James Lam is one of the industry's most outspoken advocates of firm-wide integrated risk management. After working as a research analyst and consultant at various brokerage and consulting firms, Lam joined Glendale Federal Bank in 1984 as vice president of strategic risk management, where he worked on asset/liability management and mergers-and-acquisition transactions. In 1990, he joined First Manhattan Consulting Group, where he helped financial institutions integrate their business strategies with their risk management and performance measurement processes. He was also an early advocate of integrating market, credit and operational risk management. In 1993, he had his first opportunity to practice what he preached when he became chief risk officer of FGIC Capital Markets, a triple-A-rated GE Capital subsidiary. There he managed the middle and back office of a new capital markets business, developing risk management policies, operational procedures and trading systems. He eventually became acting president of the business within the firm that sold guaranteed investment contracts, structured products and investment products to municipalities. In 1995, he joined Fidelity Investments as chief risk officer to develop a firm-wide risk management function for the organization, which has 40 business units and more than $500 billion in assets under management. He spoke with editor Joe Kolman in July.

Derivatives Strategy: How is risk management run on a decentralized basis at Fidelity?

James Lam: The culture of Fidelity is based on business unit accountability, so that each business unit is fully accountable for its business performance. That includes customers, revenues, expenses, risk management and so on. The business units and corporate functions have ultimate responsibility for measuring and managing risk. You can say that we have decentralized risk management and centralized risk monitoring.

DS: Does each unit have its own risk manager?

JL: We have nearly 40 separate units. Investment management is one group of business activities; the brokerage business is another. And then we have distribution channels such as companies that target institutional or retail clients that are also established as separate business units. Smaller units may have a part-time risk manager, while the larger ones may have a team of risk managers. We work with business unit risk managers as well as other control functions such as audit, compliance and corporate security.

DS: But doesn't most of the financial risk associated with Fidelity's operations involve people who manage money?

JL: Yes, our investment management and brokerage units manage market and credit risk on a daily basis. But like all of our other business units, they also have operational risk, such as transaction processing, cash movement, information security and systems. Business risks are also embedded in our sales and marketing functions, and organizational risks associated with people, culture and incentives cut across all of our units.

Portfolio managers are ultimately responsible for stock selection. They do bottom-up research and analysis, company by company. They're responsible for stock selection and the overall performance of the fund. We also have a separate and segregated trading area.

DS: So after the money manager makes a decision, the Fidelity traders take over, and try to get the best price.

JL: Yes. We also have a market risk area within our investment management operation that looks at things on a portfolio basis and also on an aggregate basis to help us determine what our risk is vis-à-vis our peer group.

DS: You mean other funds?

JL: Other funds that we benchmark against. In other words, are we overconcentrated or underconcentrated in a specific stock, sector or country?

DS: Let's say I was a European equity manager. Exchange rates would affect my portfolio quite a bit. What would my risk report look like?

JL: The system will tell you, first of all, how much you were overweighted relative to your peer group in terms of percentage allocation. By definition, if you're overweighted in a specific sector, you're underweighted in another sector—it may be an industry group or a country. Then you can stress-test those decisions as well.

It would also give you what-if analyses. If the German stock market moved up vis-à-vis the U.S. market, or if the U.S. dollar appreciates significantly against the British pound, how would that impact performance relative to your peer group? These reports are prepared daily and we use both simulations and scenarios for stress testing.

DS: What's the goal of this particular kind of competitive analysis?

JL: The goal is to develop the right risk information so senior management understands where portfolio managers are making positive and negative bets, or where they're overweighted and underweighted. And to provide the same information to the portfolios managers themselves. The portfolio managers are out there focusing on stock selection, visiting companies and trying to uncover undervalued stocks. This tool should help them focus on making better decisions.

One of the biggest challenges we have is figuring out how to integrate all this information. While we have some systems that are looking at market risk, we have other systems looking at credit risk and operational risk within each unit. So if you have 40 business units, how do you report all that information in the appropriate way? A system could spit out a 200-page report, but that would be too much to show senior management. We want of focus on the key exposures, trends and exceptions.

DS: At JP Morgan and elsewhere, they spit out a value-at-risk (VAR) report every afternoon...

JL: Some business units have daily or intraday flash reports that look at specific exposures and incidents, such as VAR and other risk-adjusted measures. But for our firm-wide risk management reporting process, we started with a two-page monthly risk report for each business unit.

