Has the development of tools for assessing risk lulled people into believing risk is now easier to control? When are risk-return trade-offs prohibitively dangerous? How should managers prepare for Black Swan events? What makes a good CRO?
Five experts discuss the future of enterprise risk management.
David Champion: How predictable was the financial meltdown of 2008–2009? Was it a Black Swan event or, rather, analogous to the next big California earthquake—something you know will happen though you don’t know when?
Peter Tufano: Many of the elements of the crisis were being talked about long before it happened. Analysts had been questioning the sustainability of the subprime business well before the meltdown. Macroeconomists had been worrying about the U.S. current account deficit. I myself had been looking at obviously unsustainable household saving rates and debt levels. Other people were writing about the imperfections of ratings models. What we didn’t see was how the elements were interacting. And that meant we were blind to the risk that the whole system would break down.
Michael Hofmann: I agree. The crash was essentially the bursting of a classic credit bubble. The interesting part was what the bursting revealed, which was just how concentrated the financial system had become. It also highlighted a classic behavioral bias. The main features of the financial system had been in place for some 25 years, and we had gotten pretty comfortable with the way things were. We were all relying on data from this largely stable period. It’s very hard in these situations to stand up and prophesy disaster.
Robert Simons: There has certainly been a strong pattern of risk-taking behavior in the financial sector, and in my view that is because we had three enabling conditions in place at once. First, the innovations in financial engineering that were developed over the past decade created an opportunity to take on more risk through new products. This is not new, of course. Breakthroughs in transportation, telecommunications, and computing all created similar opportunities for risk taking. Second, you need motivation in the form of performance pressure, and the financial markets supplied this in spades. There’s been intense pressure on executives to deliver sales growth, a larger market share, and ever-rising stock prices. But again, nothing in the past few years would suggest that this pressure had suddenly intensified. What was new was the third ingredient, which I call rationalization—the belief that a particular behavior is economically and morally justifiable. The shareholder value principle—that social welfare is somehow best served if managers focus exclusively on delivering the maximum value to stock owners—was one such rationalization. And rationalizations like that made it much easier for managers everywhere to take on risk that they would otherwise have avoided. Risk became the rule rather than the exception, which explains the scale of the crisis.
Champion: As you point out, financial innovation created the opportunity. But it also gave us tools for assessing risk, and some people argue that this “scientification” of risk made it easier for people to believe they could control it. Any thoughts?
Hofmann: There’s often a profound misunderstanding about what financial models can do. Any business decision is about capturing some reward. To capture it, you take certain risks. So the first questions for a risk person are: What’s the reward we are trying to capture? Do we really understand the risk we are taking? Is it an acceptable risk? If so, the next question is whether the reward is high enough. This is where modeling comes in. But before you start to model the risk, you have to think about whether you understand the nature of it.
Anette Mikes: I second that. Models are not decision makers; people are. So the real issue is the culture that you have around modeling. I’ve found that, in extremis, there are two types of risk managers. One type I call quantitative enthusiasts. They believe that there are basically just two kinds of risks: the ones we have already modeled successfully and the ones we haven’t. Some banks were convinced that you could use models to decide whether to lend to a particular company. You would plug in data, and the model would come out with a credit grade. If you step back a bit, you realize that you have to make some heroic assumptions to be able to do this. The weakness of the quantitative enthusiast culture is that managers give too much attention to the output and too little to the assumptions that went into the model. The other type of risk managers I call quantitative skeptics—people who overemphasize the weaknesses of risk models. They consider the major risks to be outside the quantifiable-risk universe, but they can easily lose sight of aggregate risk effects. Incidentally, the crisis has brought both camps closer to a healthy skepticism. Quantitative enthusiasts have become more skeptical and are reclaiming the lost science of decision making by expert judgment. Quantitative skeptics are getting more comfortable with risk analytics as they implement strong validation controls around risk models.
Champion: So far we’ve been talking about the financial sector. Aren’t the challenges that industrial companies face very different?
Hofmann: Yes and no. Koch Industries and its subsidiaries have some of the same financial risks, though obviously to a lesser degree than a bank would have. For example, we grant credit to our customers. We have a treasury group that deals with liquidity management; we manage large investment portfolios; and we have trading operations. But we also deal with significant operational risks—from logistics and massive industrial plants. Those operational risks are different from and much greater in scale than the ones that a financial services group is concerned with, which are mainly around documentation, data processing, and so forth.
Robert S. Kaplan: Industrial companies definitely have strategic risks, which may be even more difficult to measure and manage than financial risks. Those companies make big investments in their physical and intangible assets, which become worthless if customers cease to value the products and services produced from them. But since we don’t mark physical assets to realizable values or even recognize a company’s intangible assets, the impairment plays out over longer periods of time. General Motors took about 25 years to realize the risks it had assumed by generating profits only from large vehicles. When energy prices doubled, it did not have profitable fuel-efficient cars available for sale to customers, and the company failed.
