Seven Tenets of

Risk Management in
the Banking Industry
If a bank is serious about risk management, then it will
be serious from the top down. Before discussing this
statement, it is important to understand the events
that precipitated it.

Seven Tenets of Risk Management in the Banking Industry

The chain of events that led to the global economic crisis are outlined in figure 1. The resulting
global economic downturn led to a vicious cycle of companies failing or downsizing, thus
leading to unemployment, which further reduced demand for goods and services. In addition,
banks across the globe retrenched and in place of the liberal lending practices credit
tightened across the board. Governments stepped in with fiscal supportthe likes of
which has never been seen in modern recorded history. And now, everyone waits to see
what will happen with this never-before-tried experiment of flooding the world markets
with government money.

Figure 1
Economic crisis: The timeline and chain of events

July 2007

August
JulyAugust 2007 September 2008

September 2008 October 2008

Mortgage
bubble in U.S.
real estate
market

Mortgage
crisis

Financial
sector crisis

Liquidity crisis

Recession
in developed
markets

U.S. mortgage
market bubble
bursts

Interest rates rise;

borrowers are
unable to refinance
debt

Mortgage assets
are re-evaluated,
causing major
bankruptcies
(Lehman Brothers,
Merrill Lynch,
Wachovia)

International
capital markets
hit by liquidity
crisis

Funding difficulties
force many companies to reduce
costs

Loan rates increase

Companies cut
production and
workers

U.S. home prices

continue to decline,
affecting construction
segment
Fed raises interest
rates to cool the
U.S. economy

Rates on home
mortgages increase;
refinancing becomes
difficult

Borrowers default
on mortgage loans
Banks stuck in
market with
declining collateral

Market mortgage
bonds increase
More banks dispose
of assets, reduce
liquidity

Stock market
collapses

Major financial
institutions file
for bankruptcy;
a crisis of
confidence ensues

Financial institutions and corporate borrowers

cannot refinance
debt

Interest rates rise

Major European
commercial banks
feel the pain

The real economy

falls

Production and
consumption in
developed
countries decline
Commodity
prices fall

Source: A.T. Kearney analysis

What happened? Why did everything turn so bad so fast when it looked like the good times
would go on unabated and it appeared that the very predictable five- and 10-year recession
cycle had been overcome?
Different people like to point fingers at different culprits. Some experts put the blame on credit
default swap instruments that were sold worldwide with promises of high returns and low risk.
Others blame those who promoted mortgage access to people who normally would not qualify
for a housing loan. But we believe that the issue is more fundamental: The worlds financiers lost
sight of the requirement to manage risk effectively and, in many cases, it is questionable if the
basics of risk management were ever put in place.
Seven Tenets of Risk Management in the Banking Industry

A Banks Business
The core business of a bank is to manage risk and provide a return to shareholders in line with
the accepted risk profile. The credit crisis and ensuing global recession seem to indicate that
the banking sector has failed to tend to its core business. If it had done so effectively, then
credit default swaps would not have been bought up with so much eagerness. If the banks had
attended to risk management, then there would not have been the flood on the U.S. market of
cheap short-term interest rate mortgages that led to the so-called housing bubble and the
ultimate wave of personal bankruptcies and home foreclosures.
A.T. Kearney believes that the framework for risk management in a bank is fundamentally no
different today than it was prior to the credit crunch and recession. Indeed, the risk function
lacks a certain business acumen, and continues to be considered a handbrake on growth.
Chief economists and their macro perspectives are still divorced from the banks own strategy
function. We believe that a return to managing risksnot ignoring them or believing they can
be passed offis the cure for the ailment that has hit the economy so hard. Let us therefore
review what we call The Seven Tenets of Risk Management to see why the paradigm has
neither been altered nor fundamentally changed in this new world order:
1. Establish a Language System to Discuss and Categorize Risk
A risk manager is overheard at a recent intra-departmental meeting: The Basel II second pillar
requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their
obligations in this respect and that sufficient oversight is provided by the SREP at which point
many of the participants have no idea what the risk manager is talking about, but they are too
afraid to ask questions so they nod their heads in polite agreement and hope no one will ask
them for their personal opinion.
This scene is played out all too frequently at many banks. Each function within a bank has its own
lingo and acronyms that are useful in the right format and context. Take them out of their natural
environment and they cause untold confusion and misunderstandings. It is incumbent upon risk
experts to translate risk issues into a language and terms that all interested parties can understand, and it is the responsibility of the other functions to make the effort to understand.
2. Develop a Big Picture View of Risk Exposure and Focus on the Most Important
Not all risks are created or end equally. Banks need to be mindful of credit, market, and operational
risks. Within the three main areas of risk, further stratification is embedded to allow for a comprehensive overall view of risk. Tools such as VaR (Value at Risk), Monte Carlo simulations, CFaR (Cash
Flow at Risk), stress testing, and others are applied to judge the level of risk and subsequently the
actions required to contain the risks. Yet within banks there is often a lack of tools and sophistication to keep pace with a rapidly changing set of products. At any point in time, one or more
risk elements may be more relevant than others, but the bank needs to know its risk framework
and monitor developments in real time to provide the right level of attention and action.
As a whole, Canadian banks seem to have fared better than banks in other countries. Canadian
banks in general steered away from the credit derivative craze, adopting a more conservative
approach as other banks were ambitiously buying the risky instruments. By taking the big
picture view, Canadian banks avoided a major melt down. According to a report by TD Bank:
There appears to be a more risk-averse culture in Canada running through government, the
public and banks. Canadian banks benefited from prudent and disciplined risk-management
Seven Tenets of Risk Management in the Banking Industry

