The four pillars of risk culture
This article is by Adam Litke, Head of Bloomberg Risk Solutions, for Intelligent Risk | knowledge for the PRMIA community.
Risk process vs. risk culture
Firms often speak of their risk management function in terms of how well organized it is, how well staffed it is, how much money they have invested in technology, and how prominent their risk officers are in the corporate hierarchy. Among the governance and process items often cited as evidence of good risk culture are:
• Attention to data quality
• Automation of reporting processes
• Extensive limit structures
• Clear statements of risk appetite at every level of the firm
• Good governance structures
• Independence of risk managers
• An appropriately crafted incentive structure for risk takers.
While all of these things are important, they are not risk culture. They are either risk governance or risk process. They are vital prerequisites to good risk management, but, without a good risk culture, they are little more than a Potemkin village.
Risk culture is not about what you do, it is about how you do it and what you are thinking when you do it. Time and again, we have seen firms with excellent risk governance but poor risk culture experience large losses. This doesn’t mean that a firm with good risk culture and poor risk governance will do well. After all, if you don’t know your positions you can’t manage them no matter how smart or well-meaning you are. It does mean that, no matter how hard it is to quantify, the human aspect of risk management cannot be neglected.
The pillars
The key pillars of a good risk culture can be summed up in four words: transparency, challenge, humility, and curiosity. While these may sound like a set of virtues from a child’s schooling in good citizenship, they stand for very specific behaviors that lead to good risk management.
We will start with transparency because it is the easiest of the virtues to foster, and lack of it is often the first sign that something is wrong with an institution’s risk culture. In its simplest form, transparency means that anyone in the firm who could have a need to know about something or who could possibly contribute to the analysis of a problem has access to all relevant information. We often hear about lack of transparency in the aftermath of a large financial loss or “unforeseeable” crisis; famous examples of this include:
• AIG losses on complex credit transactions where members of the transaction approval committee who were critical of deals were removed from the committee in the name of streamlining process
• The J.P. Morgan London Whale scandal where both business managers and risk managers outside of the London CIO office were aware of the full nature of positions
• The water crisis in Flint, Michigan where officials dismissed the complaints of local residents despite being in possession of data showing that there might be a problem.

You may ask why we are discussing a water crisis in the middle of a piece on risk culture. First of all, we must remember that risk is not always financial risk. Second, the ways in which people avoid being transparent are universal. Examine the following quote from a report issued by the State of Michigan’s Flint Water Advisory Task Force: “Throughout 2015, as the public raised concerns and as independent studies and testing were conducted and brought to the attention of MDEQ, the agency’s response was often one of aggressive dismissal, belittlement, and attempts to discredit these efforts and the individuals involved.” Compare this to the kind of thing that anyone who has ever been a junior market risk manager speaking to a senior trader has probably heard at one point or another: “I’m not really over my limit because your models are wrong”, “I haven’t got time to talk to you about my positions; I have to make money”, or “Go back to your boss and tell him to send somebody who can understand what we are doing.” All of these are ways of telling somebody that they don’t need to know what is going on and are the very opposite of transparency. In a good risk culture you keep people informed, and bad risk cultures always find ways of limiting the flow of information.
This brings us to the idea of challenge, or the ability of people not directly involved in the decision-making process to question what is going on. A risk manager who cannot challenge a trading decision is nothing more than a risk reporter. The most common places challenge breaks down are in great-man-led organizations where an imperial CEO refuses to listen to his subordinates. This does not have to be a large firm. The most common examples in finance seem to come from the hedge fund community where many firms have been founded by a single powerful trader who is still the ultimate decision maker.
It is difficult to count the number of times I have spoken to hedge fund CROs who are looking for jobs because their firm has taken an outsized position that they are convinced will go badly. Invariably they have escalated this issue to the head of the firm and, almost always, they have been told that it is not their name on the door and, therefore, not their decision. Needless to say, most of the funds involved end up failing suddenly sometime in the next few months with both sides realizing that if they had managed to work things out they might have avoided destruction. It is reasonable to ask whether this is a culture issue or a governance issue. Of course, it is both. However, the cultural issues are more important than those of governance. In order for challenge to be effective, powerful people need to be willing to listen to dissenting voices and, if necessary, reverse their positions.
