The painful losses in the sub-prime mortgage market among banks and Wall Street firms, and a near-global meltdown of credit markets, show once again that despite an army of PhDs in finance and sophisticated risk models, the same kinds of errors continue to be repeated. As James Kenneth Galbraith observed in his book, A Short History of Financial Euphoria ("Financial Genius is Before the Fall"), control of large sums of wealth is mistakenly assumed to be a sign of great intelligence and leadership when it may in fact only indicate accident of birth, political acumen or indifference to legal restraint. There are lessons here, which many will ignore, but one in particular bears repeating and impacts enterprise risk management.
Success is a positive feedback loop, with each success reinforcing the previous action and increasing like kinds of behavior. Positive feedback loops are an essential element of any system, but there is a tendency for them to cycle out of control. An example would be children starting to build a fort from scrap wood and ending up putting titanium gun ports on their material list. A more ominous example is drug abuse, where the addict must ingest ever larger dosages to achieve the same high. In like manner, euphoria regularly overtakes markets and businesses. The restraint on this behavior is a negative feedback loop. Externally, this is provided by short sellers at market highs and buyers at lows. Internally, on Wall Street, this is the role of risk managers.
Following the debacle in the subprime market and other collateralized debt obligations (CDOs), many risk managers lost their jobs. This seems reasonable given what occurred, except for one thing: in at least one case they reported to the heads of the individual businesses. Does this sound familiar? When you have been assigned the responsibility but do not have the power, you are nothing more than a sacrificial lamb for someone else's failure. The negative feedback loop function of risk management is eliminated, and the most you can do is sound a warning like an Old Testament prophet and then wait quietly for the stoning. Whether we look ex ante or ex post, it would seem obvious that organizations that structure reporting hierarchies with conflicts of interest are increasing their risk of failure and simultaneously increasing the magnitude of any loss. This problem is not unique to the financial community.
For a corporation to succeed long term, and to demonstrate true stewardship of the shareholders' assets, it must address internal and external threats and meet regulatory requirements. It must fully understand the true costs of mistakes and, where these are unknown, prepare for them. It must be able to withstand shocks. The risk control groups within the typical enterprise (insurance, audit and information security) need to provide their advice to those whose best interest is in heeding it, not to those who have a "perverse incentive" to ignore it. Where does internal audit report in your organization? Where does information security report?
When dealing with both endogenous and exogenous risks, if we wish to learn from past errors, we need reporting structures that are free of any conflict of interest. A typical conflict in large corporations is where the information security manager reports to the CIO or, worse, to a director. We have seen many large projects where critical risk mitigation strategies are ignored because they increase costs on the front end. Enterprises that persist in this direction are leaving themselves open to essentially unlimited risk. It would be far better for organizations to take a total risk management approach, placing information security, insurance, business continuity planning, internal audit, privacy and like functions under a single manager who reports to the CEO. Absent this structure, reporting lines will depend largely on the type of business, industry, product, or relevant regulation. Let's examine the foregoing using Professor John Boardman's Systemigrams, which are particularly well suited to providing insight into both problem and solution domains.
In this simplified example (actual risk can be more subtle), we have a typical hierarchical organizational structure in which the risk management function (information security in this case) reports into information technology (IT), and information technology reports into finance (CFO). The problems do not develop until late in deployment. The weakness in the system (which may or may not meet regulatory compliance) eventually impacts profitability. This receives the attention of finance, which subsequently applies pressure to IT.
Frequently there is no impact on profitability, and the problem remains until it is detected by internal audit. Depending on whether the company is subject to US regulations, it may never be addressed. As a practical matter, system vulnerabilities can go undetected and unexploited ad infinitum. We have seen companies that are surprisingly blithe about the level of risk they are assuming, and they can point to years of experience in which nothing damaging has occurred. This is a fundamental weakness in human psychology: lack of previous exploitation tells us nothing about the future probability of it occurring. In fact, small regular losses will draw immediate attention, but disasters will only produce heroic figures and scapegoats. Someone once wrote, "crisis is the best opportunity". Preventing the crisis goes unrecognized, as we have pointed out in another post.
Let's take the foregoing example and alter the reporting structure. In this diagram we focus only on the risk elements and ignore many of the more subtle dimensions for the sake of illustration. The reporting of IT risks is detached from IT, audit is detached from finance, and they are equal partners in a dialog concerning risks. Given that the modern corporation is not purely hierarchical but also contains elements and properties of networks, risk subject matter experts (SMEs) are detached and work within the business elements they support. Their insight provides valuable perspective on emergent properties of the networks they are affiliated with. This will reduce checklist, purist or ivory tower type decision making on risks. The importance of this cannot be overstated. Businesses must take risks to excel, and those risks must be measured, intelligently taken, and balanced. With the correct strategies and structures in place, the business can move forward confidently and, while not immune from losses and failures, neither should it be the architect of its own collapse.
We have attempted to show that certain structures can be detrimental to the long-term health of the enterprise by permitting it to take on excessive levels of risk. We have also attempted to show one general approach that permits the organization to consider risks and mitigate them before they reach the level of a disaster, irrespective of the risk domain. Proper structure allows the enterprise to plan for foreseeable risks and to remain flexible and adapt to those that are unseen. Obviously this is a single dimension of risk management, and prudent organizations will have a plan covering all areas.