"JPMorgan Loses $2 billion-$3 billion from Trading Activities"—This is the newest in a string of high-profile headlines describing significant trading losses at major financial institutions. And, the losses at JP Morgan Chase (JPMC) are increasing as we speak, and may top $7 billion.1 As with the others, this most recent big-bank loss call into question the notion that the large banks have strengthened their risk management capabilities in the post-Great Recession world. JPMC was supposed to be the best of the best. This venerable institution with its "fortress balance sheet," the darling of the regulators2 was supposed to somehow have immunized itself from this kind of risk. At least that is what many thought, as the behemoth bank had successfully navigated through the Great Recession. But that clearly is not the case, as it wasn't in the other cases that experienced massive losses from trading activities, as shown in Figure 1.

Figure 1 includes the big, headline-grabbing losses that have happened in the last 20 years. This list does not include the hundreds of smaller, but still significant, losses that occurred on numerous trading strategies gone wrong or on other unauthorized or rogue trading activity. The list also excludes losses from trading activities at many large non-public hedge funds and other investment funds, in which such losses are not publicly reported. In addition, the list does not include the massive losses from even more significant portfolio management decisions to increase (or not to limit or decrease) concentrations in high-risk activities. Examples of the latter risks or losses include originations or purchases of subprime mortgages (pre-crisis), even as the U.S. housing market was in a state of decline, and concentrations in commercial real estate in weak markets. The collapse of Lehman and Bear Stearns falls into the last category.

These losses weaken our financial institutions and heighten the call for more intensive regulation. For example, the Volcker Rule, a new rule named after a former Federal Reserve chairman and part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), will significantly limit U.S. banks from making certain kinds of speculative investments that do not benefit customers.4 The Volcker Rule is highly controversial and very complex. The proposed rule is nearly 300 pages in length, and it seeks comment from the industry on hundreds of questions that would affect its promulgation and implementation, virtually ensuring that the final rule will be even more lengthy and complicated.

These risks and losses, and the often ill-advised and poorly structured regulations that are promulgated to try to limit risks and losses, could have been avoided. They highlight key questions that need to be asked and resolved by the financial institution: "Why didn't our risk oversight, management and control functions identify this risk, and what can we do to be sure it doesn't happen again?" However, these questions need to be asked prospectively and not reactively (that is, after the losses already have occurred). So the pertinent questions for a company to be asking today are: "What are the risks that could result in losses to our company tomorrow?" and "How can we strengthen risk oversight, management and controls to ensure that those losses cannot occur?"

This is the latest focus of risk management, and particularly enterprise risk management (ERM)5, now and into the future. For example, the new requirements for risk assessment and stress testing in the financial services industry, which also are components of the Dodd-Frank Act, have the underlying objective of motivating directors and senior officers to think today about risks that will impact the company tomorrow.6 Both risk assessment and stress testing processes require a financial services company to identify those risks that could produce losses, project what those losses likely would be in a severe stress scenario, and implement controls that are commensurate with the magnitude and frequency of the identified risk exposures.

So could these emerging requirements for more proactive risk assessment and stress testing processes have helped JPMorgan Chase or UBS avoid the trading losses in 2012 and 2011, respectively, or the banking industry to dodge the major hemorrhaging from the Great Recession? Maybe, but probably not. Risk assessment and stress testing (and other risk monitoring) processes represent the mechanics of ERM. They are the nuts and bolts of risk identification and analysis that, when completed throughout the enterprise, should be successful in highlighting the risks that likely are to produce material losses.

Of equal or greater importance to an organization is how those risks are governed and managed on a proactive basis based on the results of the risk assessment, stress testing, and other risk identification and analysis processes. The fact of the matter is that virtually all the major financial institution losses in recent memory, including those listed in Figure 1, can be traced to major weaknesses in risk oversight and risk management decision-making processes. In the case of the JPMorgan Chase loss, weak oversight by the board risk committee and a lack of banking/finance expertise on the committee have been cited as factors contributing to the loss.7 At UBS, the $2 billion loss in 2011 exposed "woefully inadequate risk oversight" in trading and treasury operations at the bank.8

What are the components of a strong risk oversight and decision-making framework? These are presented in Figure 2.

BOARD OF DIRECTORS

The board has the responsibility for the oversight of the performance and risks of the company, although that responsibility is delegated to the board risk committee and to senior management through risk policies established for each risk category. Delegation of this responsibility does not absolve the board from its responsibility for risk oversight. The board must approve all major strategies with material risk exposure and risk management implications.

BOARD RISK COMMITTEE

The committee is responsible for more focused oversight of risks on behalf of the full board and reports the results of its meetings to the full board. Also, the committee receives summarized reporting on risks and risk management from the management-level risk management committee and holds an executive session (no other members of management are present) with the chief risk officer to underscore the independence of the risk management function. Per the Dodd-Frank Act, a board risk committee is required now for all banks with more than $10 billion in total assets.

