“When the economic tide goes out, you get to see who’s been swimming naked.”

FST. What lessons can the banks learn from the subprime lending crisis and subsequent meltdown in the markets?

KB. The lessons are abundant, but most of them aren’t new. It all boils down to people losing sight of several fundamental principles. Not the least of these is that subprime lending is a risky business. That’s why it’s called ‘subprime’. Subprime lending has been around for ages and has been done successfully in the past. Lenders protected themselves by requiring conservative loan-to-value ratios (LTVs) and low debt-to-income ratios (DTIs). Stated income was carefully verified – lenders knew their borrowers.

This time, however, lenders made subprime loans using subprime underwriting standards, a combustible combination. It’s difficult to imagine what underwriters were thinking when they offered 100 percent LTVs, high DTIs, and no documentation loans to borrowers with histories of bad credit. Unfortunately, strong economic times, like the mid-2000s, tend to mask poor underwriting. Bankers, brokers, underwriters, and investors all need to remember that the financial services industry is a highly cyclical business. When the economic tide goes out, you get to see who’s been swimming naked.

There’s an old saying in the financial services industry: ‘Know your customer’. Many investors in the current crisis were too far removed from the underlying borrower. For example, a borrower would obtain his loan from a broker, who sold it to an underwriter, who pooled the loan with 10,000 others into a securitization that was then sold to investors. Tranches of the securitization were bought by underwriters of collateralized debt obligations (CDOs) who packaged the tranche with tranches from other securitizations and sold them to other investors – I could go one but I won’t.

By the time an investor was holding a CDO tranche, it was highly unlikely he or she had any idea whom the underlying obligors were. Unable to perform due diligence, the investor outsourced his/her due diligence responsibility to a rating agency. It’s fairly obvious now that some rating agencies also suffered from a failure to know the customer.

Too many underwriters and investors assumed the capital markets would always be liquid. While the vast majority of the time this is the case, it is not unprecedented to see them dry up overnight. One should always bear in mind the possibility of a liquidity freeze and contemplate the consequences it may cause.

FST. How have some banks managed to escape relatively unscathed?

KB. Many years ago I was a bank regulator, responsible for handling bank failures on a nationwide basis. I recall a situation in a town in Nebraska where three banks competed in the same market for the same customers. In the throes of the agricultural crisis, two of the banks ultimately failed. The third never got into trouble. This prompted us to launch a study to determine why banks failed; what differentiated the ones that survived from the ones that didn’t? In the end, it ultimately came down to the quality of management. Those who carefully thought through the nuances of the risks they were taking were better prepared when the unexpected happened. I think the same can be said about the current environment.

Financial services companies are in the business of taking risks – they have to in order to make money. However, some are much better at understanding the risks they take. Thus, they’re able to make sure they’re getting properly paid for them. If the company is not getting paid for the risk it takes, it must increase its revenue, decrease its risk, or abandon the position. Unfortunately, all too often management is blinded by what seems to be an enormous profit, only to discover too late that it is accompanied by an even more enormous risk.

In well-run organizations, you’ll see management at the highest levels making a concerted effort to understand the risks the company is taking. They don’t have to be experts, but they certainly set the tone for the company. If the CEO is interested in knowing the risks, others will follow suit. (This, incidentally, makes the job of the chief risk officer much easier). It’s fairly well documented that the CEO of one of the largest financial institutions was deeply involved in understanding what risks his company was taking. This company has largely avoided the pitfalls where others have succumbed.

FST. This whole debacle has certainly been a wake up call for the industry. How will risk management procedures change on the back of this?

KB. As unfortunate as these circumstances are, they do have a silver lining. When things go wrong, companies have a compulsion to invest in risk management. Senior managers will make a more focused effort to understand what they’re getting into and whether or not they’re being adequately paid for it. To achieve that purpose, the company must hire the right people, create the right processes, and implement the right technology.

When times are good, it is sometimes difficult for risk managers to make their voices heard. However, situations such as those we currently find ourselves in often result in CEOs creating an environment that allows risk managers to do their jobs. Companies will view risk management less as a cost and more as an investment, less as a nuisance and more as a business partner.

FST. Would you agree that this has highlighted the need for all financial firms to have a dedicated CRO?

KB. Risk management is a cultural thing: you can have a wonderful organizational structure that is hopelessly ineffective. Conversely, you can have a bizarre structure that is incredibly effective. It all comes down to the people and the commitment. That said, I couldn’t envision running a financial services company without a CRO.

Having a CRO and a supporting risk organization helps to ensure there’s always somebody out there focused on understanding the company’s risks. It’s very important that the CRO have a posture within the company that’s on par with other senior executives such as the head of the business segments or the CFO. This ensures that no one’s voice is too powerful – it keeps everyone in check.

FST. Aside from this, what are the main risk management issues that will keep the industry on its toes for the next few years?

KB. Clearly, there are more chapters of this book to play out yet. It’s difficult to imagine the current crisis ending anytime soon. There is still too much uncertainty in the capital markets about what the underlying assets are, or will be worth; hence, a reluctance for liquidity to return. The economy appears to be on the verge of, if not already in, a pretty tough recession. That will have further repercussions in the already skittish lending markets. It’s hard to be optimistic right now.

Everything else aside, there is always a need to focus on the adequacy of controls around technology. We have recently seen an individual manipulate technology and other operational controls to perpetrate one of the largest individual losses a financial institution has ever taken. No matter how sophisticated we think our technology controls are, there’s always room for improvement.

Technology has opened many wonderful doors for us, but it has also exposed us to some catastrophic events in the process. We must be relentless in our pursuit of ways to protect our technology systems, for the bad guys are always ready to exploit any weaknesses they can find.