UBS Risk Management Fiasco Illustrates Hidden Big Bank IT Time Bombs

Yves here. One of the sources of risk in big and even moderately big banks that does not get the attention it deserves is information systems. Having mission critical systems function smoothly, or at least adequately, is crucial to a major trading operation. Huge volumes of transactions flow through these firms, and the various levels of reporting (customer exposures, funds flows, risk levels, transaction and reconciliation failures) need to be highly reliable or things get ugly fast. Witness MF Global, where the firm was unable to cope with the transaction volume of its final days and literally did not know where money was at various points in time during the day.

Now one would think that in the wake of a super duper financial crisis, that big banks would up their game on the risk management/IT front. My guess is the reverse. First, regulators haven’t thought much about operational risks; that’s only recently been considered something worth thinking about. Second, even though I suspect that over time trading managers have gotten better at managing IT, that likely means they have gone from terrible (as in too preoccupied with the press of business to do an adequate job of specing projects or being willing to try approaches like Extreme Programming) to merely garden variety not very good (as in pretty much no one in corporate-land is willing to spend the extra 20% or so to have developers document their work in sufficient detail that a completely new person could understand what was done). And banks have a monster legacy system problem. Multihundred million dollar programs to tidy up and integrate systems into the One System to Rule (Big Parts of Them) All have this funny way of being cashiered after running up monstrous bills and not getting very far.

One window into the severity of this problem: the OCC (yes, our overly bank friendly OCC) graded the 19 biggest banks as failing on a whole slough of operational measures, which included IT. And remember, the list consists mainly of traditional banks (admittedly some really big traditional banks like Wells Fargo), not firms that derive a major portion of their profits from more operationally-demanding trading activities. From American Banker in December (hat tip Richard Smith):

The Office of the Comptroller of the Currency recently graded the 19 largest national banks on five factors designed to gauge how well they are being run.

The results are startling.

Not a single bank met the OCC’s requirements for internal auditing, risk management or succession planning. Only two of the 19 banks met the regulator’s requirements for defining the company’s appetite for risk-taking and communicating it across the company. Only two banks were judged to have boards of directors willing to stand up to their CEOs…

Among the five governance areas being targeted, risk management and audit are getting the harshest eye. “We determined that for these 19 banks, their audit and risk management functions had to be elevated from wherever they were to meet our definition of ‘strong,’ ” Brosnan says.

None of the banks have met that standard for audit; 10 banks are within a year of meeting it while the nine remaining banks will need up to two more years, according to the materials the OCC disseminated at the conference. (The OCC did not identify any of the banks by name.)

None of the banks have met the risk management standards either. Four are within a year and 15 of the banks are going to need up to two years to pull their systems up to snuff, the OCC says.

My admittedly dated experience on IT (with two firms that were considered to be extremely good at it) is that the OCC will need to double its estimates on how long it will take. Independent of the fact that it alway take longer than anyone estimates, with major elements of Dodd Frank being hashed out and Basel III both in play and being delayed, a lot of IT projects will be pushed off until those are finalized.

But this UBS vignette is one of those peeks behind the curtain to see how bad things often are. Remember that UBS wa sone of the banks recognized to be most at risk in 2008. The Swiss National Bank was caught flat footed when UBS needed a monster bailout and was alone among central banks in making UBS hire an outside party to ascertain exactly what led to the meltdown (an undersupervised CDO team was a major culprit) and publish the findings. The Swiss have also imposed capital requirements of 19% on their banks, a level regarded elsewhere as draconian, and which is forcing UBS and Credit Suisse to downsize considerably.

Yet this story published originally in German by Lukas Hässig reveals that even under a tough central bank, a lot of IT messes and deficiencies remain at the big financial firms (although it is also possible that the Swiss set capital levels at 19% precisely because they knew what a mess their charges were). And, quelle surprise, no one responsible has been fired or even demoted. Once you reach a certain level in banking, you only fail upward.

By Lukas Hässig, an independent financial journalist in Zurich, who has written two books about the crash of UBS and the end of Swiss banking secrecy. He has operated the internet financial newspaper Inside Paradeplatz with daily news about Swiss banks since 2011. You can contact him at mail_at_lukashaessig.ch. Translation by the author

UBS loses hundreds of millions in a failed risk management project

After the “A-Risk” project failed, UBS risk control aggregates risks using an excel patchwork. Recently, the investment bank has been inadvertently running open risks stemming from unhedged trading positions with CHF 500m loss potential.

