After the storm
A new era for risk management in
financial services

Sponsored by SAS


After the storm:
A new era for risk management in financial services

About this research

A

fter the storm: a new era for risk management in financial services is an Economist Intelligence
Unit report that explores the way in which risk management is changing at the world’s financial
institutions in response to the global financial and economic crisis. The report is sponsored by SAS. The
author was Phil Davis and the editor was Rob Mitchell.
The Economist Intelligence Unit bears sole responsibility for the content of this report. Our editorial
team executed the online survey, conducted the interviews and wrote the report. The findings and
views expressed in this report do not necessarily reflect the views of the sponsor.
Our research for this report drew on two main initiatives:
l We conducted an online survey of 334 executives from around the world in March 2009. The survey
included companies of a variety of sizes from the financial services industry. All respondents have a
primary focus on risk management.
l To supplement the survey results, the Economist Intelligence Unit conducted a programme of
qualitative research, comprising a series of in-depth interviews with industry experts.
We would like to thank the many people who helped with this research.
June 2009



© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Executive summary

A

lmost two years since the financial crisis first emerged from the sub-prime mortgage
business in the US, the repercussions continue to be felt. Despite unprecedented efforts by
governments, central banks and regulators, the cost to the global economy of the failure of the
financial system will be huge, and felt over an extremely long period. According to the latest
Financial Stability Report from the International Monetary Fund, global bank losses are likely
to exceed US$4.1 trillion. In their efforts to bail out the banking system and deal with wider
economic pain, public debt for the G20 countries will mushroom to more than 100% of GDP
in 2014.
The way in which financial institutions identify, assess and manage risks continues to fall under
intense scrutiny. The crisis has exposed the shortcomings of a whole host of risk techniques, and major
soul-searching is now underway to ensure that the risk and controls functions in financial institutions
will be more robust, authoritative and accountable in future. Regulators, too, are eyeing the risk
capabilities of the industry carefully, and considering the systemic implications of certain approaches
to manage risk more thoroughly.
In March 2009, the Economist Intelligence Unit conducted a global survey on behalf of SAS to
assess how risk management is changing in the world’s financial institutions. The survey attracted 334
participants from across the financial services industry. The report that follows presents the highlights
of those survey findings along with related additional insights drawn from industry experts and
commentators. Key findings from this research include the following:

We are seeing an erosion of confidence and a retreat from risk. The survey reveals an industry
that appears shell-shocked by the events of the past 18 months. There is limited confidence in the
ability of financial institutions to increase revenues or profitability over the next year, while less
than one-third of respondents say that they are seeing confidence returning to their business.
This erosion of confidence is having a dramatic impact on the kind of business that financial
institutions are willing to carry out, with a significant retreat to familiar, domestic business. More
than two-thirds say that they expect a greater focus on domestic business over the next year,
while less than one-third are increasing their focus on overseas developed markets, and just over
one-third on emerging markets.


© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Transparency is a common theme to proposed reforms. Asked about the initiatives that they thought
would be most beneficial to the financial services industry, respondents pointed to greater disclosure
of off-balance-sheet vehicles, stronger regulation of credit rating agencies, and the central clearing
for over-the-counter derivatives as being three among the top four that have the greatest potential
benefit. Although these are wide-ranging initiatives, there seems to be a common theme across all of
them – namely, the requirement for greater transparency and disclosure to facilitate the more effective
management of systemic risk issues.
Reforms to risk management within institutions will be far-reaching and comprehensive. Just onethird of respondents think that the principles of risk management in financial services remain sound.
In response to this, more than half of respondents say that they have conducted, or plan to conduct, a
thorough overhaul of their risk management. Key areas of focus, according to respondents, are likely
to be improvements to data quality and availability, the strengthening of risk governance, a move
towards a firm-wide approach to risk, and the deeper integration of risk within the lines of business.
Respondents say that the need for reform is being driven, in particular, by executive management, but

regulators are also starting to apply the pressure.
Culture, expertise and data are the weak points in companies’ risk management. Asked about the
barriers to improving risk management in their organisation, respondents point to poor data quality,
lack of expertise and a lack of risk culture among the broader business as being the most significant.
This theme of a lack of understanding between the risk function and the business certainly seems to be
significant. Asked about the areas where communication most needs improvement, respondents point
to the channels between the risk function and lines of business as requiring most attention. Elsewhere,
just 40% of respondents say that the importance of risk management is widely understood throughout
the company, suggesting that more needs to be done to embed risk culture and risk thinking more
deeply in the institution.
Respondents lack confidence in the ability of supervisors to formulate the right response to the
crisis. Just three in ten respondents are confident that policy-makers can formulate an effective
response to the crisis. Regulators, in particular, are singled out as being a potential weak spot, with
less than one-third rating their handling of the financial crisis as good or excellent (a lower proportion
than for either central banks or governments). In terms of specific regulatory interventions,
respondents are most confident in the ability of regulators to maintain overall stability of the financial
system, with 53% expressing confidence here. Far lower proportions are confident in their ability
to monitor credit ratings and prevent conflicts of interest (18%); secure the implementation of
compensation policies that support long-term shareholder value (24%); or co-ordinate the work of
regulators across borders (25%).



© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

How do you currently rate the prospects for your business in the following areas over the next year?

Rate on a scale of 1 to 5, where 1=Significantly positive and 5=Significantly negative.
(% respondents)

