The comment “risks cannot be reduced only transferred” has received some recent prominence. This post develops my response to a post that used this phrase in answer to a question on LinkedIn’s Financial Services Regulation group; “How do you govern risk if you have no visibility into your risk? How do you identify risk? If you cannot identify risk, you are unable to mitigate it.”
It gives me an opportunity to build on a point The Epicurean Dealmaker raised in his 2007 blog”Nobody Expects the Spanish Inquisition”, a four year old but timeless commentary on the use/abuse of credit derivatives and risk transfer.
“Risk is incompressible: it cannot be eliminated, only transferred (for a price).”
TED makes clear he is referring to risks associated with derivative insrtuments. Risk transfer between financial institutions frequently focuses on transferring irreducible risk associated with a third-party entity that neither the seller or buyer can directly influence through their actions. So financial institutions lobby to indirectly influence outcomes. Currently, we are seeing this influence being exerted across the Eurozone where the Olympian “Game of Finance” is approaching it’s final stages. Cost of entry to watch this game is high, everyone can be assured of a ticket allocation as the ticketmasters have our tax details and the cost for adults is lower than it is for chidren.
For 20+ years I worked in the regulated insurance industry. It is impossible for protection buyers to profit from an adverse catastrophic event that crystallizes losses to identifiable assets of certain value which the buyer has no insurable interest in. “Regulated” insurance,? Insurance entities where policyholders assets are ring-fenced in the event of the entities failure for the benefit of policyholders. Many financial commentators use the term “insurance” for some financial products. this is a fertile fallacy that pays off for market participants who use it. “Insurance policies” or “credit risk mitigants” are often no more effective than soluble umbrellas or chocolate teapots wrapped in a thin, porcelain skin. Insurance policies cannot be leveraged or valued at multiples of its nominal value. In the regulated insurance world, protection buyers interests align with those of the sellers. Continuously and actively seeking to mitigate the probability of an occurrence and/or the consequences of a sudden and unforeseen catastrophic event benefits both parties. It is an anathema in regulated insurance for one participant to profit from anothers risk blindness.
It helps to understand that risks/adverse events and their economic costs fall into two categories. Events:-
1) we can influence by our thoughts, actions and behaviour dependent on the strength of Internal Controls & governance for example.
2) we cannot influence by our thoughts, actions and behaviour such as earthquakes.
In both categories, the size of economic losses are directly influenced by decisions that are taken before and after the occurrence of an adverse event. However, our actions can both trigger an adverse event and influence its outcome in only one of these categories; endogenous as opposed to exogenous risk. This is where the role of effective governance is key.
Identifying adverse events which can be triggered by weak internal controls and their effective mitigation is a primary function of a company’s Board. When structured effectively, risk transfer creates a positive feedback mechanism that reduces not only the probability of a catastrophic event but also it’s cost. Essentially, Unlike banks, regulated insurers cannot “profit” from adverse events they underwrite. This is because credit risk transfer between financial market participants seeks to capitalize on risk asymmetries and the destruction/arson of economic value in a zero sum game. Collaborative risk transfer, on the other hand protects and creates economic value. For example, by reducing the probability and cost of an adverse event that reduces cash-flow and increases credit risk, effective governance and risk management can help ensure Capital costs don’t spike. But this point will not be shouted from the roof-tops by many corporate financial advisers. They rely on traditional financial methodologies and tools to generate fee income. They focus little on how their clients manage risk. Taleb’s Procrustean Bed is still the only accommodation financial institutions are willing to offer their customers. In the world of complex financial markets, only sophisticated financial participants understand “risk”. And the adverse events non-financial companies have been taught to fear most (& which drives executive remuneration in most companies) over the last fifty years is damage to their cost of Capital. BP’s historical approach to risk management and transfer offers a tangible insight.
AIG collaborated with BP to create risk transfer structures dealing with adverse events such as fire, explosion, earthquakes, floods and windstorms. The positive feedback mechanism relied on identifying risks in large complex and highly hazardous facilities. Risk engineering programs ensured industry-wide risk management best practices were shared and Probable Maximium Losses calculated for counterparties. Underpinning this was AIG Global Energy’s broad understanding of industry loss events, trends in proximate causes and relationships with Original Equipment Manufacturers. Ten or so years ago, BP elected to self-insure. As I recall the reason given by the Company Secretary was to allocate Capital more effectively. What followed is history. Now, it would be wrong to conclude that losses occurred because this feedback mechanism stopped. However, it is indicative of a fertile fallacy taught by business schools over the last 40 years. Financial Markets demanded consistency & predictability in earnings growth forecasts. Short-term growth in profitability and Return on Capital Employed took precedence over Risk-Adjusted Return on Capital. This oversight is costing societies hugely. “Efficiency” may remove redundancy and overheads that improve short-term ROCE and lift earnings expectations. But an adverse event can cause significant damage to cash-flow and earnings. This increasingly leads to confidence draining fast from investors and trading and funding partners as rumours sprea, weak crisis management fails to suppress this volatility and share price falls.
Corporate Boards owe their shareholders a duty of care to prevent adverse events from causing significant loss. They are responsible for establishing Internal Controls that protect against adverse events. A simple example may be to retrofit buildings in an earthquake prone area to voluntarily comply with updated best practice engineering that reduces the loss impact. This isn’t just complying with minimum legal requirements. This is doing far more. As the quality of financial, physical, political or corporate structures have shown over the last few years, accountability at the top of organizations is poor. There are a tiny number of vocal policy “architects” who have become financially bloated not because of any directly attributable management skill but because of credit their companies gorged on, self-belief and erudition. Rather than take their medicine, they have passed the costs of their disease onto taxpayers. Until politics addresses the issue of accountability more fully ( and David Cameron has been mentioning it a great deal) , it is unlikely that many of the politically disillusioned will agree that we are “all in this together”.
The loss outcome for a company whose buildings are damaged by an earthquake is essentially no different to outcomes from other adverse events which their employees actions can trigger. But risk identification is lax in many Boards. If a Board required reporting of any adverse event on the 30th day of each calendar month, executives would find it impossible to take timely decisions that limit the size of a loss event triggered on Day 1. Shareholders would laugh at such a weak internal control. Fortunately for Boards “Risk Managment” is low profile. In News Corp’s 2010 Annual Report there is no mention on “risk management”. This quality of governance and risk control occurs in many, many companies. A Board can approve a CEO’s strategy to increase RoE by reducing the ratio at which it replaces old equipment. This can take place by extending the life of old equipment. This is likely to increase the probability of a catastrophic loss. However, making that decision in year one may not cause a loss for ten years, by which time the executive has left with their remuneration intact. Executives should be held accountable for these types of decision that increase the probability of a loss outcome in Extremistan. Rule one of Risk Management 101 must be accountability.
We’re seeing the effects of poor accountability and governance at News Corporation. An adverse event that first became “visible” to the Board 8 years ago is now escalating with a significant potential cost to shareholders. This failure suggests fundamental Internal Control weaknesses. This was coupled with a reliance on “legal opinion” regarding allegations made against News Corporation on whether a risk event had occurred. Lawyers aren’t the most objective risk hunters; Like truffle pigs, they look for what they have been trained to look for within tight terms of reference. Adverse events do not wait for a “legal opinion” before triggering. This is a significant oversight by many Boards.
I had first-hand experience of Internal Control failures; not only within an organization run for many years by a strong-minded, driven and successful octogenarian who bulit the company over 40 years ago, but also as a catastrophe underwriter for hazardous industries and unaccountable executives worldwide. Risk visibility can be suppressed in a Culture driven to”outperform” rivals. “Don’t bring me problems, bring me solutions” was a common phrase at AIG by executives who signed off your bonus. Yet, many executives will say “Risk is a necessary part of capitalism” as if there is good risk and bad risk. Others pay lip-service to safety. “We have a zero tolerance for loss of life” they used to tell me. However, I knew their remuneration was barely aligned with this outcome. It is human nature for us to believe we are “good” people doing the “right thing” as we believe we are all better drivers than the average. This leads to misinformed comments (hubris?) such as “we will have a laser like focus on risk.” Nassim Taleb calls it epistemic arrogance. Executives generally only see risks that will impact their remuneration. Allowing a successful CEO to build a company in his image works until it doesn’t. No CEO should be served by their company’s shareholders. News Corporation shareholders are now asking themselves tough questions.
How do we begin to put this right ? First, let’s drop the fallacy that Systemic Risk is confined to financial markets; it isn’t. It is endemic across corporate entities. Strengthening Internal Controls is central to addressing the risks of adverse events. Complex organizations need a Chief Risk Officer (CRO) who :-
1) report directly to the Board, Chairman ,CEO or Risk Management Committee; not to the CFO.
2) has responsibility for internal audit/policing; not lawyers, accountants or non-execs who should support the process.
3) protect the reputation of the listed company.
4) draft clear contractually binding Risk Authorities for identified key executives whose decisions can cause catastrophic adverse events. These Authorities should align individual goals with corporate goals and governance. If these include Corporate Social Responsibility policies, words and deeds can be aligned. The public will be sure to note any misalignment.
5) Act as a conduit for whistleblowers.
This is one of the only ways I can think of – except for lengthy and ineffective regulation – that the trust that has been broken between shareholders and Boards of companies who have suffered reputational harm can begin to be repaired. It is also voluntary.
The CRO is the person who, on behalf of shareholders, asks the tough “what if” questions regarding Return on Equity/ Return on Capital Employed metrics driving most executive compensation schemes. “What-if” uncovers the “risk-adjusted” element to be mitigated.
The conceit of those supporting the “ROE/ROCE” performance agenda and opposing RAROC is that they are the risk takers & dynamic wealth creators. Over the last 30 years, Piper-Alpha, BP, AIG, Lehman and now News Corp have shown the economic cost of weak Internal Controls. Those seeking to impose stronger Internal Controls have been considered a cost-centre who hinder economic development and reduce economic growth.
This conceit is dead. CRO’s may increase the sustainability of the Net Present Value of future cash flows at a cost of a few basis points less of short-term income or RoE. But this cost doesn’t get close to the estimated $60-200Trillion of NPV of economic growth lost during the global financial crisis that Andrew Haldane of the Bank of England has suggested.
Time to bury the fertile fallacy that people with a strong risk focus are poorer at delivering economic value and growth than CEO’s focused on ROE/ROCE, maximising their remuneration at ultimate cost to shareholders and society. Companies with a strong risk focus will not only ultimately win, but will be seen by investors as having both eyes on the road.