Fortune favours the well-prepared
Financial Times, January 1, 2009

Fortune favours the well-prepared

By Russell Walker

Published: January 29 2009 17:42 | Last updated: January 29 2009 17:42

Traditionally, organisations have viewed risk management as a corporate requirement, and have often grouped it with audit and regulatory functions. Some have even empowered and titled corporate groups to "manage risk" along these lines. This has often centred on managing insurance policies and reviewing reports from rating agencies, which suggests that risk management was viewed more as the hedging of certain risks and the overall outsourcing of critical risk analysis, especially as related to credit risk.

The recent economic downturn has shown a new face and place for risk management. The strongest companies in this downturn are those that integrated risk management as a more comprehensive part of corporate strategy. The weaker companies depended on the traditional risk management school of thought mentioned above almost entirely. This is true in financial services and extends to nearly all industries reliant on credit, market, and operational risk management.

As a result, a few key behaviours of risk management as a driver of corporate strategy have emerged. First and foremost, sound risk management requires executive involvement and ownership. Next, a culture and climate must exist for openly communicating risk in the organisation. Additionally, communication of risk must have an emphasis on data- driven decisions. Last, but perhaps most critically, the organisation must have a "ready response" to a known risk.

Let us look first at how executive involvement in risk management helps to make it part of corporate strategy. A good example is US bank JPMorgan Chase, which has avoided the worst woes afflicting its competitors and has brilliantly executed a strategy that is rooted in understanding its risk and adapting as required. Witness its buying of Bear Stearns, the US investment bank, at $10 a share and its purchase of Washington Mutual, formerly the largest savings and loans operator in the US.

Unlike many of his peers, Jamie Dimon, JPMorgan chairman and chief executive, takes an active role in regular risk briefings. Not only does he ask for detailed risk reports, he also recognises the need to set a direction for the company in reaction to these risk outlooks rather than delegating the risk decisions. When the investment banking industry was moving towards greater real-estate investments and larger collateralised debt obligations purchases, he looked to data from the JPMorgan retail banks that showed that mortgage defaults were on the rise, and then provided his team the direction (based on data) to move against the herd by selling real-estate backed securities. It is hard to fathom that any organisation would make such a drastic decision about risk without the direct involvement of its senior leadership. So, just as executive involvement is important in setting corporate strategy, it is equally important in risk decisions.

To be effective as an organisation, there must be honesty and openness in communicating risks. It is clear that the international real-estate bubble was in part fuelled by a field of mortgages that were, in various forms, deceitful, incomplete or otherwise untraditional. Indeed, the classically trained credit risk managers signalled these mortgages as high risks. For many organisations that were focused on short-term earnings and felt a need to outpace the industry in bookings, this communication of risk was dismissed, or worse, silenced.

In the case of JPMorgan, it was the retail banking division that shared data with the investment bank on the escalations in mortgage delinquencies. This sharing of data across business lines allowed Mr Dimon and his corporate team to change strategy on the investment side. For many organisations, sharing information that challenges accepted norms or questions conventional wisdom is not welcomed. Other banks could have done the same as JPMorgan, but the practice of communicating risks and data across business lines was absent. The lesson, of course, is that an enterprise must be willing to communicate about risk, especially when things are going well and the risk has yet to be realised. Given the interconnectedness of risk within an organisation, all lines should take the time to learn what other lines are doing.

The importance of information in risk management should not be missed. In recent months, many risk managers have pondered how the traditional risk management models failed to predict the crisis. After all, a great deal of thought has gone into the development of the models and techniques that are used to conventionally manage risk. But it is in the convention that the problem resides.

Conventional risk management techniques use historical data to make projections about "worse cases" or statistical anomalies that might arise. However, future negative outcomes are unknown to the models and future "failure paths" are not incorporated into the models. Most of the risk models used are not good at incorporating new information and even worse at new types or sources of information, such as changes observed in a tangential business line, observations from front-line staff or traders, or alternations in market behaviour due to phenomena such as reduced availability of capital.

When JPMorgan saw signs in its mortgage accounts, it incorporated information on mortgage payments that was unconventional for the evaluation of portfolios of mortgages by the investment bank. Its success came from identifying such novel information and realising that it challenged conventional thinking. In such conditions, relying on conventional risk models is highly questionable - some would even say harmful. So, the focus of a risk manager should not be strictly quantification, but the identification and incorporation of information, especially of new types and new sources, in order to determine direction and the changes that drive risk. Risk management is inherently a process of investigation and learning that is rooted in unravelling the complexity of the unknown.

The risks facing organisations are more complex and tightly connected than ever before. This complexity is largely driven by the ongoing globalisation of business and the increased speed of business activity, as enabled by technological advances. Using data to make decisions is key; it enables verification, and provides a means of breaking down the complexity of business.

For many organisations, there was a reliance on securitisation or swaps to transfer risk in ways that were not possible a few years previously. In many ways, these swaps served as insurance, yet the buyers of such swaps were not necessarily qualified or even financially guaranteed (as is required by many insurers worldwide). It is clear that very few of the buyers or sellers of such novel financial instruments understood the inherent interconnectedness of risks in these instruments.