1 Significantly positive

2

3

4

5 Significantly negative

Revenue growth
10

24

36

24

8

Profitability
9

24

35


25

7

Share price
5

16

47

26

6

Relations with customers
13

43

32

11 1

Relations with investors
7

35


40

14

4

Capital adequacy
15

36

32

15

3

The business environment for financial services
No one working in the financial services sector will forget the near-collapse of the financial system in
late 2008. Just as market participants during the oil shock of the early 1970s and the crash of 1987 were
shaped by their experiences, so will be those who witnessed the stomach-turning events of last year.
Since those momentous times, there have been intermittent signs of recovery in the world economy
and predictions of doom have become fewer and less frequent. Nevertheless, confidence is a fragile
creature. Financial services firms are still reeling from events and are mostly gloomy over the outlook
for the next 12 months. In an Economist Intelligence Unit global survey of 334 financial services
executives, just one third expect a positive outlook for revenues and profitability, while one quarter
expect a positive outlook for their share price.
One of the reasons for such pessimism is that globalisation, one of the key drivers of revenue
for multinational firms, is now seen to be under pressure. Amid a breakdown in global systems and
trade, there will be a much greater focus on domestic business, and 68% of market participants

questioned say that they expect an increased focus on business in their home market. North American
respondents, in particular, say they will be much more focused on domestic markets and much less on
emerging markets than other regions.
Alan Keir, global head of commercial banking at HSBC, notes that the lack of trust across borders has
become evident in everyday business. “Open accounts are working less and less well and old-fashioned
letters of credit [where the bank acts as an insurer] are coming back into fashion,” he says.
This, of course, raises concerns about financial isolationism. Retrenchment to domestic markets is
seen by many politicians and regulators as a way of containing risk, but in reality the opposite could
well be true. The events of the early 1930s, when the adoption of restrictive trade policies exacerbated
the Great Depression, are clear indicators of the dangers.
Over the next year, what change do you expect to the geographical focus of your organisation?
Please rate on a scale of 1 to 5, where 1=Significantly greater focus and 5=Significantly less focus.
(% respondents)

1 Significantly greater focus

2

3

4

5 Significantly less focus

Domestic market
35

32

26


5 2

Overseas developed markets
6

22

33

21

18

Overseas emerging markets
12



25

29

15

© The Economist Intelligence Unit Limited 2009

19



After the storm:
A new era for risk management in financial services

Trust in the rule-makers?
A second reason why respondents may appear pessimistic about their future prospects could be that
they generally lack confidence in the ability of regulators and governments to deal with the current
situation. Indeed, just 29% believe that policy-makers can form an appropriate response to the crisis.
Central banks are generally believed to have handled the crisis more creditably than governments or
regulators. Only one in five respondents thinks that industry itself has handled the situation well.
There is, however, very limited confidence in the ability of regulators to create a healthy, functioning
rules-based system. One-quarter or fewer have confidence in the ability of regulators to co-ordinate
their work across borders; put in place appropriate skills and expertise to keep pace with innovation in
banking; monitor risks associated with the shadow banking system; monitor credit rating agencies; or
mandate implementation of long-term oriented compensation policies.
Alan Greenspan, former chairman of the US Federal Reserve, says such expectations are, in any case,
not realistic. “The important lesson is that bank regulators cannot fully or accurately forecast whether,
How would you rate the handling of the financial crisis by the following stakeholders?
Rate on a scale of 1 to 5, where 1=Very good and 5=Very poor.
(% respondents)

1 Very good

2

3

4

5 Very poor


Central bank in your country/Eurozone region
9

34

31

22

4

Government in your country
7

28

28

27

10

Regulators in your country
7

25

30

24


14

Your industry sector
4

24

37

26

9

Your business
10

42

33

13 2

Your management team
15

46

27


9

4

Your risk management function
13

47

30

7 2

How confident are you in the ability of the regulators in the country in which you are based to carry out the following initiatives?
Rate on a scale of 1 to 5, where 1=Very confident and 5=Not at all confident.
(% respondents)

1 Very confident

2

3

4

5 Not at all confident

Maintain overall stability of the financial system
14


39

28

15

4

Co-ordinate work of regulatory bodies across borders
4

21

38

27

9

Put in place sufficient skills and expertise to keep pace with innovation in the banking system
4

26

33

25

12


Restore trust in the banking system
9

34

37

17

3

Monitor risks associated with shadow banking system
5

23

32

28

12

28

12

Require implementation of compensation policies that support long-term shareholder value creation
3

21


36

Monitor credit rating agencies and prevent conflicts of interest
3

16

32

35

14

23

14

Mandate greater disclosure from hedge funds
4

25

34

Implement effective guidance on liquidity management
7

35


35

19

4

Ensure that off-balance sheet vehicles are reflected in minimum capital requirements
5



31

37

19

© The Economist Intelligence Unit Limited 2009

7


After the storm:
A new era for risk management in financial services

for example, sub-prime mortgages will turn toxic, or a particular tranche of a collateralised debt
obligation will default, or even if the financial system will seize up,” he says. “A large fraction of such
difficult forecasts will invariably be proved wrong.”
Nevertheless, financial services firms do still put a great deal of trust and faith in rule-makers. More
than half are confident in the ability of regulators to maintain the overall stability of the financial

system, while 43% are confident in their ability to restore trust in the banking system.
An over-arching faith in regulators and other government agencies should not, however, supplant
a thorough re-appraisal of the mistakes of the past few years. Indeed, a great many firms are now
questioning their actions and examining whether their whole approach was flawed or whether just a
few key aspects of their approach to risk were founded on unsound principles.

Have conventional risk measures failed?
A highly sophisticated, globalised financial system has evolved over the past decade or so, with ever
more participants using a proliferation of instruments and strategies. Despite the complicated nature
of the system, the core belief persisted that the market knew best and where this proved not to be so,
existing risk measures would over-ride instinct.
But doubts have, unsurprisingly, crept in and many market participants and stakeholders believe
that existing risk measures have failed to some degree. Certainly this is what the survey reveals: less
than one-third thinks, for instance, that the principles of risk management in financial institutions
remain sound.
Peter Bernstein, founder of Peter L Bernstein Inc, an economic consultancy, says the doubts stem
from the shocking events of the recent past. “Does history really tell us anything about what lies
ahead? Relying on the long run for investment decisions is essentially relying on trend lines. But how
certain can we be that trends are destiny? Trends bend. Trends break. Today, in fact, we have no idea
where any trend lines might begin or end, or even whether any trend lines still exist.”

