The good news: ERM works! An interview with Suzanne Labarge

It's hard, it's never over, and consistency is key. But RBC offers living proof that there's gold not only at the end of the enterprise risk management rainbow, but along the way as well.

On a visit to www.rbc.com, it's refreshing to note a button on the opening page for "Compliments/Complaints," leading the visitor to believe that this bank might take complaints seriously. Sounds like a good reputational risk practice for Canada's largest company. In total, RBC has more than 12 million personal, business, and public-sector clients worldwide, operating from offices in more than 30 countries.

RBC also has 59,549 employees--approximately 19,000 in management-level positions that Vice Chairman and Chief Risk Officer Suzanne Labarge wants on the same page vis-a-vis risk culture. RBC saw the need in 1998 and has been an enterprise risk management pioneer. Two years ago, The RMA Journal interviewed Suzanne about ERM. Pam Martin, RMA's director of Regulatory Relations and Communications, pays another visit now to see how things are progressing--and to welcome her as RMA's 2003-2004 chair.

PM: The consensus among most bankers and their regulators is that better risk management practices have enabled the industry to withstand this downturn better than others. Looking back, do you see things that we did particularly well, and were there things that could have been handled better?

SL: Given the severity of the cycle, the financial services industry as a whole has performed remarkably well. The industry did a good job with the distribution of risk. Through the use of derivatives, loan sales, or other avenues, risk was spread far more broadly than it ever has been in the past. On the other hand, some institutions did have too much concentration in certain names and industries. Two obvious examples are telecom and energy. There's still that tendency to believe that if a loan is good at $2 million it must be better at $20 million. It's difficult to get it through our heads that smaller holds are really the best solution.

We also fell short in this recession by underestimating two factors. First of all, when things went wrong, we thought of loss in the event of default in historical terms. We didn't anticipate that when a whole industry went bad, the assets in that industry would have little or no value. The other factor is that as we became more sophisticated in the distribution of risk, we didn't necessarily recognize that we were transferring credit risk to operational risk. We thought we had mitigated our credit risk by buying protection through various mechanisms, including credit default swaps and insurance policies, only to find that some counterparties preferred to sue rather than pay. Just think of the number of legal cases on court dockets. It will be fascinating to watch, but that's an instance where we all thought we had mitigated credit risk; instead, we transferred it to legal risk.

PM: So although the war is "over," the market has kind of settled down, and the price of oil is not spiking anymore, the legal operating environment is still a huge factor contributing to uncertainty.

SL: Yes, but the market has changed to take these new risks into account. Whereas you used to do a credit derivative of $50 million with a single counterparty, you're now doing five $10 million transactions with five counterparties. Smaller transactions tend to lessen the possibility of legal action, because the cost of initiating such action outweighs the benefits.

Also, our documentation process is much tighter now. As we moved loans to our Special Loans group, we found the documentation was often inadequate and did not reflect the transaction that had been approved by Risk Management. Somehow, during the negotiations on documentation, the account manager gave up some of our legal protection. So while we in Risk Management might have thought we had protection, we didn't, or while we thought we had certain covenants, we may not have. In short, people tend to get sloppy in Rood times.

PM: You've found, then, that you must monitor the documentation as you go through the process to make sure it holds up?

SL: Yes. We now have a process in which and--this is especially true for our complex situations--the risk manager, the account manager, and the lawyer sit down before the final document is signed to find out what we have and what we don't have. Let me tell you--it's been an eye-opener.

PM: Has the Sarbanes-Oxley Act played a part in these changes, or is it just the reaction to seeing protection that didn't hold up?

SL: It's partly a reaction to the protection not holding up, but it's also a reaction to the documentation that was sloppier than we thought it should have been. Sarbanes-Oxley hasn't been a factor in our credit processes.

PM: In an interview with you in the March 2001 Journal, you said the three largest challenges the industry would face in the coming months were credit information management and its reputational risk implications, the continued reach for growth that will outpace the risk management aspect, and regulatory challenges. In the rearview mirror, now, how do you think those challenges were faced, and what are the new challenges?

