bank risk manager wp

8/8/2019 Bank Risk Manager WP

1/48

Th e Bo st o n Co n su l t in g Gr o u p

Resu lts o f a Global BCG Stu d y

From Risk Takerto Risk Man ager

Ten Principles for Establishing

a Compreh en sive Risk Managemen t

System for Banks

January 2001


2/48


3/48

Table of Contents

Foreword 3

Summary 5

From risk taker to risk manager: General issues 7

Principle 1: Risk management must become a central element in a

banks overall management system 12

Principle 2: Risk management must be firmly established at

all levels of the organization 14

Principle 3: Value-at-risk concepts should become the norm 15

Principle 4: An active portfolio management system should be

implemented for credit risks 19

Principle 5: Banks must move from measuring to managing

market risks 24

Principle 6: Operational risks should first be approached pragmatically 27

Principle 7: All types of risk should be aggregated 32

Principle 8: A banks management system should be

based on economic capital 35

Principle 9: Employees must nurture a risk-return culture 37

Principle 10: The concept in itself is nothing: It is the application

that creates competitive advantage 39

Notes on the study 42

1The Bost on Consul t ing Gr oup


4/48


5/48

Foreword

The banking industry has had a rude awakening. Cases like Barings, Schneider,

and Metallgesellschaft have shown the banking world it needs to treat lending,

and risk in general, far more carefully. Bank managers have long been aware of

the importance of having a comprehensive risk management system in place

much work is being don e to d evelop new structures and procedures. But n ot on ly

the highly publicized cases have made a deep impression on management: high

insolvency rates, an increasingly competitive environment, stricter supervisory

guidelines, and the emergence of the Internet also threaten the banking estab-

lishment.

In spite of challenging conditions and th e evident need for chan ge, many banks

are still hesitating to put a comprehensive risk management system into practice.

Particularly in the area of risk management, there is a notable lack of clear con-

cepts and well-articulated strategies. Risk management can no longer be consid-

ered in isolation. Together with portfolio managemen t, it is an integral part of the

bank managemen t system. It permeates all steps of the value chain. And above all,

it is a factor essen tial for sustainable, successful shareholder value m anagem ent.

The Boston Consulting Group has long recognized th e impor tance of a compre-

hensive risk management system. On the strength of many years of consulting on

intern ational projects, BCG wants to help promote the developmen t of risk man-

agement. The BCG concepts described here can help guide banks on the path

from "risk taker" to "risk manager" and thereby provide one of the main ingredi-

ents for success in the banking business of the twenty-first century.

We h ave formu lated ten principles that ou tline one possible path to a consistent

and efficient risk management system. It is a path strewn with obstacles and one

that demands endurance, but it also leads directly to the goal. Although other

strategies may be equally successful, our ideas have been tested extensively in the

real world. In ou r study, which included some 60 leading banks and r isk manage-

ment software vendor s, we analyzed the state-of-the-art o f risk man agemen t in the

banking industry.



6/48

Ou r special than ks go to all participants in the study, who have given freely of

their expertise and time. We would also like to thank the BCG risk management

pr oject team , namely, Susanne Chakr avarty, Carsten Gerh ard t, Sebastian

Hofmeister, Christian Rosen, and the project leader, Franz J. Herrlein.

We h ope that what follows piques your interest, and we wish you every success with

your risk management plan!

Thomas Gro Claus Michalk Andrew Cainey

Vice President Vice President Vice President

4 The Bost on Consul t ing Gr oup


7/48

Summary

Banks must become risk managers if they are to survive in this highly competi-

tive industry. This requires developing a consistent and comprehensive risk

management system. BCG has formulated ten principles for achieving this goal.

Principle 1: Risk management must become a central element in a bank's

overall managem ent system

Principle 2: Risk management must be firmly established at all levels of the

organization

Principle 3: Value-at-risk concepts should become the n orm

Principle 4: An active portfolio management system should be implemented

for cred it risks

Principle 5: Banks must move from measuring to managing market risks

Principle 6: Operational risks should first be approached p ragmatically

Principle 7: All types of risk should be aggregated

Principle 8: A banks management system should be based on economic

capital

Principle 9: Employees must nurture a risk-return culture

Principle 10: The concept in itself is noth ing: It is the application that creates

competitive advantage

BCG under took a global study to show the exten t to which banks have developed

risk management systems. The result was disheartening! Barely 5 percent of the

banks surveyed can be classified as risk managers, whereas a good two thirds still

see themselves as risk takers. The remainder, about 30 percent of the institutions

inter viewed, are cur ren tly tran sforming th emselves.



8/48

Banks that succeed in identifying and eliminating areas of weakness from their

organ izations can lay the foun dation for a successful risk managemen t system and

thus for an holistic, value-based bank management system. This in turn opens up

the path to sustainable improvemen t in shareholder value.

What main conclusions can be drawn from our study?

First, technical development will not be the determining or even sole success

factor in the future. Much more important than a bank's ability to implement

mathematical models is its ability to handle risk. Risk needs to be understood

strategically and controlled organ izationally. A rapidly chan ging and competitive

environment has encouraged banks to focus on selected business segments, and

the resulting loss of opportunities for risk diversification has contributed to thegrowing impor tance of risk management.

The adjustments to processes and systemsoutlined in our studythat are need-

ed to realize a risk-based man agemen t ph ilosophy, however, are n ot en ough. The

real change has to occur in the attitudes and minds of the employees. They must

be brought to understand that managing risk is crucial for success. This change

cannot be brought about th rough appeals and requests alone. Intensive training,

clearly defined structures and responsibilities, and a commitment to change are

equally important.

In conclusion, this change will become no less urgent in the next few years. The

banks that begin th e (unavoidable) restructur ing early and recognize the impor -

tance of a comprehensive risk management system will be in the best position to

respond to future demand s.



9/48

From risk taker to r isk man ager:

General issues

The competitive landscape in th e banking industry is changing rapidly. The con-

cept of the "universal bank" is being abandoned in favor of a growing ten den cy to

focus on selected business sectors and product segments.

This paradigm shift is being driven by technological developm ents, changing cus-

tomer behavior, and th e increasing significance of the capital markets as a sour ce

of financing for companies.

The trend away from traditional, longer-term lending and toward off-balance-

sheet business is accelerating. Understanding and structuring risk is becoming

ever more important, and active portfolio management is replacing the tradi-

tional buy-and-hold approach.

