R. David Moon

Saturday, June 19, 2010

The Lost Understanding of Risk


You may recall a time when we understood risk (or at least, we believed we did). It was not that long ago, really, but now it's clear just how difficult it is for us to recapture the comfort we once derived from what may itself have been a misplaced confidence in our own sophistication around risk.

THEN:

“Risk Management” managed risk

Until recently, it was believed that common risk management practices, proven in past decades, were sufficient to manage risk. Naturally, a deep water oil exploration and drilling business has far different types of risk than a resort hotel operator. One does not necessarily have “greater risk” than the other, just different risk. Understanding that these practices vary greatly by industry, and that many smaller organizations rely on fairly basic forms of insurance as perhaps a sole risk mitigation technique, there are basic methods that had come to stand for sound risk management in most medium to large sized enterprises. These would have included:
- Risk assessment: examination of both points of exposure, and their respective probabilities, to produce at minimum, a rough ranking of the larger risks
- Risk prevention and mitigation programs to reduce risks outright. An example may be a physical modification that all company vehicles be upgraded with brighter brake lights, or a safety training program for all company employees, etc.
- Risk insurance, usually aligned to provide materially meaningful levels of compensation as to the magnitude of the possible risk, in relation to its expected probability.
The reality in most enterprises large and small is that there are many more risks than can be adequately addressed. By the time the organization had acquired insurance sufficient to cover every conceivable event from hurricanes, foreign uprisings and slippery floors in the employee lounge to insect infestations, officer’s liability and unknown propane leaks, a large share of earnings may be flowing to insurance as opposed to shareholders, employees and bondholders. And still there would undoubtedly be risks left unaddressed. So in practice there is a sequence of the obvious and most potentially damaging risks, down to lesser and lesser risks. As one works down the list, there is a point at which nearly every company simply determines it will leave the remaining risks in a category generally seen as “self-insured” – that is, the company accepts the fact that if these (perhaps) rare and unusual occurrences actually happened, they would be prepared to pay the consequences out of current cash reserves, rather than pay ongoing premiums, the cost of complete mitigation, or some combination of both.

Most businesses have high-priority risk areas that are obvious. A railway has multitudes of risks associated with moving thousand-ton trains across country at high speeds in all types of weather conditions. Likewise airlines, electrical utilities, food products companies, pharmaceutical companies and a host of other industries where the top risks are seen as either risks inherent in company operations (vehicles, dangerous chemical processing, etc.) or product/service liability related risks (food products, cosmetics, medical clinics, etc.).

However, it turns out that for most companies, the risks in both product liability and in the very nature of company operations themselves, are usually the best understood risks of all. While the conventional risk mitigation and risk insurance practices are necessary, they are only as good as our perception of the likelihood of the types of risks we expect.

What about the risks we do not expect? These include the unusual weather event, civil unrest, and economic upheaval. In the 21st century, even piracy – a risk virtually eradicated before the 20th century – made a comeback as a legitimate and very real risk to shipping operations, the energy industry and even leisure cruises in certain parts of the world.

Do we have adequate ability to assess the likelihood of these more infrequent “spontaneous” risks? Is there any relationship between our knowledge of a given risk and our willingness to prepare for it? Is there a relationship to our having experienced a risk, among our collective experience represented in our individual enterprise, and the likelihood of that risk actually materializing? These are two entirely different questions. But in the 21st century, the answers to these questions, taken together, have resulted in a breathtaking sweeping away of what we believed we knew about risk management.

NOW:

Only small and medium risks turn out to have been managed by traditional “Risk Management”

One of the most striking consequences of the failure of our older notions around risk management to prove adequate in recent crises, is the realization that if a risk event proves large enough, it simply sweeps away our ability to deal with it entirely. While an entire book could be written on the subject of the risk management lessons coming out of AIG alone, it is valuable to focus on the AIG case as one clear and recent illustration of older, and now certainly obsolete notions being swept away.

AIG is also important to understand since we have perhaps the world’s largest risk manager, suddenly unable to manage its own risks. While the complexity of AIG’s operations was enormous and beyond our examination here, the important fact is AIG’s inability to properly assess the likelihood of risks associated with the risk-management policies it was issuing to its customers. We now understand AIG did not adequately understand risk – even for its own part, let alone on behalf of its clients, those paying fees to AIG primarily for the very purpose of managing risk. While there are endless small and large issues that contributed to the AIG case, the central fact remains that the largest risk-management enterprise in the world was unable to manage its own risks sufficiently to secure its own basic survival.

If the AIG story were an outlier, some one-off unusual circumstance, the lessons to be learned might be different. Having myself been a Partner at Arthur Andersen in the early stages of the Enron collapse, I can well appreciate the differences. Enron was a sole large enterprise in the energy trading industry, which it had virtually pioneered itself. The practices which brought it down were a matter of criminal practices, as the legal system was ultimately able to determine.

In the case of AIG, however, it appears that policies were issued in an ostensibly legitimate fashion, against risks that (at the time) were believed to have been correctly assessed. After these policies were in place, a sequence of events developed, in this case mortgage defaults, which grew into a pattern, frequency and volume that more than overwhelmed their previous expectations. So much so that even the abject liquidation of the entire enterprise could not have satisfied the claims outstanding.

Was it fraud? Not likely in my view. Similarly convulsive events swept through other large insurers, and both insurer and insured across the globe were caught nearly entirely unprepared. If it were fraud, our lessons learned would be largely about amending the regulatory system to fix newly identified holes, as in the post-Enron measures like Sarbanes-Oxley. In one sense, this would prove easier to adapt to than the real lessons from AIG.

Instead, we are left to attempt to reconcile the existential threat to AIG that emerged from the inability to effectively manage that which it was set up most to manage: risk.

“New” risks:
- Integration of the global financial system, resulting in a domino effect for many core institutions of capitalism
- Risks presented by debt at large, beyond traditional notions of debt which looked primarily at risks associated with an individual borrower and singular loan
- Risks associated with large-scale devaluations of currencies, bond market disruptions and radical, unanticipated shifts in central bank policies
- Risks of institutional failure, including the probability that insurance providers could fail, negating older, conventional notions about the ability to simply underwrite risk based on a contractual obligation from a third party
- Risk of “national default”, as in Iceland, Lithuania and potentially larger economies
- Risks arising from sharp, sometimes record-breaking swings in input costs, most notably commodity pricing, energy cost, raw materials costs, and supplier prices or even mere supplier viability due to supply chain risk associated with input costs
- Risks of certain markets attaining gridlock, such as the commercial real estate market in many countries during the global recession, wherein so little buying and selling went on for several years, that notions of fair market values were nearly indefinable
- Risks of major, unexpected shifts in regulation, government policy toward certain industries, and new or radically revised tax programs
With the onset of these new dynamics, risk management is having to remake itself, in order to continue to be actual risk management – that is, an effort that effectively addresses and manages the risks of today’s environment and forward. Not just the small and medium risks, but also the most massive risks, particularly those that serve to threaten the very survival of the firm itself. Risk management practices, to be considered such, now must step up to the sudden and dramatic rise of risks from external economic events, not the least of which is the myriad set of risks from the systemic upheavals in the global financial system, including the risks of collapse of the traditional providers of insurance and other risk management tools. It would seem this larger view of the risk management function – one that encompasses the management of risks inherent in the very techniques of risk management itself – is perhaps just the starting point for a fully capable approach to risk management – one that is sufficient to the realities of our current age.