Interview with Christian Bluhm, CRO, UBS

A study carried out a few years ago by the RiskNET competence portal revealed a great deal of potential for optimisation in commercial risk management. More than 50 percent of around 580 companies surveyed viewed the development of a "genuine risk culture" as the greatest challenge for the immediate future. Looking at the risk map, the study also showed that in the area of corporate governance across different sectors, inadequate corporate and risk culture was viewed as the greatest potential risk.

More than 61 percent of the respondents to the study (362 companies) were convinced that even the best risk management system will be ineffective if it is not practised on a daily basis within the company. To prevent management of opportunities and risks becoming nothing more than a façade, risk management must be viewed as a process that creates value and must be integrated into business management. This is the only way to turn risk management into a strategic and value creating instrument. We spoke to Dr. Christian Bluhm, Group Chief Risk Officer at the UBS Group, about risk culture, quantitative risk management and much more. The questions   were asked by Frank Romeike, Editor in Chief of the RISK MANAGER magazine, and Prof. Matthias Scherer from the Technical University of Munich.

Risk management as a whole and operational risk specifically are strongly linked to the concept of a "genuine risk culture". What measures would you recommend to bring the risk culture to life? What role does senior management play in this?

Christian Bluhm: At UBS, we have a clearly defined set of "Principles and Behaviours", i.e. values, principles and types of behaviour that are important to our work and shape the corporate culture. Senior management has the function of setting an example. Integrity, responsibility, honesty and customer focus are integral components of our corporate culture. But questioning or – to use the buzzword "challenging" – one another is also part of it. To achieve the best solution for customers and the bank it must be possible to critically scrutinise managers' views at all times.

Is there a chance that tight regulation could prevent a "genuine risk culture", as the focus of risk and compliance management is geared towards meeting regulatory requirements?

Christian Bluhm: No, I don't think so. Personally, I am not happy about the current development of the Basel III guidelines ("Basel IV"), as it will lead to less sensitivity in risk weighting. However, you can also see the regulatory requirements that have sprung up since the 2008 financial crisis as a challenge to continuously improve your own risk standards and risk culture. Compliance and management of so-called "consequential risks" need to be strictly defined and put into practice, as grey areas cannot be tolerated. Unlike on the issue of capital requirements, I believe that regulators' and banks' interests are aligned on this question.

In modern banking, almost everything is digital and networked. What cyber risks is your institution exposed to on a daily basis and what do you expect in the future? How do you train employees to deal responsibly with these risks?

Christian Bluhm: Cyber attacks are now one of the biggest risks in banking. We have a legal obligation to protect our customers' data. Banks are always the target of cyber attacks, which can take different forms. For example, these could be "Distributed Denial of Service (DDOS)" attacks, where someone from outside attempts to paralyse the bank's servers for various reasons, or phishing attacks, where someone attempts to obtain employees' login data using fraudulent e-mails so that they can gain access to internal bank systems under a false identity. The reason for phishing can be anything from theft in online banking to spying out secrets through to destructive actions aimed at damaging a bank (cyber terror). Bank employees have to be trained regularly in detecting cyber attacks and reporting them properly. Banks have specialists who know how to deal with these kinds of situations.

At a methodological level, in QRM we can observe a trend that scenario-based stress tests are playing an increasingly important role alongside traditional stochastic models. Where does this trend come from and how do you assess it?

Christian Bluhm: At the end of the 1990s, the trend in banking clearly moved towards an integrated overall bank model for economic capital, typically calibrated to a confidence level at the so-called tail of loss distribution. Conditional expectations were then used to allocate risk contributions to individual business areas, in extreme cases down to individual customer level. Since the last major financial crisis, the industry's faith in a universal model incorporating all of a bank's risks has pretty much disappeared. Regulatory developments towards Basel IV or CCAR in the USA have fuelled this trend. These days, banks are attempting to use carefully selected stress scenarios to simulate potential risks in order to obtain an idea of the potential losses that could impact on the bank in the future.

At the beginning of my career, when I was working as a quantitative analyst, I programmed and saw many of these models. Emotionally it hurts a little bit that these models hardly play a role in the banking world any more. However, I take considerable comfort in the trend towards simulating risks using stress scenarios. Stress scenarios are risk-sensitive, easy to interpret if they are well-designed, and therefore enable details of the business to be explained and communicated. For example, macro scenarios – in other words shocks involving shares, currencies or macro indices – can be directly interpreted, and I believe it is essential to be familiar with their impact on your own bank portfolio. The future of quantitative risk modelling clearly and justifiably belongs largely to stress test models.

How do you actually construct effective scenarios for stress tests? Is there a consensus or any literature you can recommend?

Christian Bluhm: I can't say anything about the literature on stress tests. We develop these models completely "in-house" – although they do have to be approved by the regulator. The starting point is the bank's own portfolio. The choice of risk factors to be stressed is determined by your own portfolio.

Typical risk factors are market or macro indices, such as share indices, exchange rates, interest curves or growth indices such as GDP or similar. Regulators have also developed their own stress tests, for example the FED in the USA simply obtains portfolio data from banks that operate in the USA, then simulates its own stress tests and compares its results with the results of the banks' own stress tests.

Risk management methods and instruments have shown extremely dynamic development over recent years. What approaches do you think will become more significant in the future? Do you see opportunities to overcoming the gap between the qualitative nature of many risks – such as operational risks – on the one hand and the desire for the fullest possible quantification of all risks on the other hand within a foreseeable time frame?