Harvard professor identifies six risk errors
Mr Bernstein, however, is principally referring to general market events. For individual companies and
markets, it may well be possible to pinpoint specific issues where risk measures failed. In the March
2009 edition of Harvard Business Review, René Stulz, professor of banking and monetary economics
at Ohio State University, identifies six ways in which risk has been mismanaged. First, he says, there
has been an over-reliance on historical data. The calamitous fall in asset prices and demand was
unimaginable to anyone basing their thinking on post-war performance alone.
Second, narrow daily measures, such as value at risk—probably the single most important measure
in financial services—have underestimated risks. The assumption behind a daily measure of risk is

that action can be taken quickly (through an asset sale) to remove that exposure. But, as the current
crisis has shown, this is impossible when markets seize up. Significantly, in the survey, one third of
respondents think that tools such as VaR have been shown to be no longer fit for purpose.
Investment funds have perhaps felt the effects of the failure of such risk measures most keenly.
Permal, the New York-based fund of hedge funds group, with US$21bn in funds under management,


© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

says that some of its underlying funds were caught out. “VaR was widely estimated at 4-5% a month,”
says Omar Kodmani, senior executive officer at Permal. ”This rose by factors of two and three in the fall
of 2008, showing you can’t rely on absolute numbers. In other words, you can’t operate in a vacuum.”
Third, according to Prof Stulz, knowable risks have been overlooked. Managers who work in silos
may appreciate the risks to which they personally are exposed. But they may not see how risks being
run elsewhere in the business could affect them too.
It could be argued that credit risk – the risk measure most exposed by the devastation of CDO and
CLO values – is a knowable risk that has been overlooked. For even though banks were buying and
selling (and holding) billions of dollars of asset-backed instruments, there was little apparent will to
assess the risks involved.
The problem stems, in large part, from the time when banks started to sell their credit risk on to
third-party investors. Until the summer of 2007, most investors, bankers and policy-makers assumed
that this evolution represented progress that was beneficial for the economy. In April 2006, the
International Monetary Fund said that the dispersion of credit risk “has helped to make the banking
and overall financial system more resilient”.
Bankers were happy to earn fees at almost every stage of the “slicing and dicing” chain and further
benefited from regulators permitting them to make more loans. By early 2007, financial officers at the

UK’s Northern Rock, for instance, estimated that they could extend three times more loans, per unit of
capital, than five years earlier.
But many of the new products were so specialised that they were never traded freely. An instrument
known as “collateralised debt obligations of asset-backed securities” was a case in point. Instead of being
traded, most were sold to banks’ off-balance-sheet entities such as structured investment vehicles (SIVs)
or left on the books. It was in this sense that credit risk was effectively overlooked by many banks.
Please indicate whether you agree or disagree with the following statements.
(% respondents)

Strongly agree

Slightly agree

Neither agree nor disagree

Slightly disagree

Strongly disagree

The US government should never have repealed the Glass-Steagall Act
19

27

37

9

9


15

8

There needs to be a move away from the “originate-to-distribute” banking model and a return to old-fashioned, “buy and hold” banking
17

37

23

Regulators should intervene directly in compensation policies
12

25

16

22

25

The principles of risk management in financial services remain sound
8

25

25

30


13

The Basel II capital framework has been shown to be deficient
13

34

33

14

5

16

5

Risk measures such as VaR have been shown to be no longer fit for purpose
12

36

31

Not enough human judgment is being applied in risk management decisions
31

42


17

8 2

Risk management does not have sufficient authority in our organisation
16

30

24

18

11

Analytics have become too complex to assist in business decision making
12

35

28

19

5

Mark-to-market practices have exacerbated the financial crisis
26

34


20

12

8

It is not possible adequately to manage risk in financial services
4

18

20

29

29

We have relied too heavily on external providers for credit ratings
24



36

22

11

© The Economist Intelligence Unit Limited 2009


7


After the storm:
A new era for risk management in financial services

Fourth, concealed risks have been overlooked. Incentives have proved particularly dangerous
in this regard. Some traders and lenders may have enjoyed taking risky decisions that, in the short
term, appeared to be working out well for their organisations. But they had no incentive to report any
downside risk.
Nassim Taleb, professor of risk engineering at New York University and the author of The Black Swan:
The Impact of the Highly Improbable, explains the conflict. “Take two bankers. The first is conservative
and produces one annual dollar of sound returns, with no risk of blow-up. The second looks no less
conservative, but makes US$2 by making complicated transactions that produce a steady income,
but are bound to blow up on occasion, losing everything. While the first banker might end up out of
business, under competitive strains, the second is going to do a lot better for himself.” Prof Taleb says
this mismatch between the bonus payment frequency (typically, one year) and the time to blow up
(about five to 20 years) is the cause of the accumulation of positions that hide risk by betting massively
against small odds.
Fifth, there has been a failure to communicate effectively. It is dangerous, says Prof Stulz, when risk
managers are so expert in their field that they lose the ability to explain in simple terms what they are
doing. The board may develop a false sense of security by failing to appreciate the complexity of the
risks being managed.
Finally, risks have not been managed in real time. Organisations have to be able to monitor fastchanging markets and, where necessary, respond to them without delay.
Yet rapid and sophisticated responses are not necessarily an answer in themselves. Just under half
of respondents (47%) think that analytics have become too complex to assist in decision-making, while
almost seven in ten think that not enough human judgment has been applied in risk management.
Charles Beach, regulation and compliance partner at PricewaterhouseCoopers, says that while
quantitative risk measures remain an important part of the equation, a balanced and more forwardlooking approach, including the use of scenario-based assessments, should be developed to ensure

that assumptions embedded in risk measures are continually challenged. “As the appetite for more
aggressive risk-taking begins to return to the banking industry, those firms that have truly embedded
risk management into the fabric of business decisions will garner a clear competitive advantage,”
he explains. From the setting of strategy and risk appetite through to the execution and response
to the changing risk profile, the terms “risk management” and “management” should be considered
synonymous, he argues.

Regulators ignored key risk types
While few traditional measures have fallen completely out of favour, there is broad agreement that
regulation has been highly deficient. Six out of ten respondents, for instance, agree that mark-tomarket accounting practices have made the crisis worse. Meanwhile, just under a half of respondents
(47%) think that the Basel framework has been shown to be deficient. What should be taken into
account, however, is that Pillar 2 of the framework, which deals with the regulatory response to
the rules on capital adequacy, had yet to be fully implemented when the crisis struck. Moreover,
any assumption of its deficiency should be balanced against the variation in interpretation among
domestic regulators of the framework.


© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Robert Mark, a board member at the US-based Professional Risk Managers’ International Association
and chief executive of Black Diamond Risk, agrees. He says that the Basel framework ignored funding
liquidity, which essentially led to the downfall of Bear Stearns. “Basel looked at market, credit and
operational risk, but not at the controls on funding liquidity,” says Mr Mark. This encouraged many
institutions to ignore this risk, or assign it a low priority.
Mr Kodmani, for one, says some hedge funds “fell short” on liquidity risk management. “There were
no bids for a lot of instruments and the bid-offer spreads were meaningless. This meant the estimated

value of portfolios did not work.”
Typically, banks have put risk into three buckets: market, credit and operational. This suggests that
liquidity is not generally considered to be a separate risk. But other risk types have also been largely
overlooked in financial services.
Steve Fowler, chief executive of the Institute of Risk Management, says that traditional banking
risk measures are wrong-headed. “Operational risk, for a start, is an invented term,” he says. “It is
seen as ‘everything apart from market and credit risk’ and therefore doesn’t really matter.” He argues
that strategic risk is the key issue, whatever the industry. “In other industries, they look at business
objectives and strategies and align risks to those objectives. Bankers need to talk in those terms too.
Maybe there needs to be more cross-fertilisation between banks and other industries.”
Others argue that flexibility, rather than trying to identify the precise risk measure, is the critical
issue. BankWest, the Perth-based bank that was bought by Commonwealth Bank of Australia last year,
says there are no “right” or “wrong” models. “The important thing is to keep updating the models
to reflect greater understanding,” says Ed Bradley, head of strategic risk analytics. “We monitor the
performance of our models on a monthly basis. If the model deteriorates in predictive power, we
recalibrate or rebuild the model.”

Over-reliance on rating agencies
Just as regulators are condemned for their lack of foresight, so ratings agencies are singled out for
criticism. More than six out of ten respondents think that they have relied too heavily on external
sources for ratings. Some have posited that the problem lies in the fact that rating agencies were
never genuinely independent, but are essentially an arm of the same government that wished to see
the expansion of home ownership. “Given that government-approved rating agencies were protected
from free competition, they would not want to create political waves by rocking the mortgage boat,
engendering a potential loss of their protected profits,” says US economist Stan Liebowitz.
Given that these conflicts of interest were well publicised, perhaps market participants ought to
have been more wary. “Too few firms performed due diligence of their own,” says Mr Mark. “There was
certainly an over-reliance on them.” They should be just one of many inputs, he argues.

Financial institutions acknowledge the need for risk reform

A series of influential papers from 2008 highlight areas of complacency with regard to risk
management in many firms and product areas. The Senior Supervisors Group, Financial Stability Forum,
Institute of International Finance and Basel Committee all pointed to deficiencies in many financial
institutions’ risk management practices.


© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

How would you rate the performance of your institution over the past year across the following categories of risk management?
Rate on a scale of 1 to 5, where 1=Very effective and 5=Not at all effective.
(% respondents)

1 Very effective

2

3

4

5 Not at all effective

Not applicable

Credit risk
18


36

26

11

7 2

Market risk
11

36

28

16

8 2

Operational risk
11

41

31

14 2 1

Regulatory risk (eg, risk of non-compliance)

21

41

27

8 21

Economic capital
13

37

28

13

3

5

Modelling risk (risk of bad models)
8

26

38

17


5

7

Liquidity risk
20

40

22

12

4 2

Fraud
19

35

28

10

4

4

Solvency risk
22


36

27

6

4

5

Underwriting/actuarial risk
10

25

30

10 2

22

Ability to aggregate risk at firm-wide level
9

29

35

19


6

3

Market participants themselves tend to agree with the criticism. Asked about the performance of
their institution across risk categories, more than half think they are effective at managing regulatory
risk, credit risk, liquidity risk, fraud and solvency risk. But they admit that their biggest weaknesses are
in modelling risk and the ability to aggregate risks at a firm-wide level.
Pressure to improve risk management comes most forcefully – by a significant margin – from
executive management, which has realised that inadequate risk measures from this point onwards
could be fatal to their companies. Many are keen to bolster their capabilities. GRS, a consultancy,
forecasts that, by the end of 2009, half of financial services companies will have a risk professional on
the board, compared with only 12% in July 2008.
Mr Beach says that this is critical, since effective risk management starts with strategy. “Although
aggressive risk-taking is currently out of favour, it will remain essential to value creation,” he
explains. “Explicit definition of the firm’s risk appetite is a fundamental part of developing an
effective strategy. How risk appetite is then cascaded into risk limits and risk-adjusted performance
measurement is equally important to ensure that front-office decision-making is truly linked to
strategy. Responsibility for risk management must lie primarily with the business, not over-relying on
the risk function.”
Others argue that firms must go further than strong board representation. Mr Fowler says that
while bank chief executives are no longer worried about losing their jobs for not taking enough risk
and not keeping up with competitors, little will change. One alternative, he says, could be shareholder
structures, one in which voting rights are conferred to long-term holders of equity only. “This group
would have more influence on policy and is likely to have a longer-term view,” he says.
One thing is sure: tackling risk issues will be a high priority for the foreseeable future. The aspect of
risk management that is likely to attract the most investment over the next 12 months is processes and
10


© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

policy. These types of incremental investment, however, are distinct from developing new approaches,
which requires a great deal of thought, research and determination to really implement change.

New ideas and approaches to key risks
Given the weaknesses of some existing risk systems, there is likely to be less reliance in the future on
off-the-shelf solutions, received wisdom and box-ticking behaviour in general. Many institutions have
signalled that they are prepared to be radical and that they are even ready to welcome a substantial
increase in regulation.
The survey findings reveal, for instance, that just under half of respondents think that the US should
not have repealed the Glass-Steagall Act, which separated commercial from investment banking.
Michael Lafferty, chairman of the International Retail Banking Council, believes that they are on the
right track. “Politicians and regulators may come to realise that far too much attention has been given
to salvaging the failed universal bank model and not enough to finding a better retail banking model
for the future,” he says. “That model should be the stand-alone and highly disciplined retail bank.”
Surprisingly, one-third even believes that regulators should intervene in compensation policy.
However, Mr Greenspan is cautious about micro-management by regulators, arguing that regulators
should allow the market to work, not impede or second-guess it. “In my experience, what supervision
and examination can do is set and enforce capital and collateral requirements and other rules that are
preventative and do not require anticipating an uncertain future.”