For instance, the US government is still unwinding the trades and obligations of AIG, the insurance group, which relied heavily on swaps and risk transfers. The case of AIG shows how even a large and diversified company can struggle to fully understand its obligations and risks. Many companies relied heavily on hedging or transferring risk as a means of risk management. The assumption that risk is perfectly transferred assumes that the counterparty is perfectly resilient, too. This is, of course, naive and has been proved wrong recently, but it demonstrates how a few assumptions about risk can drastically impede a corporate strategy.

Nevertheless, in every corporate strategy, particular risks are accepted, ideally those risks that management believes hold some attractive opportunity. Focusing on the data or factors that foretell of the risk accepted is essential; it is how one begins to understand a risk and reduce uncertainty. Risk management is a process of investigation and study.

However, many companies have accepted data at face value, such as credit ratings, the financial stability of a counterparty that was buying a swap or credit risk transfer, or the direction of commodity or real estate prices. For example, it is clear that the US automobile industry was not prepared for the recent volatility in oil prices. The "Big Three" US manufacturers were largely working on a view that oil would remain inexpensive to US consumers. Meanwhile, the likes of Toyota and Honda were making calculated investments in hybrid cars and other high-efficiency vehicles to position themselves for an upswing in oil prices. In many ways, the Japanese carmakers had already "readied their response" to the risk posed by higher oil prices and the subsequent impact on their customers. This reflects a treatment of risk on the part of Toyota and Honda as part of their corporate strategies.

This forward thinking about risk is crucial. Neither company was immune to the recent economic downturn, nor did they completely abandon the previously lucrative American SUV market, but both were better positioned than their big US counterparts because they were better prepared. They identified a risk and took action in a way that would allow their corporate strategy to adapt to an environment with lower consumer interest in large vehicles.

The emphasis is on "readying the response", in much the same way that armies conduct simulations to prepare for a yet-unseen conflict. Companies that ready a response for a range of situations are not necessarily better at predicting the future; they are just more prepared for what comes to pass. This continuous preparation often makes them better at understanding factors predictive of a risk. So, being ready is not preparing for doomsday, but rather being able and prepared to adapt.

The phrase "liquidity risk" has been used to describe the woes of many companies. In fact, it is a more polite way of saying that an organisation has run out of money. The seeds of today's liquidity risks were sewn a few years ago, during more prosperous times, when companies dispersed excess cash through dividends and share buy-backs, and undertook a wave of high-priced mergers. Indeed, shareholders clamoured for this sharing of wealth and punished those companies that held "excessive cash reserves." However, today those organisations that hoarded cash can better protect themselves against "liquidity risk" and can purchase competitor assets at significant discounts.

Warren Buffett's Berkshire Hathaway is a good example of this. Its policy of not paying a dividend drew naysayers in the past, but it means that the company now has cash when it is most needed. It has allowed Mr Buffett to follow a strategy of long-term value for investors. The implicit risk decision was tied to strategy.

The current economic situation has altered many assumptions about business and markets, and we have seen a massive investment by governments in corporations. This will surely bring new risks to both corporations and governments alike, which have different strategies and goals. Although we can more or less agree that corporations are driven to return profits to investors, the role of governments as major shareholders in banks, mortgage-holding companies, automakers and insurance companies is less clear. In part, the governments of the world have provided rescue plans aimed at stabilising markets. But such investments come with a price tag. We have already seen US Congress and the UK parliament adjust and limit banks' pricing on credit cards. Banks in both countries are also restricted in taking action on defaulting mortgages, as a condition of accepting the government funds. So, the accepted risks change as the corporate strategy changes. Governments and politicians are more sensitive to public outcries than corporations, suggesting that companies accepting state assistance will likely face a new list of risks and responding to a growing group of constituents. The risk of regulation is high for many industries, and companies should adjust their corporate strategies accordingly.

In driving corporate strategy, risk management involves much more than just a set of best practices and the transferring of risk. It involves clear identification of the risks accepted. Factors that are believed to drive risk and the data that are predictive of risk should be openly communicated, but this is not limited to a company's internal risks. As the economist Frank Knight said in 1921: "Profit is reward for taking risk." Companies should not only be selective in which risks they take, but also be willing to pounce when the opportunity presents itself. This involves tracking the risk position of competitors in order to understand competitive advantages.

Risk management is not an exercise in paranoia, but rather an approach to understanding uncertainty, exposures, opportunities and limits in order to make educated investments. It requires executive involvement, an emphasis on making data-driven decisions, open communication and the discipline to think through scenarios and ready responses. A great many of the winners coming out of the current economic crisis will be those that not only held a bit more cash, but had a bit more information than their competitors and were able to seize a window of opportunity.

These lessons show that risk management is really about the identification of key information and its use in the decision-making process. It is not about guidelines or the execution of conventional mathematical models. Preparing for the unknown requires having the best information, not the industry accepted "best practice". The risk management team belongs on the corporate strategy team, not on the phone with insurance brokers.

Russell Walker is assistant director of the Zell Center for Risk Research, Kellogg School of Management, Northwestern University.

Russell Walker