Message From the Senior Chairman

S&C Senior Chairman Rodge Cohen shares his thoughts on preventing the next great financial crisis.

The Great Financial Crisis of 2007-2008 requires policymakers, regulators and financial institutions themselves to focus—as never before—on the subject of risk. Excessive risk-taking at individual institutions and in the financial system as a whole helped drive the world’s financial system to the brink of collapse. The abyss was avoided only by courageous actions by a small number of individuals, which proved to be wildly unpopular politically, and by a large measure of luck.

Had we plunged into the abyss, the consequences could have extended beyond the financial system, and even our economic system, to political and social turmoil. Our socio-political system is built upon certain basic assumptions about our economic well-being and future promise. If those assumptions are rendered invalid, our political comity could be at risk. The demagogy of the 1930’s had many roots, but undoubtedly a principal one was economic desperation.

Even though the most dire systemic consequences were escaped, the suffering of millions of individuals was not. The ranks of the unemployed swelled to levels not seen for decades. The American dream of owning one’s home was dashed for millions more.

Even more recent events demonstrate that risk extends beyond poor credit decisions and the resultant losses on loans and investments. Practices that were negligent and in some cases shoddy have exposed banks to billions of dollars of losses as a result of government enforcement actions and private litigation. Even more damaging has been the reputational damage. The fines and settlements, as enormous as they have been, will be earned back within a few years. The reputation loss could take far longer to recover. 

As the last five years have demonstrated, risk must be addressed comprehensively, holistically and aggressively, and always with an eye to the future. It was not so long ago that all home mortgages, whatever the terms, were regarded as involving such low credit risk that they were assigned a risk-weighting 50 percent lower than other loans. Just three years ago, if you polled banks and their regulators as to the greatest risks, I doubt that anyone would have mentioned cybersecurity. Today, it would rate as among the top three on everyone’s list.

In addressing the subject of risk at financial institutions, there is a preliminary, but fundamental, question. Should the objective of the government and the financial institutions themselves be to eliminate risk or to control and manage risk? The devastating consequences of the risks incurred by financial institutions in recent years have led a number of observers to conclude that the objective should be risk-elimination. That goal, however, creates its own risk of damage to the bank customer populace and the economy as a whole.

In addressing this question, it is essential to understand that banks’ fundamental function is to take two basic types of risk in supporting their customers’ needs and the country’s economy.

The first is credit risk. Banks are the principal source of credit in this country and their credit-providing role is, of necessity, even greater where the borrowers, such as small businesses or consumers, lack access to the public credit markets or other credit sources. If banks seek to reduce credit risk by tightening credit standards, the inevitable result is less credit availability, particularly for smaller borrowers and those who do not have a demonstrated pristine credit record. To state it differently, if every loan were repaid in full, numerous good loans are not being made.

The second risk is maturity-mismatch risk. Depositors and other funders are seeking to place their money short term, while the credit needs of consumers and businesses are often intermediate and long term. Banks perform the role of converting liquid funds into less liquid assets. If banks seek to match assets and liabilities more closely, the consequence will be to reduce the longer term credit that businesses need to grow and consumers need for home-buying and other long-term expenditures.

There are other risks that banking organizations incur on behalf of their customers and that also benefit the economy. One example is underwriting. The benefits of underwriting to issuers of securities and to the markets are presumably beyond dispute. Our capital markets are still the envy of the world and have enabled our companies to expand, produce and hire. The underwriting system has developed to the point where risks are normally small and well-managed. Even the Volcker Rule recognizes that the economic benefits of underwriting outweigh the risks.

Undoubtedly, these key risks should be carefully managed, with robust capital and liquidity requirements, lending limits and strong underwriting and asset/liability risk management. Moreover, it is appropriate for the bank regulators to take an active role in assuring that these risks are appropriately managed. As the financial crisis demonstrated, if these risks spin out of control, banking organizations will no longer have the capacity to support their customers and the economy more broadly; indeed, if excessive risk-taking reduces credit availability, the economy can be put into a tailspin. It is precisely because of the centrality of banks to our country’s economy that they must take the precautions to be in a position to perform their role successfully.

In seeking to manage risk, however, it is essential to eschew simplistic solutions, which actually threaten to imbed risk rather than reduce it. For example, some observers argue that the banking system was much safer before there was substantial industry consolidation and product and geographic expansion, particularly following the Riegle-Neal Act of 1994 and the Gramm-Leach-Bliley Act of 1999, and that the largest banks should be broken up. This idea of a halcyonic past is refuted, however, by a clear-eyed view of what actually happened. Between 1982 and 1993, there was an extraordinary wave of failures, as approximately 2,300 depository institutions, including approximately 1,650 banks, failed. Nor were these failures limited to small banks. When Continental Illinois failed in 1984, it was not only the country’s seventh-largest bank, but had been widely lauded as one of the country’s most progressive and innovative banks. Other major failures included First Republic and Bank of New England.

In place of these simplistic approaches, it is hard work that requires conscientiousness and culture. I offer the following nine observations on developing effective risk management.

First, although both Congress and other regulators have appropriately focused on risk management, superior risk management cannot ultimately be legislated or regulated. It must be a function of a company’s own culture and commitment. To that effect, a financial institution’s board should be periodically asking the following basic questions:

  1. Are my company’s risk parameters appropriate? How do they correlate to reward?
  2. Do the company’s risk management personnel have the appropriate skills, expertise and independence to manage risk?
  3. Does the board itself have sufficient expertise and information to exercise its oversight role over risk?
  4. How can we as a board assure ourselves that the company is complying with the risk parameters we have approved?

Second, board-level expertise in effective risk management at financial institutions obviously requires knowledge of the particular risks encountered by the particular type of financial institution. This can create a dilemma because the persons with the most relevant knowledge are generally employed at other financial institutions, and there are significant restrictions under the Federal Reserve’s Regulation L and the Clayton Act on director and management interlocks between financial institutions. One, at least partial, answer to this dilemma would be to consider a higher maximum age limit for directors in order to take advantage of the expertise of retired financial executives and regulators.

Third, risk management must be enterprise-based rather than business-confined. Because of the numerous ways in which risk can be created and incurred, risk exposure to similar circumstances can exist in multiple business lines. This risk can only be evaluated from the top on an overall basis.

Fourth, the boards and management of financial services companies must understand one fundamental principle relating to risk. When a particular business line or unit is experiencing outsized growth in revenues or profits, that should be a clear warning signal and not just a cause for celebration. With all due respect, it is unlikely that one group of bankers is so much smarter than everyone else or has discovered some magic formula that explains their extraordinary performance. In most cases, the simple explanation is that these bankers have gone further out on the risk curve. If an athlete sharply improves his or her performance, there is a suspicion that the individual has taken steroids. Excessive risk is the steroids for financial institutions. 

Boards and management should insist on a thorough evaluation of the risks in any unusually high-performing business operation. An inability to understand what is often a complicated business strategy is a reason for more rather than less scrutiny.

Fifth, if a financial institution becomes aware of a likely or actual problem, particularly in the area of compliance, investigate it promptly and thoroughly. It is essential to avoid compounding the risk. The financial institutions that have gotten into the most trouble have often done so less because they flunked the underlying conduct and more because they flunked the investigation.

Sixth, a financial institution is placed at heightened risk when there is a vacuum of leadership. A board must recognize its obligation to provide for management succession, not only in the normal course but when the CEO is hit by the proverbial bus—which often happens when the CEO steps into a busy street without looking. In several high-profile cases, the CEO was dismissed because of a failure to control risk, but the company was placed in peril when many months elapsed before a successor was appointed. The institution was adrift during that interim period. Some CEOs have suggested that they have a sealed envelope dealing with succession locked in their desk drawer. I would suggest that boards also have that envelope, and the contents should be the result of careful evaluation.

Seventh, in a consolidating industry, the depth of the risk in acquisitions must be recognized and managed. This risk is not just a reduced EPS or ROE if the transaction does not pan out as anticipated. In recent years, a number of banks of all sizes have been sunk or nearly sunk by misbegotten acquisitions involving serious credit or other problems at the target. More recently, prior compliance violations at the target that come to light after the acquisition is consummated are providing no insulation or immunity for the acquiror. The adequacy of due diligence should trump every other consideration—including time and possible loss of the deal itself. 

An eighth risk that must be fully recognized is the implication of the current enforcement environment. The risk of a violation being determined by the regulators or law enforcement authorities has sharply increased, the response of the authorities to violations has become much more aggressive, and the authorities have been imposing monetary penalties that are literally exponentially greater than ever before existed. The potentially most threatening aspect of this new enforcement approach is the Department of Justice’s insistence that two banks—UBS and RBS in connection with Libor settlements—accept a guilty plea to a criminal charge, albeit by a small affiliate. The consequences of a guilty plea by a bank can be potentially life-threatening.

Financial institutions must understand—and respond to—this enforcement phenomenon, which shows no signs of abating and, indeed, may well continue to intensify. The regulators and law enforcement authorities are themselves under siege from legislators and the media. They are criticized for being insufficiently harsh and insufficiently diligent, and for failure to bring criminal charges against financial institutions and their executives. 

Ninth and last, but of perhaps most importance, the public and private sectors need to work collaboratively to develop constructive solutions to risk management. There are many complex problems that require nuanced and balanced responses, and those responses can be best shaped if multiple perspectives and knowledge pools are brought to bear. 

A predicate to this approach is collaboration within the financial industry itself. Furthermore, industry cooperation could be useful in enhancing the industry’s reputation. For example, the industry could develop guidelines in such areas as customer products and services and anti-money-laundering. In the long run, the issue should be whether the industry is benefitted, not whether a particular institution’s susceptibility is greater or less than its competitors.

In summary, achieving sufficient management and control over risk to prevent damage to the financial system, while minimizing the damage that this effort reduces credit availability and other productive bank services, should be of the highest priority. It requires a proactive approach and recognition that the search should be for solutions rather than villains.