The bank's internal ability to actively handle risk is quickly growing in impor-

tance. New target measurements are being introduced for risk management:

strategies are increasingly influenced by a risk-return-oriented op timization of the

por tfolio and the allocation of economic capital.

Simply meeting regulatory requirements is not enough

Over the last few years, two factors have shaped the discussion surrounding risk

management: competitive requirements and supervisory regulations. In the

future, banks will and indeed must concentrate more than ever before on com-

petitive challenges. Focusing on regulations alone may not necessarily lead to suc-

cess because these regulations cannot keep pace with fast-changing competitive

conditions. And regulations represent only the minimum standards to be met.

Our study identified clear regional differences. In North America and Australia,

banks are concentrating on risk management primarily to enhance their com-

petitive positions. In Europe, in Asia, and par ticularly in South America, however,



10/48

risk management is considered primarily from the perspective of regulatory

requirements.

As a result, the effects of the proposals drawn up by the Basel Committee on

Banking Super vision on the topic "A New Capital Adequacy Framework" are clear-

ly assessed in different ways by the banks surveyed:

s The hot topic in Europe, and in Germany in particular, of whether and how

to accept internal ratings and th e associated regulator y capital backing is no t

an issue for the North American banks questioned. This problem appears

almost negligible to them because they have a broader base of externally

rated companies. Moreover, North American banks have already begun trad-ing debt from the segment of small and medium-sized companies as well as

from re tail customers. There are also a significant nu mber of customers in

the portfolios of American banks, however, that are not rated by external

agencies. This is likely to cause problems similar to th ose experienced in th e

rest of the world.


Assessment of main risk management drivers by the banks surveyed

40%

60%

Competition

Regulators

The main driver ofrisk management is

North America

Competition Regulators

South America -

-

-

Europe

Asia

Australia

( ) ( )

( ) ( )

Source: BCG study

Global Regional

Competitive pressure as the main driver in North America

and Australia

Exhibit 1


11/48

s Within Europe, Scandinavian and British banks indicated they were least

affected by the innovations in Basel. And South American banks seem almost

unaware of a problem.

Exhibit 1 assesses the relative importance of regulatory requirements and com-

petitive pressures.

In conclusion, risk management concepts differ significantly from region to

region . The leaders are mainly institutions from th e Un ited States. However, non-

U.S. banks are making the greatest efforts and are simultaneously continuing to

improve th eir databases, so Europeans, in par ticular, should be able to red uce the

disparity somewhat over the n ext few years. Even today some European banks arecounted among the leaders in risk management.

Accordingly, banks should not restrict cur ren t d iscussion to simply fulfilling reg-

ulatory requirements. Rather, they should focus on building competitive advan-

tage through risk management.

Significance of the different types of risk for banks

Individual types of risk must be considered separately to derive concrete recom-

mendations for dealing with them. In our study we wanted to find out what sig-

nificance credit, market, and operational risk have for the banks we interviewed.

The conclusion: credit risk is and will continue to be the most important risk cat-

egory in th e future, but oper ational risks will gain in importance. The results sup -

por t th is conclusion:

s More than 50 percent of banks surveyed described credit risk as the most

important risk category (see exh ibit 2) .

s More than 30 percent of banks ranked credit, market, and operational risks

as equally important.



12/48

s Approximately 5 per cent of participan ts in the study identified operational

risk as the most important type.

s Fewer than 5 percent of banks sur veyed described market risk as the decisive

risk factor.

s About 10 percent of banks sur veyed do no t consider credit, market, or oper-

ational risk most important. For them, general investment risk (such as late

entry into e-commerce) is the most significant.

Those sur veyed feel that th e man agement ofoperational risk will play an increas-

ingly important role. Managing this type of risk in particular presents the institu-tions with a special challenge.

General investment risksaccord ing to the banksshould be tackled within th e

overall bank strategy. For example, they should be considered separately within

the con text of investmen t decisions. These risks will there fore n ot be analyzed fur-

ther in th is study.


"Which type of risk is most important for your bank?"

Credit risk

Generalinvestment risks

All types areequally important

Marketrisk

Operational risk

5%3%

10%

30%

Source: BCG study

52%

Credit risk by far the most important risk category for banks

Exhibit 2


13/48

Ten principles for an efficient management system

We have elaborated on th e basics and stated the prevailing conditions. What next?

We want to develop ou r ten principles as an instructional guide to h elp bankers

quickly and directly build a state-of-the-art risk management system. Our proce-

dures aim to make it p ossible to quan tify, aggregate, and man age all types of risk.

By looking at risk management as an integral part of the bank's overall manage-

ment system and defining risk from a value-at-risk (VAR) perspective, we will first

deal with credit, market, and op eration al risk. We will show how these types of risk

can be systematically managed. Then, we will aggregate the individual cate-

goriesthe starting point for a value-based allocation of econ omic capital. Finally,we will give t ips on actual imp lemen tation , because knowledge in and of itself is

ultimately nothing: it is the application that creates competitive advantage.



14/48

Principle 1: Risk management must

become a central element in a banks

overall managemen t system

The goal of every bank is to maximize the return on capital employed and to

create value. A modern value management system is one of the keys to success.

When understood as the sustainable optimization of corporate value, value man-

agemen t can influence two levers: profitability and growth .

Here, profitability is measured by the increase in return using a return on risk-

adjusted capital (RORAC) approach. Growth, in turn, is reflected in changes ineconomic capital, i.e., a risk-adjusted measure of capital. This makes risk man-

agement an in tegral part of any modern value management system.

Figures for profitability and growth may, for example, be combined using the

"delta added value on equity" (DAVE) concept developed by BCG (see exhibit 3).

It is defined here as a measure of the change in added value on equity, and it

can be used as the centr al inter nal measure of value added .


Value management

Source: BCG study

Added value on equity

Delta added valueon equity (DAVE)

records profitabilityand growth

Profits requiredby capital market

Cost ofcapital

Capital

Return

Economiccapital

Economiccapital

RORAC

RORAC2

1 2

1

Profitability

Growth

Profitability and growth are the decisive components in valuemanagement

Exhibit 3


15/48

The DAVE concept facilitates both performance measurement on a bankwide

level and direct comparison of business units. It therefore represents a crucial

basis for maximizing corporate value: capital is made available to those business

un its that can realize th e maximum DAVE.

