Saturday, May 30, 2009

Risk Management is a Corporate Culture Issue

At the Wharton Finance Conference in 2007, Lloyd Blankfein, chairman and CEO of Goldman Sachs, and Kenneth Moelis of Moelis & Co (previously with UBS Investment Bank) gave their perspectives on risks, rewards and opportunities in Wall Street.

They both provided different perspectives and here are the excerpts :

"At its most fundamental level, they agreed, risk management is a corporate culture issue. To manage risks effectively over time, employees must put the firm's welfare and the preservation of important client relationships ahead of everything else. In October, said Moelis, "firms got hit from The Blind Side" -- a reference to a recent bestseller by Michael Lewis about professional football -- "and a number of Wall Street leaders suffered career-ending injuries." Said Blankfein, whose firm seems to have emerged from the recent credit implosion relatively unscathed: "Risk is risk, and you can't be perfect at managing it."

"Give an experienced trader a new rulebook on risk, and he will figure out how to game the new rules in minutes.... What you need from employees is a sense of relationships.... You need to have people who want to save the firm... one trader sitting next to another, saying, 'This doesn't look right' instead of saying, 'I want to join that scam.'"

Blankfein offered a comprehensive overview of Goldman's risk management approach. Besides the firm's daily mark-to-market disciplines, the three indispensable ingredients, he said, are "escalation, accountability and culture." Escalation means communicating risk concerns to higher levels of management, "getting more fingerprints" on potential problem risks and challenging the notion that a business group leader ought to make independent decisions on risks that affect the entire firm. Accountability, of course, means acknowledging that people are responsible for what their business groups do, and, equally important, holding senior management committees responsible for evaluating all aspects of risk, including the quality of the people with whom the firm chooses to do business.

Goldman's greatest risk protection, however, comes from ascribing as much status, prestige and compensation to those partners engaged in control functions as to those running businesses -- and in constantly rotating partners back and forth between risk control and business operations.

Going back to fundamental disciplines such as "escalation, accountability and culture" is to my mind where we should be focusing in instilling the discipline and practice of risk management in this organization.

The entire article can be read here.

Sunday, April 19, 2009

Thinking about risks

Knowledge@Wharton recently published "Re-thinking Risk Management : Why the Mindset Matters More Than the Model" on April 15, 2009.

The entire article can be read by clicking the here

In reading this article, I relate this to our role as risk managers in this organization.

  1. In refining our risk management approaches, mindsets in the manner we think about risk need to change. The article emphasizes that "too much blame being placed on the risk management model and other tools of the trade" and argues "that risk models or tools are not necessarily broken, but instead are only as good as the decisions that get made based on them". We need to understand that risk models and tools can only assist us in making decisions, albeit judgemental, and we need to provide these insights to complement these models to senior management. We need to understand the assumptions underpinning these models, and more importantly understand the risks that are not represented in these models.
  2. It is not sufficient to get a fuller picture of risk, there is a need to develop a more integrated view of risk. In this risk managers need to understand events in the market that impacts us do not happen by risk type. The lines between credit risk, market risk, and operational risk gets blurred when there is a significant event or during the period of crisis. While the skills for each type of risk can be distinguished, it is more important to develop the capabilities in understanding how these risks impact each other and have an integrated view of risk.
  3. "Decisions need to be made faster, but based on information we don't have."
  4. While we have been "internally focused", "businesses around the globe have become increasingly interdependent" which increases companies' exposure to risks, perhaps risks that we don't know about. Risk management of the future needs to "look beyond the known issues to look at links and interdependecies." Key to this is to define not ALL links but rather the major links that we as an organization have not thought about OR we believe is key in achieving our growth strategies.
  5. Elevating risk management to a strategic level means making risk management discussions more strategic than operational. I believe in risk management needs to be cast in operational decisions. However, another level of risk management, strategic, needs to be defined and approached. Risk managers should also be part of the team of strategists, and think about not just downside risk, but risk of not acting on the upside. Risk managers should facilitate decision making in uncertain conditions facing the industry that a company is in.
  6. Risk considerations then need to be embedded at multiple stages in business, be it strategic planning, budgeting and evaluating risks vs. rewards in various aspects of decision-making. We can have the best tools and capabilities in risk management, but, if we are not serious in integrating risks with strategic decision-making process, risk management will continue to be thought as operational excellence, support and a compliance function.

These represents my thoughts as I was reading this article. Of course, implementation considerations and strategies to achieve the points raised above requires more thought than just summarized points above.

Wednesday, April 01, 2009

Risk means more things can happen than will happen

The Heart of Risk by Peter Bernstein, author of Against the Gods : The Remarkable Story of Risk
This article is courtesy of What Matters, a McKinsey & Company website. I find this excellent in framing and shaping our thinking about risk and uncertainty.
*******************************************************************************************************************************************

What is risk management all about anyway? We use the words as though everybody understands what we are talking about. But life is not that simple.

Risk means more things can happen than will happen—which is a fancy way of saying we do not know what is going to happen.

If we do not know what is going to happen, some surprises will be damaging, but others will make us wealthier than we had anticipated.

For anyone wrestling with the task of managing risk, it’s important to understand both the potential losses and the potential gains. As we’ll see, if more risk managers had thoroughly assessed the former, the current financial crisis might never have come to pass.

In today’s world, mathematical analysis has become the fashionable method for managing risks. This has been most obvious on Wall Street, where the so-called Quants, many of them with PhDs in math or theoretical physics, used their arcane modeling skills to conjure profitable trading models and new products. Non-Quants were often afraid of these new techniques, but liked the profits they produced and shied away from debating whether or not they were reliable.

In fact, math can only take us part way toward managing risk. What it cannot manage is what is at the heart of risk: the unknown. With a mathematical approach alone, the risk manager risks never correctly defining the problem and never asking the right questions.

Let me say the same thing from another perspective: risk management really means attempting to optimize outcomes under conditions in which the full range of outcomes might be unknown. Numbers will be a frail reed in such an environment.

How, then, can we come to grips with risk management when mathematics fails us? I begin the answer to this question with an anecdote from my experience managing other peoples’ money back in the late 1960s. The story is interesting in its own right, but it also provides a profound insight into the essence of risk management.

