Traditionally, organizations have viewed risk management as a corporate requirement, and have often positioned it along with audit and regulatory functions. Some have even empowered and titled corporate groups to “manage risk” along these lines. This charge has often revolved around managing insurance policies and reviewing reports from rating agencies, which suggests that risk management was viewed more as the hedging of certain risks and the overall outsourcing of critical risk analysis, especially as related to credit risk. The recent economic downturn has shown a new face and place for risk management. The strongest firms in this economic downturn are those who integrated risk management as a more comprehensive part of corporate strategy. The weaker firms almost entirely shared the traditional risk management school of thought mentioned above. This is true in financial services and extends to nearly all industries reliant on credit, market, and operational risk management.
In the recent economic downturn, a few key behaviors of risk management as a driver of corporate strategy have emerged. First and foremost, sound risk management requires executive involvement and ownership. Next, there must exist a culture and climate for openly communicating risk in the organization. Additionally, communication of risk must have an emphasis on data-driven decisions. Lastly, but perhaps most critically, the organization must have a “ready response” to a known risk.
Let’s look at how executive involvement and ownership have a role in risk management in driving corporate strategy. A nice example is JP Morgan Chase. Of the major banks in the US, JP Morgan Chase has carefully skirted the largest issues afflicting its competitors and brilliantly executed a strategy that is rooted in understanding its risk and adapting as needed. We can’t forget their buying of Bear Stearns at $10 a share and their buying of Washington Mutual (formerly the largest savings and loans operator in the US). It is worth looking at Jamie Dimon, Chairman and CEO of JP Morgan Chase. Unlike many a CEO, he took an active role in regular risk briefings. Not only did he ask for detailed risk reports as the CEO, he also recognized the need to set a direction for the organization in reaction to these risk outlooks versus delegating the risk decisions. When the investment banking industry was moving towards greater real-estate investments and larger CDO purchases, he looked to data from the JP Morgan retail banks that showed that mortgage defaults were on the rise, and he provided his team the direction (driven off of data) to move against the herd by selling real-estate backed securities. It is hard to fathom that any organization in the world would make such a drastic decision about risk without the direct involvement of its senior leadership. Therefore, just as executive involvement is important in setting corporate strategy, it is equally important in risk decisions.
To be effective as an organization, there must be honesty and openness in communicating risks. It is clear that the international real-estate bubble was in part fueled by a field of mortgages that were, in various forms, deceitful, incomplete, or otherwise untraditional. Indeed, the classically-trained credit risk managers signaled these mortgages as high risks. For many organizations that were focused on short-term earnings and felt a need to outpace the industry in bookings, this communication of risk was dismissed, or worse, even silenced. In the JP Morgan Chase example, it was the retail banking division that shared data with the investment bank on the escalations in mortgage delinquencies. This sharing of data across business lines allowed Mr. Dimon and his corporate team to change strategy on the investment side. For many organizations, sharing unexpected information is unwelcome. Presumably, other banks could have done the same as JP Morgan Chase, but the focus on communicating risks and data across business lines was not there in other banks. The lesson, of course, is that an enterprise must be willing to communicate about risk, especially when things are going well and the risk has yet to be realized. Business lines should take time to learn what other lines are doing given the interconnectedness of risk within an organization.
The importance of information in risk management should not be missed. In recent months, many risk managers have pondered how the traditional risk management models failed to predict the crisis, as a great body of thought has gone into the development of the risk models and techniques that have been used to conventionally manage risk. In that convention resides the problem. Such conventional risk management techniques use historical data to make projections about “worse cases” or statistical anomalies that might happen with some likelihood. However, future negative outcomes are unknown to the models and future “failure paths” are unincorporated in the models. Most of the employed risk models are poor at incorporating new information and even worse at new types or sources of information, such as changes observed in a tangential business line, observations from front-line staff or traders, or alterations in market behavior due to phenomena such as reduced availability of capital.
In the case of JP Morgan Chase seeing signals in their mortgage accounts, they incorporated information on mortgage payments that was unconventional for the evaluation of portfolios of mortgages by the investment bank. Their success came from identifying such novel information and realizing that it challenged conventional thought. In such conditions, relying on conventional risk models is highly questionable and some would even say harmful. So, the focus of a risk manager should not be strictly quantification (as in the execution of conventional risk models), but the identification and incorporation of information, especially of new types and from new sources, in order to determine direction and changes that drive risk. Risk management is inherently a process of investigation and learning, rooted in unraveling the complexity of the unknown.
The risks facing organizations are legitimately more complex and tightly connected than ever before. The complexity of risk is largely driven by the continual globalization of business and the increased speed of virtually every business activity, as enabled by technological advances. Using data to make decisions is key; it enables verification, and provides a means of breaking down the complexity of business. For many organizations, there was a reliance on securitization or swaps to transfer risk in ways that were not possible a few years previously. This was heralded, and in fact, there are benefits to these instruments. In many ways, these swaps served as insurance, yet the buyers of such swaps were not necessarily qualified or even financially guaranteed (as is required by many insurers worldwide). It is clear that very few of the buyers or sellers of such novel financial instruments understood the inherent interconnectivity of risks in these instruments. For instance, the US government is still unwinding the trades and obligations of AIG, which relied heavily on swaps and risk transfers. The case of AIG shows how even a large and diversified firm can struggle to fully understand its obligations and risks. Many firms, like AIG, relied heavily on hedging or transferring of risk as a means of risk management. The assumption that risk is perfectly transferred means that one’s counterparty is perfectly resilient, too. This is of course a naïve view and one proven wrong recently, but one that fundamentally demonstrates how a few assumptions about risk can drastically impede a corporate strategy.
Still, in each corporate strategy, particular risks are accepted, namely and ideally those risks which management believes hold some attractive opportunity. Focusing on the data or factors that foretell the risk accepted is key; it is how one begins to understand a risk and reduce uncertainty. Risk management is a process of investigation and study. Interestingly, many companies worldwide have accepted data at face value, such as credit ratings from the agencies, the financial stability of a counterparty that was buying a swap or credit risk transfer, or the direction of commodity or real estate prices. For example, it is clear that the US automobile industry was not prepared for the recent volatility in oil prices. The “Big Three” manufacturers were largely working on a view that oil would remain inexpensive to the US consumer. Instead, the likes of Toyota and Honda were making calculated investments in hybrid vehicles and other high efficiency vehicles to position themselves for an upswing in oil prices. In many ways, Toyota and Honda had already “readied their response” to the risk posed by higher oil prices and the subsequent impact on their customers. This reflects a treatment of risk on the part of Toyota and Honda as part of their corporate strategies.
This forward thinking about risk is key in organizations. Toyota and Honda were not immune to the recent economic downturn nor did they completely depart the previously lucrative SUV market in the US, but clearly each was better positioned than the major US manufacturers, because they were better prepared. They identified a risk and took action in a way that would allow their corporate strategy to adapt to an environment with lower consumer interest in large vehicles. The emphasis is on “readying the response,” much in the same way that militaries conduct simulations to prepare for a yet unseen conflict. Companies that ready a response for various situations are not necessarily better at predicting the future; they are just more prepared for what comes to pass. This continuous preparation often makes them better at understanding factors predictive of a risk. So, being ready is not preparing for doomsday, but rather being able and prepared to adapt.
It is interesting that we have heard the phrase “liquidity risk” come to describe the woes of many a firm recently. In fact, it is a more polite way of saying that an organization ran out of money. The seeds of today’s liquidity risks were set a few years ago, during more prosperous times, when companies dispersed excess cash through dividends and share buybacks, and undertook a wave of high-priced mergers. Indeed, shareholders and the investment community clamored for this sharing of wealth and punished those firms that held “excessive cash reserves.” Yet, today those organizations that hoarded a bit of cash can protect themselves against “liquidity risk” and can purchase competitor assets at significant discounts. Warren Buffett’s Berkshire Hathaway serves as a wonderful example in this case. Its history and policy of not paying a dividend has drawn naysayers in the past. Yet, this has provided a strategy that positioned the firm to have cash when it is most needed. It has allowed Warren Buffett to follow a strategy of long-term value to investors. The implicit risk decision was tied to strategy. The risk decision and strategy decision go hand in hand.
It is fair to admit that the current economic situation has altered many assumptions about business and markets, and we have seen a massive encroachment (oops, I meant investment) by governments in corporations. This will surely bring new risks to corporations and governments alike. Governments and corporations have different strategies and goals. Although we can more or less agree that corporations are driven to return profits to investors, the role of governments as major shareholders in banks, mortgage-holding firms, automobile manufacturers, and insurance firms is less clear. In part, the governments of the world have provided a rescue plan to stabilize (hopefully) our markets. But such investments by the government come with a price tag. We have already seen the US Congress and UK Parliament adjust and limit banks’ pricing on credit cards. Banks in both countries are furthermore restricted in taking action on defaulting mortgages, as part of accepting the government funds. So, the risks accepted change as the corporate strategy changes. Governments and politicians seem much more sensitive to reputations and public outcries than corporations, suggesting that firms accepting government assistance will likely be addressing a new list of risks and responding to a growing group of constituents. The risk of regulation is high for many industries, and firms should adjust their corporate strategies accordingly.
In driving corporate strategy, we see that risk management is much more than a set of best practices and transferring of risk. Instead, it involves clear identification of those risks accepted. Factors that are believed to drive risk and the data that is predictive of risk should be openly communicated, but this is not limited to risks internal to the firm. Let’s not forget, “Profit is reward for taking risk,” as so wisely put by the famous economist Frank Knight in 1921. Therefore, firms should not only be selective in which risks to take, but willing to pounce when the opportunity presents itself. This involves tracking the risk position of competitors, in order to understand competitive advantages. So, risk management is not an exercise in paranoia, but rather a thoughtful approach to understanding uncertainty, exposures, opportunities, and limits in order to make educated investments. It requires executive involvement, an emphasis on making data-driven decisions, open communication about risks, and a discipline to think through scenarios and ready responses. Indeed, a great many of the winners coming out of our current economic environment will be those that not only held a bit more cash, but had a bit more information than their competitors and were able to seize a window of opportunity.
These lessons show that risk management is really about the identification of key information and its use in the decision-making process. It is not about guidelines or the execution of conventional mathematical models. It is more important than ever, as preparing for the unknown requires having the best information, not the industry-accepted “best practice.” This all signals that the risk management team belongs on the corporate strategy team, not on the phone with insurance brokers.