the toronto and new york cro round...
TRANSCRIPT
September 2014 The RMA Journal44
ENTERPRISERISK
THE TORONTO AND NEW YORK
CRO ROUND TABLES
September 2014 The RMA Journal 45
North of the border or south, participants in recent CRO round tables in Toronto and New York said their main concerns are regulatory burdens, cyber risk, the continuing low-interest rate environment—and the unknown.
THE TORONTO AND NEW YORK
CRO ROUND TABLES
September 2014 The RMA Journal46
Among the many concerns, the panelists said, are cyber threats, a potential failure by a cloud provider and the pos-sible impacts, how interest rates and the overall economy will respond when quantitative easing is fully withdrawn, the supply of U.S. Treasuries and the implications for the liquidity of the financial system, and general political and geopolitical instability.
And then there are the risks that are unknown. “Not long ago, risk was a quantitative set of activities
someone performed in a backroom and a number popped up and you were good or you weren’t,” David Kimm of TD Ameritrade said.
Not anymore. “Look back seven, eight years. The risks people saw
were technical, model-driven, and focused on market risk,” Patrick Howard of BNY Mellon pointed out. “The entire landscape has changed. The real threats are harder for us to divine.”
“We are in such an uncertain environment,” Kimm remarked. “This is the new normal.”
The Treadmill Is Set to ‘Incline’As regulatory bodies strive to add stability in an uncer-tain environment, they also add myriad tasks to the risk management function, making it even more complex. “Multiple regulatory bodies have high expectations and they’re not getting lower,” DiMassimo said. “We’re wor-ried about being constantly asked to do more. We’re on a treadmill with the incline up to seven or eight. It makes it challenging to do risk management.”
David Belmont of Commonfund said that when he started his career, he was able to be more focused on cre-ating shareholder value by helping his organization boost its return on equity. “These days,” he said, “the regulatory environment is crowding out the other value-added func-tions. There is more emphasis on protecting capital than on driving higher risk-adjusted returns.”
More Challenging, More Expensive With memories of the financial crisis still fresh, the regu-latory environment “is still in the activist phase,” Kimm said. “We are seeing agencies redefine their boundaries and stretch their reach. The regulatory uncertainty is going to continue for a while. We have to figure out what the priorities are and how we resource those.”
At TD Ameritrade, he said, “risk-and-regulatory-required
Each spring, whilE people chat about topics such as balmy temperatures, flowers blooming, and vacation plans, chief risk officers meet in Toronto and New York to discuss topics decidedly less pleasant—like events that can doom major financial institutions and possibly the entire finan-cial system.
Call it their rite of spring. They gathered again this year at RMA chapter events
in late April. Read below for a report on each.
THE NEW YORK CHAPTER OF RMA CHIEF RISK OFFICERS ROUND TABLE
DATE: April 23, 2014 LOCATION: Citigroup Building, 399 Park Avenue, New York, N.Y.PANELISTS: David Belmont, chief risk officer, Com-monfund; Vincent DiMassimo, chief credit officer, Mor-gan Stanley; Patrick Howard, executive vice president, enterprise-wide head of market risk, BNY Mellon; David Kimm, chief risk officer, TD Ameritrade; and Harry Miller, president, annuity strategy and senior vice president/chief risk officer, Allstate Financial MODERATOR: Dietmar Serbee, principal, PwC
The title of the New York event was “Perspectives Across the Financial Services Landscape” and, befitting the title, moderator Dietmar Serbee’s first question was big picture: How did the panelists see the state of the industry?
Noting that he spent 2007 and 2008 at Lehman Broth-ers, one of the centers of the financial crisis, Vincent Di-Massimo said the system is definitely safer today thanks to reform, regulatory change, and internal controls. “A lot of leverage has been taken out of the system. Things have gotten simpler and more straightforward,” he noted. Whether the system is “safe enough,” though, “still has people nervous.”
