Академический Документы
Профессиональный Документы
Культура Документы
Summary 5
In spite of challenging conditions and the evident need for change, many banks
are still hesitating to put a comprehensive risk management system into practice.
Particularly in the area of risk management, there is a notable lack of clear con-
cepts and well-articulated strategies. Risk management can no longer be consid-
ered in isolation. Together with portfolio management, it is an integral part of the
bank management system. It permeates all steps of the value chain. And above all,
it is a factor essential for sustainable, successful shareholder value management.
The Boston Consulting Group has long recognized the importance of a compre-
hensive risk management system. On the strength of many years of consulting on
international projects, BCG wants to help promote the development of risk man-
agement. The BCG concepts described here can help guide banks on the path
from "risk taker" to "risk manager" and thereby provide one of the main ingredi-
ents for success in the banking business of the twenty-first century.
We have formulated ten principles that outline one possible path to a consistent
and efficient risk management system. It is a path strewn with obstacles and one
that demands endurance, but it also leads directly to the goal. Although other
strategies may be equally successful, our ideas have been tested extensively in the
real world. In our study, which included some 60 leading banks and risk manage-
ment software vendors, we analyzed the state-of-the-art of risk management in the
banking industry.
We hope that what follows piques your interest, and we wish you every success with
your risk management plan!
Principle 10: The concept in itself is nothing: It is the application that creates
competitive advantage
BCG undertook a global study to show the extent to which banks have developed
risk management systems. The result was disheartening! Barely 5 percent of the
banks surveyed can be classified as risk managers, whereas a good two thirds still
see themselves as risk takers. The remainder, about 30 percent of the institutions
interviewed, are currently transforming themselves.
In conclusion, this change will become no less urgent in the next few years. The
banks that begin the (unavoidable) restructuring early and recognize the impor-
tance of a comprehensive risk management system will be in the best position to
respond to future demands.
The competitive landscape in the banking industry is changing rapidly. The con-
cept of the "universal bank" is being abandoned in favor of a growing tendency to
focus on selected business sectors and product segments.
The trend away from traditional, longer-term lending and toward off-balance-
sheet business is accelerating. Understanding and structuring risk is becoming
ever more important, and active portfolio management is replacing the tradi-
tional buy-and-hold approach.
The bank's internal ability to actively handle risk is quickly growing in impor-
tance. New target measurements are being introduced for risk management:
strategies are increasingly influenced by a risk-return-oriented optimization of the
portfolio and the allocation of economic capital.
Our study identified clear regional differences. In North America and Australia,
banks are concentrating on risk management primarily to enhance their com-
petitive positions. In Europe, in Asia, and particularly in South America, however,
■ The hot topic in Europe, and in Germany in particular, of whether and how
to accept internal ratings and the associated regulatory capital backing is not
an issue for the North American banks questioned. This problem appears
almost negligible to them because they have a broader base of externally
rated companies. Moreover, North American banks have already begun trad-
ing debt from the segment of small and medium-sized companies as well as
from retail customers. There are also a significant number of customers in
the portfolios of American banks, however, that are not rated by external
agencies. This is likely to cause problems similar to those experienced in the
rest of the world.
Regulators
Competition Regulators
North America -
40% South America -
60% Europe ( ) ( )
Asia ( ) ( )
Australia
-
Competition
Accordingly, banks should not restrict current discussion to simply fulfilling reg-
ulatory requirements. Rather, they should focus on building competitive advan-
tage through risk management.
The conclusion: credit risk is and will continue to be the most important risk cat-
egory in the future, but operational risks will gain in importance. The results sup-
port this conclusion:
■ More than 50 percent of banks surveyed described credit risk as the most
important risk category (see exhibit 2).
■ More than 30 percent of banks ranked credit, market, and operational risks
as equally important.
■ Fewer than 5 percent of banks surveyed described market risk as the decisive
risk factor.
Those surveyed feel that the management of operational risk will play an increas-
ingly important role. Managing this type of risk in particular presents the institu-
tions with a special challenge.
Credit risk by far the most important risk category for banks
Credit risk
52%
10% 5%
3%
Operational risk
General Market
investment risks risk
Exhibit 2 Source: BCG study
Figures for profitability and growth may, for example, be combined using the
"delta added value on equity" (DAVE) concept developed by BCG (see exhibit 3).
It is defined here as a measure of the change in added value on equity, and it
can be used as the central internal measure of value added.
