The Risk Management Formula That Killed Wall Street

Felix Salmon published a great article in Wired, Recipe for Disaster: The Formula That Killed Wall Street. The article looks at the widespread use of the Gaussian copula function in assessing the risks in mortgage-backed securities.

The Gaussian copula function tries to overcome the difficulty of assessing the multitude of correlations among all the risks in a pool of mortgages. Instead of waiting to assemble enough historical data about actual defaults, which are rare in the real world, David X. Li’s Gaussian copula function uses historical prices from the Credit Default Swaps market. Li wrote a model that used the price of Credit Default Swaps, rather than real-world default data, as a shortcut to determining the correlation between risks. There is an inherent assumption that the CDS markets can price default risk correctly.

I did not do well in my college statistics class. (It was on Friday afternoon, close to happy hour.) But I do remember two concepts. One, correlation does not equal cause and effect. Two, you always need to challenge the underlying assumptions and methodology, because they can have dramatic effects on the data. (And third, do not schedule difficult classes on Friday afternoon.)

According to Felix’s story, Wall Street seemed to miss some of the underlying assumptions in the Gaussian copula function. Since the risk profile was based on the CDS market, the data only looked as far back as the CDS market had existed. That was less than ten years. During that time, home prices did nothing except skyrocket. Unfortunately, the last real estate crash was before that period.

Li’s formula was used to price hundreds of billions of dollars worth of mortgage-backed securities. As we now see, Wall Street got it wrong.

It looks like I did not waste my time with statistics and that I got the key knowledge. Look closely at correlation to see why things are moving together. Challenge the underlying assumptions and make sure you understand how they affect the end product of your results. Those are good lessons for anyone involved in enterprise risk management.

When Markets Turn

The Economist ran a special report on the future of finance last week. One item caught my eye – When Markets Turn: A Parable of How Modern Finance Can Go Wrong. The story looks back at the collapse of Long-Term Capital Management in 1998. The article applies some of the lessons of that fund’s collapse to the current collapse of the credit markets.

They identify the theory put forth by Mr. Soros on “reflexivity.” Once people come to believe that an economic theory is true, they overinvest in that economic theory. “Once people come to believe that house prices never fall, they will buy too much property—and house prices will fall. When they believe that shares always do well in the long run, they will buy too many shares—and the market will do badly for years.”

Reflexivity makes financial markets more dangerous than casinos. “The numbers on a roulette wheel never change, but markets offer no guarantee that yesterday’s odds will be the same tomorrow.”

The Growing Importance of Enterprise Risk Management

Kyle McNabb writes about The Growing Importance of Enterprise Risk Management on his Forrester blog. In this article he lets us know about the things he learned after talking with a large number of professionals who work for or directly support executives responsible for compliance and risk management endeavors.

  1. Boards and CFOs will prioritize initiatives supporting their enterprise risk management efforts.
  2. They will focus on driving risk management into business decisions.
  3. They believe technology’s fundamental to helping them succeed.

What it means for information and knowledge management:

  1. Understand the business context of an important role – those responsible for risk management.
  2. Redefine how information management technologies provide value to the enterprise.

What is Enterprise Risk Management?

The Committee of Sponsoring Organizations of the Treadway Commission adopts this definition of Enterprise Risk Management:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to ac

You can find that definition in the Enterprise Risk Management – Integrated Framework Executive Summary (.pdf) by the Committee of Sponsoring Organizations of the Treadway Commission.

Risk IQ

Sumner Blount and CA have coined the term Risk IQ to address a company’s risk management environment: Risk IQ – The Key to Effective Risk Management. The idea is to deliver comprehensive, timely and accurate information to the decision makers to improve the decision-making process.

They break the Risk IQ into two parts: visibility and insight.

You need visibility into the right information at points in the business process to identify risks across the enterprise. You need easy access to it. You are all too likely to ignore or not ask for a report that is difficult to create.

You need insight into the information so it needs to be structured and presented in a way that allows the decision-maker to properly assess, quantify and manage the associated risks.

Improving your organization’s Risk IQ by establishing a common risk management framework can have significant financial benefits, in addition to controlling enterprise risks more effectively. Standard & Poor’s, for example, uses the level of risk management maturity as part of its overall corporate evaluation. So, poor risk management leads to a lower rating, which can increase the cost of borrowing, among other consequences.

Business Risk Intelligence

These are my notes from the OCEG webinar: Business Risk Intelligence.

  • Carole Stern Switzer, President of OCEG
  • Paul Shultz, Managing Director of Protiviti
  • Dave Anderson, Senior Director of SAP Business Objects

Paul frames the problem: Risk is often just an afterthought of strategy, resulting in strategic objectives that may be unrealistic and risk management being an appendage to performance management.

Paul breaks the solution down into components: enable, measure, plan, aim, aspire and protect to enable technology to build enterprise risk intelligence.

Dave views risk intelligence as a piece of performance. Risks can prevent you from reaching your goals. Strategy needs context to make decisions and needs to be connected to operations. Then there may be a gap between the strategy and the execution.

Dave’s (and SAP’s) approach is to integrate strategy and risk management by addressing financial risk, compliance risks, market risks, process risks, and people risks.

Dave points out that S&P now requires enterprise risk management as part of the evaluation criteria in its credit rating calculations.

Carole pointed out that you want transparency so that risk is not hidden (whether intentionally or not).

It was interesting to hear the use of KRIs in connection with KPIs. (That is, Key Risk Indicators and Key Performance Indicators.)

From Burden to Benefit: Making the most of regulatory risk management

The Economist Intelligence Unit published an executive briefing: From Burden to Benefit: Making the most of regulatory risk management (executive summary) (full report .pdf).

It is an irony of modern business that regulation, a concept designed to reduce risk by protecting the interests of corporates, customers and society at large, has itself become one of the most serious risks that companies face. From dealing with unfamiliar regulatory frameworks in overseas markets to scanning the environment for new threats, regulatory risk management has become a time-consuming and costly activity that demands board-level engagement and a rigorous approach.

According to the report, two-thirds of respondents say the biggest problem that hinders their company’s ability to manage regulatory risk is “complexity of the regulatory environment.”

On the positive side, most said they had strong capabilities dealing with regulatory risk. But the big weakness was the problem of dealing with multiple regulatory environments, both domestically and internationally, and juggling multiple projects.

Thanks to Leon of SOX First for pointing out the report: Compliance Challenges.

Risk Mismanagement

I really enjoyed the story by Joe Nocera in the New York Times: Risk Mismanagement. The author focuses on the failures of risk management during the most recent financial crisis.

The author starts with the failure of the VaR (Value at Risk) model used by many companies. He then moves on to the theories of Taleb captured in his book Black Swan (next on my reading list).

Taleb says that Wall Street risk models, no matter how mathematically sophisticated, are bogus; . . . . And the essential reason for this is that the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure. . . . Because we don’t know what a black swan might look like or when it might appear and therefore don’t plan for it, it will always get us in the end.

The key for a compliance professional is to handle the current known risks to your company, while at the same time keeping an eye out for unknown risks.

Does Your D&O Policy Cover Criminal Investigations?

Kevin M. LaCroix of The D&O Diary weighs in on coverage of criminal investigations: D&O Insurance: Corporate Criminal Investigations. He references a December 2008 article by Patricia Bronte of Jenner & Block entitled D&O Coverage for Corporate Criminal Investigations (.pdf).

The main issue is how your policy defines “criminal conduct.” Some policies define it with “commenced by the return of an indictment.” That definition leaves out a lot of money spent trying to avoid (or avoiding) indictment and responding to an investigation.