A married couple came to see us at our offices one day, scruffily dressed and shy in manner. The man, John, opened the discussion by showing us their portfolio, which was worth a couple of hundred thousand dollars and consisted of only three stocks: AT&T, U.S. Steel, and Thiokol. The whole portfolio was on margin, but each position showed enormous profits. We were nonplussed and asked John why he needed us. Then he told us their story. He had been a reporter for the Brooklyn Eagle, but the paper had folded and he was now unemployed. At the time that he was fired, the couple had $15,000 in the bank, just about the amount they spent in the course of a year to meet their basic needs (don’t forget this episode took place over 40 years ago). John’s wife was a school teacher, so they had some money coming in—but nowhere near enough to cover their basic living expenses.

Unlike many people who hoard small accumulations of assets for fear of losing the little they have, John decided to go into the stock market and shoot the moon. “If I lose,” he figured, “I’ll just be broke a year earlier than I would be otherwise. If it works, though, we can be comfortable for the rest of our lives.”

That logic is what made John a master risk manager. The key question in decision making is, “What happens if I am wrong?” or, as in John’s case, “What happens if I lose?” In this instance, he could see that he and his wife were in such bad shape that they had little to lose but much to gain by taking this highly concentrated and leveraged risk in the stock market. (It did work. The problem John wanted my firm to help with was a different, though not uncommon one. John’s wife, who had been a firm companion while the great experiment was under way, now had high anxieties about the risk of losing their windfall. But John, transfixed by success, was psychologically incapable of unwinding his fantastic success. That was the role they wanted us to play.)

John was unaware of the hallowed history of his line of analysis, which dated back nearly four centuries to one of English literature’s most glorious achievements, Shakespeare’s Hamlet and Hamlet’s most famous soliloquy, “To be, or not to be.”

There is a powerful connection between the investment decision by an unemployed newspaper reporter and the contemplation of suicide by the Prince of Denmark (which is what he meant by the phrase, “To be, or not to be”).

Hamlet always deliberated at length before acting on his impulses. In this crucial scene in the play, he is considering what might happen to him if he does commit suicide: “To die: to sleep; no more; and by a sleep to say we end the heartaches and the thousand natural shocks that flesh is heir to.” An end to heartache. That is the outcome Hamlet hopes he will achieve. But then he asks a critical question: can we be certain of “no more”? Hardly. We can be certain of nothing that happens after death.

That being the case, suicide is not a riskless act. Suppose there is more to come after death? “To die, to sleep; to sleep: perchance to dream: ay, there’s the rub; for in that sleep of death what dreams may come . . . There’s the respect that makes calamity of so long life.” Hamlet prefers to suffer the immense pain of life rather than face the unknowable consequences of suicide: “to grunt and sweat under a weary life” because “the undiscovered country from whose bourne no traveler returns, puzzles the will, and makes us rather bear those ills we have than fly to others that we know not of.”

Hamlet left a perfect model for my client John to follow: what happens if I am wrong in taking this step? In John’s case, the consequences of being wrong were minor compared with the transformation he could achieve if his decision turned out to be the right thing to do. Hamlet’s choice of whether to be or not to be was precisely the opposite, because not acting was the better selection. But both John and Hamlet asked the right question.

Another example of the power of this line of analysis is Blaise Pascal, the great 17th century French mathematician who first articulated the use of probability in making estimates about the future. Despite the tremendous importance of Pascal’s work in the field of probability, his more fundamental contribution to risk management is similar to Hamlet’s, although I doubt that Pascal ever read any Shakespeare—or had even heard of Shakespeare. Like Hamlet, however, Pascal applied common sense, rather than higher mathematics, in managing the risk he faced.

Pascal was a deeply religious man, although he was also a skilled gambler—which is what led him to the study of probability in the first place. One day, in the silence of his room, Pascal asked himself a tantalizing question: “If I had to make a bet on whether God is or God is not, how should I respond?” He immediately recognized that “reason cannot answer.” Nevertheless, this was clearly a question of overwhelming importance, even though he would have to wait until the end of eternity to find out how his bet on God’s existence had worked out.

Pascal finally turned to an indirect approach to this puzzle, in which reason would help him decide which way he should bet on whether God is or God is not. He could choose what kind of a life he wanted to live: a life of virtue, restraint, and unselfishness, or a life of lust and self-indulgence. Suppose he chose a life of virtue and abstinence and then found out at the end of time that God is not? He would have passed up some goodies unnecessarily, but it would not have been such a bad life. If, on the other hand, he chose a life of lust, deceit, and self-gratification, and then found that God is, he would be in big trouble.

Therefore, Pascal decided he must bet that God is and choose the virtuous life, even though he had no way of knowing whether the bet would pay off. One thing he did know: the consequences of being wrong by betting that God is not and leading a life of sin could have intolerable consequences.

The heart of the matter is defining the choices. Shoot the moon or leave the $15,000 in the bank? To be, or not to be? God is or God is not? John, Hamlet, and Pascal all provide the same framework for risk management: whichever road you choose—whether you play it safe or take a risk—what are the consequences of being wrong?

In our own time, let us suppose that some of the people who took out subprime mortgages, or some of the lenders, had stopped for a moment to ask themselves, “What if we are wrong about the outlook for housing prices? I am confident they will keep rising, but nothing is certain in this life. I better think through the consequences if I am wrong.”

The consequence of being wrong about the trend of housing prices would be disaster, as the declining value of the mortgaged homes would soon wipe out the borrowers’ paper-thin equities. This tragedy is precisely what did happen when housing prices began falling in autumn 2006. If buyers or lenders had only taken the trouble to ask the question about being wrong, the history of the world economy could have been entirely different from the chaos that has overtaken us.
Thinking through what might happen if things go wrong is also a useful approach in routine business decision making.

In 1994, Avinash Dixit and Robert Pindyck wrote a book called Investment Under Uncertainty, which emphasizes the inherent irreversibility of most business-investment decisions. Dixit and Pindyck suggest a method for dealing with the risks posed by irreversibility: wait before acting. Waiting is valuable because the passage of time can produce additional information. This new information may have value that would not have been available if an irreversible decision had been made earlier. Thus, Dixit and Pindyck’s case has its roots in the deliberations of Hamlet and Pascal, because taking the risk of not waiting can have negative consequences. Waiting to make an irreversible decision may lead to a more rational choice than not waiting.

