Tag: Cyber Risk

Risk Management Leadership Lessons – The Importance of Focusing on Operational Risk

The Volkswagen case shows us a contemporary case of what can go dramatically wrong when an enterprise does not focus on its operational risk. Worse, it shows what happens when a lack of leadership and presence of cheating overtake the virtues and values of the firm. Operational risk is a major concern for many firms and in particular for financial service firms.

It is important for risk leaders to focus on operational risk for many reasons. Let’s examine some reasons:

Operational Risk is not tied to an investment with a direct upside. Unlike credit and market risk, where the downside exposure is known (or mostly known) at the time of investment, and an upside is projected, setting up an operation or taking on a new vendor introduces operational risk of an unknown and unforeseen nature. There is no upside, generally. Therefore, reducing operational risk is a direct monetary benefit to the enterprise. Removing operational risk requires knowing how and why it occurs, in the first place.
Measuring Operational Risk requires acknowledging it. I once met with a CEO at a bank that told me, “We don’t have operational risk.” I remember telling him in response that until you recognize it as operational risk, you will see operational risk only as unexpected costs via project overrides, unexpected credit losses, and even lawsuits from customers. He informed me, “We have lots of that.” It is not about semantics. Operational risk is an error and unless you are looking for errors, it will simply look like your business, process, or systems have deviated from plan. Removing the error will be impossible from the investment decision to operate. If a loan process has missing data (a common operational risk) and the loans under-perform, the decision might be to shutdown the loan business entirely (not to invest) but the correct action is to fix the operational risk and process for collection of data. Not understanding and measuring operational risk will mean that business decisions are sub-optimal. Operational risk management is about removing the errors and making the business investment more precise going forward.
Critical operations introduce the biggest operational risk. As in all industries, the desire to reduce costs and develop new products is with us constantly in financial services. Outsourcing and new business models have also brought new risks as costs have been removed. The pressure to move into new banking products, such as online, mobile, and RFID payments have introduced operational risks too. It is little surprise that Apple Pay experienced a fraud rate of over 6%, which is more than 60 times that of normal credit cards.[1] Today, every bank and insurance executive fears that day they see customer data breached and shared online. A repeat of the Target case is nightmare for any business leader. Storing, accessing, and transmitting critical data are now some of the most critical decisions facing a financial institution.[2]
Operational Risk is at the root of reputational harm and regulatory risk. When asked, a risk leader, CEO, or board member will report that their greatest concern is harm to the reputation and customer.[3] Next, it is a great concern that a regulatory body might target the firm for behaviors (real or implied) and penalize the firm accordingly, often in response to how a customer has been harmed. The way a business operates is tied to how it treats a customer and how it fails in providing the customer what he or she expected or was promised. Customers sue banks and insurers for their practices and enforcement when something goes wrong. That is operational risk. If you want to get a head of reputational harm and regulatory risk, focus on operational risk detection and prevention. Develop a plan to measure, manage, and lead operational risk.

How a firm operates and makes decisions is tied to how it manages internal decision-making processes. The management of such risk falls under Operational Risk Management. Operational Risk and self-inflicted damages are the cause of the greatest reputational harm. Through cases and simulations, we will explore all of these topics in the upcoming course Operational Risk Master Class: Measurement, Management, and Leadership.

Join us!

About Russell Walker, Ph.D.

His most recent book, From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the text Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

He has advised many leading institutions on Operational and Reputational Risk Management, including: The World Bank, SEC, Genworth, Capital One Financial, Discover Financial, PNC, The Bank of England, and the US State Department, among others.

You can find him at @RussWalker1492 and russellwalkerphd.com

[1] http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/

[2] Deloitte, Global Risk Survey of CROs.

[3] Economist Intelligence Unit, survey of CROs.

