurence H. Meyer
Before the Bank of Thailand Symposium, Risk Management of Financial Institutions, Bangkok, Thailand
August 31, 2000 (U.S. eastern time)

Why Risk Management Is Important for Global Financial Institutions

I am very pleased to have been invited to address this symposium on the timely and important topic of risk management. Continuing increases in the scale and complexity of financial institutions and in the pace of their financial transactions demand that they employ sophisticated risk management techniques and monitor rapidly changing risk exposures. At the same time, fortunately, advances in information technology have lowered the cost of acquiring, managing, and analyzing data and have enabled considerable and ongoing advances in risk management at leading institutions worldwide. As this symposium illustrates, banks in many emerging market countries are also increasing their focus on risk management in an effort to build more robust and sound financial systems, to remedy weaknesses that were exposed by recent regional problems, and to position themselves to participate more fully in the global economy.

Why Risk Matters
Because taking risk is an integral part of the banking business, it is not surprising that banks have been practicing risk management ever since there have been banks--the industry could not have survived without it. The only real change is the degree of sophistication now required to reflect the more complex and fast-paced environment.

Even today, however, some simple rules continue to be critical to risk management, and I cite Barings as a negative example. By the simple act of separating front-office from back-office responsibilities, Barings could well have prevented the enormous losses that led to its failure. In addition, Barings' management never explored how Nick Leeson could have produced such high returns, even though the trading he was authorized to undertake was essentially riskless and thus should not have been so profitable. Had they questioned their "good fortune," Barings' management might have uncovered the hidden losses before they became large enough to bankrupt the firm. A third lesson from Barings is that the benefit of risk management is the losses it will prevent, not the additional revenues it will generate.

The Asian financial crisis of 1997 illustrates that ignoring basic risk management can also contribute to economy-wide difficulties. The long period of remarkable economic growth and prosperity in Asia masked weaknesses in risk management at many financial institutions. Many Asian banks did not assess risk or conduct a cash-flow analysis before extending a loan, but rather lent on the basis of their relationship with the borrower and the availability of collateral--despite the fact that collateral was often hard to seize in the event of default. The result was that loans--including, I might add, loans by foreign banks--expanded faster than the ability of the borrowers to repay. Additionally, because many banks did not have or did not abide by limits on concentrations of lending to individual firms or business sectors, loans to overextended borrowers were often large relative to bank capital, so that when economic conditions worsened, these banks were weakened the most.

The Asian crisis also illustrates the potential benefit of more sophisticated risk management practices. Many Asian banks did not adequately assess their exposures to exchange-rate risk. Although some banks matched their foreign-currency liabilities with foreign-currency assets, doing so merely transformed exchange-rate risk into credit risk, because their foreign-currency borrowers did not have assured sources of foreign-currency revenues. Similarly, foreign banks underestimated country risk in Asia. In both cases, institutions seemed to have assumed that stability would continue in the region and failed to consider what might happen if that were not the case. A greater willingness and ability of banks to subject their exposures to stress testing could have highlighted the risks and emphasized the importance of key assumptions. Had they conducted stress tests, some lenders might have seen how exposed they were to changes in exchange rates or to an interruption of steady economic growth.

Although avoiding failure is a principal reason for managing risk, global financial institutions also have the broader objective of maximizing their risk-adjusted rate of return on capital, or RAROC. This means not just avoiding excessive risk exposures, but measuring and managing risks relative to returns and to capital. By focusing on risk-adjusted returns on capital, global institutions avoid putting too much emphasis on activities and investments that have high expected returns but equally high or higher risk. This has led to better management decisions and more efficient allocation of capital and other resources. Indeed, bank shareholders and creditors expect to receive an appropriate risk-adjusted rate of return, with the result that banks that do not focus on risk-adjusted returns will not be rewarded by the market.

Risk management is clearly not free. In fact, as I will discuss, it's expensive in both resources and in institutional disruption. But the cost of delaying or avoiding proper risk management can be extreme: failure of a bank and possibly failure of a banking system.

A point too often overlooked, however, is that, by focusing on risk-adjusted returns, risk management also contributes to the strength and efficiency of the economy. It does so by providing a mechanism that is designed to allocate resources--initially financial resources but ultimately real resources--to their most efficient use. Projects with the highest risk-adjusted expected profitability are the most likely to be financed and to succeed. The result is more rapid economic growth. I want to emphasize that point. The ultimate gain from risk management is higher economic growth. Without sound risk management, no economy can grow to its potential.

Stability and greater economic growth, in turn, lead to greater private saving, greater retention of that saving, greater capital imports, and more real investment. All this, from sound risk management. Without it, not only do we lose these gains, but we also incur the considerable costs of bank disruptions and failures that follow from unexpected, undesired, and unmanaged risk taking.

