Strengthening Risk Management in the Midst of Downturn Times

Increasing interest towards Risk Management improvement and timely identification of firms' failure are driving demand for the set-up of risk management principles, particularly within the financial and banking industries. Although there is no-one accepted definition for appropriate and infallible risk management principles, research in this field has led to identify best practices that have proven successful results at a variety of industries. Zooming into the Financial Sector, this case study is aimed to present six tips which have strengthened resilience to bankruptcy and economic losses at a leading European Bank which has depicted positive growth in the midst of the Downturn and world-wide economic recession.


Introduction
Increasing interest towards Risk Management improvement and timely identification of firms' failure are driving demand for the set-up of risk management principles, particularly within the financial and banking industries. Although there is no-one accepted definition for appropriate and infallible risk management principles, research in this field has led to identify best practices that have proven successful results at a variety of industries. Zooming into the Financial Sector, this case study is aimed to present six tips which have strengthened resilience to bankruptcy and economic losses at a leading European Bank which has depicted positive growth in the midst of the Downturn and world-wide economic recession.

The Banking Business and the Importance of Risk Management Policies
Financial Institutions' turnover is influenced by their risk management policies and the target risk profile they want to achieve in the market. For instance aiming towards a lowmedium predictable risk profile, jointly with geographical diversification can be key elements of differentiation for a firm to achieve a leading position ahead of other industry players. [1] The effectiveness of Risk management policies enacts as a firm's identity card, specifically in downturn times. This largely explains why seeking continuous improvement of risk management policies has stayed as a top priority for key industry players which have shown positive growth in the last years of financial turmoil.
"Risk Management means looking into the future" [2] Fuelled by increasing competition, more stringent regulations and higher levels of interconnection amongst different players, the marketplace is becoming more and more complex. Concerned with such trend, financial institutions have realized that if they want to survive, they need to rely on a robust risk management framework, given by corporate organizational policies and supported by sophisticated IT systems and technology.
Since 2008, financial markets have experienced sharp declines. [3][4][5]. Analyzing several consumer surveys allows us to conclude that consumers, particularly those who have been severely affected by the crisis, would rather have opted for higher levels of prevention and anticipation, supported by management schemes with enough level of risk management considerations. The aforementioned risk management considerations are playing a greater role in companies' overall strategy and strategic choices. Indeed, companies are increasingly realizing the need of relying on strong risk governance and a sophisticated hedging program. This trend is largely explained due to the fact that these are seen as essential elements of a robust financial risk management program that will help them secure resilience to the economic problems affecting the marketplace.

To what extent is ERM a "New" concept?
In the last years ERM has been gaining momentum as a new concept, a new trend, a MUST HAVE. But perhaps in the midst of everyone rushing-up to implement it, it is worth stopping for a second in order to understand its meaning and ask ourselves … is it really something new? ERM stands for Enterprise Risk Management but its real origin is unclear. Some associate the birth of this concept to the definition of the Integrated Risk Framework by the Committee of Sponsoring Organizations (COSO) back in September 2004. Others believe that the starting point was in the 1970s when most of the Management theories arised. Being factual it would even be valid the mindset that it is a concept that has been in place since the beginning of times, when the Romans traded goods with the Carthagians. So if we agree that companies have managed risk forever the question here is what can Enterprises do better to manage Risk? Or what have been the best practices in risk management that companies have pursued to achieve recognized success?
Anyone involved in line management makes risk based decisions on a daily basis. The desire of such decision makers would be to count on a reliable crystal ball that would allow them to opt for the choices that would derive profit maximization.
Far from being the aforementioned magic tool, going down the road of ERM involves setting a structured approach or a reference framework to manage risk at companies. As of today, many companies have already understood the value proposition and experienced its benefits -which mainly tackle improved controls, better communications and decisionmaking, and a common language for risks. [7]. Nevertheless, for other companies the concern is still there: is there significant justification for an ERM program? Would the company really make different decisions if it did have an ERM program? According to some literature, a good ERM program has proven to enhance the company value through reduced costs, decreased variability in financial results, enhanced market reputation, and improved business decision-making. Such dimensions can even be measured and what is more, the Credit Rating Agencies have started considering these factors as part of their company assessment process. [8]

Elements of a robust risk management framework
Generally speaking, a robust risk management framework tackles five dimensions [

Corporate governance = Positive risk culture
Relying on strong corporate governance that diffuses a positive risk culture from the top to the bottom of the organization is an imperative to set up a robust risk management framework. Unless the employees of a firm are aligned and somehow willing to contribute towards improving risk management at their workplace, the organization will not be able to manage risk appropriately. The whole organization, from the last employee to the most powerful member of the Board of Directors should see some benefits in managing risk, and as long as this happens, a positive risk culture can be promoted across the overall organization.
From another angle, a positive risk culture can also be understood as that which is characterized by individual accountability, creativity, transparency and honesty. As long as employees understand the importance of accomplishing the organization's risk management approach, have a clear view of what such policies mean and believe they are transparent and honest, they will feel more creative and a healthy attitude of constant challenging of decisions and ideas will arise from them towards improvement the management of risk at their workplace.

