What's wrong with Risk Management?
Whenever we have a crisis in the financial markets and inordinate amounts of wealth are lost, the cry goes up, “How could this have happened? What were the governments doing? It’s all the fault of those greedy fat-cats on Wall-Street.” Take a historical look at all the major financial crises in the past 100 years and the same clumsy song and dance between investors, fund managers, bankers, governments and regulators is played out.
The recipe for financial destruction goes something like this: a few dashes of incompetence here, pinches of oversight there, layers and layers of leverage in between, generous amounts of other people’s money and a whole lot of greed stirred throughout, pop in the oven to 500 degrees, let the “dough” rise until it can no longer support its weight - and then watch it collapse. Then serve whatever is left crisply burnt with ample bottles of bourbon on the side to swallow it down.
It makes you wonder if we are ever going to learn. Over the years, there have been attempts to try and prevent these disasters from happening again, usually in the form of tighter (yet painfully ineffective) regulation such as the Glass Steagall Act and Sarbanes Oxley. Such regulation is put in place supposedly to prevent financial disasters from re-occurring. But if recent history is anything to go by, these crises are actually rearing their ugly heads more frequently than before. Among the preventative measures introduced were the Basel Accords. These were expected to spread a hopefully healing balm to the wounds of our troubled markets, through a detailed plan for so-called “best-practice” risk management, which global financial institutions were instructed to adopt.
Nonetheless, things have still gone awfully wrong. This should lead us to ask ourselves some important questions. What’s wrong with risk management? Do we even understand the risks we are taking in the first place and are they quantifiable or should we also include more qualitative approaches? Is there a framework that is universally applicable that can mitigate all risks or should we have a more piecemeal approach? What has worked and what has not? How much authority do risk managers have and is it enough to be effective? Is there a disconnect between investors, fund managers, government and regulators about what risk management is and/or should be and, if so, how do we address this?
All of the above questions are important, but perhaps the biggest problem that relates to risk management is the issue of corporate governance. Within financial institutions, especially in the banking industry, risk management is a “must” under current regulatory frameworks. The reason for setting up risk management is to “balance” the benefit between the owners of capital and the profit making functions of the bank. Investors provide the capital to financial institutions for generating profit. In turn, these financial institutions then organize resources like proprietary traders, financial engineers, operations support, etc. to make use of this capital to generate profits. In return, the compensation to the “profit makers” is largely based on how much money they can make. Under these circumstances, the profit maker has more compensation if it can generate more profit. Everyone is familiar with the ubiquitous “more risk, more return” maxim, so a profit maker will be more inclined to take on more risk, as they know full well that their compensation is dependent on the returns they make, especially if they are trading other people’s money. However, this compensation scheme is “asymmetrical”, meaning that the profit maker can enjoy the “profit” they create without suffering the “losses” they incur - at worst, the profit maker gets fired and finds another job, hardly a strong deterrent in limiting unnecessary risk taking. Essentially, all money lost is incurred by the owner of capital, i.e. the investor. Under this asymmetrical profit sharing scheme, the purpose of risk management is to strike the balance between “risk and return” and to prevent the profit maker from taking on too much risk, which can potentially result in the investors losing significant amounts of money. Most banking regulators understand this point and therefore require the banks under their supervision to have a solid risk management and corporate governance function in place to address this issue. In order to be an effective form of corporate governance, the risk management function must be independent from the investment function and should have the necessary authority to enact its responsibilities. From personal experience, not all risk management functions in these financial institutions are “truly independent”. In general, risk management staff directly report to senior management in an organization, so the attitude of senior management will determine how the risk/return profile is within an organization. If the senior management is skewing to a “return-focused” mindset without tempering it on a risk-adjusted basis, it may override the risk management decision and favor the profit-maker. Therefore, in this case, the decision of senior management tends to get caught up in a feedback loop that continues to support the profit-maker as it makes substantial profits (regardless of the amount of risk being taken on) since the influence of the profit-maker will dominate the organizational mindset.
Continuing with this example, risk management simply becomes a “regulatory-required” function to senior management that should only be put in place to appease the regulators, but one that under the surface of it has no “real independent” authority to balance the risk/return profile for the organization.
