Risk, return, resilience: The future financial system
Speech by José Manuel González-Páramo,
Member of the Executive Board of the ECB,
at 3rd Annual Risk and Return Russia Conference,
Moscow, 14 April 2011
Ladies and gentlemen,
As the crisis is still unfolding, we cannot tell with certainty how our economic and financial systems will function in the future. Unfortunately, based on past experience, we can safely predict that individual banks, and the financial system as a whole, will face new challenges, and even crises.
We, as risk managers, have the weighty responsibility of ensuring that our institutions are prepared to weather these financial storms. Our role is not to eliminate the risk faced by an institution – this would not be possible or even desirable. In order to create resilient institutions, our role must be to act as guardians of the balance between risk and return. To do this, we must learn lessons from history; however, we should not be blinkered by history – we must use our knowledge of the past, combined with our intellect and our imagination, to anticipate and design appropriate responses for the challenges of the future.
In response to the crisis, a new risk control framework is evolving in many of our institutions. This framework puts risk management at the core of the decision-making process. Today, based on lessons learned from the crisis, I would like to highlight some of the principles which should guide the development of this new approach. Moreover, since this framework will require powerful quantitative and judgemental based tools to guide decision-making, I would like to highlight the importance of taking a twin pillar approach so that the risk to which an institution is exposed is recognised and controlled – here, I am referring to the twin pillars of statistical risk models and stress testing. Although today I will focus on the framework being developed by institutions in the private sector, I would like to point out that many of the guiding principles as well as the quantitative and judgemental based tools are equally relevant in public institutions such as central banks.
2. The importance of the financial system 
Before considering this new framework in more detail, let me first emphasise that the role of institutional risk managers and institutional-specific risk control frameworks is more significant than simply protecting an individual institution from failure: the concerted efforts of risk managers, regulators and central bankers can – and indeed must – ensure the resilience of the entire financial system.
Why is the resilience of the financial system so important? The financial system is the lifeblood of the real economy. It touches all facets of our economy from households to corporations and even governments. Although much could be said about the positive contributions of the financial system to the real economy, for the sake of brevity let me highlight three contributions which I believe are of fundamental importance:
First, an important role of the financial system in the real economy is to intermediate between savers and borrowers to create a mutually beneficial symbiotic relationship:
From the point of view of borrowers the existence of sound financial intermediation means that people can obtain mortgages to buy homes; entrepreneurs can obtain funding to bring new ideas and innovations to life; and governments can undertake long-term projects to build roads and hospitals.
From the point of view of individual savers lending through a sound financial intermediary is less risky than lending directly to borrowers since intermediaries screen potential borrowers; perform ongoing due diligence; diversify over many loans; have expertise in assessing the risk in investment strategies and importantly financial intermediaries can provide savers with the level of liquidity they require.
Second, capital markets on one hand can give corporations access to funding allowing them to invest and grow their businesses, and on the other hand the reliance of a corporation on capital markets creates incentive for good governance in order to entice and retain shareholder investment.
Third, financial products allow businesses to hedge against risks such as adverse interest rate and exchange rate movements, allowing entrepreneurs to concentrate on growing their core business.
The seeds of the crisis were sown when the financial system began to loose its focus on these core services:
‘Originate-to-distribute’ business models meant that institutions no longer fulfilled their primary function of performing due diligence on borrowers.
Investors purchased opaque financial products such as securitisations but were unable to undertake adequate due diligence of the instruments they held, instead they relied blindly on the judgements and the assessments of third parties such as credit rating agencies
The risk involved in investment strategies was not properly assessed, in particular the probability and impact of tail events.
Rather than relying on deposits from private savers, some financial institutions began relying on wholesale funding markets which are much more sensitive to confidence-related shocks.
Some institutions began investing in complex financial products whose function had little to do with economic fundamentals, for example re-securitised products such as CDO squared;
The crisis has demonstrated in no uncertain terms that the behaviour of financial institutions has the power to inflict great harm on the real economy. As a result of the crisis, trust in the financial system has been damaged. Regulators and central bankers have now started on the long road to rebuilding this trust:
The regulatory and supervisory framework for financial institutions is currently undergoing a major overhaul to close the gaps identified by the crisis – for example Basel III and Solvency II will strengthen the capital and liquidity positions of financial institutions and thus enhance the resilience of the financial system as a whole.
