POSITIONING RISK MANAGEMENT FOR THE FUTURE - CHALLENGES AND OPPORTUNITIES JOHN F LAKER Chairman Australian Prudential Regulation Authority Roundtable discussions at The Risk Management Association Sydney Wednesday, 28 July 2004 Melbourne - Thursday, 29 July 2004
POSITIONING RISK MANAGEMENT FOR THE FUTURE CHALLENGES AND OPPORTUNITIES Overview I am pleased to be participating today in this RMA Australia Roundtable. The ability of APRA-regulated institutions to identify, assess, manage and mitigate the risks in their activities is at the heart of the risk-based prudential regime in Australia. It is also the day-to-day focus of APRA s 200 front-line supervisors and 44 specialist risk staff. To this audience, I can simply say that your business is our business! Australia has a strong and resilient financial system. Our regulated institutions are well-capitalised and, generally speaking, risk-focussed and prudently managed. Nonetheless, our on-site reviews of risk management frameworks inevitably find areas for improvement, even in our best performing institutions. Securing that improvement is both your challenge and your opportunity. Drawing on our recent coal-face experience, the major message I would like to impart today that APRA-regulated institutions need to maintain their spending and management focus on risk management processes and systems to ensure that they keep pace with the growth of their operations and the risks they face when undertaking new activities. We detect a reluctance to upgrade these systems when institutions cannot see an immediate pay-off - such as a decline in capital requirements under the New Basel Capital Accord (Basel II), a reduction in costs or an efficiency gain. Risk management can find itself ranked second to so-called business priorities, especially in a cost-cutting environment. What does APRA expect of the risk management framework in our regulated institutions? We expect: an active focus on risk management policy and how it is working at the board level (either the whole board or one of its committees); a risk management policy document which is well constructed, has been endorsed by the board and senior management, and has been rolled out to, and accepted by, the business lines; the business lines to have a major role in, and responsibility for, identifying and managing their risks; some form of centralised risk management function with responsibilities for risk leadership and for identifying and raising awareness of new and emerging issues, and with clear accountability to the board and senior management; and Internal and External Audit to perform a fundamental role in reviewing the effectiveness of the risk management framework. What do we find in some of our risk reviews? We find: risk management frameworks that appear sound but are not implemented on a whole of business or group basis or are not responsive to changes in the
2 business model. It is not unusual to find that the original architect or champion of the model has moved on and that enthusiasm has waned; policies are often not reviewed in a robust manner or on a regular cycle; due often to budgetary constraints, the role of Internal and External Audit is often limited to reviews of compliance with risk management policy and procedures. The resolution of high and medium audit issues may not occur in a timely manner and issues graded low may receive limited attention. Unresolved audit issues - whether they be high, medium or low - are in themselves a risk indicator for APRA; and unless they have suffered material losses or experienced system down-time, business units can be reluctant to accept the need to proactively manage risk, especially if they are under pressure to contain or reduce expenditures. Our specialist risk visits, which review the management of balance sheet and market risk, credit risk and operational risk, have identified some specific risk issues, which I would like to discuss briefly. I will end with some comments on risk management in Basel II. Balance sheet & market risk Market risk issues generally rank low compared with other risks within institutions because the measures of market risk (mostly VaR) are small relative to credit and operational risk measures. It is true to say that treasury functions have not been a major source of risk for our largest financial institutions. Nonetheless, the irregular foreign currency options trading at the National Australia Bank (NAB) demonstrates the importance of vigilance across the risk spectrum, and that episode has certainly sharpened the focus of boards and senior management on the risks in treasury operations. We have been undertaking a series of on-site reviews of banks with significant treasury operations and we have not to date identified any serious risk management weaknesses though there is always room for improvement. On other matters, we observe that institutions are moving only slowly to introduce appropriate segregation of duties relating to balance sheet or asset/liability management. We expect formal separation of the positioning and execution components of balance sheet management (ie determining the view on interest rates and then executing swaps etc to create the desired position) from the policy setting and risk management functions for balance sheet risk. What we often find, though, is that these two roles report to the one executive. We are targeting this within Basel II and some banks have moved forward, but there is a reluctance to address the issue. In part, this is due to cost; banks view the change as creating the need for extra staff, although we would be surprised if the cost is other than relatively small. The reluctance is also surprising given that no bank would argue against segregation; in fact, all have already embraced the concept for traded market risk activities. We also observe that the resourcing of, and expenditure on, market risk divisions has not always kept pace with product innovation. A narrow focus on costs leaves institutions vulnerable to a lack of resources or of system functionality (or both) to undertake rigorous analysis of risk positions. As a result, market risk functions may take more of a compliance approach to risk management, which is backward rather than forward looking.
