Home > Risk > Do not fire the risk manager!

Do not fire the risk manager!

I recently read an interesting piece in finnews.com by Andrew Isbester. While he is currently the editor-at-large of Finews, he has about six years’ experience as a risk manager with Coutts and HSBC.

The underlying story is amazing; as Bloomberg tells us, Bill Hwang Had $20 Billion, Then Lost It All in Two Days:

Before he lost it all—all $20 billion—Bill Hwang was the greatest trader you’d never heard of.

Starting in 2013, he parlayed more than $200 million left over from his shuttered hedge fund into a mind-boggling fortune by betting on stocks. Had he folded his hand in early March and cashed in, Hwang, 57, would have stood out among the world’s billionaires. There are richer men and women, of course, but their money is mostly tied up in businesses, real estate, complex investments, sports teams, and artwork. Hwang’s $20 billion net worth was almost as liquid as a government stimulus check. And then, in two short days, it was gone.

The sudden implosion of Hwang’s Archegos Capital Management in late March is one of the most spectacular failures in modern financial history: No individual has lost so much money so quickly. At its peak, Hwang’s wealth briefly eclipsed $30 billion. It’s also a peculiar one. Unlike the Wall Street stars and Nobel laureates who ran Long-Term Capital Management, which famously blew up in 1998, Hwang was largely unknown outside a small circle: fellow churchgoers and former hedge fund colleagues, as well as a handful of bankers.

He became the biggest of whales—financial slang for someone with a dominant presence in the market—without ever breaking the surface. By design or by accident, Archegos never showed up in the regulatory filings that disclose major shareholders of public stocks. Hwang used swaps, a type of derivative that gives an investor exposure to the gains or losses in an underlying asset without owning it directly. This concealed both his identity and the size of his positions. Even the firms that financed his investments couldn’t see the big picture.

That’s why on Friday, March 26, when investors around the world learned that a company called Archegos had defaulted on loans used to build a staggering $100 billion portfolio, the first question was, “Who on earth is Bill Hwang?” Because he was using borrowed money and levering up his bets fivefold, Hwang’s collapse left a trail of destruction. Banks dumped his holdings, savaging stock prices. Credit Suisse Group AG, one of Hwang’s lenders, lost $4.7 billion; several top executives, including the head of investment banking, have been forced out. Nomura Holdings Inc. faces a loss of about $2 billion.

The Bloomberg article is an excellent read. Hwang’s operation apparently did nothing illegal. He just made huge, highly leveraged bets on stocks that went south.


Andrew’s latest article has a challenging title: What if Credit Suisse’s Problem Isn’t Risk Management?

But first, read his earlier post, Credit Suisse’s Massive Conflict of Interest. Here are some excerpts:

I am going to go out on a limb here – Credit Suisse’s mess for this week, Archegos Capital Management, does not look much like a failure in risk management at all. At least on the surface.

Although the losses are likely to be borne by the investment bank, I cannot imagine for a minute that its wealth management business did not have some form of individual banking relationship with Bill Hwang. And if it did not, you can be pretty certain that private bankers from that area of the bank were constantly trying to ingratiate themselves to him, his relatives, and others at Archegos – given it was essentially a family office.

You can have the tightest risk management governance and best control systems in the world, but that will not change the massive conflicts of interest inherent when you bank billionaires while performing complex capital market transactions for them.

Look at Credit Suisse’s risk management disclosure in its 2020 annual report. It has all the usual stuff that all the other large international banks have about three lines of defense, oversight and culture, including a neat organizational chart showing the main management bodies and committees.

There is nothing here that separates them from any other bank at first glance. There is one committee that does sound rather unique, however, and that is the Position and Client Risk (PCR) committee, which sits under the Capital Allocation and Risk Management Committee, or CARMC.

And say that the matter of Archegos was discussed at that committee, or another one of the risk committees, over the past few months. Can you imagine what it would be like for your average risk management specialist to be in attendance?

So there sits this rather hapless person, no matter how senior he or she is. Probably fully cognizant of the risks being taken and well-briefed but hesitant to say anything because, typically, under the three lines they are the second. That means they do not own the risk but are just responsible for policies and frameworks. I cannot tell you how many times I have heard risk management people say in the last decade or so that they do not own the risk – the business does. It gets really tiring for everyone, even the people saying it.

So, the meeting starts. You have one person facing up against the business, never more than one, as you want to emphasize how tightly your area manages costs. You always sit opposite more than one banker, at best three, ranging from senior to junior, probably one from the investment bank and another from wealth management or maybe a special function that combines both.

On their side, in their corner, invariably, is senior management, either as a chair or a member of the committee. And if the client is a billionaire, they are likely to have met him or her quite a few times before as well, probably over lunch or drinks. If they have, they usually let some comment slip about that.

Anything a risk management person says is effortlessly batted back by business and management. If you are on a tough committee, they usually do their utmost to make you feel foolish for even being there. And if the quorum is a simple majority, you are guaranteed to be outvoted anyway.

The only thing you can do is make sure that some well-formed comment or question is captured in the minutes accurately afterward, to make sure you can at least talk to the regulator with a shred of dignity at some point down the line.

Now, this is a management risk committee and not a committee of the board. I can certainly understand management ‘outvoting’ the CRO because they are focused on the opportunity and the CRO is seen as someone with a different agenda.

Andrew picks up the argument in his latest post. Here are more excerpts (with important sections highlighted):

After going out on a limb for risk management in the Archegos debacle last week, I am going to split hairs. I know it beggars belief and conventional wisdom, but I do not think the main problem is risk management.