Initiatives to improve the transparency of the financial system have also been launched. For example, in cooperation with market participants, the ECB has launched the ABS loan level project. This is an initiative to make loan-by-loan data available for European asset-backed securities. The aim is to promote greater transparency in these historically opaque instruments in order to foster renewed confidence in securitisation markets.
Steps are being taken by regulators and central banks to reduce their over-reliance on external credit assessments. 
Risk managers also have an important role to play - using the new regulatory framework as a sound foundation, the risk control framework for the future needs to be implemented to ensure the resilience of individual institutions and to contribute towards the resilience of the financial system as a whole. A resilient financial system will have a positive influence on the economy as a whole.
3. Challenges facing individual institutions and the global financial system
Now, let’s consider some adverse scenarios which could serve as food for thought for risk managers when designing a risk control framework for the future. Even during the relative calm of the last few decades there have been numerous crises in different parts of the globe – some which impacted only individual institutions while others which have been systemic in nature. Although these events never seem to repeat themselves in exactly the same way, it is possible to identify some common causes and triggers. For each of these causes and triggers, risk managers need to ask themselves the question ‘How would my institution cope if …?’
Due to the nature of finance, it is not uncommon for individual banks to face challenges. These challenges come in many shapes and forms: for example, a counterparty default, a credit rating downgrade, the withdrawal of a secure funding line, the overvaluation of assets, an upsurge in non-performing loans, flight of deposits, or outright fraud. These are potential adverse scenarios which a risk manager must consider when preparing for the future.
Of course banks do not exist in isolation: they are subject to their economic environment. Therefore, in collaboration with supervisors and regulators, risk managers need to prepare for the eventuality of systemic crises in the markets where they operate. For example:
Many of you sitting in the audience today will have experienced first hand the devastating impact of the currency crisis which Russia experienced in the 1990s. Directly, this impacted banks reliant on foreign borrowing. Indirectly, bond and equity prices collapsed and the resulting depression resulted in higher levels of nonperforming loans.  A risk manager needs to understand the direct and indirect impact that an event can have on an institution by evaluating well thought-out and comprehensive potential adverse scenarios.
During the past decades, assets have played an increasingly important role in many economies. Therefore the boom and bust cycles of asset prices can have far-reaching consequences economically. For example, we witnessed the severe impact of a property price bubble in Japan in the 1990s. Currently, we are witnessing a sharp increase in commodity prices, as the growing emerging economies account for an increasing share of global consumption. The role of risk managers is to evaluate and prepare for the impact of a downturn in prices.
In recent decades we have also witnessed crises in emerging markets where economies have overheated. For example the Asian Crisis in the late 1990s first became evident in Thailand before quickly spreading to neighbouring countries and led to fears of wider economic impact due to financial contagion. A risk manager must consider where the risks may lie in the future, for example by considering the impact of a financial slowdown in important emerging economies like Brazil or China.
In light of the current banking crisis, it is evident that the impact of the activities of lightly regulated entities on the financial system cannot be ignored. In particular, risk managers must become more aware of the risks associated with the off-balance sheets activities of their own institutions since the crisis has revealed that these activities can have a direct impact on the financial health of the institution.
With these adverse scenarios in mind, it is clear that the risk control framework needs to be robust and comprehensive so that institution-specific events or wider economic challenges don’t create a crisis for the institution.
Let us now consider how the risk control frameworks of the past need to evolve to meet the challenges of the future.
4. A robust risk control framework for the future
The role of the risk control framework is to evaluate the risk inherent in the business activities of an institution and to ensure that these risks don’t endanger the institution even in extreme circumstances. However, financial institutions have struggled as the current financial crisis has unfolded and many have not been able to withstand the shocks that the financial system has experienced. But exactly why did these failures occur? Well, the diagnosis is clear: industry reports highlight that the risk control framework in many institutions was not robust enough, due primarily to weak governance and lack of understanding of the risks inherent in the business strategies adopted. The reports conclude that risk management reforms are necessary to create stronger institutions and a resilient financial system. 
Individual institutions and the financial industry as a whole are learning from experience and are now developing a resilient risk management framework for the future. This framework should be built following some guiding principles and should be supported by a comprehensive risk management toolkit, namely the twin pillars of statistical risk models and of stress-testing programmes.
I would like to add that central banks do not consider themselves exempt from the implementation of such a framework. Central banks, as public institutions, are accountable to the citizens they serve and must lead by example: In normal times, the core functions of a central bank include conducting repurchase operations to implement monetary policy and the investment of public money. In order to do this prudently, a framework must be in place to assess and mitigate the associated risks. Moreover, in times of crisis a central bank must act as the Lender of Last Resort and take socially necessary risks to safeguard the stability of the financial system. Inevitably, this means additional credit risk exposure. However, this additional risk should not be borne blindly: it is essential that the risk control framework can quantify the true magnitude of the risk borne by the central bank.
4.1 Principles for a risk control framework
Let us now consider four guiding principles around which the risk control framework should be built. 
First, and most important, is the principle of sound governance: The voice of risk management must be independent and within the boardroom must be at least as powerful as that of the revenue-makers: good advice from risk managers is worthless if senior management do not listen or are not fully committed to controlling the risks generated by revenue-makers. Clearly, this first principle is the base upon which the other principles stand. If this principle is not followed, then the impact of the other principles is, to all intents and purposes, nullified.
Second, there needs to be a clear understanding of the risk inherent in the business model adopted by the institution. The risk control framework needs to give a bird’s eye view of the risks associated with the high-level overarching strategy, individual business lines and specific portfolios. Even the risks associated with the off-balance sheet activities of the institution cannot be overlooked. Let me illustrate the importance of each of these considerations by drawing on some of the lessons of the crisis which I briefly mentioned earlier:
The crisis highlighted the vulnerability of some business models, in particular those models which relied heavily on wholesale markets for funding. It is clear that the liquidity risks associated with such a model were not properly assessed or understood. Consequently sufficient contingency measures, such as adequate liquidity reserves or alternative sources of funding, were not in place to cope with the evaporation of liquidity in stressed conditions. Therefore it is essential that the risk framework can properly assess the risks associated with the high-level business model and that steps are taken to mitigate these risks.
The crisis showed that many institutions did not properly understand the risks associated with the complex instruments which they held in their portfolios and that there was a blind reliance on the trading strategies or the assessments of others, for example so-called ‘smart’ market participants or rating agencies. Therefore a robust risk framework must be able to drill down to a granular level so that the risk associated with individual portfolios can be analysed.
The crisis revealed that the activities of lightly regulated entities were not as de-linked from their originators or sponsors as was previously thought. During the crisis many institutions had to bring the assets of the lightly regulated entities to which they had close links onto their balance sheet when the entities ran into trouble, although in most cases there was no legal onus to do this. The reason for such action was to help protect the reputation of the regulated institution in the markets.
When defining the business model and strategy of a firm the risk tolerance of the institution needs to be clearly defined and communicated to all business lines. The risk control framework needs to include explicit checks and controls to ensure that the actual risk profile of the firm stays line in with the risk tolerance of the financial institution.
Furthermore it should be recalled that the potential for high returns goes hand in hand with high risks, therefore when developing business strategies a balance needs to be struck so that long run profitability can be ensured. In particular the risk control framework should be able to identify the risks associated with high profit business lines so that this can to be signalled to, and understood by, the highest level of management.
The third key principle is the concept of diversification: It is clear that an institution which has well diversified activities is better placed to weather challenges. However, as our global economy becomes more interconnected the traditional definition of diversification must be re-examined: diversifying across equity, market and credit risk is no longer enough – institutions also need to consider business lines which are less sensitive to the business cycle. Having said this there is still room in our financial system for specialised banks which have the expertise required to take particular risks onto their balance sheet. For these banks which lack the cushion that diversification provides, the second principle which I mentioned, a clear understanding of the risks inherent in the business model, is paramount. 
