The big view of risk calls for a variety of skills, but doesn't ensure the message is heeded

Clifford Rossi, Tyser Teaching Fellow, Center for Financial Policy at the University of Maryland

How does a chief risk or credit officer for Citi, Washington Mutual, Countrywide Bank, Fannie and Freddie end up teaching college finance class?

I had been an adjunct professor in the business school at the University of Maryland for about eight years while I was full time at Freddie Mac and later on at some point the stars aligned and I could afford to do it. Once TARP came along in the wake of the financial crisis it became enormously stressful and teaching full time seemed like a rewarding career move. So I came to teach finance and they also thought I could help with UMD's new Center for Financial Policies in D.C. I still do some work for Citi and stay active in all facets of the risk side.

What does a chief risk officer at a big company do all day?

The CRO of any company is responsible for the enterprise-wide risk exposure of the firm including the credit risk, the market risk and interest rate risk, the operational risks, and maybe even the legal and regulatory compliance risk. The job is about three things: identification of risk; measurement and recommendation of risk tolerances or appetites for the company; and the management of risk, how you lay off or transfer unwanted risk given the appetite for risk at the board of director level.

You must need to be good at delegating duties.

You do have a variety of different groups reporting in: policy-making groups for credit and underwriting decisions at the individual level for a loan or for a counterparty you're doing business with. You have people who do all sorts of analytical modeling to value and size up the level and likelihood of risk. You have a ton of statisticians and econometricians augmented by strong MIS reporting capabilities and some very strong IT and data management professionals. Risk guys know if you don't have good data, it's game over, you might as well go home. At the heart of everything, you quantify what you can, and for anything you can't, you need to set up risk boundaries through policies, rules, limitations, etc.

What are the important skills of the job?

You need to be very task oriented but at the same time have a strategic view of what needs to be managed from the top of the house for risk-taking purposes. In a financial institution for example, the focus is on being compensated for a risk that you're taking. Where there is no risk, there is no value to the franchise. If you take too many risks you wind up, unfortunately, like many of the institutions I worked at.

Are you saying there are limits to a chief risk officer's ability to control risk?

I believe most everybody in the industry to a certain extent was guilty as charged of missing the huge structural change that was taking place [in the recent financial crisis], particularly in the mortgage market. [We were] adding on what we called risk-layered assets, assets in which we compounded the risk by, for example, having people state their incomes rather than verifying income; allowing people to put variable down payments on mortgages or allowing people with spotty credit records to buy. All those things together create risk layering.
We didn't understand the degree to which the last 10 years of data was not going to be the same as the next 10 years. We really underestimated the impact of those important changes in credit policy were going to have on the overall risk. But beyond that, we were still calling out the high risk taking and asking our production folks to kind of slow that down.
My sense is that yes, there are some greedy people out there, but by and large I think they were misguided by seeing such a long and good period of performance out there that many of the most senior people probably said, "How can you tell me that you're going to have any kind of risk event when home prices are going to rise at double digit rates?" So I think a lot of it comes down to people looking into the rearview mirror and seeing smooth sailing for the next five years.

It sounds like you are saying the chief risk officer advises on risk more than he or she can actually control.

You need an enormous capacity to negotiate and communicate to senior managers who may otherwise be very aggressive and wanting to pursue views counter to yours and will act accordingly. During the time leading up to the financial crisis, the places I was [employed] at were led by very strong-willed individual production teams that had enormous power of control over the firm to the detriment of the risk officers. As we saw later, that really put them in a particularly bad spot if the institution goes down for excessive risk taking. Risk managers are only there to advise [about] levels of risk. A CRO cannot stand up and say, "I will not allow this to happen." He or she could certainly say, "I do not support this and I will not sign off on this decision," but of course the CEO and the board have every right to override that view.

You're implying a lot of risk was understood but ignored, but how does a CRO navigate the automation of huge amounts of data everyone is pushing around these days?

You can easily track down a paper I wrote for mortgage bankers that gets precisely to that time of crisis, but for a CRO, the intersection of IT and all these other things means you do need to be a Jack of all trades and a master of none. You have to understand the quantitative aspects of risk, so having in your toolkit all the various types of risk measurement capabilities is very important. You also have to balance the art and science, where science is the quantitative aspect and all the tools to value and measure risk. The qualitative overlay on top of that needs to transcend the fact that you can't always know with certainty what the outcomes based on your model really are. Your models pose risk all by themselves that you have to control by putting overrides or wrappers around them.

Like the business rules we automate decision-making with today?

Yes, but it's still about understanding basic business issues and that's more complicated now. As I teach my kids in class, the risk management function lies at the heart and the center of everything that goes on, and that's especially true at banks. You have to be business savvy, [and now] you have to understand accounting, you have to understand IT, you have to understand the quantitative stuff. So it's really an eclectic range of subjects you have to master. It's not like being a CFO where you are a finance guy. There are very few programs that train you up to be a CRO. In my case it was pretty much on the job training over the years to get to that point.

Nobody seems to remember that 20 years ago, all a corporation had was a stack of ledgers and a bunch of file cabinets.

I can tell you from experience that Countrywide surprisingly understood this best. They were masters at implementing the latest technology and keeping ahead of the curve. They were absolutely at the head of the class. The other firms I was at, including Fannie and Freddie, really struggled with creating an integrated data warehouse for risk management, [because they weren't] acknowledging the downstream integration costs of various mergers and acquisitions and the impossibility of integrating risk views across different platforms.

Did that cut the legs off the CRO function?

As a head of risk myself, I couldn't look at the balance sheet of mortgages from the thrift vehicle in a consistent fashion with those from the bank vehicle or the non-bank legal vehicle. It would have taken an enormous amount of effort to do that. Other places I worked at tried to create credit data marts for Basel II reporting and it was a monumental effort because we had not kept up with the technology. Going forward, firms will simply have to make much larger investments to upgrade their data management capabilities, particularly as regulatory oversight increases, agencies such as the Office of Financial Research come in and ask for things that have never before been standardized across institutions before.

Can the CRO also build the top line?

I think the overall operational and strategic sides of the business is going to have to get with the program more than they have in the past by understanding that data is not just a byproduct of the business. You always want to use data to enhance the business. You do that by leveraging all the information at the transaction level. If you have that at your disposal you are so much more effective at cross selling your business than anyone who doesn't have that. Customer "A" has a credit card and also a mortgage and maybe they might need an auto loan. Often it's been impossible to link any of the portfolios.

We seemed more comfortable managing risk once than we are now, so from a risk standpoint, has the data glut and technology made it harder to do risk management?

It'll help the risk manager and also make his job a little harder. It will help because now all eyes are tending to the details from an analysis standpoint of what's coming onto the balance sheet. People will simply be much more vigilant there. The difficulty will be putting the systems and infrastructure in place to support that goal. That's not an easy assignment, and though the tools are there it's equally about mindset. For example I am always railing on financial institutions that really need to start adopting a risk adjusted return on capital mindset. That's not what they're doing now, they're usually saying all assets are equal in terms relative risk.

That is surprising to hear, given the sophistication of all these quants and analysts.

It's partly about the mindset. If the government requires me to hold 4 percent of capital on a prime mortgage and 4 percent on a sub-prime mortgage but I get a 3 percent spread on the sub-prime and only a half point spread on the prime mortgage, it doesn't take a rocket scientist to see that the marginal capital is going to go to the sub-prime loan and not the prime loan. But if you take a risk-adjusted return approach you would go back through, have a more extensive data warehouse and a more extensive modeling platform that would tell you that the risk on that sub-prime isn't really 4 percent, it's probably closer to 10 percent and the risk on the prime might be 2 percent. So the whole equation, that return, that spread income on risk capital changes and your whole mindset changes and you think more about committing your capital to prime mortgages instead of sub-prime. If we had done that exercise correctly we might have missed out on a lot of the pain we're facing now.

One of my risk management friends thinks business will increasingly use risk as a competitive weapon to make money on uncertainty. Do you agree?

Well, as ratings agencies get more comfortable with their assessments of firm exposure that leads to ratings and the cost of finance for firms, I think you're going to see institutions become more transparent about their risk taking because investors are going to demand this. You're going to see more effort to provide the public with the risk profile that the institution is planning or already taking on.
I think the government is going to require this through the SEC disclosures, and you'll see financial regulatory agencies weighing in more than they have in the past. It really is all about transparency and documenting the amount of risk that lies on and off the balance sheets of these firms for the public. The upshot may be that all these crazy structured investment vehicles that created a lot of [unhealthy] exposure will no longer be helpful to institutions and may hurt them. If investors and analysts look at a balance sheet and can't understand it, they are going to discount it by whatever amount they don't understand.