Credit crunch- lessons for Kenyan banks' risk management

Imho, the genesis of the current West financial crisis is the deregulation of financial services in 1970s and 1980s that allowed financial entities into activities they were previously barred from. As an example, Barclays could move from retail to investment banking. However, the skillset required to manage a retail vs. an investment bank is like chalk and cheese. Banks then started off-shoring risk in their banking or even trading books e.g. by bundling loans and offering them as collateral in exchange for loans from other financial firms. From the late 80s/early 90s financial firms then offered insurance against these bundled loans using credit derivative swaps. Infact, almost every type of risk was managed via an invented form of derivative. Factor in globalisation; the emergency of the APAC nations and a benign interest rate regime. All this took place within 20 years and risk managers and senior managers generally either couldn't or didn't keep pace with the changes although the generally bullish conditions presumably fooled some. Finally, too many banks exclusively relied on either international rules on risk (Basel accords) or what regulators stipulated. In other words, they outsourced risk management.

Risk management is very straightforward;

1. Based on your understanding of the business your entity undertakes, identify the risks it faces.
2. Measure these risks in terms of the potential monetary impact on your bank's capital/liquidity and profitability.
3. Monitor these risks.
4. Set up ways of controlling these risks. To be clear, banks as with other walks of life, will always face risks. Control entails expressing your risk limits/appetite and putting controls in place to keep within the said limits.

Where an entity doesn'tdo any of the above to a satisfactory degree, nothing (sophisticated VaR models, stress testing and scenario analysis; layers upon layers of risk management cadres) will prevent failure due to one type of risk or the other. Unwary risk management meant that Northern Rock and Lehman Brothers and others fell over whilst ticking all the boxes on capital adequacy as dedicated by Basel 2, whilst neglecting liquidity risk. Failure of risk/senior managers to keep pace with the changing dynamics of its fast growth, led to Northern Rock's failure. The complexity of Lehmans' business and legal structure meant a Tsunami was not seen in good time.

Similarly, lax risk management can also be in CBK's risk survey undertaken in 2010;

-30% of Kenyan banks didn't have a centralised risk function (so nobody apart from perhaps the CRO) knows the overall risks faced by their bank.

-to compound the above, 58% of the banks don't have a head of risk i.e. nobody to take senior responsibility for risk management.

-Just over half of Kenyan banks reviewed their risk management manuals annually. This in a very fast changing industry. Think mobile banking, internet banking, agency banking, branch growth, regional expansion, increased fx/interest rate risk, money laundering laws to name but a few.

-7 banks didn't have a dedicated MIS for risk and another 9 only collected risk MI on an annual basis. So 16 banks couldn't tell you what risks they faced at any given time.

-16 banks didn't think they needed to make any changes to their risk management practices...

When things are going well (straight growth in year on year profitability), its easy to take your eye of the ball, but remember, its only when the waves go out, that we know who is naked.