Six Mistakes Executives Make in Risk Management


Nassim N. Taleb, Daniel G. Goldstein, and Mark W. Spitznagel discuss risk management and the shortcomings of common approaches to it in the October 2009 issue of the Harvard Business Review (subscription required).

They offer up six mistakes in the way we think about risk:

1.  We think we can manage risk by predicting extreme events.
2.  We are convinced that studying the past will help us manage risk.
3.  We don’t listen to advice about what we shouldn’t do.
4.  We assume that risk can be measured by standard deviation.
5.  We don’t appreciate that what’s mathematically equivalent isn’t psychologically so.
6.  We are taught that efficiency and maximizing shareholder value don’t tolerate redundancy.

Black Swan events – low-probability, high-impact events that are almost impossible to forecast – are increasingly dominating the economic environment. The world is a complex system, made up of a tangled web of relationships and other interdependent factors. Complexity makes forecasting even ordinary events impossible. So complexity increases the incidence of Black Swan events, because we have a harder time seeing the relationships and connections. All we can predict is that Black Swan events will occur and that we won’t expect them.

The authors propose a different approach to risk management:

“Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand—not a futile attempt to develop sophisticated techniques and stories that perpetuate our illusions of being able to understand and predict the social and economic environment.”

The authors end up equating risk to ancient mythology:

“Remember that the biggest risk lies within us: We overestimate our abilities and underestimate what can go wrong. The ancients considered hubris the greatest defect, and the gods punished it mercilessly. Look at the number of heroes who faced fatal retribution for their hubris: Achilles and Agamemnon died as a price of their arrogance; Xerxes failed because of his conceit when he attacked Greece; and many generals throughout history have died for not recognizing their limits. Any corporation that doesn’t recognize its Achilles’ heel is fated to die because of it.”

That is a bit lofty for my tastes. After all, the danger of the black swan is that you don’t know that you don’t know about that risk. If you know about a risk, you can deal with it. If you know that you don’t know about risk, you can manage that also. It’s hard to be a victim of hubris when you don’t know the danger for your downfall even exists.

Nassim N. Taleb is the Distinguished Professor of Risk Engineering at New York University’s Polytechnic Institute and a principal of Universa Investments, a firm in Santa Monica, California. He is the author of several books, including The Black Swan: The Impact of the Highly Improbable. Daniel G. Goldstein is an assistant professor of marketing at London Business School and a principal research scientist at Yahoo. Mark W. Spitznagel is a principal of Universa Investments.

The Four Areas of Risk and Knowledge


When thinking about risk, I break things into four quadrants. There are things we know and there are things we don’t know as individuals. I then slice that further with the things we know and the things we don’t know as part of the larger organization or conscious state.

Our sweet spot is the things we know that we know. (The green area on my chart.) Those are our operations. Those are the things we have in the realm of compliance. We may not be fully compliant and dealing with the risk, but it is known.

At the opposite corner are the things that we don’t know that we don’t know. This is the black swan territory. This is an area of danger for an organization. This is a knowledge void and a compliance void. These are risks that we don’t know about. We don’t know the magnitude of the risk and we don’t know it even exists. Our models miss this factor. Our organizations are not paying attention to these risks.


The other two areas are also interesting.

The things we know that we don’t know is an area that we know we can improve. (The orange quadrant on my chart.) This is the area of known ignorance or accepted unknowns. We can manage these risks, because we know them. They have been identified, although not quantified. They may be on the list of things to address. Or we may just be willing to run naked in this area and are not worried about the risk.

The last area, the things that we don’t know we know, is an area of opportunity. (The purple quadrant on my chart.) This is risk that the organization is managing, even if it doesn’t know that risk exists. Often this will be a risk associated with another risk, either through causation or correlation. If an organization realizes it has this knowledge, it may be able to create a new opportunity for itself by discovering it. You do need to realize that the causation or correlation may sever at some point, pushing this risk down into the territory of the black swan.

There is also an element of danger in the opportunity area when it comes to records management. These may be the pieces of information that get unearthed during litigation and get an organization in trouble.

It’s important to realize and accept that there are things we don’t know. The key to bettering the organization is to continually try to reduce the amount of stuff that we don’t know.

I want to credit Liam Fahey, a professor at Babson College and co-founder of the Leadership Forum, for the origins of this matrix. He gave a presentation using this analysis to a group of law firm knowledge management leaders in October of 2008.

Managing Risk in the Financial Sector


On Sept. 16, 2009, Compliance Week and Navigant Consulting presented an exclusive editorial roundtable about compliance practices at financial services firms at The Mandarin Oriental Hotel in Boston.

(Apparently not so exclusive, considering I was able to get in. I even made it into one of the article’s pictures. – That’s me eating my fingers in the background.)

Compliance Week Editor-in-Chief Matt Kelly moderated the session, which featured Daniel Bender and John Schneider of Navigant Consulting. The full roster of participants is in the article’s sidebar.

