"The real goal of risk management is to give decision makers a more intimate understanding of their portfolio"

The financial crisis has sparked many conversations about best practices in risk management. Of course, many of those conversations involve risk categories such as counterparty credit risk and liquidity risk that were neglected during the boom times. There is also a continuing focus on the appropriate statistical distributions to use in risk analysis, where the current preoccupation is with ‘fat tails’, ‘black swans’ and ‘outliers’, to name but a few of the buzz phrases. But just as important as these technical discussions is a greater focus on developing an appropriate risk culture within financial organisations.

Board members, senior executives, regulators and investors must pay greater attention to the dynamics of risk taking and risk management decisions. Greater attention needs to be paid to management and governance issues, such as which reporting lines for risk managers are most effective, how much risk knowledge is needed at senior levels of the organisation and what level of involvement in the risk process is needed from them. And further consideration needs to be given to finding the right balance between mathematical logic and human judgement, and to how a firm can use its risk technologies to aid decision making instead of relegating it to a set of rules and tick-boxes.

A far bigger problem than poor models or inaccurate data was the disempowerment of the risk management function through poorly conceived reporting lines and weak corporate governance. Too often, risk management has been seen simply as a cost centre and support function to the business lines. Where risk managers reported to business line managers, the lure of profits led to the risk department's calls for caution to be ignored. Some organisations have addressed this by having the risk function report directly to the CEO and to very senior management. The case at HBOS, where the head of risk was sacked by the firm's former management, illustrates that even that may not be enough.

Consequently, there have been suggestions for the risk function to have reporting lines to non-executive board members. A more extreme proposal even calls for chief risk officers to have ‘dotted’ reporting lines to regulatory bodies.

For there to be effective communication between the risk function and senior management or boards of directors, the level of risk knowledge held by the latter has to be strong. While it is critical that designated members understand the mathematics and business logic involved, all members of senior oversight groups should make meaningful contributions to the risk process without having to follow every equation.

A healthy risk culture can only be fully realised if all senior leaders involve themselves in the risk process, and do not leave everything to one senior ‘risk-savvy’ guy on the board or in senior management. Risk models have to be grounded in reality. Those with a knowledge of subjects as diverse as economics, politics and accounting, medicine and meteorology, all need to provide the real-world inspiration behind the scenarios underpinning risk models. Risk managers depend on this knowledge so they can calibrate the models and use them to give assessments of the firm's exposure to world events as varied as a rise in UK unemployment, Middle East unrest and flu pandemics.

A strong risk culture seeks to balance human judgement with mathematics. Most people can sense the pitfalls of an over-reliance on mathematics and an absence of pragmatism. But we must be wary of the other extreme - calls for the abandonment of mathematical approaches to risk and the sole use of gut instinct for risk decisions. Risk techniques empower companies to determine whether to invest in asset A versus asset B, or whether to reduce, increase or eliminate a held investment. We accept and believe that there is a trade-off between risk and return. Given that we look at return as a number, it is reasonable to want risk to be a number too.

What is clear is that risk management is less effective in organisations where risk operates purely as a control function. The power of risk tools is not harnessed when risk simply takes the form of a set of rules. Organisations that robotically follow a process to curtail risk whenever some risk equation hits a specified level will likely fail to capture the value that human judgement can bring.

For counterparty credit risk, the mathematics is rather straightforward. The data is critical. One must pay particular attention to represent correctly all the netting rules your documentation permits. The real issue with counterparty credit risk is execution. Many risk managers neglected managing this risk during the boom times. But as the business cycle turns, defaults and downgrades inevitably become more likely, and credit spreads widen. So if this risk has been left out of the organisation's toolbox, it should be reintroduced.

However, the mathematics involved in liquidity risk is not so straightforward. In fact, there is no universally accepted standard. But new approaches are finally starting to be debated in the community.

Liquidity risk plays a key role in the breakdown of historical relationships between markets during times of market crises - times when correlations for historically independent markets can go to plus or minus one, or when historically correlated markets behave independently. There are many examples of such crises, which suggest that effective modelling of these liquidity-based pressure points requires transparency on how market participants are positioned. So there have been a few industry constituents advocating the creation of an international regulator with full visibility of the actual holdings and flows of all market participants. Obviously there would be significant confidentiality and security issues involved if such a database were to be compiled.

One model that has received much attention is distribution-based risk metrics. There are loud cries to use non-Gaussian distributions (or anything with ‘fat tails’) to improve forecast performance. The fact is that long before the current crisis, most of us were already using fat-tailed, non-Gaussian distributions. And in our experience, there are even more risk managers using them today. That's a great thing, and they should continue to use non-Gaussian approaches alongside the traditional Gaussian tools. Having more lenses for looking at the problem and keeping your approaches up-to-date with the latest innovations in risk mathematics is very valuable. However, perhaps the debate surrounding fat-tailed distributions is something of a red herring.

Imagine that you have perfect models using exactly the right fat-tailed distributions with all the desired mathematical properties. And imagine you have perfect data to feed the models and flawless understanding of the model outputs. Now imagine that it is the day before an extreme market event is about to occur. You don't know that, of course, but your perfect tools can tell you that there is a 0.1% chance that the particular extreme event that's about to happen might occur. Would you behave any differently than if you had less than perfect tools that told you that there was a 0.001% chance of the extreme event? Whether it has a 0.1% chance or a 0.001% chance, it is an extreme event. Regardless of the model you choose, extreme events have a low probability of occurring - but they do occur.

So why then the pursuit of perfection? Why seek better models and a richer risk culture? Because good risk management is not about predicting extreme events or necessarily acting differently before an event. It is about acting more effectively after the event occurs. Because the real goal of risk management is to give decision makers a more intimate understanding of their portfolio - to know where it is strong and weak, to know how it might react to various events. To have some sense of the inevitability of various scenarios even if the tools can't tell us with 100% clarity what the future holds. And finally because when you combine robust governance structures with good tools, a good overlay of judgment and an intimate familiarity with your portfolio, you will react more quickly and make decisions when that extreme event does occur.