Three Lines of Defense Part 2

"Three Lines of Defense," Part 2

Presenter 2: Dr. Colin Lawrence, Bank of England
Risk, Control, and Culture: the Regulatory Approach

"We've become risk measurers rather than risk managers."

Failure of risk managers was to just measure VaR, without recognizing the context in which it was used. The first question should be "Is the business model sustainable."

"4th line of defense: the regulator." Concern for regulators is the safety and health of the entire financial system, *not* the particular firm.

Focus now is on the biggest risks to failure, whereas it used to be on dozens of different risks. Regulators used to have some tolerance for failure, but now it's zero tolerance.

The Bank of England is doing all these controls, but why aren't other firms doing this? Bank and insurers? Reason is an enormous moral hazard problem: when people are compensated for taking risks. Argument that regulators are needed to enforce risk governance.

Prior to 1960, banks made a stable 7%. When Nixon went off the gold standard, ROR went up to 20%, but with a great deal more volatility (almost 4x). Leverage went crazy. Securities became prevalent. "Re-aging" or "forbearance" might be good as a social value, but you need to build up reserves for the risk of default. Accounting conventions don't require this until there's an actual trigger of default.

Bank of England study on bank data: Found 85% of losses were from structured finance, distributed evenly between trading book and banking book. Bias to record profit in trading book and losses in banking book to avoid disclosing mark-to-market losses. Also note that all banks were essentially in the same investment market: real estate.

This tells us where reforms need to be made structurally. The branch model causes a lot of problems due to perverse incentives for branch managers. None of the governance discussed in the prior presentation were in place. He blames this on a principal agent problem: don't want to disclose, don't want to know.

Lack of IT integration means poor data. Poor data means poor risk management. Good data management needs to be understood and accepted as an essential part of the business - it's a cost of doing business. Book "Why People Cheat" by behavioral economist Dan Ariely talks about how people become institutionalized into not reporting thoroughly and promptly. [KR: I believe he means this book.]

Boards are not in a position to really do their jobs. Most Boardmembers are on multiple Boards; it's not possible that they are able to really understand everything they need to in order to do their jobs. Which firms did well? Mostly those with Boards that are on top of things. Setting limits doesn't actually help; banks just move things around to achieve the ROE in "limit arbitrage." He also notes that controllers are often ignored (and paid very little compared to those taking the risks.)

See slide 13 for a list of what he as a regulator wants each firm to demonstrate to him. Particularly interesting point to me is the emphasis on counter-cyclical resilience. Strikes me as highly applicable to insurance.

Because regulators will no longer tolerate failures, it's important that firms understand the conditions under which they will be resolved. *Not* looking at static values, *not* accounting values. Dynamic analysis of market values under many scenarios. "Ring fencing" means isolating certain business segments or units when things go south. "Contingent capital": regulator decides when it becomes a put option rather than the investor.

Recommends having a diverse jury on the Risk Committee.

Slide 23 shows how they did the bailout in UK. Notes the poor econometrics (he went to UChicago; hurray Maroons!)

End Part 2.