Making Risks Matter to Owners and Managers
One might ask why many Asian banks made the mistake of paying little attention to risk. One answer, to which I have already alluded, is that the many years of strong economic performance by Asian economies lulled banks and their supervisors into complacency regarding risk. That is only part of the answer, however. We have learned that certain prerequisites must exist before bank owners and managers will pay attention to risk. At least some of these prerequisites were absent in many Asian countries. One prerequisite is that there be no implicit or explicit government guarantees for bank owners and managers. Their incentives to manage risk and avoid insolvency will be severely blunted if insolvent banks are merged with stronger banks or simply allowed to continue operating without owners losing their stake or managers losing their jobs. Similarly, bank creditors will exert no market discipline if they run no risk of loss on their claims on banks. Thus, guarantees for bank creditors will also blunt the incentive of banks to control risk. Market discipline also requires adequate accounting and disclosure standards, to enable bank investors to judge a bank's condition accurately.

An important complement to market discipline in promoting sound risk management is effective bank supervision. To be effective, though, bank supervisors must have the ability to assess a bank's condition, especially the condition of the loan portfolio, and they must have the authority to require adequate provisions for loan losses. After ensuring that loan loss reserves are adequate, supervisors must have the authority to close banks that are insolvent, wiping out owners or shareholders and removing management. Without such authority--and the willingness to use it--a country effectively has a policy of forbearance, even if officially it does not.

Another prerequisite for risk to matter is that there be no government-directed lending, because directed lending carries with it an implicit government guarantee. In Korea, for example, during many years of directed lending to the large chaebols, banks did not develop the skills to assess the risk of these, their largest borrowers. Even after the end of government direction and the implied guarantee, banks still did not insist on receiving full financial information from the chaebols. Consequently, banks could not assess the risk of these loans, even though the risk they faced had become substantial.

Prerequisites for Risk Management
There are also prerequisites for banks to develop the ability to measure and manage risk effectively. First, in order to measure risk, the country must have solid accounting and disclosure standards that provide accurate, relevant, comprehensive, and timely information so that banks can assess the condition and performance of borrowers and counterparties. To ensure accuracy, accounting systems need to be supplemented by auditing systems and backed up by enforceable legal penalties for providing fraudulent or misleading information to government agencies and outsiders. Banks also need reliable information on the credit history of potential borrowers and on macroeconomic and financial variables that can affect credit and other risks. Additionally, banks need a staff with sufficient expertise in risk management to identify and evaluate risk.

Implicit in most methods of evaluating credit risk is the assumption that the probability of repayment depends on the ability of the borrower to repay, in other words, that willingness to repay is not the issue. If repayment depends on whim, then its probability is difficult if not impossible to assess. Thus, an adequate legal system and "credit culture," in which borrowers are expected to repay and are penalized if they do not, are yet further prerequisites for sound and accurate risk management. The ability to seize the collateral of borrowers in default is essential if banks are to have the incentives and ability to mitigate risk. Without the legal infrastructure--the laws, courts, and impartial judges--necessary to enforce financial contracts in a timely manner, much of risk management would be for nothing, once the initial decision to extend credit was made.

Finally, the potential for conflicts of interest in risk management must be limited. In particular, regulations are needed that restrict and require disclosure of connected lending to bank owners, shareholders, or management. Without such regulations, the desire for personal gain may distort the incentives of bank owners and managers to manage risk appropriately.

Sound Practices in Risk Management
At this juncture, it might be useful if I shared with you developments and practices in one country. Of course, I am most familiar with my own. Throughout the past decade, the Federal Reserve has devoted increased attention to understanding the risk management practices of U.S. banks and has redirected its supervisory efforts to focus on management processes and areas of (perceived) greatest risk. The sheer complexity, volume, and pace of transactions in our largest institutions today demand that we evaluate their risks by reviewing the structure and effectiveness of their policies, procedures, and controls. While a certain level of "transaction testing" remains important to ensure that internal systems work and that controls are real, we can no longer take comfort in the safety of large, complex banks by independently assessing their overall condition at a specific point in time. Given the financial products on the market today, risk profiles of complex institutions can change too easily and quickly. We need the assurance that the practices that have kept an institution sound so far are likely to keep it sound in the foreseeable future.