3 A more general consequence of the focus on costs is that Australia has a very limited pool of people with high quality market risk skills. This situation has made it difficult for banks to continually find skilled staff, as does APRA. At this present time, demand is outstripping supply as institutions look to expand resources in this area just as many consulting firms are looking to do the same. Credit risk The major source of risks for authorised deposit-taking institutions (ADIs) in Australia has traditionally been, and remains, credit risk. As we all know, the continued rapid growth of credit for housing and the housing market boom of recent years have been the subject of considerable policy attention. APRA has been closely monitoring the housing market exposures of ADIs for some time and we have warned institutions that their risk management processes should not be set just for the good times. As Australia moves into what now clearly appears a cooling-off period in the housing market, these warnings remain especially relevant. This is an environment in which ADIs need to keep their attention focussed on basic lending practices. However, we do see slippages in these practices, in areas such as verification of customer data, assessments of debt serviceability and valuation processes. We see increasing reliance on the information collected by mortgage brokers, without independent verification. The current very low default rates and our generally benign historical experience can easily breed complacency in residential mortgage lending, and be used to justify cutbacks in compliance and risk management areas. APRA has been and will be prompt in responding to any signs of complacency. The proposed tightening in the prudential framework for non-conventional housing lending should also help to address our concerns by providing a capital penalty if robust credit assessment procedures are not in place. APRA has had other risk issues related to the housing market on its radar. ADIs are turning increasingly to the residential mortgage-backed (RMB) securitisation market to fund their lending, but need to be mindful of residual operational risks, related to poor compliance in origination or to servicing the loans. Many ADIs also rely on lenders mortgage insurance to cover loans with high loan-to-valuation ratios (LVRs), and need to ensure that they have reliable systems for tracking insured loans and satisfying the requirements of delegated underwriting authorities. Finally, our well-publicised stress test of the resilience of ADI housing loan portfolios drew attention to the quality of management information systems. We asked institutions to provide information on their portfolios, sliced by age and LVR at origination - two of the most important determinants of risks in mortgage lending. Too many institutions struggled to provide these data without a number of work arounds and/or assumptions. Institutions claiming to be able to undertake the detailed data analysis required for advanced modelling under Basel II should certainly be able to provide that information. Operational risk APRA s IT operational risk reviews have identified a number of common issues impacting on regulated institutions, particularly with respect to their IT security framework. Security policies and procedures are often developed on an ad hoc basis, they are reactive rather than proactive, they tend to focus primarily on short-term business needs (rather than balancing these needs against the risks) and documentation can be inadequate.
4 Our on-site visits also spotlight the need for improvement in areas such as outsourcing and business continuity management (where weaknesses include out-of-date or poor documentation, inadequate testing or failure to include outsourcing arrangements). Operational risks also include the risks involved in moving into new ventures, or bringing new products to the market. We expect institutions to have robust policies and procedures around how they do this, but we do not see this as often as we should. As the squeeze on lending margins continues and housing lending slows there will be temptations for institutions to break out into newer fields, and some may get it wrong. This is our dynamic market economy at work, but the size of such risks needs to be carefully controlled. Basel II Let me conclude with some comments on risk management and Basel II, particularly the so-called Pillar 2 on the Supervisory Review Process. Pillar 2 is intended to ensure that ADIs have adequate capital to support all the key risks in their business and to encourage ADIs to develop and use better risk management techniques in monitoring and managing their risks. In a perfect world, Pillar 2 would capture all the risks that ADIs measure in their economic capital models, apart from credit risk, traded markets risk and operational risk, which are in Pillar 1. Unfortunately there is no consensus yet as to what all those risks are and how they can be measured. Over time, it is our expectation that such a building block approach could be developed for Pillar 2. In the meantime, both supervisors and institutions are struggling to find a methodology to ensure that the requirements of Pillar 2 can be met. There is a view in the market that APRA will use Pillar 2 solely as a mechanism to achieve a pre-determined level of regulatory capital in individual ADIs. APRA is committed to ensuring that ADIs remain adequately capitalised but it is also committed to the spirit of Pillar 2. How it will achieve these goals is work-in-progress. Pillar 2 provides incentives for all ADIs to improve their risk management practices and it provides guidance on ways to do so. Implicit in Pillar 2 is encouragement for supervisors to improve the level and extent of the engagement they have with ADIs. This is intended to ensure that supervisors have a better understanding of institutions risk profiles, how they measure and monitor risks and, ultimately, how they ensure that they hold capital appropriate for those risks. Pillar 2, in other words, will only reinforce my opening comment to this audience that your business is APRA s business, and it will be increasingly so. My commitment to you is that, for our part, APRA is up to this task. My message to you, and to the financial institutions that you represent, is that short-changing risk management is a recipe for problems, and not good business sense. 28 July 2004