Halsey Keetch - Enterprise-Wide Risk Management: A Conversation with Tanveer Bhatti

Tanveer Bhatti is a model risk and enterprise risk specialist who has spent a substantial career in global banking with the likes of Citi, JPMorgan Chase and HSBC. A gifted and passionate mathematician, he contemplated pursuing a PhD in the subject before opting instead to begin a career in accountancy, moving subsequently into investment banking. From finance and valuations, he progressed into the emerging fields of model risk and quantitative analysis, leading to his becoming Global Head of Model Risk for one of the world’s largest universal banking groups.

HK:  Tanveer, a controversial question to start with, but given what happened a decade ago, was the financial crisis really down to a failure of risk management?

TB:  My response to the question may be controversial, but it was down to a confluence of many things, key amongst which were over-lending to subprime customers against inadequate underwriting standards, and lapses in corporate risk governance, with greater emphasis ‘on partnering with the business’ than being a ‘policeman’. To expand, there were deficiencies in risk models that everyone had thought were working fine because expensive model validation staff had said so. Not pulling any punches, these analysts did not really understand the business and were therefore ineffective in challenging it. There was also a widely exposed, credibility-shredding failure on the part of the credit rating agencies, who themselves were over-rated as purveyors of an accurate view of the world. On top of that, it was a phase in the evolution of the global financial industry during which greedy bankers were only too keen to exploit all available regulatory, tax and accounting loopholes for their own commercial benefit. Loose, and sometimes vague, mark-to-market accounting standards permitted recognition of revenue on opaque transactions, which was what ultimately did for Lehman Brothers. Finally, there was the inability of regulators to attract top talent that might have adequately challenged the banks, and generally a fairly lax approach from regulators in general, as manifested in their fundamentally inadequate rules around prudential capital. So I don’t think it was solely a failure of risk management; rather, it was the inability of the whole industry at the time to orchestrate an effective enterprise-wide risk management process. In my opinion, if designed and implemented properly, enterprise-wide risk management could have identified and mitigated the impact of the crisis. I’d also mention the reliance, especially in case of some credit derivatives, on models that were far too simple to suit the purpose. It is from the crisis that the field of model risk management has evolved.

HK:  Next, a bit of an essay question: ten years on from, and as informed by the crisis and regulators’ subsequent response, how would you define the role and positioning of risk managers in today’s financial services industry?

TB:  Peter Bernstein, who wrote ‘Against the Gods’ (a book exploring the role of risk in our society), was right about the persistent tension between those who assert that the best risk-based decisions are based on quantification and numbers, determined by the patterns of the past, and those who base their decisions on more subjective degrees of belief about the uncertain future. With the crisis as a backdrop, the expectations placed on risk managers in terms of their duties and their versatility have risen dramatically. The crisis separated the risk management community into two buckets. There is the bucket labelled ‘must do better’ and the other is ‘can bring enormous value’. As regards those who fall into the first bucket, I think a clear lesson is that a successful replay of past approaches cannot be relied upon in the future. Their over-reliance on quantitative outputs from models that assume tomorrow will be more or less like today, or to put it another way, driving by looking at the rear-view mirror, hindered their ability to foresee capital-annihilating extreme tail events and the evaporation of liquidity, both of which we saw in quick succession during the financial crisis. Tail event risks and liquidity risks are not measured by the formerly ubiquitous risk measure – value-at-risk. VaR was catapulted into centre-stage by the Basel Committee on Banking Supervision that allowed it to be used for capital calculations, and by the Securities and Exchange Commission, that required a quantitative disclosure of market risk in banks’ annual reports. Because of the crisis, value-at-risk as a concept has taken a beating in recent years. Alan Greenspan said, in the aftermath of the crisis, that he too had failed to foresee, “the whole intellectual edifice… collapsed in the summer of last year because the data input into risk-management models generally covered only the past two decades, a period of euphoria. Had instead the models been fitted more appropriately to historic periods of stress, capital requirements would have been much higher, and the financial world would be in far better shape today, in my judgment.” The “intellectual edifice” was constructed largely by those I describe as being in the ‘must do better’ camp.

HK:  And what about the risk managers that can ‘add enormous value’?

TB:  Successful risk managers bring enormous value in seeking to creatively prognosticate a future they have never experienced. They apply greater focus and concern to what can happen 1 percent of the time. They also recognise that their job is to know when they don’t have a sufficiently transparent view of the risks applicable to a certain scenario to make an effective judgement. They have the experience to appreciate that models can add value, but they also know and accept that risks exist that the models are incapable of identifying. As a consequence of the crisis, such risk managers are now members of senior committees inside large firms. They are invited to senior executive management team meetings, and their opinions are sought frequently by the most senior leaders within these businesses. And you need both types of risk expertise, i.e. the quantitative and the intuitive, to cover all bases, or as many bases as possible. In this context, one can speak of two kinds of risks: (i) uncertainty in events that occur or can be considered to occur in mass-phenomena, versus (ii) uncertainty in one-off events. The former is described by the ‘Kolmogorov theory of probability’; the other by theories that deal with the probability of the result of a single event (for instance, Popper’s propensity theory, and the Dempster-Shafer theory of belief functions). Kolmogorov’s probability theory is widely taught and fairly well understood, in contrast to theories developed for non-repeatable events, which are naturally harder to define and comprehend. High-level risk managers should couch their valuable insights about risk in the language of non-Kolmogorov style theories, difficult though it may be.