CHIEF EXECUTIVE OFFICER

The chief executive officer presides over the management of the company's risk and performance, as always.

RISK MANAGEMENT COMMITTEE

The committee receives and reviews reports pertaining to risk exposure and risk management from throughout the company; makes decisions as to how to mitigate risks and integrate the management of risks; evaluates the risks of new products, strategies and acquisitions; and recommends risk limits and guidelines for approval by the board via risk policies.

CHIEF RISK OFFICER

The chief risk officer chairs the risk management committee; coordinates and directs independent risk analysis, monitoring and reporting functions across all risk categories and business units; manages the ERM function; and reports to the board risk committee and the full board as needed.

INTERNAL AUDIT AND THE AUDIT COMMITTEE

Internal Audit conducts audits of the ERM function to confirm that it is operating effectively and reports those results to the audit committee, which ensures that any outstanding control issues are resolved on a timely basis.

It is important that each of these components be established and be functional at all times. A lack of any one component can undermine the operation of the entire framework. Even though a company may have a board risk committee in place, for example, it may not be functioning optimally in overseeing risk or the members on the committee may not have appropriate experience, as discussed in the article referenced in Footnote 6. An important role that experienced risk consultants such as FTI Consulting can fulfill is in independently evaluating the effectiveness of the risk oversight and management decision-making processes—for the board of directors and/or for executive management.

As noted above, nearly all the breakdowns in ERM occurred in risk oversight and decision-making processes, and losses can be traced to these weak links. Such breakdowns come in many shapes and sizes. Some examples are provided below:

  • The board is not adequately apprised of the risks of major new products or strategies.
  • The board and the risk committee reports describing trading, portfolio credit, counterparty credit and other risks do not adequately depict actual exposures.
  • The board or risk management committee does not act decisively to address an identified risk exposure or issue.
  • The board's limited risk appetite is not adequately reflected in the policy limits established in the risk policies, potentially resulting in excessive risk exposure.
  • Significant risk exposures or issues are not escalated appropriately to executive management or to the board to ensure they are resolved effectively.

Although ERM has made sound progress from being virtually non-existent 15 years ago, we still have a long way to go, as the JPMorgan Chase loss indicates. According to Michael Greenberger, former regulator with the U.S. Commodity Futures Trading Commission, "There have been increased efforts to improve risk controls, but it wouldn't surprise me if three or four months from now, there is another explosion somewhere else."9

By establishing a risk oversight and decision-making structure that reflects leading practices in the industry, with a strong emphasis on risk awareness, a company can make major inroads to avoiding the significant losses that have plagued so many. This top-down focus on risk, combined with a bottom-up concentration on risk assessment, stress testing and other proactive risk identification tools, represents the best overall framework for ensuring sound risk oversight and management at the enterprise level. Will such a framework eliminate losses from rogue trader activities going forward? Probably not. But it will give us the greatest likelihood of avoiding such losses in the future.

Although the subject of this article is risk management in the financial services sector, the same concepts equally are applicable in the other industries that FTI Consulting serves such as Energy & Utilities, Healthcare, Construction, Insurance and Petroleum & Chemicals, to name a few.

Footnotes

1. "Double Trouble at JP Morgan: Trader's Losses Could Exceed $7B", InvestmentWatch, May 22, 2012

2. "...Jamie Dimon, long considered Washington's favorite banker." "Bank Regulators Under Scrutiny in JPMorgan Loss," New York Time Business Day, May 25, 2012.

3. "Top Ten Biggest Trading Losses in History," Time NewsFeed, May 11, 2012.

4. Interagency Notice of Proposed Rulemaking: "Prohibitions and Restrictions on Proprietary Trading and Certain Interests in, and Relationships with, Hedge Funds and Private Equity Funds," U.S. Department of the Treasury, Oct. 11, 2011.

5. "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives," Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework, 2004, page 2.

6. Supervisory Guidance on Stress Testing for Banking Organizations with More Than $10 Billion in Total Consolidated Assets," Board of Governors of the Federal Reserve System, May 14, 2012

7. "JPMorgan Was Warned About Lax Risk Oversight," The New York Times, June 4, 2012.

8. "How UBS Mismanaged Its Way to a Profit," Seeking Alpha, Oct. 5, 2011.

9. Quote from Michael Greenberger, professor of financial law at the University of Maryland and a former regulator with the U.S. Commodity Futures Trading Commission, regarding "JPMorgan Was Warned About Lax Risk Oversight," The New York Times, June 4, 2012.

The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals. (c)FTI Consulting, Inc., 2011. All rights reserved.