Watch Your Back! The Machines are Coming!!!

Did you see the 2004 movie I Robot?  Do you remember the scene where the hoards of silver robots came down the streets and started to take over?

Where is Robot Take Over on your risk list?

In Artificial intelligence – can we keep it in the box? two writers from Cambridge argue that the threat from AI is not an “if?” question, but a “when?” question.

The authors are part of a group at Cambridge (actually, there are three members of the group) who are interested in studying threats from technology.  “Many scientists are concerned that developments in human technology may soon pose new, extinction-level risks to our species as a whole.” says their website, The Cambridge Project for Existential Risk.

Go back and watch I Robot again.  The only reason that the robot rebellion was foiled was because there was one robot who was designed to be independent enough to disagree.

If the “group” from Cambridge is correct, we need to get working on designing that robot that will save the day.

But first, we should ask them what they mean by “many scientists”?

Advertisement

Knowing and Thinking must be linked to Doing

“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”

Too few risk managers are actually empowered to actually DO anything.  Natural human nature steps in which leads these disempowered risk managers to elevate the importance of the things that they are empowered to do.  Knowing and Thinking are two of those things.

It is of course important to KNOW your risks and the possible paths to loss that go with each risk as well the current status of your exposures.  Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about their risks that they can necessarily be counted on to react.  But that is often an unstated and unrequired assumption.  Perhaps regulators shy away from going any further in their prescriptions because of lack of authority.

Risk Management systems, such as ISO31000, build up a massive infrastructure of steps that are required to support the KNOWing objective.  A risk manager applying ISO31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.

Nason is right to suggest that THINKing is a step further.  But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.

The risk manager who wants to be effective must start with the end in mind (see Covey).  DOing must be the purpose of a risk management system.  A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.

Is this just MATH that you do to make yourself feel better?

Megyn Kelly asked that of Karl Rove on Fox TV on election night about his prediction of Ohio voting.

But does most risk analysis fall into this category as well?

How many companies funded the development of economic capital models with the expressed interest in achieving lower capital requirements?  How many of those companies encouraged the use of “MATH that you do to make yourself feel better” MTYDTMYFB

Model validation is now one of the hot topics in Risk model land.  Why? Is it because modelers stopped checking when they got the answer that was wanted, rather than working at it until they got it right?  If the later was the answer, then there would be zero additional work to do to validate a model.  That validation work would already be done.  MTYDTMYFB

The Use Test is quite a challenge for many.  First part of the challenge is to produce an example of a situation where they did modeling of a major risk decision before that decision was finalized.  Or are the models only brought into play after all of the decisions are made?  MTYDTMYFB

There are many other examples of MTYDTMYFB.   Many years ago when computers were relatively new and dot matrix printers were the sign of high tech, it was possible to write a program to print out a table of numbers that had been developed somewhere else.  The fact that they appeared on 11 x 14 computer paper from a dot matrix printer gave those numbers a sheen of credibility.  Some managers were willing to believe then that computers were infallible.

But in fact, computers, and math, are about as infallible as gravity and about as selective.  Gravity will be a big help if you need to get something from a higher place to a lower place.  But it will be quite a hindrance if you need to do the opposite.  Math and computers are quite good at some things, like analyzing large amounts of data and finding patterns that may or may not really exist.

Math and computers need to be used with judgement, skepticism and experience.  Especially when approaching the topic of risk.

Statistics works like gravity helping us take things downhill when you are seeking to estimate the most likely value of some uncertain event.  That is because each additional piece of data helps you to hone in one the average of the distribution of possibilities.  Your confidence in your prediction of the most likely value should improve.

But when you are looking at risk, you are usually looking for an estimate for extremely unlikely adverse results.  The principles of statistics are just like the effect of gravity on moving heavy things uphill.  They work against you.

Take correlation, for example.  The chart above can be easily reproduced by anyone with a spreadsheet program.  RISKVIEWS simply created two columns of random numbers that each contained 1000 numbers.  The correlation of these two series for all 1000 numbers is zero to several decimal places.  This chart is created by measuring the correlation of subsets of that 1000 that contained 10 values.

What this shows is how easy it is to get any answer that you want.  MTYDTMYFB

How Much Resilience Do We Need?

Much too much of what we do relies upon the simplest idea of linear extrapolation.  It must be hard wired into human brains to always think first of that process.  Because we frequently seem to miss when extrapolation does not work.

Risk managers desperately need to understand the idea of system capacity.  The capacity of a system is a point beyond which the system will fail or will start to work completely differently.

The obvious simple example is a cup with a small hole in the bottom.  If you pour water into that cup at a rate that is exactly equal to the rate of the leak from the hole at the bottom, then the water level of the cup will be in equilibrium.  A little slower and the cup will empty.  A little faster and it will fill.  Too long in the fill mode and it will spill.  The capacity will be exceeded.

The highly popular single serving coffee machines are built with a fixed approach to cup capacity.  The more sophisticated will allow for two different capacities, but usually leave it to the human operator to determine which limit to apply.

For the past several years, there have been a number of events, the latest a hurricane that damaged an area the size of Western Europe, that have far exceeded the resilience capacity of our systems.  The resilience capacity is the amount of damage that we can sustain without any significant disruption.  If we exceed our resilience capacity by a small amount, then we end up with a small amount of disruption.  But the amount of disruption seems to grow exponentially as the exceedance of resilience capacity increases.