My client John, Hamlet, and Pascal, each in his own way, laid out the fundamental principle of risk management by defining the right problem and asking the right question. A purely mathematical approach would make sense only if the risk manager were indifferent to the possible outcomes, in which case, there would be no point to the exercise.

There is always uncertainty. Nothing is 100 percent sure. While a 95 percent probability is statistically significant, that still leaves us in the dark about the remaining 5 percent; we may decide to accept that uncertainly and bet on the 95 percent sure thing, but there is still a possibility of being wrong. The crucial question to ask is, “What would be the consequence if that 5 percent chance comes to pass?”

Tuesday, March 31, 2009

Thinking small where ERM is concerned

I am appalled at the selected narrow-mindedness in risk management thinking in this organization. I am of the view that the greatest challenge is therefore to change the mindsets of selected persons that definitely hampers the progress of Enterprise Risk Management in this organization.

What a pity this is.

Saturday, March 28, 2009

EIU report : Managing Risk in Perilous Times : Practical Steps to Accelerate Recovery

This report from EIU, published in March 2009, sponsored by ACE, KPMG, SAP and Towers Perrin provides a guide in what it takes in an organization to enable and empower risk managers to perform their roles.

The summary of ten practical lessons that could help in addressing the perceived weaknesses of risk management are :

  1. Risk management must be given greater authority
  2. Senior executives must lead risk management from the top
  3. Institutions need to review the level orisk expertise in their organization, particularly at the highest levels
  4. Institution should pay more attention to the data that populates risk models, and must combine this output with human judgment
  5. Stress testing and scenario planning can arm executives with an appropriate response to events
  6. Incentive systems mustbe constructed so that they reward long-term stability, not short-term profit
  7. Risk factors should be consolidated across all the institution's operations
  8. Institutions should ensure that they do not rely too heavily on data from external providers.
  9. A careful balance must be struck between the centralization and decentralization of risk
  10. Risk management systems should be adaptive rather than static

There you go. I seriously think that in the context of this organization that the priority ishould be no 1,2 3, 7 and 9.

I recommend reading this report in detail. Click at the link here.

Friday, March 27, 2009

Survey Reveals Financial Services Firms Focused on Enhancing Risk Management Practices in Advance of New Legislation

Navigant Consulting yesterday announced the results of a new survey conducted by the Economist Intelligence Unit (EIU). Nearly 200 financial services professionals were surveyed to evaluate the evolving role of risk management in financial services organizations. The survey indicates that financial institutions around the world are focused on the impact of risk on enterprise business value and profitability, rather than merely complying with arbitrary levels of risk exposure and performance.

The survey results suggest there is significant room to improve risk intelligencemaking it more current, comprehensive and consistent – an observation that is especially important as more than 70 percent of respondents cite risk disclosure as a likely element of expected regulatory reform.

“It is evident that the financial crisis has led to a 'crisis of confidence',” said John Schneider, Managing Director and head of Navigant’s Capital Markets Regulatory Advisory team. “We’re seeing a call to action by regulators across the globe to create additional transparency and risk monitoring capabilities to reduce the likelihood of another similar financial crisis.”

According to the survey, most respondents stand by their risk-monitoring capabilities, but concede they are most confident about their ability to monitor mainstream risks (e.g., credit, accounting, liquidity risk), and least confident in the areas revealed as problematic by the recent credit crisis.

For example, 87 percent say they are “Excellently” or “Well Positioned” to identify and monitor credit risk, but fewer (67 percent) are equally confident of their capabilities on enterprise risk, and 47 percent describe themselves as “Weak” on new and emerging risks.

“Effective risk management hinges not only on an organization’s ability to capture data on risk, but the ability to interpret, escalate, and make decisions based on the information. The survey data shows that financial professionals recognize this need but struggle with implementing meaningful solutions to enhance risk management. We work alongside clients to design, enhance, and implement robust risk and compliance programs to shore up investor confidence,” said Sharon Siegel Voelzke, Navigant’s Vice President of Business Consulting Services.

The survey respondents comprise nearly 200 executives from a broad range of financial services firms around the globe. Of the executives surveyed, 37 percent are based in North America, and 33 percent in Europe; 30 percent are from firms with global assets of more than $250 billion, and 41 percent are senior corporate executives (including chief executive, financial and risk officers, as well as board members).

News link to this story, click here

Link to survey results, click here

Thursday, March 26, 2009

Over reliance on risk management models

I have posted previously on the dangers of relying too much on the preciseness that risk management numbers purportedly gives you. We seem to be assured that by having risk models that we are getting somewhere in progressing risk management without thinking about the quality of information that comes from our risk models, the application of the results of such models in risk decision-making, the assumptions behind such models and more importantly, the risks that are not captured in risk models.

While I am a strong believer in number crunching by way of statistical analysis, spreadsheets and presenting these numbers in a meaningful manner to facilitate decision-making as well as providing an indication of how much risks we are taking, we should not be lulled into being too "confident" with numbers that we think we have all our risks in our radar.

I propagate the following as a guide for all levels of management in this organization, with particular emphasis to risk managers whom I believe play an important role in communicating this message:
  1. Risk models supported with established methodology should not replace sound business judgment. In the context of this organization, sound business judgment comes from business lines and it is our role as risk managers to understand the business, its decision-making process, and the risks that businesses take in that process.
  2. Numbers can never capture market preception of the company, loss of confidence, reputational risks and in this crisis, I would question whether even liquidity risk can be captured accurately in risk models. In our context, our risk analysis assumes that the risks can be hedged or positions can be liquidated assuming there is liquidity. Therefore risk managers need to communicate to management what risks are represented in risk models and what risks are not.
  3. In relation to no 2, for those risks represented in risk models, we must communicate that these risk models attempts to model the reality of risk out there using assumptions that more often than not does not represent the reality of risk out there. Questioning assumptions, I believe, first will make us understand better what these risk models represent and forces us to think what other risks lurks out there that we have not captured. In the recent article in FT "Maths and Mayhem", Lord Turner, chairman of the Financial Services Authority, blamed "misplaced reliance on sophisticated maths" for lulling banks' top managers into a false sense of security about the risks they were taking. This article asserts that contrary to Lord Turner's assertion, the banks' sums were not sophisticated enough. They over-simplified, and assumed away the limitations and caveats of their models. They did this to convey an illusion of accuracy and precision, and so convince the market that they had everything under control.
  4. Making decisions in accepting risks based on the results of these risk models and not considering tail-risk may lead to accepting risks that can be beyond what an organization could sustain in a worst case scenario (and when all assumptions in risk models break down). According to a Wall Street Journal article, AIG said in a 2006 SEC filing that its credit default swaps had never experienced high enough defaults to consider the
    likelihood of making a payout on its credit-default-swap protection products more than “remote, even in severe recessionary market scenarios” (Refer to “Behind AIG’s Fall, Risk Models Failed to Pass Real-World Test,” Wall Street Journal, WSJ.com, October 31, 2008
  5. Worst case scenarios have to complement the results of risk models and we should question the company's ability to weather these worst case scenarios and assess its impact on P&L and capital.

I hope this and references to previous postings would serve as a guide to

  1. senior management in understanding and questioning the analysis that are presented to them and the models used to support such analysis.
  2. risk managers in communicating to management on the level of risks that an organization has and in facilitating discussion about risks in business decision-making.

Monday, March 02, 2009

We should be asking ourselves these questions

From S&P ERM Review Discussion Questions :

a. What are the company's top risks, how big are they, and how often are they likely to
occur? How often is the list of top risks updated? Do we know what are the company top risks?
b. What is management doing about top risks? At the enterprise wide level? Business level? Entity specific?
c. What size quarterly operating or cash loss has management and the board agreed is
tolerable? Do we have an approach determining the risk appetite taking into consideration all risks faced by the organization?
d. Describe the staff responsible for risk management programs and their place in the
organization chart. How do you measure success of risk management activities? Is risk management a success by having a framework but lacks implementation?
e. How would a loss from a key risk impact incentive compensation of top management
and on planning/budgeting?
f. Tell us about discussions about risk management that have taken place at the board
level or among top management when making strategic decisions. How do we frame risks in these strategic decisions?
g. Give an example of how your company responded to a recent “surprise” in your
industry and describe whether the surprise affected your company and others
differently. How did we respond to the Financial Crisis and what came out of that?
.

Sunday, February 22, 2009

Re-approaching risk management

I have been reading many good articles and write-ups on risk management that I do not know where to begin. Risk management takes priority in view of what has happened and now is as good a time as any in this organization to demonstrate, apply and implement the value of risk management.

The following are the list of articles, its excerpts and in the order of hierarchy and priority :

Setting the Tone

In the Fortune special report "What boards must do in a crisis", top consultants Ram Charan and Tom Neff say company directors have to roll up their sleeves in times like these and take a hard look at risk, targets, pay, and balance sheets.

"Boards have to spend more time thinking about the unthinkable -- scenarios that would have seemed irrational, maybe unimaginable, just a year ago. What if our lead bank disappears? What if we have a liquidity crisis? What if the Dow goes to 6,000? What if our stock keeps dropping and attracts raiders?

The other subject that boards need to focus more on is enterprise risk management. It's not just risk in the sense that banks need to focus on it, but what are the risks in our business model, what are the global risks that could affect our business? It's a holistic approach to the subject, and stress testing what we're doing."


Shaping Risk Management : Addressing qualities of risk managers, decision-making and culture

In another FT article, Personalizing Risk Management, part of a series of articles in Managing in a Downturn, a professor and executive in residence at the London Business School writes about how companies have evolved in managing risks and the shift in thinking about risk management that is required today.

"Personalisation of risk management does not mean throwing out the traditional systems and support structures. Rather, it means a subtle shift in emphasis from the management of a portfolio of risks to the underwriting of individual risk decisions. This approach is relevant across all sectors of the economy, not just to the world of financial services companies. "

The author suggests three approaches in personalizing risk management that I find has every relevance in this organization in its efforts to move forward with risk management:


  1. High-quality insight. Those who make decisions require good quality information, effective analytical tools and the competence to interpret this information. But it is rare for all these things to come together. It is more likely for decisions to be made with poor insight from self-interested sources, and with the relevant information fragmented across different parts of the company. Effective personalisation of risk management is, therefore, about building a system that puts the right information into the hands of those making decisions, and then transforming that information into insight through experience.
  2. Personal accountability. Effective risk management requires personal accountability, but most companies get this wrong as well. Sometimes there are too many decision makers, or the decision maker is too far removed from the action to feel any genuine responsibility. And often there is no link between the decisions taken and the rewards provided.
  3. Supportive culture. The informal norms of behaviour in a company – its culture – should support the principles of high-quality insight and personal accountability. But all too often, these informal norms end up undermining the effectiveness of decision making. Some companies exhibit a fear culture where bad news is hidden from top executives; some are purely mercenary, where everyone looks out for themselves; some suffer from chronic risk aversion, with almost zero tolerance for false-positive errors.
    Of course, there is no simple way to build a supportive culture. It takes many years of consistent messages and actions from leaders. But there are, nonetheless, a couple of basic principles that can be applied.

Risk Measurement : What It Is and What It Is Not

There has been numerous debates as to the usefulness of Value-at-Risk (VaR) as a mathematical model based on statistical assumptions in predicting risk. The basic VaR model, the parametric model, relies on the extent of historical data available for a market and asset class, and for as long as you think history repeats itself, then the parametric VaR is your best indicator of what your portfolio predicted risk would be.

The nature of the financial crisis that evolved from 2007 till now has been unprecedented and as Nicholas Nassim Taleb said in a McKinsey article "my idea in The Black Swan is to make people think of the unknown and of the potency of the unknown, particularly a certain class of events that you can't imagine but can cost you a lot; rare but high-impact events." Therein lies the limitation of VaR and assuming market risk events can be represented by a probability distribution with a certain confidence level.

This article Risk Mismanagement from the New York times reinforces my overall philosophy that while VaR is a means to quantify risks, we must understand the assumptions behind VaR and certainly should never be complacent in thinking that once VaR is in place and that would represents all of our risks.

Nicholas Nassim Taleb was quoted in this article :

"Wall Street risk models, no matter how mathematically sophisticated, are bogus; indeed, he is the leader of the camp that believes that risk models have done far more harm than good. And the essential reason for this is that the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure. The ones that seem so far outside the boundary of normal probability that you can’t imagine they could happen in your lifetime — even though, of course, they do happen, more often than you care to realize. Devastating hurricanes happen. Earthquakes happen. And once in a great while, huge financial catastrophes happen. Catastrophes that risk models somehow always manage to miss."

"What he cares about, with standard VaR, is not the number that falls within the 99 percent probability. He cares about what happens in the other 1 percent, at the extreme edge of the curve. The fact that you are not likely to lose more than a certain amount 99 percent of the time tells you absolutely nothing about what could happen the other 1 percent of the time. You could lose $51 million instead of $50 million — no big deal. That happens two or three times a year, and no one blinks an eye. You could also lose billions and go out of business. VaR has no way of measuring which it will be. "

Gregg Berman of RiskMetrics posits differently :

"Obviously, we are big proponents of risk models,” he said. “But a computer does not do risk modeling. People do it. And people got overzealous and they stopped being careful. They took on too much leverage. And whether they had models that missed that, or they weren’t paying enough attention, I don’t know. But I do think that this was much more a failure of management than of risk management. I think blaming models for this would be very unfortunate because you are placing blame on a mathematical equation. You can’t blame math."

Richard Bookstaber :

"Richard Bookstaber, a hedge-fund risk manager and author of “A Demon of Our Own Design,” ranted about VaR for a half-hour over dinner one night. Then he finally said, “If you put a gun to my head and asked me what my firm’s risk was, I would use VaR.” VaR may have been a flawed number, but it was the best number anyone had come up with."

The NYT article is a good for all risk managers to understand what VaR represents and its limitations with quotes from proponents and dissenters of VaR. Read on.

Sunday, February 15, 2009

Increasing Interest in Risk Management by CFOs

Financial Crisis Intensifies Interest in Risk Management Among CFOs was a survey commisioned by Towers Perrin to CFO Research Services, an affiliate of The Economist and CFO magazine, to gain insights on how companies view the seriousness of the financial crisis for their businesses.

For a complete view of the results of the survey and findings, please click here

According to Towers Perrin website, the findings that stand out are :

  • Only 4% of respondents perceived the recent financial market meltdown as having a severe impact on their financial prospects. Although the majority acknowledged that the crisis would dampen profit expectations and leave a potentially lasting dent in the world economy, only five respondents feared a major negative impact on their financial results.
  • Nonetheless, approximately 72% of respondents expressed concern about their own companies' risk management practices and ability to meet strategic plans. This suggests that finance executives, regardless of industry, perceive a need to invest in more effective risk identification, measurement and management procedures.
  • In a related finding, a sizable minority (42%) foresaw more energized involvement by boards of directors in risk management policies, processes and systems, and a comparable minority foresaw intensified employee-level engagement.
  • 61% expressed concern about raising short-term capital — a sobering percentage of the executives surveyed but hardly surprising given ballooning spreads in the commercial paper market.

Risk management practices on the top of the agenda for many CFOs


It is interesting that, despite the evident impact of the current financial crisis on liquidity and consumer confidence, more than half (55%) of the CFOs agree that they plan to put their risk management practices under a microscope and that this investigation will in many instances reach all levels of the organization, from the board down and from the shop floor up.
What Standard & Poor's stated so plainly when it announced the inclusion earlier this year of an explicit ERM component in its rating of corporate securities is echoed by America's leading finance executives: Effective risk management depends on effective risk culture — i.e., genuine awareness and control of risk throughout the organization, and genuine line-of-sight accountability.

FSA 2009 Financial Risk Outlook

The Financial Services Authority (FSA), the British financial services regulator, published its 2009 Financial Risk Outlook. For those who wish to read the 90 page report, please click here

The 2009 report, according to the Foreword, has a different structure in consideration of "the scale of the financial crisis and the uncertainty over the future of the financial system, in particular the banking system" and in view of the increased regulatory policies to contain financial risks.

There were key messages that are listed at the end of each section and I would like to draw attention to a few that I think bears relevance to this organization.

  • Setting the tone Senior Management should ensure appropriate risk management is undertaken and that there is a clear understanding of the underlying risks to their business model, particularly risks associated with complex hedging strategies. Firms need to satisfy themselves that key risks are appropriately managed and continually re-assessed as financial market and economic conditions evolve.
  • Measurement Stress testing and scenario analysis should form an integral part of firms’ risk management, business strategy and capital planning decisions. It is of particular importance in this unpredictable environment, when the financial sector is vulnerable to further shocks, that firms also consider the implications of deteriorating economic conditions and the long-term viability of and weaknesses present in their business models. In addition, the financial sector and economy will also remain vulnerable to potential shocks, such as a large-scale terrorist attack. Firms should continue to consider such risks in their business planning to ensure effective plans are in place for dealing with these shocks.
  • Liquidity Risk Firms need to be aware of the vulnerabilities of their capital arising from the closure of individual markets and ensure that they have diversified funding channels and a varied investor base within each funding source. They also need a clear understanding of the availability of liquid assets which could be converted to cash if funding is suddenly unavailable, and the extent of their over-reliance on such ‘liquidity through marketability’. Many financial institutions continue to face liquidity pressures. Firms
    need to manage liquidity risk to ensure any gaps are filled by appropriate funding strategies. Internal risk management of liquidity issues needs to be addressed and reported effectively.
  • Risk Management Is A Business Strategy Strategies need to be underpinned by strong risk management systems and controls for all areas of risk: credit; market and operational risk; conduct of business risks; compliance with relevant rules, codes and standards; and managing risks of fraud and financial crime.
  • Do Your Own Due Diligence As a credit rating represents only one opinion on the creditworthiness of a particular product, a rating should not replace appropriate due diligence. Investors should assess how much reliance is appropriate to attach to the ratings produced by third parties, in light of rating performance and other forms of risk assessment relevant for the security concerned. Factors such as liquidity risk and price volatility can be as important in making an appropriate decision, and should be considered alongside other relevant indicators regarding the creditworthiness of an investment. (Refer to previous posting on Lloyd Blankfein and the similarities)
  • Valuation Controls Systems and controls should also be in place to manage valuation difficulties and to ensure that questionable prices are identified. Appropriate governance procedures are also important when using non-independently sourced values.
  • Disclosures To enhance market confidence, it is important that firms provide sufficient disclosures about the key judgements and uncertainties concerning valuations and any reclassifications in the accounts.

Thursday, February 12, 2009

Lloyd Blankfein on Lessons Learnt

Much has been said about the financial crisis and the lessons that we should learn from the crisis.

Lloyd Blankfein, the CEO of Goldman Sachs, provided his opinion in the Comment section of FT here.

The lessons learnt :

Lesson #1 Risk management should not be entirely predicated on historical data. In the past several months, we have heard the phrase “multiple standard deviation events” more than a few times. If events that were calculated to occur once in 20 years in fact occurred much more regularly, it does not take a mathematician to figure out that risk management assumptions did not reflect the distribution of the actual outcomes. Our industry must do more to enhance and improve scenario analysis and stress testing.

Lesson #2 Too many financial institutions and investors simply outsourced their risk management. Rather than undertake their own analysis, they relied on the rating agencies to do the essential work of risk analysis for them. This was true at the inception and over the period of the investment, during which time they did not heed other indicators of financial deterioration.

Lesson #3 Size matters. For example, whether you owned $5bn or $50bn of (supposedly) low-risk super senior debt in a CDO, the likelihood of losses was, proportionally, the same. But the consequences of a miscalculation were obviously much bigger if you had a $50bn exposure.

Lesson#4 Many risk models incorrectly assumed that positions could be fully hedged. After the collapse of Long-Term Capital Management and the crisis in emerging markets in 1998, new products such as various basket indices and credit default swaps were created to help offset a number of risks. However, we did not, as an industry, consider carefully enough the possibility that liquidity would dry up, making it difficult to apply effective hedges.

Lesson #5 Risk models failed to capture the risk inherent in off-balance sheet activities, such as structured investment vehicles. It seems clear now that managers of companies with large off-balance sheet exposure did not appreciate the full magnitude of the economic risks they were exposed to; equally worrying, their counterparties were unaware of the full extent of these vehicles and, therefore, could not accurately assess the risk of doing business.

Lesson #6 Complexity got the better of us. The industry let the growth in new instruments outstrip the operational capacity to manage them. As a result, operational risk increased dramatically and this had a direct effect on the overall stability of the financial system.

Lesson #7 Perhaps most important, financial institutions did not account for asset values accurately enough. I have heard some argue that fair value accounting – which assigns current values to financial assets and liabilities – is one of the main factors exacerbating the credit crisis. I see it differently. If more institutions had properly valued their positions and commitments at the outset, they would have been in a much better position to reduce their exposures.

For Goldman Sachs, the daily marking of positions to current market prices was a key contributor to our decision to reduce risk relatively early in markets and in instruments that were deteriorating.

For the industry, we cannot let our ability to innovate exceed our capacity to manage. Given the size and interconnected nature of markets, the growth in volumes, the global nature of trades and their cross-asset characteristics, managing operational risk will only become more important.

Risk and control functions need to be completely independent from the business units. And clarity as to whom risk and control managers report to is crucial to maintaining that independence. (Cannot be emphasized enough)

Equally important, risk managers need to have at least equal stature with their counterparts on the trading desks: if there is a question about the value of a position or a disagreement about a risk limit, the risk manager’s view should always prevail. (The heart of any risk governance)

More generally, we should apply basic standards to how we compensate people in our industry. The percentage of the discretionary bonus awarded in equity should increase significantly as an employee’s total compensation increases. An individual’s performance should be evaluated over time so as to avoid excessive risk-taking. To ensure this, all equity awards need to be subject to future delivery and/or deferred exercise. Senior executive officers should be required to retain most of the equity they receive at least until they retire, while equity delivery schedules should continue to apply after the individual has left the firm.

For policymakers and regulators, it should be clear that self-regulation has its limits. We rationalised and justified the downward pricing of risk on the grounds that it was different. We did so because our self-interest in preserving and expanding our market share, as competitors, sometimes blinds us – especially when exuberance is at its peak. At the very least, fixing a system-wide problem, elevating standards or driving the industry to a collective response requires effective central regulation and the convening power of regulators.

Capital, credit and underwriting standards should be subject to more “dynamic regulation”. Regulators should consider the regulatory inputs and outputs needed to ensure a regime that is nimble and strong enough to identify and appropriately constrain market excesses, particularly in a sustained period of economic growth. Just as the Federal Reserve adjusts interest rates up to curb economic frenzy, various benchmarks and ratios could be appropriately calibrated. To increase overall transparency and help ensure that book value really means book value, regulators should require that all assets across financial institutions be similarly valued. Fair value accounting gives investors more clarity with respect to balance sheet risk.

The level of global supervisory co-ordination and communication should reflect the global inter-connectedness of markets. Regulators should implement more robust information sharing and harmonised disclosure, coupled with a more systemic, effective reporting regime for institutions and main market participants. Without this, regulators will lack essential tools to help them understand levels of systemic vulnerability in the banking sector and in financial markets more broadly.

Wednesday, February 11, 2009

Reinforcing skills required in risk management

Time and time again I have reinforced my views on what it takes to be a risk manager (not what it takes to build capability in risk management)

  1. Possess the visionary in where risk management should be and the depth required to ensuring "the trains work and arrive on time".
  2. Having a bigger picture of the organizational direction and the role of risk management in the organization.
  3. Recognize risk management trends that impacts how risk management is implemented in this organization
  4. Process-oriented in the application of risk frameworks, policies, controls and implementation and principle driven in applying risk management in the corporate context
  5. Analytical capabilities in understanding the business, how risks arises and the drivers of risk (both market and internal drivers), identifying risks, how risk impact the business from strategic, tactical and operational perspective, the risk return trade off in business decision-making and prescribing practical risk management solutions

Saturday, January 31, 2009

Changing perceptives on risk management

In implementing integrated financial risk management, senior management's view of risk management shapes the risk management thinking and culture throughout the organization. Key to this is a consistent message about the importance of risk management and changing perceptions regarding risk management.

The benefits of risk management is not clear throughout the organization resulting into inconsistent interpretation of the value proposition of risk management. The recent financial crisis has somewhat provided the impetus for pockets of people, entities or business units within this organization to consider risks in their businesses or where financial risks complacency existed, financial risks became a priority in their management radar. This is evidenced by the multitude of financial risk advisory and guidance that has been sought from us in the past 6 months, with market risk and counter-party risks as their top risk management concern.

This development that came about arising from the financial crisis is indeed a positive development in that businesses are realizing the importance of understanding how risks impact their businesses and makes efforts to manage these risks. In my view, these developments still fall short of what constitutes an effective risk management practice.

In this posting, I will attempt to list key risk management concept and ideas that I believe will shape the organization's thinking on the value proposition risk management brings and the practice of risk management.

Understanding the value proposition of risk management

Based on our experience in implementing integrated financial risk management, there are still companies that think of risk management as compliance and that risk management will stop businesses from expanding because their view is that risk management is risk aversion. There are also companies flush with cash that believes managing risks does not apply to them. Why manage risks when we have survived all these years without having the governance, framework and discipline of risk management in place?

These are dangerous mindsets because as I mentioned earlier, the practice of risk management is shaped by how senior management perceives it to be. Key to this is consistent message on risk management value proposition. Risk management (more so ERM), when designed comprehensively especially in a large organization is not just about having in place a process to protect businesses from setbacks, it enables better business performance by prioritizing risks that businesses want to reduce and risks that businesses want to profit from. With the uncertainty facing businesses in 2009, particularly brought about by economic uncertainty, subsidiaries and businesses should jump at the opportunity to leverage on the strengths of a risk management program in having a total view of its risks and knowing how these risks will impact their business growth strategies.


Friday, January 23, 2009

Credit Crunch : A Practical Guide

For those who are interested, I found this guide reinforcing or sharing our viewpoints in managing risks arising from the crisis.

Read on.

This hands-on booklet, The Credit Crunch: A Practical Guide, provides an explanation of some of the recent major financial events and an assessment of how they may affect the typical business. The guide also lays out 10 action items to consider as businesses manage through the crisis

http://www.boardmember.com/media/files/risk-mgmt-pdfs/TheCreditCrunch_GrantThornton.pdf

Integrated Financial Risk Management (IFRM) notes

IFRM Guidelines content

  • Reference to the principles in the appropriate sections in CFP - principles of oversight and transparency
  • Building on existing practices in the organization i.e. the risk organization in each entity, and identify governance improvements based on the compliance checklist i.e. risk tolerance levels as an agreed consensus by an entity's Board, the adequacy of risk management design and effectiveness of internal controls over financial risk
  • Widely recognized principles in risk management - what are they? Leveraging risk management in light of the financial crisis and its impact
  • What is the current baseline risk management practice in general, and financial risk management practice in particular?
  • Lessons learnt in the CFP roll-out and differing risk management practices
  • Integration of financial risks - where financial risks are embedded into key decision-making i.e.supply chain risk management, contractor risk assessment, project risk assessment
  • Common tools and methodologies in risk assessment, risk compliance, risk measurement

To be continued

Monday, January 12, 2009

A Modeling Manifesto Now?

A spectre is haunting Markets – the spectre of illiquidity, frozen credit, and the failure of financial models.
Beginning with the 2007 collapse in subprime mortgages, financial markets have shifted to new regimes characterized by violent movements, epidemics of contagion from market to market, and almost unimaginable anomalies (who would have ever thought that swap spreads to Treasuries could go negative?). Familiar valuation models have become increasingly unreliable. Where is the risk manager that has not ascribed his losses to a once-in-a-century tsunami?
To this end, we have assembled in New York City and written the following manifesto.

Manifesto

In finance we study how to manage funds – from simple securities like dollars and yen, stocks and bonds to complex ones like futures and options, subprime CDOs and credit default swaps. We build financial models to estimate the fair value of securities, to estimate their risks and to show how those risks can be controlled. How can a model tell you the value of a security? And how did these models fail so badly in the case of the subprime CDO market?
Physics, because of its astonishing success at predicting the future behavior of material objects from their present state, has inspired most financial modeling. Physicists study the world by repeating the same experiments over and over again to discover forces and their almost magical mathematical laws. Galileo dropped balls off the leaning tower, giant teams in Geneva collide protons on protons, over and over again. If a law is proposed and its predictions contradict experiments, it's back to the drawing board. The method works. The laws of atomic physics are accurate to more than ten decimal places.

It's a different story with finance and economics, which are concerned with the mental world of monetary value. Financial theory has tried hard to emulate the style and elegance of physics in order to discover its own laws. But markets are made of people, who are influenced by events, by their ephemeral feelings about events and by their expectations of other people's feelings. The truth is that there are no fundamental laws in finance. And even if there were, there is no way to run repeatable experiments to verify them.

You can hardly find a better example of confusedly elegant modeling than models of CDOs. The CDO research papers apply abstract probability theory to the price co-movements of thousands of mortgages. The relationships between so many mortgages can be vastly complex. The modelers, having built up their fantastical theory, need to make it useable; they resort to sweeping under the model's rug all unknown dynamics; with the dirt ignored, all that's left is a single number, called the default correlation. From the sublime to the elegantly ridiculous: all uncertainty is reduced to a single parameter that, when entered into the model by a trader, produces a CDO value. This over-reliance on probability and statistics is a severe limitation. Statistics is shallow description, quite unlike the deeper cause and effect of physics, and can't easily capture the complex dynamics of default.