Tufano: It’s also important to think about the unit of analysis. In most of our discussion so far, the unit of analysis is a corporation, and the risk-return trade-off is being calculated at that level. But you can look at risk on a higher level. If you’re the World Food Programme (the unit of the UN that provides food in the wake of emergencies), for instance, you think about large-scale famine. That is systemic risk, and if the risks that blew up at individual firms hadn’t risen to the level of systemic risk, we wouldn’t be here today. When systemic risk arises—as it can when firms and markets interact—then all the traditional risk-return analysis in the world won’t help.
Simons: I agree. I get nervous when we talk about risk-return trade-offs. That’s clearly the right approach to portfolio and individual investment decisions. But there are risks that affect customers, employees, and the long-term viability of a firm. The danger with those risks is that if we start talking about a risk-return trade-off, we might rationalize getting into things that we should stay out of. The best firms, I think, have a clear sense of what they will not do under any circumstances.
Kaplan: To provide a vivid example of a firm that did not follow Bob’s excellent advice, consider the remarkable statement made in July 2007 by Charles Prince, then CEO at Citigroup: “When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you’ve got to get up and dance.” He concluded, “We’re still dancing.” I don’t think Prince or his former company’s bondholders, shareholders, and employees are dancing much these days.
Mikes: True, but lots of companies also took a beating from the stock market for trying to drop out of the dance.
Champion: That raises an issue around incentives, no?
Kaplan: Of course. And the more we tie incentives to short-term performance, the more we encourage managers to take on high degrees of risk to generate high returns, leading to a big moral-hazard problem. Bank analysts referred to a “Greenspan put.” Whatever risks banks took on were hedged by society, because the Fed would bail them out in order to save the system. With the recent “rescues” of AIG, General Motors, and Chrysler, this “society put” has now been extended beyond the banking sector.
Champion: It’s interesting how this has come full circle.
Kaplan: Yes. In the 1970s we encouraged company managers to take on more risk because investors held diversified portfolios that could tolerate more risk taking by individual firms. In the 1980s and 1990s companies motivated managers to take risk by issuing them large options and equity grants. But a pendulum never stops in the middle, and managers took on too much. In retrospect, we should have encouraged them to take on uncorrelated risks—risks that would affect only their individual firms. We didn’t want them to take systemic risks that other firms were also taking. Going forward, we’ll have to design incentives that encourage uncorrelated risk taking but not correlated risk taking. That’s hard for many reasons—not the least of which is that risk correlations change in response to extreme events.
Tufano: One idea I’ve been working on is bond-based compensation. If executives were compensated not just according to the performance of their stock but also according to the performance of their bonds, they would have a somewhat more balanced view of stakeholder interests and would move us away from incentives that benefit stockholders at the expense of bondholders.
Kaplan: You also have to distinguish between compensation for risk managers and compensation for general managers. My colleague Bob Merton pointed out to me that the ideal bonus for risk professionals like Michael is a five-year nonrecourse note that’s paid only if the firm is still in business.
Hofmann: Wouldn’t that just make me fixate on the five-year term? Effectively aligning incentives to encourage productive behavior is challenging. In my experience, what seems to work best is a combination of short-term, intermediate, and long-term incentives consistent with a person’s ability to influence results. Unfortunately, any formula you work out in advance can cause problems in practice, because it is impossible to anticipate all issues. But if we are able to achieve a good balance of measures and judgment, it can be effective.
Champion: How do you see nonfinancial risk measures going forward?
Kaplan: You probably expect me to say this, but I think the balanced scorecard provides a useful framework for managing strategic risk. Briefly, the scorecard is predicated on a hierarchy of measures and objectives that collectively show how a given strategy translates into operational reality and results. At the foundation, you develop metrics for people’s skills and motivation and the IT infrastructure. The next level identifies the processes critical for creating and delivering the strategy. On top of that is the customer perspective, where you see how your work and processes create value for the customer. Finally there’s the financial perspective. At each level you could develop a risk scorecard that would serve as an early warning system when one of your strategic objectives was in jeopardy. Risk scorecard targets could come from a heat map [see “Mapping Your Fraud Risks,” by Toby J.F. Bishop and Frank E. Hydoski, in this issue], a two-dimensional table with the likelihood and the consequences of a risk event each scored on a 1-to-5 scale. The two scores are multiplied together, and risk events with a score of 15 or higher require management action, such as a risk-mitigation initiative to reduce the likelihood or severity of the event. You’d obviously need to come up with ways to measure risk, and one of the companies I stay in touch with, Infosys, has been very active in this respect. Its current strategy is to have large engagements with global customers, so one of its biggest financial risks involves getting paid. To manage that risk, Infosys tracks the credit default swaps market, which trades contracts on about 80% of its customers. The need to deliver services globally also creates a learning and growth perspective risk: The company has to be able to put key people into key projects around the world. That makes it vulnerable to protectionism in the labor market. So Infosys tracks how many of its employees hold multiple visas or citizenships.