In the world of risk management, humility is not being humble in the conventional sense. Rather, it is being able to admit that one doesn’t understand things. A wonderful example of humility in action comes from a portfolio manager of my acquaintance who runs a market-neutral macro hedge fund. Each strategy in the fund was designed to be uncorrelated to the market and was extensively tested out of sample to ensure that this lack of correlation was stable. When he observed his performance, he realized that it exhibited a surprising correlation to the stock market. This man has powerful incentives to convince himself that this effect is a mere coincidence. He has marketed his investment strategy as a diversifying component of a portfolio. He has hired some of the best minds on Wall Street to help him construct his portfolio. At least in the short run, admitting that he doesn’t understand something is likely to lower his compensation. Nonetheless, he admits he doesn’t understand what is happening and is investigating the causes. This is true even though his performance has not begun to suffer.
Contrast this behavior with the behavior of many portfolio managers who experience severe market underperformance. The standard phrasing in their investment letters will be along the lines of “Our portfolios have underperformed in the last year but we have confidence in our strategies.” A bit of this is necessary marketing as investors are not likely to keep their fund with a manager who says he doesn’t understand what is going on. All too often it is also the truth. They continue to stick to their positions as they lose more and more money, blowing through any stop loss limits they have set for themselves and doubling down on bad positions in the hopes that when things go back their way they will make up their losses.
What is the key difference between these two types of manager? The first is willing to admit that the market is telling him he is wrong despite all prior experience. The second can’t conceive the idea that he could be wrong and will continue to come up with reasons why he is right despite the fact that the market has gone against him.
The humility of the first manager in admitting he doesn’t know something extends to the culture of the firm. Successful people and firms got where they are by being right most of the time. They have every right to be proud of this. If they have built a good risk culture, then they are willing to show humility and admit that they do not understand everything. A sure sign of a poor risk culture is the opposite statement.
Curiosity is the partner of humility in many ways. While the humble risk manager admits that he doesn’t always know what is going on, the curious risk manager is always trying to figure out why. Two examples will illustrate this point.
Example 1: It is 2006 and our curious risk manager sees that the market for CDOs of ABS is exploding. She asks why so many of these assets are being snapped up and is told that they have a high coupon for a bond rated AAA. Since she is curious, she asks about the rating methodology and about the spreads for comparable assets. As soon as she looks into the rating methodology, she sees that there is no data behind it and immediately moves to keep her firm out of the market. Now contrast her with the incurious risk manager who simply accepts the rating agency’s word that the assets really are AAA. Following their ratings-based guidelines, his firm purchases large numbers of these ABS CDOs and, in 2007 and 2008, suffers large losses. Both of these risk managers followed the governance processes of their respective firms, but only one of them was curious and tried to find what was happening.
Example 2: It is 2015 and traders, who have already taken credit valuation adjustments (CVA), debt valuation adjustments (DVA) and funding valuation adjustments (FVA) into account when valuing their portfolios of derivatives, start complaining that they must also account for the lifetime cost of capital (KVA) when valuing their investments. Our incurious risk manager simply acquiesces. After all, capital is something the firm charges for and it seems reasonable that any charges must be passed on to customers. The fact that these charges mean that all new deals are entered with a large up-front loss is troubling, but, if those are the rules, the traders will just have to price conservatively. The curious risk manager goes further. He takes the trouble to learn how the accounting for derivatives works. He learns that cost of capital isn’t really a cost but (to oversimplify a bit) is another word for return on equity or profit. This allows him to ask why firms don’t account for lifetime cost of capital when purchasing assets like bonds or equity. He is able to work with the traders to ensure that the firm implements policies that do not favor one asset class over another if they have the same risk-return profile. In this case curiosity hasn’t helped prevent a loss, but it has helped the firm to structure its business in an optimal way.
Curiosity is important because it keeps us from being intellectually lazy. It is all too easy to accept conventional assumptions that work well in normal times. Good risk management is not about what works well in normal times. It is about knowing when and why things fail to work and planning around them. Only a firm that fosters curiosity in its risk managers can expect them to provide useful insights.
Our four pillars are not independent. Transparency is a necessary condition for challenge; you can’t challenge what you don’t know about. Curiosity and humility are two sides of the same coin. All of these pillars are vital to a good risk culture. Without them, risk becomes a compliance and reporting function but can’t add value to the firm.
This article originally appeared in Intelligent Risk | knowledge for the PRMIA community.