Monday, January 3, 2011

A Risk by Any Other Name Would Burn as Bad

Risk management is bread-and-butter for Corporate-level execs, Line-of-Business leaders, and Risk Managers. Crises like 2008 provide hard evidence that rock-solid risk management is an integral part of the business of finance. Those financial institutions (FIs) that had a comprehensive, objective, and disciplined risk management framework survived. Those that outsourced their risk management to their business partners, trading desks, LOB leaders, or customers found their balance sheets pushed into risky and turbulent waters. Most did not survive the voyage.

What follows is a brief and anecdotal discussion of the evolution of how FIs view, and therefore address risk. My objective in trawling this history is to demonstrate:
  1. That risks mutate as rapidly as ( the evolution of the business model * the increase in the complexity of the industry )
  2. That, before managing risk, it is necessary to clearly define and measure it (but that failing to measure it doesn't mean it doesn't exist)
  3. That the industry is always at least a step (or 3) behind
  4. That Financial Crime (including topics like Money Laundering, Identity Theft, Fraud, Unauthorized Access, and Data Theft) is the next frontier in the evolution of Risk Management
In the 60's and '70's, and thanks in part to the likes of George Soros, FIs discovered that credit risk was a relative measure. A whole market could go up ... or down, taking even good credits with it. FIs realized they were in a race to catch and control a previously-unidentified form of risk: Market Risk. Thanks to Latin American dictators and Mideastern ayatollahs, FIs learned that sudden political shifts can lead to unexpected moves in currencies, tax regimes, and regulatory structures, which in turn ruin individual customers or whole markets. Hello, Sovereign Risk.

The '80's started with rampant inflation, which deeply submerged many loans, bonds, swaps, and other fixed-income instruments. FIs realized they needed to be able to manage the risk related to the overall prevailing interest rates. In order to manage it, they had to identify and measure it. Thus emerged Interest Rate Risk. By mid-decade, Volcker had tamed rates, leading to an explosion in leveraged trading activity by a rapidly-growing list of firms across an ever-diversifying spectrum of markets. Every once in a while, one of those firms couldn't pay up when their margin call or loan came due, or couldn't deliver the securities which they had sold. It was time again to start managing new types of risk: Settlement Risk, Counterparty Risk, Liquidity Risk, Concentration Risk.

The rip-roaring '90's grew business size and complexity to levels which far outstripped managers' ability to even understand the risks to the business, much less manage those risks. Authority was implicitly devolved to the front office, for whom risk management is just a hurdle between them and their sale. Rather than deeply and objectively analyzing risks to new products and services, they outsourced the effort to the market; if a competitor did it, it must be OK. If a smart customer bought it, it must be OK. If the risk management rules and models flashed red with warnings, they were "re-calibrated" to shut up. Welcome to the era of Operational Risk.

For quite some time, there was no consensus about what Operational Risk was, how to measure it, or what to do about it. The Basel Committee defined it as "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." This was far too abstract for most people to convert into real-world risk management strategies, but at the highest level, most understood that the way they ran their business might come back to bite them. The news provided a steady stream of examples of bone-headed moves by large companies which sent their stock prices into free-fall. Investors got burned. Managers got fired. Risks continued to be piled on. Risk Management was absent.

The first 10 years of this century proved that fact. FIs, governments, academics, and talking heads in the news spent a lot of time talking about all the risks a business face: headline risk, bad business model risk, rogue employee risk, reputational risk, legal risk, political risk, act-of-God risk. Without finishing the task of defining what it was, the industry shifted focus to building "something" to manage Operational Risk. Risks were inventoried, abstracted, debated, categorized. Laws (such as Sarbanes-Oxley) were implemented saying that "something" had to be done. "Someone" had to be held accountable. Regulators began prodding their FIs for evidence of compliance. For most FIs, their best evidence was not in results, but in large amounts of money they were allocating to large, ambitious projects, the details and timing of which were TBD.

Unfortunately, 2008 showed that, for most firms, the risks beat the projects to the finish line, to tremendously expensive effect. We learned about a new type of risk: Systemic Risk.

House prices, over-indebted Americans, Chinese exchange rates, and greedy bankers got most of the headlines, but embedded within the rubble of that crisis were a vast array of crimes. These crimes led to hard-dollar losses which contributed to the gravity of the crisis. The economic downturn, coupled with the globalization effects of the Internet, have led to an increase and diversification in financial crime.

While not yet fully emerged from the previous crisis, FIs are once again in a race to head off the next crisis: Welcome to Financial Crime Risk. While many FIs see this as an operational problem, or a law-enforcement problem, it is indeed a risk management problem, just like all the other types mentioned above. It is an intrinsic part of the business of finance, just as the others are. To prevent 100% of Financial Crime is to stop doing business. FIs must instead manage and mitigate it as a risk, making informed decisions about the resources they allocate to the task. FIs must recognize and measure the cost of residual risks which they choose not to mitigate. This is not a one-time decision, but an ongoing process of objectively assessing the cost and benefit of their choices.

No comments:

Post a Comment