Champion: These feel like known unknowns. What about unknown unknowns?
Kaplan: We need a different approach for the Black Swan events that have a very low likelihood but catastrophic consequences should they occur. Quantifying those risks is not worth the effort. You have to undertake some form of scenario analysis instead. You begin by identifying the unusual events that would cause your strategy or entire enterprise to fail if they were to occur. We may not know if the future will bring hyperinflation or deflation, but we can attempt to assess how our strategy and our competitors’ strategies would play out in either of those scenarios.
Champion: Michael, does that twin-track approach make sense to you?
Hofmann: Yes. Scenario planning, the balanced scorecard, and heat maps are all useful tools. But you need to avoid three traps in using them. First, don’t believe your own predictions. Whatever you consider most likely will probably not occur. You have to be ready to question every—and I mean every—significant assumption. Second, don’t think of catastrophic risk as something you can tolerate because its probability is low. That’s OK for some of the risks that Bob was describing, but no company should ever treat a catastrophic risk as anything but intolerable. Either you don’t engage in the business or you find a way to structure it to “cut the tail off,” so to speak. But—and this is the third trap—don’t believe that it’s easy to eliminate a risk. When you buy insurance, for example, what you’re really buying is an option to make a claim against somebody you hope will be good for the payment. So you’ve just converted one kind of risk into another.
Tufano: I couldn’t agree more. Most derivatives and insurance contracts are far from perfect, and you have to ask hard questions when you’re buying derivatives or entering into insurance contracts. Is the risk adequately transferred? Does the contract do what I think it does, and will it be enforceable in court? Is the party to whom I’ve transferred the risk going to hold on to that risk? To the extent that your counterparties are not able to bear the risk, does it flow back to you in some way—if not contractually, then at least reputationally?
Champion: What about outsourcing? Is that an effective risk-management tool?
Hofmann: Yes, it can be. If you’re outsourcing because somebody has a competitive advantage of some sort, you’re probably reducing operational risks. But what happens if your subcontractor goes out of business? These kinds of decisions require you to think about what you’re really doing. What can go wrong? Am I willing to take the consequences if it goes wrong? And none of the answers are clear. Of course, that’s what makes our job interesting.
Champion: Slack in the balance sheet can be a form of insurance. Do you think capital structures in many companies have become a bit too efficient?
Hofmann: Leverage is more problematic at some times in the economic cycle than at others, and tensions exist between caution and investors’ demand for returns. Managing that tension is a significant part of a CRO’s job, because it has an impact on the level of risk a firm assumes.
Tufano: Deciding on leverage is basically about balancing the tax advantages of debt financing against the likelihood of financial distress if the economy turns out worse than expected. For the past 25 years we’ve been discounting the chances of financial distress quite heavily. Obviously that calculation has changed. People were also levering up in order to take advantage of opportunities: The more you borrowed, the more you could apply your managerial skills and create value. But in a world where you have to be careful about which opportunities you take, the incentives to lever down and create some idle capacity to use in the future will increase. So we’re now seeing a change in how we define a healthy balance sheet. In financial services, for example, we were used to a set of relatively simple metrics for determining what appropriate capital structures were. Now people are talking about imposing conditional capital requirements that change with the economic cycle. Some people in the current administration, for example, are suggesting that financial institutions build more slack into their balance sheets in good times, so that they have a reserve for the bad times. I think this makes some sense.
Kaplan: I agree. As M.D. Ranganath, the CRO of Infosys, points out, everyone focuses on risk management in bad times. “The strong test of risk management,” he says, “is whether it works in good times. Will top management stand behind the risk managers, avoiding temptation and saying no to things that put the enterprise at risk?” When the music is playing, you need the discipline from risk management to keep managers from dancing too exuberantly.
Simons: You should also think about slack in the P&L, which is where your financial policies affect performance. Top performers like Johnson & Johnson build in a contingency to the profit plans of each of their businesses. They hold managers to a high performance standard, but if something comes up that puts their profit plan in jeopardy, they can protect their profit targets without forcing managers into actions that put the firm at risk. Of course, operating managers have always built slack into their budgets, and they always will. But the problems with this kind of secret padding are widely documented and indeed are part of the reason that many people favor high debt levels; it leaves less room for such padding. These problems largely disappear, though, if you make the slack explicit and transparent.