Empirical analysis by BCG has shown the suitability of DAVE for measuring the

development of corporate value. There is a high correlation with the (relative)

total shareholder return (RTSR; see exhibit 4), which is decisive for the share-

holder. The RTSR is an indicator of a stock's performance in relation to that of a

corresponding stock index.

For th e best possible use of DAVE as a man agemen t metric, it is vital that there bea standard, value-at-risk-based definition of RORAC and economic capital

throughout the bank. All essential types of risk must be recorded for this.

Under these conditions, risk management is an integral part of any coherent

value management system and may make an en during contr ibution to th e maxi-

mization of value.


Exhibit 4

DAVE

Source: BCG database; BCG analysis

30

20

10

0

-10

-20

-4 -2 0 2 4 6

R = 55%2RTSR (%)

Average DAVE (%)

High correlation between DAVE and the relative totalshareholder return (RTSR)


16/48

Principle 2: Risk management must be

firmly established at all levels of the

organization

Value can be created on ly by differentiating a bank's concepts and produ cts from

those of its competitors. To do this, internal procedures, systems, and structures

have to be adapted. It is important th at risk managemen t concepts be tailored to

key success factors specific to the business. Standardized concepts lose their sig-

nificance as transaction complexity increases, so customizing risk management

systems is essen tial.

The universality of the concept is also important. Risk management must be

linked logically from the level of the individual transaction to the overall bank

level. It must permeate all marketing and management procedures, and it must

record all essential compon ents of credit, market, and operational risk in a con -

sistent manner.

Risk man agemen t in this sense is active rather than reactive, and it affects all trans-

actions and processes within a bank. It affects traditional counter transactions at

retail branches and global investment banking alike. A risk management system

of this sort must also rise to the challenge of realizing two basically opposing

goalsrequirements specific to the business un it must be taken into accoun t, and

a standard framework for comparisons between the different business units must

be guaranteed.

Risk man agement runs both vert ically and horizontally across a ban k. Vert ical un i-

versality refers essentially to uniform, interrelated procedures and controls.

Horizontal un iversality, on th e oth er h and , describes the comparability of indi-

vidual business units, using predetermined and clearly defined metrics. The

banks that can bridge this gap have laid the cornerstone for an efficient,

bankwide management system and a successful value management approach.



17/48

Principle 3: Value-at-risk concepts

should become the norm

The DAVE concept clearly dem onstrates the significance of risk management for

a value-based bank management system. A prerequisite is one uniform way of

viewing risk within a bank. But which definition of risk is the most appropriate?

As active portfolio management increasingly replaces traditional buy-and-hold

strategies, value-based risk assessment in the sense of a value-at-risk (VAR)

approach seems most suitable.

Th e VARhere is defined as a measure of the possible negative change in the

market value of an asset with a given confiden ce level and within a certain time

frame.

Ou r study shows that one cannot yet speak of a un iform r isk definition , however.

Most ban ks still have far to go in this regard as is demonstrated by the following:

s Less than 50 percent of those surveyed have a standard definition of credit

and market risk that applies throughout the bank (see exhibit 5).


Definition of market and credit risk

Value at risk

VAR concept predominates inNorth America and Australia

Operational risk isusually not recorded

Earningsat risk

No standarddefinition

Losses realized

55%

15%

3%

27%

Source: BCG study

Fewer than 50 percent of the banks surveyed have a standarddefinition of risk

Exhibit 5


18/48

s A standard definition has been established on ly in North America. In the rest

of the world , cred it and m arket r isk are often d efined d ifferen tly. The value-

at-risk concep t has indeed becom e a market standard when d ealing with mar-

ket risk, although most banks have not yet applied this logic to all product

lines. Moreover, different VAR approaches have not yet been made suffi-

ciently comparable ( e.g., in terms of holding periods) . By contrast, credit risk

is traditionally defined by a loss concept. VAR concepts are, at best, deployed

for larger corporate customers or for listed compan ies.

s A standard definition has not yet been established for operational riskonly

a few banks are geared to VAR.

On ly a small number of banks will presumably be in a position to introduce a un i-

form way of looking at risk in the short te rm. We therefore recommen d p roceed-

ing step by step:

s First, a standard assessment method should be introduced for each type of

risk. This will make it possible to m anage the portfolio within business un its

accord ing to standardized criteria.

s In the next step, the risk evaluation method should be standardized among

the business unitsif necessary, as an interim solution, e.g., on the basis of

an earn ings-at-risk (EAR) approach. EAR is defined as a measure of the pos-

sible negative deviation from the expected earnings (with a given confiden ce

level and time frame) . The advantage of the EAR is that it requires fewer data

than VAR. All types of risk can be assessed using EAR, and this allows a first

comparison between different business un its and types of risk. This compari-

son, however, fulfills the requirements of portfolio management and capital

allocation only to a limited extent.

s Having a value-based VAR concept is still the goal for a standard definition of

risk within a bank. Only then will it be possible to compare market, credit,

and operational risks.



19/48

VARconcepts are almost the market standard in credit business with large

corporate customers

Value-at-risk concepts are becoming the norm in the large corporate customer

business. The following picture emerges when the prevalence of VAR systems is

analyzed:

s More th an 60 percen t of those banks sur veyed use a VAR approach to quan-

tify credit risk in the large corporate sector and to determine how much ind i-

vidual borrowers contribute to the institution's total portfolio risk.

s All study participants in North America, Australia, and Japan employ a VAR

approach. In Europe, only about 50 percent do. In South America, VAR con-cepts are barely applied. The significant regional difference in the spread of

VAR concepts can be explained main ly by data problems.

s In th e large corporate customer por tfolio, the r isk models developed by KMV

(Kealho fer/ McQuown/ Vasicek, San Francisco) an d RMG (RiskMetr ics

Group, New York) are most frequen tly used.

s Of the banks yet to u se VAR concepts, some 50 percent are planning to intro-

duce such a model within the next 18 months.

It is true that risk hedging and loan trading, for example, are generally possible

at the ind ividual transaction level without VAR models (provided there are exter-

nal ratings), but the greatest efficiency in portfolio managemen t and pricing can

be ach ieved only if VAR models are used. These models are also creating the pre-

requisites for the value-based allocation of economic capital. Here, it is importan t

for th e leading models to be able to hand le earn ings at risk as well as value at r isk.

