By Patrick Roberts
There have already been a number of articles discussing the role of business continuity management in preventing events such as the ‘credit crunch’ or mitigating their specific effects: it is not intended to repeat these arguments here. This article is concerned, instead, with some more fundamental lessons arising from the crisis concerning how we understand and manage risk.
Short term viewpoints
One of the most powerful and persistent arguments against spending money on business continuity management is the casual observation that most companies survive from year to year even if they don’t do any formal risk management. There is an obvious parallel here to the way that the banks had been taking enormous risks for a considerable period of time and getting away with it. Indeed, both staff and shareholders of banks benefitted enormously from the increased short-term profits that were generated; but, with the benefit of hindsight, surely nobody would argue that this was a sensible way to do business.
Given the catastrophic consequences of this lack of attention to risk there is now much debate on how banks, and individual bankers, can be encouraged to take a longer-term view including:
* Changes to remuneration packages, especially cash bonuses;
* Ensuring that directors have a better understanding of the risks to which the bank is exposed; and
* Institutional shareholders becoming more active.
Many of these debates are equally applicable to promote more effective risk management in other industry sectors. Obviously incentivising employees appropriately and educating directors about business continuity management are important. Ultimately though, most employees and directors will still have relatively short horizons (of the order of 3 – 5 years) compared to the time-frame of catastrophic events. As has been graphically illustrated by the current crisis, it is shareholders who sustain the big losses when risks are not managed effectively so improving the understanding of operational risk amongst institutional investors is probably the best guarantee that BCM will be taken seriously.
Inappropriate tools
Another interesting lesson is the failure of regulatory regimes across the world to prevent the crisis. This is due in part to the use of inappropriate tools, most notably the widespread reliance on Value at Risk (VaR) calculations, for regulatory purposes.
VaR emerged in the 1980s as a useful tool for managing day-to-day risks in banks’ trading operations. The technique involves picking a suitably high probability (x) - typically 90 or 95 percent - and estimating the level of loss that will only be exceeded (100-x) percent of the time. Thus the risk of different portfolios can be expressed as a single number allowing easy comparison. Building on this, regulators then sought to use VaR to manage the risk of banks collapsing. To do so though, they needed to set the probability thresholds at extremely high levels such as 99.9 or even 99.97 percent. At these levels, data is very scarce and the calculated VaR figures become highly dependent on the precise data used and the assumptions made. The apparent precision of the output therefore hides a great deal of uncertainty.
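The following is an added example, not part of the original article, showing how the same empirical VaR calculation becomes unstable as the probability threshold rises. The function names, the Pareto loss model with tail index 3 and the sample size of 2,500 observations (roughly ten years of daily data) are assumptions chosen for illustration.

```python
import math
import random


def empirical_var(losses, x):
    """Loss level that is exceeded at most (100 - x) percent of the time in the sample."""
    ordered = sorted(losses)
    k = math.ceil(x * len(ordered) / 100)  # rank of the x-th percentile
    return ordered[max(k, 1) - 1]


def simulated_losses(rng, n, tail_index=3.0):
    # Constructed data: heavy-tailed (Pareto) losses. The distribution and
    # its tail index are assumptions, not figures from the article.
    return [rng.paretovariate(tail_index) for _ in range(n)]


def relative_spread(x, n=2500, trials=200, seed=1):
    """Width of the middle 90% of VaR estimates, relative to their median.

    Each trial is an equally valid history drawn from the same loss process,
    so the spread is the uncertainty hidden behind one reported VaR figure.
    """
    rng = random.Random(seed)
    estimates = sorted(
        empirical_var(simulated_losses(rng, n), x) for _ in range(trials)
    )
    cut = trials // 20                      # 5% of the trials at each end
    low, high = estimates[cut], estimates[trials - cut - 1]
    mid = estimates[trials // 2]
    return (high - low) / mid


if __name__ == "__main__":
    for x in (90, 95, 99.9, 99.97):
        tail_points = 2500 - math.ceil(x * 2500 / 100)
        print(f"x = {x:>5}%  observations beyond VaR: {tail_points:>3}  "
              f"relative spread of estimate: {relative_spread(x):.2f}")
```

At the 99.97 percent level the estimate is simply the largest loss in the sample, so one additional extreme observation changes the reported figure.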
The analogy that I would draw here is to the widespread, and often unthinking, application of Impact and Likelihood scoring in the business continuity management process. The Impact and Likelihood approach is clearly of value when dealing with high frequency-low impact events - such as workplace accidents and IT outages - where data is plentiful. However, I have often seen it inappropriately applied to low frequency-high impact events: indeed this is enshrined in the UK government’s ‘Emergency Preparedness’ guidance which asks Local Resilience Forums to differentiate between annual likelihoods of 1 in 10 000 and 1 in 100 000. Even if history were an entirely reliable guide to the future (which it is not), the paucity of data on such extreme events renders such probability estimates so vague as to be meaningless. The danger is, like VaR, we are seduced by the seemingly scientific nature of the process and accept this as a substitute for judgement and common sense.
Equating size with resilience
It was inconceivable even two years ago that a number of major multinational banks would have failed completely and many others would have had to be bailed out by governments. With the credit markets still frozen it is entirely possible that there may be a number of high-profile casualties in other industry sectors (e.g. airlines and automotive) before too long. Going back only a few years, it seemed equally inconceivable before the collapse of Enron or Worldcom that these huge companies could implode so swiftly and spectacularly, leaving so much debris in their wake.
Despite these numerous vivid examples though, when speaking to people about their supply chain vulnerabilities there is still often an assumption that a key supplier is resilient purely by virtue of their size. Further evidence of this customer complacency, albeit somewhat circumstantial, is provided by the surprisingly small number of large corporations that have felt the need to demonstrate their resilience by achieving BS25999 certification.
Whilst geographical spread and sheer scale of resources clearly give an organization considerable protection against local disruptions (fires, floods etc.), they give no general guarantee of resilience. In fact, in crises resulting in reputational damage, the very size and visibility of a company can be a significant disadvantage.
Conclusions
All crises present an opportunity for learning and, as stated in the introduction, a number of practical lessons from the credit crunch have already been identified and, hopefully, learned. It is important though that we fully seize the opportunity to learn from the fundamental mistakes that led to the credit crunch in order to manage risk better in all industry sectors. In particular we need to:
* Continue to educate institutional investors about operational risk;
* Ensure that risk management tools are applied appropriately and are never seen as an alternative to common sense and judgement; and
* Demand the same evidence of formal business continuity management systems from multinationals as one would from a small local supplier.
Author: Patrick Roberts is a director of Cambridge Risk Solutions Ltd www.cambridge-risk.com

• Date: 29th May 2009 • Region: UK/World • Type: Article • Topic: BC general