How Do Your Organization's Risks Stack Up? Lessons Learned from the Financial Meltdown

ARMA International: Information Management Magazine

How Do Your Organization’s Risks Stack Up?
Lessons Learned from the Financial Meltdown

As marked by the recent growth in the number of publications related to information risks, records managers have increasingly begun using risk management principles and practices to make decisions about retention periods, destruction of records, and technology spends, as well as to protect vital records and ensure business continuity.

Victoria Lemieux, Ph.D.

Risk management is also a framework through which records managers can demonstrate value to their organizations (e.g., by showing how effective records management can help organizations avoid or mitigate risks, such as litigation risk). Many organizations have established risk management oversight groups, with which records managers may have to interact in performing their functions.

For these reasons, lessons learned about risk management from the financial crisis are as relevant for records managers as they are for bankers or banking supervisors.

Recapping the Global Financial Crisis

The first obvious signs of trouble occurred well before the September 2008 collapse of Lehman Brothers, generally accepted as the point at which global financial troubles escalated into crisis mode. In March 2008, Bear Stearns was pushed into the arms of J.P. Morgan Chase for $2 per share, sending an early warning of things to come. By the time Lehman Brothers collapsed, the crisis was truly under way.

After Lehman failed, no financial institution seemed safe; lending froze and global economies went into economic meltdown. This forced the U.S. Federal Reserve to open its discount window for the first time since the Great Depression. Central banks around the world cut interest rates to historic lows. Most shocking was the spectacle of the U.S. and UK governments taking stakes in banks.

Thus began the search for explanations for what went wrong and plans to introduce new regulation to ensure “this will never happen again.” These efforts offer a number of valuable lessons on managing risk – lessons learned the hard way.

Lesson 1: Identify risks – search for the unknown unknowns.

One of the lessons to be learned from the global financial crisis is that we do not always see “black swans,” – a term Nassim Nicolas Taleb uses to refer to fortunate or unfortunate high impact, random events; that is, we do not always see risks. This requires understanding much more about the processes by which risks are identified – not only in relation to methodologies or frameworks but also in terms of cognitive processes.

The banks’ success relied upon the quality of managers’ risk analysis. Yet, in hindsight, though the stakes were high, managers’ risk decisions suffered from huge blind spots, which spawned grave consequences. Numerous individuals, like Taleb, predicted problems in the global financial markets before the collapse of Lehman Brothers. But, despite knowing about these risks, many in the financial sector were blind to the actual extent of the risks.

This is far from being a problem that afflicts only the financial sector. Professors of business administration Max H. Bazerman and Dolly Chugh observe that the “bounded awareness” phenomenon causes people, no matter the context in which they work, not to see or to ignore critical information when making risk decisions.

Cognitive scientist Daniel Gilbert in his book Stumbling on Happiness cites research that shows how the human mind is limited by its own imagination. Individuals can easily see and detect patterns in what is there, but they have a hard time seeing what is not there. Unfortunately, when it comes to avoiding risk, this is just not good enough.

Taleb has called upon individuals to “think the unthinkable” about risk. But how can we take our blinders off? Bounded awareness can occur at three points in the risk analysis process, according to Bazerman and Chugh:

A failure to see or seek out important information needed to identify risk and make sound risk decisions
A failure to use the information because of blindness to its relevance
A failure to share information with others, thereby limiting the organization’s awareness

Managers can use process changes and technology to overcome the problem of bounded awareness.

From a process perspective, Bazerman and Chugh call for managers to “know what you are looking for, and train your eyes.” By regularly asking questions, such as “What if we’re wrong?” and “How would we know?,” managers can train themselves to pay attention to areas of which they typically are unaware.

Another step that can be taken is to seek out information that contradicts the data you already have. This can be achieved by assigning someone on the team the role of devil’s advocate, an individual who argues the opposite point of view.

For high stakes risks, it is extremely important to spend time and resources to seek out as much information as possible. Once this information is collected, managers need to use it by ensuring they are not focussing exclusively on one or two areas at the expense of other important areas. By consciously thinking about the full context of the situation, managers are less likely to ignore critical information.

Sharing information is also important. Everyone has unique information, and combining this unique information increases collective awareness. To encourage information sharing, managers may need to make an individual within their organizations responsible for collecting it, or at the least they should encourage sharing the information.

Technology also can help overcome cognitive limitations. One such technology is “visual analytics” (VA). Defined as the science of analytical reasoning facilitated by interactive visual interfaces, VA combines computer science with cognitive and perceptual sciences to generate interactive applications for knowledge work based on scientific underpinnings. Using VA is one way to see emerging patterns and gaps in large amounts of data, which can then be used to help identify risks.

Lesson 2: Assess the impact and probability of risks.