SL: What I didn't realize was how long this would go on. I think those three challenges continue to be the greatest, and I say that for a couple of reasons. First, we all know that the investment banks have been after the commercial banks for tied selling. Apparently, the regulators are now going to do a study of how we "bundle" products for our corporate clients. As a result, the industry will be under enormous scrutiny during the coming year. Second, there's now a joint market practices draft on exposures from the Bond Market Association, the Association of Credit Portfolio Managers, and the Loan Syndication Trading Association. The goal is to address the Chinese Wall issues of handling material public information.

We really are just scratching the surface on this. There have been articles in the press about banks front-running on credit derivatives, etc. When markets are tight, and that's certainly the current case, everyone starts looking at everyone else's market practices. When you read that bank lending to corporates has declined 14 months in a row, you wonder where you can make up for the aggregate decline of $85 billion. Lenders are into highly structured transactions in an effort to make money.

PM: Do you think there's a concern that the reach for growth is occurring in the retail products sector? Also, given the leveraged nature of consumers, has too much credit been extended to the consumer?

SL: That charge was made in the American Banker in an article that showed how C&I loans had peaked and were falling, but lending to consumers was rising rapidly. So, yes, you're right, but I would say that every bank has turned up the heat under all its business to find sources to replace C&I income. Look at the Wall Street Journal article about the $100 million in proprietary trading gains at Morgan Chase. That's a quick fix! However, in trading, you may make it this month but not make it next month. Then again, if the consumer goes, we're looking at a long-term problem.

PM: You also mentioned that regulatory challenges remain a concern.

SL: Some of this is because there's still a lack of understanding about how the regulators are going to deal with Basel. The costs of Basel are substantial for those who have to implement it, but even those institutions that don't have to implement it will see some kind of impact. In addition, I think the regulators are concerned that as institutions shrink their corporate exposures and grow their consumer businesses, there are opportunities for more unethical practices. There's probably more pressure on regulators now than there ever has been, and that pressure just translates into more strained relationships with the regulators as we go forward.

[ILLUSTRATION OMITTED]

PM: Let's talk about enterprise-wide risk management. You were a very early proponent, and I've heard you speak to this many times since you were appointed CRO in 1998. Would you comment on ongoing efforts throughout the firm?

SL: Royal Bank had a good year last year, but that wasn't a one-year phenomenon; it's because people had started working on ERM about five years ago. In fact, at the last meeting of the board, the directors discussed the time it takes for the impact of changes in risk management to be felt.

Our CEO felt very strongly about an enterprise-wide view of risk. He was afraid we were going into a downturn; he'd taken the bank through the last one, and I remember when I took the job on he said, "Suzanne, you're going to be beside me in the next downturn, and I don't want any of the pain that we had in the last one." So there was my mandate. But he then also made me part of the executive management team, which brought me into discussions about strategy.

Enterprise risk management doesn't work until the risk managers are involved in the strategic operations decisions. And while it's taken a long time, ERM has now moved to a business platform level, and our risk managers are involved in the strategy discus stuns within the businesses themselves. In this way, we're in early. Recently, one of our business partners said, "I just had a conversation with one of my clients who wants to do something," and the risk manager was able to say, "I can't support it because we've got these issues." We've worked together to figure out how we can solve those issues so the business can meet its strategic objectives.

It's a lot of work, with a lot of people, to keep the risk profile of the organization where we said we want it to be. We don't want to become a risk-avoidance organization. We want people to think about risk as they make their decisions and to understand how we manage it.

Creating a strong risk culture requires not only impetus from the top but also continued support from the top. I remember having a discussion with our CEO once when I was just totally frustrated. I knew we had his support, so I finally asked him to be more vocal, because risk management is not supply driven, it's demand driven. If you don't ask for it, you're not going to get it, and nobody's going to believe you want it. Both our CEO and the board have been very supportive of what we've done, and consistently so, for going on five years.