Cost of Profitability
capital
Economic Economic
capital 1 capital 2
Empirical analysis by BCG has shown the suitability of DAVE for measuring the
development of corporate value. There is a high correlation with the (relative)
total shareholder return (RTSR; see exhibit 4), which is decisive for the share-
holder. The RTSR is an indicator of a stock's performance in relation to that of a
corresponding stock index.
For the best possible use of DAVE as a management metric, it is vital that there be
a standard, value-at-risk-based definition of RORAC and economic capital
throughout the bank. All essential types of risk must be recorded for this.
DAVE
RTSR (%)
R2 = 55%
30
20
10
-10
-20
-4 -2 0 2 4 6
Average DAVE (%)
Source: BCG database; BCG analysis Exhibit 4
Risk management in this sense is active rather than reactive, and it affects all trans-
actions and processes within a bank. It affects traditional counter transactions at
retail branches and global investment banking alike. A risk management system
of this sort must also rise to the challenge of realizing two basically opposing
goals—requirements specific to the business unit must be taken into account, and
a standard framework for comparisons between the different business units must
be guaranteed.
Risk management runs both vertically and horizontally across a bank. Vertical uni-
versality refers essentially to uniform, interrelated procedures and controls.
Horizontal universality, on the other hand, describes the comparability of indi-
vidual business units, using predetermined and clearly defined metrics. The
banks that can bridge this gap have laid the cornerstone for an efficient,
bankwide management system and a successful value management approach.
The DAVE concept clearly demonstrates the significance of risk management for
a value-based bank management system. A prerequisite is one uniform way of
viewing risk within a bank. But which definition of risk is the most appropriate?
As active portfolio management increasingly replaces traditional buy-and-hold
strategies, value-based risk assessment in the sense of a value-at-risk (VAR)
approach seems most suitable.
The VAR here is defined as a measure of the possible negative change in the
market value of an asset with a given confidence level and within a certain time
frame.
Our study shows that one cannot yet speak of a uniform risk definition, however.
Most banks still have far to go in this regard as is demonstrated by the following:
No standard
definition
Source: BCG study Exhibit 5
■ A standard definition has not yet been established for operational risk—only
a few banks are geared to VAR.
■ In the next step, the risk evaluation method should be standardized among
the business units—if necessary, as an interim solution, e.g., on the basis of
an earnings-at-risk (EAR) approach. EAR is defined as a measure of the pos-
sible negative deviation from the expected earnings (with a given confidence
level and time frame). The advantage of the EAR is that it requires fewer data
than VAR. All types of risk can be assessed using EAR, and this allows a first
comparison between different business units and types of risk. This compari-
son, however, fulfills the requirements of portfolio management and capital
allocation only to a limited extent.
■ Having a value-based VAR concept is still the goal for a standard definition of
risk within a bank. Only then will it be possible to compare market, credit,
and operational risks.
■ More than 60 percent of those banks surveyed use a VAR approach to quan-
tify credit risk in the large corporate sector and to determine how much indi-
vidual borrowers contribute to the institution's total portfolio risk.
■ All study participants in North America, Australia, and Japan employ a VAR
approach. In Europe, only about 50 percent do. In South America, VAR con-
cepts are barely applied. The significant regional difference in the spread of
VAR concepts can be explained mainly by data problems.
■ In the large corporate customer portfolio, the risk models developed by KMV
(Kealhofer/McQuown/Vasicek, San Francisco) and RMG (RiskMetrics
Group, New York) are most frequently used.
■ Of the banks yet to use VAR concepts, some 50 percent are planning to intro-
duce such a model within the next 18 months.
It is true that risk hedging and loan trading, for example, are generally possible
at the individual transaction level without VAR models (provided there are exter-
nal ratings), but the greatest efficiency in portfolio management and pricing can
be achieved only if VAR models are used. These models are also creating the pre-
requisites for the value-based allocation of economic capital. Here, it is important
for the leading models to be able to handle earnings at risk as well as value at risk.
So what should banks be doing? On no account should they wait any longer to
adopt such models for their large-corporate-customer business. In addition, expe-
rience can be collected for applying credit-risk VAR models to other client groups
as well.
VAR models can be applied to small and medium-sized companies and retail cus-
tomers. Our study revealed clear limitations to this approach, however:
■ Internal and external historical data are not really available, which means
that an important prerequisite is missing.
