The Boston Consulting Group

From Risk Taker

to Risk Manager
Ten Principles for Establishing
a Comprehensive Risk Management
System for Banks

Results of a Global BCG Study

January 2001
From Risk Taker
to Risk Manager
Ten Principles for Establishing
a Comprehensive Risk Management
System for Banks
Results of a Global BCG Study
January 2001

© The Boston Consulting Group, 2001

Table of Contents
Foreword 3

Summary 5

From risk taker to risk manager: General issues 7

Principle 1: Risk management must become a central element in a

bank’s overall management system 12

Principle 2: Risk management must be firmly established at

all levels of the organization 14

Principle 3: Value-at-risk concepts should become the norm 15

Principle 4: An active portfolio management system should be

implemented for credit risks 19

Principle 5: Banks must move from measuring to managing

market risks 24

Principle 6: Operational risks should first be approached pragmatically 27

Principle 7: All types of risk should be aggregated 32

Principle 8: A bank’s management system should be

based on economic capital 35

Principle 9: Employees must nurture a risk-return culture 37

Principle 10: The concept in itself is nothing: It is the application

that creates competitive advantage 39

Notes on the study 42

The Boston Consulting Group 1

Foreword
The banking industry has had a rude awakening. Cases like Barings, Schneider,
and Metallgesellschaft have shown the banking world it needs to treat lending,
and risk in general, far more carefully. Bank managers have long been aware of
the importance of having a comprehensive risk management system in place—
much work is being done to develop new structures and procedures. But not only
the highly publicized cases have made a deep impression on management: high
insolvency rates, an increasingly competitive environment, stricter supervisory
guidelines, and the emergence of the Internet also threaten the banking estab-
lishment.

In spite of challenging conditions and the evident need for change, many banks
are still hesitating to put a comprehensive risk management system into practice.
Particularly in the area of risk management, there is a notable lack of clear con-
cepts and well-articulated strategies. Risk management can no longer be consid-
ered in isolation. Together with portfolio management, it is an integral part of the
bank management system. It permeates all steps of the value chain. And above all,
it is a factor essential for sustainable, successful shareholder value management.

The Boston Consulting Group has long recognized the importance of a compre-
hensive risk management system. On the strength of many years of consulting on
international projects, BCG wants to help promote the development of risk man-
agement. The BCG concepts described here can help guide banks on the path
from "risk taker" to "risk manager" and thereby provide one of the main ingredi-
ents for success in the banking business of the twenty-first century.

We have formulated ten principles that outline one possible path to a consistent
and efficient risk management system. It is a path strewn with obstacles and one
that demands endurance, but it also leads directly to the goal. Although other
strategies may be equally successful, our ideas have been tested extensively in the
real world. In our study, which included some 60 leading banks and risk manage-
ment software vendors, we analyzed the state-of-the-art of risk management in the
banking industry.

The Boston Consulting Group 3

 Our special thanks go to all participants in the study, who have given freely of
their expertise and time. We would also like to thank the BCG risk management
project team, namely, Susanne Chakravarty, Carsten Gerhardt, Sebastian
Hofmeister, Christian Rosen, and the project leader, Franz J. Herrlein.

We hope that what follows piques your interest, and we wish you every success with
your risk management plan!

Thomas Groß Claus Michalk Andrew Cainey

Vice President Vice President Vice President

4 The Boston Consulting Group

Summary
Banks must become risk managers if they are to survive in this highly competi-
tive industry. This requires developing a consistent and comprehensive risk
management system. BCG has formulated ten principles for achieving this goal.

Principle 1: Risk management must become a central element in a bank's

overall management system

Principle 2: Risk management must be firmly established at all levels of the

organization

Principle 3: Value-at-risk concepts should become the norm

Principle 4: An active portfolio management system should be implemented

for credit risks

Principle 5: Banks must move from measuring to managing market risks

Principle 6: Operational risks should first be approached pragmatically

Principle 7: All types of risk should be aggregated

Principle 8: A bank’s management system should be based on economic

capital

Principle 9: Employees must nurture a risk-return culture

Principle 10: The concept in itself is nothing: It is the application that creates
competitive advantage

BCG undertook a global study to show the extent to which banks have developed
risk management systems. The result was disheartening! Barely 5 percent of the
banks surveyed can be classified as risk managers, whereas a good two thirds still
see themselves as risk takers. The remainder, about 30 percent of the institutions
interviewed, are currently transforming themselves.

The Boston Consulting Group 5

 Banks that succeed in identifying and eliminating areas of weakness from their
organizations can lay the foundation for a successful risk management system and
thus for an holistic, value-based bank management system. This in turn opens up
the path to sustainable improvement in shareholder value.

What main conclusions can be drawn from our study?

First, technical development will not be the determining or even sole success
factor in the future. Much more important than a bank's ability to implement
mathematical models is its ability to handle risk. Risk needs to be understood
strategically and controlled organizationally. A rapidly changing and competitive
environment has encouraged banks to focus on selected business segments, and
the resulting loss of opportunities for risk diversification has contributed to the
growing importance of risk management.

The adjustments to processes and systems—outlined in our study—that are need-

ed to realize a risk-based management philosophy, however, are not enough. The
real change has to occur in the attitudes and minds of the employees. They must
be brought to understand that managing risk is crucial for success. This change
cannot be brought about through appeals and requests alone. Intensive training,
clearly defined structures and responsibilities, and a commitment to change are
equally important.

In conclusion, this change will become no less urgent in the next few years. The
banks that begin the (unavoidable) restructuring early and recognize the impor-
tance of a comprehensive risk management system will be in the best position to
respond to future demands.

6 The Boston Consulting Group

From risk taker to risk manager:
General issues

The competitive landscape in the banking industry is changing rapidly. The con-
cept of the "universal bank" is being abandoned in favor of a growing tendency to
focus on selected business sectors and product segments.

This paradigm shift is being driven by technological developments, changing cus-

tomer behavior, and the increasing significance of the capital markets as a source
of financing for companies.

The trend away from traditional, longer-term lending and toward off-balance-
sheet business is accelerating. Understanding and structuring risk is becoming
ever more important, and active portfolio management is replacing the tradi-
tional buy-and-hold approach.