Risk Management Leadership Lessons – Operations Are Improved when Leaders Welcome Bad News

Risk Management Leadership Lessons – Operations Are Improved when Leaders Welcome Bad News

As the Volkswagen case unravels before our eyes, it plays out a familiar and repeated lesson on dealing with risk. This lesson is that early warning signs were available, but ignored. It appears that Bosch warned VW of the illegal diesel emissions as early as 2007.[1] It is not entirely surprising that VW and its executives ignored the warning. In fact, many of the great risk-driven crises involve firms that ignored early warning signs. Often early warning signs come as disconfirming information – or bad news – information that suggests the prevailing outlook on things is flawed and that a negative outcome is looming.

Let’s look at some other big failures in risk management and how the ignoring of early warning signs played a dangerous role. Evidence shows that BP had many test results, indicating that the critical pressure levels on the doomed Deepwater Horizon well were questionable. Toyota had the benefit of many years of excessively large numbers of customer complaints about accelerators. GM knew of the ignition problems. And, even famously, the NASA leadership team knew of the vulnerability of rubber O-rings in low temperatures (it was below freezing at Cape Canaveral the night before the launch in January, 1986). In all cases, the organizations ignored the information and elected to interpret it in a different manner. Why?

The answer is tied to how we develop our outlooks or hypotheses for the things around us. In these spectacular failures, the organizations and their leaders had early warning signs. Yet the early warning signs were ignored. As humans, we are predisposed to confirmation bias when confronted with new and disconfirming information. That is to say, when we see data that suggests our outlook is wrong, we first interpret the data in a way that still fits our rose-colored outlook. We attempt to discredit the data, the messenger, or the meaning of the data before we question our outlook and theory.

For instance, it results in the following claims: The drivers are the problem with Toyota automobiles, not the accelerators. Inconclusive pressure tests are common in oil well tests, as noted by BP. There is no statistically shown relationship between O-ring failure and temperature, as asserted by NASA before the Challenger explosion. And at VW, our engines are better, in spite of the data and warnings.

Overcoming these challenges is a fundamental one in the management of risk and decision-making. It involves organizational refocus and a diligent examination of disconfirming information or bad news. For the leader, it means opening your personal and professional network to the upward from of disconfirming information. That is not a one-time task, but a change in how you operate and do business.

Join us!

About Russell Walker, Ph.D.

You can find him at @RussWalker1492 and russellwalkerphd.com

The Value of Trust: Operating for Success

The Value of Trust: Operating for Success

In business and life, we grow to expect certain things. Namely, our society expects companies to produce products that are safe and reliable. We go to Yelp and rail against restaurants that do not meet our expectation for service. However, large firms, when caught red-handed often have gotten by with a mere slap on the hand. When we see a firm misbehave or use a controversial advertisement, we see boycotts initiated and apologies extracted. What about more severe damages? How a firm operates is important in its success and in forming trust with its customers.

In the last few weeks, we have seen a couple of major developments in how firms have cheated and thus lost trust. Stewart Parnell, the former CEO of Peanut Corporation of America, was sentenced to 28 years in prison for knowingly selling and distributing peanut products containing salmonella. At least nine people are known to have died from these contaminated peanut products. It is a striking case, because we now have the science to keep food safe. We now have the science to find what has killed us and identify the source of that contamination. Yet, a firm and its executives decided to operate in a reckless manner. It is the first severe penalty levied on a food company for selling contaminated food. In the trial, former employees of the Peanut Corporation of America testified that the CEO and firm prioritized profits over safe operating conditions. Of course, the tragic deaths cannot be reversed with prison time or fines. The damage to the Peanut Corporation of America was self-inflicted. No competitor or market force did that to them. No surprise in the capital markets or fear of peanuts by consumers brought them harm. When firms cheat and do harm, they ultimately hurt themselves. This fraud is of course a major risk to shareholders, customers, markets, and, in this case, the health of people.

