Time to rethink risk management? Global risk management report March 2009

Risk management has been on the top of the international regulatory agenda for some years already and as a consequence, many investment management institutions have established procedures for mitigating risk. However, the recent years’ financial crisis has toughened the focus on risk management from many angles. As a part of the research programme for 2009, and in order to clarify the state of risk management in a mid-/post-crisis perspective, SimCorp StrategyLab conducted in cooperation with The Nielsen Company in February/March 2009 a global risk management survey across the investment management industry. This article outlines and discusses the predominant findings of the survey and questions whether the time to rethink risk management has come.
by Editor-in-Chief Lars Bjørn Falkenberg

Download article as pdf

Seen in the light of the financial crisis, it is fair to assume that the risk management function has gained attention and recognition as a strategic discipline. However, this assumption cannot without modifications be confirmed by the results of the risk management survey.

RISK FUNCTION DECLINE IN STATUS

The SimCorp StrategyLab survey reveals that 50% of risk management functions report to organisational levels from executive management and downwards and the vast majority of the institutions have no intention of changing this in the future. In fact there seems to have been a slight tendency to move the risk function reporting line downwards in the organisation from the board of directors (-5% risk reports), CEO (-1% risk reports) to executive management level (+2% risk reports) and to the senior management level (+5% risk reports) during 2008. This, despite the fact that 76% of respondents said that the primary key to improving risk management functions was to increase the strategic influence of the risk function. And an additional 62% of respondents stated that executive management involvement is a primary key to improvement of risk management in the future.

Further, directly questioned, 37% pointed at insufficient strategic understanding of the risk function when identifying reasons of financial losses in the industry over the last two years. Finally, almost one in four of the risk management functions seem to be so poorly positioned that they can only to a lesser degree or not at all be said to contribute to the efficient use of or allocation of capital and resources in the institution they work for. One could consider whether the above findings are a significant contributor to the fact that 56% of all respondents called for a redefinition of the scope of the risk discipline, an integrated view on risk management (57%), stricter regulatory requirements (59%) and increased budget allocation (58%).

IMPROVEMENTS TAKE PLACE ON TACTICAL LEVELS - MORE STAFF AND COMPETENCIES REQUESTED

Regardless of reporting line, 58% of the institutions questioned increased the role and responsibility of the risk function during 2008. In line with this, the survey confirms that various categories of risk are being consolidated under the risk function. Strategic risk, operational risk, financial risk, compliance risk and reputational risk are all types of risk that are covered by the risk function in at least 76% of institutions. In addition, for the majority of respondents (min. 66%), all these types of risk are actively monitored on a frequent and systematic basis.

Most (69%) of respondents believe that the financial crisis will result in increased investment in staff and in competencies (60%) in the industry per se. This is supported by the fact that 63% claim that competence development/education is critical when it comes to improving the risk function. However, despite this relatively high percentage, only 32% believe that the financial crisis will give rise to a higher level of use of external consultants. This could indicate that improvements in the risk management area through competence development do not necessarily include bringing in outside expertise. On the contrary, competencies seem meant to be developed within the organisation.

MUST BE ‘MADE HERE’?

The vast majority of the financial institutions surveyed, process financial risk calculations/calculate key risk figures internally and for those that process the data internally, 93% intend to keep it that way. Only 10% of those that rely on an outsourced service intend to internalise the calculations in the future.

Key figures derived from risk management systems are primarily used for internal management reporting (49%), 12% also use the figures for asset and liability management, investment decisions (11%), regulation/compliance reporting (8%) and 14% of the respondents use the key figures for client reporting as well. It is fair to assume that there will be an increase in the importance attached to risk reports and their general usage in the future and, at the same time, that the investment management industry’s ability to produce reliable reports will be subject to scrutiny.

REAL TIME ISSUE

When it comes to the ability to process real-time data, there seems to be an issue in the industry. Close to one out of five of the respondents use systems and applications that are developed and maintained internally for management of market, credit, counterparty and operational risk (average 18.5%). However, quite a few respondents stated that they are not familiar with the brand names of the risk management software in use in their institutions (average 32.5%) and roughly 20% preferred not to disclose the brand names of the software they used. This adds to the assumption that the proportion of systems and applications that are developed and maintained internally for management of various types of risk are larger than 18.5% on average across risk types. Of those that state that their risk management software cannot process real-time data, an average of 39.5% across risk types rely on internal systems.

Another 25% of those that cannot process real-time data across risk types have best of breed, standalone risk management installations. When it comes to market risk, these installations are to a large degree represented in the very lower end of the rating scale (represent 40% of those that practically do not have the ability to work with real-time data). In addition, those institutions using best of breed and in-house systems, as well as those that did not know their risk management software brand names or were not prepared to reveal them, faced efficiency challenges. These applications are all represented in the lower end of the rating scale, when it comes to efficiency.


Measured against six criteria (adaptability to change, scalability, transparency, efficiency, ability to process real-time data and cost of ownership) only under half (47.8%) claimed to be satisfied with their risk management software installations. To put this in perspective, 17% of respondents also claimed that insufficient support by IT platform and by applications generally in use has caused direct financial loss over the last two years. In addition, 24% point out that insufficient data quality has caused financial loss during the same period of time. Risk management functions that report directly to the board of directors seem to realise this unfortunate correlation to a higher degree than those reporting to lower organisational levels. This tallies with the findings that 48% expect increased investments in IT applications, 46% in IT platforms as well as that 58% see these investments as key to improving risk management.

As seen from a regulatory point of view, 48% directly state that they believe that authorities will, in the future, formulate requirements when it comes to the financial industry’s IT systems, data quality and applications in general. However, requirements are also expected from the shareholder side when it comes to IT in the investment management industry: Almost half of the respondents (47%) recognise the influence that the ability to store, process and report high quality, real-time data on risk exposure will have on the market value of financial institutions in the future. Given the fact that 17% of respondents assign responsibility for direct financial loss in the investment management industry throughout the last two years to insufficient support by IT-platform and by IT-applications in use as well as insufficient data quality, the relationship between IT, data quality and market value seems to be beyond doubt.

Thus, the fact that slightly more than one out of five respondents are very dissatisfied with the ability of their current risk management software to process real-time data supports a sense of urgency when it comes to improving or replacing installations.

WAITING FOR THE REGULATORS...

At present, multi-factor/statistical approach (APT™(1)-like) is the most commonly used method to measure market risk used by 49% of the respondents. Another commonly used measure is multi-factor/fundamental approach (Berra-like) used by 43%. Both approaches are often labelled ‘black boxes’ by market participants with a relatively low degree of transparency and customisation since the risk calculations are run by more or less closed, standard statistical models developed, maintained and supplied by external third party service providers.

The granular approach came third, used by 30% of respondents as the primary measure to monitor market risk. This approach enables a 100% customised composition of measures and methods.

When it comes to market risk indicators, Value at Risk comes in as the primary indicator used by 44% of respondents, ex-ante volatility is primarily used by 9% and stress scenarios are primarily used by 16% of respondents. Considering recent market turmoil, the use of stress scenarios is surprisingly limited. Also a bit worrying is that in total 12% of the respondents either do not know what risk indicators are most commonly used in their institution (6%) and that 6% use none of the above listed measures and methods as their primary indicators. However, it was the general perception among respondents that the measures and methods used at present are insufficient. 67% of the respondents state that a key to improving risk management is to redefine risk assessment models and methods. There seems to be a strong reason for this: 38% of respondents say that insufficient risk methods and techniques are a direct cause of financial loss in the investment management industry. As a consequence 52% of all respondents also state that they expect an increase in investment in implementing new risk assessment models and methods. Since the use of external consultants is thought likely to increase by only 32% of respondents, the primary input to establish better risk assessment models and methods has to derive from the institutions themselves or from other parties. Since at present the regulators are the investment management institutions’ predominant primary risk management advisor (29%), it is fair to assume that at least a part of the industry awaits for their regulators to drive future development when it comes to new risk assessment models and methods. This assumption is backed by the 38% of respondents who believe that tighter regulation of the financial sector will improve the quality of risk management. An additional 32% of respondents do not deny that regulators are a key to improving risk management in the investment management industry.

CONCLUSIONS

Due to the recent years’ financial crisis, the huge fall in asset values and the unprecedented defaults among highly rated financial institutions, it would be reasonable to assume that the investment management industry would reposition the risk management function to give an improved shelter for themselves and the assets they are mandated to manage. However, the result of this survey raises a question as to whether the right measures have been/will be put in place by the investment management industry itself in order to alleviate the range of risks that are facing the industry now and which will do so the future.

The findings of the survey point to the fact that the risk management function shows a slight tendency of moving downwards within institutions, with as many as 28% of the respondent institutions’ risk functions reporting in to the senior management level, well below the level of the board of directors. This is a fact despite the widespread perception that the risk management function should be much better affiliated with the strategic levels of the institutions for quite a few good reasons, (such as direct financial losses as a result of poor strategic understanding, among other things, etc.) to support this perception. Moreover, it seems that quite a few of the risk management functions do not create value for their institutions. Additionally, risk management functions generally request for additional human resources, training and competencies, increased budget allocation, better data, improved reporting, improved support by IT systems and applications, new risk management models and methods, just to mention some of the findings of the survey. More importantly, lack of meeting these requirements earlier are claimed to have caused direct financial loss through the last two years. Despite this cross-industry picture of a largely rather weak and vulnerable risk management platform, the role and responsibility of the majority of the risk management functions was extended during 2008.

This could indicate a tendency to seek to manage and alleviate risk by attempting to isolate it to the risk management function rather further down in the engine rooms of the investment management institutions. At the same time, managements request that the ‘risk management engines’ run even faster than they did before - despite the fact that there is now more work to do with the same amount of resources and competences.

Perhaps it is time to track if increased or improved governance of institutions is practicable. And at the same time it could be the moment to consider whether risk management is a strategic and integrated management discipline that entails all functions and systems in and outside of investment management institutions. And perhaps institutions should not wait for regulators to define and enforce new requirements on their industry. Perhaps the work to improve risk management should rather start now.

GLOBAL INVESTMENT MANAGEMENT RISK SURVEY 2009

METHODOLOGY

  • This survey is based on 90 CATI interviews with respondents from around the world.
  • The interviews were conducted during February and March 2009 by The Nielsen Company.
  • Respondents were randomly selected among investment management institutions.
  • Only one contact person per company was interviewed.
  • All contact persons had risk management as their primary field of work, and/or strategic responsibility and/or decision-making with risk management and executive or general management.
  • The questionnaire of 30 questions was created by SimCorp StrategyLab and was examined by The Nielsen Company prior to fieldwork.
  • SimCorp StrategyLab was not disclosed as the initiator of the study unless prompted by the respondent.
  • All respondent answers are anonymous unless they specifically agreed to have their answers attributed.