The promise of risk management has never been the elimination of bad outcomes. Those in financial services are keenly aware of this and spend enormous amounts of time trying to figure out how to improve performance by understanding and taking risk. Improving performance and reducing negative outcomes is the first rule of risk management and is natural to all of us. When I say it is natural to us, I am not referring to fundamental instincts such as fight or flight or emotional reactions under stress, but rather to those times when we ask ourselves, “is it worth it”. Risk management is the science and practice of trying to answer this question. While early man might have tried to determine if hunting a Woolly Mammoth, “was worth it”, we in financial services, try to determine if a lending decision “is worth it”. We both use tools and techniques to improve outcomes and we both evaluate probabilities and impacts.
Modern financial risk management has its roots in actuarial science and insurance and is heavily influenced by math and statistics to calculate the financial impact of uncertainty and help minimize risk. This mathematical focus was amplified in the 1970s, following the work of Fischer Black, Myron Scholes and Robert Merton on option pricing theory. Thus, the practical and widespread use of mathematical finance was born and by the 1980s the component parts of assets were being split, packaged and sold and the dimensions of an option’s price (the Greeks) were being used to create trading strategies.
At that time, I was working on the packaging of collateralized mortgage obligations (CMO’s) and while I was pleased as a successful hunter over his Woolly Mammoth, the tools we were using were more sophisticated than rocks and spears. Little did I know at the time where computing power and big data would lead, but even at that time the combination of complex math and increased computational capacity created a level of opacity that was dangerous. Don’t get me wrong, I firmly believe that the expansion of capital markets and efficient allocation of resources created through financial engineering are valuable, but the derivative and financial reporting scandals of the 1990’s and 2000’s are too well documented to deny the added risk. In response to these breakdowns, but also as a mandate of regulators and new laws such as Sarbanes Oxley and Dodd Frank, the role of risk managers and control functions expanded greatly.
In order to address the complexity of the business and associated financial instruments, risk managers now needed to use the same highly quantitative tools and techniques. The methodologies used have been standardized into processes to identify, measure, monitor, and if necessary, mitigate risk. By necessity, risk managers establish thresholds and limits, create operating controls, and establish procedures based on the risk appetite of the organization. I started my career as an auditor so knowing there are controls and thresholds elicits something close to a Pavlovian response in me. Controls and thresholds allow a company to operate efficiently through guard rails and lower risks through limits on what can be done. But they can also create a false sense of security.
The whole system of risk management staffed by experts utilizing highly quantified measures and complex computer monitoring naturally makes the organization believe that risk managers have it under control. Accordingly, when something bad happens like Archegos, those risk managers are the first ones to lose their posts. The bank’s Prime Brokerages unit who were facilitating highly leveraged trades through swap transactions with Archegos were just doing their jobs. The prime brokerage units were incented to generate fees and Bill Hwang helped them achieve that goal. Would the prime brokerages have associated with Bill Hwang a known inside trader, if they were truly accountable for the risks in their business? Would they have amassed all that risk even if it were permissible under the lax regulation of private funds? Would they have known a little more about their counterpart’s positions?
I agree that risk managers need to be accountable, yet it’s a herculean lift and a great deal can fall through the cracks. CRO’s need more help from those in the operating units who intimately know the risks in their business. Some firms have made a start in this regard by messaging that “risk is everyone’s business” and actively creating a “tone at the top” supporting this value. This is a good start but the incentives for better risk management are not often reflected in the goal setting and performance management of staff.
The next step in the evolution of risk management involves staff understanding their role in the risk framework, being accountable and being assessed on that accountability. Only through such a performance management system will your staff correctly ask, “is it worth it?”