| Risk management lessons from ‘Black Monday’
"The answer to minimizing risk exposure is to not ignore it. Everything is a risk ... customer relationships, financial controls, back office operations and product development practices could all pose problems for an organization. It's getting the company to focus on the right risks. Sure you should worry about disasters (like Hurricane Ike or the stock market crash), but sometimes too much emphasis is put on these 'sky-is-falling scenarios'. Instead, be sure to focus some attention on the risks that cause 'death by a thousand cuts'. These risks slowly erode your competitiveness, and leave you in the same spot as a disaster," says Welles. When new banking rules allowed investment banks, such as Lehman Brothers and Bear Stearns, to not only create a debt-based instrument (mortgage backed securities), but also facilitate its sale, it appears the motivation to understand exactly what risk was buried within the debt instrument was lost. The new rules shifted the industry's risk posture from cautious to aggressive. "With a disciplined approach to risk management any business can understand the risks that lie just beneath the surface and develop a layer of protection from their own ‘Black Mondays'," advises Welles. "The key rests in recognizing the dynamic nature of risk - and watching out for those risk triggers that hint at where things stand," he adds. According to Welles, every company can take these steps to minimize risk: 1. Review existing risk policies. Do the policies stop at disaster recovery or do standards exist to manage the dynamic nature of day-to-day business risks? 2. Assess your company's attitude toward risk: Is your company a risk averse culture or does it live by the mantra - the greater the risk the greater the reward? How do your risk practices fit with this attitude toward risk? 3. Use new technologies to your advantage: Automated risk assessment and tracking tools, such as prediction markets, exist that can get you beyond 'just trusting your instincts'. 4. Change the culture: The long-term goal should be to get every employee involved in managing risks. Developing a common risk language among the employees and training a disciplined approach to risk management prevents minor risks from morphing into disastrous challenges. Reader comment Michael Welles' article on the 'Risk management lessons from ‘Black Monday’" was very interesting, but I have a different take on the lessons that the risk management community might learn from the events in the world of financial services over the past year (not just ‘Black Monday’). Risk is classically measured by the probability of an event occurring multiplied by its expected cost. This is all very well in environments where the probability and expected cost can be measured with any degree of certainty, but what happens in environments where these cannot be measured? Financial services is, unfortunately, one of those environments where neither the probability of an event nor its expected cost can be measured with any degree of certainty. For example, what is the probability of someone defaulting on a mortgage from Fannie Mae? If that question was asked two years ago you would get a very different answer from if it was asked today. The figures on foreclosure rates are very complex, but according to the US department of Housing and Urban Development can range from 6 percent to 22 percent over the lifetime of a mortgage for ‘good years’ versus ‘bad years’. In reality, nobody knows the probability, mainly because this will change dramatically depending on the particular economic circumstances prevailing at the time the question is asked. Continuing with the example, the cost of someone defaulting on a mortgage from Fannie Mae is also unknown. Let's say that the mortgage is for $100,000 on a property that had been valued at $120,000. The cost to Fannie Mae will depend on the amount of the loan that had been repaid to date, the delay between the first non-payment and the foreclosure, and the value at which the property can be sold. This could vary from $0, unlikely in a foreclosure, so let's use an arbitrary low value of $20,000, to the full $120,000 (or more). Again, nobody knows the cost because this will change dramatically depending on the particular economic circumstances prevailing at the time. Using the example, our single risk could be measured as anything from $1,200 to $26,400. Quite a difference. If you have a million of these, the risk could be as much as $26.4 billion, or then again it could be $1.2 billion. Enough to break a bank if you get it wrong! So, we have the situation where risk managers in financial services institutions are assessing clearly defined and simple risks based on unknown probabilities and unknown expected costs. Start to package these things up and sell them to other financial institutions, or to insure the risk, and the other financial institutions compound the problem by take on packages of unknown risk. Risk managers then assess these risks, and have absolutely no way of knowing the probabilities or expected costs because they do not know the details of what they have taken on. Even if they did they couldn't assess the risk with any degree of certainty. In other words, financial institutions were telling themselves that they understood the risks, when clearly they didn't. The lesson that I think needs to be learnt is not the one that Welles advises, which is "With a disciplined approach to risk management any business can understand the risks that lie just beneath the surface and develop a layer of protection from their own ‘Black Mondays'". What clearly stands out to me is that risk management is unable to even come close to assessing the risks in the world of financial services, and the sooner everyone understands this and stops fooling themselves, the better. If you cannot measure probability and expected cost, then no amount of discipline or sophisticated tools will help. Mel Gosling
•Date: 18th Sept 2008• Region: World •Type: Article •Topic: Operational risk
|
