Ahead of the Operational & Enterprise Risk Management Congress, we interviewed Daniel Ward the Head of CIB US Independent Review and Control at BNP Paribas.
Daniel, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
Hi Risk Insight readers! I am with BNP Paribas based out of New York. I am head of RISK Independent Review and Control for Corporate and Institutional Banking in the US which makes me responsible for both model validation and model governance. In addition I have a mandate to promote innovation within RISK and the institution as a whole.
I have worked in both the UK and the US in positions across Front Office Quantitative Research, Trading and Anti-Fraud prior to my current position. Prior to BNP Paribas I worked in IT and as a prop trader as well as an aborted and very short attempt at a career as a musician!
BNP Paribas, along with other significant FBOs formed an Intermediate Holding Company in July 2016 and this brought renewed focus on model risk and more broadly our enterprise risk framework. We have been focusing on the various modelling aspects implied by the IHC formation including CCAR, liquidity management and market risk capital as well as connecting the dots between a pre-existing model risk framework based out of Europe and our US requirements.
In regards to how the likelihood of risk is assessed, have you got any advice for risk professionals?
This is an area where we are all still learning and I do not think we can claim that current ‘best practice’ is where we want to be in five years. My advice would be that the more we bake broad risk identification and risk management into our firms’ DNA and our daily behaviors, the more readily we will be able to both easily and completely assess our risk as well as manage it.
Those of us involved in the driving seats of the risk identification and quantification space should keep in mind a clear vision of the future where all staff consider themselves ‘risk managers’ and as a matter of habit are both thinking about, reporting, and escalating all types of risks as they come across them. The institution language of risk (risk taxonomy) will be part of the conversational business parlance and consequently the weight of all the employees’ vigilance and experience can be ‘crowd-sourced’ to better assess risk impact and likelihood. Then, through committees, model documentation etc. it will be natural for the full spectrum of risks to be identified, surfaced and assessed.
I would add one more element which is even more optimistic and perhaps leans too much on my quant background. At most firms, when we seek to assign likelihoods and impacts to a risk, staff are expected to somehow choose a likelihood-loss pair out of the infinite spectrum of possible likelihood. Once they have consulted their SME and picked out a single pair of values their entire experience apart from this data point is discarded. I would prefer to see SMEs give some simple ‘curves’ (perhaps just a couple of points which can be interpolated). This way senior management or the board can decide what likelihood they want to interrogate and dynamically get a view of the magnitude of their risks at different thresholds.
Of course if you follow that thread the next step would be to figure out some kind of proxies for correlations between risks and then you have… an enterprise risk VaR model! I concede this is not happening tomorrow and perhaps never. But it’s a good thought exercise to appreciate how much data is lost between the SMEs and most firms risk ID process and also how difficult it is to combine the data points most firms currently request into something truly empowering to the board and decision makers.
In your experience, how can financial institutions best manage the identification of risk and quantifying risk? And what are the implications if either of these are done unsuccessfully.
In short we can best manage identification and quantification of risk through not only appropriate and properly executed policies and procedures for a robust risk ID process but also proper and meaningful use of these identified risks in the management of the firm. This is a regulatory requirement but it is also a logical goal we should all have to extract the maximal value from the work we must do anyway.
Speaking with my ‘Model Risk’ hat on I can speak from experience both of best practices internally and a repeated theme from our regulators which we hear at conferences etc. In many areas of modelling where you’re trying to manage a business area you must start but understanding your business and the nature of the risks. Only then can you model the balance sheet/revenue/risk etc. you seek to with confidence that you’re appropriately focusing your efforts and covering aspects you must.
Some concrete examples: if you’re building a PPNR forecast model for the CCAR exercise or perhaps a liquidity stress test model you better understand the financial and liquidity risks inherent in the businesses you’re modelling. And you better be able to demonstrate that your model captures those risks and their identified drivers. If you’re putting in place transaction monitoring for potential BSA/AML violations you will want to understand the client profiles you’re managing and the types of risks most prevalent for your customer profile in order to demonstrate that you are capturing an appropriate universe of transactions.
With these examples in mind the consequences of not undertaking this exercise effectively, or performing the exercise but not integrating the results into how you think about your businesses should be clear. You run the risk of the information you are using to make business decisions, manage risk and report to the board and external parties being incomplete or misleading.
At the Operational and Enterprise Risk Management Congress you will be speaking on your insight regarding – Utilizing stress testing and ERM as a function for increased risk identification across the enterprise. Why do you believe this is a key talking point in the industry right now and what can risk professionals gain from this insight?
I have addressed this somewhat in my comments above. To create a convincing stress test and associated narratives it is necessary to understand your businesses and risks in order to apply stress. If we cannot clearly demonstrate we understand our risks it means we cannot convincingly claim we have a meaningful stress test which could mean we fail CCAR which means we could have our dividends suspended. So this can cut right to the bottom line.
Stepping outside our day to day work of working in complex and large organizations and just thinking about running a business it would seem natural for investors or owners to want to know what risks we face and how much of a risk they really are. The large and interconnected nature of our institutions makes this doubly important for large financial institutions as our interconnectedness can (and has) imply interconnected, and sometimes therefore amplified, risks.
From a regulatory point of view you can see how clarity from the firms on their individual risks should allow the regulators to identify thematic issues that we may not be able to see ourselves which they can use to tailor their regulatory priorities to mitigate the likelihood and impact of the next major financial markets shock.
What does the future look like for the Model Risk Professional right now? And what changes or problems do you see in the horizon and theoretically, how would you tackle these?
Model risk professionals are still in the process of transitioning our firms from a series of reactive projects getting our universe of models identified and compliant with requirements to a more BAU mode. The regulatory focus in this space for the last few years has made this an exciting space but also a competitive and expensive one in terms of attracting and retaining the best talent. I expect to see firms looking at their current set ups and trying to scale the effort to the actual risk – somewhere the risk identification and quantification comes in. The next step, as with risk identification and quantification in general, is to bake model risk management info the firms DNA and through that release the pent up value in the process.