Risk Management · April 28, 2021

Risk Management is Not a Job for Compliance

Credit Suisse's losses show why boards require real risk management expertise

Benedict Roth

Risk Management Expert · Former Supervisor, Bank of England

Credit Suisse's recent losses on its Archegos financing remind me of an announcement — nearly 10 years ago — from the repo desk of my then-employer, at our weekly sales meeting. The desk had proudly booked $3 million of profits on a long-dated, multi-billion-euro structured trade with the National Bank of Greece. When I enquired about the collateral, I learned it was composed of Greek government bonds. My heart sank.

This was only the beginning of the eurozone crisis, and many institutions were still ignorant of wrong-way risk. Holidays and other absences had pushed responsibility for credit sign-offs to a senior executive who was unfamiliar with repo. The bank recorded repo credit exposures at only a small percentage of the notional amount, so the size of the facility failed to attract his attention. He approved it without consulting a counterparty credit specialist. Others were left to hedge it, manage it and worry about it for the next three years.

On top of the Archegos meltdown, Credit Suisse faces a possible loss of $3 billion from credit-wrapped paper placed into client funds from a 'supply chain finance' specialist that does not appear to have been capable of surviving any serious due diligence. These twin failures should trigger a debate in the profession about the value of risk management experience and expertise.

Back in February 2019, when Credit Suisse reorganised its risk management function, it replaced an experienced, veteran risk management professional with a new chief risk officer (CRO) who appeared to have no experience or qualifications in the area. According to the biography published by Credit Suisse in its annual report, the new CRO's original professional training had been in equity research rather than in risk management.

Risk management professionals know the value of experience, judgement and training. The original manual for RiskMetrics, the first-ever popular mathematical risk model, stated: 'We remind our readers that no amount of sophisticated analytics will replace experience and professional judgment in managing risks'.

Credit Suisse's new CRO was unfortunate to be placed, at an exceptional time, in a risk management position with awesome responsibilities but without the necessary experience, education and training.

She was not alone. Credit Suisse's board had a risk committee, charged with oversight of the bank's risk management resources, but only one of its six members had a professional background in risk management. And Credit Suisse is not alone. The board of Nationwide, Britain's largest building society with 15 million members, runs a risk committee in which not a single member has professional risk management experience.

Effective risk management requires technical training — to disentangle the substance of complex transactions and portfolios from their form and to understand their weaknesses — as well as a capacity to maintain risk standards and risk limits, to turn away profitable business when necessary, to articulate difficult truths, to tolerate being disliked, and to motivate the organisation to do the same.

Few board members would consider appointing a general counsel without legal training or a finance director without a background in accounting — should shareholders or directors permit risk management to be treated less seriously?

If tomorrow's financial institutions are to remain safe and sound, today's risk management professionals need to make their voice heard soon, while the public is still listening.