Calculated risk

FST quizzes UniCredit’s Senior Risk Controller, Klaus Böcker, about current security concerns and risk management in financial services today.

FST. What impact has the US sub-prime crisis had on risk management in the European banking sector?
Klaus Böcker. The current market turmoil is something that most of my colleagues and peers in the banking industry have possibly never seen before. Although the crisis originally started in the US, it has spilled over into Europe and I clearly expect it to have tremendous effects on risk management. I mean here not only in the context of risk quantification and economic capital (EC) calculations, the field I am mainly working in at the UniCredit Group (UCG).

Clearly, flawed risk measurement techniques, inadequate risk modeling such as mispricing of CDO tranches played an important role in this credit crunch. However, They are only part of a larger mosaic of problems and misfortunes that have to be considered when we want to get at the root of this crisis. In my opinion, the so-called origination and distribution model plays an important role in this context. For quite some time experts have been criticising the fact that the increased practice of large financial institutions distributing loans to investors rather than holding them on their own balance sheets has created an opaque financial system with huge intrinsic risks. As a consequence, between a saver and a borrower there are a large number of financial intermediaries today, like mortgage lenders and brokers, loan packagers, securitisers, rating agencies, hedge funds etc. All together they are creating a highly complex world, entailing a systematic risk that has obviously been underestimated for a long time. Now we're seeing this unfolding, with a huge economic cost.

FST. When it comes to operational risk, what lessons have been learnt (or need to be learnt) from the massive losses racked up by Jerome Kerviel at Société Générale?
KB. This is a typical example for operational risk. The question is how Jerome Kerviel was able to hide his massive speculative positions to the Dow Jones Eurostoxx 50 just by offsetting them with fictitious trades in the banking system.

Three years ago, in a technical paper about operational risk quantification published in RISK Magazine, my co-author Prof. Claudia Klüppelberg and myself argued that operational risk actually is a kind of a ‘long-term killer’. The reason for this is basically that when operational risk losses are – as statisticians usually call it – ‘ heavy-tailed’, then it is just a matter of time until a devastating loss occurs. At the time we were writing that article, maybe the most spectacular example for a bank failure caused by operational risk losses was Barings Bank after the rogue trader Nick Leeson had been hiding loss-making positions in financial derivatives. In this respect, Société Générale's loss of EUR 4.9 billion due to trader fraud, and Bear Stearns near-death because it was not able to price its mortgage portfolios, are new examples of doubtful fame in a series of inevitable severe operational risk events sure to occur from time to time.

However, I don't want to be fatalistic. I think what has to be learned is that it is increasingly important to have a sound and reliable operational risk management, consisting of risk identification, monitoring and reporting, and risk mitigation. Clearly, for such complex banking organisations as we have today this is easier said than done, and therefore operational risk management is an ongoing process, which continuously has to be improved and adapted. For instance, always try to poke holes and identify weak points in your business practices and processes. Never get complacent; never be too convinced that you are doing everything right and that you have a foolproof model. Bear in mind what the German philosopher Friedrich Nietzsche once said:

“Convictions are more dangerous enemies of truth than lies.”

FST. What do you see as the key challenges that financial companies face when managing risk, in particular to the current crisis? How can these challenges be addressed in the future?
KB. Personally speaking, I think we should step back a bit. Over the past years many of us have experienced the sunny side of risk. I mean, the fact that risk is intimately related to the expected return of a business made us believe that risk is first and foremost something positive. This is also reflected in the euphemistic wording we have adopted, e.g. when bankers determine the total amount of risk exposure a company is willing to accept, they usually call it risk appetite. Now ‘appetite’ is usually associated with something positive and healthy, and indeed is essential for us to survive. But when talking about risk, we should bear in mind that the meal we are going to eat might actually be hard to digest or even contaminated. Risk is not just an abstract number you need to fill your report; it is something very real, something potentially devastating that can destroy your business completely.

With respect to the current crisis, I think many bank managers were well aware that something was going wrong and things could turn bad. But then there are the shareholders, pressurising banks to deliver the best possible returns, and executives usually have to account to them on a quarterly basis. I think this is pretty much what the former head of Citigroup Charles Prince actually meant when he said just before things turned to pot: “as long as the music is playing, you’ve got to get up and dance”.