practices, and higher capital ratios pre-crisis. The fact that Canadas major investment banks
were part of a large diversified financial services institution also played a role.1
3. Centralize Ownership of Process and Decentralize Decision Making
Risk management can be most effective when it is applied consistently across the banking
organization with policies and procedures developed by risk experts who have the training and
experience for their specific country, area, and client mix. It is incumbent upon front-line officers
to use the tools and processes to guide their daily inter-actions with customers. Interactions are
clear. Answers are given in a timely manner and the responses leave no ambiguity about what the
bank is able to do for its customer.
A good example can be drawn from banks in Central Europe pre- and post-privatization. Prior to
privatization and modernization, many banks had a decentralized business model and it was a
public secret that the branch managers made up the rules and profited handsomely from insufficiently transparent business practices. This led to the failure of many banks in Central Europe. Post
privatization, the banks focused on centralizing key processes around risk and then decentralizing
decision making down to the branch level, with the knowledge that decisions would be made
within the centrally developed framework; this provided safeguards against unwanted risk.
4. Drive the Process from the Top and Clearly Define Roles and Responsibilities
In the lead-up to the big bustthe credit crunchbanks were reporting record profits and the
leaders were receiving bonuses for relatively short-term results. It seemed that everybody wanted
in on the big profits and pay days, and little heed was given to people calling for curbing the
growing risk profiles. The clear lesson: what the leaders in the organization do, not so much what
they say, is what defines an organizations behavior. Risk management in a bank is everyones
responsibility, not just the risk departments. Leadership must not only espouse a vision but also
behave in a manner consistent with it and demonstrate to employees that prudent risk
management is a cornerstone to success.
5. Quantify Risk Exposure and the Costs and Benefits of Managing Risks
The warnings were everywhere, renowned financial experts were quoted almost every day: The
risks of credit derivatives are not quantified and nobody really knows how much is out there
and what will happen when contracts come due. We know now at least to this point what has
happened. Had individual organizations been looking appropriately at the risks of purchasing the
seemingly too-good-to-be-true derivative instruments, perhaps they would not have taken them
on with such zeal and the problem would have been more contained at the original source, which
was the overheated mortgage market in the United States. Consistent and rigorous assessment of
risk and quantification of the net benefits of appropriately dealing with the risk cannot be replaced
with promises of above-average returns with no knowledge of the potential downsides.
A recent article in Fortune may have said it best when describing Blackrock, the large money
management company.2 When instruments get complicated, do your homework. In fact, at
BlackRock, executives are constantly refining their models to stay one step ahead of the latest
funky financial product from Wall Streets wizards. The firms that design securitized products
are always conspiring against us with new, increasingly complex instruments, explains Rob
Goldstein, who oversees BlackRock Solutions, which leases an ultrasophisticated technology
TD Economics, Economic Notes, February 24, 2009.

Inside the Trillionaires Club, Fortune, August 17, 2009.

Seven Tenets of Risk Management in the Banking Industry

platform to clients and has a team that helps companies analyze and run their portfolios. Its our
mission to make sure they dont win. On behalf of the Federal Reserve, BlackRock Solutions is
managing troubled assets from AIG and Bear Stearns.
Even the most sophisticated models will not make an organization 100 percent foolproof as
BlackRock found when it misjudged the market for commercial mortgage-backed securities.
Regardless, strong and rigorous analytical capabilities will lessen the chance of failure.
6. Embed IT Systems to Facilitate the Risk-Management Process
The value of IT appears to be increasing over time to banking organizations as the environment
grows ever more complexso there is no change in this variable in troubled times. However, the
IT value will be realized only if IT systems development is driven by user needs and not vice
versa. IT systems, if properly developed and used, can assist the company in risk management
by providing control and compliance monitoring technology, databases, market and industry
research and analysis tools, and communication tools. These are all critical tools that assist in
the delivery of the required information to decision makers in the bank. This can happen if the IT
systems are developed with the users needs in mind.
7. Embed a Risk-Management Culture
If a bank is serious about risk management, then it will be serious from the top down.
Leadership will espouse a culture of responsible risk management through its behaviors and
through the systems and programs it puts into place. In the run up to the financial crisis,
organizations talked about good risk management; however, few in leadership positions
espoused effective risk management, which is evident in the dismal failures in the financial
sector. A risk-management culture can be embedded in the organization through training,
communications and incentives (see figure 2).