It is insufficient to assess risks in isolation and based on past experience – managers must look at risks in context, and their risk assessments must be forward looking. The world’s recent economic troubles clearly demonstrate the inadequacies of assessing risks in isolation, according to the Basel Committee on Banking Supervision (BCBS), which found that banks:

Lacked the internal infrastructure that would have permitted them to assess the impact of risks across all parts of their business
Used historical statistical models to assess the impact of risks, which turned out to be a flawed approach because these historical models indicated benign conditions, failed to predict and account for a severe shock, and did not account for the build up of vulnerabilities
Did not account for risk scenarios that reflected mild shocks, which made them assume shorter durations and underestimate the correlations between different positions, risk types, and markets due to system-wide interactions and feedback effects

The major problem with assessing risks this way is organizations can fail to see how different risks interact dynamically, especially under conditions of stress. As a result, they can fail to predict “contagion effects.”

According to the BCBS, a stress test refers to the evaluation of a bank’s financial position under a severe, but plausible, scenario to assist in decision making within the bank. If undertaken effectively, stress tests can:

Provide forward-looking assessments of risk
Overcome limitations of models and historical data
Inform the setting of an organization’s risk tolerance
Facilitate the development of risk mitigation or contingency plans across a range of stressed conditions

According to the BCBS, “The depth and duration of the financial crisis has led many banks and supervisory authorities to question whether [banks] stress testing practices were sufficient prior to the crisis ...” The committee highlighted four weaknesses in banks’ stress testing practices:

Use of stress testing and integration in risk governance
Stress testing methodologies
Scenario selection
Stress testing of specific risks and products

To rectify these deficiencies, the BCBS has called for banks to:

Integrate stress testing into overall risk governance and transform it into a regular part of risk management practice as opposed to past “one off” exercises
Improve stress testing methodologies by integrating testing across business lines and relying less on historical data
Expand the range and severity of risks considered in developing risk scenarios for stress testing

On this last point, successful scenario analysis requires that organizations understand how risks are interconnected. Within the financial sector, as within many sectors, there is only a basic understanding of the dynamics of risk. This is particularly the case for how records- and information-related risks link to other types of operational- and sector specific risks (e.g., market, credit).

For this reason, the Centre for the Investigation of Financial Electronic Records is conducting research into how records- and information-related risks are linked to operational, credit, market, and other risk types that can destabilize financial institutions and financial systems. Strengthened scenario analysis compensates for a critical flaw in earlier risk analysis techniques that viewed risks as independent and unconnected to one another.

Lesson 3: Define and manage risk tolerance.

Another lesson learned from the global financial crisis relates to establishing risk tolerance levels. The problem that led to the financial crisis was not so much that risk tolerance levels had not been set, but that the compensation practices at global financial institutions encouraged bankers to tolerate excessive amounts of risk.

According to the Financial Stability Board, a new agency established in the wake of the financial crisis to provide oversight of systemic risk, “Compensation practices at large financial institutions are one factor among many that contributed to the financial crisis that began in 2007. High shortterm profits led to generous bonus payments to employees without adequate regard to the longer-term risks they imposed on their firms. These perverse incentives amplified the excessive risk-taking that threatened the global financial system and left firms with fewer resources to absorb losses as risks materialised. The lack of attention to risk also contributed to the large, in some cases extreme absolute level of compensation in the industry.”

Rather than being rewarded for prudence, bankers in many of the world’s financial institutions received huge payouts for taking positions that put their banks’ capital at risk.

Financial industry regulators and supervisors are now paying greater attention to how compensation encourages risk-taking. As the Financial Stability Board states, “In principle, if risk management and control systems were strong and highly effective, the risk-taking incentives provided by compensation systems would not matter because risk would stay within the firm’s appetite. In practice, all risk management and control systems have limitations and, as the current crisis has shown, they can fail to properly control risks. The incentives provided by compensation can be extremely powerful. Without attention to the risk implications of the compensation system, risk management and control systems can be overwhelmed, evaded, or captured by risk-takers.” On the heels of the global financial crisis, the G20 have introduced a range of measures “... to implement strong international compensation standards aimed at ending practices that lead to excessive risk-taking ...”

As a result of these measures and the principles on compensation issued by the Financial Stability Board, bank managers and supervisors will now need to assign greater priority to the link between compensation and risk management systems. The extent to which these recommendations lead to changes within banking practice remains to be seen and will be largely dependent upon how the global recommendations are implemented by banking supervisors within each jurisdiction. Even if an organization is not related to the financial sector, it is worth reflecting on how an organization’s internal compensation systems might encourage or discourage risk taking.

Learning the Hard Lessons

In good times, it is easy for managers to forget about any risks, not just financial risks. However, paying attention to risks and employing best risk management practices will help managers avoid having to learn these same lessons again – the hard way. Whether in banking or records management, the global financial crisis offers many valuable lessons on how to manage risks more effectively to avoid repeating the pitfalls of the past.

Victoria Lemieux can be contacted at vlemieux@interchange.ubc.ca.

From January - February 2010