From cushion to caution: An assessment of the risk management function of a typical Lebanese bank

The banking crisis in Lebanon extends beyond what the average citizen can and is able to see! To most of us, the banking crisis has been reduced to how banks have been dealing with their clients. By all standards, these are the consequences of the crisis. The core problem banks have been facing is rooted in their risk management, or better yet in their lack of risk management. Banks in Lebanon have serious difficulties winning the argument on effective risk management. Nevertheless, they win on compliance because the entity that grants them the stamp of approval on regulatory compliance – the Central Bank of Lebanon – can’t afford otherwise! For as long as I served in the banking sector in Lebanon (thirty plus years), banks, with the blessing of the Banking Control Commission of Lebanon (BCCL), have effectively shifted the responsibility of identifying, assessing and cushioning the somewhat static component of their risks to the regulatory authorities. The regulator allowed banks, by practice, to pick and choose what they want to comply with, and it sized a portion of banks’ risks and all concerned parties have been content with such a practice.

 

I can’t count the times I heard CEOs and Supervisors telling me “if it is not broken, why fix it!” in response to me pointing out to the dangers of being content with compliance and the utter reluctance to deploy enough resources to effectively identify, assess, and manage risks in real time. The recent crises proved to be the ultimate test for effectiveness of Risk, Crisis Management and Business Continuity Systems for banks. Not a single success can be claimed in any; even crises with financial-system origins, banks failed to manage. 

 

This false sense of safety that the regulators gave banks in good times just because they are deemed cushioned against identified traditional risks pushed them from cushion to caution when times turned bad. The cushion killed banks; and the caution will, if not already did, kill the economy in all of its components.

 

Here is my take on the curse of being content with the Central Bank’s dictated risk assessment:

 

● The shareholders. According to conventional wisdom in banking, a higher capital-asset ratio is associated with a lower after-tax ROE. A higher capital ratio tends to reduce the risk on equity and, therefore, lowers the equilibrium expected return on equity required by investors. Therefore, shareholders prefer less over more capital.

● The Board of Directors (BoD). There is no risk whatsoever in blindly accepting something that the regulator dictated on the bank’s risk management. That means, less pressure on board members to perform their expected and required risk oversight, little to no pressure on performance, and a sense of relief in knowing that there is a lower probability in being discovered as a risk-incompetent board member.

● The Chief Risk Officer (CRO). The unprecedented technological innovations, which spilled over a greater complexity in financial product offerings, produced a banking environment whereby risks emerge and develop much faster than knowledge about these risks can be acquired and evolve. As a result, the safer bet by CROs has been to have the regulator chaperone the bank’s risk management journey instead of having him/her be the whip which could potentially muddy CRO’s relationship with the Board and hurt CRO’s bonus and career ambitions. 

● The Chief Financial Officer (CFO). Although in most financial institutions their contributions to regulatory compliance is immense, they get little recognitions and appreciations on a job well done! Their job is rendered much easier when the regulator sizes a significant portion of bank’s risks (i.e., risk weights are provided by the regulator). Having the regulator on board: 

 

✔ serves as an advanced assurance on the quality of the bank’s risk reporting – especially CAR; and 

✔ minimizes frictions between the CRO and the CFO of the bank. 

 

It is worth noting that in most banks operating in Lebanon the CFO oversees accounting, static end-of-period reporting, dynamic reporting (MIS), and budgeting. 

 

● The Chief Internal Auditor (CIA). There is no greater comfort than giving internal auditors a work environment and a work culture whereby they don’t have to think outside the boundaries of the regulatory guidelines. That’s one of the greatest blessing in having the regulators on board. I have to admit; I have never been impressed with the outcomes of any audit engagement with the risk management division; and I have seen plenty.

● The External Auditors. Audit firms are profit seekers like any other firm. They plant the seed of “happy bank management” to reap the benefits of longer audit engagement with the bank and stable income! This is rendered even better when the regulatory authority: 

 

✔ has deemed the financial institution adequately compliant, and/or 

✔ fell short of taking decisive corrective actions when not in compliance!

 

● The Local Regulatory Authorities. Simply, to show banks who is boss! There is so much we can learn from the conduct, better yet the poor conduct of the regulatory authorities. The central bank has always assured banks that they’re compliant, and banks have never argued with that. Banks have never questioned the adequacy of their compliance; they’ve never asked the very important questions:

 

✔ Under what circumstances are we compliant?

✔ How fast could this change to our detriment?  

✔ Is the regulator adequately aware of our actual risk-taking behaviors?

✔ And a host of other legitimate questions and concerns

 

Recent events have proved that the local regulatory authorities have been giving banks false assurances, and a wrong sense of safety.

 

● Bank Clients. Ironically, bank clients benefit significantly when banks pay little attention to risks in pursuit of profits. However, when risks are not easily identified and sized, banks may resort to de-risking as a safe avenue to charter. This is very damaging to banking and banks as well as to clients. One of the reasons clients have been suffering as a result of the crisis that emerged in late 2019 is that banks quickly switched from cushioning risks to dealing with caution with risk (i.e., de-risk). 

