
Perspective

Charles Teschner
Dr. Peter Golder
Thorsten Liebert

Bringing Back Best Practices in Risk Management
Banks’ Three Lines of Defense
Booz & Company is a leading global management consulting firm, helping the world’s top businesses, governments, and organizations.

Our founder, Edwin Booz, defined the profession when he established the first management consulting firm in 1914.

Today, with more than 3,300 people in 58 offices around the world, we bring foresight and knowledge, deep functional expertise, and a practical approach to building capabilities and delivering real impact. We work closely with our clients to create and deliver essential advantage.

For our management magazine strategy+business, visit

Visit to learn more about Booz & Company.

Beirut: Peter Vayanos, Partner, +961-1-336433
Frankfurt: Thorsten Liebert, Principal, +49-69-97167-864
Hong Kong: Giles Brennand, Senior Executive, +852-3650-6100
London: Alan Gemes, Partner, +44-20-7393-3290
London: Charles Teschner, Partner, +44-20-7393-3792
London: Dr. Peter Golder, Principal, +44-20-7393-3234
Moscow: Steffen Leistner, Partner, +7-495-980-9962
Munich: Dr. Johannes Bussmann, Partner, +49-89-54525-535
New York: Paul Hyde, Partner, +1-212-551-6069
São Paulo: Ivan de Souza, Partner, +55-11-5501-6368
Shanghai: Andrew Cainey, Senior Executive Advisor, +852-3650-6100
Sydney: Peter Burns, Partner, +61-2-9321-1974
Tokyo: Yoshiyuki Kishimoto, Senior Executive Advisor, +81-3-3436-8609

Nick Donovan and Hussein Sefian also contributed to this Perspective.

Executive Summary

Many financial institutions have had horrific losses over the past 18 months. A variety of largely exogenous factors have been blamed for the losses, such as ownership structures and incentives, rating agencies, and the absence of effective market pricing for some products. However, we contend that at a small number of banks, a focus on basics actually prevented many losses. In particular, they benefited from a strong risk culture combined with a sharp focus on three effective lines of defense: top management and the front office, the risk management function, and audit. These lines of defense, staffed with capable individuals imbued with a strong sense of risk awareness, are at the heart of effective risk management.

The Root of the Problem

The current downturn originated largely in the U.S. financial markets. Cheap credit from the Federal Reserve fueled an extraordinary leveraging of the U.S. economy—with a particular focus on consumer debt, especially mortgage debt. The original sin was not in the lack of regulation but in the expansion of credit to the non-creditworthy on outrageous terms—as in the case of 105 percent loan-to-value loans being given without credit checks. Underwriting banks, large and small, packaged and resold this debt to investors, including other banks, as collateralized debt obligations and mortgage- or asset-backed securities; this freed up their balance sheets and allowed them to go at it again. The latter step was predicated on the notion that the purchase of the debt would bring a perpetual stream of repayment income against “secure” collateral—and, of course, this notion depended on the idea that the real estate market would keep rising. Globally, many institutions, assured by ratings, believed this to be the case.

Cheap debt also contributed to the explosive growth in banks’ balance sheets. These purchases of assets resulted in irresponsible leverage, rising at some banks to debt-equity ratios of 30:1, 40:1, and even 100:1. However, based on recent interviews with leading financial institutions, our hypothesis is that neither cheap central bank money nor inadequate regulation nor even the “complexity” of risk was the culprit behind this overleveraging. The job of financial institutions is to collect, price, disaggregate, de-correlate, reaggregate, and price risk. To blame complexity is to seek a barter economy. The real culprits were bad governance, bad incentive systems, and astonishingly poor risk management at some major banks.

With the inevitable decline of the U.S. real estate market, the leverage-powered engine of growth went into reverse. For primary originators (or the resold obligation owners), asset values sank below loan values. Moreover, a major goal of “packaging and aggregation” had been to create pools of lower or more diversified risk. However, this was built on the premise that the underlying assets were not correlated, which, of course, was not the case given that many of the bets were based on one super bet: the prospects of the U.S. housing market.

