Andrew Gray, DTCC Managing Director, Group Chief Risk Officer, discusses the changes in the regulatory landscape since the global financial crisis, the biggest sources of systemic risks in the industry today and how financial institutions can mitigate these risks.
The Changing Risk Profile
A Q&A with Andrew Gray, Managing Director, Group Chief Risk Officer at DTCC
Q: What do you think are the biggest sources of systemic risk today?
A: At DTCC, we monitor roughly 20 potential systemic risks. Concerns around cybersecurity have consistently been identified as the number one risk in DTCC’s Systemic Risk Barometer surveys, conducted annually. This is not hard to understand. Over the years, we have seen cyberattacks become ever more frequent and sophisticated, to the point where they can be used as a weapon by nation states targeting critical infrastructure components. Other top risks include geopolitical tensions and uncertainty around trade agreements – specifically with respect to the UK’s trade relations with Europe post-Brexit, but also on a more global scale. The risks around emerging fintech are also beginning to grow.
Q: How can the industry safeguard against these risks?
A: Most importantly, the risk management function has expanded its remit in recent years to cover areas as diverse as operational, systemic, technology, information security, data management, vendor, geopolitical and physical security risks. In addition, financial firms are taking a more holistic approach to risk management, which includes leveraging the knowledge and expertise of cross-disciplinary experts. This is more important than ever given the wide variety of threats facing the industry, the evolving nature of risk and the fact that risks are increasingly interdependent. In addition, industry-wide simulation exercises are a crucial component of a truly comprehensive risk management discipline.
Q: Are financial institutions doing enough to mitigate these risks? And will regulations prevent another crisis from happening?
A: Financial institutions around the world have made significant investments since the crisis to enhance their risk management practices, both in terms of staffing as well as by developing better and more sophisticated risk management systems. It is also encouraging to see more collective initiatives emerging. From industry-wide simulation exercises designed to better prepare for business continuity events to a host of public-private partnerships to guard against threats, particularly in the cybersecurity area, firms are working together to better prepare and respond to these risks. Regulations like Basel and Dodd-Frank have helped enhance resilience within the financial services industry, which is a crucial part of protecting against the impact of shocks. That said, regulations tend to focus on preventing a crisis that materialized in the past from reoccurring. It’s likely that the next crisis will be entirely different, which is why it’s so important that we remain vigilant and have a forward-looking lens when preparing for future risks.
Q: What significant pieces of regulation have been implemented since the financial crisis?
A: Regulatory requirements have increased significantly over the past ten years. In addition to Dodd-Frank, Basel, liquidity-enhancing measures such as the Liquidity Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR), and a host of other regulations that primarily sought to strengthen banks and other financial institutions, supervisors have also raised the bar for financial infrastructures in recognition of their systemic importance. In 2012, the Principles for Financial Market Infrastructures (PFMI) were introduced to harmonize and, where appropriate, strengthen three previously issued sets of international standards for systemically important payment systems, securities settlement systems and central counterparties (CCPs). Rules set by national regulators are consistent with these principles, which have been supplemented since 2012 by a series of related documents that provide further guidance. These standard-setting initiatives have been a key driver of significant enhancements by CCPs around the globe in areas including cybersecurity, recovery and resolution, stress testing, loss allocation models, capital structure and governance.
Q: What lessons would you take from the Lehman crisis in order to prepare for the next crisis?
A: One of the most profound lessons that came out of the Lehman insolvency and the crisis that followed is how interconnected risks are in today’s world and how these interdependencies can have a systemwide impact on a truly global scale. Back in 2008, very few people had any idea of how a crisis that started with US-based mortgages could spread outside of the US and affect financial institutions worldwide, and the notion that what started as a financial crisis could spill over into the real economy and ultimately cause a global recession was even harder to grasp. The systemic nature of this crisis is what made risk management practitioners think more holistically about threats and look more closely at interdependencies. At DTCC, we established a Systemic Risk Office shortly after the Lehman insolvency to complement our existing risk discipline by adding a specific focus on interconnectedness risk, as well as internal and external sources of systemic risk.
This article first appeared in Global Investor/FOW