View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

Speech
Governor Randall S. Kroszner

At the Global Association of Risk Management Professionals Annual Risk Convention, New
York, New York
February 25, 2008

Improving Risk Management in Light of Recent Market Events
I am delighted to have been invited by GARP to share a few of my thoughts about risk management
practices at financial institutions. Recent events remind us that markets can be quite complex and
difficult to predict and that sound risk management is fundamental to the health and resiliency of
both individual financial institutions and financial markets generally. Today I want to highlight two
fundamental elements of sound risk management: information and incentives. These two elements
lie at the very heart of good risk management. Information is vital to good decisionmaking, and
incentives send the right signals and create beneficial outcomes both within individual institutions
and to the financial system as a whole.
I should note that my thoughts on recent events are preliminary. Because risk-management
challenges have affected a number of global institutions, we are working very closely with our
supervisory counterparts in other countries to learn from recent events and to coordinate with
financial institutions in determining what additional steps may need to be taken. As part of this
important international effort, we should seek to align market participants' incentives with our own
supervisory objectives; otherwise, behavior will not be altered appropriately and the proposed
remedies will not prove durable.
Key Elements of Sound Risk Management
As is well known to the impressive international group of risk professionals in this audience, models
are critical to understanding the nuances of risks embedded in complex financial transactions and
portfolios, but I am sure all of you would agree that sophisticated techniques cannot be relied upon
without the proper risk-management foundation. Integral to this foundation are timely and accurate
information and the will and ability to act on it. Since the fortunes of even the most technically
sophisticated financial institutions ultimately depend on the decisions and judgments of individual
managers and traders, senior management must ensure that the right incentives are in place so that
risk taking is appropriately captured in business-line performance evaluation and employee
compensation. Senior management must understand the risks assumed by each individual business
line and communicate the firm's strategy and risk appetite back down to those business lines. At the
same time, senior management must send each business-line manager clear signals about which risk
levels are tolerable and which practices are not acceptable. In this way, information and incentives
are threads of sound risk management that must be woven into the fabric of each firm's management
culture.
Enterprise-wide Risk Assessments
A good risk-management structure must encompass risks across the entire firm, gathering and
processing information on an enterprise-wide basis in real time. Good information is the lifeblood of
sound risk management. In short, you cannot manage your risks if you do not know what they are.
Managers of financial institutions need to ensure that they fully understand the risks assumed by
each of their institutions' business lines, and for that they need high-quality information--both
qualitative and quantitative. Aggregating information across a large, diversified financial institution
is not easy and should be done with appropriate care and with adequate resources for checking

timeliness and veracity. Risk managers should live by the adage "Trust but verify," being careful not
to rely on assessments or data from others without conducting proper due diligence.
It is also worth noting that financial institutions should gather a wide range of relevant information
before they see market troubles brewing. In other words, scrambling for information once
turbulence sets in is not good practice. Understanding a firm's true risk exposures requires
examining not just risks on the balance sheet, but also off-balance-sheet risks that are sometimes
more difficult to identify and often not so easy to quantify. Latent risks from certain complex
products and certain risky activities should be properly recognized, because they can manifest
themselves when market turbulence sets in. Stress testing and scenario analysis are of paramount
importance here.
Even when risks are properly identified and measured, that information needs to be presented to
senior management and to others in the firm who can use it in their decisionmaking, and presented
in a timely way. In other words, information should be adequately distributed both vertically and
horizontally. Adequate distribution of information allows for an enterprise-wide perspective on risks
that affect the whole organization. Information must be provided up to senior management, but their
views and analysis then must be sent back down through the business lines. To put it another way,
institutions should develop an "information circulatory system" to ensure the flow of information
that is crucial to the health of the firm.
It is also clear that financial institutions should draw on several types of information from various
sources when assessing their risks, particularly when dealing with complex products. No single
source of information is perfect or adequate. Management benefits from having a number of tools at
its disposal to assess risk positions that draw on differing underlying assumptions. Properly
designed, these tools offer different perspectives on exposures and are flexible enough to allow
perspectives on risk to change as business conditions change and new data become available.
Governance Structure
To ensure sound risk management, boards of directors and senior management at financial
institutions must also establish an overall governance and control structure that is credible, robust,
and consistent throughout the firm. It is critical that senior management set the tone at the top,
communicate it, and lead by example. This strategy should be clearly articulated and should be
recognizable in the actions of the firm's employees. Business lines should be held equally
accountable and there should not be any special treatment for "star" employees, even if they are
bringing sizable revenues into the institution in a particularly year.
While certain financial institutions may choose to conduct business on a decentralized basis, they
must always remember that in the end the exposures and obligations are rolled up and combined
into one consolidated legal entity. In addition, the institution's commitment to and emphasis on risk
management should be eminently visible--both within and outside of the organization. For example,
the firm should demonstrate that its risk managers have direct access to top management and play a
key role in decisionmaking. They also must be able to speak authoritatively about the risk profile
and risk-management strategy of the whole organization to market participants and counterparties.
Durability of Risk-Management Structures
Of course, risk-management structures are successful only if they are sturdy and durable. These
structures and their associated strategies should be embedded in the firm's culture and not be
dependent on just one or a few people. They should be part of the fabric of the organization, not just
a few catchy phrases repeated from time to time. For example, understanding and living up to the
firm's risk-management standards should be a prerequisite for advancement to a senior management
position.
Effective risk management remains sturdy and durable only if supported by strong and independent
risk functions that produce unbiased information. Having independent risk managers with a certain