Champion: One sure fallout from the crisis is that we’re going to get more financial regulation. Any suggestions for policy makers?
Tufano: I’ll offer two bits. First, as my colleague David Moss has pointed out, systemic risk needs heavy and careful regulation, but nonsystemic risk should be lightly regulated. There’s also a decision about whether you have one regulator or many. The U.S. has historically had multiple regulators, and much of the criticism of our system is that quite a lot of risks fall into the gaps. There seems to be a movement right now toward consolidating the system. I think that’s probably a step in the right direction.
Mikes: Absolutely. Regulators traditionally focus on individual firms. The challenge is to connect the dots at the systemic level. To get the bigger picture they’ll have to communicate with one another better or consolidate. On top of that, they’ll have to talk to central banks and regulators in other countries.
Kaplan: Regulators will always lag behind innovation—certainly in finance—and they’re always going to be regulating the previous innovation. We have to be skeptical about the ability of regulators to understand the kinds of risks being taken on in innovative enterprises. I also think that banks should be regulated more like utilities than like entrepreneurial firms. Let’s reintroduce a wall and say “Taking in short-term money and lending it out long is important. Concentrate on doing that well and stay away from the really risky stuff.” Let hedge funds and investment banks do that business.
Champion: I’d like to switch gears from risk management to risk managers. What makes a good CRO?
Tufano: Michael and I belong to the Global Association of Risk Professionals. The organization is about 10 years old, and we’ve been working on creating professional standards. First, risk professionals need to master technical material—the math and the models. We have an extensive set of exams similar to those that CPAs or CFAs would take, to certify that people have that basic knowledge. But the knowledge isn’t enough; they also need to be able to think like seasoned executives who can look beyond individual risks to appreciate broader trends and how firm-to-firm interactions play out. The third thing they need is a sense of responsibility to something greater than their individual organization, which my colleague Rakesh Khurana and others have been talking about in the context of MBA education.
Mikes: I’d add communication skills to Peter’s list. Much of what risk managers do is expressed in technical language. To get access to top-level decision making, they need to be able to translate risk analytics into a language that top management speaks. Effective CROs, at a minimum, help top management understand the downside scenarios: Can the company afford to have those events occur? Some go even further and become trusted advisers to the executive team on strategic matters. They do this essentially by playing devil’s advocate, collecting and channeling information that challenges taken-for-granted assumptions in the organization.
Champion: It sounds as if the boundaries between general management and risk management are getting blurred.
Simons: Typically, general managers hand off accounting, HR, and IT functions to professionally qualified employees. But I’m not sure you can do this with risk—risk needs to be owned by operating managers. Clearly, risk officers have a huge role to play, but we don’t want to transfer the responsibility for risk from operating general managers to CROs and then feel that the problem is solved.
Mikes: There’s an interesting sociological perspective on this. Neil Fligstein, at Berkeley, has been studying the transformation of corporate control over the past 100 years. He shows that different functional groups became strategically important in running companies at different times. In the age of the railroads, top management came from manufacturing. When the conglomerates emerged, it became more important to know how to market different products to different geographies and market areas, which meant that top managers were more often marketing executives. When the biggest concern of corporations became how to finance their operations, we saw the rise of the finance executive. I think we now live in an era when many of the concerns in running organizations are being reframed in terms of risk, which suggests that risk professionals are likely to rise to the top.
Champion: Michael, you’ve heard what everyone else has to say. What do you think?
Hofmann: To me, it all boils down to decision making under uncertainty and the issues this creates. We are all subject to our own biases and need to be aware of them when we’re thinking about our decisions. That can create a problem with “experience.” Yes, experience creates credibility, but it also anchors your perspective. The risks that get you are the ones you’re not expecting, and your experience may be what’s making you not expect them. For some reason, people do not always just say: Time out. How does this work? Why do we do it this way? What’s the problem here? They may assume they know these things from experience. Also, one of the hardest things for a decision maker to admit is his or her own ignorance, and the more complicated we get with our metrics and models, the more hesitant people are to admit that they don’t understand. Bottom line, I think that credibility for a risk manager stems not only from the ability to understand the business but also from a willingness to push back on the opinions of decision makers, including senior executives. That doesn’t mean saying no all the time—quite the reverse. A credible risk manager also has to be a risk taker. If you keep saying no, you will go out of business. Finally, you have to be able to draw on different talents. At Koch Industries, for example, our risk-management teams include engineers, accountants, finance people, and other professionals. We need all of them, because there is no one perspective that can give the full picture.