The bank's internal ability to actively handle risk is quickly growing in impor-
tance. New target measurements are being introduced for risk management:
strategies are increasingly influenced by a risk-return-oriented optimization of the
portfolio and the allocation of economic capital.

Simply meeting regulatory requirements is not enough

Over the last few years, two factors have shaped the discussion surrounding risk
management: competitive requirements and supervisory regulations. In the
future, banks will and indeed must concentrate more than ever before on com-
petitive challenges. Focusing on regulations alone may not necessarily lead to suc-
cess because these regulations cannot keep pace with fast-changing competitive
conditions. And regulations represent only the minimum standards to be met.

Our study identified clear regional differences. In North America and Australia,
banks are concentrating on risk management primarily to enhance their com-
petitive positions. In Europe, in Asia, and particularly in South America, however,

The Boston Consulting Group 7

 risk management is considered primarily from the perspective of regulatory
requirements.

As a result, the effects of the proposals drawn up by the Basel Committee on

Banking Supervision on the topic "A New Capital Adequacy Framework" are clear-
ly assessed in different ways by the banks surveyed:

■ The hot topic in Europe, and in Germany in particular, of whether and how
to accept internal ratings and the associated regulatory capital backing is not
an issue for the North American banks questioned. This problem appears
almost negligible to them because they have a broader base of externally
rated companies. Moreover, North American banks have already begun trad-
ing debt from the segment of small and medium-sized companies as well as
from retail customers. There are also a significant number of customers in
the portfolios of American banks, however, that are not rated by external
agencies. This is likely to cause problems similar to those experienced in the
rest of the world.

Competitive pressure as the main driver in North America

and Australia

Assessment of main risk management drivers by the banks surveyed

Global The main driver of Regional

risk management is …

Regulators
Competition Regulators
North America -
40% South America -
60% Europe ( ) ( )

Asia ( ) ( )
Australia
-
Competition

Exhibit 1 Source: BCG study

8 The Boston Consulting Group

■ Within Europe, Scandinavian and British banks indicated they were least
affected by the innovations in Basel. And South American banks seem almost
unaware of a problem.

Exhibit 1 assesses the relative importance of regulatory requirements and com-

petitive pressures.

In conclusion, risk management concepts differ significantly from region to

region. The leaders are mainly institutions from the United States. However, non-
U.S. banks are making the greatest efforts and are simultaneously continuing to
improve their databases, so Europeans, in particular, should be able to reduce the
disparity somewhat over the next few years. Even today some European banks are
counted among the leaders in risk management.

Accordingly, banks should not restrict current discussion to simply fulfilling reg-
ulatory requirements. Rather, they should focus on building competitive advan-
tage through risk management.

Significance of the different types of risk for banks

Individual types of risk must be considered separately to derive concrete recom-
mendations for dealing with them. In our study we wanted to find out what sig-
nificance credit, market, and operational risk have for the banks we interviewed.

The conclusion: credit risk is and will continue to be the most important risk cat-
egory in the future, but operational risks will gain in importance. The results sup-
port this conclusion:

■ More than 50 percent of banks surveyed described credit risk as the most
important risk category (see exhibit 2).

■ More than 30 percent of banks ranked credit, market, and operational risks
as equally important.

The Boston Consulting Group 9

 ■ Approximately 5 percent of participants in the study identified operational
risk as the most important type.

■ Fewer than 5 percent of banks surveyed described market risk as the decisive
risk factor.

■ About 10 percent of banks surveyed do not consider credit, market, or oper-

ational risk most important. For them, general investment risk (such as late
entry into e-commerce) is the most significant.

Those surveyed feel that the management of operational risk will play an increas-
ingly important role. Managing this type of risk in particular presents the institu-
tions with a special challenge.

General investment risks—according to the banks—should be tackled within the

overall bank strategy. For example, they should be considered separately within
the context of investment decisions. These risks will therefore not be analyzed fur-
ther in this study.

Credit risk by far the most important risk category for banks

"Which type of risk is most important for your bank?"

Credit risk

52%

30% All types are

equally important

10% 5%
3%
Operational risk
General Market
investment risks risk
Exhibit 2 Source: BCG study

10 The Boston Consulting Group

Ten principles for an efficient management system
We have elaborated on the basics and stated the prevailing conditions. What next?

We want to develop our ten principles as an instructional guide to help bankers

quickly and directly build a state-of-the-art risk management system. Our proce-
dures aim to make it possible to quantify, aggregate, and manage all types of risk.

By looking at risk management as an integral part of the bank's overall manage-

ment system and defining risk from a value-at-risk (VAR) perspective, we will first
deal with credit, market, and operational risk. We will show how these types of risk
can be systematically managed. Then, we will aggregate the individual cate-
gories—the starting point for a value-based allocation of economic capital. Finally,
we will give tips on actual implementation, because knowledge in and of itself is
ultimately nothing: it is the application that creates competitive advantage.

The Boston Consulting Group 11

 Principle 1: Risk management must
become a central element in a bank’s
overall management system
The goal of every bank is to maximize the return on capital employed and to
create value. A modern value management system is one of the keys to success.
When understood as the sustainable optimization of corporate value, value man-
agement can influence two levers: profitability and growth.

Here, profitability is measured by the increase in return using a return on risk-

adjusted capital (RORAC) approach. Growth, in turn, is reflected in changes in
economic capital, i.e., a risk-adjusted measure of capital. This makes risk man-
agement an integral part of any modern value management system.

Figures for profitability and growth may, for example, be combined using the
"delta added value on equity" (DAVE) concept developed by BCG (see exhibit 3).
It is defined here as a measure of the change in added value on equity, and it
can be used as the central internal measure of value added.

Profitability and growth are the decisive components in value

management

Return Value management

RORAC2 Delta added value

on equity (DAVE)
RORAC1 records profitability
and growth
Added value on equity

Cost of Profitability
capital

Profits required Growth

by capital market

Economic Economic
capital 1 capital 2

Exhibit 3 Source: BCG study Capital

12 The Boston Consulting Group

The DAVE concept facilitates both performance measurement on a bankwide
level and direct comparison of business units. It therefore represents a crucial
basis for maximizing corporate value: capital is made available to those business
units that can realize the maximum DAVE.

Empirical analysis by BCG has shown the suitability of DAVE for measuring the
development of corporate value. There is a high correlation with the (relative)
total shareholder return (RTSR; see exhibit 4), which is decisive for the share-
holder. The RTSR is an indicator of a stock's performance in relation to that of a
corresponding stock index.