Regulatory body sets out key issues
The Institute of International Finance report summarises the key
elements that firms should incorporate into their risk management
practices:

l Ensure that risk management does not rely on a single risk
methodology and analyse group-wide risks on an aggregate basis.
Mr Beach agrees that developing an integrated view of risk
across all risk types is essential. “A major challenge is to build a
comprehensive, joined-up perspective of the bank’s risk profile
across risk classes, products, counterparties and different
dimensions of the portfolio such as geography and industry
sector. Risk information flows should be improved. Risk reports
provided to the board and senior management need to be capable
of focusing on the firm’s current key risk issues rather than
providing a torrent of data which cannot realistically be digested
and used as a basis for effective decision-making.” Risk reporting
should be embedded into day-to-day management reports
rather than provided as a separate stream, he argues. Primary
responsibility for this should lie with the business, supported by
the risk function.
11

l Take into account the technical limitations of risk metrics,
models and techniques, such as VaR.
Mr Fowler agrees that constant attempts to measure everything
are doomed to failure. The logical conclusion of the process, he
says, is to arrive at a single number – an exercise which would be
meaningless. “Not everything that has value can be measured and
not everything that can be measured has value,” he explains. “How
can you numerically measure the long-term viability of a firm?”
l Ensure that the appropriate governance structure that has
been adopted and is actually implemented in managing day-today business.
Rating agencies are beginning to focus more on the quality of
a firm’s enterprise risk management practices. For example, in

2008, Standard & Poor’s now reviews the quality of enterprise risk
management as a new component in its reviews of credit ratings.
Performing classical siloed risk management will only qualify as
“adequate” in the new S&P model.
Mr Mark says the agencies would undoubtedly have had AIG
in mind when they changed their methodology. “It was the AIG
Financial Products area that created significant problems for AIG,”
he says. “They were the ones who wrote all the CDSs. The other parts
of AIG were essentially working well.”
© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Indeed, there are indications that regulators and policymakers, despite the political furore and public
anger, are not likely to intrude on company structures or compensation models. The key issues, according
to the Financial Stability Forum of national and international financial regulators, revolve around the
integration of risks, the measurement of risk (four out of ten in the survey, incidentally, say they practice
insufficient stress testing) and the lack of constant challenges to accepted methods in light of changing
market conditions.

A new template for rating instruments?
There are signs that the existing model for rating agencies could be starting to change.
Independent rating agencies, such as Egan-Jones, are starting to penetrate the market as the
inherent conflict of interest in the traditional model – where issuers pay for ratings and the
agencies are rewarded on volume – is called into question. There are several drivers for a shift
towards ratings paid for by investors rather than issuers, says Sean Egan, founding principal of
Egan-Jones. First, the Securities and Exchange Commission now officially sanctions independent
agencies, conferring credibility to companies like Egan-Jones. Second, US Congress may soon

debate a bill that would hold rating agencies liable for misleading ratings due to problems with
the models. Next, a series of whistleblowers have claimed that they were fired or demoted after
refusing to raise a rating or expressing doubts over one. Finally, fiduciaries may be at risk if they
rely on conflicted agents.
Mr Egan points to the potential competitive edge that banks and other investors can gain from
independent ratings. “Our ratings on Lehman Brothers were three to four notches below the big three
agencies just before it collapsed. Any money market fund using our rating would have known not to
hold Lehman commercial paper at that time.”

Transparency is the key to all progress
Many of the initiatives that respondents think would be most effective are related to transparency – for
example, greater transparency in off-balance sheet vehicles and interventions around valuation are
believed to be potentially effective.
But what does transparency actually mean? For Mr Mark, transparency means a firm having
easy-to-understand policies and then communicating them clearly. “It is important to identify
and disclose the biggest risks that the business faces,” he says. “It could be the top 50 and the
board focuses on the top ten of these. The management committee perhaps focuses on the top 20.
If something goes wrong, at least people will be smarter and wiser about the risks they are taking
and can do more next time.”
Every strategy should have a projected measure of risk and return, he says, and then a firm can
measure risk-adjusted performance. In addition, every mathematical model that can impact financials
should have an independent group reviewing it. “If a strategy has been developed on the trading floor,
it should have independent eyes to sign it off,” he adds.
In this sense, transparency is a prerequisite for good governance. And good governance is about
quality of management. Perhaps the only way for an outsider or a stakeholder to distinguish between
firms with good or poor risk management is by the quality of their people. “If an organisation has less
12

© The Economist Intelligence Unit Limited 2009



After the storm:
A new era for risk management in financial services

Which of the following proposed reforms do you think will be most beneficial to the financial services industry?
Select up to three.
(% respondents)
Greater disclosure of off-balance-sheet vehicles
34

Stronger regulation of credit rating agencies
31

Caps on leverage
29

Central clearing for over-the-counter derivatives
28

Expansion of regulatory oversight to other areas of financial services not currently regulated
25

Enhanced valuation processes for complex or illiquid assets
24

Increases to required capital reserves
23

Liquidity cushions
23


Enhanced disclosure around valuations
22

Reform of compensation systems (eg, bonus payment structures)
20

Greater clarity about where regulatory responsibilities lie
16

Supervisory colleges of cross-border regulators
10

Other, please specify
5

qualified and less well paid people with poorer career paths in the risk function than somewhere else,
then I would certainly trust it less,” says Mr Mark.

The risk function demands “a voice”
For measures to be effective, the risk function must be allowed to have a significant voice in the
organisation. At present, just under half of respondents think that risk management does not have
sufficient authority in their organisation.
This is, in part, a reflection of the personality types that tend to populate risk functions. Risk
management recruitment consultants say that HR departments are asking them for candidates with
stronger interpersonal skills who would have the courage and the influence to stand up to bullish
colleagues. “It’s a problem, because people are either very good at numbers or they’re very good
with people and to get someone with both is not easy,” says Dean Spencer from Barclays Simpson, a
recruitment consultancy.
However, Mr Fowler argues that the function’s role within the business is as important as the type

of people employed to discharge it. Its role should be to embed risk, he says, making sure that every
individual has personal objectives linked to risk. This has rarely been the case in the past. “In banking, the
risk function takes prime responsibility for dealing with risk, rather than for embedding risk management
throughout the business and this surely can’t be a sensible approach. The key is risk awareness and
creating a risk culture, not letting a single function deal with it as if it were a business line in itself.”