BY FRANK DEVLIN
Prev
ious
sPr
ead:
shut
ters
tock
, inc
.
September 2014 The RMA Journal 47
activities take up more than 20% of the technology budget” and they will continue to consume a large share of resources for the foreseeable future.
Added Howard: “Compared to 10 years ago, risk man-agement and regulatory compliance are a significant cost.”
Serbee asked how time can be carved out for other tasks when so much is put into responding to regulators.
“Be more rigorous in separating critical from merely useful,” Kimm advised. “The most important thing I’ve done is hire great people to take things off my plate. I like detail and could get sucked into technical details” otherwise.
‘Step Back, Look Around’“White time on your calendar is critical,” said Harry Miller of Allstate Financial. Time allows CROs the opportunity “to look for where the threat is going to bite you and put your model at risk.”
Miller named some companies that failed to notice the landscape changing around them: Kodak, Blockbuster, and those in the record industry. “Who in the organization is stepping back and looking at the pace of change in the world? Step back, look around, and see the risk that may not be front and center in everyone’s mind. Think a little differently.”
Belmont said Commonfund’s risk committee performs “reverse stress-tests.” They start with a result—say, the loss of $20 million—and imagine how it could have happened.
“It’s easy to measure things we have established metrics for,” Howard said. What really needs to be addressed, he explained, are business risks that can arise from changes in regulation, technology, perception of the financial industry, and other factors.
As a risk professional, Howard said, “you need to carry the expertise of the organization with you. Poll the experts
who generate the business. They know where the risks are. Draw those out. Do it a few times a year. Develop a framework.
“It’s the responsibility of CROs to get that conversation to management,” he added.
In more and more cases, management is listening and actively seeking such conversations. The industry has largely recognized the changed and challenging environment.
“The profile of risk management has been elevated,” DiMassimo said. “The board and senior management truly want to understand the risks.”
Which is as it should be, Kimm said. “The CRO needs to be recognized as equal with anyone else on the executive team.” Still, “in many places, the CRO is a technocrat. They are still a few levels down [on the organizational chart]. They report to the CFO.”
As CRO at Ameritrade, Kimm said, he reports to the CEO and has “a right to wade into issues of strategy and direction.”
Kimm noted that, in addition to its oversight role, risk has to work in partnership with the business side or “you’ve got no standing in the organization” and the risk function is seen as the place “where ideas go to die.” It’s a delicate balance. The goal is to “transition and reposi-tion yourself as a fully entitled partner carrying that dual mantle of business support and control,” he said.
Where there is challenge there is often opportunity, though, and that is the case in the discipline of risk man-agement, DiMassimo noted.
“There’s always opportunity in risk,” he said. “It’s an environment that’s changing. There are new requirements. You need to have your hand up and be ready to go. There’s opportunity when you walk off the elevator. Have your eyes open and your hand up. There’s opportunity.”
Step back, look around, and see the risk that may not be front and center in everyone’s mind. Think a little differently.” –HARRY MILLER, ALLSTATE FINANCIAL“
September 2014 The RMA Journal48
of Financial Institutions],” Hughes continued. “I was getting the impression they were agreeing that constantly increasing the number of pages they require each year is not the answer.”
Added Laura Dottori-Attanasio of CIBC: “There are so many regulations coming from every different regulator. It’s very hard to keep up. Different regulators are issu-ing rules for their respective countries where they want capital to sit.”
Such measures are “undoing the concept of an enhanced global regulatory framework that we’ve been working for,” she said.
Common SenseRegarding data aggregation, though, Dottori-Attanasio said it was “very important,” adding that “it shouldn’t have to be the regulator to tell us to get our data aggregated so they can see our risk profile.
“A lot of what the regulator tells us is just common sense,” she remarked. “At CIBC, it’s not just about getting data aggregation right for risk. It’s about what we know about our clients and how we make our risk decisions. It determines which clients you go after more aggressively.”
Several panelists said it was a good idea to make the process that is required to show regulatory compliance be beneficial to the financial institution, and not just be a check-the-box exercise. “Let’s do it in a way that adds value,” emphasized Mark Chauvin of TD Bank.
“If we look at the things that have made us stronger [as an industry], a catalyst has been regulatory change,” he said.
But he added, with so much demanded of risk profes-sionals on the regulatory front, “hopefully, people won’t get trapped by the feeling that if they manage all the regulatory challenges, they have done their job as a risk manager.”
There’s so much still left to do.
The Risk List Mark Chauvin called cyber threats “probably our top uncontrollable risk,” although “that doesn’t mean you can’t do a lot of things to protect yourself. The trick is to stay ahead.”
A potential “loss of availability and the disruption it could cause our customers is our worst nightmare,” he stressed. “There would be brand impact and you could lose customer confidence.
“You’re only as strong as one of your vendors might be,” he added. And even if it’s another bank that’s hit by
THE TORONTO CHAPTER OF RMA CHIEF RISK OFFICERS 2014
PANEL LUNCHEON
DATE: April 30, 2014LOCATION: Arcadian Court, Toronto, OntarioPANELISTS: William Bonnell, executive vice president and chief risk officer, National Bank of Canada; Mark Chauvin, group head – risk management and chief finan-cial officer, TD Bank Financial Group; Laura Dottori-Atta-nasio, senior executive vice president and chief risk officer, CIBC; Stephen Hart, chief risk officer, Scotiabank; Mark Hughes, chief risk officer, RBC Royal Bank of Canada; and Surjit Rajpal, chief risk officer, BMO Financial Group. MODERATOR: Scott Baret, partner, global financial ser-vices industry leader – enterprise risk services, Deloitte Touche Tohmatsu Limited.
As at the New York event, a great deal of discussion in Toronto centered on the increasing demands of the regulatory environment. Moderator Scott Baret said one CRO he knows has lamented, “I never thought my job would be chief regulatory officer, not chief risk officer.”
“Regulators around the world are asking for an in-creased amount of data flows,” said Mark Hughes of RBC Royal Bank. “The idea of having data and aggregating it and making sure you understand how all the numbers add up is something we’ve grown up with in our careers. We all support the idea. The challenge is the immensity of the requirement.
“Some of us on the panel were down at the RMA North American Chief Risk Officers Round Table in Arizona [in February]. We were listening to the American CROs talking about the amount of paperwork they have to pro-vide on the CCAR [Comprehensive Capital Analysis and Review] submission. It was incomprehensible, the hours they had to put in to put the data together. Is 7,000 pages of data really better than 5,000 pages or 3,000 pages? What are they really going to do with it?
“I am at least slightly heartened by a conversation I had with OSFI [Canada’s Office of the Superintendent
September 2014 The RMA Journal 49
an attack, there could be “guilt by association,” and the entire industry’s reputation could suffer, he said.
Said William Bonnell of National Bank, “Every other week we’re faced with a new event on the front page of the newspaper that forces us to realize there are frailties in the systems we rely on.
“There are some sophisticated and well-funded actors around the world who are trying to exploit those weak-nesses,” he warned.
On the bright side, Bonnell added, “there is a tremen-dous amount of work being done in our institutions to better understand, better prepare, and be more resilient against cyber risks.”
Added Chauvin, “We’re all in this together, sharing information,” and that includes the “increasing involve-ment” of the government agencies.
“We all want to be strong,” he said.
Several panelists noted persistent low interest rates as cause for concern. “How do our businesses grow to the extent that our shareholders and investors want without taking on more risk?” Hughes asked. “Or, what are the risks you are prepared to take?”
Said Stephen Hart of Scotiabank: “As people look to find an area that can make money, you’re seeing a resur-gence in both the U.S. and the U.K. in the HLT [highly leveraged transaction] market, no covenants, and silent seconds” [where a secondary mortgage is not disclosed to the original lender]. All the terms we grew to fear in 2008 and 2009 are now being sold off the shelf. You’ve got a movement of people trying to find some yield and regulators trying to balance against that.”