For the best possible use of DAVE as a management metric, it is vital that there be
a standard, value-at-risk-based definition of RORAC and economic capital
throughout the bank. All essential types of risk must be recorded for this.

Under these conditions, risk management is an integral part of any coherent

value management system and may make an enduring contribution to the maxi-
mization of value.

High correlation between DAVE and the relative total

shareholder return (RTSR)

DAVE

RTSR (%)
R2 = 55%
30

20

10

-10

-20
-4 -2 0 2 4 6
Average DAVE (%)
Source: BCG database; BCG analysis Exhibit 4

The Boston Consulting Group 13

 Principle 2: Risk management must be
firmly established at all levels of the
organization
Value can be created only by differentiating a bank's concepts and products from
those of its competitors. To do this, internal procedures, systems, and structures
have to be adapted. It is important that risk management concepts be tailored to
key success factors specific to the business. Standardized concepts lose their sig-
nificance as transaction complexity increases, so customizing risk management
systems is essential.

The universality of the concept is also important. Risk management must be

linked logically from the level of the individual transaction to the overall bank
level. It must permeate all marketing and management procedures, and it must
record all essential components of credit, market, and operational risk in a con-
sistent manner.

Risk management in this sense is active rather than reactive, and it affects all trans-
actions and processes within a bank. It affects traditional counter transactions at
retail branches and global investment banking alike. A risk management system
of this sort must also rise to the challenge of realizing two basically opposing
goals—requirements specific to the business unit must be taken into account, and
a standard framework for comparisons between the different business units must
be guaranteed.

Risk management runs both vertically and horizontally across a bank. Vertical uni-
versality refers essentially to uniform, interrelated procedures and controls.
Horizontal universality, on the other hand, describes the comparability of indi-
vidual business units, using predetermined and clearly defined metrics. The
banks that can bridge this gap have laid the cornerstone for an efficient,
bankwide management system and a successful value management approach.

14 The Boston Consulting Group

Principle 3: Value-at-risk concepts
should become the norm

The DAVE concept clearly demonstrates the significance of risk management for
a value-based bank management system. A prerequisite is one uniform way of
viewing risk within a bank. But which definition of risk is the most appropriate?
As active portfolio management increasingly replaces traditional buy-and-hold
strategies, value-based risk assessment in the sense of a value-at-risk (VAR)
approach seems most suitable.

The VAR here is defined as a measure of the possible negative change in the
market value of an asset with a given confidence level and within a certain time
frame.

Our study shows that one cannot yet speak of a uniform risk definition, however.
Most banks still have far to go in this regard as is demonstrated by the following:

■ Less than 50 percent of those surveyed have a standard definition of credit

and market risk that applies throughout the bank (see exhibit 5).

Fewer than 50 percent of the banks surveyed have a standard

definition of risk

Definition of market and credit risk

Losses realized
Value at risk 3%
15%

VAR concept predominates in

North America and Australia
Earnings
at risk 27%
55% Operational risk is
usually not recorded

No standard
definition
Source: BCG study Exhibit 5

The Boston Consulting Group 15

 ■ A standard definition has been established only in North America. In the rest
of the world, credit and market risk are often defined differently. The value-
at-risk concept has indeed become a market standard when dealing with mar-
ket risk, although most banks have not yet applied this logic to all product
lines. Moreover, different VAR approaches have not yet been made suffi-
ciently comparable (e.g., in terms of holding periods). By contrast, credit risk
is traditionally defined by a loss concept. VAR concepts are, at best, deployed
for larger corporate customers or for listed companies.

■ A standard definition has not yet been established for operational risk—only
a few banks are geared to VAR.

Only a small number of banks will presumably be in a position to introduce a uni-

form way of looking at risk in the short term. We therefore recommend proceed-
ing step by step:

■ First, a standard assessment method should be introduced for each type of

risk. This will make it possible to manage the portfolio within business units
according to standardized criteria.

■ In the next step, the risk evaluation method should be standardized among
the business units—if necessary, as an interim solution, e.g., on the basis of
an earnings-at-risk (EAR) approach. EAR is defined as a measure of the pos-
sible negative deviation from the expected earnings (with a given confidence
level and time frame). The advantage of the EAR is that it requires fewer data
than VAR. All types of risk can be assessed using EAR, and this allows a first
comparison between different business units and types of risk. This compari-
son, however, fulfills the requirements of portfolio management and capital
allocation only to a limited extent.

■ Having a value-based VAR concept is still the goal for a standard definition of
risk within a bank. Only then will it be possible to compare market, credit,
and operational risks.

16 The Boston Consulting Group

VAR concepts are almost the market standard in credit business with large
corporate customers
Value-at-risk concepts are becoming the norm in the large corporate customer
business. The following picture emerges when the prevalence of VAR systems is
analyzed:

■ More than 60 percent of those banks surveyed use a VAR approach to quan-
tify credit risk in the large corporate sector and to determine how much indi-
vidual borrowers contribute to the institution's total portfolio risk.

■ All study participants in North America, Australia, and Japan employ a VAR
approach. In Europe, only about 50 percent do. In South America, VAR con-
cepts are barely applied. The significant regional difference in the spread of
VAR concepts can be explained mainly by data problems.

■ In the large corporate customer portfolio, the risk models developed by KMV
(Kealhofer/McQuown/Vasicek, San Francisco) and RMG (RiskMetrics
Group, New York) are most frequently used.

■ Of the banks yet to use VAR concepts, some 50 percent are planning to intro-
duce such a model within the next 18 months.

It is true that risk hedging and loan trading, for example, are generally possible
at the individual transaction level without VAR models (provided there are exter-
nal ratings), but the greatest efficiency in portfolio management and pricing can
be achieved only if VAR models are used. These models are also creating the pre-
requisites for the value-based allocation of economic capital. Here, it is important
for the leading models to be able to handle earnings at risk as well as value at risk.

So what should banks be doing? On no account should they wait any longer to
adopt such models for their large-corporate-customer business. In addition, expe-
rience can be collected for applying credit-risk VAR models to other client groups
as well.