Policies = Procedures
The second key element of a sound risk management framework is to have in place a set of policies and procedures, which are consistent with the organizational culture and clearly defined, with enough level of detail.
In a simplified view, the output of a firm's risk management strategy is determined by the balance between the firm's commercial objectives (appetite for risk) vs. its risk contention goals (risk control). In other words, organizations look for profit maximization at the lowest risk possible. (Figure 1) Organizational processes are the means that a firm has to achieve its strategic goals. Therefore, firms' corporate policies should be well assembled, known by all and periodically updated not only with industry best practices, but also with the new regulation.

Data utilization = Efficient technology
Technology is changing the way people access and exchange information [10]. Information related to a firm's performance is a key success factor [11] and thus technological capability to extract such data can drive competitive advantage. [12].
Data collection and its enrichment are often tedious tasks but critical in any risk analysis phase. Such tasks have often a high manual processing component, which can be an inherent source of errors and productivity constraint. However, through technology and process automation, efficiency levels can significantly improve.
Timely and accurate information ease decision making, and therefore, counting on a well structured information management flow that incorporates advanced technology developments contributes extensively towards minimizing lead times whilst increasing a firm's level of pragmatism and effectiveness to meet its strategic objectives.
Additionally, it is worth referring, not only to the information gathering and processing dimensions, but also to how and when the information is communicated. Only when the information reaches the target recipient it can be utilized and in this context it is relatively obvious that automation can play a key role -let's assume that a piece of information is identified, checked, enriched and worked through; the outcome will only be useful if it reaches the right people at the right time which is achievable if there is for instance an automated process that can instantly distribute the information.

Risk measurement = Value-at-risk
The environment in which a firm operates is always subject to an uncertain level of risk, and it has to deal with it. A firm's know-how to measure risk levels is one of its main assets to understand to what extent it is worth to incur a certain risk and can even pre-empt a corporation from bankruptcy.
There are several risk measurement techniques which have been used for long. Some of the most common ones in the banking industry are:


Size of open positions  Degree of maturity mismatch in the net position  Assets' exposures The calculation of such measures often needs of many complex mathematical models. Furthermore, in some cases, their implementation at organizations is not easy. Therefore, since the late 1990s, companies have alternatively opted for another method: "Value-at-Risk" (VaR).
VaR calculates the risk of loss on a specific portfolio of financial assets. For a given portfolio, probability and time horizon, VaR is defined as a threshold value such that the probability that the mark-to-market loss on the portfolio over the given time horizon exceeds this value (assuming normal markets and no trading in the portfolio) is the given probability level [13]. See example in Figure 2. Histogram of daily hypothetic profits and losses over a long-term contract [14] At this point it is worth highlighting that whilst VaR provides the quantitative perspective, it needs to be complemented by a more qualitative dimension resembling the market changes ("what-if scenarios" or "stress tests").
It is also worth pointing out that despite VaR is used in front of other methods which are perceived less powerful and more complex and difficult to understand, it is also constrained and only valid within a set of assumptions. This is one of the reasons why it is adviced that every VaR model is backtested, validating that the actual results are aligned to the forecasts.

Supervision = Ongoing monitoring
The level of risk undertaken by a firm derives from its ability to monitor it. High capability to monitor risk helps to optimize the risk taking process. Risk monitoring should not only rely on the automated output of the VaR calculation, but should also be supported by a risk management function that is able to do a correct interpretation of the results. Risk monitoring aids in risk assessment and can result invaluable to senior management when they need to take a decision and they look for advice.
At this point it is worth pointing out that although risk monitoring has mainly focused on risk avoidance, there is another dimension: "the upside" or opportunity aspects for risk. This dimension is scarcely looked at, but on the other hand it can, if appropriately managed, derive significant level of profits.
Most frequent means to monitor risk consist on processes, reports, and discussion venues. However to ensure their reliability, these must be backed by a solid function of data management and a usable model.
All in all, monitoring implies tracking and thus, the more effort and time consuming this task requires, the later the relevant information will pop up and the lower the level of responsiveness to potential problems.