Fourth and finally, the strategy of an institution should be forward looking: The risk control framework should look ‘through the cycle’ and in particular identify and seek to mitigate the risks associated with pro-cyclicality – that is the exaggeration of the peaks and troughs of the natural economic cycle. For example, the institutional risk control framework must account for the risks associated with following similar strategies as other market participants particularly during the contraction phases of economic cycles, when many firms may be unwinding similar positions at the same time. Here, of course, the individual institutions can benefit from the counsel and guidance of the macro-prudential supervisors.
4.2 Strategic decisions should be guided by a two pillar analytical approach: A toolbox of statistical risk models and a comprehensive stress-testing programme
In order that these four core principles can be followed, the tools used within the risk control framework need to be capable of evaluating the totality of the risk the institution faces. Furthermore, it should be possible to communicate this evaluation in a concise but comprehensive way to all stakeholders in the institution. In order to achieve this, a comprehensive risk evaluation toolbox needs to be put in place. This toolbox should comprise of a suite of complementary statistical risk models and a comprehensive stress testing programme.
First let me highlight some considerations regarding the statistical risk models before turning my attention to the concept of stress-testing.
A toolbox of complementary statistical risk models
We use statistical risk measures such as value-at-risk, expected loss or expected shortfall to assess the risk facing an institution. However, as I’m sure you are aware, statistical risk models have been subject to strong criticism in recent times since the crisis has brought the shortcomings of some of these models to light. Nevertheless, this does not signal the death toll for such models. On the contrary, statistical models, properly used, will be an important component of the risk control framework since they allow us to compress the myriad of risks facing an institution into a few easy-to-understand figures.
There are some common-sense guiding principles which will ensure that this toolbox is used in a constructive manner to evaluate and control the risks faced by an institution:
First, and perhaps most importantly, risk models are a tool: they are created to help aid our understanding of risk but are not there to replace the intellect of a risk manager who must interpret their output in a meaningful way.
Second, risk models should not be used in isolation: every model encapsulates a different version of reality therefore using different models helps to build a more representative picture of the risks facing an institution.
Third, risk models by their nature make simplifying assumptions regarding reality. Therefore limitations of individual models should be clearly signalled. If the limitations of the model are not properly understood then this can lead to misinterpretations of the output. For example, statistical models may work well under normal market conditions but not under stressed market conditions where accessing funding may become more challenging or liquidity may evaporate.
Fourth, since statistical models use historical data to anticipate what might happen in the future, accurate and representative historical data is a basic requirement as without this, even the most sophisticated model is worthless.
Fifth, the field of statistical risk modelling is still evolving but it is important when developing new models that emphasis is placed on ease of use and calibration and that model outputs are easily interpreted and understood: sophisticated models are worthless if it is not possible to derive realistic input assumptions from the market or interpret the output in a meaningful way.
With these guiding principles in mind, it should be possible to create a statistical risk toolbox which can help inform the decision makers of an institution.
A comprehensive stress-testing programme 
Now let me turn to the second pillar of the risk analysis toolbox – namely a comprehensive stress-testing programme. (Of course, I refer here to an “internal” stress-testing programme which is designed and executed by the institution itself, rather than the “external” stress-tests carried out by regulators such as the European Banking Authority.) An internal institution-specific stress-testing programme should be used to complement statistical risk analysis since a well-developed programme will allow decision-makers to gain an insight into what happens in extreme circumstances or so-called ‘tail-events’.
In the past, stress-testing in an institution was normally done in a rather ad-hoc way, for example:
sensitivity tests were carried out to check that statistical models where not concealing potentially large risk exposures due to their specific assumptions and limitations, or
mechanical stress tests were carried out, for example, increasing interest rates by a certain – rather arbitrary – factor to determine the impact on a particular portfolio.
