Two Lists and a Question No One Could Answer

In early 2017, I sat in a conference room at a European G-SIB with two printouts on the table. On the left, the output of our first top-down workshop — just over twenty risks identified by the CRO, business unit heads, and senior risk officers. On the right, the consolidated bottom-up submissions from every business unit — nearly two hundred risks documented using standardised templates.

The top-down list included a risk we had labelled "cross-counterparty concentration in prime brokerage services." I cross-referenced it against the bottom-up submissions. Not a single business unit had included it. The equity financing desk had reported counterparty credit risk. The derivatives desk had reported market risk. The securities lending desk had reported operational risk in collateral management. Each submission was complete and accurate within its scope. But the aggregate, cross-product exposure to a common set of counterparties existed between business units, not within them.

I asked the question that reconciliation is designed to answer: who owns this risk? No one. That gap — the space between what leadership sees from altitude and what business units see from the ground — is where risk identification goes to die.

The Problem: Compilation Masquerading as Reconciliation

Most banks have two identification tracks. A top-down process — typically a workshop or CRO-led discussion — captures strategic and emerging risks visible from the executive vantage point. A bottom-up process — RCSAs, risk registers, specialist assessments — captures the granular, operational risks visible to the people closest to the business.[1] Both tracks are necessary. Neither alone is sufficient.

The top-down track cannot see the trader who has found a way to circumvent a position limit, the operations process with a reconciliation gap, or the customer complaint pattern signalling an emerging conduct risk. The bottom-up track cannot see macroeconomic regime shifts, cross-business-unit concentrations, or strategic risks arising from the institution's competitive position. The value of dual-track identification lives in the space between them.

Yet what passes for reconciliation at most institutions is compilation. Someone in the risk function takes both lists, removes obvious duplicates based on risk name, merges them into a single spreadsheet, and sends the result to the CRO. The top-down risks sit at the top of the page. The bottom-up risks fill the remainder. The document is called a "reconciled risk inventory." It is nothing of the sort.

Compilation tells you what two tracks have produced. Reconciliation tells you what neither track has found. The difference is the analytical work between receiving the two outputs and producing an enterprise view — the gap analysis, the escalation decisions, the ownership assignments, the challenge sessions, and the iterative refinement that converts two lists into a single, coherent picture of institutional risk.

At a UK-regulated international banking group in 2023, I examined the reconciliation documentation from the prior cycle. It consisted of a merged spreadsheet with colour-coding to indicate source: blue for top-down, green for bottom-up, yellow for both. No gap analysis. No escalation decisions documented. No evidence of challenge sessions. No enterprise portfolio view. The institution had two identification tracks. It did not have reconciliation.

The Evidence: What Happens Without the Loop

Archegos: The Risk That Lived Between Desks

In March 2021, the collapse of Archegos Capital Management cost Credit Suisse $5.5 billion.[2] The total losses across all affected prime brokers approached $10 billion. The mechanism was straightforward. Bill Hwang used total return swaps to build massive concentrated positions in a handful of stocks, leveraged at five to eight times, across multiple prime brokers. No single prime broker had visibility into his total exposure. Each bank assessed its bilateral exposure as manageable. None asked the question that mattered: what is this client's aggregate position across all brokers?

Within each institution, the same structural blindness applied. The prime brokerage desk monitored its own exposure. The derivatives desk monitored its own book. Each desk's bottom-up risk assessment was internally sound. But the cross-counterparty, cross-product concentration was invisible to any individual unit's assessment. It was a reconciliation failure — the kind of risk that exists between business units, not within them, and that only a structured comparison of top-down and bottom-up views could have surfaced.[3]

Citigroup: $45 Billion in Correlated Exposures No One Assembled

Before the 2008 financial crisis, Citigroup's business divisions each maintained their own risk reporting and their own view of the exposures they held. Each operated within its own risk limits. Each produced its own bottom-up risk submission. And each was, by its own internal standards, within acceptable parameters.[4]

But no enterprise view connected these exposures into a single picture. The CDO warehouse positions on the balance sheet. The liquidity puts to the SIVs off the balance sheet. The mortgage origination pipeline feeding the same CDO structures. The commercial paper funding model that would collapse if investor confidence faltered. These were not four independent risks. They were four manifestations of a single underlying exposure: Citigroup's total position in US residential mortgage credit quality, viewed across on-balance-sheet, off-balance-sheet, direct, and contingent channels.

When the subprime crisis struck, all the SIV liquidity puts triggered simultaneously. Citigroup brought more than $49 billion in SIV assets back onto its balance sheet. The institution required a $45 billion TARP bailout and a US government equity stake to survive.[5] A structured reconciliation process would have forced the question: what is our total exposure — direct, indirect, contingent, on-balance-sheet and off — to a decline in US residential mortgage credit quality? No one asked.

HSH Nordbank: False Diversification

HSH Nordbank was the world's largest shipping lender before the 2008 crisis, with an approximately EUR 30 billion shipping loan portfolio. It had also built a substantial portfolio of US subprime structured products. The two exposures were treated as diversified — shipping finance and structured credit occupied different taxonomy categories, different desks, different geographies. The risk assessments for each were internally sound.

But both exposures were correlated to global economic activity. The same crisis that impaired CDO valuations also collapsed global trade volumes, which collapsed shipping rates, which impaired the shipping loan book. Losses materialised simultaneously across what the institution had believed were diversified portfolios. HSH Nordbank required a EUR 10 billion state guarantee.[6] The diversification assumption itself was a risk — one that only an enterprise-level analysis, looking across the full portfolio under stress conditions, could have identified and challenged.

What Good Looks Like: The Five Steps

Genuine reconciliation is not a single meeting or a merged spreadsheet. It is a structured, iterative process with five distinct steps.[7]

Step 1: Gap analysis. Map every top-down risk to the common taxonomy and search for corresponding entries in the bottom-up submissions. Where no match exists, categorise the gap. A top-down risk with no bottom-up owner might be a genuinely enterprise-level risk that no single business unit can see — cross-counterparty concentration, systemic infrastructure dependency, macroeconomic regime change. Or it might be a bottom-up identification failure where the business unit rolled forward last year's register without genuine re-identification. The distinction matters.

Step 2: Escalation. Bottom-up risks of strategic significance must be elevated to the principal risk list. A single cloud provider outage might appear manageable when reported by one business unit. But when you discover that five critical functions across three business units depend on the same provider, the risk transforms from a local operational concern into a systemic enterprise dependency. Escalation makes that transformation visible.

Step 3: Assignment. Top-down risks with no business unit owner must be assigned to named individuals — not committees, not functions. No business unit head wants to own a risk they did not identify. This is one of the most politically sensitive moments in the entire process, and the Risk Identification Lead must have a clear governance mandate to assign based on analytical judgement, not organisational willingness.

Step 4: Challenge. Structured challenge sessions between senior management and business unit risk teams test the completeness of both tracks. These are not consensus-building exercises. A business unit head who dismisses a top-down risk as theoretical discovers that their own bottom-up submission contains the evidence for it. A senior risk officer who championed a risk in the workshop learns that the bottom-up data shows effective controls already in place. The challenge sessions are where analysis displaces opinion and where the reconciled inventory earns its credibility.[8]

Step 5: Iteration. The cycle repeats until both tracks are aligned and coverage is comprehensive. A typical annual cycle requires two to three iterations. Quarterly re-identification cycles, being more focused on changes and emerging risks, typically require one to two. Each iteration narrows the gap. The first identifies the major disagreements. The second resolves the majority through evidence. The third addresses residuals that require CRO judgement.

The output is not a merged list. It is an enterprise portfolio view — an analysis of common exposures, simultaneous crystallisation scenarios, aggregate position against risk appetite, and correlation under stress. A risk inventory that contains two hundred individually assessed risks without an analysis of which ones would activate simultaneously is not a portfolio view. It is a catalogue.

One critical signal: a clean reconciliation with no gaps should be treated with suspicion, not satisfaction. If the top-down workshop identifies exactly what the bottom-up process produces, either the workshop wasn't challenging enough or the bottom-up wasn't granular enough. The gaps are the signal, not the noise.

What To Do Monday Morning

  1. Pull your last reconciliation output and read it critically. Is it a merged spreadsheet with colour-coding, or does it contain a documented gap analysis with investigation notes, escalation decisions, and ownership assignments? If it is the former, you do not have reconciliation. You have compilation. Name the problem before you can fix it.
  2. Map every top-down material risk to a bottom-up owner. Take your current principal risk list and, for each risk, identify which business unit's bottom-up submission covers it. Where there is no match, you have found a risk with no operational owner. These unowned risks are the ones most likely to materialise unmanaged.
  3. Run one cross-business-unit aggregation. Pick a single common driver — interest rate movements, a key technology platform, a major counterparty — and trace every business unit's exposure to it. Add the exposures together. Compare the aggregate to your stated risk appetite. If the sum exceeds the appetite while each unit is within its own limit, you have demonstrated exactly why reconciliation matters.
  4. Schedule a challenge session, not a review meeting. Invite the top-down workshop participants and the bottom-up risk owners into the same room. Present the gaps. Require evidence for every "effective" control rating. Ask why the top-down list contains risks the bottom-up doesn't and vice versa. Disagreement is the point — risks where senior participants genuinely disagree are disproportionately the ones the institution most needs to understand.[9]
  5. Document the process, not just the output. Regulators do not just want to see the reconciled risk inventory. They want to see how it was produced — the gap analysis methodology, the escalation criteria, the challenge session minutes, the iteration history. The risk identification template pack includes a pre-built reconciliation matrix for exactly this purpose.[10]
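Items 2 and 3 above can be run as a data exercise. The sketch below is an added example, not part of the original article or its template pack: it flags top-down risks with no bottom-up owner and finds common drivers where every unit is within its own limit but the aggregate breaches enterprise appetite. All taxonomy codes, unit names, limits and amounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumption): codes, names and amounts are illustrative,
# in arbitrary units, and do not come from the article.
TOP_DOWN = {
    "CR-CONC-PB": "Cross-counterparty concentration in prime brokerage",
    "OP-CLOUD": "Dependency on a single cloud provider",
    "MK-RATES": "Interest rate regime shift",
}

# Bottom-up rows: (business unit, taxonomy code, common driver, exposure, unit limit)
BOTTOM_UP = [
    ("Equity Financing", "CR-CPTY", "Counterparty A", 40, 50),
    ("Derivatives", "MK-RATES", "Counterparty A", 45, 50),
    ("Securities Lending", "OP-COLL", "Counterparty A", 35, 50),
    ("Retail Ops", "OP-CLOUD", "Cloud provider X", 10, 20),
    ("Payments", "OP-CLOUD", "Cloud provider X", 5, 20),
]

ENTERPRISE_APPETITE = {"Counterparty A": 100, "Cloud provider X": 30}


def unowned_top_down(top_down, bottom_up):
    """Gap analysis: top-down risks that no bottom-up submission covers."""
    covered = {code for _, code, _, _, _ in bottom_up}
    return sorted(code for code in top_down if code not in covered)


def aggregate_by_driver(bottom_up):
    """Sum exposure per common driver and record whether each unit met its own limit."""
    totals = defaultdict(lambda: {"total": 0, "units": [], "all_within_limit": True})
    for unit, _, driver, exposure, limit in bottom_up:
        entry = totals[driver]
        entry["total"] += exposure
        entry["units"].append(unit)
        entry["all_within_limit"] &= exposure <= limit
    return dict(totals)


def hidden_concentrations(bottom_up, appetite):
    """Drivers where every unit is within limit but the sum exceeds enterprise appetite."""
    return sorted(
        driver
        for driver, agg in aggregate_by_driver(bottom_up).items()
        if agg["all_within_limit"] and agg["total"] > appetite[driver]
    )


if __name__ == "__main__":
    print("Unowned top-down risks:", unowned_top_down(TOP_DOWN, BOTTOM_UP))
    print("Hidden concentrations:", hidden_concentrations(BOTTOM_UP, ENTERPRISE_APPETITE))
```

In the constructed data, three desks each report an exposure to the same counterparty under a different taxonomy code, which is why the concentration only appears once exposures are grouped by driver rather than by risk category.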