Is risk management really just a necessary evil?
by Max Marquardt, Managing Director, and Ron D’Vari, CEO, NewOak

NewOak is an independent financial services advisory firm built for today’s global markets. Led by a team of experienced market and legal practitioners, NewOak provides a broad range of services across multiple asset classes, complex securities and structured products for banks, insurers, asset managers, law firms and regulators, including financial advisory and dispute resolution, valuation, credit and compliance, risk management, stress testing, model validation and financial technology solutions. We have analyzed or advised on more than $4.5 trillion in assets to date.
Most seasoned finance risk managers will admit it: we live in a very different world than 20, 10 or even five years ago. Like most Wall Street practitioners, they will happily swap war stories of front offices refusing to share information or admit mistakes, of objects being thrown at them by irate traders, of painful meetings with managers asking that they simply “kick the tires” and think of the “good of the firm.”
These stories recall an era and a culture in which deal makers had a monopoly on influence and power. As many have no doubt witnessed in their own careers, questioning a successful trader’s strategy or methods often meant putting job security on the line. In other words, risk management was viewed as a necessary evil rather than the foundation of the financial system’s stability.
Former U.S. Treasury Secretary Hank Paulson once said at a July 2008 Senate Banking Committee hearing, “If you have a bazooka in your pocket and people know it, you probably won’t have to use it.” Now, one spectacular financial crisis later, regulators are beginning to realize they are the ones with the bazooka in their pocket. But despite progress in the formulation of new policies, the 2012 London Whale scandal remains a pointed reminder that new laws and regulations are insufficient by themselves. What is required is a change in the culture of Wall Street.
In a replay of “revenge of the nerds,” risk managers are now well-armed by regulators to impose more stringent oversight of front-office activities and risk taking. While it is too early to say the tables have turned, as one insider at a large bank observed, “Today, we are protected by the regulator, so we have earned credibility with the trading desk. They might not respect us, but at least they fear us.”
And this, in turn, has blurred perceptions of reporting lines. Who does the chief risk officer report to: the CEO and the board, or the regulators? If the answer is the former, then you are living in the old paradigm. If the answer is some combination thereof, you have to embrace the notion that their responsibility is not “only” to serve the interests of the shareholders. Some might argue that this is only a matter of semantics and that the regulatory link has always existed implicitly, but chances are that this will initiate a true shift in the culture of Wall Street, whether or not you believe it is necessary or that the Street’s competitiveness and ability to function will be affected.
Data Security Risks: Who Bears the Costs?
Data security violations are a serious and escalating concern for financial institutions, merchants and retailers, as they can destroy reputations and cause serious financial harm. With the extent and frequency of cyber attacks rising, a key question is who bears the ultimate costs and liabilities associated with these risks.
The Target and Home Depot cyber attack cases serve as representative examples. So far, the largest retailer data breach has been Home Depot, where a reported 56 million customer accounts were compromised over a period of six months. In the case of Home Depot, hackers used a unique and previously unseen technique to evade detection. With cyber attackers constantly inventing new approaches and malware to invade businesses and access critical customer information, businesses must adapt and evolve their protection schemes to maintain and re-establish security when breached.
The financial industry has been lobbying for federal action to establish national cyber-security standards. However, as of yet there is no comprehensive regulatory structure for retailers and merchants that store sensitive customer information within their systems.
Breached businesses should be responsible for promptly investigating the attack and reporting the findings to the appropriate agencies and to the parties affected. Currently, financial institutions are lobbying for national laws and regulations under which the costs of restoring security after a data breach are borne equitably by the breached entities and not just by the institutions issuing the cards. The rationale is that the entity best positioned to prevent sensitive data from being accessed illegally should be the party liable for breaches that occur. Also in question is who bears the burden of proving a lack of fault. Financial institutions now argue that the merchants/retailers have the responsibility to demonstrate that they took all necessary precautions.
In the meantime, everyone is treating cyber-security risks and liabilities as just another cost of doing business. As usual, the customers will bear the ultimate costs through higher fees, no matter who is initially liable.