Other banks believe that they're doing the same things, but they may have breakdowns because they're not getting the buy-in from the senior management team. It is easy to talk about, but much harder to implement.

Sometimes there can be confusion between risk management and corporate governance, and this can lead to some people feeling overwhelmed. It just seems like somebody else is adding on to the business line's current overhead and this makes them ask, "Tell me one more time why I am doing something that's going to cost me money and I'm not sure of the exact benefit?" The good news is that everybody liked last year's results. Everybody likes the fact that our share price has held up well over the past several years. I actually was afraid we would lose steam if we didn't have a downturn.

A change in management or pressure for growth can easily push an institution in the wrong direction. We've been fortunate to have the same management during ERM implementation. Consistently is key. Everybody discovered religion last year--two years from now, it'll be interesting to see how many are still true believers. There's client pressure, there's analyst pressure, and there's board pressure for growth. We are trying to get that balance right and trying to get the right risk/return in the various businesses. Being involved early on, as I mentioned earlier, has allowed us to talk a common language. And Risk Management can pull back and say, "Wait a second." What we haven't done is put the risk managers in the business units. Frankly, they're just as happy not to be in the businesses, given the pressure on all staff to generate immediate revenue without regard for the impact in two to three years. When the pressure comes on, it pays to have an independent risk function.

PM: I heard you give a speech almost four years ago in which you said that risk is always institutionally viewed as "the speed bump on the way to someone's bonus." I guess you've changed that perception at RBC.

SL: Originators still view us as a speed bump, but the good thing is that we've changed, if you will, the traffic pattern. It's never going to be perfect. They're going to push the envelope, but we can push back. In fact, the head of Investment Banking and I ask each other, "Are we getting along too well?" Because if we are, one of us isn't doing our job.

Although we've covered a lot of territory to date, ERM is a continuing process, and we have a list of priorities to cover over the next three years. We want to set our credit risk limits through economic capital. We've gone from reducing single-name notional limits to developing methodology for using economic capital to set single-name limits. And we want to improve our models to find better early warnings. We know the current models don't pick up everything. Then, of course, we want to work with our businesses to get the right incentives in place.

We continually work at refining the reports that we give to the board and the consistency with which we do so. All of our processes are geared toward improving the information on risk and the culture of risk in the organization. It's not easy to find the right balance between giving the board the information they will need without moving into the micro side of providing too much. Sarbanes-Oxley and other governance concerns cause me to constantly wonder if I'm answering the right questions. The board shouldn't be involved at the product-approval level, at least not at a bank of our size. But they need to know the kind of things we're doing and why and how we're managing the risk. Also, they need to see trends. I do know that each year the list of information needs gets longer!

PM: RBC is now in the second year of an organization-wide risk-control and self-assessment process.

SL: Yes, but it will take three years to roll out the full process across the organization, because we have close to a thousand operational risk entities. There was a lot of pain to put it in place, and it required working closely with the businesses. We tailored it for our organization, but because we took the time to do that, it's working.

The good news is that the businesses have really bought into it. They are finding it useful not only front a risk management perspective but from an operational perspective as well. They have found opportunities for operational efficiencies and come to the realization that the process has value. We've also used it for controlling major projects, and it has added a new discipline in project management.

We will have to improve how we disseminate the information we gather from these reviews. We are trying to use the operational risk framework to incorporate some of our compliance work so that we can eliminate duplication and provide one mechanism for gathering the information that is required for much of our regulatory assertions. We developed the framework for sound risk management reasons. Now we're trying to use our framework for multiple purposes, and it seems to be working.

PM: RMA recently held a round table on operational risk in New York. The self-assessment process is proving quite useful for Sarbanes-Oxley, and it has managed to get senior management's attention in that way, too.

SL: Absolutely, and since we had our process in place, it's just feeding in, and we're finding that we can cut down a lot of the work around some of the new requirements related to Sarbanes-Oxley. We've also been able to get more efficiency from our internal auditors. They can now (based on the self-assessments) determine the quality of the self-assessment and review the steps being taken by the units to correct any deficiencies.