So what should banks be doing? On no account should they wait any longer to

adopt such models for their large-corporate-customer business. In addition, expe-

rience can be collected for applying cred it-risk VAR models to other clien t groups

as well.



20/48

VAR concepts should be extended to small and medium-sized corporate

customers and retail customers

Unlike in business with listed companies, there is at present no market standard

for assessing credit risk in the small and medium-sized enterprise segment.

Usually rating- or scoring-based in-house solutions are used to estimate risk in

individual cases. Although these approaches represent a step in the right d irec-

tion, VAR concep ts are still needed to establish a value-based managem ent system.

VAR models can be applied to small and med ium-sized companies and retail cus-

tomers. Our study revealed clear limitations to this approach, however:

sInternal and external historical data are not really available, which meansthat an important pre requisite is missing.

s U.S. banks are the exception, because they have a broader base of data on

small and medium-sized companies at their disposal. Why? Even within this

group , there is a greater propor tion of externally available data because more

of the companies are listed on a stock exchange. In addition, U.S. banks

began constructing inte rn al databases early. In Eur ope , only Scandinavian

banks possess databases that are in an y way comparable. ( These were set u p

in response to the banking crisis in the early nineties.)

s In the retail business, problems are similar at all banks sur veyed.

Risk management must eliminate as quickly as possible the weaknesses in meas-

uring portfolio risk (especially missing data) in small and medium-sized compa-

nies as well as in the retail business. In addition, internal rating systems must be

aligned with th e market standards.

The exten t to which VAR models from the large-customer segment can be ap plied

to small and medium-sized companies and retail customers has to be tested for

each institution . Certainly, a complete tr ansfer is not possible, but there are good

interim solutions. Until a new, sufficiently large historical database is built up,

intern al ratings can be compared with extern al references. And in th e retail sec-

tor? Even if there is no real data h istory here , robust VAR models can still be devel-

oped at the portfolio level.



21/48

Principle 4: An active portfolio manage-

ment system should be implemented

for credit risks

An active credit portfolio managemen t system will become the decisive factor in

lend ing, as this is how to optimize the risk-return ratio. Most banks, however, have

not come this far. Most institutions are trying to close existing gaps at the risk

measurement level, but the real problem remains unsolved. The knowledge

gained from risk measurem ent is seldom used to manage the portfolio. In oth er

words, the step from risk taker to risk manager has not yet been taken.

The BCG stud y high lights the following problem areas:

s Banks are mainly concerned about the lack of data in the lending business

with small and med ium-sized business clien ts. Things are no better with r etail

customers. Why is this so? On the one hand, there is relatively little internal

data, and th ere is little to be learned from extern al information sources. On

the o ther hand, data warehousing concepts are not widespread . Much more

information is available in the large-customer business, especially in view of

the larger number of publicly traded compan ies.

s With the exception of U.S. banks, all participants in the study regret the low

levels of secondary market liquidity for credit r isks. The use of loan trad ing,

credit derivatives, and asset-backed securities (ABS) transactions is restricted

by a lack of standards for estimating risk, for pricing, and for formulating

agreements. Current developments such as the founding of electronic mar-

ketplaces (such as Cred itex and Loantrade) p rom ise increased liquidity.

s Although comparability and the negotiability of risk are taken for granted in

the large-customer segment ( ther e is a broad base of external ratings here) ,

the situation is somewhat different for small and medium-sized companies

and individuals, for whom only internal ratings are usually available. Since

these do not conform to any norm, trading and hedging credit risk are

restricted to individual agreements between risk vendors and purchasers.



22/48

s The situation is quite different in countries where, regardless of the type of

credit, interest rates are predominantly flexible (for example, in Norway) or

only short-term loans are granted (for example, 30-day terms in Brazil). In

these regions banks are by nature affected by the secondary market problem

only to a limited exten t. Neverth eless, the problem remains that companies

at risk of bankruptcy can no longer be hed ged through th e market. Increases

in interest rates or the failure of loan renewals lead, in cases of doubt, to

bankruptcy and thus to loss of the loan or redu ced value.

The core elements of an effective portfolio management system

First, an effective portfolio management system requires that internal databases

be developed. Historical ratings, default probabilities, etc. need to be drawn on tocalculate portfolio risks. This, however, solves only part of the problem, of meas-

uring risks and making them comparable within the bank. To create an effective

por tfolio managemen t system, banks have to reach a common understanding of

risk. This involves solving th e rating p roblem, particularly for small and medium -

sized companies. The levers for doing this are the creation of common internal

rating standards and the further spread of external ratings.

s Banks, however, are still far from having a standard internal rating system.

Even if Basel II has recently breathed new life into the topic, the discussion

has essen tially not progressed. Th ere is still great uncertainty abou t the exact

requirements: contents and ratios for internal rating systems are disputed.

Nor is it clear when there might be acceptance from national supervisory

bodies, and what r oom there is in national law for implemen tation. Generally

speaking, we can assume th at, even in the futu re, it will no t n ecessarily be p os-

sible to fully compare internal ratings, although this is essential for the

improved negotiability of cred it r isks.

s One solution might be for banks to mutually approve each other's rating sys-

tems, thereby defining a market standard. The validity of "compromises"

reached would be guaranteed through the regulatory powers of the market.

This concep t is curr en tly being discussed in tensively th rou ghout Europe, and



23/48

some bankssupported by external rating agencieshave already secured

mutual acceptance of their ratings.

s An alternative solution is to include more small and med ium-sized compan ies

in th e rating p rocess. We are alread y seeing great e ffortsmostly in Europ e,

and particularly in Germanyto set up rating agencies for small and medi-

um-sized companies. Two factors support this developm ent: the banks' efforts

to run active credit portfolio management systems, and the incentives of the

companies themselves, which hope to be able to lower their financing costs.

Additionally, external ratings repr esent an independ ent verd ict on credit-

worthiness, which might have more credibility than internal ratings.

Although external ratings will undoubted ly take on a more p rominent role inthe next few years, they do not yet represent a genuine alternative. On the

one han d, market penetr ation is still too low and , on th e oth er, there are sig-

nificant differences in the quality of the ratings produced. The professional-

ism of the providers also varies considerably. Because many providers are cur-

rently entering this segment, we can expect a consolidation to occur in the

next few years.

Once the rating problem is solved, we can assume that the liquidity of secondary

markets for cred it r isks will increase considerably. Several th ings have to happen,

however, before that point is reached.

VAR should be considered in limit setting and pricing

VAR mod els for defining risk at the por tfolio level are increasingly becoming th e

norm in the lending business. A logical consequence is that VAR would have to

be included in limit setting and pricing for individual transactions. Most banks,

however, are still far from this level of sophistication:

s Limit setting is still done m ainly in the tr aditional way. Nominal limits are set

by region , industry, or ind ividual borrower.

s Risk pricing usually occurs, if at all, according to the standard cost-of-risk

principle: the expected risk is based on historical losses. In our study some



24/48

two-thirds of the banks surveyed said that they included risk specific to cus-

tomers within the scope of an ordinary pr icing process, but th ere are still vast

differen ces in practical implementation . There are reservations in Europe in

par ticular, where loans are n ot p riced to adequately cover r isk, for reasons of

customer retention. And risk considerations are only partially relevant to

pricing in South American banks.

In th e short term, considering VAR within pr icing processes and th e allocation of

VAR limits are feasible options only in the large-customer business. Interim solu-

tions are needed for small and med ium-sized corporate and retail customers:

sFirst, at least the expected risk should be accounted for in pricing decisionsfor all customer segmen ts. This can be achieved via the standard cost-of-risk

scheme. In addition, limit setting should be linked with concrete risk meas-

ures and guidelines for cred it policy. Cluster r isks may be restricted, for exam-

ple, by using a pragmatic combination of customer, industry, and regional rat-

ings.

s In th e next stage, the cost of capital shou ld be taken into account at the indi-

vidual transaction level on the basis of VAR calculations. In th is way, un ex-

pected risks should be covered by the pricing process.

s In the final stage, portfolio effects are considered. This means that the cost

of capital for what each individual transaction contributes to the portfolio

VAR is brought into the equation. Thus, pricing reflects only the "marginal"

VAR.

Systems must be changed

An active portfolio management system requires adapting more than risk instru-

men ts and systems. Equally importan t are changes in the organization 's structures

and proceduresa monumen tal feat that in many banks will turn existing struc-

tures in the lending business upside down. Above all, three sectors are affected:



25/48

s Sales units will concentrate exclusively on the acquisition of new business

and on satisfying existing customers' needs. They will sell credit risks at fixed

internal transfer prices to the portfolio management unit. Sales units will be

managed as profit centers, meaning that if the transfer prices are not fully

attained , the profit cen ter's earn ings will be diminished .

s Traditional loan departments will become intern al rating agencies. They will

be fully responsible for determining the risk for each individual transaction.

They will not decide, however, how a tran saction will be concluded .

s Portfolio management will also be managed as a profit center. It will enter

the risk at transfer prices on its books. At the same time, portfolio manage-ment will be responsible for developing portfolio strategies and for imple-

menting activities on the secondary market. The aim: to improve the risk-

return tradeoff.



26/48

Principle 5: Banks must move from

measuring to managing market risks

With a consisten t market-risk man agemen t system, market risks are defined across

all product types in a standardized, and therefore comparable, manner. All for-

ward-looking aspects are taken into consideration, and appropriate monitoring

and management procedures are implemented. Most banks are still far from

achieving th is ideal. The challenge consists in progressing from simply measur ing

to actually man aging market r isks.

Uniform risk measurement, in the sense of a mark-to-market approach, and theuse of VAR models are considered standards in market-risk management: some 80

percen t of banks use VAR models. These mod els are essen tially based on the vari-

ance-covariance approach, although some are also based on historical volatility

and/ or Monte Carlo simulations. Market-risk VAR models are p redominantly

based on the logic of the RiskMetrics approach. The selected confidence level for

external reporting is usually 99 percen t, with a h olding period of ten days; for inter-

nal man agement purposes, it is often 95 percent with a one-day holding per iod.

Although our study shows that m ost banks use sophisticated market-risk models,

their d evelopmen t is far from complete:

s One element th at is often lacking is the conversion of VAR metr ics for dif-

ferent product lines to one standard measurement. This is needed to calcu-

late portfolio VARs and to aggregate r isk within the con text of capital alloca-

tion.

s Only a small minority of banks use VAR models for all product lines. In addi-

tion, the systems are usually restricted to the tr ading sector. Also, interest r isk

is in th e bailiwick of the Treasury, and is often considered separately.

s There is also a need for adaptation with respect to modeling issues. New VAR

models will be guided by the future development of risk to a greater extent



27/48

than existing systems. This also includes extending and ensuring more flexi-

bility in stress testing and scenario models for market risk. Only two-thirds of

the banks surveyed are systematically applying sensitivity and scenario analyses.

The fact that market risk cannot be fully mapped has less to do with quantifica-

tion than with problems associated with data wareh ousing. Efforts to capture and

model relevant data h ave already caused many headaches. An efficien t data ware-

housing system is rarely achieved; data validation, preparation, and administra-

tion are still in their in fancy. Existing VAR con cepts must be tr ansferred logically

to all product lines to record the full extent of the market risk, and banks must

create the technological prerequisites for this as quickly as possible. Moreover,

procedures have to be developed to compare th e VARs of individual risk/ productcategories.

Market risk management processes must be improved further

Although risk taking and risk control appear to have been essentially separated

within the organization's structures and procedures, there is still a need to align

the processes with the business requirements.

Basic weaknesses can be identified in virtually all the banks surveyed:

s Limits are still set m ainly th rou gh the allocation of notional limits. VAR lim-

its have subordinate significance, as do stop-loss limits.

s Limit setting is un iform ly determ ined with respect to ne ither the type of limit

nor to the allocation of limits to organizational units.

This means that, within individual banks, part of the market risk is managed on

the basis of VAR limits. The other p art is managed on the basis of notional limits

or of both types of limits together. In addition, these limits are reduced to the

ind ividual trader or customer level in man y product sectors; in others, on ly down

to the departmen tal or desk level.



28/48

Control in risk man agemen t is less efficien t as a result: there is no universal logic

behind managing m arket risks.

Eliminating these weaknesses is less a question of feasibility than of the need to

establish un iform guidelines for market risk. Thus, the n eed for action in market-

risk management will continue to be great.



29/48

Principle 6: Operational risks should

first be approached pragmatically

Operational risk management represents an unsolved problem for an over-

whelming majority of ban ks. Yet in some cases is it not even perceived as such .