You can read more about what we discussed during the roundtable in an article in Compliance Week: Managing Risk in the Financial Sector. (Subscription Required)

A few of my favorite quotes from the article:

Lou Iglesias, chief compliance officer of PanAgora Asset Management: Part of the role of a compliance and risk officer is “being a student of history” and learning from past industry mistakes. “And you don’t have to look back too far to find them.”

James Bone, founder of GlobalComplianceAdvisors LLC: Because there is no school for compliance, continually developing new staff to keep up with regulations is also a challenge. Even if you have an unlimited budget to hire talent, “finding people who have the right skill-set to do the things that you need to get done” isn’t always easy.

Redefining Risk


Maybe we should define risk as what needs to go right, instead of what could go wrong.

Although I would like to claim credit for this view of risk, it came from James Bone of Global Compliance Advisors, LLC. I met James at a Compliance Week round table last week discussing risk management and regulatory developments for the financial services industry.

By changing the definition, you are now looking at risk through the operations of your company and its business plan. You are no longer the doomsayer, worrying about the myriad of things that could go wrong, some of which range from likely to highly unlikely. You are now focusing on implementing your company’s business plan.

Compliance and risk professionals need to keep an eye on what may go wrong. But, as James points out, it is just as important to make sure things are going right.

Image is by anarchosyn: RISK AWR WC T7L LosAngeles Graffiti Art
http://www.flickr.com/photos/24293932@N00/ / CC BY-SA 2.0

What Went Wrong at Lehman?


Complinet interviewed David DeMuro, head of compliance at Lehman Brothers during its last days in 2008. It should come as no surprise that the warning signs were there for everyone to see but in the midst of a bubble, employees were too scared to raise their hand because there was still money to be made.

DeMuro did not blame the regulators, saying they were looking closely at the workings of the investment bank. He did lay some blame on the Federal Reserve Bank: “The role of the Fed is to take away the punch bowl just as the party gets going. However, in recent times the Fed has chosen to add just a few more shots of vodka to the punch bowl to keep the party going.”

He did peg lots of blame on an over-reliance on financial risk models. There was also an “almost religious belief” in the veracity of the models.

See the webcast yourself (13 minutes): Complinet Interviews David Demuro

Failure to Conduct Diligence Can Lead to SEC Sanctions


If you advertise that you have a due diligence process, you had better follow that process. The Securities and Exchange Commission brought an administrative proceeding against an investment adviser for failing to follow its advertised due diligence program.

The Hennessee Group promoted its process for evaluating and selecting hedge funds as the “Five Level Due Diligence Process.” They represented to clients and prospective clients that they would not recommend investment in hedge funds that did not satisfactorily complete all five levels of its due diligence evaluation. The Hennessee Group routinely touted the excellence and rigor of the process.

According to the SEC’s order, approximately 40 clients invested millions of dollars in the Bayou hedge funds from February 2003 through August 2005 after the Hennessee Group recommended those investments. Most of the money was lost by Bayou’s principals, who defrauded their investors by fabricating Bayou’s performance. The SEC charged the managers of the Bayou hedge funds with fraud in 2005.

“With regard to Bayou, Hennessee Group, at Gradante’s direction, failed to perform two elements of the due diligence evaluation that Hennessee Group had told its clients and prospective clients that it would do: (1) a portfolio/trading analysis; and (2) a verification of Bayou’s relationship with its purported independent auditor. By not conducting the entire due diligence evaluation that it had advertised, and by failing to disclose to clients that its evaluation of Bayou deviated from its prior representations, Hennessee Group and Gradante rendered the prior representations about the due diligence process materially misleading and breached their fiduciary duties to Hennessee Group’s clients.”

To resolve the matter, the Hennessee Group agreed to adopt procedures to ensure proper disclosure of its evaluation processes. It also had to pay $549,000 in disgorgement of its advisory fees related to Bayou, and to pay a civil penalty of $100,000.

This seems like a great example of the consequences of failing to follow your own policies and procedures.

Risk Assessment – Getting It Right


PricewaterhouseCoopers LLP sponsored this webcast: Corporate leaders have long recognized that the pace of change continues to increase in velocity, thus challenging management’s execution of the business’ strategic and tactical plans. Enterprise Risk Management (ERM) is a management tool that can be effective in identifying and assessing the risks that come with change and allow management to respond to their organization’s changing risk profile in a timely fashion. The speakers were all from PricewaterhouseCoopers LLP:

  • Joseph C. Atkinson, Principal
  • Brian Brown, Partner
  • Peter Frank, Director
  • Catherine Jourdan, Director

These are my notes.

Why focus on risk? Changes in the marketplace and the world economy have given the perception that the world is a riskier place. That may or may not be true. But people are more focused on risk. It seems that poor risk management had a role in the recent economic troubles. Joe advocates that risk assessment should be integrated into business processes.