What we are now observing is an almost Darwinian process of selection, in which the strong or fast vanquish the weak or slow. As the pressure for growth became greater and greater over the past few years, almost all banks became more focused on returns, in absolute or relative terms, and less on risk. However, not all banks began with equal capabilities in terms of managing risk—particularly in terms of level of funding and human resources. As a result, we have seen the near-death of weaker business models—namely, the stand-alone integrated investment bank. We have also seen and will continue to see distress among banks whose appetite for growth and risk exceeded their ability to handle it. Losses at other players—medium-size insurance companies, for instance—may yet surface.

Risk Governance Failures

The enormous losses we have seen have resulted in many top management casualties. However, while chief executives and investment banking directors are falling on their swords, postmortem evaluations and industry commentators are pointing fingers at a bewildering variety of underlying external causes. These include moral hazards arising from public ownership and compensation structures; a “herd” mentality across the industry; rating agencies’ compensation schemes and models; opaque reporting and illusory off-balance-sheet transfers; and inadequate market pricing infrastructure for some products. Surely, all these factors were at work. However, in many respects, losses stemmed from a failure of one of the core functions of banks: risk management. By this, we do not mean simply the risk management function. Rather, we are speaking of risk management in a holistic sense.

Banks have invested heavily in risk management tools and processes over the years, conducting a number of large and complex projects. Although such initiatives made banks compliant with regulations, often they failed to address more fundamental issues. For instance, few banks have focused sufficiently on addressing the root causes of poor data integrity and quality, resulting in systems that have proved ineffective at producing timely, relevant, decision-oriented information. When this information is available, too few managers have the experience, authority, and oversight to make actionable decisions. In addition, overreliance on complex models that were understood by too few people within the bank (let alone the regulators) created a false sense of comfort.

However, the more serious gaps within companies are related not to technology and models but to the role of individual people and general decision-making processes. Good tools and processes provide the basis for a solid risk management framework, but the human aspects of decision making must not be underestimated. For a number of institutions, the strong drive for profit in the seemingly benign pre-crisis environment led to veiled but intense pressures on risk departments to approve increasingly risky transactions. In turn, these assaults on the institutional risk culture have weakened the stature and prominence of the risk discipline.

Banks that want to see their way successfully out of the downturn will need to address this issue. The key to strong risk management in complex, turbulent markets is a renewed focus on the basic concept of effective lines of defense, working in conjunction with a pervasive risk culture. The three major lines of defense are top management and the front office, the risk management function, and audit (see Exhibit 1).

Exhibit 1
Best Practices in Risk Management Governance

1st Line of Defense: Top Management and Front Office
Best Practice
• Promote a strong risk culture and sustainable risk-return thinking
• Portfolio optimization on the macro and micro level
• Promote a strong culture of adhering to limits and managing risk exposure
• Ongoing monitoring of positions and inherent risks

2nd Line of Defense: Risk Management Function
Best Practice
• Combination of watchdog and trusted advisor; police limits with “teeth”
• Understand how the business makes money—and actively challenge initiatives if appropriate
• Top talent with business experience engaging with front office as equals
• Risk management separate from risk control
• Overarching “risk oversight unit” across all risk types
• Intraday availability for data and positions; comprehensive report at T+1 6 a.m.

