NEW YORK (Thomson Reuters Regulatory Intelligence) - Goldman Sachs' recent decision (here) to give its risk managers greater organizational autonomy is part of an industry-wide trend to make risk management a separate function, reporting directly to the chief executive.

In that sense, Goldman is somewhat behind the curve. Many of its competitors have already made that change. But other aspects of Goldman’s decision, particularly the elevation of a senior technology executive to join the risk group, point to a new reality: risk is no longer just about financial risk.

For many global financial institutions the risk management function has expanded its footprint into much bigger arena. Whether it is cyber-security, operational risk, or conduct risk – as well as evolving political risk – the task of protecting a financial organization has become all-consuming.

"Arguably non-financial risk is an even greater threat than other forms of more traditional risk. . . It is other kinds of risk, including cyber and conduct that are rearing their head and creating challenges for these organizations," said a former Federal Reserve official, who is now an adviser to banks.

ADVERTISEMENT

Roy Smith, professor of finance at New York University’s Stern School of Business, and a former partner at Goldman Sachs, notes the new environment may require greater independence for those guarding large institutions. "Maybe we need to make these guys a little bit more independent, particularly if they are challenging more than market risk," says Smith.

RISK MANAGERS AND OPERATIONAL STAFF

Goldman has long had a structure whereby its risk managers, or controllers as they are referred to internally, were on equal footing with the operational or business functions. As Gerald Corrigan, a senior executive with the firm who retired last year, told Regulatory Intelligence in 2013 (here), a key element of Goldman’s approach to risk management is the role of the “federation,” or the part of the firm that includes controllers, credit risk, market risk, and other individuals who monitor the trading side of the business.

When a dispute arises over the pricing of a particular trade, for example, the control groups have the final word.

"Without exception at the end of the day it’s the controller that wins -- without exception. That is so well ingrained in the values and culture, that when there is a friendly dispute, there is no second guessing about it. That’s the way it is," he said at the time.

Smith of NYU says that arrangement was unique among Wall Street firms and allowed Goldman to avoid many pitfalls that befell other banks over time. This was particularly true in the run up to the 2008 financial crisis.

"In 2006 the so-called risk managers came to (chief executive) Lloyd (Blankfein) and said we have too much exposure to the real estate sector …and we need to reduce our positions," says Smith. "Lloyd said sounds good but they had a huge amount of pushback from senior trading people who had large positions. In the end it was because he and Gary (Cohn) were traders themselves that they were able to stand up and say we’re not going to do this."

ADVERTISEMENT

Gary Cohn, who until recently was president of Goldman Sachs, started his career as an options dealer on the New York Mercantile Exchange. When he joined Goldman he quickly rose through the ranks of the trading side of the business, eventually running the Fixed Income, Currencies and Commodities division. He is now director of the National Economic Council in the Trump administration.

TECHNOLOGY AND RISK MANAGEMENT: THE NEW TERRAIN

According to a Reuters description of the Goldman reorganization, Phil Venables, the bank's chief information risk officer, will move into the new risk division in a role that includes handling operational risk. He previously sat within the technology division. Experts say it is the elevation of a top technology person to a senior risk function that speaks volumes of the new challenges facing Goldman and others.

"They have taken Venables, who is a very talented technology person, and moved him into the risk organization," said a senior partner at a New York law firm who requested anonymity. "This suggests they are taking cyber and operational risk very seriously. . . it’s also an emerging trend to have technology people in the second line of difference of the organization."

According to his LinkedIn profile, Venables has expertise in information security, IT and network security, cryptography, information risk management, business continuity planning, crisis management, and enterprise risk management, all skills that traditionally would fall outside the scope of risk management professionals.

CONDUCT RISK MAY BE ANOTHER FOCUS

Some say the new risk management challenges are not necessarily all about cyber and other forms of operational risk. With global banks having paid $321 billion in fines for a long string of regulatory failings since 2008, the impact such costs have had on the bottom line has prompted greater scrutiny of the problems that lie behind many penalties. Invariably, these focus around conduct, behavior and other forms of ethical failure.

"As conduct-based regulations evolve, fines and penalties, along with related legal and litigation expenses, will remain a cost of doing business," analysts led by Gerold Grasshoff of the Boston Consulting Group wrote in a recent study of global risk management. "Managing those costs will continue to be a major task for banks."

Some large banks have already put greater responsibility in the hands of front-office business heads for conduct risk and surveillance of their trading staff. At JPMorgan, for example, a conscious effort has been made to make business heads more involved in monitoring and training.

"Historically, the big focus around surveillance was second-line surveillance. But clearly, front office, first line, monitoring, supervision, surveillance; using front-office supervision tools independently of the second-line checks are really important," Sally Dewar, the bank’s international head of regulatory affairs, told a London conference last month (here).

Whether managing conduct risk, or perhaps playing a greater role in challenging certain forms of behavior, becomes part of Goldman’s newly-independent risk management group is unclear. But Smith of NYU reckons that it in order to effect change and manage such risks, business heads and those around them who act as guardians of the firm have to play a larger role.

"The truth is unless you have senior people acting as on the field referees to decide what should and shouldn’t be done. . .then I think you will be driven back in trying to get your hands around these problems," Smith said. "It’s a tough, tough thing to do."

"These issues are deep and broad," he added. "Risk management goes everywhere and consequences of failure could be terminal."

(Henry Engler is a North American Regulatory Intelligence Editor for Thomson Reuters Regulatory Intelligence. He is a former financial industry compliance consultant and executive, and earlier served as a financial journalist with Reuters. Email Henry at henry.engler@thomsonreuters.com)

(This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Mar. 13. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters)