Michael Held: Risk management

Remarks by Mr Michael Held, Executive Vice President of the Legal Group of the Federal Reserve Bank of New York, at the University of International Business and Economics, Beijing, China, 18 May 2017.

It is an honor to join you at the University of International Business and Economics in Beijing. Thank you for inviting me. As always, the views I will express are my own. They are not necessarily those of the Federal Reserve Bank of New York or the Federal Reserve System.1 "Federal Reserve Bank of New York" is a lot to say. From now on, I'll just call it the "New York Fed."

My topic today is the role of lawyers in what is called "risk management." I am not sure how familiar the term will be to you. We certainly did not cover it in law school-although, in retrospect, many of the principles I learned might be rephrased in the language of risk. Risk management is, however, a daily feature of my practice as a lawyer at the New York Fed.

"Risk" is the possibility of injury or failure. It is a component of most decisions in life-big or small. Opportunities for growth or gain tend to entail some risk of failure.

"Risk management," therefore, does not always mean eliminating all risk. To do so would mean that one is also eliminating all opportunity. Instead, risk management is the art of distinguishing the risks you accept from the risks you deem unacceptable, and deciding how best to avoid, reduce, or eliminate those risks. Prudent risk management also includes plans for recovering from risks that materialize.

Your characterization and assessment of risk-acceptable or unacceptable, large or small-and your strategy for dealing with risk will depend on your broader purpose and goals. This is what is called a "risk appetite." How much risk is, for you, too much risk? Or, perhaps more important, what type of risks should you avoid?

In this talk, I will share my own experience in helping to manage risks at the New York Fed. I will also offer some thoughts on the role lawyers should play in any financial institution's risk management. I will focus on lawyers for two reasons-it's what I know, and it's what many of you are studying at the University of International Business and Economics.

First, though, a caveat: I understand that the issues surrounding risk management in the financial system are of great interest in China today as well as in the United States. But I am not an expert on Chinese law, culture, or history. My experiences may not fully resemble your own, and the lessons I share today may have only partial relevance to your lives and careers. At the very least, I hope there may be value in learning about someone else's experience and perspective. And, at the end of these remarks, I hope you will share your perspectives with me. After all, the primary purpose of my visit to China is to listen.

Background on the Federal Reserve System

Some of you may be familiar already with the Federal Reserve System and the New York Fed. For those of you who are not, I would like to provide some background.

The central bank of the United States is known as the Federal Reserve System. There is, however, no single entity that goes by that name. The central bank comprises, instead, three key components: the Board of Governors, which is an independent government agency; twelve regional Federal Reserve Banks, which operate under the supervision of the Board of Governors; and the Federal Open Market Committee. The United States Congress ultimately oversees the Federal Reserve System and its entities.

You may be familiar with the names Janet Yellen, Ben Bernanke, and Alan Greenspan. Dr. Yellen is the chair of the Board of Governors and the Federal Open Market Committee. Her predecessors in those roles were Dr. Bernanke and Dr. Greenspan. You may also be familiar with the name Bill Dudley. He is the president and chief executive officer of the New York Fed-in other words, my boss. He visited China earlier this month.

Broadly speaking, the responsibilities of the Federal Reserve System include setting and implementing monetary policy, regulating and supervising certain financial institutions, acting as fiscal agent for the United States Treasury, and helping to maintain financial stability. Not every responsibility is shared by each component of the Federal Reserve System. For example, the Board of Governors regulates financial institutions. The Federal Open Market Committee sets monetary policy. And the New York Fed serves as a fiscal agent for the United States Treasury. But, collectively, these are the functions of the central bank of the United States.

The New York Fed, where I serve as general counsel, is one of the twelve regional banks. Its district includes New York City-the financial center of the United States.

The New York Fed implements monetary policy pursuant to the directives of the Federal Open Market Committee. Monetary policy refers to the actions taken by the Federal Reserve to influence the availability and cost of money and credit to help promote economic goals. The New York Fed helps to accomplish these goals by, among other things, purchasing and selling securities. And, like other Federal Reserve Banks, we make loans to commercial banks and pay interest on deposits by commercial banks.

In addition, the New York Fed manages the operation of wholesale payment services-known as Fedwire® Services-on behalf of the other Federal Reserve Banks. The New York Fed also participates in the regional and international distribution of United States currency and coins.