The recent EPA disclosures about how Volkswagen has more or less gamed its diesel engine systems to perform well on emissions tests (and only during tests) showcases yet another case of internal fraud. Attorneys General across the US are already calling for billions in damages from Volkswagen. The firm created an image for “clean diesel,” sold it to well-educated and wealthy Americans, who wanted an environmentally palatable vehicle, and they profited handsomely from it. Now the lies have been revealed. The fraud, again, is internal and self-inflected. No competitor, regulator, customer, or market force made Volkswagen do this. It is risk that now will harm shareholders, customers, the German economy, and the environment. And, let’s not forget about Toyota and its accelerator, GM and its ignition switches, and well… the list goes on and on. We lose trust in firms because of the harm they cause and because that is the result of internal risk taking and decision-making gone awry.

These two recent cases are largely about internal fraud. It is clear that the firms knew about their misdeeds and elected to operate in a reckless and harmful manner. We often think of internal fraud as a banker walking out of the vault with gold bars. Such fraud is far less likely to occur than that of an executive taking undue risk against the firm to meet short-term goals. With average CEO tenures on the order of 5 years, the pressure to preform is high and the window of opportunity is short. The threat of internal fraud is a risk that all firms must address.

The management of such risk falls under Operational Risk Management. Operational Risk and self-inflicted damages are the cause of the greatest reputational harm. Nobody forced BP, GM, Volkswagen, Toyota, or the Peanut Corporation of America to do what they did. Their executives elected to take risks (and dangerous ones). Trust requires operating successfully over many transactions and creating value for customers. Once that trust and reputation are damaged, the firm must work to change not only its image, but also its operation. The process to managing Operational Risk requires a treatment that addresses the organization, its culture, its management, and leadership. We will explore all of these topics in the upcoming course Operational Risk Master Class: Measurement, Management, and Leadership.

Join us!

About Russell Walker, Ph.D.

Professor Russell Walker helps companies develop strategies to manage risk and harness value through analytics and Big Data. He is Clinical Associate Professor of Managerial Economics and Decision Sciences at the Kellogg School of Management of Northwestern University. His most recent book, From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the text Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

You can find him at @RussWalker1492 and russellwalkerphd.com

The Increasing Importance of Operational Risk in Enterprise Risk Management

Enterprise Risk Management, as a corporate undertaking, has its deepest roots in financial services. Historically, for banks and insurance firms, the focus within enterprise risk has largely been credit and market risk. The Great Recession of 2008 showed us that liquidity risk and the interplay between a firm and capital markets were also important to consider. Now that sufficient time has passed since the Great Recession, we see that credit and market risk were not the sole causes. Indeed, critical operations and processes at many lending institutions failed. Underwriting procedures, loan processing, and the like were subject to little if any confirmation and oversight, leading to larger and higher credit risk positions than anticipated. Operational risk had reared its ugly head. The wave of regulation that has overtaken the financial services industry since then is largely driven by concerns over processes and procedures that caused harm to customers. The impact of processes and policies has never been greater. There are drivers at work to suggest that operational risk is still increasing, and that in particular, firms should be mindful of certain risk drivers, in the context of enterprise risk management, such as Increasingly Complex Operations, Development of New and Untested Products, Automation and Digitization, Increasing Reputational Impact from Operational Risk, New Focus of Regulators on the Treatment of Customers as Victims, and lastly, Cyber Risk. The disturbing and uncomfortable reality is that operational risk is unintended and, in theory, should not happen, if critical processes are well designed. Operational risk is self-inflicted, or if not self-inflicted, it is the result of unexpected errors or mistakes, all proving to be much more costly and dangerous than initially anticipated. Therefore, this leads firms to pay specific focus on operational risk management as part of enterprise risk management.

