Recent crises have highlighted many failures in managing risk, including at the Board, senior management, regulator, and rating agency levels. But Risk Management failed too…
In measuring risk
- Risk models misused or specified incorrectly
- Lack of understanding or attention to issues of liquidity, correlation
- Ineffective use of stress testing
In mitigating risk
- Hedges viewed in isolation
- Concentrations of risk ignored, not understood
- What-if scenarios and stress-testing inadequate
(And almost above all) in communicating risk
- Not being proactive enough, just reactive
- Not ‘managing’ Risk as much as playing to some nebulous ‘support’ and ‘control’ roles
- Not ensuring an audience (exacerbated by the CRO not being truly in the C-suite)
As discussed under “The CRO of Tomorrow” the fundamental role of the risk manager is to oversee and continually test for “compatibilities” of a firm’s risk-taking with:
- Its risk appetite (contextualized for the legal-regulatory environment)
- Products and markets through which risk is taken
- Returns for taking such risks
As a primer, the fundamental questions for Risk Management should be:
- Do we know what bet/s we are making?
- Are our bets those that we can afford to make?
- Do limits reflect business strategy, risk-tolerance & appetite, our markets?
- Are positions within established limits?
- Is the risk/reward ratio appropriate?
- Is our risk-taking on purpose: do we know the unusual, the unintended, and the unacceptable?
- Do the right people discuss the risks…and watch over them?
The financial meltdown shows that among the many contributing failures, Risk Management didn’t sufficiently manage risk. Were Risk Managers constrained by the C-suite who wouldn’t hear the warnings, or were Risk Managers not answering (not able to answer) the Fundamental Questions? Either way, Risk Management has some soul-searching to do.
17 comments:
Agreed, much has been written about “big picture” ways to modify or improve the hierarchical structure of risk management. Maybe now is a good time to look in the mirror as individual risk managers and simply ask; “what can I do to personally take responsibility to help improve the risk management process?” Nothing changes if nothing changes!
I think there has been a lot of the “touchy feely” questions and tip-toeing around the issue of why or how risk managers failed. The system broke down because the personal reward for an ill conceived one way bet became so heavily skewed to the pocketbook of management and the business line there was no practical way to stem the tide.
The issue is clearly whether the risk managers were either unable to deal with the big issue, unwilling to do so or being prevented from doing so. The silo structure and inconsistent modelling that was prevalent combined with the lack of risk management vision all contributed to the issues and perhaps the focus on new rules and systems reduced concentration on what was actually happening. What is needed is more thinking and less modelling. Dennis Cox, Risk Reward
Perhaps we need to step back a bit and recognize that most of those involved in generating unmanageable risks did so in their own "enlightened self-interst." Factors such as moral hazard and compensation plans that rewarded short-tern results rather than life-cycle results may have motivated risk takers to engage in behavior that can be rationalized, yet is not truly justified.
Once the outcomes of risk taking are separated from the rewards, we have seen, repeatedly and not just recently, that excessive risks are taken. This is not a new issue, but one that we have been unable to properly address.
In my view, the issue goes beyond the CRO. Rather, it requires changes in corporate culture, including changes in industry compensation plans for those creating risks (I assume that human nature is not changeable, at least in any meaningful time frame).
At the top, Boards must take the initiative and assume greater oversight than most have exercised in the past. Boards must be willing to lose a "top producer" if necessary in order to ensure that risks are properly managed. Greater attention to "high impact, low probability" events is needed.
Lastly, there has been an implicit assumption (sometimes explicit), that most risks have a Gaussian distribution. Closer analysis of many risks reveal a Levy distribution, which visually appears similar but has very different characteristics. Levy distributions have "fatter tails" than Gaussian distributions, making tail events more probable. However, the most important difference is that Levy distributions have an infinite variance, making the use of standard deviation and other statistical tools to quantify risk not helpful. This strongly suggests to me that the solution is not to be found in better risk models, but must be found in basic changes to how those involved in the risk taking process are rewarded.
Very Good Analysis. There is a lot of blame to go around, and Risk Managers have to take their share.
I would add that RMs were too timorous, mainly because they were not really sure of the limits of their power and influence. Going forward , RMs have to become more assertive but to do so they have to be better able to convince the Board and fellow managers of their ability to contribute fully to the business, not just the risk, debate. Education and forums like GARP (and PRMIA) are excellent for promoting the vital role of RMs.
Pat
Good analysis. Risk Managers need to self-assess. And physicians must heal themselves!
A very good article on the topic of risk manager soul-searching, insightful. I just wish that there are solutions or planned actions to address all the issues mentioned: such as risk managers are not in the insider circle of the C-suite; risk models are not accurately calculating the risk (fat tails, etc); stress testings are not proactive; risk managers are not proactively communicate/manage the rare event risks, including liquidity and tail risks; compensation and visibility of risk stuff members, etc. Having an actionable solution will help preventing/mitigating the next crisis.
An Impressive article for reading. To me the issue is the whether risk managers failed or they were forced to fail? We have seen that organizations are usually dominated by the business personnel are always in dominant position as they are closely related to the core objective of the business i.e. to maximize the wealth of owners. Where does the risk manager stand in this? To me the time has come that corporate entities should start changing their mindset of traditional “Maximizing returns” to “Safe and consistent returns” which would automatically include a greater role of risk manager as a major participant in the strategic picture of the company.