The Boston Consulting Group 17

 VAR concepts should be extended to small and medium-sized corporate
customers and retail customers
Unlike in business with listed companies, there is at present no market standard
for assessing credit risk in the small and medium-sized enterprise segment.
Usually rating- or scoring-based in-house solutions are used to estimate risk in
individual cases. Although these approaches represent a step in the right direc-
tion, VAR concepts are still needed to establish a value-based management system.

VAR models can be applied to small and medium-sized companies and retail cus-
tomers. Our study revealed clear limitations to this approach, however:

■ Internal and external historical data are not really available, which means
that an important prerequisite is missing.

■ U.S. banks are the exception, because they have a broader base of data on
small and medium-sized companies at their disposal. Why? Even within this
group, there is a greater proportion of externally available data because more
of the companies are listed on a stock exchange. In addition, U.S. banks
began constructing internal databases early. In Europe, only Scandinavian
banks possess databases that are in any way comparable. (These were set up
in response to the banking crisis in the early nineties.)

■ In the retail business, problems are similar at all banks surveyed.

Risk management must eliminate as quickly as possible the weaknesses in meas-

uring portfolio risk (especially missing data) in small and medium-sized compa-
nies as well as in the retail business. In addition, internal rating systems must be
aligned with the market standards.

The extent to which VAR models from the large-customer segment can be applied
to small and medium-sized companies and retail customers has to be tested for
each institution. Certainly, a complete transfer is not possible, but there are good
interim solutions. Until a new, sufficiently large historical database is built up,
internal ratings can be compared with external references. And in the retail sec-
tor? Even if there is no real data history here, robust VAR models can still be devel-
oped at the portfolio level.

18 The Boston Consulting Group

Principle 4: An active portfolio manage-
ment system should be implemented
for credit risks
An active credit portfolio management system will become the decisive factor in
lending, as this is how to optimize the risk-return ratio. Most banks, however, have
not come this far. Most institutions are trying to close existing gaps at the risk
measurement level, but the real problem remains unsolved. The knowledge
gained from risk measurement is seldom used to manage the portfolio. In other
words, the step from risk taker to risk manager has not yet been taken.

The BCG study highlights the following problem areas:

■ Banks are mainly concerned about the lack of data in the lending business
with small and medium-sized business clients. Things are no better with retail
customers. Why is this so? On the one hand, there is relatively little internal
data, and there is little to be learned from external information sources. On
the other hand, data warehousing concepts are not widespread. Much more
information is available in the large-customer business, especially in view of
the larger number of publicly traded companies.

■ With the exception of U.S. banks, all participants in the study regret the low
levels of secondary market liquidity for credit risks. The use of loan trading,
credit derivatives, and asset-backed securities (ABS) transactions is restricted
by a lack of standards for estimating risk, for pricing, and for formulating
agreements. Current developments such as the founding of electronic mar-
ketplaces (such as Creditex and Loantrade) promise increased liquidity.

■ Although comparability and the negotiability of risk are taken for granted in
the large-customer segment (there is a broad base of external ratings here),
the situation is somewhat different for small and medium-sized companies
and individuals, for whom only internal ratings are usually available. Since
these do not conform to any norm, trading and hedging credit risk are
restricted to individual agreements between risk vendors and purchasers.

The Boston Consulting Group 19

 ■ The situation is quite different in countries where, regardless of the type of
credit, interest rates are predominantly flexible (for example, in Norway) or
only short-term loans are granted (for example, 30-day terms in Brazil). In
these regions banks are by nature affected by the secondary market problem
only to a limited extent. Nevertheless, the problem remains that companies
at risk of bankruptcy can no longer be hedged through the market. Increases
in interest rates or the failure of loan renewals lead, in cases of doubt, to
bankruptcy and thus to loss of the loan or reduced value.

The core elements of an effective portfolio management system

First, an effective portfolio management system requires that internal databases
be developed. Historical ratings, default probabilities, etc. need to be drawn on to
calculate portfolio risks. This, however, solves only part of the problem, of meas-
uring risks and making them comparable within the bank. To create an effective
portfolio management system, banks have to reach a common understanding of
risk. This involves solving the rating problem, particularly for small and medium-
sized companies. The levers for doing this are the creation of common internal
rating standards and the further spread of external ratings.

■ Banks, however, are still far from having a standard internal rating system.
Even if Basel II has recently breathed new life into the topic, the discussion
has essentially not progressed. There is still great uncertainty about the exact
requirements: contents and ratios for internal rating systems are disputed.
Nor is it clear when there might be acceptance from national supervisory
bodies, and what room there is in national law for implementation. Generally
speaking, we can assume that, even in the future, it will not necessarily be pos-
sible to fully compare internal ratings, although this is essential for the
improved negotiability of credit risks.

■ One solution might be for banks to mutually approve each other's rating sys-
tems, thereby defining a market standard. The validity of "compromises"
reached would be guaranteed through the regulatory powers of the market.
This concept is currently being discussed intensively throughout Europe, and

20 The Boston Consulting Group

 some banks—supported by external rating agencies—have already secured
mutual acceptance of their ratings.

■ An alternative solution is to include more small and medium-sized companies

in the rating process. We are already seeing great efforts—mostly in Europe,
and particularly in Germany—to set up rating agencies for small and medi-
um-sized companies. Two factors support this development: the banks' efforts
to run active credit portfolio management systems, and the incentives of the
companies themselves, which hope to be able to lower their financing costs.
Additionally, external ratings represent an independent verdict on credit-
worthiness, which might have more credibility than internal ratings.
Although external ratings will undoubtedly take on a more prominent role in
the next few years, they do not yet represent a genuine alternative. On the
one hand, market penetration is still too low and, on the other, there are sig-
nificant differences in the quality of the ratings produced. The professional-
ism of the providers also varies considerably. Because many providers are cur-
rently entering this segment, we can expect a consolidation to occur in the
next few years.

Once the rating problem is solved, we can assume that the liquidity of secondary
markets for credit risks will increase considerably. Several things have to happen,
however, before that point is reached.

VAR should be considered in limit setting and pricing

VAR models for defining risk at the portfolio level are increasingly becoming the
norm in the lending business. A logical consequence is that VAR would have to
be included in limit setting and pricing for individual transactions. Most banks,
however, are still far from this level of sophistication:

■ Limit setting is still done mainly in the traditional way. Nominal limits are set
by region, industry, or individual borrower.