■ U.S. banks are the exception, because they have a broader base of data on
small and medium-sized companies at their disposal. Why? Even within this
group, there is a greater proportion of externally available data because more
of the companies are listed on a stock exchange. In addition, U.S. banks
began constructing internal databases early. In Europe, only Scandinavian
banks possess databases that are in any way comparable. (These were set up
in response to the banking crisis in the early nineties.)
The extent to which VAR models from the large-customer segment can be applied
to small and medium-sized companies and retail customers has to be tested for
each institution. Certainly, a complete transfer is not possible, but there are good
interim solutions. Until a new, sufficiently large historical database is built up,
internal ratings can be compared with external references. And in the retail sec-
tor? Even if there is no real data history here, robust VAR models can still be devel-
oped at the portfolio level.
■ Banks are mainly concerned about the lack of data in the lending business
with small and medium-sized business clients. Things are no better with retail
customers. Why is this so? On the one hand, there is relatively little internal
data, and there is little to be learned from external information sources. On
the other hand, data warehousing concepts are not widespread. Much more
information is available in the large-customer business, especially in view of
the larger number of publicly traded companies.
■ With the exception of U.S. banks, all participants in the study regret the low
levels of secondary market liquidity for credit risks. The use of loan trading,
credit derivatives, and asset-backed securities (ABS) transactions is restricted
by a lack of standards for estimating risk, for pricing, and for formulating
agreements. Current developments such as the founding of electronic mar-
ketplaces (such as Creditex and Loantrade) promise increased liquidity.
■ Although comparability and the negotiability of risk are taken for granted in
the large-customer segment (there is a broad base of external ratings here),
the situation is somewhat different for small and medium-sized companies
and individuals, for whom only internal ratings are usually available. Since
these do not conform to any norm, trading and hedging credit risk are
restricted to individual agreements between risk vendors and purchasers.
■ Banks, however, are still far from having a standard internal rating system.
Even if Basel II has recently breathed new life into the topic, the discussion
has essentially not progressed. There is still great uncertainty about the exact
requirements: contents and ratios for internal rating systems are disputed.
Nor is it clear when there might be acceptance from national supervisory
bodies, and what room there is in national law for implementation. Generally
speaking, we can assume that, even in the future, it will not necessarily be pos-
sible to fully compare internal ratings, although this is essential for the
improved negotiability of credit risks.
■ One solution might be for banks to mutually approve each other's rating sys-
tems, thereby defining a market standard. The validity of "compromises"
reached would be guaranteed through the regulatory powers of the market.
This concept is currently being discussed intensively throughout Europe, and
Once the rating problem is solved, we can assume that the liquidity of secondary
markets for credit risks will increase considerably. Several things have to happen,
however, before that point is reached.
■ Limit setting is still done mainly in the traditional way. Nominal limits are set
by region, industry, or individual borrower.
In the short term, considering VAR within pricing processes and the allocation of
VAR limits are feasible options only in the large-customer business. Interim solu-
tions are needed for small and medium-sized corporate and retail customers:
■ First, at least the expected risk should be accounted for in pricing decisions
for all customer segments. This can be achieved via the standard cost-of-risk
scheme. In addition, limit setting should be linked with concrete risk meas-
ures and guidelines for credit policy. Cluster risks may be restricted, for exam-
ple, by using a pragmatic combination of customer, industry, and regional rat-
ings.
■ In the next stage, the cost of capital should be taken into account at the indi-
vidual transaction level on the basis of VAR calculations. In this way, unex-
pected risks should be covered by the pricing process.
■ In the final stage, portfolio effects are considered. This means that the cost
of capital for what each individual transaction contributes to the portfolio
VAR is brought into the equation. Thus, pricing reflects only the "marginal"
VAR.
■ Traditional loan departments will become internal rating agencies. They will
be fully responsible for determining the risk for each individual transaction.
They will not decide, however, how a transaction will be concluded.
With a consistent market-risk management system, market risks are defined across
all product types in a standardized, and therefore comparable, manner. All for-
ward-looking aspects are taken into consideration, and appropriate monitoring
and management procedures are implemented. Most banks are still far from
achieving this ideal. The challenge consists in progressing from simply measuring
to actually managing market risks.
Although our study shows that most banks use sophisticated market-risk models,
their development is far from complete:
■ One element that is often lacking is the conversion of VAR metrics for dif-
ferent product lines to one standard measurement. This is needed to calcu-
late portfolio VARs and to aggregate risk within the context of capital alloca-
tion.