amount of authority allows for clear, dispassionate thinking about the entire firm's risk profile, with
no favoritism toward any business unit. Senior management should encourage risk managers to dig
deep to uncover latent risks and point out cases in which certain business lines are assuming too
much risk. In other words, it is good to have a few people within the institution who--to paraphrase
a former Federal Reserve Chairman--know when to take away the punch bowl. Being the party
pooper, however, can be very difficult in any organization, and that is why it is crucial for the risk
manager to be known as an independent voice who is influential with top management.
Ensuring Adherence to Risk-Management Practices
Any successful organization needs to develop appropriate mechanisms to ensure adherence to and
sustainability of its risk-management structures, and incentives structures are a key mechanism for
this purpose. Appropriate incentives reward good behavior and penalize inappropriate behavior. Of
course, incentives work best when they are known well in advance, that is, when they serve as ex
ante signals of what should and should not be done. Naturally, in very large organizations it is
difficult for senior management to monitor each individual, so incentives need to be consistent,
permeate even the lowest levels of the organization, and remind each individual that his or her risktaking affects the whole enterprise.
Limits and controls can be useful tools for creating the right incentives and sending appropriate
signals, but they of course need to be tailored individually to each firm. Problems can arise when
incentives are not properly structured and appropriate "risk discipline" is not exercised--for
example, when limits and controls are not set or, if they are set, when adherence to them is not
monitored or enforced. Such controls are incentives for business-line leaders to assume only the
risks that the firm can absorb because they penalize those who try to take on excessive risk or
inadequate mitigation in the name of short-term profit maximization. One good practice is to have
reliable, interconnected enforcement mechanisms within the institution, mechanisms that can--and
will--enforce limits. An example is a good centralized treasury function.
Risk-Adjusted Performance Evaluation and Compensation
In trading and certain other activities, there is a tendency for business-line heads or individual
employees to focus on their short-term compensation and not think about the long-term risks that
their activities create for the firm. But it is the responsibility of senior management to provide the
proper incentives and controls to counter the potential for individuals within financial firms to
discount risks to the broader institution, and of course to ensure that nefarious activity is promptly
uncovered and stopped.
Clearly, it is up to financial institutions themselves--not bank supervisors--to decide how
compensation should be structured, but managers and boards of directors should understand the
consequences of providing too many short-term and one-sided incentives. They would benefit from
thinking about compensation on more of a risk-adjusted basis. Accordingly, I encourage institutions
to think about ways to alter existing compensation schemes to include some types of deferred
compensation, since the risks of certain investments or trades may not manifest themselves in the
near term. Thus, it makes sense to try to match the tenor of compensation with the tenor of the risk
profile and thus explicitly to take into account the longer-run performance of the portfolio or
division in which the employee operates. This type of compensation arrangement is already in use at
many nonfinancial firms.
Of course, star performers may prefer to have compensation more front-loaded and threaten to leave
a firm for another one that would not have the same longer-term risk-sensitive compensation
structure. It is important for firms to have the flexibility to choose how they reward their employees,
but it may be valuable to consider the development of industry-wide principles of sound risk
management that would touch upon incentive-compensation issues. Such principles could foster
market discipline in firms if investors were to view the principles as best practices and were to more
heavily discount the reported short-term earnings of firms that failed to adopt best practices.
Although reaching consensus on principles for compensation would be difficult, it seems well worth