Brian took over and focused on defining risk and risk management. “Risk assessment is a systematic process for identifying and evaluating the events that could affect the achievement of an organization’s objectives, both positively or negatively.”

Risk assessment can be mandatory or voluntary. Anti-Money-Laundering, Basel II, and Sarbanes-Oxley compliance all require formalized risk assessment and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Often it is also voluntary, driven by business needs, to assess development opportunities, talent retention, operational efficiency and performance improvement.

There are three primary frameworks for risk management: COSO’s ERM requirements, the Federal Sentencing Guidelines, and OCEG’s Red Book.

Peter took over and focused on the challenges to an effective risk assessment. Common business challenges include:

  • Risk assessment is viewed only as an episodic initiative, a required report that needs to be updated
  • An inordinate amount of effort is invested in gathering data and information, and the volume is difficult to interpret and leverage in a meaningful way for executive leadership
  • The risk assessment is viewed as a conclusion of the process, rather than a starting point.
  • Risks are identified and risk mitigation practices are emphasized without meaningful understanding of impact, causing some risks to be over-controlled and stifling innovation
  • Risk assessment is viewed as an additional function or department, not as an integrated management capability to embed in day-to-day activities
  • Accountability for risk management and performance management resides in silos
  • Multiple risks assessments are performed, using different definitions and measurements of risks, creating confusion and making confident action impossible

Catherine moved on to the six essential steps to performing a risk assessment.

  1. Identify relevant business objectives
  2. Identify events that could affect the achievement of objectives
  3. Determine risk tolerance
  4. Assess inherent likelihood and impact of risks
  5. Evaluate the portfolio of risks and determine risk responses
  6. Assess residual likelihood and impact of risks

Joe came back to conclude that “risk assessment discipline should be embedded in the organization’s regular business processes and yield valuable information to support decision-making to help systematically link risk, reward, and performance management.”

Ten Principles for a Black Swan-Proof World

Nassim Nicholas Taleb penned an opinion piece in the Financial Times: Ten principles for a Black Swan-proof world.

Check out the piece for details behind each item:

1. What is fragile should break early while it is still small.
2. No socialisation of losses and privatisation of gains.
3. People who were driving a school bus blindfolded (and crashed it) should never be given a new bus.
4. Do not let someone making an “incentive” bonus manage a nuclear plant – or your financial risks.
5. Counter-balance complexity with simplicity.
6. Do not give children sticks of dynamite, even if they come with a warning.
7. Only Ponzi schemes should depend on confidence. Governments should never need to “restore confidence”.
8. Do not give an addict more drugs if he has withdrawal pains.
9. Citizens should not depend on financial assets or fallible “expert” advice for their retirement.
10. Make an omelette with the broken eggs.

If you have not read The Black Swan yet, you should. It was one of those few books that changed the way I view the world.

Ways Companies Mismanage Risk


René M. Stulz put together Six Ways Companies Mismanage Risk for the March issue of the Harvard Business Review. Professor Stulz summarizes his thoughts in that “conventional approaches to risk management present many pitfalls. Even in the best of times, if you are to manage risk effectively, you must make extremely good judgment calls involving data and metrics, have a clear sense of how all the moving parts work together, and communicate that well.” Risk management is a new discipline, moving from the domain of the quant geeks to the board room. It is hard to pull it all together.

Based on the recent downfalls of financial companies, it is clear that they lost a sense of how the pieces of their risk management worked together. (See my earlier post: The Risk Management Formula That Killed Wall Street.) You need to understand the data, understand the weaknesses of the formulas that manipulate the data, and understand what is missing from the end result. Most of the danger comes from what you don’t know that you don’t know. To avoid that, you need to continually learn so there is less you don’t know, and continually be cognizant that there is still much that you don’t know.

Here are the six ways from Professor Stulz:

  • Lack of appropriate data. The rapid financial innovation of recent decades has made historical data less useful.
  • Narrow measures of risk. Traditional daily measures of risk can’t capture a company’s full exposure when market fundamentals are shifting.
  • Overlooked risks. Hedge funds that bought high-yielding Russian debt in the 1990s failed to properly account for counterparty risk.
  • Hidden risks. Unreported risks have a tendency to expand in financial institutions.
  • Poor communication. Complex and expensive risk-management systems can induce a false sense of security when their output is poorly communicated to top management.
  • Rate of change. The risk characteristics of securities may change too quickly to enable managers to properly assess and hedge risks.

“If you live in Florida or Louisiana, you shouldn’t spend a lot of time thinking about how likely it is that you’ll be hit by a hurricane. Rather, you should think about what would happen to your organization if it was hit by one and how you would deal with the situation. Instead of focusing on the fact that the probabilities of catastrophic risks are extremely small, risk managers should build scenarios for such risks, and the organization should design strategies for surviving them.”

René M. Stulz is the Everett D. Reese Chair of Banking and Monetary Economics at The Ohio State University’s Fisher College of Business in Columbus.