I think everybody thought they had good operational risk management in place--after all, that's mostly what we've been doing all our lives. Because a bank's product is money, internal controls have always been important. With all the restructuring of banks and processes over the past 10 years, however, gaps developed that no one saw. So Basel has driven us in the right direction. But is using the new Accord for capital purposes the correct answer? I'm not sure, yet. The fact remains that banks have improved as a result of their risk management efforts. The change in the risk culture at RBC over four years has been incredible. Part of that is because the risk control of sell-assessment drives the risk issues down further into the organization and that tends to get everyone on the same page.

PM: RBC is going to expand its presence in the U.S. What can you tell us about that?

SL: We have completed 10 acquisitions since April 2000 and are in the process of increasing our client base by 24%, to approximately 2.4 million clients. So, we already have a strong U.S. presence. We've acquired Centura and several smaller bolt-on acquisitions to Centura. We have a full-service brokerage based in Minneapolis--Dain Rauscher--and subsequent to that, we bought Tucker Anthony, a full brokerage with an East Coast presence.

We have our wealth management platform, but we'd like the equity market to take off again. We have capital markets operations in New York, with a very active trading platform, alternative assets, corporate banking, and the other standard operations of a foreign bank operating in the U.S.

We have an insurance company as well (RBC Liberty), so the only business we don't have in the U.S. is processing and custody. That's a very concentrated market in the U.S., which is one reason we're not involved.

PM: RBC's expanded geographic diversification is a key benefit, and I think the industry is finding that product diversification is a benefit as well. From what I understand, it's difficult to quantify the benefits of diversification. What has RBC developed that would quantify the benefit of diversification--say, for board-reporting purposes?

SL: When we were validating our economic capital model about two years ago, we decided we would capitalize each unit at the 99.93% factor. When we added it up at the top of the bank, however, we realized we were overcapitalized because there was diversification, depending on the strength of each business. We brought in a consultant, Oliver Wyman, to help us quantify it. The benefit now has been quantified based on the nature of each business, and capital has been reduced accordingly at each business unit while maintaining the 99.93% confidence level at the top of the organization.

PM: That's one thing that Basel does not take into account: It's additive on a continuum, and you get benefits for diversification, but you don't get a diversification offset.

SL: Basel has several flaws, including the fact that it doesn't include a lot of things that we allocate capital for right now. For example, we assign capital to business risk and to the market risk in our accrual book. So Basel's flaws include diversification as well as the range of risks it covers. The total number is probably approximately right, but Basel doesn't take a lot of things into account that the rest of us would.

PM: Continuing with the subject of Basel, all the Canadian banks will be required to be advanced-internal-ratings banks, as will the largest banks in the U.S.

SL: We're looking at the cost of going to each of the levels, because we're trying to see if there is a real cost benefit to going from foundation to advanced. If we thought there wasn't a cost benefit, we'd fight back.

Part of our unknown quantum is the burden of regulation that goes with the advanced approach. Some experiences we've had recently have made us a little nervous about what our regulator might do. It may turn out not to be as big an issue as we thought, but we're not spending a lot of money on Basel right now. Rather, we're spending money on those things that we want to implement from a risk management perspective. Thus, while there are a lot of good things we've done that also will help for Basel regulations, we are not driven by savings in capital. The only benefit from some of the investment required for advanced-internal-ratings banks would be capital relief. If there's no capital relief at the end of it, it's not worth spending the money.

So we reviewed the gaps between what we currently do--foundation IRB--and what Basel would require for the advanced approach, and we estimated what it might cost to fill those gaps. We presented that to the Executive Committee of the bank in July so that we could discuss what we wanted to do, particularly in an environment where getting money for capital projects is not exactly easy. There was general support for our recommendations but, as you can well imagine, there is also a reluctance to undertake further major investments until the Accord has been signed and a final implementation date is set. We are particularly concerned about developments in the U.S. and finding ourselves disadvantaged because of different regulatory approaches.