I agree with earlier commenters who pointed out short-term rewards skewed incentives to individuals and financial institutions, leading to the collapse. While bad incentives can be improved, there's also a need for risk managers to reconceptualize their whole field (both education and practice). Right now, risk management follows the model of physics where financial instruments, risk attributes and trades are isolated and have no spillover effects. The way forward for risk management would follow the model of a field like civil engineering where broader ideas of risk and utility are put into practice.
We tried to introduce multiple market failure stress testing scenarios where I was back in 2000, but were laughed out of the building as our yes man boss sucked up to the board.
The place is now run by a 100 man team wih no real depth or width of knowledge about risk management, they will just bend to whatever senior management wants, if thats no volatility in earnings they will fix both downside and upside.
Some (actually everyone at some point) used the historic 5 years to project the future 5 years.
One of the things risk managers must be extremely wary of is believing that markets are orderly. The entire mark to market argument was based on this assumption and many risk assessments were based on this assumption as well. Markets are NOT ORDERLY and to assume that they are is a critical failure of risk management.
Agree with Muhammad's tone here. In an interesting dialogue with Economist a few months ago, a 'victimised' risk manager confessed as much. Towards the end of 06-07, the structure of investment banking in the US and EU had become such that corporate decision makers were forced to concentrate on deriving max 'business', and the moderate nature of the economy globally allowed them to become increasing leveraged. Risk management began to be internally viewed as a hindrance to profitability and its scope was conveniently curtailed. The CRO (or its like) are never capable on their own. Banks are in the business of taking on risk, but what was forgotten was, to what extent. Easy availability of leverage-creating instruments allowed banks to build it up to unsustainable levels (probably because 'what is sustainable' became a fuzzy question with time). Such a corporate culture was destined to bring problems some time or the other. Unluckily, globalisation made these institutions so interconnected (and dependent) that all fell together.
A comment on modelling is in order here, as can be seen from the prior posts. I see models getting better going forward, to be frank. The great moderation over the last decade upto 07 made models based on history useless as they simply did not have the deviation in history to account for it in the future. Now, with the deviations actually occuring, and volatility itself becoming volatile, I see that as we move forward, such models would automatically have forecasts rationalised.
Agree with what has been said.
Problem started from the top : lack of knowledge and discipline as well as conflicts of interest by senior mgt.
No budgets for proper firm-wide Risk MIS.
Silos all over the place.
No holistic risk view incl reputational risk (SIV's).
The merging of market and credit risks not well understood let alone managed. Skills are different.
The followers of quant dogmas became CRO's. Judgment was replaced by ill-conceived/used models.
Risk mgt failed to make itself heard.Risk managers lacked credibility, power and were steamrolled. They were considered "partners" but was one sided : risk mgt should be a partner like the police is to the citizens ie they carry a stick and use it. Risk mgt never had a stick and if they had one they were criticized for using it.
Hopefully regulators will enforce better practices. Self-regulation has lead to moral bankruptcy.
Claude Poppe (recently retired risk manager and not proud to have been a banker and a risk mgr.)
This is a case of moral hazard. Most of the managers chose to look away in as much as they get bonuses so they pursue short term profits to justify their bonuses. They engage in empire building projects all at the expense of the owners. Who gets hurt in the process is of no importance. This is the case with five nigerian banks CEOs that got hammered few days ago by the CBN governor. They were giving loans to speculators both in the capital market and oil & gas sectors without due process including loans to friends and family which resulted in debts of 1.14 naira($7bn).
I posted a comment on "Whither CRO of tomorrrow" before reading this discussion.But, some points in view of earlier comments on this discussion:
(a) Yes......misunderstanding of tools etc do play a part.........but then could bulk of the CROs/ RMs globally get their intellect into a can simultaneously? Hard to believe, that intuitively at least, some would not recognize that something majorly stupid was being done.
(b)Hence, the issue/ focus shifts to the human factor.....i.e the CRO's ability or willingness to stand up to the rest of the bunch (including the Board......because often, the Board gets carried away by grandeur growth dreams or wants to keep up with competition......and, ego will not permit that an underling i.e CRO is allowed to throw a spanner in the works).
(c) It is fine to ask the CRO to sacrifice himself for the cause......but when the choice is between toeing the line or losing the job,and probably getting the reputation of being a "negativist, who stops business growth", how many CROs will have the moral fibre to walk into the wilderness? (Also, what exceptionally qualifies/ rewards/ protects them for such professionalism/ altrusim, when the rest of the business colleagues, are onto the gravy train with reckless nonchalance?
(d) To my mind, the failure is in not protecting the independence of the CRO. Money matters, but not every professional is driven by money alone. But, it is unreasonable to put the CRO in a compromised position and expect him alone to act true to conscience and to have to walk the plank, whilst others go scot free.
ss
All these comments stated earlier are in line with the releted experiences of every person, however the top mangment know how about the risk managment application & benefits accrue in future are the real concerns, which are seemingly the main hurdel to implement RM in true later & spirit. to avoid this issue on permanent basis i am strong supporter of to account for capital charge dervied against the espousers/risk weighted assets in to balance sheet & the remaining amount could be distributed to shareholder. this will bring real change of attitude in every concerned stakholder as the sharholder will get its risk adjusted portion will obviously put pressure on the business side to opt for more advanced appraches of risk managment as well as set aside budget for capabalities & adhere the Risk Managment guidlines.
Post a Comment