Has the development of tools for assessing risk lulled people into believing risk is now easier to control? When are risk-return trade-offs prohibitively dangerous? How should managers prepare for Black Swan events? What makes a good CRO?
Five experts discuss the future of enterprise risk management.
David Champion: How predictable was the financial meltdown of 2008–2009? Was it a Black Swan event or, rather, analogous to the next big California earthquake—something you know will happen though you don’t know when?
Peter Tufano: Many of the elements of the crisis were being talked about long before it happened. Analysts had been questioning the sustainability of the subprime business well before the meltdown. Macroeconomists had been worrying about the U.S. current account deficit. I myself had been looking at obviously unsustainable household saving rates and debt levels. Other people were writing about the imperfections of ratings models. What we didn’t see was how the elements were interacting. And that meant we were blind to the risk that the whole system would break down.
Michael Hofmann: I agree. The crash was essentially the bursting of a classic credit bubble. The interesting part was what the bursting revealed, which was just how concentrated the financial system had become. It also highlighted a classic behavioral bias. The main features of the financial system had been in place for some 25 years, and we had gotten pretty comfortable with the way things were. We were all relying on data from this largely stable period. It’s very hard in these situations to stand up and prophesy disaster.
Robert Simons: There has certainly been a strong pattern of risk-taking behavior in the financial sector, and in my view that is because we had three enabling conditions in place at once. First, the innovations in financial engineering that were developed over the past decade created an opportunity to take on more risk through new products. This is not new, of course. Breakthroughs in transportation, telecommunications, and computing all created similar opportunities for risk taking. Second, you need motivation in the form of performance pressure, and the financial markets supplied this in spades. There’s been intense pressure on executives to deliver sales growth, a larger market share, and ever-rising stock prices. But again, nothing in the past few years would suggest that this pressure had suddenly intensified. What was new was the third ingredient, which I call rationalization—the belief that a particular behavior is economically and morally justifiable. The shareholder value principle—that social welfare is somehow best served if managers focus exclusively on delivering the maximum value to stock owners—was one such rationalization. And rationalizations like that made it much easier for managers everywhere to take on risk that they would otherwise have avoided. Risk became the rule rather than the exception, which explains the scale of the crisis.
As you point out, financial innovation created the opportunity. But it also gave us tools for assessing risk, and some people argue that this “scientification” of risk made it easier for people to believe they could control it. Any thoughts?
Hofmann: There’s often a profound misunderstanding about what financial models can do. Any business decision is about capturing some reward. To capture it, you take certain risks. So the first questions for a risk person are: What’s the reward we are trying to capture? Do we really understand the risk we are taking? Is it an acceptable risk? If so, the next question is whether the reward is high enough. This is where modeling comes in. But before you start to model the risk, you have to think about whether you understand the nature of it.
Anette Mikes: I second that. Models are not decision makers; people are. So the real issue is the culture that you have around modeling. I’ve found that, in extremis, there are two types of risk managers. One type I call quantitative enthusiasts. They believe that there are basically just two kinds of risks: the ones we have already modeled successfully and the ones we haven’t. Some banks were convinced that you could use models to decide whether to lend to a particular company. You would plug in data, and the model would come out with a credit grade. If you step back a bit, you realize that you have to make some heroic assumptions to be able to do this. The weakness of the quantitative enthusiast culture is that managers give too much attention to the output and too little to the assumptions that went into the model. The other type of risk managers I call quantitative skeptics—people who overemphasize the weaknesses of risk models. They consider the major risks to be outside the quantifiable-risk universe, but they can easily lose sight of aggregate risk effects. Incidentally, the crisis has brought both camps closer to a healthy skepticism. Quantitative enthusiasts have become more skeptical and are reclaiming the lost science of decision making by expert judgment. Quantitative skeptics are getting more comfortable with risk analytics as they implement strong validation controls around risk models.
So far we’ve been talking about the financial sector. Aren’t the challenges that industrial companies face very different?
Hofmann: Yes and no. Koch Industries and its subsidiaries have some of the same financial risks, though obviously to a lesser degree than a bank would have. For example, we grant credit to our customers. We have a treasury group that deals with liquidity management; we manage large investment portfolios; and we have trading operations. But we also deal with significant operational risks—from logistics and massive industrial plants. Those operational risks are different from and much greater in scale than the ones that a financial services group is concerned with, which are mainly around documentation, data processing, and so forth.
Robert S. Kaplan: Industrial companies definitely have strategic risks, which may be even more difficult to measure and manage than financial risks. Those companies make big investments in their physical and intangible assets, which become worthless if customers cease to value the products and services produced from them. But since we don’t mark physical assets to realizable values or even recognize a company’s intangible assets, the impairment plays out over longer periods of time. General Motors took about 25 years to realize the risks it had assumed by generating profits only from large vehicles. When energy prices doubled, it did not have profitable fuel-efficient cars available for sale to customers, and the company failed.
