Is the Third Time a Charm for Effective Risk Management?

There’s an old curse that seems very appropriate today: “May you live in interesting times.” Indeed!

With that in mind, consider both (1) an exercise of ranking hypothetical catastrophes and (2) recent history since 2001.

  • Imagine if last year someone provided a list of ten plausible but low-possibility events that could harm the nation, the economy or your firm, and asked you to rank them in order of anticipated harm. Ignoring a giant meteor, asteroid or comet strike that would wipe out human life on earth, regardless of the other nine, it’s hard to believe that any reasonable and honest person wouldn’t have a pandemic from China at or near the top, along with, say, a Dwayne Johnson-level earthquake on the West Coast or some large-scale aggression from, say, North Korea or terrorist in the Middle East. Yet, how many firms have considered or have plans for any but the most routine emergencies, like a loss of power at corporate headquarters? For example, there is an article in Saturday’s Wall Street Journal, “Risky Loans Face a Huge Test from Crisis,” about CLOs—Collateralized Loan Obligations. It seems that same unrealistic models that contributed to The Financial Crisis via their application to MBS—Mortgage-Backed Securities–have been more recently applied to corporate loans with little emphasis on possible worst cases.1
  • Last week, during a hasty, 1,600-mile round-trip to retrieve the contents of her dorm room, I mentioned to my freshman daughter, “In your lifetime, you’ve had 9/11, The Financial Crisis, and this—the Corona Virus. I’m more than three times older than you, and in mine, and, I’ve pretty much only had the same three.”2 In banking and finance, there have been many other crises and scares, and with a capacity to learn should have left financial organizations better prepared.

After the trip, I mentioned to a colleague that I hoped—wished is a better word—that the third time’s a charm, and executives will start taking risk management and stress testing, seriously, by (1) asking the “what if” question before a crisis begins; (2) waiting around to hear the answer; and (3) then determining how to act and manage in those circumstances.3

What do we mean by “risk management?”

The process of:

  1. Either identifying or imagining harmful situations—large or small—via scenario generation
  2. Credibly estimating their harmfulness via stress testing
  3. Actually managing—or determining ways to avoid those situations economically or economically minimize the negative implications by:
  1. Taking precautions to reduce the possibility of negative affects—note the ‘pre’ as in ‘beforehand’
  2. Buying insurance or hedges—again, pre or beforehand—to reduce bad effects (après or post) in situations that couldn’t be avoided by collecting (insurance) or hedge payments after the fact
  3. Developing contingency plans—again, pre—to reduce bad effects après, and then, if something bad does occur, executing those contingency plans to mitigate losses.

This process incorporates scenario analysis or stress testing in the first two steps, where the possible effects are measured—more precisely, estimated—with models or with informed qualitative approaches when sound and reliable models aren’t available. It’s not easy, but it’s also not impossible, and once it’s set up properly, it’s much easier—though not instantaneous—to generate appropriate and credible ad hoc analyses of previously unforeseen scenarios.4

If you can’t forecast losses, how can you possibly manage your portfolio?

One would wish that two society-altering events in the first decade of the century would have motivated executives to implement more meaningful risk management activities in the 2010’s, especially “what if” analysis. Alas, that doesn’t seem to be the case. In banks, and for credit risk, in particular, regulators and bankers have focused only on variations of The Financial Crisis—via CCAR for large banks and the now defunct DFAST for mid-sized banks exercises—and have ignored the more comprehensive application of their own rules, SR 12-7, for other routine and ad hoc scenarios. Alas, and again, that failure of imagination has left many firms unable to forecast credibly either (i) anticipated or (ii) worst-case losses in our shocking current environment.

There was a huge expansion in risk “management” staffs at almost all medium and large banks since The Crisis, but not a proportionate increase in actually managing risks; there is a lot of reporting and checking and checking the checkers but not a lot of recommending and doing.5

So, will the third catastrophe in 20 years a charm? Will firms, especially banks, be willing to invest in true risk management capabilities? We’ll see. Doing it the right way need not be more expensive in the long term; for those with a financial accountant’s perspective, it initially seems costly when outlays of building analytical capabilities and flexibility (and the associated increase in human capital) are viewed as expenses, rather than a long-term investment of either reusable or portable models and analyses.

We’re not here simply to complain.

In future posts, we’ll explain “how to” build and port stress test exercises and models from routine loss forecasts, like CECL, and other routine stress tests, like CCAR, to ad hoc analyses, like forecasting losses in our current situation. We’re doing that work now. Those posts will be more tactical and technical than ranty. With an intelligent design and modeling program, this seemingly impossible work can be done quickly, but, again, not immediately or instantaneously. If you would like to learn more, sooner, please contact us.

P.S. Our small firm has been virtual since its start and has been unaffected by the pandemic; it remains very productive. We like to joke that our clients don’t want to see us, and we don’t want to see our employees; so, social distancing is our way of life and so we’re very robust to pandemics. Seriously, though, if you’re measuring someone’s contribution by their time spent on-site in an office, or, God-forbid, in a viral or bacterial petri dish of an open office, with its ever-louder and ever-shrinking space, then you’re probably not getting your or your shareholders’ money’s worth. Moreover, if your managers can’t determine if their employees are creating value when working away from the office and measure inputs as outputs, then maybe you may need more knowledgeable and more engaged managers.