The future of risk management: How independent should risk management be?

Barry SchachterBarry Schachter, research associate with the EDHEC Risk and Asset Management Research Centre and director, quantitative resources, Moore Capital Management believes the current crisis is a catalyst for change in the conduct of risk management because it has challenged the efficacy of the
existing risk management model, but simply imposing regulation is not the change that’s needed.

Not only has the current crisis given many (myself included) a deeper appreciation of the meaning of stress, it also has become a catalyst for change in the conduct of risk management. The crisis is a catalyst because it has challenged the efficacy of the existing risk management model.

The response to the challenge is coming from two levels. At the level of the individual firm, risk management approaches associated with survivability are being enhanced and copied, while approaches associated with
failure are being discarded.

While no intelligent designer is responsible here, at another level, those with responsibility for ensuring the smooth running of the financial system are at work modifying the parameters governing how individual firms approach the conduct of risk management. While it is folly to predict what will result, it is fruitful to speculate on how these forces of change may interact and how those interactions may influence the future course of risk management.

Before proceeding, I intend to limit the scope of my argument by distinguishing between risk management and risk measurement and exclude the latter. I feel I must justify that bifurcation, as the greatest portion of the focus of critics of risk management has been on failings of risk measurement and alleged failure of risk managers to recognize the failings of their risk measures.

Sponsored Content

The now popular view of risk managers is essentially a cartoon creation, a bit like the character Peter “Wrong Way” Peachfuzz, from the 1960’s TV cartoon “The Bullwinkle Show”, whose supreme self confidence as captain of the
S.S. Andalusia was matched only by his lack of both good sense and sense of direction.

In a similar manner, the cartoon risk manager exhibits unlimited faith in measures she assumes to be comprehensive of all sources of risk, free of estimation error, and a reflection of Gaussian uncertainty.

In fact, no risk managers hold these cartoon character beliefs. The invention of Value-at-Risk did not spawn a world of such risk managers. Credulity is not the risk manager’s Achilles’ heel. Fact is that risk managers are not the witless tools of their risk measures, risk measures are (some of) the tools of risk managers. Therefore, while a discussion of the
future role for risk measurement would be insightful and fruitful, it is not necessary to discuss the tools of the risk manager in order to examine the fundamental aspects of how risk management within the financial organization
may evolve.

In March of this year, at one of the many U.S. Congressional hearings on the crisis, one legislator asked AIG CEO Edward Liddy, “Where was the failure of your own internal risk-management procedures?”

A failure of the risk management process itself is a theme more fundamental than the possible failure of either measurement or data interpretation. By the risk management process I mean the manner in which, at all levels of the organization, business decisions take risk information into account, that is, how risks are evaluated one to another, how returns are evaluated relative to risks, and how incentives within the organization work to support consistent decision making with respect to risk taking.

If this process is flawed, the quality of risk measurement is of little relevance. If risk measures are flawed (and they are), good risk management is still relevant.

Failures in the risk management process are evident from the crisis. However, we cannot conclude this simply from a superficial study of the observed outcomes. Let me state (what I used to think of as) the obvious. Observing that a company experiences losses is not prima facie evidence of a failure in the risk management process. Returns are compensation for risk taking, and it is definitional that risk entails risk of loss. For the same reason, bankruptcy is not prima facie evidence of excessive risk taking. Failure to predict the future is not a failure of risk management, as fortune telling ability is not prevalent in humans (though it would be an advantage in avoiding, but no guarantee against, folly).

Further, if risk managers fall short of 100 per cent accuracy in interpreting the future implications of the sum total of all available data at a given point in time, without benefit of hindsight bias, we cannot claim that to be evidence of a failure of risk management. Finally, if we were able to know for a fact that the decisions made at individual financial
institutions, the managers of which having duly considered the risks and returns, inexorably lead, through a dynamic process of interaction involving complex feedback mechanisms, to a systemic crisis, even then, we cannot claim
that at the level of the individual firm we have evidence of a failure of risk management. None of this is an apology for risk management failure. Rather I am arguing that to find evidence of failure in the risk management process, we
have to look to something else.

I think we can find evidence that something might be wrong. It was recently widely reported that at AIG the corporate risk staff were limited from direct interaction with the Financial Products group. While details provided were few and the context fuzzy, something doesn’t seem right with this picture. It raises suspicions that risk management, in its current manifestation within financial firms, is not a fully integrated aspect of management decision making. The current opinion attributes risk management failure (in part) to a lack of sufficient independence, and therefore
recommendations have been put for to push for increased independence or more risk management responsibility at the highest levels of the organization. The idea that a good risk manager is independent has become dogma in risk
management philosophy. I will argue below that the AIG anecdote can be interpreted in conflicting ways, and a deeper examination of this tenet is in order.

When a risk manager is acting as an independent set of eyes on risk taking, the challenges to effectiveness are two, both epistemological. Can the risk manager deduce a thorough understanding of the risks associated with a decision and can the risk manager effectively communicate that understanding to the decision maker. C. P. Snow, in his book, The Two Cultures, re-tells an apocryphal story of the Oxford don who visits Cambridge for dinner. The visitor “addresses some Cheerful Oxonian chit-chat at the one opposite to him, and got a grunt. He then tried the man on his own right hand and got another grunt. Then rather to his surprise, one looked at the other and said, ‘Do you know what he’s talking about?’ ‘I haven’t the least idea’ was the reply. The President of the college then explained to the don, “Oh, those are mathematicians! We never talk to them.” (Cambridge University Press, 1964, p. 3)

The forces at work here are cultural and fundamentally so. In small organizations, individuals’ roles are frequently blurred, information is widely shared, and decision making is highly centralized. It is no accident that employees of small business frequently think of their colleagues as family. Large organizations cannot operate effectively in this way. To be effective, hierarchies are instituted, roles are narrowed, information is localized, and decision making is decentralized. Hierarchies have a downside, however.