Why? The topic has no standard definition and is therefore hard to grasp.

Lengthy internal discussions on terminology prevent the banks from coming to

grips with the actual problem. Ind ividual, bank-specific definitions therefore have

to be drawn up to form the basis for further work.

An analysis of the current definitions of operational risk reveals two mainapproaches:

s Today, most banks understand operational risk as specific-event risk. This

includes inappropriate behavior, defective processes or technologies, and

external events. Examples of such events are computer crashes, deception,

and natural disasters. The British Bankers' Association also follows this

approach with its definition of "people, process, technology, and extern al

events." Despite this apparent standardization, however, there are clear dif-

ferences in interpretation: most banks usually restrict themselvesfor rea-

sons specific to th e institution and for ease of measurem entto a few select-

ed event categories. Such a partial approach, of course, cannot cover all

aspects of operation al risk.

s Besides specific-event r isks, strategic business risk is also understood to be an

operational risk by some banks. This expresses the risk of failure to produce

returns because of price, volume, or cost fluctuation, or because of changes

in market conditions.

To implement a comprehensive value management system, banks need to con-

sider operational r isks as comprehensively as possible when allocating economic

capital at the business-unit level. Specific-event risks and strategic business risks



30/48

must therefore be looked at together. It is up to each institution to define the

extent to which both types of risk are considered.

Today, the focus is on pragmatic approaches to measuring operational risk

Although a compreh ensive concept based on a more-or-less standard logic should

be sought, most of the banks interviewed are currently focusing on a pragmatic

definition of operational risk:

s 60 percent of the banks surveyed are already trying to quantify operational

risks in concrete terms (see exhibit 6) . In par ticular, a focus on specific-event

risks can be observed. The most common approach is to establish internal

databases using self-assessment methods. Here, individual processes andunits are systematically analyzed for risk, and the possible effects are estimat-

ed .

s Some 20 percent of banks do not yet have an approach for managing opera-

tional risk but are developing in-house solutions to quantify it. Many have

already begun collecting data on internal loss events. All other banks are

awaiting regulator y guidelines.


Overview of the spread of OR concepts

Waiting forregulatoryguidelines

Concept designphase

Deployment60%20%

20%

70%

30%

Source: BCG study

Self-assessment

Rule ofthumb

Self-assessment approaches dominate in the quantification ofoperational risks

Exhibit 6


31/48

s The results of our study show that within two years some 80 percent of the

banks will have built up internal loss databases.

s External databases, on the other hand, are seen as relatively unsuitable by

more th an 75 per cent of those taking part in the study. At best, they can be

used to complement internal data. Instead of serving to supplement mathe-

matical simulations, external data are rather suited for benchmarking exer-

cises which are oth erwise h ard to carr y out, given the restricted public access

to bank loss data. Indeed, some attemp ts are being made to collect corrected

inter nal loss data cen trally to obtain a statistically adequate basic collection of

loss events, but it is still disputable whether such a method will succeed. The

majority of the banks interviewed rated this solution as having only a smallchance of success, as banks are not prepared to expose weakness and errors

in the ir procedures to the ou tside world.

s All banks surveyed reject the latest proposal from the EU Commission sug-

gesting the use of a top-down approach for calculating risk. Simple rule-of-

thumb approachessuch as the use of percentages of fixed costs to estimate

operation al riskdo not meet with much approval, either. Fewer th an 10 per-

cent of banks surveyed favor such an approach.

Despite the trend toward quantifying operational risk, only one-quarter of the

banks sur veyed assume th at operational r isks will be modeled like market or cred-

it risks in the near future. Pragmatic solutions are generally finding more favor

than soph isticated VAR mod els. Nevertheless, some banks are curren tly working

on VAR concepts to set standards that will be accepted by the supervisory auth or-

ities.

In summary, determ ining operational risk represents one of the greatest risk

management challenges for banks. A step-by-step procedure should be chosen to

quantify operational risk because of the existing weaknesses associated with the

availability of data an d m athematical modeling:



32/48

s First, operational risk can be rou ghly determ ined with self-assessment proce-

du res. A prerequisite is a standard definition of risk, measured as a bank-spe-

cific combination of specific-event and strategic business risks.

s This basis should be used to build a loss database. Concepts for identifying

specific-event risks (bottom-up procedu res) and estimating strategic business

risks ( top-down procedures) need to be developed. Where intern al loss data

and information on historical fluctuations in earnings do exist, operational

risk can be mapped using an earnings-at-risk approach. This, at least, makes

it possible to approximately allocate econ omic capital.

sFinally, the earnings-at-risk approach needs to be translated into a value-at-risk mod el. Although initial approaches have already been in troduced, their

suitability in practice is still very restricted; more development is needed.

Should the effort succeed and an adequate historical basis of data be accu-

mulated, however, it will be possible to model operational risks like market

and credit r isks. The allocation of risk capital to operational risk will then be

possible at all levels of the bank.

The timing of this process is inevitably defined by progress in the collection of

inter nal loss data. Th e first two stages at least should be fully implemen ted within

two years, but the first EAR may be calculated much earlier.

Adapting control procedures is a key component of operational

risk managements

Along with establishing suitable models for quantifying operational risk, banks

need to modify the existing control procedures to avoid or minimize the occur-

ren ce of the r isk itself. New procedures may be n ecessary. The banks sur veyed rec-

ognize th is, as they place great importance on improving control procedures:

s Many banks see th e results of quan tification as an indication on ly, and focus

on procedural controls.



33/48


34/48

Principle 7: All types of risk should be

aggregated

Value managem ent will succeed only if economic capital is allocated to th ose busi-

ness units that contribute most to improving corporate value. For this to be pos-

sible, all risks must be aggregated at the overall bank level.

Aggregating risk forms the basis for capital allocation

Aggregating all types of r isk at bank level is the basic requirement for capital allo-

cation.

Our interviews show clear room for improvement in the aggregation of different

types of risk. Systematic aggregation occurs in fewer than half of the banks, and

of those that aggregate their risks, the overwhelming majority merely add up the

various types of risk or proceed according to rules of thumb. Only a few banks

take correlations into account when aggregating risk (see exhibit 7).