Risk managers can set limits for counterparty credit exposure, the framework, approve the exposures, even comfort the trades, and send out the margin calls. Ultimately though it is up to the business to figure out what to do as they own the risk, and should bear the brunt of the responsibility.

Why was Credit Suisse slower than Goldman Sachs, Morgan Stanley, and Nomura in getting rid of the positions and exposures? That could not have been due to the risk managers as they are not usually shouting prices into phones or sitting on the backs of traders helping them to slam down the return key to execute trades.

Credit Suisse’s risk and compliance framework looks pretty much like all the other banks out there: three lines, the section on culture and governance, and even a position and client risk (PCR) committee that seems made for these situations. The Swiss bank has a framework that defines risk capacity, appetite, and profile, as everyone else does and which is usually agreed with the local regulator.

So why didn’t it protect Credit Suisse from the Archegos hit, and could it happen again? Most observers leapt to the conclusion that this responsibility should lie with risk management. But I would argue instead, after just throwing the business under the bus, that I might go ahead and throw them under the bus again.

Risk management, whether you are in financial crime, counterparty risk or the plainest vanilla credit risk job, depends on the business for regular, periodic detailed risk assessment of their activities. If these are not completed correctly or fully, boundlessly tiresome though they are, nothing will change because – in defense of that downtrodden and overwrought risk manager – they are not, as far as I know, telepathic.

I do not know what the risk assessment for the prime services or hedge fund business looked like, but I think we can safely assume it did not mention the possibility of a full fire-sale of the client’s positions in distressed markets that were also held by the bank on inventory for irrationally low prices, hours and even days after everyone else had sold. They would be too rational for that.

The main point in Andrew’s pieces is here, when he refers to the firing of the CRO:

Credit Suisse’s management changes seem to mean, at the highest executive level, it is more or less directly blaming the risk chief and the head of its investment bank. A cascade of changes at lower levels, including the head of equities trading, of prime service risk, and of credit risk at the investment bank demonstrates Credit Suisse puts the onus on risk management.

The tally of all the departures announced thus far is six in risk versus two in the business, while management – which owns the risk more than anyone else – only miss out on their bonuses (meaning they get out of this with their hair tousled). Anyone in the client relationship teams simply need to keep their heads down and let it all pass.


Andrew is asserting that the bank was quick to fire the CRO and others on her team, and slow to fire the people who actually took the risk.

There is a great deal of merit to his argument.


First, I should state that neither Andrew (to my knowledge) nor I know what happened at Credit Suisse beyond what has been in the news (as excerpted above).


From what I can tell, the CRO was a high-flyer and the only reported connection is that she approved at least one sizeable loan to Hwang.

But that would have been in response to a request for her approval from operating management – the people taking the risk; the people closest to Hwang; the people who would have had a far better understanding of the level of risk.


I would agree with firing or at least disciplining the risk officers if:

  • They failed to perform or enable (using appropriate methods and tools) a reasonable assessment of the level of risk based on the available information when required by company policy. They should be trained if they didn’t recognize that the level of risk is a range, not a point.
  • They failed to properly inform the appropriate levels of operating management of the level of risk, especially if it was beyond defined acceptable levels.
  • They failed to escalate to more senior management, even the board, after operating management decided to take a risk beyond what was approved.
  • They were responsible for the firm’s inability to move quickly once the positions started going south.

In other words, I would fire or discipline them if a reasonable person would find them responsible for the losses.


But, even if they were inept, the major culprits remain the operating management team that took the risk of funding Hwang and then failed to see how the situation was changing so they could take prompt action.


The question then is whether all or any of this was a ‘failure of risk management’.

There is a huge difference between a failure to perform of the risk management function and a failure of the management of risk by the bank.


Once we know whether and how the CRO and her team failed, we can know the answer to one of those.


When the bank decided to fund Hwang, they knew there was a risk as well as an opportunity.

If everybody involved had done their job, they would have recognized that the level of risk was a range, including the low likelihood that they would lose the entire value of the loan.

The fact that Hwang cratered does not mean that the risk assessment was wrong – unless that possibility was entirely overlooked or was assessed as a far lower likelihood than it truly was.


There was a loss. But was there a failure to reasonably manage the risk? We don’t know.

The fact of a loss does not mean that there was a failure of risk management.

It certainly doesn’t mean that the risk function was at fault – in fact, nobody might have been at fault.

Losses happen when you take risks.


Who failed to perform? We don’t know.

But I would blame operating management before the risk function!

As Andrew says, operating management has better insights into the facts and the possibilities. The CRO relies on the information they share with her.  If that information is incomplete, out-of-date, or otherwise unreliable, blame should first be placed at the feet of management. Only blame the CRO if she should have known.


Should the CRO of Credit Suisse have been fired? Maybe, and maybe not. But I join Andrew in questioning why she and five others on her team were fired and only two fired from management.


Your thoughts?

  1. April 15, 2021 at 3:17 PM

    Fully agree with your analysis, but as stated we do not know what went wrong exactly. From reading other press coverage, it seems likely though that CS (nor any of the other banks) was aware of the cumulative position Archegos held with all its counterparties. Who’s to blame for that? Extremely slow regulation??
    The other matter as I see it is this: who in CS decided on the process to unwind the position? As CS was slower than some other banks, it lost a lot more. Was that Risk or Operations??
    I’m looking forward to reading the book….

  1. April 15, 2021 at 2:24 PM
  2. April 17, 2021 at 12:39 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: