It should not come as a particular surprise that the OCC, FDIC, and Federal Reserve are moving toward "supervision by risk" programs. The management M in CAMEL (Capital adequacy, Asset quality, Management, Earnings, and Liquidity) now dwarfs the other CAMEL elements as the key to safety and soundness. Banking is a business of risk, and a strong bank requires strong management of all types of risk. Broadening the definition of risk and making competence in risk management the key component of the M in CAMEL is new. This approach to regulatory supervision goes beyond credit risk to look at a total of nine categories:
1. Credit risk from a debtor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed.
2. Interest rate risk from movements in interest rates.
3. Liquidity risk from a bank's inability to meet its obligations when they come due without incurring unacceptable losses.
4. Price risk from changes in the value of portfolios of financial instruments.
5. Foreign exchange risk from movement of foreign exchange rates.
6. Transaction risk from problems with service or product delivery.
7. Compliance risk from violations or nonconformance with laws, rules, regulations, prescribed practices, or ethical standards.
8. Strategic risk from adverse business decisions or improper implementation of those decisions.
9. Reputation risk from negative public opinion.
Of course, all these factors were, more or less, always a part of the regulators' approach to evaluating management. They simply were not explicitly defined. But a more formalized and specific management evaluation would be a good idea even if it were not part of the regulatory process. The new structure of the banking - and financial services - industry requires a fresh approach to managing the large institutions that are being created and demands a new basis for boards of directors to use in assessing management.
The new, diverse bank organizations - large and small - must manage increasingly complex and diverse risks through centralized controls and policies while, at the same time, enabling responsive decisions to be made close to the marketplace. Responsiveness is the hallmark voiced in the often-heard strategy "be big, but act small." This strategy brings all the qualities, services, and skills of a large bank to the customer in an intimate fashion. The new banks are learning that executing this strategy requires a fresh management approach across the board - data-based decisions, leadership, empowerment, and appropriate loose/tight controls, to name a few. Comprehensive risk management skills will be an important and urgent management talent necessary for implementing this strategy.
Managing Complexity and Diversity
It is no longer possible for the chief executive officer (CEO) of a truly large bank to have intimate and direct knowledge of the bank's risks. CEOs often believe that they have this knowledge by relying on what they are told by direct reports. This can be, and often is, an illusion. Today, most CEOs properly rely on individual managers to control and know the risk in their areas. This reliance would appear to be the good management practice of delegation.
But risk is often unconsciously built into the way the business is run. So it may be assumed that if the business is running well, its risks are properly controlled. However, this assumption is wrong. Unanticipated risk is what is usually deadly. And in many circumstances, the true risk inherent in the business is rarely expressed, understood, or measured. But, of course, it needs to be.
CEOs tend to trust certain managers more than others and are willing to let these managers take on more risk, regardless of the inherent, and usually unmeasured, risk of the business. Doubling the volume of an inherently risky business is not necessarily sound, even when the manager of that business is trusted, seen as an expert, and highly competent. …