ANALYSIS

The future of risk management: How independent should risk management be?

Barry Schachter, research associate with the EDHEC Risk and Asset Management Research Centre and director, quantitative resources, Moore Capital Management, believes the current crisis is a catalyst for change in the conduct of risk management because it has challenged the efficacy of the existing risk management model, but simply imposing regulation is not the change that’s needed.

Not only has the current crisis given many (myself included) a deeper appreciation of the meaning of stress, it also has become a catalyst for change in the conduct of risk management. The crisis is a catalyst because it has challenged the efficacy of the existing risk management model.

The response to the challenge is coming from two levels. At the level of the individual firm, risk management approaches associated with survivability are being enhanced and copied, while approaches associated with failure are being discarded.

While no intelligent designer is responsible here, at another level, those with responsibility for ensuring the smooth running of the financial system are at work modifying the parameters governing how individual firms approach the conduct of risk management. While it is folly to predict what will result, it is fruitful to speculate on how these forces of change may interact and how those interactions may influence the future course of risk management.

Before proceeding, I intend to limit the scope of my argument by distinguishing between risk management and risk measurement and exclude the latter. I feel I must justify that bifurcation, as the greatest portion of the focus of critics of risk management has been on failings of risk measurement and alleged failure of risk managers to recognize the failings of their risk measures.

The now popular view of risk managers is essentially a cartoon creation, a bit like the character Peter “Wrong Way” Peachfuzz, from the 1960’s TV cartoon “The Bullwinkle Show”, whose supreme self confidence as captain of the S.S. Andalusia was matched only by his lack of both good sense and sense of direction.

In a similar manner, the cartoon risk manager exhibits unlimited faith in measures she assumes to be comprehensive of all sources of risk, free of estimation error, and a reflection of Gaussian uncertainty.

In fact, no risk managers hold these cartoon character beliefs. The invention of Value-at-Risk did not spawn a world of such risk managers. Credulity is not the risk manager’s Achilles’ heel. The fact is that risk managers are not the witless tools of their risk measures; risk measures are (some of) the tools of risk managers. Therefore, while a discussion of the future role for risk measurement would be insightful and fruitful, it is not necessary to discuss the tools of the risk manager in order to examine the fundamental aspects of how risk management within the financial organization may evolve.

In March of this year, at one of the many U.S. Congressional hearings on the crisis, one legislator asked AIG CEO Edward Liddy, “Where was the failure of your own internal risk-management procedures?”

A failure of the risk management process itself is a theme more fundamental than the possible failure of either measurement or data interpretation. By the risk management process I mean the manner in which, at all levels of the organization, business decisions take risk information into account, that is, how risks are evaluated one to another, how returns are evaluated relative to risks, and how incentives within the organization work to support consistent decision making with respect to risk taking.

If this process is flawed, the quality of risk measurement is of little relevance. If risk measures are flawed (and they are), good risk management is still relevant.

Failures in the risk management process are evident from the crisis. However, we cannot conclude this simply from a superficial study of the observed outcomes. Let me state (what I used to think of as) the obvious. Observing that a company experiences losses is not prima facie evidence of a failure in the risk management process. Returns are compensation for risk taking, and it is definitional that risk entails risk of loss. For the same reason, bankruptcy is not prima facie evidence of excessive risk taking. Failure to predict the future is not a failure of risk management, as fortune telling ability is not prevalent in humans (though it would be an advantage in avoiding, but no guarantee against, folly).

Further, if risk managers fall short of 100 per cent accuracy in interpreting the future implications of the sum total of all available data at a given point in time, without benefit of hindsight bias, we cannot claim that to be evidence of a failure of risk management. Finally, if we were able to know for a fact that the decisions made at individual financial institutions, the managers of which having duly considered the risks and returns, inexorably lead, through a dynamic process of interaction involving complex feedback mechanisms, to a systemic crisis, even then, we cannot claim that at the level of the individual firm we have evidence of a failure of risk management. None of this is an apology for risk management failure. Rather I am arguing that to find evidence of failure in the risk management process, we have to look to something else.

I think we can find evidence that something might be wrong. It was recently widely reported that at AIG the corporate risk staff were limited from direct interaction with the Financial Products group. While details provided were few and the context fuzzy, something doesn’t seem right with this picture. It raises suspicions that risk management, in its current manifestation within financial firms, is not a fully integrated aspect of management decision making. The current opinion attributes risk management failure (in part) to a lack of sufficient independence, and therefore recommendations have been put forward to push for increased independence or more risk management responsibility at the highest levels of the organization. The idea that a good risk manager is independent has become dogma in risk management philosophy. I will argue below that the AIG anecdote can be interpreted in conflicting ways, and a deeper examination of this tenet is in order.