Although sensitivity tests and mechanical tests have their place, such tests are not necessarily a reflection of reality. So while these tests may be stressful, it is difficult to interpret whether they are in fact plausible.
This, of course, must be the core tenet of a comprehensive stress testing programme: scenarios should be ‘stressful but plausible’. To achieve this, institutions are placing less emphasis on the ad-hoc tests of the past and are implementing an approach whereby scenarios are defined by considering a set of coherent events; the impact of these events on the institution, on business lines and even on individual portfolios and positions is then examined.
In order to ensure that such scenarios are indeed ‘stressful but plausible’, this programme cannot be the sole responsibility of risk managers – all business areas within the institution need to be involved, and macro-prudential supervisors consulted, so that the end-result is credible. For inspiration, to those of you who will take up the challenge of developing such a programme, let me recall some of the adverse scenarios I mentioned earlier:
on one hand, institution-specific (and even business-line specific) events need to be considered: a counter-party default, a credit rating downgrade, the withdrawal of a secure funding line, the overvaluation of assets…
on the other hand, and perhaps more importantly, macroeconomic scenarios need to be considered: for example asset price bubbles, slowing global economies, the impact of difficulties in the less regulated markets.
Once an array of scenarios have been chosen, these skeletal scenarios must then have meat added to them. The chain reaction resulting from the initial scenario needs to be developed: for example a slowing emerging economy may or may not have a large direct impact on an institution, but what if an important counterparty is exposed? Or what if the slowing emerging economy causes a collapse in the demand for commodities, how would this affect internal portfolios? Is the institution indirectly affected by a collapse in commodity prices due to high exposure to commodity-rich countries? ... and so on.
The impact of such a scenario on an individual institution can be determined by looking at historical data, but it is not reasonable to assume that the world is not changing; we must also prepare for risks which have never occurred. To help us economic forecasts and analysis play a role – but our judgement and imagination are also indispensable tools.
To develop such a comprehensive stress-testing programme is not a trivial task. It will require an investment of time and resources. But there are high dividends to be reaped: institutions with such a programme will surely be better placed to survive the next crisis.
Let me conclude.
In the years leading up to the crisis, too often, in the clamour for ever higher returns, the voice of reason was not heard and risks were ignored. The crisis has exposed this and has revealed significant shortcomings in the risk control frameworks of financial institutions. In particular, the failure to properly assess the risks inherent in business models, in portfolios, and in off-balance sheet activities has become evident. Consequently, a rebalancing of risk and return is required to ensure resilient institutions and a resilient financial system.
To achieve this, a strengthening of the risk control framework is needed so that our financial institutions are ready to face the challenges that lie ahead. Such a framework needs to put risk management at the heart of the strategy and decision making processes of each institution. The framework should be supported by the twin pillars of risk analysis, that is a suite of statistical risk models to provide a measure of the different risks faced by the institution and a comprehensive stress testing programme which consists of a more judgemental and coherent risk analysis based on scenarios that the institutions may be facing in the future.
I will leave you with a final reflection: although the global economy may show signs of recovery, many uncertainties remain. There is no room for complacency as new challenges will undoubtedly arise. We must act now to rigorously implement risk control frameworks so that we are prepared to face the next challenge from wherever that may come.
Thank you for your attention.
 Finance and growth – theory and evidence, Handbook of Economic Growth (2005);
 European commission’s public consultation on credit rating agencies – Euro system reply, 23 February 2011;
 Making the banking sector more efficient and resilient, OECD Economic Surveys: Russian Federation (2009);
 Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Institute of International Finance (Dec. 2009); Risk Management Lessons from the Global Banking Crisis of 2008, Senior Supervisors Group, (Oct. 2009); Containing Systemic Risk: The Road to Reform, Counterparty Risk Management Policy Group (Aug. 2008); Principles of conduct and best practice recommendations, Financial services industry response to the market turmoil of 2007-2008 (Jul. 2008).
Please refer to the previous footnote for further information.
 EU Banking Structures, ECB (September 2010).
 Principles for sound stress testing practices and supervision, BIS (May 2009).