UBS’s top management has being grilled by the British parliamentary commission for constantly failing to get risks under control, as demonstrated by several catastrophic and reputation-wrecking scandals: the gigantic $40 billion suprime loss, the tax-evasion scheme perpetrated in the USA, the Adoboli fraud and the Libor manipulation.

The line of defense of the UBS managers is always based on the same answer: “we did not know”. In reality, UBS’s top management has always been aware of the deficiencies in risk control. For instance, Walter Stuerzinger and Philip Lofts, the former and the current Chief Risk Officer, were already warned in 2002 by two risk specialists (“The crisis at the heart of UBS”, published in “The Sunday Telegraph” on 6 July 2008) of the Zurich head office with extensive experience at main trading centers that the bank was building-up an unacceptably large risk concentration in the US structured credit sector (including subprime) and that the risk management approach was flawed and incapable to capture and hence adequately measure the true loss potential of these exposures.

After the subprime losses UBS declared that it had changed its approach and had become particularly risk-averse. However the reality was different: as history shows, UBS did never turn the corner and has remained one of the most aggressive investment banks.

The recent failure of the “A Risk” project is further evidence for this statement and it also shows that the integrity and the solidity of the risk control infrastructure is still not a top priority of top management. The “A Risk” initiative was supposed to deliver a state-of-the art and innovative risk monitoring infrastructure and it should have allowed top management to have a global view of all the risks of the bank.

After 5 years development and the spending of several hundred million Swiss Francs, “A Risk” does not run as expected and, according to an insider source, is in a “catastrophic status” and has failed to deliver: the various trading desks of the bank still run on different IT infrastructures and the various risks have to be collected from “different databases” and aggregated using Excel spreadsheets with several manual interventions. These are clearly very prone to operational errors.

Not very surprisingly, given UBS track record in dealing with risk control failures, the people directly responsible for this failure are still employed by UBS and hold highly paid positions. Among these are teh above mentioned Walter Stuerzinger and Philip Lofts, the former and the current Chief Risk Officer. But also at the next hierarchical level no major consequences seem to have been taken:

• Galo Guerra, who graduated at the Sloan School of Management of MIT and was leading the “A Risk” project is still on the payroll of UBS;

• Pieter Klaassen, also graduated at the same school, according to the insider source has been removed from his position as “Head of firm-wide risk aggregation” apparently because of his lacking leadership skills. However, on LinkedIn he appears to still hold the same position;

• Darryll Hendricks, who holds a PhD from Harvard, was in charge of the “Risk Methodology” function of the investment bank and was therefore at least partly responsible for the correct representation of the risks. He is still with the bank and has the position of “Head of Strategy” of the investment bank;

• Tom Daula, who was till the crash of 2008 the Chief Risk Officer of the investment bank and had good prospects of becoming Chief Risk Officer of the bank, changed internally and is now apparently the head of global research and analytics.

While highly paid top shots have succeeded to stay on board, many employees in the back office function are being axed due to the fact that the bank has decided to reduce the investment banking activities.

However, good specialists in this area are urgently needed. According to the insider source, in late summer 2011 the Swiss investment banking unit in Opfikon executed a very large transaction in Korean Won. However, the Treasury department that is in charge of managing the balance sheet and hedging the positions forgot to execute the hedge. As a result, the position bearing a 500 million loss potential remained open for several months. As this failure was discovered, UBS started an investigation in which also Finma (Swiss regulator) was involved. However, no consequences at personnel level have been taken. A UBS press spokesman refused to comment this event.

This piece is cross-posted from Naked Capitalism with permission.

2 Responses to "UBS Risk Management Fiasco Illustrates Hidden Big Bank IT Time Bombs"

  1. TERRY   January 13, 2013 at 8:43 am

    NO PROBLEM WE THE PEOPLE WILL PAY.

  2. Nancy L. Oneal   March 4, 2013 at 11:49 pm

    The most difficult part in working as a security specialists in the banking and finance industry is that increasing vulnerabilities in the mobility scheme and the need for certain infrastructure to be updates is often scoffed at by the board.