Approaching the economic crisis: 2008 -today…
Although Risk Management has been for over a decade a central part of many organizations' strategic management [15], the trend towards adoption of more sophisticated techniques and technology, together with the bet for new models that can improve firms' Risk Management has been gaining pace. In general, the last years have seen rapid growth as concerns to the development and improvement of Risk Management tools which facilitate the evaluation of customers' credit worthiness, prediction of customer behavior and propensity of default [16][17][18][19][20][21]. Until 2008, a significant amount of investigation efforts within the financial environment had been towards providing assistance to banking agents on their daily decisions [22], but with the emergence of the economic crisis, researchers and practitioners began to strive even further to excel at their developments and come up with innovative and more diversified portfolios of Risk Management tools.
The economic downturn is seen as a worldwide phenomenon started in the US in 2008 and still ongoing. It is widely thought to be the result of a complex conglomerate of factors [23][24][25][26]. (Figure 3) Such factors have been triggered by mistakes or defaults in Regulation and monitoring, as well as in the market behavior. Low interest rates jointly with financial innovation and globalization trends have evolved towards leverage and underestimation of liquidity and credit risk. The outcome of this mix has been excess indebtedness and excess asset valuation which has derived into a context characterized by: bankruptcy, recession, inflation, collapse in the Stock Markets, currency exchange volatility, dramatic decreases of monetary policy rates, slowdown of demand and consumption, boost of unemployment rates and shortages in profits. In order to recover from the crisis, regulators and country heads worldwide have convened on the need of regulatory changes to reform the market risk -Basel III. But restructuring the financial sector jointly with strengthening international regulation policies are necessary but not sufficient conditions to reverse the economic situation. These need to be supported by financial institutions' risk management models.
Consequently, awareness of the fact that a risk culture can constitute a very important safeguard against financial losses and collapse has risen amongst industry players. In particular, Banks and most financial entities have demonstrated particular high interest in the last years on the implementation of appropriate operational and control models aimed at an adequate management of risk.

Seven dreadful mistakes in risk management
Beyond looking at the economic crisis from a pessimistic angle, it is undeniable the existence of a brink of light considering the whole context -indeed the financial turmoil of the last years can be seen as an opportunity for change and learning from own or peer mistakes [27].
 So, what are the lessons learned?  What have been the main mistakes that have led even former leading industry players to failure? (Figure 4)

"… lend, lend, lend … we'll first get hold of the customers and afterwards make a fortune out of the interest rates …"
Low interest rates  Excessive risk lending to others results in a sudden drought in available credit with catastrophic effects on business. Individuals are often more driven by their own interests, short-term impressive increases in market share and revenue, but under the assumption that this will continue for an indefinite period of time. Unfortunately, this attitude has a costforgetting the collective good of the whole group.

Inefficiency = Inefficient risk scoring techniques " … -This risk scoring model does not seem very accurate -… -Don't worry, just apply the thumb rule -…"
There is a high number of companies that use outdated, static or inflexible assumptions to elaborate their risk scoring models. It is key that such models are funded on the bases of a balanced combination of quantitative and qualitative data. On the one hand, quantitative data can be considered "the facts", but complementarily, the use of qualitative data can contribute to a more flexible and dynamic risk assessment processes.
Apart from that it is also a poor practice over-reliance on credit agency risk scoring. The right approach should be for companies to look for consistent and independent risk measurement methods, validating and challenging constantly their obtained results against those provided by others, for instance credit agencies.

Faulty management = Illiquidity derived from faulty management of assets and passive " … -ups, it seems the firm is losing liquidity -… well but competitors are going for it and as long as ASSETS = PASSIVE … it's fine …"
Wheras risk should be aligned to capital or liquidity positions, one of the mistakes incurred by companies is the failure to access cross-information. Such lack of information flowing fluently preempts that risk is managed by incentivizing business lines and consequently, it cannot be ensured that internal pricing reflects the current bear risk.

Disorders … in capital levels = Inadequate capital levels
" … if the capital level gets too low we'll see later on how to inject more from another source …" Within an increasingly regulated market, Banks and financial institutions could be forced to build-up capital and liquidity buffers in the good times to secure their survival in a Financial Crisis. Many companies which have gone bankrupt in the last years, incurred this mistake and failed to have such buffers filled at the required levels. Therefore this is a clear area where former industry players should have learned the lesson.

Uncovered counterpart = uncovered counterpart risk " … have you considered your counterpart risk? … -Do I really need it?"
Regardless the risk management function should be independent of day-to-day operations, risk components are not something that can be left out of the daily operations -risk limits, stop-loss limits, exposure limits and counterparty limits should be key elements covered by any business line and considered when defining targets and objectives.

Too complex … = Complex valuation of structured products
The role of structured products is mainly aimed at the design of investment products and customers' risk coverage. These products are highly subtle to market variations and therefore, too complex and time consuming methods for valuating these products allow more room for mistakes and less time to react to the volatility of the markets.