U.S. bank managers had earlier come to the same conclusion regarding their own abilities to control individual transactions and positions in their worldwide operations. As a result, they have invested steadily in developing prudent and understandable policies and in improving methods for measuring and managing risks, firmwide. As their institutions and activities grew, they needed a common measure to compare alternative uses of capital and to evaluate the performance of an expanding range of business lines. The now-familiar concept of RAROC helped greatly to fill that need. They also required a better process for maintaining quality results, providing management and employees with proper incentives, and detecting problems at an early stage. Along with their size and complexity, their demand for stronger and more objective methods of risk management increased. The financial institutions in the vanguard of risk management have tended to be those most active in international capital markets and derivative activities, where participants are most informed, transactions are most efficient, and data are most readily available. They were the ones that, most typically, had not only the expertise and resources to develop sophisticated systems for measuring and evaluating risks, but also the need to do so, given the complexity of their transactions and products. They needed to identify the key factors driving market volatility and to quantify the underlying risks in order to manage their positions and product lines.

For trading activities, the value-at-risk measure was an important breakthrough. It gives banks a measure of a portfolio's largest expected loss during a particular time period for a given level of probability. It provided a statistically sound and easily understood basis for managing market risk and, as you know, also served as the foundation for new regulatory capital requirements for internationally active banks. At most banks, though, market risk is relatively small. Measuring and controlling credit risk is typically far more important and, unfortunately, a much more difficult task.

In managing risk, banks must decide which risks to take, which to transfer, and which to avoid altogether. Market risks are easily transferred, often through swaps and other derivative products. Unless the institution believes it has a comparative advantage in accepting a particular risk, it is typically sold. During the past decade, the five-fold increase in the notional volume of derivative transactions, to nearly $35 trillion for U.S. banks alone, reflects the demand for risk-mitigating products in this area. Certain other risks, such as operating risks and the chance of various idiosyncratic losses, can be reduced through insurance, diversification, and internal controls.

Accepting credit risk, though, is fundamentally the business of banking and is the activity which most banks see as their principal competitive advantage. Typically, financial market participants have far less information than banks do about the credit quality of individual borrowers, and the terms and conditions of the borrowing arrangements are often complex and structured case-by-case. Credit card loans and certain other retail credits are a notable exception.

In recent years, leading banks have devoted increased attention to measuring credit risk and have made important gains, both by employing innovative and sophisticated risk modeling techniques and also by strengthening their more traditional practices. For example, a popular vendor model measures default risk by applying option theory to the market value of a borrower's equity share price and calculates the probability of a negative net worth. That approach has the important feature of incorporating market assessments of risk into the analysis and is often used to validate a bank's independent view.

Other models, including most internal models of banks, take a more direct approach to calculating the fundamental elements of credit risk. They estimate the probability a borrower will default, based on numerous measures of its stated financial strength; the bank's exposure given a default, reflecting any unused commitments of the bank to lend; and the expected loss given default, taking into account any collateral or other loss-mitigating features of the credit agreement.

Combined, these measures reveal the expected loss, which a bank must know to underwrite and price a credit correctly, as well as to establish adequate loss reserves. However, it is the volatility of this loss and the contribution of the credit to the volatility of the bank's cash flow on a firm-wide, portfolio basis that is crucial to evaluating capital adequacy. As you can imagine, the process of modeling credit risk is still as much art as science for most banks, requiring many assumptions and subjective judgments as well as substantial amounts of data. Testing the sensitivity of a model's results to these decisions and maintaining the integrity of the process from start to finish will be a constant challenge.

Nevertheless, leading institutions around the world have made substantial progress in measuring risk in recent years, and we expect much more progress in the years ahead as both the regulatory and banking communities devote more attention and resources to the topic. The continually declining cost of technology for storing and analyzing data will help greatly to encourage firms to create the databases necessary to understand credit risk better. This decade may see a watershed for risk management as institutions make far greater use of information. Indeed, I fully anticipate that the revised Basel capital accord now under development will link capital requirements more closely to a bank's own internal evaluation of risk.

For most institutions, though, success in risk management does not require sophisticated models, nor will models alone suffice. Clearly, all banks must take advantage of new technologies and keep pace with market innovations to remain competitive and to survive. That need points to ever more sophisticated risk measurement and management practices. Nevertheless, adhering to the fundamental principles of risk management and adapting sound practices to one's own situation will remain key. As I indicated earlier, the experience throughout the world with bank failures and other financial crises demonstrates time and again that violations of traditional and long-known management principles produce the largest losses. I gave some examples of this earlier. Technology and financial innovation facilitate risk management and accommodate more sophisticated risk exposures. Financial models are tools and the environment around them must still be properly managed and controlled. I cannot overstate that point. The most sophisticated risk management techniques are useless if the operating environment and management incentives are deficient or if fundamental risk management principles are ignored.

