Governance, Risk Management, and Risk-Taking in Banks

One might be tempted to conclude that good risk management in banks reduces the exposure to danger. However, such a view of risk management ignores that banks cannot succeed without taking risks that are ex ante profitable. Consequently, taking actions that reduce risk can be costly for shareholders when lower risk means avoiding valuable investments and activities that have higher risk. Therefore, from the perspective of shareholders, better risk management cannot mean risk management that is more effective at reducing risk in general since reducing risk in general would mean not taking valuable projects. If good risk management does not mean low risk, then what does it mean? How is it implemented? What are its limitations? What can be done to make it more effective? In my article, Governance, Risk Management, and Risk-Taking in Banks, which was recently made publicly available on SSRN, I provide a framework to understand the role, the organization, and the limitations of risk management in banks when it is designed from the perspective of increasing the value of the bank for its shareholders and review the existing literature.

Since an increase in risk can enable a bank to invest in assets and projects that are valuable but it can also lead to a loss in value because it can make financial distress more likely, there is an optimal amount of risk for a bank from the perspective of its shareholders. A well-governed bank will have processes in place to identify this optimal amount of risk and make sure that the bank’s risk does not differ too much from this optimal amount. Theoretically, the bank’s problem is simple: it should take any project that increases its value, taking into account the costs associated with the impact of the project on the bank’s total risk. Practically, the bank’s problem is difficult because risk-taking decisions are made all the time throughout the bank and each decision affects its probability of financial distress to some degree. As a result, risk-taking decisions cannot be evaluated in isolation but must be assessed in terms of their impact on the overall risk of the bank.

In principle, if there is an optimal level of risk for a bank, the cost of taking on a new risk that increases the bank’s total risk should be traded off against the potential gain from taking the risk. When risk-taking is decentralized, the tradeoff between how a project’s risk contributes to the bank’s aggregate risk and its expected return cannot be made in real-time for most risk-taking actions. Instead, a short cut is needed, which is to focus on risk separately and manage the overall amount of risk of the bank. Focusing separately on risk has the potential to destroy value if not done well when it leads the bank to reject projects that are valuable for the institution despite their risk. There is no simple recipe that enables a bank to measure and manage risks better. For risk-taking to maximize shareholder wealth, a bank has to have the right risk management but also the right governance, the right incentives, and the right culture. An organization of risk management that is optimal for one bank may be suboptimal for another. Independence of the risk management organization in a bank is not a panacea as excessive independence can make it harder for the risk management organization to assess risks correctly. Ultimately, the success of risk management in performing its functions depends on the corporate environment and its ability to shape that environment.

In a well-run and well-governed financial institution, the person who is responsible for managing risk is the CEO, not the chief risk officer (CRO). The CEO manages the institution’s risk within parameters defined by the board, which state the institution’s risk appetite. The role of the CRO and of the risk organization is to enable the institution and the CEO to make value-increasing risk choices and avoid value-decreasing risk choices. However, the tools of the risk management organization have intrinsic limitations and their reliability is easily overstated. Some risks are not subject to reliable quantitative assessments and aggregating all risks within an institution to obtain a firm-wide measure of risk is fraught with perils and difficulties. I discuss a number of the difficulties that arise in measuring the aggregate risk of a financial institution. Though a system of risk limits is essential for good risk management, such a system cannot be effective if an institution does not have appropriate governance, incentives, and culture. I show how culture can play an essential role in the success of risk management within an organization and discuss obstacles in changing an institution’s culture.

The full paper is available for download here.