Overview of the spread of risk aggregation concepts

Source: BCG study

Aggregation withcorrelations

No aggregation

Aggregation withoutcorrelations

39%

6%

55%

Most banks do not aggregate risk at the bank level

Exhibit 7


35/48

The following shou ld be considered when working toward a realistic aggregation

of risks:

s Risk must be defined consistentlypreferably in the sense of a value-at-risk

approach (see principle 3). At pr esent, however, VARs can at best be gener-

ated for market risk, and, in some cases, with credit risk models as well.

Quantifying operational risks remains the greatest problem.

s Unexpected losses or fluctuations in value should be seen in relation to a

standard confidence level and time frame. This applies to market risk itself

and also to drawing parallels between market and credit risk. The assump-

tions have to be standardized for market risk: daily or ten-day VAR?Confidence levels of 95 or 99 percent? Also, agreement must be reached on

market and credit risks, since th e con fiden ce level for credit risk is usually set

to one year. The bank's standard confidence level (with a one-year time

frame) is geared toward the desired external target rating for most of the

banks surveyed. Exhibit 8 shows the relationship between the confidence

level and the external rating.

s To aggregate the VAR figures for the th ree types of risk and to determine the

cumulative risk, the correlation among the types of risk must be recognized.

To date, however, there have been no definitive studies of these correlations.

The greatest problems are dependencies between operational risk and the

other classes of risk. Some of the banks surveyed have chosen a conservative

approach and assume a correlation of one. Conversely, other institutions

assume the different types of risk are independent. Thus, the value of the

overall risk is significantly reduced.

Besides the techn ical aspectsthe qu estion of the feasibility of calculating cor re-

lationsone thing should not be forgotten: concepts have to remain manage-

able. For this reason , a robu st determination of correlations is often p referable to

a mathematically exact calculation .



36/48

In summar y, the ideal is to aggregate r isk using the VAR approach. Until this goal

has been attained, banks should be working toward pragmatic, interim solutions

in subunits.


98.4 99.0 99.6 99.84

Example: Standard & Poor's

Source: BCG study

S&P's rating

AAA

AA

A

BBB

BB

Confidence level (%)

99.699.84

99.97

99.99

Confidence levels are directly related to the external rating

Exhibit 8


37/48

Principle 8: A banks management

system should be based on economic

capital

Every bank's goal is to increase corporate value. To reach th is goal, banks need to

manage individual business units as well as the bank as a whole on the basis of

value. But what does this mean in concrete terms? It means that capital must be

allocated to th e ind ividual business un its according to the risk structures involved.

The starting po int is the VARs, since economic capital is made available to the

business un its on the basis of these values. Minimum rates of return must also bemet. It is ind eed possible to tran slate ban k goals into business-un it goals.

There is a yawning gap , however, between vision and reality: overall bank goals are

often broken d own into business un it goals in an undifferentiated mann er, so cap-

ital allocation is often no t as efficient as it might be:

s 45 percent of the banks surveyedparticularly in North Americastated

that they allocate economic capital to business units. RORAC and RAROC

are the standard metrics used for assessing risk and return.

s For 55 percen t of those taking part in th e stud y, regulatory capital is still the

relevant capital allocation metric.

s Capital allocation is usually restricted to market and credit risk. Operational

risk is taken into accoun t on ly to a minor degree.

The most important prer equisite for capital-based value man agement is to d efine

one uniform economic capital concept for the bank, on which the target returns

are then based. If a capital concep t is used consisten tly, un it results can be com-

pared with the ban k's overall goals.



38/48

Of course, even if capital were allocated on an economic basis, the bank's regula-

tory requiremen ts would have to be met. Or, to put it d ifferen tly, the target is to

optimize return s on th e allocated econ omic capital, subject to the second ary con-

dition that regulatory requ iremen ts must be complied with.

There are three possibilities for meeting bo th conditions:

s Higher-of variant : econom ic capital is compared with r egulatory capital, and

the larger of the two values is taken as the key.

s Economic capital is the primary allocation key; regulatory capital is the sec-

ondary condition to be considered in individual cases.

s Regulatory and economic capital are weighted within the allocation key.

The last variant is preferable if regulator y and economic capital differ greatly. (In

some cases, th is could just be the result of an assumption of no correlation across

credit, market, and operational risk.) This is the only way to ensure that an ade-

quate rate of return on the fixed regulatory and economic capital is taken into

account. Since the regulatory concep t is becoming increasingly similar to the eco-

nom ic one, econom ic capital can be expected to become th e prevailing allocation

key in the long run .

Ultimately, once there is a standard capital concept th roughout the bank, the allo-

cation key has been defined, and the results of the risk aggregation are available,

capital may be distributed to the business units within the scope of the annual

plan. The original capital allocation may be amended throughout the year in

response to actual business trends. These changes will first be restricted to the

market risk sector, however, because most banks are currently unable to restruc-

ture their credit portfolios in the short term.

It is possible to measure p ortfolio effects approximately within the scope of capi-

tal allocation and then to allocate them to the business units. This approach is

rarely used, however, in practice because of the comp lexity and man agement dif-

ficulties involved.



39/48

Principle 9: Employees must nurture a

risk-return culture

When comprehen sive risk management systems are being intr oduced, the human

factor is at least as importan t as the technical. Not all procedu res have been auto-

mated, and leeway remains for individual decisions. And that is a good thing,

because th is is how differentiation arises.

The "correct" way to deal with r isk is not con fined to th e old adage, "Loans should

be allocated as if your own money were involved." Although this saying might well

be tru eand could be app lied to the other r isks as wellsuch an approach doesnot go far enough. The risk has to be placed in the context of the return attain-

able on all activities and transactions. Both sides must be weighed carefully. This

involves making employees aware of the bank's aims, equipping them to act, and

motivating them.

The key here is to create a corporate culture in which the principles of avoiding

risk and generating return s are n ot d iametrically opposed. Both have to be con-

sidered and employees need to be familiar with both to be able to assess the

opportunity for profit in relation to the associated risks. In concrete terms, career

planning shou ld include activities that focus on sales as well as risk man agement.

But that is not all. Responsibilities must be clearly allocated and not distributed

among a number of committees, for instance. Simultaneous consideration of risk

and return must also be reflected in management and incentive policies. For

example, if in the lending business sales units are managed on purely return-

based figures and the credit department is assessed only according to provision

charges, the optimal risk-/ retur n ratio will not be achieved.

The ban ks par ticipating in the survey were clear on th is point: even sophisticated

risk measurement procedures, decision-making processes, and structures cannot

compensate for deficits in the risk-return consciousness of employees.