Pursuant to authority delegated by the Board of Governors, the New York Fed plays a significant role in the supervision of some of the largest financial institutions in the United States and most of the foreign banks that do business in the United States. Supervision means the monitoring, inspecting, and examining of financial institutions to ensure that they comply with rules and regulations, and that they operate in a safe and sound manner. Supervision of financial institutions is tailored based on the size and complexity of the institution.

The New York Fed also participates in much of the Federal Reserve's work in the international arena. We manage the foreign reserves of the Federal Reserve System and the United States Treasury. We offer deposit and custody accounts, and provide related services, to foreign official institutions, including other central banks. And we maintain a current understanding of foreign markets and laws. Our analysis helps us to carry out our responsibilities and to assess the risks posed by an increasingly interconnected global financial system.

Risk in banking

Now that you have some idea of what the New York Fed does, I will share some thoughts on the roles of risk in banking.

For starters, and to state the obvious, risk is inherent in banking. Economic growth requires taking chances. Taking risks is part of what banks do.

When depositors leave their money in a bank, they are actually lending it to the bank. There is a risk the bank will fail and be unable to repay its debts to depositors. Similarly, when a bank lends money to buy a home or start a business, there is a risk that the borrower will default.

In the United States, these risks are mitigated through a combination of public laws and internal controls, including deposit insurance and lending guidelines that, since the financial crisis, have become more stringent.

Those are simple examples of risks taken by banks, and there are relatively straightforward ways to mitigate those risks. But the more complex banking activity becomes, the more difficult it is to identify and manage risks. And the more connections exist in a global financial system, the more risk can be distributed or amplified, and the greater the opportunity for new systemic risks to emerge.2

Banks can face risks from employees, some of whom are located in offices in financial centers around the world. Some risks are, again, inherent. We are all human, which means we sometimes make honest mistakes. There is also a risk from intentional employee misconduct. For example, a trader may seek personal gain by taking undue risks in investing someone else's money. An analyst may disclose confidential information without permission. Or, more simply, in an institution that deals with money, some people may decide to take some for themselves.

In some of these cases, the bank may be the victim of the crime. In other cases, the laws in the United States will treat a bank as the perpetrator. That is because, as an employer, the bank may be legally responsible for the actions of its employees. So a bank could risk losing money in two ways: theft or fines. And, more important, a bank may risk losing its good name or reputation for trustworthiness. Now consider, hypothetically, a bank that employs 100,000 people. That bank may have a 99.9 percent record of good conduct-almost perfect. Even then, there will still be 100 employees whose misconduct could, under the right circumstances, damage the bank's reputation or balance sheet or harm its customers.

Banks face risks from third parties too. Vendors or other service providers may expose a bank to additional risk. For example, if a bank gives a software vendor access to its network, the bank may take on risks in the vendor's cyber security. Cyber risk is not limited to software vendors. It actually could be any vendor. The vendor that opened the gate for a cyber attack on a chain of retail stores in the United States was an air conditioning contractor using an electronic vendor invoicing system.

Here is another example of risk from third parties. A newer, faster means of executing or settling transactions may draw such a significant share of a market that it creates a concentration risk that previously did not exist. If that connection fails, an entire market could shut down.

Banks can also face risks from their customers. I mentioned one example earlier. A borrower may not repay a loan. Prudent lending standards-like securing good collateral and identifying credit-worthy borrowers-can help mitigate that risk. Here is another example. A depositor may use a bank account to hold, transfer, or obscure the proceeds of a crime. This is more difficult to determine, especially when deposits are received from half way around the world.

Third-party service providers and customers are examples of risks from outside the bank that are unavoidable in the ordinary course of business. These third-party risks are not purely hypothetical. They featured in recent cases of attacks on the global correspondent banking network. My colleague Richard Dzina runs Fedwire®, the payments system that I mentioned earlier. Here is how he described some of the risk that he faces:

Historically, and understandably, market infrastructures have operated on the presumption that endpoint security is principally the responsibility of the endpoint, and infrastructure security is principally the responsibility of the operator. Increasingly, reflecting the elevated cyber threat landscape, this distinction is not so clear, especially as endpoint security breaches can potentially have implications for public confidence in the network as a whole, even in circumstances when the operator's infrastructure, applications, and security perimeter have not been compromised.3

I also worry that some risk management practices can themselves create risk. Advances in technology have enabled more sophisticated economic modeling, on which many financial institutions rely to assess and manage their risk. This can, unfortunately, lead a bank to conclude that it has reduced one set of risks and can therefore afford to take on an additional set of risks. But what if the technology was imperfect, and the sophisticated models were flawed? Overconfidence in risk models can itself become a significant risk.