When a risk manager is acting as an independent set of eyes on risk taking, the challenges to effectiveness are two, both epistemological. Can the risk manager deduce a thorough understanding of the risks associated with a decision, and can the risk manager effectively communicate that understanding to the decision maker? C. P. Snow, in his book, The Two Cultures, re-tells an apocryphal story of the Oxford don who visits Cambridge for dinner. The visitor “addresses some Cheerful Oxonian chit-chat at the one opposite to him, and got a grunt. He then tried the man on his own right hand and got another grunt. Then rather to his surprise, one looked at the other and said, ‘Do you know what he’s talking about?’ ‘I haven’t the least idea’ was the reply.” The President of the college then explained to the don, “Oh, those are mathematicians! We never talk to them.” (Cambridge University Press, 1964, p. 3)

The forces at work here are cultural and fundamentally so. In small organizations, individuals’ roles are frequently blurred, information is widely shared, and decision making is highly centralized. It is no accident that employees of small business frequently think of their colleagues as family. Large organizations cannot operate effectively in this way. To be effective, hierarchies are instituted, roles are narrowed, information is localized, and decision making is decentralized. Hierarchies have a downside, however.

The creation, through hierarchies, of independent webs of knowledge makes organizations less adaptable and hinders the flow of information across groups. It is not uncommon to refer to members of other groups (IT, or Risk perhaps) as “them,” and thereby to create a tribal image of “otherness” that becomes a barrier to cooperation in achieving the overall goals of the enterprise.

Worse, over time, as individual groups evolve their separate functions, they may begin to work at cross-purposes. Eventually, one group’s added value (either stand alone or as a contributing source of value to a larger effort) may become incomprehensible to another. If a hierarchical structure is to work, then the benefits anticipated from the creation of separate functions should outweigh the resulting added drag on the organization. In this tension lies the dilemma for the future path of risk management.

The idea of an independent risk function evolved from the regulatory response to the derivatives blow-ups of the early 1990’s (see, for example, the U.S. Office of the Comptroller of the Currency Banking Circular 277 (October, 1993)) and the adoption of Value at Risk as a (partial) solution to the risk aggregation problem that had become more urgent with the growth of trading books of those same derivatives. Partly imposed from above and partly arising from the propagation at the individual firm level of an endogenous adaptation, risk management at that time was responsible for the physical technology relevant to risk taking, i.e., identifying, quantifying, monitoring, and controlling (through enforcement of limits) risk. These functions are both arm’s length and passive with respect to risk taking decisions.

In the context of the current crisis pundits have pointed to failure among both the physical technologies and some aspects of the risk culture, i.e., those qualitative aspects of the organization, sometimes called social technologies, surrounding the decision making process. A flaw in the social technologies can be inferred when we see the information flow about risk being actively blocked as it may have been in the case of AIG.

As I noted at the outset, natural forces of selection are already operating in the response to the failures related to the crisis. Supervisors’ top-down response is already being seen as well, specifically, a push for increased independence of risk management.

Independent risk management works (pretty well) when responsible for the physical technologies related to risk taking. It requires a set of specialized skills and entails a set of activities that can be carried out centrally and separate from the rest of the business organization.

I worry that mandating from above the particulars of the extent of independence in the risk function may tip the balance against the net benefits of an independent structure for risk, and lead to fewer and less meaningful discussions of risk, the opposite of what Leo Tilman, in his excellent book on business strategy, Financial Darwinism, calls “risk-management-based executive decision making.” Internal discussions of risk must emanate from a set of cultural rules where risk, to take C. P. Snow’s words from another context, “has got to be assimilated along with and as part and parcel of, the whole of our mental experience, and used as naturally as the rest.” I worry that the too-independent risk function will become an outsider rather than a partner in the decision process.

It is also a worry that, as Eric Beinhocker notes in The Origins of Wealth (Chapter 13), structure imposed on a dynamic system from the outside has the tendency to impede the natural process of selection and adaptation. Solutions imposed from above are likely, too, to reduce diversity, which, as Andrew Haldane noted recently, is a force for stability in a networked financial system. Finally, given the complexity of the financial system, it may be difficult to identify the prescriptive approach toward addressing a risk management failure at the individual firm level which will achieve a given desired outcome at the systemic level.

As the senior supervisors’ group has noted, the crisis has rewarded firms with a more integrated approach to risk in decision making. The rest of the financial industry will emulate those organizational features that enhance the probability of survival. Given the ongoing nature of this process and the difficulties of implementing a targeted effect from above, a “wait and see approach” by regulators is called for prior to attempting to impose new requirements on the conduct of risk management.
