The future of risk management: How independent should risk management be?

Barry SchachterBarry Schachter, research associate with the EDHEC Risk and Asset Management Research Centre and director, quantitative resources, Moore Capital Management believes the current crisis is a catalyst for change in the conduct of risk management because it has challenged the efficacy of the
existing risk management model, but simply imposing regulation is not the change that’s needed.

Not only has the current crisis given many (myself included) a deeper appreciation of the meaning of stress, it also has become a catalyst for change in the conduct of risk management. The crisis is a catalyst because it has challenged the efficacy of the existing risk management model.

The response to the challenge is coming from two levels. At the level of the individual firm, risk management approaches associated with survivability are being enhanced and copied, while approaches associated with
failure are being discarded.

While no intelligent designer is responsible here, at another level, those with responsibility for ensuring the smooth running of the financial system are at work modifying the parameters governing how individual firms approach the conduct of risk management. While it is folly to predict what will result, it is fruitful to speculate on how these forces of change may interact and how those interactions may influence the future course of risk management.

Before proceeding, I intend to limit the scope of my argument by distinguishing between risk management and risk measurement and exclude the latter. I feel I must justify that bifurcation, as the greatest portion of the focus of critics of risk management has been on failings of risk measurement and alleged failure of risk managers to recognize the failings of their risk measures.

Sponsored Content

The now popular view of risk managers is essentially a cartoon creation, a bit like the character Peter “Wrong Way” Peachfuzz, from the 1960’s TV cartoon “The Bullwinkle Show”, whose supreme self confidence as captain of the
S.S. Andalusia was matched only by his lack of both good sense and sense of direction.

In a similar manner, the cartoon risk manager exhibits unlimited faith in measures she assumes to be comprehensive of all sources of risk, free of estimation error, and a reflection of Gaussian uncertainty.

In fact, no risk managers hold these cartoon character beliefs. The invention of Value-at-Risk did not spawn a world of such risk managers. Credulity is not the risk manager’s Achilles’ heel. Fact is that risk managers are not the witless tools of their risk measures, risk measures are (some of) the tools of risk managers. Therefore, while a discussion of the
future role for risk measurement would be insightful and fruitful, it is not necessary to discuss the tools of the risk manager in order to examine the fundamental aspects of how risk management within the financial organization
may evolve.

In March of this year, at one of the many U.S. Congressional hearings on the crisis, one legislator asked AIG CEO Edward Liddy, “Where was the failure of your own internal risk-management procedures?”

A failure of the risk management process itself is a theme more fundamental than the possible failure of either measurement or data interpretation. By the risk management process I mean the manner in which, at all levels of the organization, business decisions take risk information into account, that is, how risks are evaluated one to another, how returns are evaluated relative to risks, and how incentives within the organization work to support consistent decision making with respect to risk taking.

If this process is flawed, the quality of risk measurement is of little relevance. If risk measures are flawed (and they are), good risk management is still relevant.

Failures in the risk management process are evident from the crisis. However, we cannot conclude this simply from a superficial study of the observed outcomes. Let me state (what I used to think of as) the obvious. Observing that a company experiences losses is not prima facie evidence of a failure in the risk management process. Returns are compensation for risk taking, and it is definitional that risk entails risk of loss. For the same reason, bankruptcy is not prima facie evidence of excessive risk taking. Failure to predict the future is not a failure of risk management, as fortune telling ability is not prevalent in humans (though it would be an advantage in avoiding, but no guarantee against, folly).

Further, if risk managers fall short of 100 per cent accuracy in interpreting the future implications of the sum total of all available data at a given point in time, without benefit of hindsight bias, we cannot claim that to be evidence of a failure of risk management. Finally, if we were able to know for a fact that the decisions made at individual financial
institutions, the managers of which having duly considered the risks and returns, inexorably lead, through a dynamic process of interaction involving complex feedback mechanisms, to a systemic crisis, even then, we cannot claim
that at the level of the individual firm we have evidence of a failure of risk management. None of this is an apology for risk management failure. Rather I am arguing that to find evidence of failure in the risk management process, we
have to look to something else.

I think we can find evidence that something might be wrong. It was recently widely reported that at AIG the corporate risk staff were limited from direct interaction with the Financial Products group. While details provided were few and the context fuzzy, something doesn’t seem right with this picture. It raises suspicions that risk management, in its current manifestation within financial firms, is not a fully integrated aspect of management decision making. The current opinion attributes risk management failure (in part) to a lack of sufficient independence, and therefore
recommendations have been put for to push for increased independence or more risk management responsibility at the highest levels of the organization. The idea that a good risk manager is independent has become dogma in risk
management philosophy. I will argue below that the AIG anecdote can be interpreted in conflicting ways, and a deeper examination of this tenet is in order.

When a risk manager is acting as an independent set of eyes on risk taking, the challenges to effectiveness are two, both epistemological. Can the risk manager deduce a thorough understanding of the risks associated with a decision and can the risk manager effectively communicate that understanding to the decision maker. C. P. Snow, in his book, The Two Cultures, re-tells an apocryphal story of the Oxford don who visits Cambridge for dinner. The visitor “addresses some Cheerful Oxonian chit-chat at the one opposite to him, and got a grunt. He then tried the man on his own right hand and got another grunt. Then rather to his surprise, one looked at the other and said, ‘Do you know what he’s talking about?’ ‘I haven’t the least idea’ was the reply. The President of the college then explained to the don, “Oh, those are mathematicians! We never talk to them.” (Cambridge University Press, 1964, p. 3)

The forces at work here are cultural and fundamentally so. In small organizations, individuals’ roles are frequently blurred, information is widely shared, and decision making is highly centralized. It is no accident that employees of small business frequently think of their colleagues as family. Large organizations cannot operate effectively in this way. To be effective, hierarchies are instituted, roles are narrowed, information is localized, and decision making is decentralized. Hierarchies have a downside, however.

