Phoenix Rising

July 31, 2009 | Last updated on October 1, 2024
13 min read

It’s been nearly a year since the foundation of the global economy was shaken and splintered to its core. By now, we are all better acquainted with the dubious market practices that almost caused a handful of major financial institutions south of the border to collapse, generating a ripple effect that has caused risk managers in both the financial and non-financial sectors to wonder what exactly went wrong — and what needs to be adjusted in order to prevent it from happening again.

The role, practice and value of risk management came under fire after the event. Some suggested the entire book on the discipline needed to be torn up and re-written. Others argue the fault does not lie with risk management, but rather with the lack thereof.

Some suggest key financial institutions relied too heavily on financial models, causing risk managers at these firms to basically fall asleep at the wheel and grow complacent. As a result, myopic decisions were made with little to no consideration given to qualitative factors such as reputation risk. Highly improbable events were simply shuffled off of the radar screen. Some surmise that perhaps the most expensive words in the English language — ‘that won’t ever happen’ — replaced careful consideration and creative stress testing within the risk management departments at these troubled firms.

A global corporate calamity such as the financial crisis holds the potential to make or break the entire discipline of risk management. Ironically, the banking sector — the same investment banks that made questionable mortgage loans, thus contributing to the financial crisis — appeared to sit on the front edge of the risk management wedge, says Dr. Bob Mark, the CEO of Black Diamond Risk Enterprises. “They’ve published policies and designed methodologies to measure a lot of things,” he says. “They built the infrastructure and put a significant amount of investment into it, and yet they still had problems. I think that’s the dilemma.”

But Mark cautions the answer is not to throw the baby out with the bathwater and jettison risk modelling altogether. By recognizing weaknesses in the systems that faltered, he continues, others are building and shoring up their respective programs. The event may have been the wake-up call that the C-suite needed to hear.

An event of this magnitude — some insurers have projected the financial crisis will lead to liability claims of about US$10 billion, roughly one-quarter of the insured losses associated with Hurricane Katrina — is forcing risk managers in all sectors, both financial and non-financial, to stop and re-evaluate what led to the meltdown in the first place. Risk managers are already moving forward with lessons learned to improve risk management practices across the spectrum. “Bad risk management got us into this mess and good risk management will get us out of it,” says Perry Brazeau, FM Global’s chief agent in Canada.

Lessons learned

It’s an old adage that a tool is only as effective as the person using it. After all, businesses are essentially an aggregation of humans. Thus, when sifting through the ashes of the financial crisis, experts argue the post-mortem should not be on whether or not it was the financial models that faltered. Rather, analysis should concentrate on whether corporations failed to execute sound risk management principles. “In our experience, many of the models were sound and credible,” says Don Mango, Guy Carpenter & Company’s chief actuary. “The issues really centred around systemic risk, which impacted all participants simultaneously, and a liquidity meltdown to unprecedented levels.”

Financial models are basically a collection of theories and correlations, says Joanna Makomaski, a principal and senior ERM specialist with the V3 Advisory Group in Toronto. “Or as I like to call them, a Jenga tower of assumptions that are typically based on past observations and not necessarily on a current operating environment of any one organization. It’s a best guess.”

Makomaski hypothesizes that the size and complexity of the models financial institutions use have simply grown to the point where no one really questions the assumptions on which they are based. “The models may have been perfectly sound, but no one likely was responsible for questioning the assumptions that were in them,” she says. Worse yet, she adds, “we got so close to these models that we failed to see the forest for the trees. You need to step back and regularly look inside the model to see if there might be something else that needs considering.”

Before the crisis, most companies, and not just those in the financial services industry, approached risk with an eye towards compliance, Phillip Ellis, leader of Willis’ ERM Business, observes. Lost in this approach was the need to manage risk.

“Models were often used as something of a crutch — sort of a reassurance that what management was already doing was okay,” says Ellis. “It has been widely noted and reported that most senior executives of most of the institutions that have been seriously damaged in the crisis didn’t really understand the models or the signals that many of the models were giving with regard to risk tolerances and risk barriers.”

Complacency likely took hold, Makomaski says, and the models were being treated as crystal balls. Risk management really should be about preparation, not just prediction.

“There was probably a combination of overly optimistic models that were based only on the recent past, when financial volatility was low, as well as lack of discipline to follow the models that did indicate stress and excessive leverage,” Mango says.

Twisting the assumptions

How do risk managers make sure they don’t retreat back into that comfort zone of complacency? First of all, they need to remember that models are more than just a collection of historical data: they are based on theoretical assumptions, and the currency and relevance of these assumptions should be re-evaluated frequently. This is part of what risk managers mean when they say the models’ assumptions need to be “twisted” every so often.

