How many people does it take to run a risk function? This is a question I’ve been pondering for almost 20 years. After much deliberation, here’s the formula:
Risk Staffing (RS) is a function of Risk Weighted Assets (RWA) divided by Average Salary, and of Risk Maturity (RM), Front Line Maturity (FLM), Systems of Record (SOR), and Data Quality (DQ). Let’s take a look at each of these individually and intuitively:
Risk Weighted Assets
This is pretty intuitive. An organization with $300bn of operational risk RWA is likely going to need a lot more people than one with $60bn of RWA. Not necessarily 5x, but directionally at least.
Average Salary
To be honest, I put that in here because RWAs are measured in billions and the numbers are so huge that we need to convert them to capital by dividing by 12.5, and then convert capital into people by dividing by an average salary. Assuming an average salary of $200k per person, a firm with $300bn of op risk RWA ($24bn of capital) would end up with over 100,000 people. This is why the other factors of the formula come to the forefront.
Risk Maturity
Here’s the challenge: we don’t know what we don’t know. Back in 2003 Operational Risk was in its infancy. At that time, looking at past losses, most organizations thought that the ‘one in 1000 year event’ (the Basel capital standard) would be around $4bn of losses, or about $50bn of RWAs.
External factors influence Risk Maturity. Think about new regulatory rules and standards, and also think about what your peers are doing. Individual loss events at peer firms can create seismic aftershocks that ripple through the banking industry. As an example, think of the Enron bankruptcy in 2001, which led to the creation of Sarbanes-Oxley. How many firms thought their controls and staffing over financial reporting risk were adequate prior to 2001? Probably all of them.
Front Line Maturity
It’s 100% true that the business, or front line, must understand and own its risks. Risk Management is never someone else’s job. That creates the perpetual temptation to believe that, in nirvana, front line units are so effective at managing risk that only a small second line of defense is needed. I don’t want to say that nirvana is impossible, but I can say that in my 20 years of experience we have not reached it yet!
I worked at Merrill Lynch prior to the financial crisis, and internally we all (probably like many in the industry) thought we understood and managed risk well. Take a read of this CNN Q&A with the CEO of the time, Stan O’Neal:
I never stopped looking at the risk reports. It turns out they didn’t properly capture the nature of the risk. I now understand why, but it obviously doesn’t matter.
CNN Money interview in 2010 with Stan O’Neal
That said, for the purpose of this formula, we can acknowledge that if businesses have demonstrated a complete grasp of their risks, then the size of the independent risk management function becomes smaller.
Systems of Record
Think about credit risk or market risk. What do they have that operational risk does not have? Answer: GREAT SYSTEMS OF RECORD. It’s not “SOME” loans that are entered into credit risk systems, but rather “EVERY LOAN”. It’s not some trading risk positions, but rather every trading risk position. You get the picture. Great systems of record, updated in a timely manner, allow firms to manage risks better.
Op Risk, given its diverse nature, has some risks that lend themselves to good systems of record, but many types of Op Risk don’t have those yet. Prior to the market conduct related events of the early 2010s, how many firms had good systems of record to detect such risks? To be honest, not many. This past decade has seen a huge level of investment in many firms’ surveillance systems and practices to address prior shortcomings.
More can be done to drive operational risk towards systems of record in order to manage those risks more accurately. Infrequent control ‘attestations’ that individuals have executed controls are no substitute for the kind of ‘system of record’ driven insights that can be derived ‘near real time’.
So, back to the formula: the more good systems of record you have for specific risks, updated dynamically, the lower the level of staffing needed in risk functions.
Data Quality
Data Quality has always been critical, but it took the publication of BCBS 239 in 2013 to establish standards to ensure that reporting to boards of directors is complete and accurate.
The intended effective date of 2016 for these principles was not met, and we see recent examples today of firms facing significant fines for failures in their risk reporting. One example is the Citibank $400m penalty from the OCC related to “deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls”.
In 2020 the Basel Committee on Banking Supervision published a progress report on BCBS 239. At that time none of the banks surveyed were fully compliant with the principles.
None of the banks are fully compliant with the Principles in terms of building up the necessary data architecture and, for many, IT infrastructure remains difficult. But banks’ efforts to implement the Principles have resulted in tangible progress in several key areas, including governance, risk data aggregation capabilities and reporting practices
BIS: Progress in adopting the principles for effective risk data aggregation and risk reporting
Data is very challenging, but the effort is worth it, not least for avoiding penalties, but also for the improvements in risk transparency and speed of decision making.
Putting it together
While I don’t have all the coefficients empirically tested, I do know this: having great systems of record and great data can make a huge impact on the staffing levels of risk functions. I’d easily guess these to be coefficients of 10 each, so a 100x benefit.
Front Line Maturity and Risk Maturity are always tricky to evaluate. Hubris comes into play here because we naturally think we have all the risks covered, and we all (front line included) tend to think we are better at managing risk than we really are. The nirvana of a ‘perfect’
Back to my formula, and the example of the $300bn RWA firm ($24bn of capital). If it scored the worst (1 out of 10 for each dimension), we would need 120,000 risk people. If it scored the best (perfect front line, perfect maturity, perfect data, perfect systems), you may just need 12 people. Either extreme is unrealistic.
The value of the formula comes in measuring maturity over time. Is your data improving? Is the front line getting better at identifying and managing risk? If so, there is a clear path to efficient and effective risk staffing.
Did a firm get hit with a large penalty and a significant set of new regulatory requirements? If so, then the hubris needs to be corrected, and the parameters of the formula updated to reflect reality. Inevitably we know that this will reactively result in increased staffing.
Risk functions are never static. This formula intuitively explains the factors behind why staffing needs increase or decrease over time. It can be used to make the case for improvements in data quality and systems of record.
Without maturity in these factors, risk departments need a lot of people to try to manage the risk, which in turn increases risk administration. Administration tends to feed on itself, creating yet more administration.
Do you want to create an efficient, effective and value-adding risk function? Then work on the factors identified here!