■ Only a small minority of banks use VAR models for all product lines. In addi-
tion, the systems are usually restricted to the trading sector. Also, interest risk
is in the bailiwick of the Treasury, and is often considered separately.
■ There is also a need for adaptation with respect to modeling issues. New VAR
models will be guided by the future development of risk to a greater extent
The fact that market risk cannot be fully mapped has less to do with quantifica-
tion than with problems associated with data warehousing. Efforts to capture and
model relevant data have already caused many headaches. An efficient data ware-
housing system is rarely achieved; data validation, preparation, and administra-
tion are still in their infancy. Existing VAR concepts must be transferred logically
to all product lines to record the full extent of the market risk, and banks must
create the technological prerequisites for this as quickly as possible. Moreover,
procedures have to be developed to compare the VARs of individual risk/product
categories.
■ Limits are still set mainly through the allocation of notional limits. VAR lim-
its have subordinate significance, as do stop-loss limits.
■ Limit setting is uniformly determined with respect to neither the type of limit
nor to the allocation of limits to organizational units.
This means that, within individual banks, part of the market risk is managed on
the basis of VAR limits. The other part is managed on the basis of notional limits
or of both types of limits together. In addition, these limits are reduced to the
individual trader or customer level in many product sectors; in others, only down
to the departmental or desk level.
■ Some 20 percent of banks do not yet have an approach for managing opera-
tional risk but are developing in-house solutions to quantify it. Many have
already begun collecting data on internal loss events. All other banks are
awaiting regulatory guidelines.
Self-
assessment
Waiting for
regulatory 70%
guidelines
20%
60% Deployment Rule of
thumb
20% 30%
Concept design
phase
■ All banks surveyed reject the latest proposal from the EU Commission sug-
gesting the use of a top-down approach for calculating risk. Simple rule-of-
thumb approaches—such as the use of percentages of fixed costs to estimate
operational risk—do not meet with much approval, either. Fewer than 10 per-
cent of banks surveyed favor such an approach.
Despite the trend toward quantifying operational risk, only one-quarter of the
banks surveyed assume that operational risks will be modeled like market or cred-
it risks in the near future. Pragmatic solutions are generally finding more favor
than sophisticated VAR models. Nevertheless, some banks are currently working
on VAR concepts to set standards that will be accepted by the supervisory author-
ities.
■ This basis should be used to build a loss database. Concepts for identifying
specific-event risks (bottom-up procedures) and estimating strategic business
risks (top-down procedures) need to be developed. Where internal loss data
and information on historical fluctuations in earnings do exist, operational
risk can be mapped using an earnings-at-risk approach. This, at least, makes
it possible to approximately allocate economic capital.
■ Many banks see the results of quantification as an indication only, and focus
on procedural controls.
Value management will succeed only if economic capital is allocated to those busi-
ness units that contribute most to improving corporate value. For this to be pos-
sible, all risks must be aggregated at the overall bank level.
Our interviews show clear room for improvement in the aggregation of different
types of risk. Systematic aggregation occurs in fewer than half of the banks, and
of those that aggregate their risks, the overwhelming majority merely add up the
various types of risk or proceed according to rules of thumb. Only a few banks
take correlations into account when aggregating risk (see exhibit 7).
No aggregation
55%
Aggregation with
6% correlations
39%
Aggregation without
correlations
■ To aggregate the VAR figures for the three types of risk and to determine the
cumulative risk, the correlation among the types of risk must be recognized.
To date, however, there have been no definitive studies of these correlations.
The greatest problems are dependencies between operational risk and the
other classes of risk. Some of the banks surveyed have chosen a conservative
approach and assume a correlation of one. Conversely, other institutions
assume the different types of risk are independent. Thus, the value of the
overall risk is significantly reduced.
S&P's rating
AAA
AA
A
99.99
BBB 99.97
99.84
99.6
BB
98.4 99.0 99.6 99.84
Confidence level (%)
The starting point is the VARs, since economic capital is made available to the
business units on the basis of these values. Minimum rates of return must also be
met. It is indeed possible to translate bank goals into business-unit goals.
There is a yawning gap, however, between vision and reality: overall bank goals are
often broken down into business unit goals in an undifferentiated manner, so cap-
ital allocation is often not as efficient as it might be:
■ For 55 percent of those taking part in the study, regulatory capital is still the
relevant capital allocation metric.