Risk and responsibility

There is a popular phrase in the United States among risk management professionals who want to be clear about accountability for risk. We often say that a person, or division, or firm "owns the risk."

Let me explain what I think that phrase means, at least in some contexts. When a business line manager understands that she "owns the risk"-and not, say, the lawyers, compliance professionals, or anyone else-it means that she is accountable to a more senior manager and to the firm for the risk. Presumably, that means she will bring an appropriate focus and attention to issues of risk management. She will not assume that risk management is somebody else's problem.

Sometimes I worry, however, that this phrase-"own the risk"-has become overused and can itself give rise to risk.

To be clear, clarity of roles and responsibilities with respect to risk management is critical. Business managers should not be able to outsource accountability for risk management to others. Still, I wonder if it is time to retire the phrase "own the risk" or at least be more thoughtful about its use.

If a business manager is told that she "owns the risk," she may feel empowered to ignore or otherwise shut out other key stakeholders and control functions. After all, if she truly owns the risk, then why does she have to listen to anyone else? This is obviously wrong. Lawyers and compliance professionals, for example, should be part of an ongoing conversation about risk management. Or, conversely, if those lawyers and compliance professionals do not themselves share some stake in the risk, they may not feel that speaking up or challenging a position by the business line is worth it. After all, the business line "owns the risk" and they (the lawyers or compliance officers) do not.

What's more, certain types of risks, in certain types of contexts, do not fit neatly into the "own the risk" model. Reputational risk is an example. Firms often discover, to their dismay, that reputational risk cannot be neatly contained within one business line, or even within one organization. In a sense, it would be better to think of certain types of risks as shared, with shared accountability, rather than owned.

In short, it is important to remember that risk management is a means to an end. Who "owns the risk" is not as important as clearly understanding how that risk may inhibit an organization from fulfilling its purpose or achieving its goals, and clearly understanding how that risk is being managed. That does not mean that responsibility should be unattributed or entirely diffuse. Rather, responsibility for risk should not be parsed so finely that employees forget the purpose of managing risk in the first place.

Understanding the client

I promised at the outset that I would talk about the role of lawyers in risk management. First and foremost, lawyers must advise on the law. A colleague of mine likes to say that lawyers must always remember the reason why they are in the room-to advise on the law. To do so, of course, lawyers must know what the law says.

But that advice is most effective if it is formulated with an understanding of the client's objectives and challenges, and in light of the broader business context or market in which the client operates.

So, when I speak with my colleagues about the New York Fed's risk, I try to think first, but not only, about legal risk. The Federal Reserve System exists because the public trusts it to serve the national interest. So, I also consider how decisions will affect the public's trust, and how the New York Fed can best demonstrate that it is worthy of that trust. Managing legal risk is one aspect of trustworthiness, and it is my specialty. But, as an officer of the New York Fed, I have a responsibility to think more broadly about its good name. I want to avoid the mistakes of lawyers for other organizations who "saw their role in very narrow terms, as an implementer, not a counselor." 4

I also take steps to improve my understanding of the New York Fed's operations-even after nearly twenty years working there. In my current role, I try to maintain regular communication and strong relationships with the heads of other groups within the New York Fed. I don't just talk to them about legal risk. I do an awful lot of listening too, with the hope of better understanding the work they are doing and the issues that concern them. And I think about ways that input from lawyers might help. In those unfortunate instances when legal disputes arise, I look for lessons that I might report back to those colleagues-insights relevant to their primary concerns. This type of information sharing is essential to an organization that seeks to maintain a high degree of public trust in an increasingly complex field of coexisting and interrelated risks.

I also believe that lawyers need to reign in their tendency to want to reduce risk-especially legal risk-to zero at the expense of potentially more important goals. Lawyers are worriers. We tend to see what can go wrong. This is a product of training and disposition. And it is part of the value that we contribute to an organization. We must remember, though, that the point of reducing risk must be to aid some broader corporate purpose. And so, if the reduction of risk starts to impede a more fundamental reason for being, risk management has gone too far.