“A lot of folks [were] …lulled into a false sense of security [about] risks [and] forecasts for the future because, by and large, their models were telling them something that for a long time was right,” says Mat Allen, practice leader for ERM at Marsh. “And then with this crisis, the model’s output was wrong. Not only was it wrong, but it was big-time wrong.” That’s when it becomes a big problem, Allen continues. “The models are a reflection of what’s happened in history or the past. When you know what the past is, the models are pretty accurate. Well, when the past changes a bit, it starts to change the model pretty dramatically.”

Mike Stramaglia, chief risk officer at SunLife Financial, agrees. He says the calibration of risk models using historical precedence or past experience is an inherent flaw. “As complex as some of these financial models are, of course the real world in which we are cursed to live really orders a magnitude that’s even more complex,” he says. “There’s an implicit assumption that the future will always look like the past, but we know that’s not always true. When those historical patterns break down, they often do so in a very significant way.”

So, how do risk managers prepare for those momentous occasions that models reject as statistically improbable? “There are ways to get around history, and that would be to change the [models’] assumption base or the way that [their] assumptions are generated,” Allen says.

Stress testing is a common procedure; in certain situations, it is a regulatory requirement. Whether required or not, stress testing always benefits from risk managers showing some creativity and imagination in an effort to explore hypothetical scenarios and assumptions. “For example, Quebec separates,” Mark says. “It’s not a crazy scenario, but you need to think of what would happen to your business if Quebec sep arates. I know that if Quebec separates, I have thought through the implications. Now if something happens to my currency, or the Canadian dollar gets whacked, I can have hedges in place. Do I have business risks because people don’t want to deal with me because they don’t know what’s going on? That’s my communication plan. I can tell them, ‘I’m okay. It’s business as usual for me.”

Sensitivity testing on the key model assumptions is paramount, as is an understanding of which assumptions have the highest leveraged effect on the results. “The idea is to really hone in on what you are actually betting on,” Stramaglia says. “What are the functions that are really driving the bus in terms of impacting results?”

Broadening engagement in the stress testing — incorporating as many different people and perspectives as possible — and expanding the timeline beyond a model’s projected result time frame can also help test the models’ assumptions and thresholds. “Involving people in the process that aren’t married to some of those past paradigms and [people] who continue to ask ‘Why not?’ can be particularly helpful,” Stramaglia continues. “Looking beyond the one-year horizon to what might happen in three or five years can help, too. Because we know that time frames are getting to be more and more compressed. It’s amazing just how quickly things can unwind.”

The ‘unknown unknowns’

Borrowing a phrase from former U. S. secretary of state Donald Rumsfeld, Ellis says one of the primary challenges for risk management is to plan for the “unknown unknowns.”

One can never really predict what the future holds, Ellis says. But by using a combination of quantitative and qualitative methods — methods that take into consideration data, hard numbers and human experience — risk managers can drum up a series of estimates that would help define plausible calamitous scenarios.

Stramaglia suggests turning a typical stress test on its head, working backwards through it. “Instead of first thinking up a scenario and then running it through your model and getting a result, start with a really bad result and then run it backwards and try to identify some scenarios or assumptions that might land you there. Then try to determine what you think about that. That has a tendency to put a focus on some of the more audacious scenarios than if you approached it in a more conventional sense.”

Talk to management teams, Ellis says. Ask them about past surprises they have seen occur. Find out what kinds of potential scenarios are keeping them awake at night. Get estimates on how likely those nightmare scenarios are to occur. In obtaining these estimates, don’t get bogged down by data analysis; listen to their ‘gut feelings.’

“By mining human expertise to come up with the definition of the calamities, and the possibility of those calamities [occurring], management develops a comfort level that they have faced the abyss head on,” says Ellis. “But it’s defined by what the abyss looks like, and then they can come up with their risk management plans.”

Using a model as a base, supporting its statistical findings with anecdotal data and good judgement, better supports an executive’s decision-making process, says Garry McDonnell, national director of Aon Global Risk Consulting in Canada.

“I think reliance on a model [alone] will not give you the best outcome,” McDonnell says. He adds that he has observed a shift in risk management practices that sees the a higher premium being placed on the inclusion of judgement and human experience, not just the hard data. Makomaski agrees. “Models can act as wonderful benchmarks and support tools that can create boundaries with respect to risks. It might be slightly off, but at least it puts us in the ballpark, and we need that. There are some great benefits to having these tools, but they are just tools and need to be gut-checked.”

Risk management is not merely an exercise in prediction, Makomaski continues. It’s about being prepared for those calamities as well. “It’s about rebound time, it’s not just about the nature of the risks. It’s about your ability to quickly rebound once something hits you and hopefully bounce back before your competition.”

Embrace the fact that there will be failures and that bad things will happen, she says. Learn from them and adjust your business resilience plan.

“If you know that you’re going to be in a jungle, you know there is a chance you may be bitten by a ferocious animal,” she says. “You can spend all your time trying to figure out the particulars of the tiger or snake that may bite you. Or rather think: ‘If I get bitten, how quickly will I be able to recover? Focus more on the action plan and the size of a bite that could actually pose a serious problem for you.”