Full article at:

http://www.ermjournal.org/index.php/erm

Managing Data Breaches and Cyber Risks

Data Breaches Impact Reputations and Customers

A data breach can lead to terrible consequences for you and your customers. In addition to devastating financial losses, the damage to your reputation and brand may be irreversible. Yet, despite the risks, some firms still view cyber crimes as random events. They take a “this will never happen to me” approach. On the contrary, it can happen to you and there are things you can do to prevent it.
For one, know that hackers don’t pull names out of a hat. They target firms for precise reasons. Either you have something they want or they’ve spotted a weakness in your system that makes you vulnerable. Consider TJX. In 2007, the retail giant reported the largest data breach in history. Out from under the company’s nose, cyber criminals made off with more than 45 million credit and debit card numbers. It turned out the crooks had been siphoning data for nearly two years before TJX detected the breach. How did the hackers do it? They intercepted insecure wireless payment information TJX was sending to its credit card authorizers and banks. TJX was using an outmoded WEP encryption instead of the more secure WAP. The company elected to not install the latest encryption technology, figuring the risk of a breach was low. Sounds familiar. It was also at work in the Target and Home Depot cases. You might argue, TJX’s business was retail, not technology. What did its management know about cyber crime? Probably not as much as they do now. But had they taken the risks more seriously, the event likely would never have happened.
Employees present a risk, too
Sometimes cyber criminals get help from employees inside a company. In 2011, an RSA employee retrieved an email from his junk folder and opened it. The email contained a malware that gave cyber thieves a foothold and allowed them to burrow into the company’s network. That one employee’s oversight ended up costing RSA and its parent company EMC $66 million. Other times, employees inside a company become the cyber criminals themselves. Booz Alan Hamilton gave its employee Edward Snowden access to classified information. Snowden, in turn, went against his employer’s client, the US government, by going public with that information. JP Morgan, Barings Bank and Société Générale are examples of other companies that also have experienced employee fraud or data breaches.
Tips for securing your data
We live in a data-driven society. Fortunately, you can do a few things to mitigate loss, and ensure your data is more secure.
1. Pay attention to the tiniest of details – As we rely increasingly on data automation to do our heavy lifting for us, we open ourselves up to the dangers of processing data inappropriately. Cloud storage and file sharing add to that risk. It’s best to take a detailed approach to examining data flows. Small holes easily can turn into flood gates.
2. Partner with best-in-class data firms – TJX lost money not because of a bad business model or even poor customer service. It lost money because of how it transferred credit card data, a task far outside of running a department store. Target, Home Depot, and many more are suffering the same. Be honest about what you do best and don’t be afraid to partner with experts in data risks and management.
3. Know your employees and their actions – A broad universe of tools (social networks, blogs, and intranet postings) is available for monitoring employee behavior. Many firms even deploy keystroke tracking software to comb messages and emails for legal issues. It is important to educate employees on how their actions can impact a company’s overall data security.
4. Customers expect more than the law – Laws exist that set clear direction on how companies need to process financial and health care data. But as more firms allow data sharing with web services and third-party apps, the risks become greater. Management needs to look to customer expectations regarding the treatment of data.

How to Win With Risk Management

A Q&A with Russell Walker about risk management

Many people think about risk management as a defensive strategy, a tool for minimizing exposure to economic crises or public-relations blowouts. But Russell Walker, a clinical associate professor of managerial economics and decision sciences at the Kellogg School of Management, argues that businesses should be thinking about risk management very differently. He has just written a book on the topic, Winning with Risk Management, published by World Scientific Press, which he kindly agreed to discuss with Kellogg Insight. Here is our conversation, lightly edited and condensed. (For a longer version of our conversation, listen to the accompanying podcast.)Kellogg Insight: Your book argues that a company’s risk management strategy can actually bring it a competitive advantage. Can you start by explaining just what you mean?

Russell Walker: The world of business has taught us that companies develop competencies and use those to create advantages. Companies might, for instance, be excellent in operations, in marketing, pricing, branding, etc. So in the same way we would ask ourselves, “how do we compare against another firm on pricing?” or “how do we compare against a firm on branding?,” we could ask questions about risk management. How does the organization tie into knowledge networks, how is the organization exposed to global stresses, global shocks, shocks in supply chains, or even risk from regulation?

