Risk Management: A Holistic Approach

Thomas Vartanian, a lawyer who counsels banks on risk management, likes to recall the story of two tugboats. On March 10, 1928, the vessels Hooper and Montrose, en route to New York from Virginia, were struggling off the New Jersey coast, each carrying three barges of coal. They never made it. Easterly gales overcame the six barges, and all were lost around noon, disappearing into the dark waters. Lawsuits followed. The tugboat company was found liable because its boats were deemed unseaworthyu00e2u20ac”not because of poor conditionu00e2u20ac”but due to their failure to deploy radio receivers on board. The radios were a new phenomenon at the time that had been adopted by many boats. Their absence prevented the tugs from receiving reports about worsening weather that would have allowed them to seek refuge in Delaware Bay.

Today, many banks may be in an analogous position regarding their risk management. They operate in an increasingly complicated business with unforeseen risks. Vartanian, a partner at the Washington, D.C. office of law firm Fried, Frank, Harris, Shriver & Jacobson, says the challenge is to adopt the best methods of assessing risk and use available means for minimizing it across the organization. This growing science has been dubbed enterprisewide risk management.

“Part of the process is at least going through the exercise to determine that you are always on the front end of adopting the best procedures, the best process, and using the best technology to protect yourself,” Vartanian says. “Because at the very leastu00e2u20ac”if you don’tu00e2u20ac”you can be found negligent.”

At the very worst, banks can sink themselves for failing to anticipate risk. Regulators in May 2002 found Allfirst Financial had failed to use proper internal controls to stop a rogue trader from conducting unauthorized transactions before significant losses occurred. The bank lost more than $700 million. Its parent company, Allied Irish Banks PLC, sold the bank to M&T Bank Corp. in order to disassociate itself from the mishap.

Even basic banking problems rarely come out of thin air. Early-warning indicators can be used to tell a bank that it needs to take action before things get out of hand. In 1999, many banks ignored the rise in speculative bond defaults, an early barometer for credit problems with bank loans, notes Peter Nakada, executive vice president at ERisk, a New York-based consulting firm. Instead, those banks continued to aggressively make loans into 2000. A year later, banks saw a rise in defaults in their portfolios.

While avoidable, these types of failures might not go away any time soon as bank continue to step into new business lines. Banking reform, such as the Gramm-Leach-Bliley Act, has allowed banks to expand into the brokerage business and underwrite insurance. Banks also are trying to keep pace with rapid technological change. Over the last five years, the Internet and other technologies have changed the ways banks operate. Much of a bank’s operations relies on vendors outside its walls. “An enormous amount of risk is created by simply outsourcing all of the business and all that control,” Vartanian says. “The bottom line is the bank has no ability to turn around and blame a technology provider, because in the eyes of the consumer, that’s your risk and you better make good and have an answer.”

Gone are the good old days when bankers were on the golf course by 3 p.m. on Fridays, says William Perotti, group executive vice president of the $9.6 billion Frost National Bank in San Antonio and former chairman of the Risk Management Association. “All of these new powers for banks have created additional risk which is well beyond credit risk and really into areas such as operational risk, market risk, and reputational risk,” Perotti says. “All those things are really systemic or enterprisewide.”

Banks embracing risk management are also doing so for other reasons. One is Basel II, the proposed accord for rewriting international bank capital rules. Under the proposal, U.S. regulators would require the top 10 U.S. banks to comply by the beginning of 2007. Another 10 U.S. banks are expected to willingly comply. In a break from the status quo, banks that can demonstrate they can measure their own risk would be permitted to help set their own capital requirements.

Indeed, many banks have appointed chief risk officers, such as Citigroup, J.P. Morgan Chase & Co., FleetBoston Financial Corp., National City Corp., PNC Financial Services Group, and Washington Mutual. And more banks are forming committees to monitor risk management.

“Those who have really embraced the concept are saying, ‘I want to make sure I have adequately priced for risk in all its forms,’” says Robert Zizka, a managing vice president at First Manhattan Consulting Group in New York. “The other force out there is the regulatory bodies that are pushing banks to get a more holistic view of risk.”

Another incentive for enterprise risk management is a push for better corporate governance at a time of heightened risk of shareholder litigation, numerous accounting scandals, and increased scrutiny of executives. With integrated risk measurement, banks can preserve value. In some cases, banks can get away with one mistake and recover from it. Many banks have done so, with their share price plunging but typically rebounding in 90 days, notes Suzanne Labarge, chief risk officer for Royal Bank of Canada. But second and third mistakes bring into question a company’s business strategy. In those cases, share prices drop and remain depressed until the bank again establishes its credibility, usually at least a year later. In many cases, those banks ended up being acquired instead. “You can’t continually make mistakes and live too long,” Labarge warns.

