Risk management comes mainstream

April 2005

As risk management comes mainstream, firms are increasingly bolstering their risk groups, which already comprise market, credit and operational risk professionals, to also include professionals in financial compliance. Reporting structures are being reorganized, and the Chief Risk Officer (CRO), now a member of the executive committee, is being charged with overseeing the firm's financial capital and reputational risk, as well as the interaction between its operations and global regulators. We are seeing a convergence of risk management and financial compliance as the borders blur between these two disciplines. Michael Woodrow, President of Risk Talent Associates, the leading executive search firm focused on risk management, discusses this trend.

During the past two decades, risk management has seen a steady evolution. When I started my career, the risk manager was the guy in short sleeves who managed the property and casualty insurance for our firm. He sat in a back office, and no one paid him much attention. Now, risk professionals from around the world belong to various trade and industry associations, with memberships reaching over 20,000 globally, with significant representation on each continent. The Wall Street Journal routinely prints articles on risk management practices at hedge funds, investment banks, insurance firms, and so on. Risk professionals are also making more money; our own 2004 compensation survey found that managing directors in risk management groups from the capital markets now earn an average total compensation package of over $600,000 USD. Moreover, CROs have moved into the executive suite in terms of responsibility and compensation. Risk management has come a long way in the past twenty years, and it appears that its evolution continues.

Two trends in risk management

Where is risk management going? Two trends seem apparent. First, CROs, particularly at large, global financial services firms, have new roles and responsibilities. Rather than spending the bulk of their time as a senior risk officer, overseeing the day-to-day activities of risk management groups, they have become senior executives, dealing with strategic, investor, M&A, regulatory, and key operational issues. Instead, the day-to-day responsibilities of the risk groups have been delegated to their chiefs, some of who are the heads of market, credit and operational risk, and oversee their own army of risk professionals. Chief executive officers now sleep a little better at night knowing that they have a seasoned executive "waking up every morning" thinking about the myriad of risks that affect the firm.

Second, and more importantly, we see a convergence of the risk management and compliance functions. Just as risk management grew out of finance and has succeeded in becoming a critical forward-looking aspect of financial management, rather than simply a reporting, or accounting function, so too is financial compliance moving from largely an audit role to a strategic function.

Compliance in 2005 resembles risk management in the 1990's

It is no mystery why compliance is getting everyone's attention. Well-publicized financial disasters such as LTCM, Enron, WorldCom, Parmalat, and Asia Aviation all have had tremendous ramifications well beyond the names listed. We hear of derivative valuation and mark-to-market pricing problems, and we think of Fannie May and Freddie Mac, Orange County, and so on. Last year, many of us first learned of the term "late trading" with respect to mutual fund shares, as Putnam and Bank of America, among others, were forced to pay significant fines for this activity. Recently, we became aware of irregularities around insurance brokers and bidding practices, with Marsh and others paying hefty fines - and Marsh's CEO being shown the door. Other Fortune 500 companies continue to surface in connection with questionable deals and practices. Rarely does a month go by when we do not learn about some compliance related issue that has an affect on a firm's market value.

After far too many lessons learned, firms are beginning to take compliance, and the larger issue of ethics, seriously. Failures in these areas are being seen as the greatest potential type of operational risk - reputational - with significant impact on both earnings (through fines) and market share (through investor action).

An example in capital markets - Citigroup

One example of a firm who seems to be getting the message is Citigroup. While it might not be apparent in their share price, and 52-week activity, it is possible that their market cap has been adversely affected by the many negative articles in the press about Citi's business practices. Recently, Chuck Prince, Citi's chief executive decided that it was time for a cultural change at the colossal financial services firm. As reported in the Wall Street Journal on March 1st, 2005, Mr. Prince stated, "We emphasized the short-term performance side of the equation exclusively … We didn't think we had to say: ' and by the way, don't violate the law.' There were unspoken assumptions that need to be spoken." Mr. Prince is backing this up with a 30 percent increase in budgets for compliance and audit. His chief risk officer, Dave Bushnell, is also taking a more active role in compliance in a prime example where compliance and risk management are converging.