Fundamental Elements of Sound Risk Management
The fundamental elements of sound risk management are easy to describe in the abstract but are far more difficult to apply case-by-case. Each situation is unique, built around the roles and capabilities of individuals and the structure, activities, and objectives of the institution. What works for one firm may, of course, be unsatisfactory for another. Moreover, in the context of a particular firm, the definition of a sound or adequate risk management system is ever changing, as new technology accommodates innovation and better information and as market efficiency grows. To remain competitive, institutions must adapt and constantly improve their process. That fact becomes clearer every day.

Apart from those contingencies, however, certain basics apply quite generally. In any institution, support for crucial programs must come from the top. Each entity's senior management and governing board must set the institution's risk appetite by establishing appropriate policies, limits, and standards and by ensuring that they are followed and enforced. Throughout the institution, risks must then be measured, monitored, and reported to key decisionmakers.

While the complexity and formality may vary widely among institutions, each firm should have clear procedures for assessing risk and evaluating performance over time. There must also be adequate accountability, clear lines of authority, and separation of duties between business functions and those involved in risk management and internal control. These elements, and others, are time-tested fundamentals of risk management that do not entail high technology or complex risk measurement techniques.

Getting There
I very much fear that institutions throughout the world view risk management--often "sophisticated risk management"--as a Holy Grail, without having a real understanding of its fundamental elements and how difficult it can be to impose them. This, I believe, is particularly true in developing countries with traditions or cultures that emphasize relationships more than legally enforceable obligations.

Moreover, even for organizations that operate in a culture--such as the United States--that is more risk-oriented, risk management techniques can threaten traditional ways and thoughts. Managers who are already in important decisionmaking posts and staff who do not yet have the technical skills necessary for risk management are especially likely to find change disruptive, mechanical, and lacking in the all-important qualities of judgment and experience that they, of course, already have in considerable abundance. Do not misunderstand me. I am not an opponent of experience and judgment, and I do believe that building a risk management system that is designed to be automatic is foolhardy. My point is that change is difficult at any institution or set of institutions. It is even more difficult if the change is not consistent with the cultural and institutional environment and/or the skills of the management and staff.

Difficulty with staff expertise is why the first steps for effective risk management probably should be the least technical and the ones with the best chance for payoff in the short run. I am thinking of accountability, clear lines of authority and responsibility, and--to avoid conflicts of interest--the crucial separation of business line management from risk management and internal control. As I noted earlier, the latter alone could have saved Barings.

The next step, I suggest, is to begin thinking about returns in terms of the risk-return nexus, the RAROC I noted earlier. Just that simple way of thinking about an investment decision goes a long way in improving risk management. The best deal--especially for leveraged institutions like banks--is hardly ever the one with the best rate of return. Rates of return are provided to compensate for risk. If rates of return are high, it is because they are compensating for a high level of risk. Risk means variability, and leveraged institutions like banks have little tolerance for loss. That is why banking institutions must reduce and manage risk exposures, think of yields on a risk-adjusted basis, and realize that financial leverage can magnify the impact of losses as well as gains.

A critical concern in developing a basic risk management process involves developing or attracting personnel with the skills necessary to apply risk management tools in meaningful ways. In the eighteenth and nineteenth centuries, bankers used to send their sons to work for competitors in financial centers in order to learn the latest techniques and then bring them home. Some of that still goes on--although not so much for relatives any more--with time often spent at the organization's own foreign branch or at a business school rather than at competitors. Expertise was also transferred in the past by local branches of foreign banks training local residents. In the twenty-first century these are all still excellent ways to import skills in banking in general and risk management in particular. Limiting foreign presence may be the worst thing for local banks--insulating them from competition and making the import of valuable human capital and expertise more costly.

Risk management implies significant limits on the ability of highly leveraged financial institutions such as banks to provide badly needed venture capital; it implies that financial systems need more than banks. They need nonbank financial institutions that are less leveraged than banks and have much longer term liabilities. They also need functioning capital markets, including foreign providers of long-term and equity capital. These other elements may constrain local banks, but they bring blessings, too. They create instruments and institutions that are stronger, more diversified, and easier to manage during periods of financial stress. They also provide greater stability to financial systems and alternative funding sources for borrowers.

Summing Up
Indeed, this may be a lot to load onto such a seemingly small concept as risk management, but the concept is not really so small. It is fundamental to sound banking and requires, I am afraid, a revolution in many of the world's banking systems. Risk exists and banks must accept risk if they are to thrive and meet an economy's needs. But they must manage the risks and recognize them as real. Risk matters. Whether or not it is temporarily ignored, it will eventually come out. Recognizing that fact and dealing with it will benefit lending institutions and the economies in which they operate. Indeed, given globalization, we must all adopt increasingly sophisticated risk management practices in the years ahead.

Return to topReturn to top

2000 Speeches