The creation, through hierarchies, of independent webs of knowledge makes organizations less adaptable and hinders the flow of information across groups. It is not uncommon to refer to members of other groups (IT, or Risk perhaps) as “them,” and thereby to create a tribal image of  “otherness” that becomes a barrier to cooperation in achieving the overall goals of the enterprise.

Worse, over time, as individual groups evolve their separate functions, they may begin to work at cross-purposes. Eventually, one group’s added value (either stand alone or as a contributing source of value to a larger effort) may become incomprehensible to another. If a hierarchical structure is to work, then the benefits anticipated from the creation of separate functions should outweigh the resulting added drag on the organization. In this tension lies the dilemma for the future path of risk management.

The idea of an independent risk function evolved from the regulatory response to the derivatives blow-ups of the early 1990’s (see, for example, the U.S. Office of the Comptroller of the Currency Banking Circular 277 (October, 1993)) and the adoption of Value at Risk as a (partial solution) to the risk aggregation problem that had become more urgent with the growth of trading books of those same derivatives. Partly imposed from above and partly arising from the propagation at the individual firm level of an endogenous adaptation, risk management at that time was responsible for the physical technology relevant to risk taking, i.e., identifying, quantifying, monitoring, and controlling (through enforcement of limits) risk. These functions are both arm’s length and passive with respect to risk taking decisions.

In the context of the current crisis pundits have pointed to failure among both the physical technologies and some aspects of the risk culture, i.e., those qualitative aspects of the organization, sometimes called social technologies, surrounding the decision making process. A flaw in the social technologies can be inferred when we see the information flow about risk being actively blocked as it may have been in the case of AIG.

As I noted at the outset, natural forces of selection are already operating in the response to the failures related to the crisis. Supervisors’ top-down response is already being seen as well, specifically, a push for increased independence of risk management.

Independent risk management works (pretty well) when responsible for the physical technologies related to risk taking. It requires a set of specialized skills and entails a set of activities that can be carried out centrally and separate from the rest of the business organization.

I worry that mandating from above the particulars of the extent of independence in the risk function may tip the balance against the net benefits of an independent structure for risk, and lead to fewer and less meaningful discussions of risk, the opposite of what Leo Tilman, in his excellent book on business strategy, Financial Darwinism, calls
“risk-management-based executive decision making,” Internal discussions of risk must emanate from a set of cultural rules where risk, to take C. P. Snow’s words from another context, “has got to be assimilated along with and as part
and parcel of, the whole of our mental experience, and used as naturally as the rest.” I worry that the too-independent risk function will become an outsider rather than a partner in the decision process.

It is also a worry that, as Eric Beinhocker notes in The Origins of Wealth (Chapter 13), structure imposed on a dynamic system from the outside has the tendency to impede the natural process of selection and adaptation. Solutions imposed from above are likely, too, to reduce diversity as well, which, as Andrew Haldane noted recently, is a force for stability in a networked financial system. Finally, given the complexity of the financial system, it may be difficult to identify the prescriptive approach toward addressing a risk management failure at the individual firm level which will
achieve a given desired outcome at the systemic level.

As the senior supervisors’ group has noted, the crisis has rewarded firms with a more integrated approach to risk in decision making. The rest of the financial industry will emulate those organizational features that enhance the probability of survival. Given the ongoing nature of this process and the difficulties of implementing a targeted effect from above, a “wait and see approach” by regulators is called for prior to attempting to impose new requirements on the conduct of risk management.

Leave a Comment

Sort content by

Swiss referendum: funds’ headache or investor utopia?

The idea of referendums setting the agenda for institutional investors may be a frightening pipe dream in much of the world, but Switzerland’s unique brand of direct democracy is set to revolutionise its funds’ priorities. Swiss funds are due to be anointed as no less than the country’s official guardians against “rip-off” executive salaries. That

Siguler: buy good quality companies

As the world and companies globalise, George Siguler, managing director and founding partner of private equity firm, Siguler Guff, has a simple recommendation for investors. “My recommendation for stock investors is to look at great global companies,” he says. “Look at companies like Johnson and Johnson, Unilever or Boeing. They all have great balance sheets

A series of shorts
don’t make a long

It is easy for long-term investors to avoid short termism, and the solution lies in avoiding momentum and conducting risk analysis using cash flows – not market pricing. “Diversification is a joke. Diversification and risk analysis relies on pricing, but pricing is distorted because it’s driven by momentum,” says Paul Woolley, chairman of the Paul

ShareAction mainstreams responsible investment

“ShareAction has become the premier organisation to give voice to those who wish to invest their values as well as their assets,” enthused former vice president of the United States Al Gore, speaking to a packed audience at ShareAction’s annual lecture in London’s Guildhall last week. ShareAction is only a tiny pressure group but Gore’s

Cass creates principles
for DC model

As almost every market in the world looks to move from defined benefit to some sort of defined contribution model, academics at the Pensions Institute of the Cass Business School, City University London have developed a set of 15 principles for designing a defined contribution model. The principles, consistent with the recently published OECD guidelines, are based

Pension funds reject EU financial transaction tax

When the European Commission announced plans on February 14 to introduce a Financial Transaction Tax (FTT) by the start of 2014, it planted a bomb under Europe’s pension funds. That is not, of course, the view of Algirdas Šemeta (pictured below right), the EU’s commissioner for taxation. He says the proposed tax is “unquestionably fair

Previous