■ Risk pricing usually occurs, if at all, according to the standard cost-of-risk

principle: the expected risk is based on historical losses. In our study some

The Boston Consulting Group 21

 two-thirds of the banks surveyed said that they included risk specific to cus-
tomers within the scope of an ordinary pricing process, but there are still vast
differences in practical implementation. There are reservations in Europe in
particular, where loans are not priced to adequately cover risk, for reasons of
customer retention. And risk considerations are only partially relevant to
pricing in South American banks.

In the short term, considering VAR within pricing processes and the allocation of
VAR limits are feasible options only in the large-customer business. Interim solu-
tions are needed for small and medium-sized corporate and retail customers:

■ First, at least the expected risk should be accounted for in pricing decisions
for all customer segments. This can be achieved via the standard cost-of-risk
scheme. In addition, limit setting should be linked with concrete risk meas-
ures and guidelines for credit policy. Cluster risks may be restricted, for exam-
ple, by using a pragmatic combination of customer, industry, and regional rat-
ings.

■ In the next stage, the cost of capital should be taken into account at the indi-
vidual transaction level on the basis of VAR calculations. In this way, unex-
pected risks should be covered by the pricing process.

■ In the final stage, portfolio effects are considered. This means that the cost
of capital for what each individual transaction contributes to the portfolio
VAR is brought into the equation. Thus, pricing reflects only the "marginal"
VAR.

Systems must be changed

An active portfolio management system requires adapting more than risk instru-
ments and systems. Equally important are changes in the organization's structures
and procedures—a monumental feat that in many banks will turn existing struc-
tures in the lending business upside down. Above all, three sectors are affected:

22 The Boston Consulting Group

■ Sales units will concentrate exclusively on the acquisition of new business
and on satisfying existing customers' needs. They will sell credit risks at fixed
internal transfer prices to the portfolio management unit. Sales units will be
managed as profit centers, meaning that if the transfer prices are not fully
attained, the profit center's earnings will be diminished.

■ Traditional loan departments will become internal rating agencies. They will
be fully responsible for determining the risk for each individual transaction.
They will not decide, however, how a transaction will be concluded.

■ Portfolio management will also be managed as a profit center. It will enter

the risk at transfer prices on its books. At the same time, portfolio manage-
ment will be responsible for developing portfolio strategies and for imple-
menting activities on the secondary market. The aim: to improve the risk-
return tradeoff.

The Boston Consulting Group 23

 Principle 5: Banks must move from
measuring to managing market risks

With a consistent market-risk management system, market risks are defined across
all product types in a standardized, and therefore comparable, manner. All for-
ward-looking aspects are taken into consideration, and appropriate monitoring
and management procedures are implemented. Most banks are still far from
achieving this ideal. The challenge consists in progressing from simply measuring
to actually managing market risks.

Uniform risk measurement, in the sense of a mark-to-market approach, and the

use of VAR models are considered standards in market-risk management: some 80
percent of banks use VAR models. These models are essentially based on the vari-
ance-covariance approach, although some are also based on historical volatility
and/or Monte Carlo simulations. Market-risk VAR models are predominantly
based on the logic of the RiskMetrics approach. The selected confidence level for
external reporting is usually 99 percent, with a holding period of ten days; for inter-
nal management purposes, it is often 95 percent with a one-day holding period.

Although our study shows that most banks use sophisticated market-risk models,
their development is far from complete:

■ One element that is often lacking is the conversion of VAR metrics for dif-
ferent product lines to one standard measurement. This is needed to calcu-
late portfolio VARs and to aggregate risk within the context of capital alloca-
tion.

■ Only a small minority of banks use VAR models for all product lines. In addi-
tion, the systems are usually restricted to the trading sector. Also, interest risk
is in the bailiwick of the Treasury, and is often considered separately.

■ There is also a need for adaptation with respect to modeling issues. New VAR
models will be guided by the future development of risk to a greater extent

24 The Boston Consulting Group

 than existing systems. This also includes extending and ensuring more flexi-
bility in stress testing and scenario models for market risk. Only two-thirds of
the banks surveyed are systematically applying sensitivity and scenario analyses.

The fact that market risk cannot be fully mapped has less to do with quantifica-
tion than with problems associated with data warehousing. Efforts to capture and
model relevant data have already caused many headaches. An efficient data ware-
housing system is rarely achieved; data validation, preparation, and administra-
tion are still in their infancy. Existing VAR concepts must be transferred logically
to all product lines to record the full extent of the market risk, and banks must
create the technological prerequisites for this as quickly as possible. Moreover,
procedures have to be developed to compare the VARs of individual risk/product
categories.

Market risk management processes must be improved further

Although risk taking and risk control appear to have been essentially separated
within the organization's structures and procedures, there is still a need to align
the processes with the business requirements.

Basic weaknesses can be identified in virtually all the banks surveyed:

■ Limits are still set mainly through the allocation of notional limits. VAR lim-
its have subordinate significance, as do stop-loss limits.

■ Limit setting is uniformly determined with respect to neither the type of limit
nor to the allocation of limits to organizational units.

This means that, within individual banks, part of the market risk is managed on
the basis of VAR limits. The other part is managed on the basis of notional limits
or of both types of limits together. In addition, these limits are reduced to the
individual trader or customer level in many product sectors; in others, only down
to the departmental or desk level.

The Boston Consulting Group 25

 Control in risk management is less efficient as a result: there is no universal logic
behind managing market risks.

Eliminating these weaknesses is less a question of feasibility than of the need to

establish uniform guidelines for market risk. Thus, the need for action in market-
risk management will continue to be great.

26 The Boston Consulting Group

Principle 6: Operational risks should
first be approached pragmatically

Operational risk management represents an unsolved problem for an over-

whelming majority of banks. Yet in some cases is it not even perceived as such.
Why? The topic has no standard definition and is therefore hard to grasp.
Lengthy internal discussions on terminology prevent the banks from coming to
grips with the actual problem. Individual, bank-specific definitions therefore have
to be drawn up to form the basis for further work.

An analysis of the current definitions of operational risk reveals two main

approaches:

■ Today, most banks understand operational risk as specific-event risk. This

includes inappropriate behavior, defective processes or technologies, and
external events. Examples of such events are computer crashes, deception,
and natural disasters. The British Bankers' Association also follows this
approach with its definition of "people, process, technology, and external
events." Despite this apparent standardization, however, there are clear dif-
ferences in interpretation: most banks usually restrict themselves—for rea-
sons specific to the institution and for ease of measurement—to a few select-
ed event categories. Such a partial approach, of course, cannot cover all
aspects of operational risk.