HK:  It’s very interesting to hear you talk about things in the context of these theories. I guess risk remains as much a mathematical concept as it is a philosophical one. Is risk itself as a concept much further forward, in terms of its definition?

TB:  I certainly think so. In banking, for example, it is now accepted that the risk concept has moved beyond the traditional quantitative taxonomy of market, credit and model risk, into the realms of a holistic notion called ‘enterprise-wide risk’. To substantiate this, consider that the financial crisis was as much about faulty models as it was about ethics. Was it right to lend to folks whose credit history suggested they would not pay you back? At the height of the housing bubble, Citigroup CEO Chuck Prince said, “as long as the music is playing, you’ve got to get up and dance…”

HK:  Which is famous for being one of the most hubristic phrases of the whole sorry affair…!

TB:  And yet it was a reflection of how the world was viewed at the time by the bankers leading the charge – a phrase almost entirely devoid of any recognition of the range of risks – economic, financial, ethical – that were, with hindsight, clearly on display. Perhaps an effective enterprise-wide risk management function would have stepped up and stopped him taking to the dance floor because of the increasingly discordant tune that was emerging! 

HK:  And where is risk right now, do you think?

TB:  As a concept, risk can be thought of in three categories: the first covers self-inflicted wounds generated internally, such as employee bad behaviour, badly-designed systems, lack of controls. Secondly, there are risks from doing your type of business and your choice of strategy in particular, such as the market and credit risks encountered by an investment bank. Finally, there are things caused by actors and factors on the outside of your business, such as macroeconomic and political risks. While the first can be managed using rules and monitoring processes, the other two, as underscored by the events of the crisis, require a very different approach involving open and frank discussions. It is the job of the enterprise risk function to bring all of the above together so as to provide the Board of Directors with the ‘Big Picture’. Therefore it’s an emerging function, but one with an increasingly important role.

HK:  Where are the frontiers in theoretical thinking around risk in finance right now?

TB:  Let’s first agree on the terminology. The term ‘risk’ refers, often rather vaguely, to situations in which it is possible but not certain that some undesirable event will occur. For example, a risk is an unwanted event which may or may not occur. So heart attacks are one of the major risks that affect obese persons. Or, a risk is the cause of an unwanted event which may or may not occur: “A poor diet is the most important health risk in the UK.” Risk also has a quantitative sense, where risk is defined as the probability of an unwanted event which may or may not occur. For example, the risk that an obese person’s life is shortened by a heart attack is about 50 percent. We also have risk as the statistical expectation value of an unwanted event which may or may not occur. Some purist risk managers regard this as the only correct usage of the term. Finally, risk relates to a decision made under conditions of known probabilities – a ‘decision under risk’ compared with ‘decision under uncertainty’. When there is a risk, there must be something unknown, or something that has an unknown outcome. And so, knowledge about risk is knowledge about lack of knowledge. A decision is made ‘under risk’ if the probabilities are known and if they are unknown, ‘under uncertainty’. In practice, rarely are probabilities known with certainty. Theoretical risk management discussions of ‘risk’ – known probabilities – involve tossing coins or rolling dice, where the odds are assumed to be known with certainty. In ‘real-life’ risk management – and this point is made even more important since the crisis – even if we make a decision based upon what we believe to be a known probability estimate, we are not certain that this estimate is perfectly correct, and so there is uncertainty. For that reason, almost all decisions are made ‘under uncertainty’. For practical purposes, risk managers must understand their simplifying assumption of treating risks that they confront in their day-to-day roles as a case of known probabilities, and they must acknowledge that this is an idealisation in risk management theory.

HK:  You’re saying that beyond a certain point, no one can ever manage all the risks implied by a given scenario.

TB:  It is possible that when the differential between uncertainty and known probabilities is multiplied by a large exposure – like a huge and opaque portfolio of mortgage-backed securities – the result may be significant and so violate the simplifying assumption. A major risk management problem highlighted by the crisis is how to deal with the severe limitations of our knowledge of the behaviour of complex systems, such as unfolding contagion, the world economy, and climate change. These systems have many components, each of which may interact with the other in non-linear ways, making them highly unpredictable. Understanding how to make reasonably reliable statements, based on consideration of as many variables as possible, is one area at the frontier of risk management. Another frontier in risk management is the development, implementation and use of artificial intelligence in business decisions and processes.

HK:  Now this is a really exciting area, for obvious reasons, although my understanding is that AI’s applications are limited at present, despite all of the talk around the potential of the field.

