By Pascal vander Straeten January 30, 2023
In the financial services sector, risk management has become dominated by numbers and mathematical models, and the human dimension is often neglected. A focus on quantitative models has thus led to the belief that risks can be managed once they are quantified.
A good example is the use of Loss Given Default (LGD). In forecasting credit default losses, most analysts make the same assumptions. There is an assumption that the degree of loss on an exposure, or loss given default (LGD), varies independently or not at all. Models are developed by analysts of individual deals to price loans and credit derivatives, and to relate these prices to public credit ratings. Using credit models such as RiskMetrics CreditManager, KMV Portfolio Manager, and CSFB CreditRisk+, portfolio credit risk analysts assume independence.
Yet LGD’s sensitivity to an economic downturn stands in opposition to its assumed independence. The intuition has two levels. At the first level, recovery is based on the assets of the defaulting party. Systematic risk is presumed to be present on those assets before the default event, so logically, they will also be exposed post-default. Consequently, a downturn should lead to lower recovery and higher LGD.
Another example is that investors tend to take information released by the Fed about the path of rates (the “dots” chart) too literally, which can lead to complacency.
It can be argued that the Fed’s zero-interest-rate policy increases risk taking. The low interest rates on U.S. Treasury bonds encourage investors to take on more risk, resulting in lower interest rates for loans to homeowners and businesses, which promotes growth. In the aftermath of the financial crisis, this has been a prudent policy response.
However, what is good for the economy may not always translate into good investment decisions. In the recent past, some investors took a bet on interest rates by shortening durations and increasing credit risk and equity allocations. When the Fed exited from an almost six-year period of zero interest rates, these choices might not have seemed wise in hindsight. Can some asset classes return to earth after such a liftoff?
It is also possible to manage even difficult risks, such as subprime mortgages, if we can quantify the likelihood of default. But organizations are still left with the uncertain elements, or risks that cannot be managed. Because firms could be blamed for these if things go wrong, risk management has evolved into a discipline that aims to sort things into manageable categories so that, if things go wrong, managers can claim that things went crazy or that the scenarios were impossible to imagine.
In managing risk rather than engaging with it, risk managers are limited in their field of vision. Furthermore, the Swiss cheese model suggests that risk management systems alone are not sufficient.
What about stress tests? Recent history shows us that passing stress tests can also create a false sense of security because of what they are not. Infinite factors could strain a bank’s capital. Only a small fraction of these can be imagined by humans. As a result, stress testing cannot anticipate all possible scenarios, including the “unexpected and highly consequential” events that black swans are.
Despite the fact that black-swan events can’t be predicted, people think in hindsight that they took such an event into account; this gives them confidence to continue predicting. Black swans, however, cannot be forecasted or measured with our current risk management tools. By relying on these tools, we continue to take uninformed, dangerous risks.
This mental bias combined with passing stress tests can lull organizations into believing they can survive extreme crises or black swans. Managers and regulators had a similar complacent mindset before 2008, relying on VaR as a statistical measure to predict maximum losses without appreciating its limitations. Pre-2008, this may have created a false sense of security, as well as being ineffective in dealing with the crash.
This means that current risk management practices are creating a distorted perception of certitude (driven by regulatory pressures and principles), while what is needed is more creativity, imagination, and out-of-the-box thinking in risk management, sound judgement, and a return to basics by avoiding following the crowd and universal thinking. When Enterprise Risk Management is extended to also include the possibility of addressing risk imbalances, it allows the organization to embrace a truly holistic process involving both humans and machines.
There have been numerous reports and reviews of what went wrong, and the list of possible solutions is growing daily. To better understand their company’s performance and exposure against the desired risk appetite, board members should be educated in risk management and measurement, according to the Institute of International Finance (2008).
Others, such as the Committee of European Banking Supervisors, argue that more regulatory guidance is needed on issues of risk culture, risk appetite, and risk tolerance. Fundamentally, it is argued that regulatory philosophy needs to change so that it considers systemic risks and business models’ sustainability rather than assuming all risks can be handled by the firm itself.
The proposed solutions, however, don’t focus on people enough, as they emphasize mechanics.
A review of 18 high-profile risk management crises in Airmic’s 180-page “Roads to Ruin” report (July 2011) found poor board leadership, limited vision in identifying risks, poor communication, inappropriate incentives, and a glass ceiling that prevents risk managers from being heard at the highest level.
What is the best way to cope with this false sense of certainty? It is simple: We should build institutions that will survive black swans.
Strong institutions require a shift from event definition to damage definition, or a damage-centric approach. When banks address maximum potential damage, or extreme-tail risk, regardless of the events that cause damage, they can avoid falling apart during crises. The problem is that there currently isn’t a metric that measures extreme risk from the perspective of damage. Lehman Brothers and Bear Stearns didn’t just have too much extreme-tail risk; they also didn’t know how close to the precipice they were. An extreme-tail risk metric is needed to address unknown unknowns.
The insurance industry has a concept known as “Probable Maximum Loss.” This concept measures the maximum damage if the worst happens, and all mitigation measures work to reduce that damage. Banks can use this to measure and manage their strength or fragility in relation to extreme risks.
Risk management today focuses primarily on “known” variables, but offers no guarantee of a bank’s sustainability. The regulatory community is even beginning to recognize the need for a new approach. Risk management must address the unknown unknowns, or extreme risks, to ensure that banks are able to continue operations during times of economic and financial stress, and hence remove this false sense of certainty.