■ Besides specific-event risks, strategic business risk is also understood to be an

operational risk by some banks. This expresses the risk of failure to produce
returns because of price, volume, or cost fluctuation, or because of changes
in market conditions.

To implement a comprehensive value management system, banks need to con-

sider operational risks as comprehensively as possible when allocating economic
capital at the business-unit level. Specific-event risks and strategic business risks

The Boston Consulting Group 27

 must therefore be looked at together. It is up to each institution to define the
extent to which both types of risk are considered.

Today, the focus is on pragmatic approaches to measuring operational risk

Although a comprehensive concept based on a more-or-less standard logic should
be sought, most of the banks interviewed are currently focusing on a pragmatic
definition of operational risk:

■ 60 percent of the banks surveyed are already trying to quantify operational

risks in concrete terms (see exhibit 6). In particular, a focus on specific-event
risks can be observed. The most common approach is to establish internal
databases using self-assessment methods. Here, individual processes and
units are systematically analyzed for risk, and the possible effects are estimat-
ed.

■ Some 20 percent of banks do not yet have an approach for managing opera-
tional risk but are developing in-house solutions to quantify it. Many have
already begun collecting data on internal loss events. All other banks are
awaiting regulatory guidelines.

Self-assessment approaches dominate in the quantification of

operational risks

Overview of the spread of OR concepts

Self-
assessment

Waiting for
regulatory 70%
guidelines
20%
60% Deployment Rule of
thumb

20% 30%

Concept design
phase

Exhibit 6 Source: BCG study

28 The Boston Consulting Group

■ The results of our study show that within two years some 80 percent of the
banks will have built up internal loss databases.

■ External databases, on the other hand, are seen as relatively unsuitable by

more than 75 percent of those taking part in the study. At best, they can be
used to complement internal data. Instead of serving to supplement mathe-
matical simulations, external data are rather suited for benchmarking exer-
cises which are otherwise hard to carry out, given the restricted public access
to bank loss data. Indeed, some attempts are being made to collect corrected
internal loss data centrally to obtain a statistically adequate basic collection of
loss events, but it is still disputable whether such a method will succeed. The
majority of the banks interviewed rated this solution as having only a small
chance of success, as banks are not prepared to expose weakness and errors
in their procedures to the outside world.

■ All banks surveyed reject the latest proposal from the EU Commission sug-
gesting the use of a top-down approach for calculating risk. Simple rule-of-
thumb approaches—such as the use of percentages of fixed costs to estimate
operational risk—do not meet with much approval, either. Fewer than 10 per-
cent of banks surveyed favor such an approach.

Despite the trend toward quantifying operational risk, only one-quarter of the
banks surveyed assume that operational risks will be modeled like market or cred-
it risks in the near future. Pragmatic solutions are generally finding more favor
than sophisticated VAR models. Nevertheless, some banks are currently working
on VAR concepts to set standards that will be accepted by the supervisory author-
ities.

In summary, determining operational risk represents one of the greatest risk

management challenges for banks. A step-by-step procedure should be chosen to
quantify operational risk because of the existing weaknesses associated with the
availability of data and mathematical modeling:

The Boston Consulting Group 29

 ■ First, operational risk can be roughly determined with self-assessment proce-
dures. A prerequisite is a standard definition of risk, measured as a bank-spe-
cific combination of specific-event and strategic business risks.

■ This basis should be used to build a loss database. Concepts for identifying
specific-event risks (bottom-up procedures) and estimating strategic business
risks (top-down procedures) need to be developed. Where internal loss data
and information on historical fluctuations in earnings do exist, operational
risk can be mapped using an earnings-at-risk approach. This, at least, makes
it possible to approximately allocate economic capital.

■ Finally, the earnings-at-risk approach needs to be translated into a value-at-

risk model. Although initial approaches have already been introduced, their
suitability in practice is still very restricted; more development is needed.
Should the effort succeed and an adequate historical basis of data be accu-
mulated, however, it will be possible to model operational risks like market
and credit risks. The allocation of risk capital to operational risk will then be
possible at all levels of the bank.

The timing of this process is inevitably defined by progress in the collection of

internal loss data. The first two stages at least should be fully implemented within
two years, but the first EAR may be calculated much earlier.

Adapting control procedures is a key component of operational

risk managements
Along with establishing suitable models for quantifying operational risk, banks
need to modify the existing control procedures to avoid or minimize the occur-
rence of the risk itself. New procedures may be necessary. The banks surveyed rec-
ognize this, as they place great importance on improving control procedures:

■ Many banks see the results of quantification as an indication only, and focus
on procedural controls.

30 The Boston Consulting Group

■ For cost reasons, only a few banks are beginning to apply the possibilities of
risk hedging through insurance offerings, and usually only to selected areas.
Yet many banks see this as a potential route for the future. The first product
offerings from some insurance companies have already met with significant
interest.

■ Nevertheless, functional and efficient control of operational risk is assessed

very highly because most of the banks expect guidelines to come from the
supervisory side. They assume that the authorities will issue guidelines on
how to recognize and continually control relevant risk drivers.

In short, optimizing control procedures is the key component in managing oper-

ational risk. Significant results can be achieved in a relatively short time. Great
patience is required, however, to completely revise and realign all control proce-
dures.

The Boston Consulting Group 31

 Principle 7: All types of risk should be
aggregated

Value management will succeed only if economic capital is allocated to those busi-
ness units that contribute most to improving corporate value. For this to be pos-
sible, all risks must be aggregated at the overall bank level.

Aggregating risk forms the basis for capital allocation

Aggregating all types of risk at bank level is the basic requirement for capital allo-
cation.

Our interviews show clear room for improvement in the aggregation of different
types of risk. Systematic aggregation occurs in fewer than half of the banks, and
of those that aggregate their risks, the overwhelming majority merely add up the
various types of risk or proceed according to rules of thumb. Only a few banks
take correlations into account when aggregating risk (see exhibit 7).

Most banks do not aggregate risk at the bank level

Overview of the spread of risk aggregation concepts

No aggregation
55%
Aggregation with
6% correlations

39%

Aggregation without
correlations

Exhibit 7 Source: BCG study

32 The Boston Consulting Group

The following should be considered when working toward a realistic aggregation
of risks:

■ Risk must be defined consistently—preferably in the sense of a value-at-risk

approach (see principle 3). At present, however, VARs can at best be gener-
ated for market risk, and, in some cases, with credit risk models as well.
Quantifying operational risks remains the greatest problem.

■ Unexpected losses or fluctuations in value should be seen in relation to a

standard confidence level and time frame. This applies to market risk itself
and also to drawing parallels between market and credit risk. The assump-
tions have to be standardized for market risk: daily or ten-day VAR?
Confidence levels of 95 or 99 percent? Also, agreement must be reached on
market and credit risks, since the confidence level for credit risk is usually set
to one year. The bank's standard confidence level (with a one-year time
frame) is geared toward the desired external target rating for most of the
banks surveyed. Exhibit 8 shows the relationship between the confidence
level and the external rating.

■ To aggregate the VAR figures for the three types of risk and to determine the
cumulative risk, the correlation among the types of risk must be recognized.
To date, however, there have been no definitive studies of these correlations.
The greatest problems are dependencies between operational risk and the
other classes of risk. Some of the banks surveyed have chosen a conservative
approach and assume a correlation of one. Conversely, other institutions
assume the different types of risk are independent. Thus, the value of the
overall risk is significantly reduced.

Besides the technical aspects—the question of the feasibility of calculating corre-

lations—one thing should not be forgotten: concepts have to remain manage-
able. For this reason, a robust determination of correlations is often preferable to
a mathematically exact calculation.

The Boston Consulting Group 33

 In summary, the ideal is to aggregate risk using the VAR approach. Until this goal
has been attained, banks should be working toward pragmatic, interim solutions
in subunits.

Confidence levels are directly related to the external rating

Example: Standard & Poor's

S&P's rating
AAA

AA

A
99.99
BBB 99.97
99.84
99.6
BB
98.4 99.0 99.6 99.84
Confidence level (%)

Exhibit 8 Source: BCG study

34 The Boston Consulting Group

Principle 8: A bank’s management
system should be based on economic
capital
Every bank's goal is to increase corporate value. To reach this goal, banks need to
manage individual business units as well as the bank as a whole on the basis of
value. But what does this mean in concrete terms? It means that capital must be
allocated to the individual business units according to the risk structures involved.

The starting point is the VARs, since economic capital is made available to the
business units on the basis of these values. Minimum rates of return must also be
met. It is indeed possible to translate bank goals into business-unit goals.

There is a yawning gap, however, between vision and reality: overall bank goals are
often broken down into business unit goals in an undifferentiated manner, so cap-
ital allocation is often not as efficient as it might be:

■ 45 percent of the banks surveyed—particularly in North America—stated

that they allocate economic capital to business units. RORAC and RAROC
are the standard metrics used for assessing risk and return.

■ For 55 percent of those taking part in the study, regulatory capital is still the
relevant capital allocation metric.

■ Capital allocation is usually restricted to market and credit risk. Operational

risk is taken into account only to a minor degree.

The most important prerequisite for capital-based value management is to define

one uniform economic capital concept for the bank, on which the target returns
are then based. If a capital concept is used consistently, unit results can be com-
pared with the bank's overall goals.

The Boston Consulting Group 35

 Of course, even if capital were allocated on an economic basis, the bank's regula-
tory requirements would have to be met. Or, to put it differently, the target is to
optimize returns on the allocated economic capital, subject to the secondary con-
dition that regulatory requirements must be complied with.

There are three possibilities for meeting both conditions:

■ Higher-of variant: economic capital is compared with regulatory capital, and

the larger of the two values is taken as the key.

■ Economic capital is the primary allocation key; regulatory capital is the sec-
ondary condition to be considered in individual cases.

■ Regulatory and economic capital are weighted within the allocation key.

The last variant is preferable if regulatory and economic capital differ greatly. (In
some cases, this could just be the result of an assumption of no correlation across
credit, market, and operational risk.) This is the only way to ensure that an ade-
quate rate of return on the fixed regulatory and economic capital is taken into
account. Since the regulatory concept is becoming increasingly similar to the eco-
nomic one, economic capital can be expected to become the prevailing allocation
key in the long run.

Ultimately, once there is a standard capital concept throughout the bank, the allo-
cation key has been defined, and the results of the risk aggregation are available,
capital may be distributed to the business units within the scope of the annual
plan. The original capital allocation may be amended throughout the year in
response to actual business trends. These changes will first be restricted to the
market risk sector, however, because most banks are currently unable to restruc-
ture their credit portfolios in the short term.

It is possible to measure portfolio effects approximately within the scope of capi-

tal allocation and then to allocate them to the business units. This approach is
rarely used, however, in practice because of the complexity and management dif-
ficulties involved.

36 The Boston Consulting Group

Principle 9: Employees must nurture a
risk-return culture

When comprehensive risk management systems are being introduced, the human
factor is at least as important as the technical. Not all procedures have been auto-
mated, and leeway remains for individual decisions. And that is a good thing,
because this is how differentiation arises.

The "correct" way to deal with risk is not confined to the old adage, "Loans should
be allocated as if your own money were involved." Although this saying might well
be true—and could be applied to the other risks as well—such an approach does
not go far enough. The risk has to be placed in the context of the return attain-
able on all activities and transactions. Both sides must be weighed carefully. This
involves making employees aware of the bank's aims, equipping them to act, and
motivating them.

The key here is to create a corporate culture in which the principles of avoiding
risk and generating returns are not diametrically opposed. Both have to be con-
sidered and employees need to be familiar with both to be able to assess the
opportunity for profit in relation to the associated risks. In concrete terms, career
planning should include activities that focus on sales as well as risk management.

But that is not all. Responsibilities must be clearly allocated and not distributed
among a number of committees, for instance. Simultaneous consideration of risk
and return must also be reflected in management and incentive policies. For
example, if in the lending business sales units are managed on purely return-
based figures and the credit department is assessed only according to provision
charges, the optimal risk-/return ratio will not be achieved.

The banks participating in the survey were clear on this point: even sophisticated
risk measurement procedures, decision-making processes, and structures cannot
compensate for deficits in the risk-return consciousness of employees.