Implementing change – the process has already begun
Some institutions have already established working groups – sometimes at board level – and have been
13

© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Which of the following statements best describes your organisation’s current status with the review of its risk management in
response to recent market events?
(% respondents)
We have already conducted a thorough overhaul of our risk management
32

We intend to conduct a thorough overhaul of our risk management, but have not yet completed it
21

We have made some minor changes to our risk management
27

We intend to make some minor changes to our risk management, but have not yet completed them
12


We do not intend to make any changes to our risk management
5

We are waiting to see how the market develops before deciding whether to review our risk management
3

considering new and revitalised risk management ideas for some time. Others, meanwhile, are waiting
to see how markets in general and their market in particular will evolve.
More than half of respondents say that their firm has either completed or intends to complete a
thorough overhaul of its risk management post-crisis. Respondents from Asia-Pacific are most likely to
have already conducted a thorough overhaul of risk management.

Liquidity – closing the black hole
The most common initiatives being taken to strengthen liquidity risk management – the black hole that
was only discovered from the middle of 2007 onwards – are increasing liquidity buffers, strengthening
information systems and improving co-ordination between the treasury function and lines of business.
Permal, for one, has strengthened its approach to liquidity. It has upgraded liquidity risks and put
them on a par with market risk. It has imposed new standards and checklists, partly in response to
investor demand. “Requests for liquidity reports have escalated,” says Mr Kodmani. “Investors want to
know how quickly we can get out of hedge funds.” Permal has instituted guidelines on how much of its
What steps is your organisation taking to improve its management of liquidity risk? Please select all that apply.
(% respondents)
Increasing liquidity buffers
48

Strengthening information systems
45

Improving co-ordination between treasury function and lines of business

44

Strengthening contingency funding plans
38

Strengthening liquidity stress testing capabilities
37

Conducting independent review of internal policies
31

Strengthening management of intra-day liquidity risks
26

Improving management of foreign currency flows
23

Other, please specify
3

We are not taking any steps at present
5

Don't know/Not applicable
8

14

© The Economist Intelligence Unit Limited 2009



After the storm:
A new era for risk management in financial services

portfolio it can liquidate over one, three, six and 12 months.
On the other hand, Permal is not adjusting its market models. It says that drawdowns in the last
quarter of 2008 were in line with expectations posited by its head of risk and within tolerance levels,
given strong performance over the long term.
It is, though, looking more carefully at the operations and infrastructure of its underlying
portfolio funds. “We always had requirements regarding operational monitoring of managers, who
their counterparties are, the number of counterparties, the custodian and so on,” says Mr Kodmani.
However, the checklist has been extended to all managers following the collapse of Lehman Brothers
and the disintegration of the Madoff empire. “We are now both comprehensive and proactive, updating
all files regularly.”

Firms get stressed – and target more stringent testing
Respondents to the survey pointed to stress-testing as a particular area of weakness in their
processes. The solutions that they are working on to improve in this area include increasing the
severity of scenarios used, greater involvement of senior management and strengthening the link
with decision-making.
Mr Mark says stress-testing is a common area of failure. “Superficial stress testing is not sufficient.
It really has to be done in a smart way.” He typically runs eight stress tests when working with clients.
Some are hypothetical and some are based on known scenarios. “In the hypothetical tests, I create
a group of individuals from a company and they meet every two weeks. They consider what happens
if energy prices rises, if interest rates fall, if forex moves. We look at the possible effects on strategic
reserves, assets, strategies and so on.
BankWest, on the other hand, says that meaningful stress testing was always a facet of the risk
process but only in the past few months has it received more visibility. “In an extended benign
environment, to go to senior executives and ask them to consider a scenario where the property
Which of the following steps is your organisation taking to strengthen stress testing? Please select all that apply.

(% respondents)
Increasing severity of scenarios used
48

Increasing involvement of senior management in stress testing
39

Introducing or increasing frequency of ad hoc stress testing
36

Strengthening link between stress testing and decision-making
36

Increasing use of hypothetical scenarios
35

Increasing investment in data and IT infrastructure to enhance risk information
27

Introducing or increasing use of scenarios that take a firm-wide perspective
25

Introducing or increasing frequency of reverse stress testing (ie, working back from a plausible outcome)
19

Other, please specify
1

We are not taking any steps at present
10


Don’t know/Not applicable
12

15

© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Over the next year, what do you expect to be the three key areas of focus in the management of risk in your organisation?
Select up to three.
(% respondents)
Improving data quality and availability
41

Improving governance of risk
33

Developing “firm-wide” approach to risk
29

Embedding risk management within lines of business
28

Better and more sophisticated analytics
27


Improving communication and understanding between risk function and lines of business
24

Strengthening technology infrastructure
24

Linking risk management more closely with corporate performance
22

Building risk expertise at management level
19

Regulatory compliance (eg, with Basel II or Solvency II)
11

Recruiting experienced risk professionals
8

Training of existing risk professionals
8

Other, please specify
2

market drops 25% is a tough ask,” says Mr Bradley. “Now everyone is interested.” So for BankWest,
overhauling risk management has applied less to systems and more to communication and integration
of the systems into the strategic framework.
Data quality and availability are also being addressed by a large number of respondents to the
survey. Some have seen that this is a key issue for many years, although few can have known that they
were preparing for a financial downturn where data quality suddenly became a precious commodity.

BankWest, for instance, has been investing heavily to improve its data quality since 2001, when
meeting Basel requirements was recognised as a key performance indicator. At that time, it established
a committee to monitor and improve data. “The impacts of this initiative are simple, yet critical from a
risk perspective,” says Mr Bradley. The bank is rolling out a project, for example, to input data just once
and have it populate the whole system, while the system also rejects illogical inputs stemming from
human error.
Sometimes, meaningful change is little more than tightening up existing risk measures. BankWest
says that it always discouraged 100% mortgage lending to retail customers, but occasionally waived
requirements. This is now proscribed.