the effort.
Reflecting Risk-Management Practices outside the Firm
Information and incentives play an important role not just within an institution, but also outside it.
By this I mean the ability of the marketplace--and supervisors, when necessary--to gather
information about financial institutions and give the right signals to bank management about risk
taking. Naturally, this requires proper disclosure of information by the financial institution so that
depositors, counterparties, shareholders, and other market participants can judge the riskiness of the
institution and act accordingly. Institutions that are able to provide a continual and accurate flow of
information to market participants generally benefit from such transparency. Certainly, this is an
important part of the motivation behind pillar 3 of the new Basel II capital rules emphasizing the
role of public disclosure. This benefit can be even more prominent during financial turbulence,
when market participants become fearful of latent risks and "surprise" losses. Confidence in the
risk-management practices of individual firms can be valuable in maintaining confidence in the
markets in which they operate.
Risk-Management Performance during Recent Market Events
Although some of the risk-management techniques applied during the past nine months were
successful, in other areas challenges remain. In risk identification and quantification, as well as
liquidity-risk management, for example, the importance of information and incentives is evident.
A number of risk-measurement and risk-quantification challenges relate to valuation practices,
particularly with new products. As I noted in a speech last fall, firms should have greater motivation
for applying proper valuation practices as part of good risk management.1 At the center of these
practices is the ability to make appropriate judgments about the quality of information being used
for valuations. The process usually starts with an initial experimentation phase in which market
participants learn a great deal about the product's expected performance and risk characteristics,
preferably under different market conditions. Conducting due diligence about new products can be
costly and take time, but it is usually worth it. Unfortunately, in some recent cases new products
were developed very quickly and not properly road tested. In observing the valuation challenges, the
"Trust but verify" adage has equal application. Market participants must ensure that they do not
make valuation decisions based solely on excessive reliance on external ratings or evaluations, but
that they also undertake their own assessment. And I would suggest that the value of independent
due diligence on the part of market participants is especially high for newer and more-complex
products.
We all know that reductions in market liquidity played a large role in recent events, affecting the
valuation of financial products. As with other risk areas, a number of practices were applied over the
past nine months to identify and try to quantify the potential for disruptions in market liquidity.
Good practices included attempts by business lines and trading desks to embed market-liquidity
premiums or to apply market-liquidity haircuts in pricing models and valuations. That is, there was
an understanding that information in benign periods did not reveal the full set of potential outcomes,
and that disruption of market liquidity had the potential to affect market prices by driving down the
value of certain instruments and to create losses. Conversely, problems arose when some managers
did not make market-liquidity adjustments in their quantitative estimates and models and simply
relied on recent information from good times, when there was ample liquidity.
The Basel Committee's working group on liquidity began an exercise to review liquidity-supervision
practices early last year and just last week issued a public report that builds on the Basel sound
practices for managing liquidity risk issued in 2000. The report emphasizes that financial
institutions should conduct stress tests and contingency planning exercises to prepare for potential
problems in both funding and market liquidity, capturing market-wide events, events affecting
multiple markets or currencies simultaneously, and the combination of idiosyncratic and marketwide shocks. In conducting this analysis, firms should better integrate stress tests and contingency
funding plans.

As with other risk areas, weaker performance in funding and liquidity-risk management can
sometimes stem from inadequate information and poor incentives. During recent events, firmwide
liquidity-management strategies were most effective when they included proper incentives and all
relevant information, including information about the potential for certain exposures to be added to
a firm's balance sheet--so-called unplanned asset expansions.
Successful plans also contained information about the potential liquidity needs of individual
business lines and how those might affect funding for the entire organization. In other words,
individual business lines were instructed to evaluate their likely needs for funding and relate those
needs to the treasury function. In some cases, managers have considered the potential adverse
liquidity outcomes from engaging in certain businesses and therefore have decided to limit their
involvement or stay out of those activities altogether.
Concluding Thoughts
The banking industry has the primary responsibility for fostering a culture of effective risk
management, but of course supervisors have their own role to play in ensuring the safety and
soundness of individual firms and a viable financial system. Therefore, both should continue to
work hard to improve risk management in light of recent market events. U.S. supervisors are
cooperating with their counterparts in other countries to help the industry address risk-management
issues--bilaterally as well as through international forums such as the Basel Committee on Banking
Supervision and the Financial Stability Forum. I am delighted to represent the Federal Reserve in
both forums.
Of course, appropriate remedies will not be developed overnight and, when they are developed, may
take some time to implement. Institutions should make appropriate adjustments to risk management
and should do so thoughtfully and carefully. Indeed, firms should focus on long-term improvements
in their risk-management culture and remember that practicing good risk management is an ongoing
process that needs to be continually updated and reviewed for its efficacy.
Given the challenges in information flows and incentives I highlighted earlier, firms should devote
particular attention to these two areas. Even an institution that was relatively untouched by recent
events should remain vigilant about the next potential source of turbulence, to ensure that it is
prepared to analyze information about its risk exposures and distribute that information throughout
the firm. Going forward, therefore, senior management at financial institutions should ensure that
they have complete and timely information about risk and demonstrate the ability and will to act on
it. They should also be aware that the next crisis could come precisely in the area where they are
most exposed or have weaknesses. That is, a certain degree of humility is wise, because all firms
have a limited understanding of what might happen next.
All senior managers would benefit from taking a fresh look at the incentive structures within their
firm. For example, are all parties being compensated on a risk-adjusted basis that takes into account
longer-term performance? Is management able to determine how risk taking at the business-unit
level affects firm-wide risks? Do business units have the right incentives to consider their units' risk
taking in the context of the entire institution? These and other questions deserve attention, given
some of the risk-management challenges seen lately. But I am confident that the industry can find
appropriate solutions, and supervisors will assist them in those efforts.

Footnotes
1. Randall S. Kroszner, 2007, "Innovation, Information, and Regulation in Financial Markets,"
speech delivered at the Philadelphia Fed Policy Forum, Philadelphia, November 30. Return to text
Return to top