The disruption to the New York area from Hurricane Sandy far exceeded the resilience capacity.  For one example, the power outages still continue two weeks after the storm.  The repairs that have been done to date have reflected herioc round the clock efforts by both local and regional repair crews.  The size of the problem was so immense that even with the significant outside help, the situation is still out of control for some homes and businesses.

We need to ask ourselves whether we need to increase the resilience capacity of our modern societies?

Have we developed our sense of what is needed during a brief interlude of benign experiences?  In the financial markets, the term “Great Moderation” has been used to describe the 20 year period leading up to the bursting of the dot com bubble.  During that period, lots of financial economics was developed.  The jury is still out about whether those insights have any value if the world is actually much more volatile and unpredictable than that period of time.

Some weather experts have pointed out that hurricanes go in cycles, with high and low periods of activities.  Perhaps we have been moving into a high period.

It is also possible that some of the success that mankind has experienced in the past 50 years might be in part due to a tempory lull in many damaging natural phenomina.  The cost of just keeping even was lower than over the rest of mankind’s history.

What if the current string of catastrophes is just a regression to the mean and we can expect that the future will be significantly more adverse than the mild past that we fondly remember?

We need to come to a conclusion on those questions to determine How Much Resilience Do We Need?

Getting Started in a Risk Management Career

RISKVIEWS got an email request…

I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you chose the consulting risk management side over more of a singular corporation risk management position?”  My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go.   Daniel Gable

Daniel, some Risk Management career paths are very new.  New enough that there are not yet any people who entered the field out of college and who are now in retirement.  Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs.  But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership.  Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management.  So their senior staff positions will have some people who also did not start out in a risk management career.

RISKVIEWS’ perspective is that risk management will be best served if a balance of highly trained risk management specialists along with a significant number of people with broader business perspectives and especially experiences working in the areas where the risk is taken on.

The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.

WARNING: SPORTS ANALOGY AHEAD

The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions.  There are an extremely small number of players who can excel at either offense or defense.  Most players in most sports are much better at one or the other.  Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.

But only some risk management work can be accomplished by highly technically competent trained risk managers.  Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong.   To get this experience, one needs to have lived in the business, understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in.  This is all experience that is very difficult to get working from within the risk management program.

At the top of the risk management system is a Chief Risk Officer.  Like most senior executives, this person will need a high degree of leadership/managerial/political skills.  Perhaps much more so than most of the people who work in the risk management program.  In the last year or so, there have been a steady stream of bank CROs moving to CEO positions.  So in many places, it is a position with a serious future.

Finally, Daniel asked about consulting vs. working inside a company?  First of all, many consulting firms hire few if any entry level people.  They usually look to find people with at least a few years of experience inside of the firms that they are likely to consult for.  Once you have enough experience to have a choice, the option is for breadth vs. depth.  RISKVIEWS has over ten years of experience in both situations.  Inside of a company, a person may get the chance to develop a deep understanding of one or several aspects of the company operations.  Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well.  Many corporate jobs are also in a fixed location, so that people who have strong reasons to want to be home most nights would prefer that.  While there is some uncertainty about continuation of corporate jobs, many jobs are secure for a decade or more at a time.  Consulting positions on the other hand provide the person to get a very broad perspective on the many different ways that things are being done in the industry.  Consulting often offers the possibility of doing different work without it having a significant impact on career path.  Consultants often travel, some a little and most quite a bit.  An advantage for some and a big disadvantage for others.  Consulting work is insecure, often it is unknown what work a consultant will be doing in six months.  Some people are very excited by the variety and uncertainty of consulting work.  Consultants need to have excellent communications skills, especially the “client facing” consultants.

In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar.  A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.

Daniel is studying Finance as well as Risk Management.  RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.

 

Math Wins

The emerging US election results are showing that the more math based people like Nate Silver were extremely accurate in predicting the outcome of the election and the GUT based people were totally off base. See NYT.

This is the same comparison that psychologists have been doing for 50 years between clinical judgement and statistical reasoning.  See The Evolution of Thinking.

The pundits making GUT predictions seem to be totally fooled by the Confirmation Bias.  They only gave any credibility to information that matched their preferred conclusion.

Risk managers need to take care.

This does not mean that the statistical risk models must be right.

That is because risk models are fundamentally based upon opinions.  They are fundamentally a tool of the Confirmation Bias.

Risk models are not models of “what is” as much as they are models of “what will be”.  They always reflect one or more biases:

• A bias that the future is predictable.  That has not particularly been the case for the past 4 years or so.  The future has been decidedly unpredictable.  Uncertain is the word that we read over and over.  Companies with highly complex models have had less of an advantage over companies without than during the Great Moderation.
• The bias that the future will be just like the past.  This bias manifested itself as a totally disastrous blindness to the risks that led to the Great Recession.  Or the Fukishima  Reactor disaster.  It was thought that something could not happen if it has not happened before.
• The bias that the market reflects all available information.  The market value of sub prime mortgage CDO in 2006 when mortgage defaults first started happening just does not confirm this bias.  And at least half of all corporate defaults happen in a cliff, not a gradual decline.
• The bias that things will be much worse than everyone else thinks.  (This is the position of folks like Nassim Taleb and Nouriel Roubini.  They can predict disaster every week and be right occasionally.  But this is not a useful position for risk managers to take in general.  Chicken Little was right, but just once.

So risk managers need to be careful about taking too much comfort from the win for statistics in the Presidential race.