■ Economic capital is the primary allocation key; regulatory capital is the sec-
ondary condition to be considered in individual cases.
■ Regulatory and economic capital are weighted within the allocation key.
The last variant is preferable if regulatory and economic capital differ greatly. (In
some cases, this could just be the result of an assumption of no correlation across
credit, market, and operational risk.) This is the only way to ensure that an ade-
quate rate of return on the fixed regulatory and economic capital is taken into
account. Since the regulatory concept is becoming increasingly similar to the eco-
nomic one, economic capital can be expected to become the prevailing allocation
key in the long run.
Ultimately, once there is a standard capital concept throughout the bank, the allo-
cation key has been defined, and the results of the risk aggregation are available,
capital may be distributed to the business units within the scope of the annual
plan. The original capital allocation may be amended throughout the year in
response to actual business trends. These changes will first be restricted to the
market risk sector, however, because most banks are currently unable to restruc-
ture their credit portfolios in the short term.
When comprehensive risk management systems are being introduced, the human
factor is at least as important as the technical. Not all procedures have been auto-
mated, and leeway remains for individual decisions. And that is a good thing,
because this is how differentiation arises.
The "correct" way to deal with risk is not confined to the old adage, "Loans should
be allocated as if your own money were involved." Although this saying might well
be true—and could be applied to the other risks as well—such an approach does
not go far enough. The risk has to be placed in the context of the return attain-
able on all activities and transactions. Both sides must be weighed carefully. This
involves making employees aware of the bank's aims, equipping them to act, and
motivating them.
The key here is to create a corporate culture in which the principles of avoiding
risk and generating returns are not diametrically opposed. Both have to be con-
sidered and employees need to be familiar with both to be able to assess the
opportunity for profit in relation to the associated risks. In concrete terms, career
planning should include activities that focus on sales as well as risk management.
But that is not all. Responsibilities must be clearly allocated and not distributed
among a number of committees, for instance. Simultaneous consideration of risk
and return must also be reflected in management and incentive policies. For
example, if in the lending business sales units are managed on purely return-
based figures and the credit department is assessed only according to provision
charges, the optimal risk-/return ratio will not be achieved.
The banks participating in the survey were clear on this point: even sophisticated
risk measurement procedures, decision-making processes, and structures cannot
compensate for deficits in the risk-return consciousness of employees.
Moreover, in this first phase a general awareness of risk is stimulated and the basic
aims of risk management are defined. Is the system being established or restruc-
tured intended primarily to limit loss? Or is the purpose to optimize the
risk/return ratio? Are there other goals? The concept phase should be initiated
only after concrete objectives have been identified.
To manage risk, banks must specify monitoring and control processes, define ade-
quate risk-return management systems, and describe and allocate clear responsi-
bilities.
(3) Implementation
Implementation can be started while the concept phase is still in progress. Solving
data problems for all types of risk should be emphasized. Even if the need to act
on credit and operational risks is the most pressing, the need for change in the
market risk sectors should not be underestimated. What is to be done?
Once methods and IT solutions have been detailed, universal procedures deter-
mined, and responsibilities allocated, pilot schemes should be initiated even for
partial solutions. The knowledge and experience gained from this phase may be
used to make further improvements.
Step by step, the individual components are made operational. The decisive suc-
cess factor here is not how good or sophisticated the system is, but how well
employees use it to realize the bank's goals.
The procedure outlined is certainly an ideal one and many of the banks inter-
viewed did want to proceed in this manner. However, a greater number of insti-
tutions confessed that they had strayed from this concept because of daily opera-
tional demands. The consequences are fatal:
■ figures that are only partially available and even then barely comparable, and
■ frustration among top management because the original goals are not being
met.
Exhibit 9 shows the industry and geographic spread of those who participated in
the study.
The interviews were conducted between November 1999 and March 2000 by BCG
consultants who have many years of project experience in the field of risk man-
agement.
40
26
24
9 8
6
3
Atlanta Budapest Düsseldorf Kuala Lumpur Mexico City New York Shanghai Toronto
Berlin Cologne Helsinki Los Angeles Moscow San Francisco Stuttgart Washington
Boston Copenhagen Hong Kong Madrid Mumbai São Paulo Sydney Zürich
BCG www.bcg.com