The Boston Consulting Group 37

 The aim is obvious. Rather than a technocracy and a belief in figures, initiative
and a focus on the business, combined with a real awareness of risk-return ratios,
should predominate. What does this mean for risk management? It must set up
and develop guidelines, and it must enable employees to act within this frame-
work. Above all, risk management must ensure compliance with the guidelines.

38 The Boston Consulting Group

Principle 10: The concept in itself is
nothing: It is the application that
creates competitive advantage
How can all the requirements described here be met? Although the background,
resources, and goals differ from bank to bank, the procedure described below
gives a useful basic framework.

(1) Conducting a risk management audit

All efforts should begin with comprehensive analysis. In which areas (business
segments) is the bank active and in which regions? Thus, which risks are relevant
and to what extent? The answers determine the next steps, starting with an audit
of the existing risk management system, its strengths and weaknesses, and the
data available.

Moreover, in this first phase a general awareness of risk is stimulated and the basic
aims of risk management are defined. Is the system being established or restruc-
tured intended primarily to limit loss? Or is the purpose to optimize the
risk/return ratio? Are there other goals? The concept phase should be initiated
only after concrete objectives have been identified.

(2) Development of a risk management concept

During the second stage, the ground rules and components of the risk manage-
ment system have to be defined. Depending on the goals set in the preliminary
phase, this is a question of developing the appropriate approaches to market,
credit, and operational risk within the scope of recording and quantifying risk.
This includes both the individual transaction and the portfolio level.

To manage risk, banks must specify monitoring and control processes, define ade-
quate risk-return management systems, and describe and allocate clear responsi-
bilities.

The Boston Consulting Group 39

 Then the next steps to be taken must be determined. At what point should spe-
cific goals be attained? Focal points must be established when considering restrict-
ed resources—short-term milestones help to proceed toward the goals. Should
the real estate business be looked into first, or is it better to begin with investment
banking? How relevant are operational risks, and which ones should be tackled
first? Proceeding step by step helps you see the big picture and prevents you from
doing too much at once. A development plan should be drawn up to cover all
issues and dependencies to be addressed, as should a schedule for tackling them.

Just as important is communication with employees. All units concerned should

be involved in the process early. Simply presenting a finished concept to the
employees is not enough; their ideas should be solicited from the outset. This
ensures that the solutions developed will be understood and accepted later on.

(3) Implementation
Implementation can be started while the concept phase is still in progress. Solving
data problems for all types of risk should be emphasized. Even if the need to act
on credit and operational risks is the most pressing, the need for change in the
market risk sectors should not be underestimated. What is to be done?

■ Databases should be established for specific purposes. It is important to clar-

ify what kind of information is to be generated for which users, for which pur-
pose, and when. Useful data can be procured only on this basis.

■ Data already available internally and externally should be processed in line

with this model to improve the current situation as quickly as possible.

■ Prerequisites for an effective data warehousing system must be developed

along with the creation of sufficiently broad and deep databases: they should
be formulated in a way that guarantees the best possible use from the very
moment they go live. Existing internal bank systems should be adapted early
to interface with the data warehouse.

40 The Boston Consulting Group

The degree of standardization and the integration of the solutions used with the
existing IT infrastructure should also be decided upon. The more complex the
tasks, the earlier customized and independent procedures must be developed.

Once methods and IT solutions have been detailed, universal procedures deter-
mined, and responsibilities allocated, pilot schemes should be initiated even for
partial solutions. The knowledge and experience gained from this phase may be
used to make further improvements.

Step by step, the individual components are made operational. The decisive suc-
cess factor here is not how good or sophisticated the system is, but how well
employees use it to realize the bank's goals.

The procedure outlined is certainly an ideal one and many of the banks inter-
viewed did want to proceed in this manner. However, a greater number of insti-
tutions confessed that they had strayed from this concept because of daily opera-
tional demands. The consequences are fatal:

■ isolated, incompatible solutions,

■ budget and time overruns due to the high cost of integration,

■ figures that are only partially available and even then barely comparable, and

■ frustration among top management because the original goals are not being
met.

Almost no other important topic requires more patience during implementation.

Therefore, the creation of the risk management development plan is absolutely
critical. It addresses the expectations of individual units and persons. If imple-
mented correctly, it helps the bank realize the benefits of a risk management sys-
tem at an early stage. Above all, it ensures that the overall goal is always clear.
Then, and only then, the transition from risk taker to risk manager can be made
successfully.

The Boston Consulting Group 41

 Notes on the study
The results of our study are a product, on the one hand, of the international pro-
ject experience of The Boston Consulting Group in the risk management sector
and, on the other, of some 60 interviews conducted throughout the world. Those
interviewed included decision-makers from banks and selected risk management
software vendors.

Exhibit 9 shows the industry and geographic spread of those who participated in
the study.

The interviews were conducted between November 1999 and March 2000 by BCG
consultants who have many years of project experience in the field of risk man-
agement.

Overview of study participants

Participants by industry Participants by region

40

26
24

9 8
6
3

Investment Commercial Software Other Asia/ Europe North/South

banks banks vendors Australia America

Exhibit 9 Source: BCG study

42 The Boston Consulting Group

For further information, please contact:

Thomas Groß Andrew Cainey

Grüneburgweg 18 50 Raffles Place #44-02/03

60322 Frankfurt
GERMANY
Telephone: +49 69 9150-2192
Fax: +49 69 9150-2131
E-mail: gross.thomas@bcg.com
Singapore Land Tower
SINGAPORE 048623
Telephone: +65 429-2533
Fax: +65 226-2610
E-mail: cainey.andrew@bcg.com

© The Boston Consulting Group, 2001

The Boston Consulting Group

Amsterdam Brussels Dallas Jakarta Melbourne Munich Seoul Tokyo

Atlanta Budapest Düsseldorf Kuala Lumpur Mexico City New York Shanghai Toronto

Auckland Buenos Aires Frankfurt Lisbon Milan Oslo Singapore Vienna

Bangkok Chicago Hamburg London Monterrey Paris Stockholm Warsaw

Berlin Cologne Helsinki Los Angeles Moscow San Francisco Stuttgart Washington

Boston Copenhagen Hong Kong Madrid Mumbai São Paulo Sydney Zürich

BCG www.bcg.com