In press accounts and popular commentaries on the current financial crisis, a constant refrain is that the risk management function in many of the world’s largest financial institutions has failed to carry out its responsibilities. To cite just one example, an article in the Financial Times declares “it is obvious that there has been a massive failure of risk management across most of Wall Street.”
I have written an article in which I challenge, or at least qualify, this assertion by examining what it means for risk management to fail. This article is available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1278073. My main aim is to show that the fact that an institution makes an extremely large loss does not necessarily imply that risk management failed, or that the institution made a mistake. Getting the diagnosis right is important because the changes in risk management that take place in response to the crisis could be the wrong ones. Most troubling, top executives and investors could continue to expect more from risk management than it can actually deliver. With this goal in mind, I show when bad outcomes can be blamed on risk management and when they cannot. In so doing, I offer what amounts to a taxonomy of risk management failures.
In a typical company, the role of risk management is to identify and evaluate the risks faced by the firm, to communicate these risks to senior management (and possibly the board of directors), and to monitor and manage those risks in a way that ensures the firm bears only the risks its management and board want it to bear. To guide them in monitoring and managing risk, most companies specify one (or more) measures of overall risk (perhaps along with other metrics or indicators). When a risk measure exceeds the company’s stated tolerance for risk, risk is reduced. But when the risk measure falls below the firm’s targeted risk position, the firm will likely choose to increase risk.
With this role for risk management, it is possible that a financial institution makes an extremely large loss even though the risk management function was performed perfectly. All it takes for that to happen is for top management to correctly decide that taking some risk is worthwhile ex ante, but ex post the risk turns out to not pay off.
Having described the role of risk management and why firms with good risk management can nevertheless make large losses, I show how risk management can go wrong. More specifically, I show that there are five types of risk management failures:
1) Failure to use appropriate risk metrics.
2) Mismeasurement of known risks.
3) Failure to take known risks into account.
4) Failure in communicating the risks to top management.
5) Failure in monitoring and managing risks.
I provide examples of these failures and then make the case that scenario analysis focusing on possible financial crises has to become an integral part of risk management in financial institutions. Such scenario analysis would differ from existing stress tests which examine how a financial institution would fare if a past crisis repeated itself. Rather, such scenarios would use economic analysis to identify the impact of possible future crises.