Christian Bluhm: Risk management cannot be reduced to quantitative approaches alone. Qualitative aspects will always play a major role. Of course, many risks can be quantified, even some operational risks. However, qualitative aspects such as experience of loan approvals or, when it comes to so-called "consequential risks", recognition of whether a triggered "alarm" for "fraud detection" is a genuine indicator or actually a false alarm, are also essential in risk management. I see both aspects – quantitative and qualitative – as important and of equal value. Figures tend to make people feel more secure and think they have things under control. Unfortunately, this can be a fallacy. Therefore, I would like to see my colleagues always using both quantitative and qualitative assessments of risks.

A few months ago (see magazine RISIKO MANAGER 17/2015) Prof. Paul Embrechts responded to the question of how mutual sharing of knowledge between academia and professionals can be improved by stating that academics need to venture out of their ivory towers. This frequently calls for intellectual courage and normally a lot of time. How do you assess the cooperation and dialogue between academics and professionals?

Christian Bluhm: Paul is one hundred percent right. Approaches suggested by the academic world are often very detached from practical reality. We need models that are robust, reliable, comprehensible and, above all, models that can be calibrated with available data and can use the information that banks have reliably collected over the course of two decades. I also believe that banks should be comfortable with comparing different models, so that they can illuminate and investigate a particular problem from different perspectives. Really, any model is nothing more than a kind of laboratory experiment with restrictions in terms of its proximity to reality. It definitely makes good sense to study the same problem or phenomenon several times in the laboratory under different conditions and using different models, in order to learn as much as possible about it. This might sound like something from the world of natural sciences, but the analogy to banking is very relevant. I am always happy to promote cooperation between academics and banks – we can learn plenty from one another.

Putting the ball back in the universities' court: How satisfied are you with the level of training of current graduates? In which areas would you like to see more specialist knowledge?

Christian Bluhm: We particularly welcome university graduates who have also completed internships in the industry and ideally are familiar with the difference between academia and the professional world. Here's an example: A mathematician leaving university and moving to a bank who thinks they will be involved in developing academically sound models there is mistaken. Quantitative analysts in banks spend around 70 to 80 percent of their time working with data. The actual mathematics makes up only a small proportion of their work. They also have to deal with audit-proof documentation, cooperation with other areas within the bank, programming, communicating with senior management at the bank etc. If someone has already experienced this as a student, they know what they are letting themselves in for. Another thought on this issue: The specialist area a candidate focused on during their studies is not so critical. The mathematics used in banks can be understood with no problems by anyone who has completed a Masters degree in mathematics. Commitment to practical work with data, communication skills and the ability to integrate into a team are the crucial factors for differentiating applicants and ensuring the correct candidate is taken on. Internships during semester breaks are the best way to acquire experience and prior knowledge.

How do you keep your existing employees right up to date with developments in risk management?

Christian Bluhm: Our employees, especially the quantitative analysts, are expected to maintain their interest in current developments in their job. We like to send employees to international conferences. We encourage our employees to publish their own papers, provided they do not disclose any confidential internal information. Employees often remain in close contact with peers from their respective universities, allowing them to continue engaging in specialist dialogue.

The factor of "trust" plays an incredibly important role in the relationship between a bank and its customers. What opportunities do you believe there are for risk management in a bank to take greater account of reputation risks and similar "soft" potential risk and to manage them more efficiently?

Christian Bluhm: Reputation risks come under the category of operational risks. The problem here is that it takes a long time to build up a good reputation and this can be lost at a stroke when operational risks impact the bank. As a result, banks protect their reputation to the best of their ability. The easiest way for me to explain this is using an example. A bank gains the trust of its customers by convincing them that the bank will act uncompromisingly in the customers' interest. However, if the bank makes the headlines for having badly advised customers in favour of its own profits, the bank's reputation suffers long-term damage and it can take years for the bank to recover. At UBS, reputation risks are identified and then addressed and managed accordingly as part of our "Consequential Risk Framework". Specifically, this means meeting very high standards on issues such as money laundering, "know your client", "monitoring and surveillance" and other control mechanisms.

In the German-speaking region, we have a tendency to ignore the issue of "opportunities" and "upside risks" in our analysis. Is this mainly due to the negative connotations of the term risk in the sense of danger?

Christian Bluhm: The nature of their business model means that banks are "risk takers". Without taking risks, we would do no business as there is no such thing as risk-free business. Therefore, in many decisions banks consciously take risks within their own risk appetite. Risks normally also involve opportunities and if you do it right you can take advantage of these. Unfortunately, sometimes the only opportunity with certain risks is to learn from them. But even that can be an important lesson. To that extent, I do not see risk as being a term with negative connotations but as an integral component of the banks' business model. However, risks must be continuously managed by all of a bank's employees who are involved in taking risks. Risk management is not restricted to the function of the risk division; it also affects customer advisors and even the human resources department, who need to be appropriately aware of risk when taking on new employees.

Across the world, particularly in populist debates, existing economic cooperations and federations of states are often called into question. National solutions to international problems  are sold as an easy answer to complex questions. As an internationally operating company, how do you deal with these political risks?

Christian Bluhm: We monitor social and geopolitical risks very closely. I have a special team for this – "Political and Country Risks". Political trends, for example, and resulting potential risks are factors that influence our analysis of transactions and our business strategy.

Finally, we'd like you to gaze into your crystal ball. Which developments will bring the biggest changes to the risk map in the coming years, and what will you be doing to help shape these developments?

Christian Bluhm: The banking sector is currently characterised by regulatory changes and macro trends. The only banks that will be successful in the long term will be those that can trim their business models to take advantage of automation, and to some extent implement the changes that the manufacturing industry completed years ago. Alongside investments in process streamlining and infrastructure, one way to achieve this could be consolidation. Macro trends will definitely play a big role in the focus of our business. This also includes demographic trends, such as the ageing population in Western industrialised nations. Studying these trends very closely and drawing the right conclusions is the only way to successfully invest in appropriate business segments and thus in a sustainable successful future for the bank.