September 2021

Credit Suisse published its report outlining the findings from its investigation into the $5.5 billion loss caused by the default of Archegos Capital Management, providing important insight into what happened, how and why. In this article, we identify the key themes in the report as they apply to the management of risk in financial services firms. We cover culture, the three lines of defence, accountability and how the voice of risk was weakened (again).

What went wrong?

Risks were ignored or rationalised

Credit Suisse’s report raises several questions regarding the way risks were managed. How could the bank possibly allow itself to:

  • grow its Archegos exposure from a position of breaching its “potential exposure” limit by ten times the value of the limit ($20 million) in April 2020;
  • continue to be on the list of counterparty credit exposures in breach of its potential exposure limit and net scenario limits reported to credit risk control regularly from 2020 to default in March 2021; and
  • eventually accumulate gross notional exposure of $21 billion (compared with the business’ next largest client exposure of $1.5 billion) and a net long biased position of $7.3 billion (compared with the business’ next largest client net long position of $1.5 billion) which was grossly under-margined at the time of default in March 2021?

The report found that the failure was not due to flaws in risk management frameworks, risk reporting or systems. Rather, it calls out culture, blind spots, and shadow sides of deliberate decisions that weakened the management of risk and actually enabled excessive risk-taking.

The report finds that there was no effective action taken by the business when confronted with multiple concerns about the size of the exposure and how it was being managed. Many senior people within the business and the Risk function failed to heed the many signs.

A failure purely of financial risk management?

These losses were avoidable and, though they may be credit-specific, non-financial drivers played a key role in paralysing effective risk management. Themes highlighted in the report included:

  • competency and resourcing of risk personnel in leadership positions – risk personnel in the business and the Risk function were junior, lacking experience and expertise to “push back” against the demands of the business or client;
  • senior managers in the business abrogating accountability for risk management to their Line 1 / “in-business” risk function (an unintended consequence of the three lines of defence model);
  • serious risks were identified and systematically ignored by the business and Risk function – lack of proactive risk management when confronted with identified risk concerns;
  • lack of responsiveness and reflexivity to learn lessons from previous failures (where losses were much smaller);
  • an imbalance of constructive professional tension between the Risk function and the business (the ‘voice of risk’); and
  • poor risk and reward decision-making, where the cost of risk was poorly understood and measured (i.e. understated) and the return was insufficient to reflect the risks taken.

“Nor is it one where the architecture of risk controls and processes was lacking or the existing risk systems failed to operate sufficiently to identify critical risks and related concerns. The Archegos risks were identified and were conspicuous.”

“The business was focused on maximizing short-term profits and failed to rein in and, indeed, enabled Archegos’s voracious risk-taking. There were numerous warning signals—including large, persistent limit breaches—indicating that Archegos’s concentrated, volatile, and severely under-margined swap positions posed potentially catastrophic risk to CS. Yet the business, from the in-business risk managers to the Global Head of Equities, as well as the risk function, failed to heed these signs, despite evidence that some individuals did raise concerns appropriately.”

Culture

Culture is a fundamental area that still requires greater focus, especially if businesses want to be successful in delivering for their customers and other stakeholders. Boards should be taking proactive steps to require further uplifts in capabilities to assess and address cultural characteristics that do not support the effective management of risks. Regulators continue to look for evidenced understanding of root cause, including cultural factors, in issues and incidents.

Your bank may have different ‘symptoms’ – but how sure are you (and with what evidence) that you know the real issues and drivers of how risk is managed? ‘That’s not us’ or ‘that wouldn’t happen here’ are often tells that suggest surface-level views on culture, rather than deeper understanding and analysis.

The report identified that Credit Suisse lacked a strong risk culture and failed to invest in risk management. The review panel focused on a lack of experienced risk personnel, and non-prioritisation of investment in technology to assist in more effectively managing risks by the business and risk functions. Whilst important, other cultural characteristics are evident in the report. These included:

  • a “lackadaisical attitude toward risk and risk discipline”;
  • a lack of accountability for managing risks by the business owners;
  • senior risk executives did not support their more junior staff’s efforts to adequately manage risk in an urgent manner; and
  • a “cultural unwillingness to engage in challenging discussions or to escalate matters posing grave economic and reputational risks”.