Figure 2
Elements of a risk-management culture

Training

Communications

Incentives and
performance guidelines

Develop formal training sessions.

Corporate risk management
facilitates training sessions with
representatives from business units
and functions

Discuss risk management status in

management review meetings

Increase accountability by defining

explicit incentives and performance
metrics around risk management

Embed risk management thinking.

Representatives share information
with their colleagues in their own
areas via:
Online systems: representatives
circulate training documents,
examples and lessons learned
Cross-functional working
sessions: subject matter experts
discuss risk management ideas
and techniques

Involve all decision makers (from the

Board to individual business levels)
in evaluating and monitoring risks
What risks do we face given our
new initiatives?
What are the risk-benefit
trade-offs?
How has our risk exposure
changed?

Identify clear consequences of

compliance and non-compliance
(pre- and post- event)
Incorporate specific risk management
goals into performance evaluations,
both for variable remuneration and
promotions

What actions do we need to take?

Ensure that risk-related discussions
take place regularly across business
units and the central risk
management function

Source: A.T. Kearney analysis

Seven Tenets of Risk Management in the Banking Industry

Goldman Sachs, although not currently popular among the general populace, nevertheless has
embedded a rich culture as noted in a Forbes article:3
Still, the special moxie of Goldmans culture is to respond boldly and brilliantly to crises that
threaten the franchise, and move through them to higher ground, more resolute and inner
directed. This is a paean to its leadership This is due to the GS culture; the risk control officers
are treated as equal in authority to the risk takers. There is now a comprehensive effort to bolster
what GS calls the federationthe empowering of the firms support staff, those less glamorous
individuals once called back-office types. That description is banned under the new culture.
Recruitment, training, and compensation are conceived to create a band of brothers and sisters
honored for their contribution as much as some whiz kid trader or M&A banker. Smart. Very smart.

Putting a Ribbon and Bow around Risk Management

Banks around the globe should review their risk-management practices with an eye toward
assessing whether or not they fulfill these seven tenets. A structured review of the banks
risk-management practices against these tenets will certainly provide a clear starting point
for improving risk management in areas that are found to be wanting. The regulators will
certainly impose new demands on the banking sector. A clear analysis can be the guiding
light and a pre-emptive initiative for implementation of sustainable improvements to risk
management that will secure shareholder returns over the short, medium, and long term and
appease regulators demands.
Above all, a firms leadership should behave the way it wants its organization to behave. Or, as
we stated at the outset of this article: if a bank is serious about risk management, then it will be
serious from the top down.

Authors
Ettore Pastore, partner, Milan
ettore.pastore@atkearney.com

Johan Kestens, partner, Brussels

johan.kestens@atkearney.com

John Winkler, partner alum

In Goldman Sachs We Trust, Forbes, July 16, 2009.

Seven Tenets of Risk Management in the Banking Industry

A.T. Kearney is a global team of forward-thinking partners that delivers immediate

impact and growing advantage for its clients. We are passionate problem solvers
who excel in collaborating across borders to co-create and realize elegantly simple,
practical, and sustainable results. Since 1926, we have been trusted advisors on the
most mission-critical issues to the worlds leading organizations across all major
industries and service sectors. A.T. Kearney has 58 offices located in major business
centers across 40 countries.
Americas

Atlanta
Bogot
Calgary
Chicago
Dallas

Detroit
Houston
Mexico City
New York
San Francisco

So Paulo
Toronto
Washington, D.C.

Asia Pacific

Bangkok
Beijing
Hong Kong
Jakarta
Kuala Lumpur

Melbourne
Mumbai
New Delhi
Seoul
Shanghai

Singapore
Sydney
Tokyo

Europe

Amsterdam
Berlin
Brussels
Bucharest
Budapest
Copenhagen
Dsseldorf
Frankfurt
Helsinki

Istanbul
Kiev
Lisbon
Ljubljana
London
Madrid
Milan
Moscow
Munich

Oslo
Paris
Prague
Rome
Stockholm
Stuttgart
Vienna
Warsaw
Zurich

Middle East
and Africa

Abu Dhabi
Dubai

Johannesburg
Manama

Riyadh

For more information, permission to reprint or translate this work, and all other correspondence,
please email: insight@atkearney.com.
A.T. Kearney Korea LLC is a separate and
independent legal entity operating under
the A.T. Kearney name in Korea.
2013, A.T. Kearney, Inc. All rights reserved.

The signature of our namesake and founder, Andrew Thomas Kearney, on the cover of this
document represents our pledge to live the values he instilled in our firm and uphold his
commitment to ensuring essential rightness in all that we do.