While enterprise risk management can help prevent losses, it can also help banks identify, measure, and monitor risk, while introducing processes that can boost shareholder value. It can buffer earnings from losses, boost price-to-earnings multiples, or simply keep value up by avoiding damage to a company’s reputation. About two years ago, Royal Bank started a risk control and assessment model to measure operational risk throughout the bank. To Labarge’s surprise, the biggest losses came from transaction processing, not other areas identified as likely candidates by its internal audit department. The discovery allowed the bank to tighten procedures and reduce errors.

Knowing what risks to unearth is critical. “What bankers should be concerned about these days with enterprise risk management is whether they think they are pulling together all the risks facing their organization and whether they have the comfort that they are well understood and being properly managed,” Labarge says.

Unfortunately, evidence suggests that directors overall still have some catching up to do with the concept of enterprise risk management. About 45% of directors said their company did not have a formal enterprise risk management processu00e2u20ac”or any official system for detecting risk, according to a joint survey by the National Association of Corporate Directors and the Institute of Internal Auditors. Another 19% said they weren’t sure if their organization had a formal process of identifying risk. Though the sample of 178 directors was small, the numbers surprised Federal Reserve Board Governor Susan Bies, who gave a recent speech on corporate governance.

“These percentages indicate that there are companies out there that have directors who don’t understand their responsibilities as the representatives of shareholders,” Bies said. “The shareholders of those companies should be asking the directors how they govern an organization without a good understanding of the risks the company is facing and without knowledge of a systematic approach to identifying, assessing, monitoring, and mitigating excessive risk taking.”

To that end, it is critical to set up a structure that provides a way to communicate upward and downward in an organization, experts say. Bank executives have tended to overwhelm their boards with too much information, or else they have said too little. Key decisions have been doled out to chief executive officers, risk committees, and business leaders without the proper board oversight, says ERisk’s Nakada. Boards should be demanding clear, understandable reports that give a firm-wide view of risk across all the different risk types.

Nakada compares this single variable to the Rosetta Stone, the ancient tablet found in Egypt in 1799 that was a breakthrough in the research of hieroglyphics. Boards have been searching for a specific measure of risk across all risk types that allows them to understand the relationship of risk to risk capacity and risk return, he says. The measurement, or so-called risk-adjusted return on capital (RAROC), is essential to integrated risk management, as it allows the bank to assign reserves and economic capital to each risk.

This concept is more anecdotal than quantitative at smaller banks. At Frost National Bank, credit risk and market risk have formal measurements, while other facets, such as liquidity, transactions, operations, and compliance are detected through interviews with managers and anyone affected in their departments. “We are seeing what they are feeling,” Perotti says. “What they are reading. What they are hearing. We measure risk within each of those categories, then try to come up with a composite rating of risk in this company.”

In a way, the increasing adoption of enterprisewide risk management is a natural fit for banks, says William Austin, principal at Austin & Stanovich, a Douglas, Massachusetts, risk management consulting firm, and former vice president at FleetBoston. “A bank in every sense of the word is a risk manager,” he says. “It is managing the potential default of a creditor through different techniques; it’s managing its reputation through various avenues, such as PR and advertising. Banks are more of an enterprise risk management facility than are other types of businesses or industries.”

Who Do Youu00c2 Call?


New York, NY


Greg Chestnut


First Manhattan Consulting Group

New York, NY


James McCormick


Austin & Stanovich Risk Managers LLC

Douglas, MA


William Austin


Fried, Frank, Harris, Shriver & Jacobson

New York, NY


Thomas Vartanian


BearingPoint Inc.

McLean, VA


S. Kere Lewis


IBM Consulting

Boston, MA


John Connolly


CAP Gemini Ernst & Young

New York, NY


Keith Stock


Marsh Inc.

New York, NY


Lou Ann Layton


Deloitte Consulting

Minneapolis, MN


Patrick Bechdol


Weil Gotshal & Manges LLP

New York, NY


Robert Messineo



New York, NY


Peter Nakada


Join OUr Community

Bank Director’s annual Bank Services Membership Program combines Bank Director’s extensive online library of director training materials, conferences, our quarterly publication, and access to FinXTech Connect.

Become a Member

Our commitment to those leaders who believe a strong board makes a strong bank never wavers.