TB:  Let’s come back to AI, because it’s really a crucial aspect of the current risk discussion. Expanding on the frontiers in risk theory, risk management today is setting a new paradigm for applied statistics. The tool kit of theoretical and applied statistics deployed in real-life situations that are not constrained to laboratories, industrial production environments, and the social sciences, is risk management in its current guise. There are many risk management institutions popping up today – take for instance the Institute of Risk Management at Cambridge University – which point towards the formation of a whole new discipline. A new way of thinking about one of the most crucial aspects of human existence, and existence in general. Another thorny problem in risk management is dealing with dependence. The models available today – the Levy process, for instance – are good first-order approximations for more complex dependence structures for which we don’t yet have the intellectual tools to describe.  

HK:  It’s an exciting field, albeit a confounding one, and highly technical as well. Wrapping one’s mind around the concepts themselves, let alone the mathematics, puts this in a highly academic realm. Clearly though, it’s a point of urgency for society to more clearly understand and apply risk management to daily life, forward-planning etc. You mentioned climate change and complex systems earlier, and these are clear and present issues for modern civilisation. What about enterprise risk as a possible cure-all, ultimately? Is it the panacea that it sounds like it could be, or just a cool job title?

TB:  I don’t think it’s a cool title. Some find it really confusing when you already have a Chief Risk Officer. What exactly is a ‘Head of Enterprise Risk’?? In all seriousness, I mentioned above how a proper implementation of enterprise-wide risk management could have reduced the effect of the financial crisis. Enterprise risk management expands the scope of risk management to every business risk of the firm. You need to think of all these risks and the impact they may have on each other, so you can build a total risk profile. Expansion in the scope of the function even includes things like competitor risk, strategy risk, and reputation risk, as the point of enterprise risk management is not only to identify threats to achieving the firm’s objectives, but also opportunities. It is not a panacea and I don’t think panaceas can exist by the very nature of an evolving risk environment. There is no ‘cure-all’, and hoping for one is counter-productive, in business and elsewhere.

HK:  Let’s face it – there is no ‘cure-all’ for climate change, given the complexity of the system involved.

TB:  Exactly. What you must do is try to reduce the residual risk to a level that is within your risk appetite, and keep it there. One final point I’d like to mention is that to operate an effective enterprise risk management process, you can’t just be a ‘rules’ person, and treat it as a compliance activity. Of course, rules-based compliance and controls have an important role, but you would be deluded in thinking that these are sufficient for an effective enterprise risk process. I know of an example of a Chief Risk Officer at a large firm who had details of someone who displayed a pattern of inappropriate behaviour escalated to him, with all the consequences for reputation risk to the firm. This CRO’s course of action was to pass the matter to someone else. He couldn’t handle the situation personally, because it wasn’t covered in his rules-based approach to risk management. This is not the way forward.

HK:  We mentioned artificial intelligence earlier. What advances in risk management is technology enabling, and how are financial institutions making use of this?

TB:  Operating efficiency, cost containment and business transformation are some of the key areas where large firms are embracing artificial intelligence in a general sense. Although in focusing on the impact of new technologies on financial institutions, let’s not forget that the financial industry has an inglorious past, where innovation has occasionally outpaced the ability of senior managers and boards to keep up from a risk management standpoint, with catastrophic consequences. The advances in technology that are enabling enhanced risk management techniques have at the same time opened up new channels for criminals and cyber terrorists, who form an expanding set of players capable of exploiting the scalability of artificial intelligence to perform ever-larger attacks. Another area that concerns risk managers in relation to artificial intelligence is the potential violation of legal and societal norms. For example, whilst the use of intelligent machines for credit risk scoring has generated benefits, this comes with hidden biases. This is because the training data used is usually based on past decisions of humans. It is possible that algorithms may identify and therefore sustain ethnic, gender and other biases. These biases cannot be pinpointed to a particular line in the code because they are incorporated within the hundreds of thousands of interacting factors used by the learning algorithm. That’s a new risk management challenge, rather than an advantage. You might come across similar issues in the recruitment process, where digital hiring systems are making decisions based on previous human-made, and therefore bias-prone decisions. In addition, artificial intelligence systems are notoriously difficult to audit compared to traditional systems, because the underlying conditions that generated the outcome at the time may have changed by the time the audit takes place. This severely limits the auditor’s ability to provide meaningful opinions on issues that might arise. Finally, bear in mind, neural networks do not work with literal truths. They use statistical truths. Therefore, risk managers find it difficult to state with certainty that the system will work in all cases. In some real-life / real market applications, this may not be good enough.

HK:  It sounds as though the risk manager will not find their role being entirely replaced by robots anytime too soon! What advice might you have for people starting their careers in risk management at this point?

TB:  So as to understand what is really involved, I’d recommend a bit of networking and discussion with people in the profession, like me! And prior to this, think about the relevance of your studies. When I was about to enter university, it was possible to have some reasonable belief that the contents of my degree would remain relevant to my career in business after I graduated. This may still be true for some areas of risk management, although given aspects of our discussion, I would suggest budding risk managers consider carefully the influence of robotics, machine learning and artificial intelligence on their area of planned expertise. The pace of progress in our world is curving upwards, give or take some pronounced political risk, and naive ‘straight-line’ prognoses around the future of work may be way off when reality crystallises.

HK:  I agree – it’s important to try and manage ‘career risk’ as far as possible from the very outset, although the world is as dynamic a place now as it has ever been. Tanveer, a fascinating discussion – thank you for your time.