“… the business continually advocated for an accommodative approach to risk, refusing to take forceful steps and generally suggesting half measures that failed to address the substantial risks.”

The report also noted that the Line 1 risk function lacked the:

“know how or gravitas to manage pressure from the business or its clients”.

Whilst not included in the observations, it is pertinent that the last recommended remedial measure asserts that the bank has acted:

“…to enhance the stature, authority, and independence of the Risk function and to prevent the business from undermining Risk decisions by, among other things, requiring that any business effort to “appeal” a Risk decision to a more senior Risk manager be escalated and reported to the Board Risk Committee Chair.”

Considering this action, it appears that the voice of risk was allowed to be undermined. This remedial measure is extreme but also appears necessary to rebalance the appropriate tension and restore the stature of Risk across the group.

Three lines of defence and accountability

Despite the regulatory attention and emphasis regarding accountability, risk management frameworks and the importance of the three lines of defence, financial institutions continue to struggle with implementation of these frameworks. Key weaknesses identified in the report included:

  • the traders (business owners) effectively abrogated risk management responsibilities for managing counterparty and portfolio-level credit risks to the Line 1 “in-business” risk function.
  • Line 1 risk lacked sufficient risk capability and as a result, roles and responsibilities of the Line 1 risk function were unclear or not fully appreciated.
  • no one was held accountable for not staying within the bank’s stated risk appetite and exposure limits. The report highlighted that breaches similar to the ones that were allowed to persist for Archegos should have been “punished severely”.
  • lack of collective accountability and willingness of representatives on the IB Counterparty Oversight Committee to challenge the exposures under the responsibility of other committee members. The report noted:

“Yet, in practice, these senior leaders operated in silos, deferring to the business and Risk personnel who covered the particular counterparty under review at CPOC, and failing to challenge and, if necessary, escalate matters to the executive management or the Board.”

 …should develop a corporate culture where all employees at all levels view themselves as risk managers….

How was the stature and voice of the Risk function undermined?

A number of characteristics appear to have adversely impacted the effectiveness of the Risk function. These include:

  • tone from the top – appointment of Risk leaders with no prior risk management experience with an agenda to create “a more commercial” Risk function;
  • “juniorisation” of the first and second line risk functions – greater responsibility on fewer, less experienced staff under “doing more with less”;
  • senior risk leaders ignoring and/or overruling serious concerns of junior risk staff – creating a behavioural norm where risk staff concerns were undermined or trivialised;
  • continued tolerance of poor risk management behaviours – where the business was not held accountable for breaches of limits nor were timelines imposed for rectification; and
  • acceptance of weak arguments used to justify excessive risk-taking and persistent limit breaches.

How is Credit Suisse remediating the lack of culture of responsibility, accountability and controls?

Culture of Accountability – the bank reported that it has taken action against 23 individuals who failed to discharge their responsibilities. These actions included terminating the employment of nine individuals and monetary penalties totaling $70 million including cancellation of deferred compensation and clawback of amounts previously paid.

Culture of Responsibility – Credit Suisse will be developing a corporate culture where everyone “is responsible for identifying, acting on and escalating risks, and are held strictly accountable for the failure to discharge their risk management duties”.

Culture of respect for risk controls – the report recommends that Credit Suisse should assess its existing control framework to ensure that each employee’s risk management duties are clearly articulated and emphasized. Credit Suisse should review relevant policies and procedures and improve training.

Enhancing the stature of the Risk function – as noted previously, the bank has taken additional steps to enhance the independent “voice” of the Risk function. Some of the measures highlighted in the report included:

  • hiring of senior experienced risk managers and leaders (including experienced Risk leaders previously let go by management);
  • recognising the efforts of those risk employees who took proactive steps to escalate Archegos risk to more senior members of the business and Risk function; and
  • implementing a new formal mechanism whereby any effort to “appeal” a Risk decision to a more senior Risk manager must be escalated and reported to the Chair of the Board Risk Committee.

This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Rhizome Advisory Group Pty Ltd shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).