MANAGING SHOCKS FORESIGHT How can risk professionals mitigate unforeseen shocks to the system that, in hindsight, may appear obvious? Paul Harwood has a few suggestions I WONGWEAN / SHUTTERSTOCK ts hard being a risk manager. You have to support business development while protecting the business from risks of every possible complexion and scale. Most risk management work is collaborative, with risk officers challenging function managers about relatively small risk variations What about risks that come out of the blue and have major cross-functional impacts? We, as risk managers, have to protect the business from these shocks. How? It can sometimes seem to be an almost impossible task. Knowing what you know now, imagine going back in time to 1 January 2008. Can you prevent the 2008 economic meltdown? To be fair, probably not. Lets assume, simplistically, that the crisis started because banks sold too many mortgages, using too much short-term borrowed money, to people who couldnt afford the repayments. Even if you were the most senior government or merchant bank CRO, youre going to have a hard time convincing people of the looming economic disaster which is odd because, presumably, youd have all the data and the arguments needed to explain how a forthcoming crisis will emerge. Think of all the times when youve wanted better information to assess a risk, or when a decision has been deferred or a default decision taken because better information was needed. Here you have perfect information, yet still cant prevent loss. Why not? Experience Youll perhaps be labelled a prophet of doom, always looking on the bleak side Three reasons come to mind. The first is that you wont be believed. The scenario that you paint wont match your audiences recent experience or world view. The second is that the seeds of destruction are already sown. Already, too many mortgages have been sold to people who cant afford them, pushing up property prices. Already, the banks have borrowed too much short-term, third-party debt to lend on long terms. Already, the mortgages have been sliced up, repackaged and sold in highly credit-rated bundles. Even the chairman of the Federal Reserve is claiming that risk has been spread widely and thinly, and that any default will have a limited and isolated impact. The third reason is that there may be little you could do anyway, because the drivers of the problem are outside your control. Your options to mitigate or eliminate your exposure are limited. What if it were five years earlier? 1 January 2003. Now you can point out the problems of selling high-commission mortgages to people who cant afford them. Maybe show the weakness of continually rolling over short-term debt to fund long-term mortgages? Illustrate the connection between the securitised mortgage and the credit default swap markets, and the resulting accumulation of risk? By addressing the problems at business model level, will you be able to make a difference then? Possibly, but it is by no means certain. The danger is youll come across as anti-business or uncommercial, instead of far-sighted and perceptive. Youll perhaps be labelled a prophet of doom, always looking on the bleak side. Risk management will be labelled the Business Prevention Unit. Your board would have to be quite tough to turn down business and watch while competitors performance, market penetration and share prices soar in comparison (to say nothing of the bonuses being paid). How many years of that before the CEO or other members of the board are replaced? If you worked in government, it would be a rare politician who would advocate restraint when all the numbers seem to be going the right way. Black swans There is a name for events like the 2008 crisis. They are called black swans (following the thinking of investment manager and philosopher, Nassim Taleb). Typically, black swan events are unforeseen, have a major impact, and seem obvious with hindsight. We risk managers should get some comfort from the fact that black swans are by definition unforeseen, and then are deemed to be obvious. Whats a risk manager to do? If, with perfect information, we cant convince our stakeholders about shocks, do we just give up? Taleb himself says he is fed up with being asked what the next black swan event will be, when the whole point is that you dont see them coming. The earlier time-travelling thought experiments show how hard it might be for the far-sighted risk manager to achieve anything meaningful about these shocks. However, giving up isnt an option. Here are three actions that might help: Communicating the nature of black swan events. Run the time-travelling thought experiments with your stakeholders. Use a recent example that is relevant to your industry. What changed for your business as a result of the 2008 crisis? What could and would your colleagues have done with hindsight? What indicators would have made them consider the suggested action? Discuss disaster impact. Its hard to discuss disastrous scenarios without making stakeholders feel the events are so extreme and the consequent rules of the game so different that detailed planning is pointless. Avoid this disenfranchisement. Your stakeholders are right (although we might not like to admit it). Better to show the impact of a disaster and then seek input about what if anything could be done to protect the business. This way, the impact is the important thing, not the cause. Protective actions are generally not cost free. Its worth framing the cost in terms of the actions benefit and reliability, thus allowing a decision to be made in context. Identify the connections. Charles Perrow identified a class of event that he called normal accidents. These are accidents that are inevitable in complex operating environments, and often arise from a series of small, seemingly independent failures. He identifies tight coupling as a factor that makes normal accidents likely. What is tight coupling? It could be defined as handovers between systems or part-systems. For example, output is generated manually in a spreadsheet then uploaded automatically into a payment system, which then makes the payments. The connection is a source of potential significant error. The spreadsheet may be created more than once, or a parameter may be input wrongly by a factor of 10, resulting in excessive or multiple payments being made. Perrow takes the view that these events are inevitable and cannot be designed out. Perhaps, though, the solution is to remove the coupling and simplify the system? Debate Life for a risk manager is never easy. Black swan events are obvious with hindsight, by definition. Having the debate about their nature can be difficult, given that everyone is busy and it was obvious anyway. Managers have the view, post-disaster, that steps have already been taken to prevent any recurrence and were safer now that we have ever been. Spending more money on remote events will seem pointless. And normal accidents? Just an excuse to explain failures in operations. If you cant even with perfect foresight better prepare for or mitigate shocks to the system, how does this affect the job specification for the risk manager? It may be worth even if just to hammer home the point ensuring that your job specification makes clear that there are some classes of serious risks that have to be considered as raised with the board and duly noted, but only managed to the extent that the board recognises them and so directs. Paul Harwood is an actuary and independent consultant on strategy and risk management