Majoring in Risk Management: Is It Time to Restudy the Subject?

by Robert N. Charette, Fellow and Director, Enterprise Risk Management & Governance Practice, Cutter Consortium

The beginning of 2008 started off with the French bank Société Générale reporting that a low-level employee, Jérôme Kerviel, had executed a series of "elaborate, fictitious transactions" that cost the bank more than €4.9 billion, the largest loss ever recorded in the financial industry by a single trader. However, Kerviel's escapade pales in comparison with those of investment advisor Bernie Madoff, who admitted in early December to defrauding his clients of upward of US $50 billion in a "giant Ponzi scheme" for years.

These were a pair of nice matching bookends to a year of extraordinary financial turmoil that will be studied by economists for the next 100 years. It will also be interesting to see in retrospect whether 2008 will end up being the year that the practice of enterprise risk management was fully discredited or merely heavily sullied.

Why do I say that?

Take a look at a most interesting piece in the New York Times early this month written by Joe Nocera, the Times' longtime business columnist, titled "Risk Mismanagement." It is only one of several articles that have appeared in the past few months questioning the value of enterprise risk management.

Nocera's piece is fascinating and one that I urge everyone -- risk manager or not -- to read and study. Nocera looks at the role that quantitative risk management -- especially Value at Risk (VaR) -- has had in creating the financial situation we are now in.

The specific questions Nocera was trying to answer in his article were: "Could VaR and the other risk models Wall Street relies on have helped prevent the financial crisis if only Wall Street paid better attention to them? Or did Wall Street's reliance on them help lead us into the abyss?"

In his story, Nocera reviewed the history of VaR and how it became the main risk management model for assessing and managing enterprise risk on Wall Street, in corporate America, and how VaR has become to be a financial standard around the world, including national and international regulators. He also interviewed many of the original developers of VaR at JPMorgan in the late 1980s and early 1990s, such as Till Guldimann, who confirmed that while VaR might be right 99% of the time in assessing risk, the 1% where it didn't could cause giant losses.

Guldimann also admitted that VaR could be (and was being) gamed, which gave traders a way to show less risk in their trading positions than was actually the case. Why did the traders do so? Because banks and other financial institutions compensated traders based on an ability to make big profits at (seemingly) low risk.

Nocera also interviewed Nassim Nicholas Taleb, distinguished professor of risk engineering at New York University and author of Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets and The Black Swan: The Impact of the Highly Improbable , published in 2001 and 2007, respectively. Taleb calls VaR a mathematical fraud that does more harm than good when it is used normally. It doesn't take too much imagination to predict his response of what he thinks of its worth is when it is being gamed.

The debate Nocera writes about between those who believe and those who don't believe in quantitative risk models is an absorbing read. All models have limitations, of course, and when you approach a model's limits, you need to be very, very careful; highly skeptical is a better warning. However, when you have risk models piled on top of risk models, well, you might want to be more than a bit questioning of the results.

That seems like common sense, but in the recent boom times, it was forgotten.

As Nocera points out, while there were may be a handful of risk management experts using models such as VaR who were mathematically sophisticated enough to know their limits, there was a legion of others who were not risk experts and who didn't bother to take them into account or even know their limitations. This ignorance, however, didn't stop them from using the output of the models in making major financial decisions involving risk.

Who were the people who used these quantitative risk management model outputs but didn't understand their full meaning? Nocera writes:

There were the investors who saw the VaR numbers in the annual reports but didn't pay them the least bit of attention. There were the regulators who slept soundly in the knowledge that, thanks to VaR, they had the whole risk thing under control. There were the boards who heard a VaR number once or twice a year and thought it sounded good.… There was everyone, really, who, over time, forgot that the VaR number was only meant to describe what happened 99% of the time. That $50 million wasn't just the most you could lose 99% of the time. It was the least you could lose 1% of the time.

Forgetting that point has been an expensive, multitrillion-dollar lesson to learn. As I wrote, Nocera's article is one that everyone should read -- and may eventually mark at least the end of the current enterprise risk management movement.

I welcome your comments on this Advisor and encourage you to send your insights on the enterprise risk management and governance market in general to me at rcharette@cutter.com.

Sincerely,
Robert N. Charette, Fellow and Director
Enterprise Risk Management & Governance Practice
E-mail: rcharette@cutter.com

Editor's Note

I am the editor of the February issue of Cutter IT Journal , which will be taking an in-depth look at current enterprise risk management practice. The articles will be debating whether ERM is broken and, if it is, whether it is fixable or irretrievably broken. The articles in it are thought provoking -- we'll be sure to provide you with information on obtaining a copy once it is published.