Obstacles to the new risk environment
Respondents to the survey consider the biggest barriers to improving risk management to be
insufficient quality of data, lack of risk culture in the organisation and a lack of risk expertise.
Paul Strebel, the Sandoz Family Foundation Professor, says that lack of expertise is a recurring issue.
“Boards dominated by professional board members, CEOs and former CEOs of other companies have
failed dismally. They bring no industry expertise to the table, have little of their own wealth at stake,
16

© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

What are the three main barriers to improving risk management in your organisation? Select up to three.
(% respondents)
Insufficient quality of data
40

Lack of expertise

32

Lack of risk culture among broader business
31

Inadequate systems
30

Poor communication across organisational silos
30

Lack of investment
20

Insufficient data
17

Lack of authority for risk management
16

Lack of support among senior executives
14

Insufficient risk representation at senior management level
11

Insufficient risk representation at non-executive board level
7

Other, please specify

2

are too easily identify with the CEO/chairperson and go along with an increasing concentration of
power at the top. At the financial institutions with the biggest losses, the lack of industry expertise on
the board was almost always associated with a dominant CEO and/or chairperson.”
Meanwhile, John Legrand, managing director of Europe, Middle East and Asia Pacific at Eagle
Investment Systems, says that data, or lack of it, is the over-riding reason why risk systems fail to fulfil
their purpose. “One of the significant reasons for executives’ lack of insight into their business, and
their failure to understand the risks to which they were exposed, is the absence of a cohesive data
management strategy.” He notes that when Lehman Brothers filed for bankruptcy in September, it
took some buy-side firms weeks to establish their exposure. “But those firms with a centralised data
management system integrated with their accounting system(s) were able to determine their exposure
in a matter of hours.” He argues that there is a tendency for firms to think that, just by implementing a
risk or performance system, they are gaining control and visibility. However, this is not the case if they
fail to have control over the data that feeds these systems.
One reason for this gap is that data management does not always make it to the top of the pile
in terms of funding for new technology. “Unfortunately, it is typically a crisis situation that causes
firms to reassess their current strategies and look for ways to improve quality and prepare for other
unforeseen obstacles,” says Mr Legrand.

17

© The Economist Intelligence Unit Limited 2009


After the storm:
A new era for risk management in financial services

Conclusion


I

t is often only in times of crisis that genuine change does occur. Change is not merely desirable
now, it is critical to firms’ survival and their ability to compete in a marketplace that will inevitably
become more rules-based and hence more complicated.
The best firms with the brightest people embrace change. They will adapt and prosper in the new
environment. As we have noted in this report, confidence is currently low, and a lack of trust exists
alongside a lack of self-confidence. There is a great deal of hand-wringing currently taking place in
the industry, and soul-searching questions are now being asked. It is clear that some firms are asking
themselves whether everything that they previously believed to be right, is actually wrong.
On closer examination it is evident that many of their risk processes were sensible, and even
sophisticated, but sometimes poorly executed. At the same time, there have been some inexcusable
omissions, such as the lack of focus on liquidity and a dearth of processes around compensation.
But those who argue that we are fighting a losing battle and that it is impossible to adequately
measure risk are probably not going to prosper in the years to come. The truth is, firms need to improve
what they do, not abandon their principles.
They are increasingly recognising the need for new ideas and approaches. They should strike while
the iron is hot, and before old and inadequate ways become embedded again. Many firms have started
the long haul already and are revamping, replacing and recalibrating systems and processes, despite
the difficulties that cultural change confers.
Successful firms know that the answer to the big question of the past several months is not to take
risk off the table. Without taking clever, calculated, controlled risks, no firm can be successful. Risk, in
the final analysis, is not a function within a firm, it is the firm.

18

© The Economist Intelligence Unit Limited 2009


Appendix

Survey results

After the storm:
A new era for risk management in financial services

Appendix: Survey results
In spring 2009, the Economist Intelligence Unit conducted a survey of 334 senior risk professionals
from the financial services industry. Our sincere thanks go to all who took part in the survey. Please
note that not all answers add up to 100%, because of rounding or because respondents were able to
provide multiple answers to some questions.

How do you currently rate the prospects for your business in the following areas over the next year?
Rate on a scale of 1 to 5, where 1=Significantly positive and 5=Significantly negative.
(% respondents)

1 Significantly positive

2

3

4

5 Significantly negative

Revenue growth
10

24


36

24

8

Profitability
9

24

35

25

7

Share price
5

16

47

26

6

Relations with customers
13


43

32

11 1

Relations with investors
7

35

40

14

4

Capital adequacy
15

36

32

15

3

Over the next year, what change do you expect to the geographical focus of your organisation?

Please rate on a scale of 1 to 5, where 1=Significantly greater focus and 5=Significantly less focus.
(% respondents)

1 Significantly greater focus

2

3

4

5 Significantly less focus

Domestic market
35

32

26

5 2

Overseas developed markets
6

22

33

21


18

Overseas emerging markets
12

25

29

15

19

Please indicate whether you agree or disagree with the following statements.
(% respondents)

Strongly agree

Slightly agree

Neither agree nor disagree

Slightly disagree

Strongly disagree

We expect business conditions to improve within the next 12 months
10


40

18

21

12

We have outperformed our peers during the financial crisis
27

29

23

14

7

We are seeing confidence returning within our business
7

24

31

29

8


We are seeing confidence returning to our investor base
5

21

36

29

10

We are seeing confidence returning to our customer base
5

26

30

31

9

We are confident that policy-makers can formulate an appropriate response to the credit crisis
6

19

23

29


30

© The Economist Intelligence Unit Limited 2009

12


Appendix
Survey results

After the storm:
A new era for risk management in financial services

How would you rate the handling of the financial crisis by the following stakeholders?
Rate on a scale of 1 to 5, where 1=Very good and 5=Very poor.
(% respondents)

1 Very good

2

3

4

5 Very poor

Central bank in your country/Eurozone region
9


34

31

22

4

Government in your country
7

28

28

27

10

Regulators in your country
7

25

30

24

14


Your industry sector
4

24

37

26

9

Your business
10

42

33

13 2

Your management team
15

46

27

9


4

Your risk management function
13

47

30

7 2

Which of the following proposed reforms do you think will be most beneficial to the financial services industry?
Select up to three.
(% respondents)
Greater disclosure of off-balance-sheet vehicles
34

Stronger regulation of credit rating agencies
31

Caps on leverage
29

Central clearing for over-the-counter derivatives
28

Expansion of regulatory oversight to other areas of financial services not currently regulated
25

