Risk Management is all about avoiding taking Too Much Risk.
And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.
- Misunderstanding the risk involved in the choices made and to be made by the organization
- Misunderstanding the risk appetite of the organization
- Misunderstanding the risk taking capacity of the organization
- Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity
So Risk Management needs to concentrate on preventing these four situations. Here are some thoughts regarding how Risk Management can provide that.
1. Misunderstanding the risk involved in the choices made and to be made by an organization
This is the most common driver of Too Much Risk. There are two major forms of misunderstanding: misunderstanding the riskiness of individual choices and misunderstanding the way that risk from each choice aggregates. Both of these drivers were strongly in evidence in the run-up to the financial crisis. The risk of each individual mortgage-backed security was not seriously investigated by most participants in the market. And the aggregation of the risk from the mortgages was underestimated as well. In both cases, there was some rationalization for the misunderstanding.
The misunderstanding was apparent to most only in hindsight, and that is the usual pattern for misunderstood risks. Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.
This problem is particularly common for firms with no history of consistently and rigorously measuring risks. Those firms usually have very experienced managers who have been selecting their risks for a long time and who may work from rules of thumb. Those firms suffer this problem most when new risks are encountered, when the environment changes in ways that make their experience less valid, and when there is turnover of their experienced managers. Firms that use a consistent and rigorous risk measurement process also suffer from model-induced risk blindness. The best approach is to combine analysis with experienced judgment.
2. Misunderstanding the risk appetite of the organization
This is common for organizations where the risk appetite has never been spelled out. All firms have risk appetites; it is just that in many, many cases, no one knows what they are in advance of a significant loss event. So misunderstanding the unstated risk appetite is fairly common. But actually, the most common problem with unstated risk appetites is underutilization of risk capacity. Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be overcautious and take less risk to make sure that things are “safe”.
3. Misunderstanding the risk taking capacity of the organization
This misunderstanding affects both companies that state their risk appetites and companies that do not. For those that do state their risk appetite, this problem comes about when the company assumes that it has contingent capital available but does not fully understand the contingencies. The most important contingency is the usual one regarding money: no one wants to give money to someone who really, really needs it. The preference is to give money to someone who has lots of money and who is sure to repay. For those that do not state a risk appetite, each person who has authority to take on risks makes their own estimate of the risk appetite based upon their own estimate of the risk taking capacity. It is likely that some will view the capacity as huge, especially in comparison to their decision. So most often the problem is not misunderstanding the total risk taking capacity, but instead mistaking the available risk capacity.
4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization
A well-established risk management system will have solved the above problems. However, that does not mean that the firm's problems are over. In most companies, there are rewards for success in terms of current compensation and promotions. But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking. So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm. If the excess risk that they then take produces excess losses, then the firm may take a large loss. But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as a highly successful person who saw an opportunity that others did not. This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.
So get to work, risk managers.
Make sure that your organization
- Understands the risks
- Articulates and understands the risk appetite
- Understands the aggregate and remaining risk capacity at all times
- Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity