By TIM GRANT
“Guns don’t kill people, people kill people.”
National Rifle Association Slogan
“Guns don’t kill people, people kill people, and monkeys do too (if they have a gun).”
Since the full magnitude of the recent financial crisis has become clear, a great deal has been written about how risk management failed us. We hear of purported death knells for quantitative financial modeling, cries of “back-to-basics” and even reports of civil war brewing between the quants and the managers. Commentators highlight spectacular blow-ups and mind-bending tales of management ineffectiveness, outsized hubris and plain ineptitude. And then, of course, there is always the requisite finger pointing towards those institutions that, either through intellectual and strategic prowess or via sheer brazen luck, came out smelling of banknotes and roses. We all love the drama – it’s the ultimate in reality TV and in the context of our self-obsessed culture, it really drives home the maxim that truth is stranger than fiction.[prbreak][/prbreak]
Now that the dust has settled, the question remains: was it risk management and quantitative modeling that failed the people, or was it the people who were supposed to be implementing risk management strategies and leveraging quantitative finance that failed the people?
As many observers point out, modern financial risk management as we know it, with its quantitative bias, has actually only been around since the 1970s (for a concise history see Aaron Brown’s excellent article and for a masterful and comprehensive history see Peter Bernstein’s book “Against the Gods”(1,2). The scale of the recent crisis has created an unprecedented opportunity for the industry at large to reassess its risk management practice, and for the first time in the modern era these significant questions have also become a popular concern. And this public pressure has a direct effect on institutions of all sizes and profiles. The large investment banks have, in some cases, published (or been forced to publish) striking and revealing exposés of their deficient risk management practices leading up to and during the crisis, and they are now under unprecedented scrutiny from their regulators and shareholders. Large institutional asset managers have been left reeling from losses and subsequent asset outflows and are now scrambling to put in place a coherent risk management narrative for their clients.
The common theme here is a collective and overdue demand for increased transparency. Had such transparency been provided during the financial fiesta of the bull market leading up to the crisis, it would have revealed that in many cases investment philosophy and risk management were hardly linked at all. It would have revealed that many organizations did not fully understand the difference between risk taking, risk management and risk control, and that these three terms would morph into each other creating gray areas that in the end became the black holes which consigned to history some of the world’s most venerable financial institutions.
Far too often in the financial sector, risk taking, risk management and risk control are ill-defined, confused with one another, and don’t function cohesively as separate but uniquely intertwined disciplines. This lack of clarity can throw an organization into a state of confusion where nobody knows who owns the risks, who is charged with understanding the risks, and who is charged with measuring the risks. It can happen in a small hedge fund or a large global insurance company or bank. And when those questions go unanswered, the ultimate responsibility and accountability has a hard time finding a home.
It shouldn’t really need a once-in-a-lifetime financial crisis to highlight these facts. But the length of time that these deficient practices have been around and the extent to which they are ingrained in the collective corporate consciousness of institutions of all sizes (and all but ignored by investors of all kinds) has been a real barrier to progress in the domain of risk management. Things, however, seem to be changing. And this change in prevailing winds was recently demonstrated when SEI /Greenwich Associates asked hedge fund investors to list the most important factors in selecting managers in their annual survey (3). “Risk management infrastructure” came second when, remarkably, it had not even appeared in the top 10 in previous surveys. Furthermore, the most highly rated factor was listed as “clarity of investment philosophy.” I would posit that investment philosophy and risk management are inextricably linked. Or, at least, they should be.
So what is the right way to look at risk taking, risk management and risk control? Let’s begin to flesh this out by first seeking a definition of the term “financial risk management.” A cursory internet search yields a plethora of answers and the inconsistency is striking. Wikipedia offers one of the better suggestions:
This definition is not perfect, but it does isolate some key components. That fact that it can be qualitative or quantitative is certainly receiving a lot of press these days (for good reason: relying on risk reports alone clearly gets us nowhere). That it involves identifying sources of risk, measuring them and formulating strategies to address them is paramount. That risk managers should create economic value should not be in question, but my sense is that this very often not a priority or that the potential economic value of the function is not well understood.
What’s missing here is that risk management should involve an innate ability to define and communicate to others, both internally and externally, the risk management philosophy of the organization. Again, this is frequently overlooked as a source of economic value in itself (an excellent example of the kind of thinking that should reside in the risk manager’s wheelhouse is set out in a paper written by Golub and Crum from BlackRock (4).
What’s also missing is that risk management needs to be fundamentally independent of the risk taking function. The problem is that with this concept we can have too much of a good thing. Too often in financial institutions the risk manager’s independence is taken more than just a little too literally. Indeed, risk management can be so removed from the risk takers, both in terms of physical location and more importantly in terms of influence and thought leadership, that they don’t have a seat at the table when it comes to the risk taking decisions. With no seat at the table they can’t have the ability to execute their core duties. And that’s when the job of a risk manager becomes that of a risk controller.
The key difference between the two was summed up in the words of renowned academic and Goldman Sachs alumnus, Professor Emanuel Derman, in a recent blog entry on Wilmott.com: “I attended Goldman's risk committee meetings during 2000-2002, and, while I'm not a fan of everything Goldman does, they did do a very good job of [managing] risk. But they did it not with a new formula or a single rule. They did it by being smart rather than doctrinaire.” (5) In short, risk management is smart and risk control is, by definition, doctrinaire.
Most important of all, the job of a risk manager is to be a partner with the risk takers. To provide an independent and complementary counterpoint to their perspective and to understand and communicate risks that the risk takers may not have considered. To challenge and enhance the quality of the dialogue and be an active part of the definition and redefinition of the investment philosophy and process. Ultimately it’s about empowerment from and representation at senior management level and it relies on a truly progressive and collaborative risk culture (this was the topic of a recent article in the Financial Times by Justin Baer (6). And there are many institutions that get this balance of empowerment right. BlackRock, JP Morgan and Goldman Sachs are often highlighted in this respect, and their cultures are shining examples of where risk taker and risk managers rank pari passu throughout all levels of the firm. There are, of course, many more institutions that get it right. I fear, however, that they may be in the minority.
To get a handle on what risk management is NOT, consider this quote from riskglossary.com:
With all due respect, I have to disagree with most of this. It illustrates what can happen when independence turns into a lack of engagement and the cross-functional gray area turns into a black hole of losses. When financial risk management “is not about optimizing risk” and, rather curiously, “isn’t really about managing anything,” that’s most definitely when it becomes risk control. When it becomes a support function rather than a symbiotic partner with risk taking. When investment philosophy and risk management are kept at arms length and there’s nothing left for the risk manager to manage - the term “management” becomes redundant.
Now, let’s turn our attention to risk control. Try a Google search for “financial risk control” and the results say it all. They all refer to risk management. It seems that risk management and risk control are seen as one and the same! Make no mistake: risk control is an incredibly important part of any institution engaged in taking financial risks, and a sub-standard risk control function could very well bring a firm to its knees. But risk control is not about having a seat at the table and being charged with coming up with the kind of opinions, insight and thought leadership that the risk management mandate implies. Risk control is about monitoring risks versus pre-determined and mechanistic limits. It’s about upholding policies and procedures and the production and distribution of risk reports. It’s about the necessary broad brush strokes required to provide a rigorous framework within which the risk takers and managers can operate. This framework is not, however, defined by risk control, but by the risk takers and managers. Risk control certainly requires a sound working knowledge of the financial risks involved and a technically skilled staff to carry out the duties effectively. And it could be that risk control has some or all of the ownership in the increasingly important and central area of technology design and implementation. But it’s fundamentally a support function for the risk takers, risk managers, compliance managers and treasury managers. One way to look at it is that the Basel capital adequacy directives are to the banking industry as a risk controller is to a trading desk. You wouldn’t manage your business according to the Basel rules. Nor would you manage a trading desk based on risk control limits alone.
Earlier I touched on the idea that risk management is as much about managing business as it is about managing risk. In his historical perspective on risk management, I think Aaron Brown encapsulates this idea as well as drives home the difference between risk management and risk control, in the following statement on the use of one of the current whipping boys of quantitative finance, VaR: “The emphasis was never on the VaR number itself: it’s not something anyone particularly wants to know. VaR is not a limit, nor a measure of capital requirements. There is no appropriate level of return on VaR. Its value is that businesses have to be under control in order to measure their VaR and have to be well run in order to control their VaR.”(1) From a functional perspective risk controllers should be producing VaR numbers and risk takers and managers should be figuring out what those numbers mean for their business (for a related perspective on the use of VaR in managing institutions see John Kay’s recent Financial Times article (7)).
So what about the risk takers? They exist at all levels of a firm from the CEO down. and they all have a hand in forming the ultimate risk position of the institution. The risk takers must define, redefine and communicate their investment philosophy and within that philosophy must make the decisions as to which specific risks to take. Their economic value is derived from making such decisions in a profitable and consistent manner. A risk taker is, for the most part, managing a portfolio of risks (a single portfolio of risk positions or an aggregation of portfolios depending on their seniority) and this is where the symbiosis between risk taker and risk manager should yield the most fruit. It’s also where many institutions fall down. Let’s face it, aggregating risks across multiple portfolios and business can be both conceptually and quantitatively very challenging, and the extent to which risks are truly aggregated and their interdependencies are understood often leaves a lot to be desired. This is in no small part due to the fact that risk takers often act independently of their alleged risk managers – or perhaps it’s more appropriate to say that they do their own risk management and the alleged risk managers are not empowered. In this situation there are no checks and balances. Or even more fundamentally, there is no risk-adjustment of the outcomes. I would argue, for instance, that a portfolio manager should be paid for generating true alpha rather than for the excessive use of leverage of beta – the latter leads to excessive risks and demonstrably lower risk-adjusted returns. Only through a unified approach to investment philosophy and risk management philosophy, where each is created in the context of the other, where risks are managed in partnership and where each party is empowered to work together, can this be achieved in a consistent way.
I want to make clear that I’m not suggesting that there can never be overlap between the three functions in question. As I mentioned before, I recognize the separation can go to far and be counterproductive. I’m merely making the case that there should be a clearer definition and implementation of those functions. The bottom line is that risk management and risk control are fundamentally different functions, and their relationship with risk takers should be distinct. Risk management is pro-active while risk control is more reactive. By the same token risk taking and risk management are also different functions and maximum economic value is derived when they work together. It’s true that a portfolio manager has to risk manage his or her positions and perhaps in a very small asset management firm comprising one lone portfolio manager, for instance, the PM could conceivably fulfill both roles. As the fund grows, the roles should be split. Frequently funds grow and there is no explicitly defined independent risk management function. It could also be that the roles of risk manager and risk controller are also combined in a smaller institution but, again, with any growth they should be separated. At the other end of the spectrum with, say, a large global investment bank or asset manager, you would expect the legions of employees to stratify nicely into these well-defined categories. The truth is that this is very often not the case. Risk management, for instance, is frequently only “risk management” in title and “risk control” in reality (again, see Justin Baer’s FT article (6)).
There has been little reason to address these ingrained structural inefficiencies within the framework of investor and regulatory oversight until now. Professionals don’t want to speak out when they are in a reasonably well-paid seat and dissent is often not encouraged. Within the current framework many individuals are motivated not to rock the boat. A trader at an investment bank who basically holds a low cost call option on trading book performance has little reason to diminish his or her power and authority by sharing responsibility explicitly with a risk manager. Equally a risk manager by title has little reason to upset the apple cart by complaining that his or her job yields no influence is really risk control.
But things are changing. And those who have reflected on how we manage financial risks as a result of the crisis to arrive at a clearer definition of involved roles may be better placed come the next one.
[At this point it’s worth highlighting an example of how risk taking, risk management and risk control can work together harmoniously in the form of the JP Morgan RIFLE (Risk Identifcation For Large Exposures) program. The following taken from their 2009 annual report (8): “Individuals who manage risk positions, particularly those that are complex, are responsible for identifying potential losses that could arise from specific, unusual events, such as a potential tax change, and estimating the probabilities of losses arising from such events. This information is entered into the Firm’s RIFLE database. Management of trading businesses control RIFLE entries, thereby permitting the Firm to monitor further earnings vulnerability not adequately covered by standard risk measures.” Anecdotal evidence from JPM insiders suggests that this idea of risk self-identification combined with an open and collaborative risk culture is an extremely effective management tool.]
We’ve made our way through the three distinct areas of risk taking, risk management and risk control. Given the theme of concern at the lack of clear definition between the roles, the logical next step is to put forward definitions of my own. Assuming the definition of “financial risks” is not in dispute, I come up with the following:
Financial risk taking is the practice, within a well-defined investment, risk management philosophy and business model, of creating economic value by finding profitable opportunities to take financial risks.The risk takers should have ownership of the clear definition and communication to stakeholders of the organisation’s investment philosophy and methodology, which should be constructed in the context of the risk management philosophy and in partnership with the risk managers. The risk takers should be the ultimate owners of individual risk taking decisions.
Financial risk management is the practice, within a well-defined investment and risk management philosophy and business model, of creating economic value by the qualitative and quantitative identification and measurement of risk sources and the formulation of plans to address and manage these risks. The risk managers should have ownership of the clear definition and communication to stakeholders of the organisation’s risk management philosophy and methodology, which should be constructed in the context of the investment philosophy and in partnership with the risk takers. The risk management function should be independent of the risk taking function yet be empowered by senior management to challenge the views and assumptions of the risk taking function.
Financial risk control is a support function for financial risk takers and risk managers. It involves the measuring and monitoring of risks versus pre-determined limits (and the flagging of the proximity to and violation of those pre-determined limits) as defined by the risk management framework. It also involves the upholding of risk policies and procedures and the production and distribution of risk reports to stakeholders.
Readers may disagree on some of these definitions and, if so, let a welcome debate begin on where the specific boundaries lie between risk taking, risk management and risk control. The overarching point here is that they are distinct functions and that many of the exciting advances in these areas on a micro level continue to be overshadowed by the institutional inertia that has set in at the macro level over the last few decades. Crises tend to lead to a temporary focus on these issues but, as BlackRock’s Chief Risk Officer, Bennet Golub, rightly pointed out at an event organized by the International Association of Financial Engineers in 2010, “You can’t cram for a crisis.”(9) The industry as a whole needs to focus on these issues as a matter of managing their everyday business, not in response to the next financial disaster.
Ultimately, it’s a truism that guns don’t kill people and that, in actuality, people kill people with guns. There’s clearly room for debate on whether guns are necessary or a necessary evil. But in my opinion, society’s creation of financial risks and capital markets has played and will continue to play a meaningful role in global prosperity, and there’s no question as to their significant value. Risk management and financial modeling underpin this contribution to the advancement of our society, and ongoing practical and academic developments in parallel with rapid evolution in science and technology will bolster these fields going forward. We’ll never stop the fruits of our labour getting into the wrong hands, and we’ll never be able to make sure everyone understands the true meaning and importance of differentiating between risk taking, risk management and risk control. However, we can and should try.
In the crisis leading up to the Great Recession, it was not risk management and quantitative financial modeling that failed the people; it was the people who were supposed to understand and implement them that failed the people.
About the Author
- Brown, A. “The History of Financial Risk Mangagement: A (Mostly) Personal View”, Global Association or Risk Professionals, May/June 2004, Issue 18
- Bernstein, P. “Against the Gods: The Remarkable Story of Risk”, Wiley 1998
- SEI/Greenwich Associates. “Institutional Hedge Funds Comes of Age - A New Perspective on the Road Ahead”, 2011
- Golub, B.W. & Crum, C.C. “Risk Management Lessons Worth Remembering from the Credit Crisis 2007-2009”, The Journal of Portfolio Management, Spring 2010, pp 21-44
- Derman, E. “The Next Crisis”, Jan 31st 2011, www.wilmott.com/blogs/eman
- Baer, J. “Noise of the financial herd will drown out risk concerns”, Financial Times, US Edition, 5/6th February 2011
- Kay, J. “Don’t blame luck when your models misfire”, Financial Times, US Edition, 2nd March 2011
- J.P. Morgan Assual Report 2009, p 131
- Golub, B.W. at “Risk Management Lessons Worth Remembering & Stress Testing”, organized by International Association of Financial Engineers, May 20th 2010