3rd Line of Defense: Audit
Best Practice
• Good understanding of capital markets, the business type, and risk management
• Top talent within audit—to challenge the front office and risk management function
• Independent oversight function—with enforcement ability (e.g., immediate fulfilment of findings)
• Ability to link business and risk with process and IT

Source: Booz & Company

Enabling a Strong Risk Culture

The risk culture of an organization stems from its leadership. If the board is to understand, define, and actively manage its organization’s risk appetite, it needs a core of executive directors with solid business and risk expertise. The board must be able to appreciate the risks being run. In practice, this means board members must not only be informed but also understand the risk–return drivers inherent in major product innovations and concentrations. Additionally, they must understand and accept the consequences of major implementation decisions. Most boards of investment banks did not, for example, discuss the consequences of the huge increase in absolute leverage or the unintended consequences of some bankers’ almost unlimited earning power. Actively shaping and agreeing to a risk profile is the first step in building a culture in which risk management is seen as an enabler of the front office rather than an obstacle to be circumvented.

The second step in building an appropriate risk culture is to encourage constant communication. A company’s culture should make it easy to get the right people engaged on potential risk issues, as well as hold individuals accountable for their own decisions and actions. Where clear accountability exists, no one can assume that risk is not their responsibility; risk issues are everyone’s concern. Modern investment banking products involve multiple asset classes with reinforcing risks; at a portfolio level, dangerous correlations can exist not only between a firm’s positions but also between the firm’s positions and counterparties’ positions. No individual—whether a specialist in a certain asset class, product, or function—can be solely responsible for identifying and mitigating against all possible causes of unacceptable losses. Steps to improve communication can be as simple as requiring risk managers to sit on the trading floor, and encouraging, rather than silencing, a variety of opinions on portfolios.

The third step in strengthening risk culture is to raise the profile of the risk teams, particularly in the front office areas, and to increase the extent to which risk professionals are represented on executive committees and boards of directors. While the risk management function has grown in size over time, it is typically short on top talent. How many former traders actually work on risk teams? How many risk managers combine both strong quantitative skills and a deep understanding of the business? How many board members have worked on a trading floor? Establishing the credibility of the risk function through a deep knowledge of the business and its ever-evolving product requirements would go a long way toward entrenching a culture in which risk professionals are perceived to be on equal footing with the front office, rather than merely support professionals. Risk management must be pervasive to the culture, not the responsibility of the risk function alone.

Back to Basics: The Three Lines of Defense

Top Management and the Front Office: Football (or soccer) coaches sometimes say that for the goalie to miss a save, 10 other players must have missed it before him. Fixed-income traders and desk heads at some banks obviously missed some goal-line saves. They also took unnecessary risks, as if they were shortsightedly playing to win a single game and build their individual reputations rather than looking toward winning the tournament as a team (that is, ensuring the long-term success of their firm).

Various entities—rating agencies, in particular—could be and have been made scapegoats in the wake of the credit crisis. Investors thought they could rely on the agencies to provide reliable ratings information. However, greater scrutiny by top management on the part of both buyers and sellers would have played a large role in preventing some of the problems. For example, one product that has received public scrutiny was the GSAMP Trust 2006-S3, a Goldman Sachs second-mortgage securitization in which the average loan-to-value of these second properties was 99.29 percent, where 58 percent of the loans were no- or low-documentation, and where GSAMP could not effectively foreclose.[1] Of this issue, 93 percent was rated as investment grade. No sophisticated model is necessary to raise questions about the logic of selling or buying such an instrument.

There are three characteristics of a healthy first line of defense: sustainable risk–return thinking; usable, up-to-date risk-related information; and respect for limits and other basic controls.

Sustainable risk–return thinking is a corollary of a communicative risk culture. Discussions about new products, existing and new positions, and other issues must be broad and not limited to meeting quarterly targets or other short-term goals. Both the front office and top management must have reliable and consistent information with respect to the positions and the risks they are taking. Finally, limits and other basic controls must be respected. For example, limit setting and limit monitoring must be done by mechanisms with teeth, traders must be forced to take holidays, and segregation of duties should be clear and enforced.

The Risk Management Function: Alongside a farsighted and responsible front office, banks need an effective, respected risk management function. Risk managers need to go beyond the traditional role of “limit cop”: Not only do they need to understand and challenge the front office; they also need to develop a deep understanding of concentrations, correlations, and early warnings. Finance must develop a more critical understanding of the underlying risk-return drivers of profitability.