Furthermore, the far more insidious fact of the matter is that investors will “think” they are investing in a “prudent or well-structured” institution and their capital is protected by these highly paid professionals. Hedge funds are unregulated financial pools of money provided by qualified professional investors. The rationale for the existence of this industry is that traders can utilize their special skill sets to generate absolute “uncorrelated” returns for its investors. However, as with financial institutions, the compensation scheme is still “asymmetrical” in this industry and could arguably be even worse considering that a hedge fund manager has the discretionary right to decide whether the fund needs to have a risk management infrastructure in place. It cannot be denied that there are some well-disciplined hedge fund managers that attempt to incorporate best practice risk management and operational infrastructures through the active use of and stringent adherence to a well thought out rules-based structure. However, they tend to be “exceptional” cases in the hedge fund industry as a good portion of them are purely “return focused” instead of “risk-adjusted return focused”. Some fund managers consider themselves to also be the “risk managers”. Surely, their role as a trader is the “first-line” risk manager as they can actively manage their portfolio and adjust the risk-return profile dynamically. However, it should be recognized that they still need to have a risk manager in place as an “independent” verifier that the fund manager is adhering to the risk guidelines and rules put in place. The role of an “independent” risk manager is not merely to provide risk measurement and reporting but to also setup the necessary risk and valuation policies & procedures and risk limit structures and to monitor the market condition changes and related market exposures of the fund. The most important role is to execute all risk policies & procedures as stated in the offering memorandum and additional guidelines provided to the investors. Unfortunately, risk policies & procedures execution is usually ignored and not enforced. In fact, some hedge funds can have very presentable and detailed risk policies and procedures, but they are simply for “showing” the investor how they perform their “prudent” risk management functions. They rarely delegate the authority to the risk manager to execute actions like stop loss or position reduction if limits are breached, for example. If a fund has a risk manager but the de facto person in charge for actions taken on limit breaches is still controlled by the fund manager, the independent risk management function should be called into question. There is a lot of talk about the need for better risk management, particularly given the current state of affairs in the global world markets. However, the focus should not be on better risk measurement, although this is still important. Instead, the real focus should be on corporate governance in ensuring that a proper risk management structure is in place and that it is independent, continuously adhered to and fully transparent to the investor. In essence, corporate governance will always be the key to good risk management. As such, for the future of risk management to be successful, its function has to be directly reportable to investors instead of internal management. Such a structure should carry out these two key functions:
Greater transparency on what the institutions/funds are investing in (esp. on derivatives) and the accurate and timely reporting of their true risk-return profiles; and
Risk management function must be truly independent from the profit making function, so investors can truly enjoy absolute upside return from the profit maker but still have downside protection from the risk manager
This structure will make the profit maker consider the risk elements of his strategy more carefully because they will know that the risk manager has the authority to enact his duties as per the agreed risk policies and procedures. Ultimately, risk management should no longer be viewed as a “regulatory-required” function but as a “value-added” function in the investment decision-making process. The “value-added” does not derive from making money, but rather from capital preservation, particularly in down markets. Experience, discipline, communication and common sense are always the essential elements of a good risk manager. Some market participants misunderstand that having expert quantitative staff and a sophisticated risk system is sufficient. This misperception stems from a false sense of comfort that can come from the risk managers’ utilization of a lot of different mathematical models (e.g. VaR, Monte Carlo, auto-regression, scenario analysis, etc.) through the use of expensive state-of-the-art technology to assist the risk manager’s decision process. However, these quantitative elements and technologies are not the only factors needed to determine whether the organization has a robust and proper risk function. More importantly, an experienced risk manager needs to effectively communicate with the profit makers and understand the risk and return of each product/portfolio while also demonstrating these risks to senior management and investors. For example, common sense is essential to justify whether the position or new product is too risky or complex and is sometimes much more important than relying on a complicated mathematical model to arrive at a decision whether to incorporate and trade a new product type. In summary, inevitably regulation will always be tightened post-crisis, which will, in turn, prompt the need for more robust risk management to avoid crises from happening again. However, this time, regulators and investors should consider demanding changes at the highest levels of the corporate governance structure. These changes will need to grant the risk manager a more “independent” role which can directly report to investors (especially within the hedge fund industry), so that risk management can play a more pro-active role. It goes without saying high quality risk managers that have a better understanding of risk will also be a key to successful risk management. Importantly, sophisticated risk systems and quantitative models are not the only components of a solid risk function. In some cases, good old common sense will be a better suited method to justify particular actions to a given situation.