“What’s really exciting about competing on risk is that you could ‘buy’ your competitor’s assets for free.”

KI: You point out that operational risk in particular is often mismanaged—to a company’s peril. What do you mean by operational risk, and why is it important to manage it well?

Russell Walker: Operational risks are the negative outcomes associated with executing a strategy. It’s often the case that we remember the very catastrophic, image-driven, external events: explosions, hazards, tornados, what have you. But many organizations fail not because of outside stresses, but because of challenges internally. There may be technological challenges. And there may be organizational issues dealing with information that might suggest that risks are different. Operational risk mostly is the implicit risk that an organization has accepted by setting a strategy.

KI: So let’s move to a couple concrete examples. Your book takes us through the way two different cell phone companies, Nokia and Ericsson, both responded to the same crisis, a fire in a supplier’s factory that delayed production of a critical component. But the two companies’ responses to this crisis were night and day. What happened?

Russell Walker: Great question. The case is a famous one because it highlights how two companies were exposed to essentially the same risk. Both companies were using a single supplier—Philips in this case—which made a memory chip that was unique in the cell phone industry. Both Nokia and Ericsson found themselves dependent on this single supplier. When Philips was unable to produce chips because of a fire event at its factory, Nokia and Ericsson took drastically different approaches.

Ericsson was laissez-faire: “we’ll wait for more information on our supplier.” Nokia more proactively sought out information. And as you might guess, that more proactive approach by Nokia allowed them to secure the international supply of this memory chip, preventing Ericsson from acquiring any supply. Nokia was able to provide its competitor Ericsson a deathblow, and in doing so gained market share. They picked up 3% of the world’s market share and paid Ericsson nothing for that. The case has changed how technology companies in particular view their global supply chain and assess the risk of their suppliers.

KI: How so?

Russell Walker: We have found that many of the components used in technological devices like iPhones or iPads now accept one of many different components in the marketplace. Whereas in the case of Nokia and Ericsson, the phones were designed around one particular memory chip—only one, made by one supplier—now many of the devices have built in an engineering flexibility that allows them to receive one of many different components. We’ve also seen that Apple has changed its relationship with suppliers. It has a nearly exclusive relationship with Foxconn and develops very deep relationships with its partners. This case shows that both Ericsson and Nokia lacked that kind of deep relationship with a supplier.

KI: Would you say that there are any other ways that technology has shaped the risk landscape?

Russell Walker: Many ways. T.J. Maxx is a large retailer here in the U.S., and they’re not a company that you would expect to necessarily be competitive in the world of data security. But because they elected not to take particular actions to upgrade the security on their credit card transaction systems, they became the victim of a very sophisticated and targeted fraud scheme in which individuals stole credit card information from the satellite transfers from T.J. Maxx stores to their headquarters.

T.J. Maxx is a retailer. They compete on selling brands and clothes and all the things that we wish to wear, not on credit card security and in the technology necessary for that. But now even companies that run small e-commerce webpages are exposed. The case highlights—and it was the largest example of credit card fraud to date in the U.S.—the need for companies to stay abreast of technological risk.

KI: Time and again your book frames risk as this opportunity. I know you’ve touched on it briefly before. But why do you think that the more positive aspects of risk are ignored?

Russell Walker: They’re largely ignored because risk has been presented as a downside, not necessarily as an upside. What is fascinating about risk and understanding your competitive position against risk is that if your competitor is to falter—if you could assist your competitor in some demise—their assets (be they market share, factories, brands, etc.) get transferred. And in the context of risk, if we look at the examples of Nokia and Ericsson, and even Toyota and British Patroleum, we see that assets get transferred for nothing. What’s really exciting about competing on risk is that you could “buy” your competitor’s assets for free. That largely will define the winners and the losers in a marketplace.