PM: Let's say you've decided you believe the investment is worth what you'll get in terms of capital relief What happens if the analysts push back and say, "No, we think you need that much capital"?

SL: If it requires a 15% reduction in capital to make the cost benefit work, we can't count on that. If we can break even at 3-5% reduction in capital, I don't believe that would move the ratings agency to say we're undercapitalized. So that's a really big issue. We're looking for a number that we think is reasonable and will produce a breakeven on the investment.

PM: Then there's the economy In our 2001 interview, you mentioned that the Canadian economy generally lagged the U.S. economy. Yet Canada never really experienced the downturn the U.S. dealt with.

SL: For some reason, we had a disconnect this time, much to our benefit. We never had a recession, our portfolios have held up extremely well, and Canada's economy is growing faster than the U.S. economy.

If the U.S. economy picks back up again soon, I think we'll end up with a stable growth outlook. If the U.S. economy doesn't pick up, eventually it's going to hit us. The rise in the Canadian dollar, Mad Cow Disease, and SARS all have an economic impact--not necessarily any one of them significantly, but in combination they act as a drag on the economy.

It's interesting to note how fragile everybody's psyche is. The reaction to these events is disproportionate to what it would have been two or three years ago. People are on edge, and it's worrisome when consumers are on edge. Right now, consumer confidence in Canada remains strong. I don't know what it would take to change that, but one has a sense it wouldn't take much.

PM: You're obviously created a risk agenda for RBC. Do you have an agenda for RMA in your role as chair?

SL: RMA is trying to operarionalize the concept of enterprise risk management in terms of what the association is offering, and I'd like to be able to take that forward. But do I have a specific agenda myself? No, because RMA really is an industry association, and the strategic direction has only recently been changed by the members. What I'd like to do is make sure we're steering in the right direction to meet the needs that are being identified by our members.

There's a lot of momentum within RMA, and one of my goals is to build on it while recognizing the differing needs of our constituents. The diversity of our members is both a strength and a challenge. RMA must continue to meet the needs of institutions at both ends of the spectrum, ranging from relatively small to highly complex institutions.

The industry as a whole benefits when the best practices of the most advanced institutions are discussed among the smaller institutions. For me, RMA's strength is that there are very few forums where risk managers can talk together about the issues they face, both technically and professionally. RMA provides that forum and the exchange of ideas. We all lie to each other, of course--we're really good at exaggerating how advanced we really are--but it does give everybody an idea of what it is we're trying to cope with and how we think we'll get there. Isn't that really how best practices fall into place?

I think everybody learns from RMA, and the fact that a lot of our discussions are tailored to the level of sophistication of the institutions allows everybody to learn from each other.

PM: In every, association, both the association and its members have responsibilities. What would you encourage people to do as members of the association to keep it strong and to help the industry?

SL: I would like to see people contributing their intellectual capital to RMA. Whether it is sharing at round tables or being part of a chapter, it's recoginizing that you're part of a larger community and you have a responsibility to participate in that community and share whatever intellectual or other resources you might have to improve the practice of risk management. For some people, that's being in chapters and working within their community; for others, it's being part of round tables or seminars. It's about getting involved with RMA working groups, like the one that has been so active in the new Accord; it's about being on councils; and for some of us, it's about being on the board.

You can't benefit from RMA without actively doing something. And RMA won't exist unless members actively do things. Just receiving and reading The RMA Journal, as good as it is, is not a sufficient role for a member of RMA.

I happen to believe that RMA is a truly great organization, l think the staff is terrific and the members are great. One thing I've learned is that risk management does add value, and we've got to continue to add value if we are going to be relevant. We're all professionals, and we should all take pride in what we do. We should all make sure we're up to date, and I think the RMA plays a very important role in helping us do that.

[c] 2003 by RMA. Pamela Martin is director of Regulatory Relations and Communications at RMA--The Risk Management Association and is executive editor of The RMA Journal.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group