Firms are realizing that compliance efforts designed simply to audit and report on problems are no better than risk management tools and practices that look more in the "rearview mirror". Sure, these audits and reports provide some information, but senior management and business unit heads are more interested in making sure that the business is run properly going forward. Risk management has already taken this step, as it has been pushed into the front office and business units at most firms. With the convergence of compliance and risk management in capital markets, financial firms are moving compliance into the business units, and making it part of the daily operations. As this matures, I expect a compliance oversight group to emerge to monitor and report on it but the day-to-day responsibility for compliance will sit within the business unit. This oversight group will not be staffed only with lawyers who know all of the regulations, but instead with business unit professionals - individuals who understand the trading, middle- and back-office operations, in addition to the NASD or SEC regulatory requirements. We see many firms already filling these roles with individuals who can react quickly to an issue on the trading desk.

Where will firms find these individuals? Many are looking inside their firm so they can leverage internal knowledge transfer and fill these positions with individuals who understand the business. Other firms are already raiding the regulators for talent, offering compensation packages that far exceed those paid by the government, exchanges, and self-regulated bodies. Most individuals in these regulatory positions can expect to see a 25 to 50 percent, or higher, compensation increase to move to the private sector.

Hedge funds and compliance

We are seeing similar trends in the hedge fund arena. Due to recent rulings, a significant percentage of US-based hedge funds are required to be registered and have compliance officers by February, 2006. These firms, which tend to mirror proprietary trading desks at investment banks, have long operated with lean staff. We estimate that approximately 10 percent of US-based hedge funds have dedicated risk management groups. These firms, among the largest funds in terms of assets under management, have established these risk groups for three primary reasons. First, there are the quantitative-driven shops that make use of quantitative trading strategies. They naturally and somewhat easily incorporate risk management into their systems. Second, there are firms with multiple desks and/or strategies and they need to aggregate their risks across both desks and strategies to ensure survival. Third, some investors, particularly the coveted institutional investors, require risk management and the related risk reporting disclosure in order to invest in the fund.

There are similar reasons for growing compliance efforts at these firms, beyond the addition of regulatory (SEC driven) oversight. Demonstration of quality compliance efforts will be one more way to separate the real hedge funds from the pretenders - and investors will take notice, just as they have taken notice of risk management efforts. While compliance at hedge funds is relatively new, we have seen signs that, because of the leanness of staff at hedge funds, the senior risk officer is also becoming responsible for compliance. We expect to see this trend continue as the February, 2006 deadline approaches. However, this skill set - combining risk and regulatory experience, with the ability to face clients and regulators - will be a staffing challenge for hedge funds. Quite simply, there will not be enough people with the required skills to satisfy demand. As in the past, hedge funds will look to investment banks to recruit staff, creating pressure on the supply/demand balance of compliance personnel at investment banks.

As we know, the modern discipline of risk management was focused first on market risk, then credit risk, and more recently operational risk. In 2005, we are seeing the emergence of the fourth aspect within risk management - financial compliance. It is likely that the sophistication of financial compliance will be much like the maturity of market risk - a steep curve with significant payback and integration of this framework into the business units. Just as global financial markets and the investors are more secure with sophistication of risk management, the addition of a financial compliance discipline to the office of the CRO will result in greater safety in the global capital markets.

Michael Woodrow
Risk Talent Associates LLC

About Risk Talent Associates
Risk Talent Associates (www.risktalent.com) is the leading international executive search firm focused exclusively on positions in the fields of market, credit and operational risk, as well as financial compliance and risk technology. Risk Talent's expertise, industry knowledge, proprietary network and dedicated focus shorten the recruiting process to deliver senior and mid-level risk managers in the capital markets, asset management, energy, consulting and software industries. Risk Talent has offices in New York, Chicago and London.
©2005 Risk Talent Associates LLC. All rights reserved.

Industry Focus

  • Capital Markets
    investment banks, commercial banks, federal agencies, and financial exchanges.
  • Asset Management
    traditional asset managers, hedge funds, fund of funds, and insurers.
  • Global Corporations
    major corporations, including construction, manufacturing, agricultural, and commodity as well as their financial subsidiaries.
  • Software Analytics
    risk management software solutions.
  • Oil/Energy & Renewables
    firms that develop, manage and market energy.
  • Risk Consulting
    consulting firms, administrators and ratings agencies
  • Healthcare
    hospitals, health insurance providers, healthcare organizations