40/48

The aim is obvious. Rather than a technocracy and a belief in figures, initiative

and a focus on th e business, combined with a r eal awaren ess of risk-return ratios,

should predominate. What does this mean for risk management? It must set up

and develop guidelines, and it must enable employees to act within this frame-

work. Above all, risk management must ensure compliance with the guidelines.



41/48

Principle 10: The concept in itself is

nothing: It is the application that

creates competitive advantage

How can all the requiremen ts described h ere be met? Although the backgroun d,

resources, and goals differ from bank to bank, the procedure described below

gives a useful basic framework.

(1) Conducting a risk management audit

All efforts should begin with comprehensive analysis. In which areas (business

segmen ts) is the ban k active an d in which regions? Thus, which risks are relevantand to what extent? The answers determ ine th e n ext steps, starting with an audit

of the existing risk management system, its strengths and weaknesses, and the

data available.

Moreover, in th is first ph ase a general awaren ess of risk is stimulated and the basic

aims of risk management are defined. Is the system being established or restruc-

tured intended primarily to limit loss? Or is the purpose to optimize the

risk/ return ratio? Are there oth er goals? The concept ph ase should be initiated

only after concrete objectives have been identified.

(2) Development of a risk management concept

During the second stage, the ground rules and components of the risk manage-

ment system have to be defined. Depending on the goals set in the preliminary

phase, this is a question of developing the appropriate approaches to market,

credit, and operational risk within the scope of recording and quantifying risk.

This includes both the individual transaction and the portfolio level.

To man age risk, banks must specify monitoring and control processes, define ad e-

quate risk-return management systems, and describe and allocate clear responsi-

bilities.



42/48

Then the next steps to be taken must be determined. At what point should spe-

cific goals be attained? Focal poin ts must be established when consider ing restrict-

ed resourcesshort-term milestones help to proceed toward the goals. Should

the real estate business be looked into first, or is it better to begin with investmen t

banking? How relevant are operational risks, and which ones should be tackled

first? Proceed ing step by step he lps you see th e big picture and p revents you from

doing too much at once. A development plan should be drawn up to cover all

issues and dependencies to be addressed, as should a schedule for tackling them.

Just as important is communication with employees. All units concerned should

be involved in th e process early. Simply presenting a finished concep t to the

employees is not enough; their ideas should be solicited from the outset. Thisensures that th e solutions developed will be un derstood and accepted later on .

(3) Implementation

Implemen tation can be started while the concept phase is still in progress. Solving

data problems for all types of risk should be emphasized. Even if the need to act

on credit and operational risks is the most pressing, the need for change in the

market r isk sectors should n ot be underestimated. What is to be done?

s Databases should be established for specific purposes. It is importan t to clar-

ify what kind of information is to be generated for which users, for which pu r-

pose, and when. Useful data can be procured only on this basis.

s Data already available internally and externally should be processed in line

with this model to improve th e cur ren t situation as quickly as possible.

s Prerequisites for an effective data warehousing system must be developed

along with th e creation of sufficiently broad an d deep databases: they should

be formulated in a way that guarantees the best possible use from the very

moment they go live. Existing internal bank systems should be adapted early

to interface with th e data warehouse.



43/48

The degree of standardization and the integration of the solutions used with the

existing IT infrastructure should also be decided upon. The more complex the

tasks, the ear lier customized and ind epen den t procedures must be developed.

Once methods and IT solutions have been detailed, universal procedures deter-

mined, and responsibilities allocated, pilot schemes should be initiated even for

partial solutions. The knowledge and experience gained from this phase may be

used to make further improvemen ts.

Step by step, the individual components are made operational. The decisive suc-

cess factor here is not how good or sophisticated the system is, but how well

employees use it to realize th e ban k's goals.

The procedure outlined is certainly an ideal one and many of the banks inter-

viewed did want to proceed in this manner. However, a greater number of insti-

tutions confessed that they had strayed from this concept because of daily opera-

tional demands. The consequences are fatal:

s isolated, incompatible solutions,

s budget and time overru ns due to th e high cost of integration ,

s figures that are on ly par tially available and even then bare ly comparable, and

s frustration among top management because the original goals are not being

met.

Almost no other important topic requires more patience during implemen tation.

Therefore, the creation of the risk management development plan is absolutely

critical. It addresses the expectations of individual units and persons. If imple-

mented cor rectly, it helps the bank realize the ben efits of a risk managemen t sys-

tem at an early stage. Above all, it ensures that the overall goal is always clear.

Then , and on ly then , the tran sition from risk taker to r isk manager can be m ade

successfully.



44/48

Notes on the study

The results of our study are a product, on the on e hand, of the inte rnational pro-

ject experience of The Boston Consulting Group in the risk management sector

and, on the other, of some 60 inter views condu cted th roughout the world. Those

interviewed included decision-makers from banks and selected risk management

software vendors.

Exhibit 9 shows the industry and geographic spread of those who participated in

the study.

The in terviews were cond ucted between November 1999 and March 2000 by BCGconsultants who have many years of project experience in the field of risk man-

agement.


Participants by industry Participants by region

Investmentbanks

Commercialbanks

Softwarevendors

Other Asia/ Australia

Europe North/SouthAmerica

8

3

40

96

2426

Source: BCG study

Overview of study participants

Exhibit 9


45/48


46/48


47/48

Th e Bo s t o n C o n s u l t i n g Gr o u p , 2 00 1

For fur ther in form ation , please con tact:

Thomas Gro

Grn ebur gweg 18

60322 Frankfurt

GERMANY

Telephon e: +49 69 9150-2192

Fax: +49 69 9150-2131

E-mail: gross.tho [email protected]

Andr ew Cainey

50 Raffles Place #44-02/ 03

Singapore Land Tower

SINGAPORE 048623

Telephon e: +65 429-2533

Fax: +65 226-2610

E-mail: cainey.andr [email protected]


48/48

Th e Bo st o n Co n su l t in g Gr o u p

Amsterdam

Atlanta

A kl d

Brussels

Budapest

B Ai

Dallas

Dsseldorf

F kf t

Jakarta

Kuala Lumpur

Li b

Melbourne

Mexico City

Mil

Munich

New Yor k

O l

Seoul

Shanghai

Si

Tokyo

Toronto

Vi

bank risk manager wp

Documents