Finally, there is a psychological phenomenon that helps to explain why we all too easily forget about the true nature of risk, and what in behavioural finance is referred to as overconfidence. To put it simply, in good times when your decisions are confirmed by positive results, humans simply tend to have too much confidence in their own judgements.

FST. Can you tell me about the processes you have in place at UniCredit Group to capture risk?
KB. UCG is one of the largest international banking groups with strong roots in 23 European countries and we have representative offices in 27 other markets. Therefore a strong and efficient CRO function is needed and is achieved by both a centralised and a decentralised approach. The latter is used for the CEE countries where the CRO of each bank is either part of the management committee or a board of manager with a reporting line to the CRO of Bank Austria. For the core countries of UCG, i.e. Italy, Germany, and Austria, we have a divisional steering approach where divisional risk officers (DRO) are responsible for retail, corporate, and investment banking, and all these DROs report directly to the CRO of the Holding.

FST. What impact does the raft of financial regulation out there like Basel II have on your work?
KB. Since I’m working in the EC arena, my work is closely related to Basel II. More precisely, in the second pillar of the new regulatory framework, supervisors require banks to implement a so-called Internal Capital Adequacy Assessment Process (ICAAP). Although in order to comply with Pillar II banks do not necessarily have to adopt formal EC models, many banks have such techniques in place, as does UCG. Needless to say, for such a complex institution as the UCG, implementing an ICAAP is not a trivial task. However, we are very positive about our approach and are convinced that it will finally improve our overall risk management.

FST. You are a regular speaker on risk and have written technical papers in operational risk, credit risk, strategic risk and risk integration. How do you see the role of risk measurement evolving or intensifying over the next few years?
KB. Clearly, the subprime crisis has sparked an ongoing debate about the value of risk quantification. I remember a lot of headlines of last year reading: “The failure of Wall Street mathematics", "Why did risk models fail?" etc, and we surely have to ask some genuine questions with respect to model risk. Nevertheless, using the old cliché again that "what cannot be measured cannot be managed", maybe followed by "and what cannot be managed cannot be improved", I'm really convinced of the necessity of risk quantification. This is also confirmed by Basel II where supervisors explicitly encourage banks to assess and estimate all their material risks more accurately. Consequently, many of those risks currently only considered within Pillar II (such as business risk) will play an even bigger role when thoughts eventually turn to Basel III. Therefore, every reduction in risk measurement activities today would be a clear step backwards.

Having said that, the bigger question is how the results of risk measurement should actually be used in practice. First and foremost, we have to accept that every model is only a simplified description of a much more complex reality. Therefore we have to be aware of the underlying assumptions and the context in which a specific model is used. Moreover, we have to strike a compromise between the mathematical complexity of a model versus a solution that is still manageable and even comprehensible intuitively. There is an apt saying by Albert Einstein that one should "keep things as simple as possible, but not simpler". I think this is the way we should start looking at models, numbers and figures. Put another way, improved risk measurement does not always mean higher mathematics and more complex models but sometimes just more common sense.

FST. Do you think risk measurement can help to prevent future crises?
KB. As I said, at an institutional level an improved risk measurement has to definitively be part of the equation when it comes to risk mitigation. But ultimately, it is up to the management how risky they want their business to be. Maybe this has an analogy to traffic where the number of road fatalities has not declined since the invention of the airbag, simply because people now drive faster and take more risks.

At a systemic level, a future crisis could be alleviated if one could successfully prevent an initial infection spreading over to other market participants. This is in effect what risk modellers usually call ‘contagion’. To achieve this, regulators have to think more holistically by basically taking the whole international financial network into consideration.

Klaus Böcker works as a Senior Risk Controller in UniCredit Group and is team head of Risk Analytics and Methods. In this capacity, one of his primary responsibilities is overseeing all quantitative aspects of UniCredit Group’s economic capital model, in particular business risk, real estate risk, financial investment risk and risk aggregation.