Extreme scenarios = Lack of extreme scenarios
" … -what if …? -forget it; it will never happen .." In a high competitive and changing environment, such as the financial sector, it's an imperative for Banks and financial institutions to predict and prevent all potential challenges and threatening situations they may face at some point in time. Companies that have not defined severe, plausible and extreme scenarios in their management models have been more vulnerable and negatively affected by the crisis. Those organizations that have been better off, was because in the past the spectrum and range of possible risk scenarios they considered was more complete and consequently in difficult times they have had more margin to react and launch mitigation actions.
Having said this, the key to overcome such mistakes is based upon prudent management of risk, which entitles: 1. An organizational culture funded on prudent risk management 2. Prudent and anti-cyclic policies as concerns to provisions 3. Proactive risk management initiatives covering the whole credit life cycle; putting special emphasis on risk admission and monitoring processes

Six quick wins in risk management
After analyzing the root causes of the economic downturn and the main mistakes, it is time to provide some tips that have proven to be successful for a leading European Bank that, despite the challenging environment, has managed to excel in performance and obtain the 2011 Best Bank Award.
For this player, the quality in risk management is one if its core identity signs and thus, a top 1 line of action. For over 150 years, The Bank has combined prudency in risk management and advanced risk management techniques which have fostered recurrent and healthy turnover and value creation for its stakeholders.
The balance between The Bank's appetite for risk vs. risk control is driven by its business model and core principles: The Bank formalizes its presence through autonomous subsidiaries, both in terms of capital and liquidity, compatible with a common corporate control model. The shareholders' structure looks to be simple, minimizing the number of non-operative or instrumental subsidiaries.  The Bank relies on a powerful and advanced technology infrastructure and corporate tools -which enable an agile compilation and processing of the information -timely and in a standard format  The Bank's activity is framed within its social and reputational commitment, fully aligned with its strategic objectives.
All these principles are the main levers of The Bank's risk management guidelines. These can be summarized in six quick wins that for other industry players have turned into best practices ( Figure 5):

Independent risk management function
The Risk Management function has to be separated from daily operations. In this sense, The Bank counts on a Risks Management Unit, with its own Head of Department reporting directly to the Executive Board. Such Unit is responsible for risk admission and monitoring processes and acts on an autonomous way and thinking Global.

Heavily involved executive board
The Senior Management of The Bank is aware of the importance of Risk Management and thus, inspires such culture and principles to the rest of the organization.

Vanguard tools and systems
One of The Bank's core principles is: "Technology drives Operations" Within the Risk Management arena, this translates into The Bank's keenness on the use of vanguard tools and systems. Having the right technology allows The Bank to analyze and measure risks at an acceptable confidence level.

Integrated risk control and management
Risk must be identified, quantified and homogeneously managed according to a common magnitude (economic capital). The Bank tackles such risk control and management activities in an integrated way across the whole corporate structure:  every risk  in each Business line  at all geographic markets

Sustainable risk quality
In the last 20 years, The Bank has applied proprietary risk scoring methods to evaluate the risk of its customers and operations. Ensuring that The Bank does not incur risk over a predefined threshold, guarantees the sustainable development of its business.

Objective decisions
Decisions taken must be objective, taking into account contrast of opinions and avoiding decision making being exclusively restricted to an individual. The Bank pursues mancommunity decisions over credit operations both in the sales and risk areas.
As the objective of this chapter is not to describe in detail each of the aforementioned risk management guidelines, the main takeaway is that it is indeed critical for a firm to have in place some sort of core principles aligning its strategic objectives with its risk management model. Which specific principles are best suited at each particular organization is an open item that requires the organization an internal analysis.
For instance, although a risk management model could prove to be extremely successful for a leading player, it does not imply that the implementation of such guidelines by another competitor would prove the same degree of effectiveness.
In general, following industry best practices, lead to superior results than other techniques; nevertheless, the achievement of enhanced performance will only come by hand of ad-hoc and particularized risk management strategy.

Conclusions
This case study has outlined some reasons why Risk Management is important. Though the concept arised over a decade ago, the emergence of the economic crisis in 2008 has given thrust to organizations' adoption of risk management policies, specifically in the financial sector.
To date and during the downturn years we have evidenced common mistakes (the "seven dreadful mistakes"), that with the right risk management policies in place could have been avoided or at least ameliorated.
Nevertheless, in the midst of pessimism and underlying financial turmoil there is still room for hype and there are not only lessons to learn, but also quick wins that firms can put into practice to ease their recovery from the current situation.

Author details
Amparo Marin de la Barcena Group for Automation in Signals and Communications, Technical University of Madrid, Madrid, Spain