If the secret of best-in-class risk management lies in the risk culture of an institution, that culture is enabled by the capabilities of the risk managers. For risk managers to engage with the front office on equal footing, and for the front office to respect the disciplines imposed by risk, high-caliber risk managers are required. Not only do these managers need to have a clear understanding of the business and the risks being taken on, they also need to keep pace with a rapidly evolving and increasingly complex array of products.

However, highly skilled risk managers are not enough on their own. A supporting organizational structure, infrastructure, and internal processes are also required. Risk managers need timely, accurate data, as well as the authority to enforce actions and impose rapid sanctioning mechanisms when appropriate. Roles and responsibilities must be clearly allocated.

Traditional risk-type separation will not suffice when it comes to products that cross the divide, such as structured products, or in assessing correlations or concentrations that involve multiple risk classes. We are observing the formation of more “traded risk” teams that deal both with market risk and with the counterparty and issuer risks arising from traded products. To get a wider view across risk types, portfolio oversight and strategic risk management units perform stress tests and concentration analysis on the macro level, with the authority to force change where necessary.

However, sophisticated risk analysis must be underpinned by reliable marking to market of illiquid assets. Despite the noise in the system about the deleterious impact of marking to market, a lack of this discipline would impair the functioning of those markets that have largely been spared by the credit crisis to date. The role of the finance organization independently validating “marks” is also of critical importance.

This is an important final point: The effectiveness of the second line of defense requires that the control functions—finance, risk, compliance—work hand in hand. For instance, all too often, finance has critically challenged negative swings in performance while paying less attention to the causes of peaks in performance. A focus on decomposing the drivers of profit, good or bad, needs to be the mentality prevailing in the future.

[1] Washington Post, Tuesday, October 16, 2007, “An Unsavory Slice of Subprime.”

Audit: The third line of defense—audit—has arguably failed in its role of providing independent and objective assurance of the effectiveness of the first two lines of defense.

For the third line of defense to act as an effective steward of the policies and procedures approved by the board, it needs to have not only a good understanding of the business—how the front office makes money—but also a deep understanding of risk management discipline. In best-in-class organizations, audit and finance teams have the ability to blend their strong process and IT know-how with their understanding of the business and risk. For example, audit teams should investigate and validate mark-to-market positions, ensuring the integrity of information as it passes from one system to the next.

Moreover, the third line of defense must develop a strong critical approach to each functional discipline, performing more than just a “checking the checkers” role. It is not inconceivable, for example, that after reviewing the securitization process, the internal audit team could identify and bring to the board’s attention potential flaws, such as overreliance on rating agencies. All too often, auditors document processes as a box-ticking exercise to ensure compliance, with limited critical review of potential weaknesses.

Finally, the third line of defense must be empowered to enforce its findings. Audit items often remain open quarter after quarter, with no consequences for the executive who fails to act. A more disciplined approach is required, with senior leaders taking a leading role.

Conclusion

Short-term memory is a persistent problem in financial markets. After the failure of Barings PLC in 1995 and the bailout of Long-Term Capital Management hedge fund in 1998, leading industry experts and regulatory bodies a series of recommendations to prevent similar losses in the future. In retrospect, a great deal of progress has subsequently been made along the scientific and technical aspects of risk management. But at a more fundamental level—in terms of good governance, strong lines of defense, and a healthy risk culture—much remains to be done.

Bank managers should act to establish a strong risk management culture now, while the front office has been humbled and there is strong consensus in the organization. As John F. Kennedy said, “In the Chinese language, the word ‘crisis’ is composed of two characters—one representing danger, and one representing opportunity.”


The most recent list of our office addresses and telephone numbers can be found on our Web site,

10/08 Printed in Germany
©2008 Booz & Company Inc.