A voice in the wilderness

One pertinent lesson learned from the crisis is the need to communicate those projected risks — and the planning undertaken around them — to the rest of the organization, from the mailroom to the C-suite. “The primary role of the risk manager is to make the risks transparent,” says Mark. “Reports need to be clear, and other people in the organization need to be brought into the process. I would ask for the help of the managers of the other units within the organization so that I could understand those units. I try to make it a partnership. I couldn’t do it by myself. These managers are your business partners; if something goes wrong, it’s both of your issues.”

Today, more than ever, risk managers have tools available to communicate the risks, Craig Rowe, founder and CEO of ClearRisk, notes. “Through intranets, internal micro-blogs and networking sites, all kinds of opportunities exist for risk managers to keep risk management on top-of-mind in all levels of the organization.”

Rowe says he doesn’t see the risk manager as being the only person within an organization that manages risk. “I don’t think any one person within an organization can manage risk on their own effectively,” he says. “The risk manager is the person who leads the organization through the risk management process.”

Taking on this leadership role requires a risk manager to think of their career in terms like that of a doctor or lawyer — i. e. a career that requires ongoing education. “You’ve got to stay on top of the case law, on top of the news and events in both your organization and the industry at large,” Rowe says. “And you have to keep communicating that inside of your organization. There’s nothing like a real-world example to get people interested, get their attention and make them remember. Be the risk library in your organization and pass it on.”

Ellis agrees. “The models don’t need to get any more sophisticated,” he says. “What has to get more sophisticated is the communication” between senior executives and modellers. The senior executives need to be telling modellers in a clear way what they are looking for in terms of a model that can help them manage their business. Modellers, on the other hand, need to communicate coherent messages to the senior management about what their models are telling them.

“The real issue — and one that’s really come into focus with this crisis, given that many companies have severe liquidity issues and are very worried about their level of debt and, in many cases, their cash flows — is that it’s extremely important to understand the catastrophic ends of things and how companies can protect themselves against those kinds of losses,” Ellis says.

Decision-makers in organizations that suffered as a result of the crisis were clearly ill-informed about the risks and ill-prepared to deal with the consequences. “A lot of the time [the senior executives] are left disabled and they aren’t given the proper information,” Makmomaski says. “Management means that action is being taken and decisions are being made with the understanding of the risks. … I do believe that at the executive level, often people aren’t getting reliable business intelligence to actually apply sound risk management.”

Culture shift

Even though, as a result of the crisis, the C-suite now seems to be paying more attention to those within its risk management department, the awareness of risk still needs to permeate throughout the organization, experts agree.

Well-crafted employee incentive programs and compensation plans are the single largest levers management has to create a risk-responsible behaviour, Makomaski says. ” Often leaders and decision makers get ahead in organizations because they’re recognized for putting out fires, so naturally their incentive is to wait for the next fire so that they can show their abilities,” she says. “For me, it’s that kind of incentive, and it’s those kinds of performance metrics, that need adjusting…. People need to be rewarded for mitigating fires too.”

Oddly enough, the crisis has accelerated the acute nature of the demands of the risk manager’s role, Allen says. “There is a fundamental shift in the expectation of what the risk manager does. More specifically, there is an expectation that the role is migrating in a different direction than it’s ever been in.”

Historically, the risk manager’s role was typically one-dimensional. The risk manager was the person within the organization that purchased insurance. Since the economic downturn, however, senior managers have changed their views about what risk managers are and what they should be doing. The role is becoming now becoming more strategic, McConnell suggests.

“It’s creating a huge opportunity,” Allen adds. “The smart cross-section of risk managers understands that it’s an opportunity to make the role more strategic and get closer to the C-suite. The smart money is on the folks who are viewing risk in a much more strategic way and have the ability to talk about the financial structure of their organization and provide very specific value as it relates to the protection of that structure.”

At the end of the day, risk management is not about eliminating or avoiding risks, it’s about striking the proper balance between an organization’s goals and the amount of risk that can be taken to meet those goals and remain profitable.

“Be very conscious of what environments breed risk, work at thwarting and dampening the risks to eliminate the risks you don’t want and embrace the ones that you do want,” Makomaski says. “Risk management means preparing for and understanding what is creating volatility in your desired goals. It’s sound, it makes sense, but it needs to be practiced — it is like staying fit, we must go to the gym regularly — it doesn’t just happen.”

———

Perhaps the most expensive words in the English language — ‘that won’t ever happen’ — replaced careful consideration and creative stress testing within the risk management departments of troubled financial firms.

———

Bad risk management got us into this mess and good risk management will get us out of it.

———

There are some great benefits to having these models as tools, but they are just tools and need to be gut-checked.

———

A lot of folks were lulled into a false sense of security about risks and forecasts for the future because by and large their models were telling them something that for a long time was right. And then with this crisis, the model’s output was wrong. Not only was it wrong, but it was big-time wrong.