Such risk management practices must come to an end if the banking system hopes for any healthy recovery. If we accept that the world is increasingly unpredictable, complex, and therefore uncertain, we see that the traditional approach to risk management does little to avoid top leadership from periodically being caught unprepared as demonstrated with tragic clarity by recent events. Many types of risks, while being equally serious, take very different time spans to manifest due to internal technologies and external environments. Traditional risk analyses do not account for any of that. Focus of controls to mitigate high velocity (risk overloads) and low velocity (risk silos) risks are vastly different. Risk analyses will be significantly improved through the addition of risk velocity and risk overloads. Otherwise,

 

▪ Management’s response will be slow and inadequate.

▪ Impacts will be experienced at a rapid pace.

▪ Risk professionals will not be able to support management decision making process in this faster-paced environment. Decision-making that is based on periodic reporting will no longer be acceptable, and cannot serve as a recipe for success. 

 

The concept of risk must be taken beyond the traditional likelihood-impact and periodic risk assessment process to explore and introduce additional risk indicators, and collect data to manage risks in real time. The emerging risks financial institutions are facing today are less visible than and fast-developing relative to traditional risk types. This can present challenges to the risk function:

 

● Poor risk identification 

● Failure to capture risk dependency and complexity 

● Inability to recognize risk overloads and guard against them

● Lack of know-how in understanding risk velocity, not just risk, and be able to assess its impact. Important risk considerations such as:

✔ Time to cause (from risk identification to the actual occurrence of each risk)

✔ Time to impact (from the actual occurrence of a risk event to the point when its impact is felt, and how fast has this been developing)

✔ Time to recover (to slowly recover from a risk event is a fail in risk management if otherwise is possible)

In effect, failure to effectively plan your risk management is a plan for failure. By focusing on compliance, banks misidentify risks, under-estimated the risks and their impacts. Consequently, bank’s capital ends up less than adequate to effectively cushion the financial institution against all risks. 

 

For those of you who are familiar with the three pillars of the Basel Accord should undoubtedly know that complying with Pillar 1 will only provide a poor cushion against the relatively static component of risks. However, most dangers to financial institutions come from the more dynamic component of risks. Pillar 1 deals with maintenance of regulatory capital calculated for three major components of risk that a bank faces: credit risk, operational risk, and market risk. On the other hand, Pillar 2 provides a framework for dealing with systemic risk, pension risk, concentration risk, strategic risk, reputational risk, liquidity risk and legal risk, which the accord combines under the title of residual risk. Banks can review their risk management system, and at the heart of Pillar 2 is the Internal Capital Adequacy Assessment Process (ICAAP). This is the true test of the effectiveness of a bank’s risk management function. Traditionally, banks in Lebanon have been poor in complying with Pillar 2, and deemed adequately compliant with pillar 1. 

Risk Management failures are behind banks’ recent switch from “cushion” to “Caution” at the first sign of trouble. However, when Lebanese banks were expected to cushion, they fell seriously short of what is required; and when they were supposed to exercise caution, instead they went to the extreme of total de-risking! In effect, the conduct of banks operating in Lebanon in recent months has redefined failure, and erased all of their self-proclaimed successes. Considering what Lebanon is going through in terms of the multitude of crises hitting simultaneously and evolving to a dangerous scale, the caution zone would be expected, but it is very different from complete de-risking. A banking system forced outside the cushion zone will have serious decisions to make:

 

● In the caution zone, banks will first need to understand exactly where they stand, through monthly or even weekly stress tests.

● Banks might reduce exposure to non-core activities that absorb considerable capital.

● Banks might look to run substantial cost-cutting programs, and to achieve further cost efficiencies by, for example, shutting brick-and-mortar branches and migrating customers to other service channels. 

● Banks must take care, however, not to jeopardize long-term relationships with their customers.

● If a credit crunch can be avoided, banks will tend to allocate their limited capital to only the most profitable loans. 

● Mergers & Acquisition regulations can play a role in shaping the direction of the industry by encouraging strong banks to acquire weaker ones, making tough choices on failing banks’ resolution mechanisms, and so on.

● Governments and banks can come together to understand some of the unwanted effects of monetary policy.

Capital buffers allow the banking system to withstand crises, but the system will be damaged and must be repaired. Losses are expected to deplete most of the capital, and the fact that we have not yet seen failing financial institutions, it only means that some weak banks are being protected at a price the local economy cannot afford. What must stand strong and show strength in weathering the storm is the banking system but not necessarily every individual bank. The wait-and-see attitude, the blame game, and the lack of actions by all will prove detrimental to the rescue and recovery efforts.

 

-------

Mohammad Ibrahim Fheili  is a Risk, Capacity Building, and Organizational Transformation Specialist