Enhanced valuation processes for complex or illiquid assets

24

Increases to required capital reserves
23

Liquidity cushions
23

Enhanced disclosure around valuations
22

Reform of compensation systems (eg, bonus payment structures)
20

Greater clarity about where regulatory responsibilities lie
16

Supervisory colleges of cross-border regulators
10

Other, please specify
5

20

© The Economist Intelligence Unit Limited 2009


Appendix
Survey results


After the storm:
A new era for risk management in financial services

How confident are you in the ability of the regulators in the country in which you are based to carry out the following initiatives?
Rate on a scale of 1 to 5, where 1=Very confident and 5=Not at all confident.
(% respondents)

1 Very confident

2

3

4

5 Not at all confident

Maintain overall stability of the financial system
14

39

28

15

4

Co-ordinate work of regulatory bodies across borders

4

21

38

27

9

Put in place sufficient skills and expertise to keep pace with innovation in the banking system
4

26

33

25

12

Restore trust in the banking system
9

34

37

17


3

Monitor risks associated with shadow banking system
5

23

32

28

12

28

12

Require implementation of compensation policies that support long-term shareholder value creation
3

21

36

Monitor credit rating agencies and prevent conflicts of interest
3

16

32


35

14

23

14

Mandate greater disclosure from hedge funds
4

25

34

Implement effective guidance on liquidity management
7

35

35

19

4

Ensure that off-balance sheet vehicles are reflected in minimum capital requirements
5


31

37

19

7

Which of the following statements best describes your organisation’s current status with the review of its risk management in
response to recent market events?
(% respondents)
We have already conducted a thorough overhaul of our risk management
32

We intend to conduct a thorough overhaul of our risk management, but have not yet completed it
21

We have made some minor changes to our risk management
27

We intend to make some minor changes to our risk management, but have not yet completed them
12

We do not intend to make any changes to our risk management
5

We are waiting to see how the market develops before deciding whether to review our risk management
3

21


© The Economist Intelligence Unit Limited 2009


Appendix
Survey results

After the storm:
A new era for risk management in financial services

Please rate the following issues in terms of the challenge they pose to your business.
Please rate on a scale of 1 to 5, where 1=Significant challenge and 5=Not a significant challenge.
(% respondents)

1 Significant challenge

2

3

4

5 Not a significant challenge

Not applicable

Credit risk
35

31


17

5

10

3

Market risk
28

39

19

8

51

Operational risk
14

28

35

15

8


Regulatory risk (eg, risk of non-compliance)
12

23

29

22

13 1

Economic capital
10

25

33

17

10

4

Modelling risk (risk of bad models)
12

22


29

20

9

8

Liquidity risk
21

28

24

14

12 2

Fraud
7

21

22

28

19


3

Solvency risk
8

17

22

21

27

5

Underwriting/actuarial risk
9

14

18

22

16

21

Ability to aggregate risk at firm-wide level
11


29

25

21

12

2

How would you rate the performance of your institution over the past year across the following categories of risk management?
Rate on a scale of 1 to 5, where 1=Very effective and 5=Not at all effective.
(% respondents)

1 Very effective

2

3

4

5 Not at all effective

Not applicable

Credit risk
18


36

26

11

7 2

Market risk
11

36

28

16

8 2

Operational risk
11

41

31

14 2 1

Regulatory risk (eg, risk of non-compliance)
21


41

27

8 21

Economic capital
13

37

28

13

3

5

Modelling risk (risk of bad models)
8

26

38

17

5


7

Liquidity risk
20

40

22

12

4 2

Fraud
19

35

28

10

4

4

Solvency risk
22


36

27

6

4

5

Underwriting/actuarial risk
10

25

30

10 2

22

Ability to aggregate risk at firm-wide level
9

22

29

35


19

6

© The Economist Intelligence Unit Limited 2009

3


Appendix
Survey results

After the storm:
A new era for risk management in financial services

What steps is your organisation taking to improve its management of liquidity risk? Please select all that apply.
(% respondents)
Increasing liquidity buffers
48

Strengthening information systems
45

Improving co-ordination between treasury function and lines of business
44

Strengthening contingency funding plans
38

Strengthening liquidity stress testing capabilities

37

Conducting independent review of internal policies
31

Strengthening management of intra-day liquidity risks
26

Improving management of foreign currency flows
23

Other, please specify
3

We are not taking any steps at present
5

Don't know/Not applicable
8

Which of the following steps is your organisation taking to strengthen stress testing? Please select all that apply.
(% respondents)
Increasing severity of scenarios used
48

Increasing involvement of senior management in stress testing
39

Introducing or increasing frequency of ad hoc stress testing
36


Strengthening link between stress testing and decision-making
36

Increasing use of hypothetical scenarios
35

Increasing investment in data and IT infrastructure to enhance risk information
27

Introducing or increasing use of scenarios that take a firm-wide perspective
25

Introducing or increasing frequency of reverse stress testing (ie, working back from a plausible outcome)
19

Other, please specify
1

We are not taking any steps at present
10

Don’t know/Not applicable
12

23

© The Economist Intelligence Unit Limited 2009



Appendix
Survey results

After the storm:
A new era for risk management in financial services

Over the next year, what do you expect to be the three key areas of focus in the management of risk in your organisation?
Select up to three.
(% respondents)
Improving data quality and availability
41

Improving governance of risk
33

Developing “firm-wide” approach to risk
29

Embedding risk management within lines of business
28

Better and more sophisticated analytics
27

Improving communication and understanding between risk function and lines of business
24

Strengthening technology infrastructure
24


Linking risk management more closely with corporate performance
22

Building risk expertise at management level
19

Regulatory compliance (eg, with Basel II or Solvency II)
11

Recruiting experienced risk professionals
8

Training of existing risk professionals
8

Other, please specify
2

What are the three main barriers to improving risk management in your organisation? Select up to three.
(% respondents)
Insufficient quality of data
40

Lack of expertise
32

Lack of risk culture among broader business
31

Inadequate systems

30

Poor communication across organisational silos
30

Lack of investment
20

Insufficient data
17

Lack of authority for risk management
16

Lack of support among senior executives
14

Insufficient risk representation at senior management level
11

Insufficient risk representation at non-executive board level
7

Other, please specify
2

24

© The Economist Intelligence Unit Limited 2009