Models are at bottom tools for approximate thinking; they serve to transform your intuition about the future into a price for a security today. It's easier to think intuitively about future housing prices, default rates and default correlations than it is about CDO prices. CDO models turn your guess about future housing prices, mortgage default rates and a simplistic default correlation into the model's output: a current CDO price.

Our experience in the financial arena has taught us to be very humble in applying mathematics to markets, and to be extremely wary of ambitious theories, which are in the end trying to model human behavior. We like simplicity, but we like to remember that it is our models that are simple, not the world.
Unfortunately, the teachers of finance haven't learned these lessons. You have only to glance at business school textbooks on finance to discover stilts of mathematical axioms supporting a house of numbered theorems, lemmas and results. Who would think that the textbook is at bottom dealing with people and money? It should be obvious to anyone with common sense that every financial axiom is wrong, and that finance can never in its wildest dreams be Euclid. Different endeavors, as Aristotle wrote, require different degrees of precision. Finance is not one of the natural sciences, and its invisible worm is its dark secret love of mathematical elegance and too much exactitude.

We do need models and mathematics – you cannot think about finance and economics without them – but one must never forget that models are not the world. Whenever we make a model of something involving human beings, we are trying to force the ugly stepsister's foot into Cinderella's pretty glass slipper. It doesn't fit without cutting off some essential parts. And in cutting off parts for the sake of beauty and precision, models inevitably mask the true risk rather than exposing it. The most important question about any financial model is how wrong it is likely to be, and how useful it is despite its assumptions. You must start with models and then overlay them with common sense and experience.

Many academics imagine that one beautiful day we will find the 'right' model. But there is no right model, because the world changes in response to the ones we use. Progress in financial modeling is fleeting and temporary. Markets change and newer models become necessary. Simple clear models with explicit assumptions about small numbers of variables are therefore the best way to leverage your intuition without deluding yourself.

All models sweep dirt under the rug. A good model makes the absence of the dirt visible. In this regard, we believe that the Black-Scholes model of options valuation, now often unjustly maligned, is a model for models; it is clear and robust. Clear, because it is based on true engineering; it tells you how to manufacture an option out of stocks and bonds and what that will cost you, under ideal dirt-free circumstances that it defines. Its method of valuation is analogous to figuring out the price of a can of fruit salad from the cost of fruit, sugar, labor and transportation. The world of markets doesn't exactly match the ideal circumstances Black-Scholes requires, but the model is robust because it allows an intelligent trader to qualitatively adjust for those mismatches. You know what you are assuming when you use the model, and you know exactly what has been swept out of view.

Building financial models is challenging and worthwhile: you need to combine the qualitative and the quantitative, imagination and observation, art and science, all in the service of finding approximate patterns in the behavior of markets and securities. The greatest danger is the age-old sin of idolatry. Financial markets are alive but a model, however beautiful, is an artifice. No matter how hard you try, you will not be able to breathe life into it. To confuse the model with the world is to embrace a future disaster driven by the belief that humans obey mathematical rules.

MODELERS OF ALL MARKETS, UNITE! You have nothing to lose but your illusions.
The Modelers' Hippocratic Oath
~ I will remember that I didn't make the world, and it doesn't satisfy my equations.
~ Though I will use models boldly to estimate value, I will not be overly impressed by mathematics.
~ I will never sacrifice reality for elegance without explaining why I have done so.
~ Nor will I give the people who use my model false comfort about its accuracy. Instead, I will make explicit its assumptions and oversights.
~ I understand that my work may have enormous effects on society and the economy, many of them beyond my comprehension.

Monday, January 05, 2009

Thursday, January 01, 2009

Lessons Learnt in 2008 and Looking Ahead in 2009

Happy 2009 to everyone and Good-Bye 2008!

I doubt if any risk manager would or could have anticipated the extent of events that had unfolded in 2008. I certainly didn't, and most of us in oil and gas, cushioned by crude oil prices reaching new highs, felt we were insulated by what really began in as early as 2007. I think we are all still reeling from the impact of events as we navigate ourselves, in our personal and professional capacities, to steer the ship to ride this storm.

What was unimaginable happened and having experienced this organization's weathering through the 1998 Asian Crisis and the 2008 Credit Crisis, these crises ultimately in my view, will have long term implications in shaping the practice of risk management.

There will be a series of risk management areas that I will be writing this year focussing on scrutinizing our own risk management practices and what we should be doing in shaping the practice of risk management in this organization.

I would like to begin with the topic of risk governance. Risk governance is the key element in risk management that sets the foundation for the remaining key elements. It is the glue that holds together the remaining elements in risk management. Without risk governance our efforts in risk management becomes futile.

What is risk governance? When we mention risk governance, we conjure images of risk management structure, principles of independence, creating a risk culture, developing risk capabilities etc. While these are crucial elements in risk governance, I am of the view that at the core of risk governance is that risk management must be given equal seat in any business decision-making process and treated at par with the growth and profitability strategies.

In the past risk management is treated as a process that each business activity or strategy undertakes to perform, identifying potential risk events and potential mitigation strategies and typically takes place in the form of workshops and templates. Unfortunately, the good intentions of these processes gives us a false picture or assurance that the risks are always mitigated. Now the reason I say that is

  • Who monitors the effectiveness of such mitigation strategies?
  • Who monitors the appropriateness of such mitigation strategies in the event of a stressed situation?
  • Who re-evaluates whether the risk events and therefore its risk mitigation approaches and strategies are still relevant to the current situation? How quick do we respond to a certain risk event?
  • Who executes the risk mitigation strategy? Given the multi-disciplinary experts required to manage such risks, who coordinates these collaborative approaches?
  • Are our risk management talent empowered in a way that they have the ability to say "No" and business decision-makers pay heed to risk management because they bring value to the discussion table?

Who holds the answer to these questions depends on the risk governance approach and design of the organization.

  • Is the risk culture pervasive enough that each business will be able to monitor the impact of risk events and trigger a chain of command to respond appropriately?
  • Is there a risk management function at the business level that will work closely with the business decision-makers and act as an enabler to manage such risks?
  • Or is there a role for those in Enterprise Wide Risk to play an intervention role when a risk event is triggered and before an action is taken, the impact to the Group is quickly assessed, rather than making a marginal business decision?

To be continued