Exposure Management Is Key, Says Risk Expert
February 16, 2009
When securities firms fail, it's often due not to a single problem, but a series of interrelated risk events. Because risk management has traditionally been divided, or "siloed," among business lines, the big picture has frequently been hard to see, according to Prakash Shimpi, managing principal and head of enterprise risk management at consultancy Towers Perrin. Shimpi advocates a strategy that focuses on understanding the accumulation of risk exposure, and the correlations among various risk factors.
Shimpi's view of risk has been shaped by long experience. Before joining Stamford, Conn.-based Towers Perrin in 2004, Shimpi, 49, was president of enterprise risk consultant Fraime and president and CEO of Swiss Re Financial Services Corp. He has also been a managing director in Chase Manhattan Bank's global insurance corporate finance division and a VP at Drexel Burnham Lambert. Shimpi recently spoke with Securities Industry News special reports editor Carol E. Curtis about the changing role of risk management in financial services.
How do you define risk? Risk has become a word that people use to mean many things. I look at risk in terms of the range of exposure rather than just the worst-case event. If you think of risk as having many components, one of the most important is getting the taxonomy right--that is, what are the buckets you can use to classify the different types of exposures you have? For each of these buckets, you want to understand the distribution of your exposure due to the various causes, events and consequences you face.
For example? Suppose you have a rogue trader. That is the event that is the culmination of a lot of exposures that went unaddressed: poor supervision, inadequate systems, poor human resources. If you don't think through the questions, you may be missing whole categories of things.
What went wrong in the banking industry? Initially banks spent lots of time on market risk, then on credit risk management, and so on. Many of these risks were managed by laying them off through hedging and holding capital against any residual risk. Clearly there was overconfidence in how well they laid off their risk and an underestimation of the residual risk that the banks were holding. A lot of the other things that hit banks hard have been around a long time and are broadly classified as operational risk. If that is viewed only as the processing errors, then they miss the really big exposures. Management has to look at things more analytically and look at the range of possible outcomes. They were not able to capture the full picture.
What should securities firms be doing now? They should undertake a critical review of their risk management practices. I would suggest going outside the firm and outside the advisers that they have been using and that may have steered them in the wrong direction. There are many practices that are done for audit or compliance purposes but don't really contribute to an understanding of risk. They should recognize that risk management did not start in banking and that there are techniques used elsewhere that they can adopt. For instance, risk management is fundamental to how the insurance industry manages its exposures. Insurers recognize that their policies have embedded options, so there is uncertainty in how profits emerge over time. They also recognize that they cannot lay off all their risks, so they are quite adept at managing "buy and hold" risks. They employ actuarial techniques to evaluate and manage the capital required to bear those risks. These actuarial techniques are quite transferable to banks.
