The collapse of the US sub-prime housing market has exposed poor risk-management practices at some of the world’s most powerful financial institutions, blindsiding the banking sector and taking major finance houses down with it. The institutions affected were not small, second-tier local or regional banks. Senior executives lost their jobs at some of the world’s biggest institutions – Citigroup, Merrill Lynch and Bear Stearns.

This should never have happened, say analysts. The amount of risk to which banks were exposing themselves should have been caught in a filter before the situation could ever have developed. The large financial institutions should be secure to a systemic failure of this nature. They have highly sophisticated software to assess risk and armies of analysts to ensure they have enough core diversification to avoid the problems caused by sub-prime debt and collateralised debt obligations (CDOs), which have plagued the banking community since the summer.

Banks and lending institutions constantly balance risk and reward. Too high a price on loan products and you lose the customer; too low and you starve the profit margin or take a loss. Too much capital on reserve and you miss investment revenue; too little and you risk regulatory non-compliance and financial instability.

If risk management had been integrated into the front-end functions of financial institutions, as opposed to being an afterthought, things might have been very different, say observers.

Risk management is widely misunderstood. Product developers, fund managers and structurers say they find the risk-management function debilitating and limiting.

Risk managers, however, compare their role in managing risk to that of a co-driver in a cross-country rally. A company’s profits may be being driven by its banking expertise, but even the most skilled and competent banker needs a co-driver, or risk manager, to identify approaching hazards. Sadly, in parts of the financial services industry, a silo mentality still pervades and the two functions remain separated.

Policy paramount

A major misconception of risk is that it can be managed through technology. True, there is a whole industry devoted to banking risk management software. Misys, Sas, Pendo and Finacle Infosys all offer proprietary systems, while other organisations create bespoke risk-control software, such as Schroder’s Prism system.

However, technology can only be used to calculate a quantitative measure of risk, design charts and print a report. According to risk managers, the vital part of the process is the people who interpret data and apply it to the individual bank’s liabilities to develop a risk appetite that fits the strategic vision, direction and capacity of the institution.

“Systems are a tool, but policies are more important,” says Philip Stockburn, head of risk management at Bahrain-based Unicorn Investment Bank. “One needs a strong operational infrastructure where robust and meaningful policies underpin all the functions of the bank.”

This means that at the front end, there needs to be a risk management policy and manager guiding the hand of the person developing the bank’s assets, investing its money or structuring its products. If this is the case, and the policies outline in unambiguous terms what the bank’s risk appetite is, a crisis such as the CDO debacle should not surprise the bank, say risk managers. This is a reality for Goldman Sachs and a goal for Stockburn, who is implementing risk-management software at Unicorn.

“Risk management is a combination of qualitative and quantitative measures,” says Stockburn. “Yes, all banks have technology. However, risk management’s function is to use technology to flag problems, and then have the framework of policy to challenge all functions and debate with them whether it is in the bank’s interests to take on the risk that they are exposing the organisation to.”

There are three main risks for banks. Credit risk, or the risk of default, is a key threat to a bank’s stability. It was thought that with securitisation this risk could be offset. However, the fallout of the CDO debacle, where debt was packaged, repackaged, sold on and securitised – against assets that were worthless – has not acted to diversify risk.

Another risk to banks is asset price. This manifested itself over the summer in the falling house prices that started the domino affect of sub-prime mortgage foreclosures. As the price of property fell in the US, people found they were paying home loans on property that was worth less than they had paid for it. They were caught in a negative equity trap. When they could not pay and the banks foreclosed their loans, the properties were worth less than the outstanding loans. Sales of numerous properties further depressed property prices and banks and borrowers were caught in a vicious circle.

Finally, banks suffer from liquidity risk. This too manifested itself in the summer and is a continuing threat. As there was so much money outstanding, investment and wholesale banks became reticent to lend more. This starved the smaller, retail banks of liquidity. A bank with no access to money is in serious trouble. This liquidity crisis led to a run on the Northern Rock bank in the UK, while the US Federal Reserve intervened to prop up its own retail banking sector.

Reducing exposure

No computer system could protect banks from all three of these risks impacting at the same time. One of the few banks emerging relatively unscathed from the summer’s credit crisis was Goldman Sachs. Goldman has risk management in place as one of the pillars of its operation. According to the bank, its risk-management policy flagged up a concentration of CDO assets in the system and the asset and liability committee decided to hedge the exposure and sell down sub-prime exposures.

Gerald Corrigan, managing director in charge of risk management for Goldman Sachs, argues that his bank has “on balance, probably made money” and has had “a measure of success in hedging some of our exposure”.

Explicit loses in the Middle East were minimal. “Most banks have so far been immune to the sub-prime turmoil, except for Abu Dhabi Commercial Bank (ADCB),” says Walid Khalfallah, an analyst for Dubai-based HSBC Global Research.

In November, the bank reported that losses on its investment portfolio because of the sub-prime crisis reduced third-quarter profits by $19m. A recent HSBC report puts this at $77m. ADCB says this is an over-estimate.

“If conditions worsen further, it could impact on the banks as it restricts funding and therefore lending growth, as well as the overall cost of funding,” says Khalfallah.

In the Middle East, there is no sub-prime debt. All debt is prime, which served to minimise the impact of the credit crunch. Also, not many of the local banks are heavily involved in the derivatives and CDO business. However, the credit crunch is highly contagious, and a squeeze on liquidity is affecting the regional banks.

In the coming months, we will learn whether this stress testing of the risk management systems and policies of regional banks has created enough protection. The situation the banks find themselves in now is not a drill. The whole business of banking is risk. At the most basic level, it is a risk giving someone somebody else’s money. Will they pay it back? Can you make money for yourself and your investor?

With risk being the basic building block of banking, surely risk management should be the basic skill of all bankers? Sadly, as this summer has shown, somewhere along the way that has been forgotten.

Key fact

$480bn is the estimated maximum total losses as a result of the sub-prime lending crisis

Source: UBS