The creation, through hierarchies, of independent webs of knowledge makes organizations less adaptable and hinders the flow of information across groups. It is not uncommon to refer to members of other groups (IT, or Risk perhaps) as “them,” and thereby to create a tribal image of  “otherness” that becomes a barrier to cooperation in achieving the overall goals of the enterprise.

Worse, over time, as individual groups evolve their separate functions, they may begin to work at cross-purposes. Eventually, one group’s added value (either stand alone or as a contributing source of value to a larger effort) may become incomprehensible to another. If a hierarchical structure is to work, then the benefits anticipated from the creation of separate functions should outweigh the resulting added drag on the organization. In this tension lies the dilemma for the future path of risk management.

The idea of an independent risk function evolved from the regulatory response to the derivatives blow-ups of the early 1990’s (see, for example, the U.S. Office of the Comptroller of the Currency Banking Circular 277 (October, 1993)) and the adoption of Value at Risk as a (partial solution) to the risk aggregation problem that had become more urgent with the growth of trading books of those same derivatives. Partly imposed from above and partly arising from the propagation at the individual firm level of an endogenous adaptation, risk management at that time was responsible for the physical technology relevant to risk taking, i.e., identifying, quantifying, monitoring, and controlling (through enforcement of limits) risk. These functions are both arm’s length and passive with respect to risk taking decisions.

In the context of the current crisis pundits have pointed to failure among both the physical technologies and some aspects of the risk culture, i.e., those qualitative aspects of the organization, sometimes called social technologies, surrounding the decision making process. A flaw in the social technologies can be inferred when we see the information flow about risk being actively blocked as it may have been in the case of AIG.

As I noted at the outset, natural forces of selection are already operating in the response to the failures related to the crisis. Supervisors’ top-down response is already being seen as well, specifically, a push for increased independence of risk management.

Independent risk management works (pretty well) when responsible for the physical technologies related to risk taking. It requires a set of specialized skills and entails a set of activities that can be carried out centrally and separate from the rest of the business organization.

I worry that mandating from above the particulars of the extent of independence in the risk function may tip the balance against the net benefits of an independent structure for risk, and lead to fewer and less meaningful discussions of risk, the opposite of what Leo Tilman, in his excellent book on business strategy, Financial Darwinism, calls
“risk-management-based executive decision making,” Internal discussions of risk must emanate from a set of cultural rules where risk, to take C. P. Snow’s words from another context, “has got to be assimilated along with and as part
and parcel of, the whole of our mental experience, and used as naturally as the rest.” I worry that the too-independent risk function will become an outsider rather than a partner in the decision process.

It is also a worry that, as Eric Beinhocker notes in The Origins of Wealth (Chapter 13), structure imposed on a dynamic system from the outside has the tendency to impede the natural process of selection and adaptation. Solutions imposed from above are likely, too, to reduce diversity as well, which, as Andrew Haldane noted recently, is a force for stability in a networked financial system. Finally, given the complexity of the financial system, it may be difficult to identify the prescriptive approach toward addressing a risk management failure at the individual firm level which will
achieve a given desired outcome at the systemic level.

As the senior supervisors’ group has noted, the crisis has rewarded firms with a more integrated approach to risk in decision making. The rest of the financial industry will emulate those organizational features that enhance the probability of survival. Given the ongoing nature of this process and the difficulties of implementing a targeted effect from above, a “wait and see approach” by regulators is called for prior to attempting to impose new requirements on the conduct of risk management.

Leave a Comment

Sort content by

California dreamin’ of responsible funding

Relief for Californian state fund investment chiefs, their bosses and their members – with CalSTRS and CalPERS both returning 20+ per cent for the financial year – has been usurped by a reminder to politicians that the funds cannot invest their way to good health and a responsible funding strategy is required. mrec4inarticleinline Sponsored Content

Manager selection a fortunate choice

Whether it involves skill, good judgment or just plain luck, choosing the right manager is never an exact science but recently published research reveals institutional investors can make better decisions by avoiding conventional wisdom around past performance.mrec4inarticleinline Sponsored Content scnative1 scnative2 scnative3

Service providers key to ESG development

There is nothing like a bit of red-hot competition to get the blood pumping – 37 Principle for Responsible Investment (PRI) signatories are running for only six positions on the newly-structured PRI Advisory Council. Let’s hope this has the effect of actually transforming institutional investment portfolios, not just getting these responsible types a little spirited.mrec4inarticleinline

CalPERS looks for emerging private equity managers

Domestic emerging managers are the latest focus in the private equity portfolio of the $239 billion CalPERS, with the fund searching for a new investment vehicle, most likely a customised fund-of-funds, to invest in partnerships that may be under-capitalised.mrec4inarticleinline Sponsored Content scnative1 scnative2 scnative3

Managers refine glidepaths for a smoother ride

Managers are continuing to refine their strategies for target date funds, with more than a third of managers incorporating a tactical overlay into their asset allocation, a recent survey has revealed.mrec4inarticleinline Sponsored Content scnative1 scnative2 scnative3

Nasty surprises on the rise for investors, says ESG expert

Corporate disasters such as the BP Gulf of Mexico oil spill and the Fukushima nuclear disaster will be more prevalent and pose a greater risk to investors unless they act to comprehensively change the way they invest, a sustainability expert has warned.mrec4inarticleinline Sponsored Content scnative1 scnative2 scnative3

Previous