"I think risk professionals often put too much emphasis on the ‘hard side' of risk management, such as risk policies, systems and reports. We need to place more emphasis on the ‘soft side' of risk management, such as people, culture, values, accountabilities and incentives.”

In those two page reports, we ask our business units for four things in a standardized format. First of all, we want to see a full accounting for the actual losses incurred. What are your gross losses? Which are the result of operational or credit or other problems? What's the trend in those losses and the ratio of losses to volumes or revenues? Second, we want you to capture your key risk incidents, or near misses. Could these incidents create financial or reputational exposure for the company? How did you respond to these incidents. Third, we want you to assess what are the major risk issues you're dealing with. In other words, what keeps you up at night? Last, we want you to show the key risk measures and trends in a handful of charts, including actual performance against any limits or goals.

DS: Give us an example of some hypothetical problems they might put in those reports.

JL: Hypothetically, if unreconciled cash items doubled in the past few months, or if trading errors increase significantly, or if we have counterparty exposure that exceeded our credit limits—some of our businesses would even look at personnel turnover rates as a key risk measure. Each report takes about five or 10 minutes to review and captures all the business, operational, market, credit and organizational risks. It's also self correcting, because losses and incidents will always be evident.

If you see over time that there are losses and incidents in particular business units that are not being discussed in the management assessment or tracked in the performance measures, then either management is not being diligent about tracking their risk exposures, or they are tracking them but they are not communicating them to corporate management. Either way you have a problem.

DS: What do you do once you get that report?

JL: We review it and identify the key trends and issues and communicate that to senior management, and share the information with other control functions. Right now, the report is monthly, but we are building a global risk management information system that will produce risk information on a daily or real-time basis. So if specific incidents were reported by business units, we could establish trip wires or certain thresholds. If a loss exceeded a certain dollar amount within a particular business unit, we'd want that incident or loss to be escalated to senior management right away, so that when senior managers log on their computers in the morning, they'd get a flag that shows them the two incidents and three losses they should know about.

DS: The ultimate goal, then, is to promote risk transparency within a firm. If you do that, the rest will take care of itself.

JL: Risk transparency should be one of three major objectives for any risk program, the others being risk mitigation and risk awareness. If you look at all the headline stories about derivatives and other major problems, a common component of each one is that bad news did not travel up. Almost any company that takes an honest look at itself internally will find specific incidents or episodes in which bad news did not travel up.

This is countercultural. As a child, you want to show your Mom and Dad the As and Bs. You don't want to show them your Cs and Ds and definitely not the Fs. But risk management is not about the 95 percent or 98 percent of the things that are going well. It's about the 2 percent or 5 percent of things that could go wrong or are not going well, and putting a magnifying glass on them and asking questions. What went wrong? What are the underlying root causes? What can we do to mitigate the risk?

There's only one alternative to risk management and that's crisis management. If you promote good risk transparency within the company, you can be more proactive and prevent a small problem from becoming a bigger one.

DS: It sounds like the risk reporting framework that you are trying to develop here is dependent on managers telling you the bad things that happen. Is there a way around this?

JL: First of all, self assessment has been widely recognized as a best practice for risk management at many companies and consulting firms. Second, the reporting structure that we designed is self-correcting. We also collaborate with other control functions such as compliance and audit that will be looking at some of the same operations. If they see things that are not being properly reported, then you'll get a red light. Finally, we also rely on independent risk management systems and informational sources.

DS: What do you think are the future trends for risk management?

JL: I think the state of the art will continue to evolve. Management needs to figure out not only how to integrate market, credit and operational risk, but also how best to organize and leverage its control resources, such as risk, audit, finance and compliance. Risk professionals also need to apply its tools to support better business decisions, on the trading desk as well marketing, product development and pricing, and client management.

"A system could spit out a 200-page report, but that would be too much to show senior management. We want to focus on the key exposures, trends and exceptions.”

While the current focus on firm-wide risk management is a good one, I think risk professionals often put too much emphasis on the "hard side” of risk management, such as risk policies, systems and reports.

For example, does it really matter whether you use a binomial or trinomial model for your VAR calculation if you are not vetting key employees or if your reward systems send the wrong signals? Don't get me wrong—I think VAR is an important innovation, but we need to place more emphasis on the "soft side” of risk management, such as people, culture, values, accountabilities and incentives.

Let's not forget about the people and what motivates them, because their actions and decisions will ultimately determine the risk profile of an organization.