KI: You said something really interesting in your book about CEO tenure, and how that might actually influence how companies think about risk. Do you mind sharing?

Russell Walker: Exact numbers are in the book, but I believe a typical CEO tenure is 4–7 years. But it’s not uncommon for it to even be less. This suggests that a CEO, given his or her reward package, may take risks or make investments that maximize short-term results, and potentially expose the firm to larger risks later down the road. We could look at family businesses as a comparison, where a family business has the goal of preserving the company over a very long period of time, in fact even transferring it to the next generation. And we find that they take different risks, risks more in the direction of, “how do I preserve this and grow this in a sustainable way?” versus “how do I grow revenue rapidly, quickly?”

KI: So it might not be a bad thing for us all to start thinking about public corporations more as family corporations.

Russell Walker: Well, in the sense that you own it and it’s yours, you think about it very differently. In fact it has been suggested that CEOs should be compensated entirely by stock, entirely by ownership.

Winning with Risk Management

Traditionally, organizations have viewed risk management as a corporate requirement, and have often positioned it along with audit and regulatory functions. Some have even empowered and titled corporate groups to “manage risk” along these lines. This charge has often revolved around managing insurance policies and reviewing reports from rating agencies, which suggests that risk management was viewed more as the hedging of certain risks and the overall outsourcing of critical risk analysis, especially as related to credit risk. The recent economic downturn has shown a new face and place for risk management. The strongest firms in this economic downturn are those who integrated risk management as a more comprehensive part of corporate strategy. The weaker firms almost entirely shared the traditional risk management school of thought mentioned above. This is true in financial services and extends to nearly all industries reliant on credit, market, and operational risk management.

In the recent economic downturn, a few key behaviors of risk management as a driver of corporate strategy have emerged. First and foremost, sound risk management requires executive involvement and ownership. Next, there must exist a culture and climate for openly communicating risk in the organization. Additionally, communication of risk must have an emphasis on data-driven decisions. Lastly, but perhaps most critically, is that the organization must have a “ready response” to a known risk.

Let’s look at how executive involvement and ownership have a role in risk management in driving corporate strategy. A nice example is JP Morgan-Chase. Of the major banks in the US, JP Morgan Chase has carefully skirted the largest issues afflicting its competitors and brilliantly executed a strategy that is rooted in understanding its risk and adapting as needed. We can’t forget their buying of Bear Stearns at $10 a share and their buying of Washington Mutual (formerly the largest savings and loans operator in the US). It is worth looking at Jamie Dimon, Chairman and CEO of JP Morgan Chase. Unlike many a CEO, he took an active role in regular risk briefings. Not only did he ask for detailed risk reports as the CEO, he also recognized the need to set a direction for the organization in reaction to these risk outlooks versus delegating the risk decisions. When the investment banking industry was moving towards greater real-estate investments and larger CDO purchases, he looked to data from the JP Morgan retail banks that showed that mortgage defaults were on the rise, and he provided his team the direction (driven off of data) to move against the herd by selling real-estate backed securities. It is hard to fathom that an organization in the world that would make take such a drastic decision about risk without the direct involvement of its senior leadership. Therefore, just as executive involvement is important in setting corporate strategy, it is equally important in risk decisions.

To be effective as an organization, there must be honesty and openness in communicating risks. It is clear that the international real-estate bubble was in part fueled by a field of mortgages that were, in various forms, deceitful, incomplete, or otherwise untraditional. Indeed, the classically-trained credit risk managers signaled these mortgages as high risks. For many organizations that were focused on short-term earnings and felt a need to outpace the industry in bookings, this communication of risk was dismissed, or worse, even silenced. In the JP Morgan Chase example, it was the retail banking division that shared data with the investment bank on the escalations in mortgage delinquencies. This sharing of data across business lines allowed Mr. Dimon and his corporate team to change strategy on the investment side. For many organizations, sharing unexpected information is unwelcomed. Presumably, other banks could have done the same as JP Morgan Chase, but the focus on communicating risks and data across business lines was not there in other banks. The lesson, of course, is that an enterprise must be willing to communicate about risk, especially when things are going well and the risk has yet to be realized. Businesses lines should take time to learn what other lines are doing given the interconnectedness of risk within an organization.

The importance of information in risk management should not be missed. In recent months, many risk managers have pondered how the traditional risk management models failed to predict the crisis, as a great body of thought has gone into the development of the risk models and techniques that have been used to conventionally manage risk. In that convention resides the problem. Such conventional risk management techniques use historical data to make projections about “worse cases” or statistical anomalies that might happen with some likelihood. However, future negative outcomes are unknown to the models and future “failure paths” are unincorporated in the models. Most of the employed risk models are poor at incorporating new information and even worse at new types or sources of information, such as changes observed in a tangential business line, observations from front-line staff or traders, or alternations in market behavior due to phenomena such as reduced availability of capital.

In the case of JP Morgan Chase seeing signals in their mortgage accounts, they incorporated information on mortgage payments that was unconventional for the evaluation of portfolios of mortgages by the investment bank. Their success came from identifying such novel information and realizing that it challenged conventional thought. In such conditions, relaying on conventional risk models is highly questionable and some would even say harmful. So, the focus of a risk manager should not be strictly quantification (as in the execution of conventional risk models), but the identification and incorporation of information, especially from of new types and of new sources, in order to determine direction and changes that drive risk. Risk management is inherently a process of investigation and learning, rooted in unraveling the complexity of the unknown.

The risks facing organizations are legitimately more complex and tightly connected than ever before. The complexity of risk is largely driven by the continual globalization of business and the increased speed of virtually every business activity, as enabled by technological advances. Using data to make decisions is key; it enables verification, and provides a means of breaking down the complexity of business. For many organizations, there was a reliance on securitization or swaps to transfer risk in ways that were not possible a few years previously. This was heralded, and in fact, there are benefits to these instruments. In many ways, these swaps served as insurance, yet the buyers of such swaps were not necessarily qualified or even financially guaranteed (as is required by many a insurers worldwide). It is clear that very few of the buyers or sellers of such novel financial instruments understood the inherent interconnectivity of risks in these instruments. For instance, the US government is still unwinding the trades and obligations of AIG, which relied heavily on swaps and risk transfers. The case of AIG shows how even a large and diversified firm can struggle to fully understand its obligations and risks. Many firms like AIG, relied heavily on hedging or transferring of risk as a means of risk management. The assumption that risk is perfectly transferred means that one’s counterparty is perfectly resilient, too. This is of course a naïve view and one proven wrong recently, but one that fundamentally demonstrates how a few assumptions about risk can drastically impede a corporate strategy.

Still, in each corporate strategy, particular risks are accepted, namely and ideally those risks which management believes hold some attractive opportunity. Focusing on the data or factors that foretell of the risk accepted is key; it is how one begins to understand a risk and reduce uncertainty. Risk management is a process of investigation and study. Interestingly, many companies worldwide have accepted data at face value, such as credit ratings from the agencies, the financial stability of a counterparty that was buying a swap or credit risk transfer, or the direction of commodity or real estate prices. For example, it is clear that the US automobile industry was not prepared for the recent volatility in oil prices. The “Big Three” manufacturers were largely working on a view that oil would remain inexpensive to the US consumer. Instead, the likes of Toyota and Honda were making calculated investments in hybrid vehicles and other high efficiency vehicles to position themselves for an upswing in oil prices. In many ways, Toyota and Honda, had already “readied their response” to the risk posed by higher oil prices and the subsequent impact on their customers. This reflects a treatment of risk on the part of Toyota and Honda as part of their corporate strategies.