Hughes said that, in a recent talk with the risk com-mittee at RBC, he touched on operational risks and how they could cause “bigger losses than an individual loan
loss.” There have been examples in the U.S. and Europe where fines and losses resulting from rogue traders, product mis-selling, and failure to meet regulations can reach into the billions. “It’s about the issues that could affect the on-going viability of the institution,” he said. “A single loan won’t do that. Billions of dollars in fines could.”
‘Execution Risk’“What we worry about the most isn’t a particular single risk we manage, but whether we remain effective in our ability to identify and deal effec-tively with risk in a changing and more complex
Every other week we’re faced with a new event on the front page of the newspaper that forces us to realize there are frailties in the systems we rely on.” –WILLIAM BONNELL, NATIONAL BANK OF CANADA“
Attendees of the Toronto Chapter’s 2014 Chief Risk Officers Panel—PHOTO BY TOM SANDLER
September 2014 The RMA Journal50
so that the operational risk role reports directly into the CRO and spans the institution and includes IT risk, where we have a specialized team whose job is to challenge the technology staff.”
Hughes reported that RBC has added an operational risk group that handles “all the potential [cyber] attacks that come in during the day.”
And Bonnell said, “Both in the business lines and in the risk group we need people who are risk savvy, IT savvy, and business savvy.
“To have the combination of all those skills requires movement and experience. It isn’t something you can learn in a one-week session in a classroom. It comes from opportunities to have lateral moves—across risk functions and also between the business lines and the risk functions so you can develop a real depth of knowledge,” he said.
Hart echoed the call for risk savviness throughout the organization. “If you get risk right at the front line you don’t have to worry about quality control further on, and that saves you money in the long term,” he said.
“At the end of the day,” concluded Chauvin, “what I take the most comfort from is culture. If I could have one thing in an organization, it would be a culture that is strong from a risk perspective. That doesn’t mean it says no all the time. It means it’s transparent, thought out, and it takes the organization’s principles to heart.” v
••Frank Devlin is editor of The RMA Journal. He can be reached at [email protected].
environment,” Chauvin stated. “We’ve coined the term ‘execution risk.’ That’s our main risk. We have to keep pace with all the regulatory change, be ready and watchful and always able to identify emerging risks, and deal with the basic risks we’ve been managing for years—like credit, market, and operational.”
Along the same lines, Hughes said, “We’ve got to be able to acknowledge what we don’t know.”
Meanwhile, Surjit Rajpal of BMO Financial Group pointed out the need for greater deliberation: “We’ve got to have a lot more thinking time than we currently do. When I evaluate some of the losses we take on our loan book, oftentimes the conclusion is that the business didn’t have good fundamentals. We should have seen it coming.”
Time should also be spent thinking about possible para-digm shifts. “Look at societal issues,” Rajpal said. “The risk is if we don’t do it we’re going to be left behind. Banks have been comfortable with modeling economic factors and geopolitical events that could happen. We haven’t been as good at looking at societal issues. The peripheral issues are just as important.”
Added Chauvin, “We constantly have to look at our risk management resources to make sure we have the right capa-bilities, the right people, and the right number of people.”
Dottori-Attanasio reported that CIBC “recently named a person into the chief data officer role reporting into the COO. We thought, ‘Let’s try to be more strategic.’ We’re thinking across the whole organization and not just risk.
“More specifically to risk,” she said, “we reorganized
PANELISTS FROM LEFT TO RIGHT:Surjit Rajpal, BMO Financial Group; Mark Hughes, RBC Royal Bank of Canada; Mark Chauvin, TD Bank Financial Group; William Bonnell, National Bank of Canada; Laura Dottori-Attanasio, CIBC; and Stephen Hart, Scotiabank—PHOTO BY TOM SANDLER