Lawyers have to point out legal risks and other risks to their clients. That is our job. But if all we ever tell our clients is "no," they will at some point stop asking for our advice. So it is important that lawyers consider why a client is facing a decision, what they want to achieve in the near term and in the long term, and how their decision may affect others. Lawyers serve their clients well by pointing out assumptions, gaps in reasoning, and unforeseen, collateral consequences. We should help our clients see the range of issues confronting them and options available to them.

Moreover, how a lawyer gives this advice is often as important as the content of that advice. A lawyer must not only be right, he must also be persuasive. My advice is worthless if no one listens to it. We are judged by our results not how hard we try. Let me share with you, as law students, some advice on how to be heard.

Advice to law students

First, speak up! This is part of a lawyer's training in the United States. We are called on in class to explain cases in front of our peers. We participate in appellate and trial advocacy competitions. And we are required to study not only the court opinions that decide a case, but the dissenting opinions that did not. We read and study and admire the great dissenters: John Marshall Harlan, Harry Blackmun, and Antonin Scalia, among others-even though we may not always agree with their views.

This training is important because speaking up is not always easy. Every lawyer will likely encounter a situation in which you simply need to be courageous in stating a divergent or unpopular viewpoint. In these circumstances, remember that you are part of a profession, not just part of a firm or a company. Professional courage is expected of you by your fellow lawyers, and you should count on their support. The New York City Bar has called professional courage "the indispensable element" of lawyering. "The essential need is for lawyers . . . not to waver when the advice is unwelcome, no matter how important the client or how powerful the officer or director resisting the advice."5

Second, be on the lookout for what is not being considered. Ask yourself, "What are we missing?" This is a critical question in good risk management. In-house lawyers are often well-positioned to spot problems that others might miss. These issues become apparent only with a certain perspective-one that looks across an organization with both independent judgment and inside knowledge. Lawyers can offer both.

Third and finally, try to promote diversity and inclusiveness in the organizations where you work. I have seen too many examples of supervised banks that managed their risks poorly because they approached decisions with limited experience, insight, and perspective.

In my few months so far as General Counsel at the New York Fed, I am increasingly mindful of the value of cognitive diversity and inclusiveness within the Bank's Legal Group. Former prosecutors may view an enforcement matter differently than former defense lawyers. A regulatory lawyer who studied economics might not have the same insight as a lawyer whose background is in political science. A compliance officer may spot a problem in our policy that a regulatory lawyer would not have considered. Managers-myself included-whose tenure at the Bank spans decades, may not see shortcomings in communication or organization that are glaring to newer arrivals.

When different views are brought to the table, risks are better understood and better decisions get made. As you progress in your careers, I encourage you to seek out other views. One way to do this is to expand your professional network to lawyers in other countries. We are likely to face similar problems and it can be enlightening, as my meetings this week in Beijing have been, to learn from each other about possible solutions.

Conclusion

The circumstances of modern corporate practice demand increased attention to risk and professionals mindful of managing risk with a view to promoting broader organizational and public purposes. Whether or not you practice law, the virtues of issue spotting, listening to your clients, and speaking up will serve you well in your professional careers. They are invaluable tools for the task of risk management-a shared task of corporate officers, and one that extends beyond professional bailiwicks. I wish you all the very best of luck as you embark on your careers.

I would be happy to take a few questions.


1 James Bergin, Erin Kelly, Lev Menand, Thomas Noone, Brett Phillips, Joseph Sommer, Joseph Tracy, Shawei Wang and Jennifer Wolgemuth assisted in preparing these remarks.

2 See Michael Power, The Risk Management of Everything: Rethinking the Politics of Uncertainty (2004), 37-38 ("A functional explanation for the phenomenon suggests that the emergence of a systematic, generic and broad approach to risk management is a rational response to the fact that the environment of individuals and organizations, indeed the world, has become genuinely 'more risky.'").

3 Richard Dzina, Advancing the Fed's Wholesale Services in an Era of Unprecedented Challenge and Change, Remarks at Securities Industry and Financial Markets Association's Operations Conference and Exhibition 2017, Boca Raton, Florida, May 9, 2017.

4 Final Report of Neal Batson, In re Enron Corp., No. 01-16034 (S.D.N.Y. Bankr. Nov. 4, 2003), at 115.

5 Association of the Bar of the City of New York, "Report of the Task Force on the Lawyer's Role in Corporate Governance" (2006), 95.