This forward thinking about risk is key in organizations. Toyota and Honda were not immune to the recent economic downturn nor did they completely depart the previously lucrative SUV market in the US, but clearly each was better positioned than the major US manufacturers, because they were better prepared. They identified a risk, took action in a way that would allow their corporate strategy to adapt to an environment with lower consumer interest in large vehicles. The emphasis is on “readying the response,” much in the same way that militaries conduct simulations to prepare for a yet unseen conflict. Companies that ready a response for various situations are not necessarily better at predicting the future; they are just more prepared for what comes to pass. This continuous preparation often makes them better at understanding factors predictive of a risk. So, being ready is not preparing for doomsday, but rather being able and prepared to adapt.

It is interesting we have heard the phrase “liquidity risk” come to describe the woes of many a firm recently. In fact, it is a more polite way of saying that an organization ran out of money. The seeds of today’s liquidity risks were set a few years ago, during more prosperous times, when companies dispersed excess cash through dividends, share buybacks, and undertook a wave of high-priced mergers. Indeed, shareholders and the investment community clamored for this sharing of wealth and punished those firms that held “excessive cash reserves.” Yet, today those organizations that hoarded a bit of cash can protect themselves against “liquidity risk” and can purchase competitor assets at significant discounts. Warren Buffett’s Berkshire Hathaway serves as a wonderful example in this case. Its history and policy of not paying a dividend has drawn naysayers in the past. Yet, this has provided a strategy that positioned the firm to have cash when it is most needed. It has allowed Warren Buffett to follow a strategy of long-term value to investors. The implicit risk decision was tied to strategy. The risk decision and strategy decision go hand in hand.

It is fair to admit that the current economic situation has altered many assumptions about business and markets, and we have seen a massive encroachment (oops, I meant investment) by governments in corporations. This will surely bring new risks to corporations and governments alike. Governments and corporations have different strategies and goals. Although we can more or less agree that corporations are driven to return profits to investors, the role of governments as major shareholders in banks, mortgage-holding firms, automobile manufacturers, and insurance firms is less clear. In part, the governments of the world have provided a rescue plan to stabilize (hopefully) our markets. But such investments by the government come with a price tag. We have already seen the US Congress and UK Parliament adjust and limit banks’ pricing on credit cards. Banks in both countries are furthermore restricted in taking action on defaulting mortgages, as part of accepting the government funds. So, the risks accepted change as the corporate strategy changes. Governments and politicians seem much more sensitive to reputations and public outcries than corporations, suggesting that firms accepting government assistance will likely be addressing a new list of risks and responding to a growing group of constituents. The risk of regulation is high for many industries, and firms should adjust their corporate strategies accordingly.

In driving corporate strategy, we see that risk management is much more than a set of best practices and transferring of risk. Instead, it involves clear identification of those risk accepted. Factors that are believed to drive risk and the data that is predictive of risk should be openly communicated, but this is not limited to risks internal to the firm. Let’s not forget, “Profit is reward for taking risk,” as so wisely put by the famous economist Frank Knight in 1921. Therefore, firms should not only be selective in which risks to take, but willing to pounce when the opportunity presents itself. This involves tracking the risk position of competitors, in order to understand competitive advantages. So, risk management is not an exercise in paranoia, but rather a thoughtful approach to understanding uncertainty, exposures, opportunities, and limits in order to make educated investments. It requires executive involvement, an emphasis on making data-driven decisions, open communication about risks, and a discipline to think through scenarios and ready responses. Indeed, a great many of the winners coming out of our current economic environment will be those that not only held a bit more cash, but had a bit more information than their competitors and were able to seize a window of opportunity.

These lessons show that risk management is really about the identification of key information and its use in the decision-making process. It is not about guidelines or the execution of conventional mathematical models. It is more important than ever as preparing for the unknown requires having the best information not the industry accepted “best practice.” This all signals that the risk management team belongs on the corporate strategy team, not on the phone with insurance brokers.

Follow me at @RussWalker1492 and russellwalkerphd.com