Nine Things they do not tell you about Risk Management

Risk Management means different things to different people. In this post we explore some truths about professional risk management that highlight both the challenges it is facing as a discipline and the significant role it can play towards a sustainable future.


Some form of Informal Risk Management has been practiced by individuals since time immemorial as it is essential for survival, both at the individual and group level. This is the domain of intuitive decision-making, assessing situations on the spot and taking immediate action to avoid obvious risks. It is also the domain of folk wisdom, traditional knowledge and insights passed down orally through generations, expressed in proverbs, stories, and cultural practices (think, e.g., "Don’t put all your eggs in one basket" or "There is never only one cockroach", and the long list of Risk Management One-Liners). This know-how reflects the collective experiences and beliefs of communities, providing guidance on how to successfully handle adverse scenarios.

1. Risks don’t fall from the sky. Nowadays they are generated by other People

One dramatic shift that characterises the present era is that long-gone are the days of hunter-gatherer or agrarian societies facing the threat of sabre-toothed tigers, or being at the mercy of the weather.

In modern societies many of the old risks we have been facing have actually been largely mitigated. Today the majority of risks faced by individuals are created and shaped, directly or indirectly, by the social and economic context in which people find themselves. Such risks have always existed (as we are a social species) but have dramatically increased in relevance as other, external challenges have been overcome or reduced in relevance.

Credit: https://en.wikipedia.org/wiki/Smilodon

This new reality is particularly evident in the context of companies (the corporate organization of economic activity), which are entirely virtual and legal creatures, thus socially defined. Consider, e.g., the main risks managed by a modern company, especially in the financial sector: these include risk types such as Business Risk, Credit Risk, Market Risk and a host of possible other risk types.

What all these risks share in common is that they have little to do with external physical risk factors. In fact, a quick scan of a typical Risk Taxonomy suggests that old-fashioned physical risks are but a small fraction of all risk types. Even fundamental natural risk factors (such as floods, wildfires, hurricanes etc.) have nowadays a strong human flavor: They are generally well known and understood risks. The degree to which they represent Residual Risk depends quite strongly on our Risk Appetite to ignore e.g., flood or earthquake prone areas.

Extrapolating to the biggest risks we are currently facing, namely the long-term sustainability of the human enterprise, these risks too are the result of “other people”: the collective choices and behaviors of all of us. Our sustainability risk emanates from such endogenous factors as our (in)ability to achieve collective behavioral change, to overcome narrow vested interests or avoid false transition paths. These are all effectively social and, in principle, alterable characteristics.

Bottom line: The implication of the human-made nature of most risks is that formal Risk Management, namely techniques, practices and behaviors that aim to identify, measure and mitigate risks to an individual or an organization, must draw from a mix of social and hard sciences. In particular they must avoid the Pretence of Knowledge, as social / economic dynamics is still a poorly understood topic.

2. Every risk manager has at least two Blind Spots

The infamous blind spot of the human eye is a small circular area at the back of the retina, where the optic nerve enters the eyeball. It is devoid of rods and cones and thus it is not sensitive to light. The blind spot normally passes unnoticed for individuals with two functioning eyes. The simple visual test below, though, suggests we all have to live with our blind spots.

If you haven’t done this test before, simply follow the instructions to convince yourself!

Blind Spot Test

  • Place the above image centrally on the screen you are now using to read this blog post.
  • Close one eye (say the LEFT one) and focus with the other eye (RIGHT) on the letter R. Notice the letter R is on the left side of the screen but you are supposed to stare at it with your right eye!
  • Place your head at a distance from the screen that is approximately equal to three times the distance between the R and the L letters (no need to be precise, but normal reading distance from a monitor is larger than that!)
  • Move your head towards / away from the screen until you notice the letter L disappear. Bingo! You’ve found your blind spot for that particular eye.
  • Hints if you can’t find your blind spot:
    • Try to focus on the letter and do not bounce your gaze around
    • Don’t change position too fast
  • Once you find your blind spot alternate your eye left and right for the disturbing realization that our common sense can actually easily betray us without any warning.

You can learn more about optical blind spots on Wikipedia, but for our purposes the exercise is really just a tangible illustration of the metaphor that many risks derive from (or get aggravated due to) intentional or unintentional ignorance.

Ignorance (namely risks hiding in the risk manager’s blind spot) may reflect either the ability or the willingness to be informed. Ignorance may take various forms:

  • Mundane and common classes of risks that are amenable to “knowing” and thus managing - if one would only apply themselves to the task! In our blind spot analogy this would mean purposefully moving one’s eyes around rather than staring at the correct spot.
  • We can’t always remove our blind spots. E.g., one common manifestation of unintentional ignorance is the perennial complaint by risk managers about the lack, or low quality, of Risk Data. Various practical reasons (e.g. cost) may prevent filling the information gaps in our Risk Profile.
  • In the most extreme case, unknown-unknowns, black swans and other Tail Risk phenomena associated with fundamental Uncertainty. Here we touch the limits of risk management. Quite frequently this sort of introspection happens after significant and publicly visible risk management failures, but the objective might be exculpation.
  • Finally, ideological blind spots can hide major sources of risk. Environmental sustainability is a prime example of such a mental blind spot. For centuries our living environment (the Biosphere) has been treated by both theoretical (economic) and practical (business) thought as an external “asset” that is simply there for the exploitation by the most entrepreneurial spirit. We are discovering at an accelerated pace that this is not the case.

Bottom Line: Identifying risks suffers from blind spots, but blind spots are not all of the same nature. Some are easier to avoid than others.

3. Risk Mitigation may open the door to new risks

Effective management of a given risk (using some form of Risk Mitigation) can give rise to new risks in what might be thought of as the “curse of Sisyphus”.

Such phenomena are termed variably Residual Risks or Risk Compensation or emergent behavior such as Unintended Consequences.

The result is that the job of the Risk Manager is never really “done”. After the initial risk profile has been modified (by whatever risk management action has been applied), there is a new risk profile that is related but also distinctly different from the previous one, like a never-ending helix:

Risk Helix

There are several reasons underlying this never-ending Risk Helix:

  • The focus on specific risk metrics may help highlight and reduce a given quantum of risk - but the metric may eventually get manipulated (Goodhart’s Law). It may also lead to risk buildup of a different type.
  • Removing risk of one type may structurally generate another risk. For example, Risk Transfer using risk management instruments and contracts may generate a new dependency or a systemic risk link. This arises from the mitigation mechanism itself (for example risks cumulating to the implicit or explicit insurers of risk).
  • Risk compensation (adding more risk), because of the comfort and confidence that risks have been managed and are under control.

Bottom Line: It is the task of good risk managers not to rest on their proverbial laurels, and to be continuously on the lookout for a mutating and transforming risk landscape.

4. The Pareto principle (20/80 rule) applies to risk management

The Pareto principle states that, for many outcomes, roughly 80% of consequences come from 20% of causes. Other names for this principle are the 80/20 rule or, more formally, the principle of factor sparsity (the relatively small number of true factors).

The Pareto principle is of vital importance for the practicing risk manager. The manifestations are to be seen in many areas of Risk Management:

Unfortunately this parsimonious distribution of the “real causes” of risk events may be in conflict with the professional incentives of Risk Managers. Such incentives may entice risk managers to emphasize comprehensive analytical enumerations (beating around the bush) and/or the proliferation of checklists.

Bottom Line: Zeroing-in on the stuff that matters is the surest way for Risk Managers to gain credibility with the stakeholders of the risk management process (but it must be stressed that it is not always possible to isolate such 20/80 factors).

5. Risk Quantification has unavoidable pathologies

It is a typical expectation from stakeholders that Risk Managers will distill objective and relevant quantitative risk metrics to help support decision-making. Yet very few systems (typically only natural phenomena with little or no human interference) can be analysed with the rigor and longevity of method that is associated with physical laws.

In risk management applications risk models fail regularly, sometimes spectacularly so. Manifestations of failing risk quantification abound in practically all domains where risk models have been applied (See post for earlier commentary).

The propensity for eventual failure of risk quantification is formally denoted as Model Risk. It is something that can be reduced through the labours of systematic Model Validation but it cannot be eliminated.

The reasons for this pathology are manifold, but typically reduce to this: risk management being an intrinsically social enterprise means that it is subject to the complexity, subjectivity and volatility of all things related to human affairs. Similar to another regularly faltering field, the art and science of economic forecasting, risk management is subject to the sin of physics-envy: aspiring to a level of reliability that is simply not available.

Here is a well known example of design failure. The picture below illustrates so-called “Desire Paths” (ad-hoc footpaths carved by people in defiance of implemented paths). The architect has set the rules, limits and recommendations and assumes that people will stick to the formal paved paths. Yet the reality of collective decision-making creates its own alternative.

Desire Paths

Bottom Line: Risk Managers must be comfortable handling this precarious state of affairs. Quantitative approaches have a limited shelf-life and must be continuously updated to reflect evolving information about “the system”. As mentioned, structured approaches to limiting model risk (Model Validation) can help ensure that the tools are used within their “envelope of safe operation” and their irreducible weaknesses are explicitly acknowledged and managed.

6. Risk Accounting and how it is different from Financial Accounting

Since the Renaissance, financial accounting has been used widely by companies in their regular reporting. It focuses on capturing the state of the world as far as the organization is concerned, or at least the state of the world that certain stakeholders consider important.

Financial reporting creates a snapshot of the present state of financial and broader economic affairs of a given entity. This creates transparency and supports decision-making. In addition, over time, it becomes a history of snapshots, which can be analysed to provide further insights about the dynamics (evolution) of an entity.

Risk Management slices the world in a different way. It aims to support decision-making as well, but it is oriented towards analysing potential future outcomes.

The questions asked by risk management (and the decisions that hinge on these answers) are always in relation to possible future events. Typical questions are:

  • How likely is it that event Y or condition X will happen within Z years?
  • What will happen if we change variable X by a Y amount?
  • What is the worst that can happen to variable X if we do nothing for the next Y months?

The current and past historical record as captured by financial accounting is useful for risk management, but only to the degree that it provides us with data and insights about the nature of the system and its risks (and hence how it might evolve under different scenarios).

Financial accounting provides a standalone picture of the present without reference to what might happen in the future, but Risk Accounting aims to do the same while also including metrics that quantify the relative probabilities of future states. The tools for doing consistent, valid and useful Risk Accounting are preliminary (and even controversial).

How does risk accounting work? The algorithm can be stylized as follows:

  • Start with the basic picture of (non-risk adjusted) facts, aka, standard accounting
  • Derive subjective (individual) or consensus/market based risk assessments (such as risk ratings or risk premia). These data points express the future likelihoods of various scenarios.
  • Average (derive the expected outcome) over “all possible scenarios” (this set is obviously just an assumption)
  • Adjust reported accounting metrics to reflect these expectations

A major and instructive example is the risk based accounting of credit risk (namely accounting for the risk that economic agents will not fulfil legal obligations of a financial nature):
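The four steps above, applied to a small loan book, as an added example that is not part of the original post. The `Loan` type, the rating scale, the loss rates and the scenario weights are all constructed for illustration and do not reproduce any accounting standard's calculation; the last helper shows how much the result depends on the assumed scenario set.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Loan:
    name: str
    book_value: float  # step 1: the plain (non-risk-adjusted) accounting figure
    rating: str        # step 2: a risk assessment on a hypothetical A/B/C scale

# Constructed sample data, not taken from any real entity.
LOANS = [Loan("loan-1", 1_000_000, "A"),
         Loan("loan-2", 500_000, "B"),
         Loan("loan-3", 250_000, "C")]

# Step 2 (assumed numbers): fraction of book value lost, per rating and scenario.
LOSS_RATE = {
    "baseline": {"A": 0.001, "B": 0.01, "C": 0.05},
    "downturn": {"A": 0.005, "B": 0.04, "C": 0.20},
    "severe":   {"A": 0.02,  "B": 0.10, "C": 0.40},
}
# Assumed likelihoods of the scenarios; the scenario set itself is an assumption.
WEIGHTS = {"baseline": 0.70, "downturn": 0.25, "severe": 0.05}

def scenario_losses(loans, loss_rate):
    """Loss on the whole book under each scenario, taken one at a time."""
    return {s: sum(l.book_value * rates[l.rating] for l in loans)
            for s, rates in loss_rate.items()}

def risk_adjust(loans, loss_rate, weights):
    """Steps 3 and 4: average over the scenarios, then adjust the book value."""
    if set(weights) != set(loss_rate):
        raise ValueError("weights and loss rates must cover the same scenarios")
    if min(weights.values()) < 0 or not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("scenario weights must be non-negative and sum to 1")
    losses = scenario_losses(loans, loss_rate)
    expected = sum(weights[s] * losses[s] for s in weights)
    book = sum(l.book_value for l in loans)
    return {"book_value": book,
            "expected_loss": expected,
            "adjusted_value": book - expected,
            # The average hides the tail, so report the worst scenario as well.
            "worst_scenario_loss": max(losses.values())}

def drop_scenario(loss_rate, weights, name):
    """Remove one scenario and renormalise the remaining weights."""
    kept = {s: w for s, w in weights.items() if s != name}
    total = sum(kept.values())
    return ({s: loss_rate[s] for s in kept},
            {s: w / total for s, w in kept.items()})

if __name__ == "__main__":
    full = risk_adjust(LOANS, LOSS_RATE, WEIGHTS)
    rates2, weights2 = drop_scenario(LOSS_RATE, WEIGHTS, "severe")
    narrow = risk_adjust(LOANS, rates2, weights2)
    print("all scenarios  :", full)
    print("without severe :", narrow)
```
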

The worlds of risk management and accounting come together when one attempts to account for the present state of entities such as banks and insurers (under standards such as IFRS 9). These entities pursue risk taking as an essential element of their business model. Ignoring such risks when reporting their financial state is less than full transparency.

When considering the broader challenge of Sustainability Accounting we are still in a pre-embryonic stage: financial reporting hardly addresses the externalities of economic activity in conventional accounting at all, hence it is quite premature to think about integrating and reporting sustainability risks on an expectation basis.

Bottom Line: Compiling and reporting an accurate risk profile of an entity requires moving beyond conventional accounting and developing fully integrated risk accounting methods. Yet that process is largely incomplete.

7. Risk Technology is essential for managing Risk in a complex world

The previous points suggest already that risk management is an information hungry (data intensive) pursuit. The past, present and likely future of potentially complex systems must be captured, represented and made amenable to analysis and what-if scenario questions in reliable, transparent and reproducible ways.

This process is a challenging task that increasingly employs digital technologies in significant ways. Given the quantification risks we discussed already, is such a RiskTech (technosolutionist!) dimension at all necessary? Could the 20/80 principle we discussed already help us avoid ineffective and even misleading “sophistication” that simply generates new risks?

The answer is firmly, No. The necessity of effective risk information systems follows from simple considerations and drivers that we cannot simply wish away:

  • The sheer size of human societies and economies (billions of individuals) and organizational structures.
  • The uncountably large number of material and conceptual artifacts that are involved in daily life (extraction, production, transport, trading) and the corresponding diverse contexts that create “risk-prone” situations.
  • The combinatorial nature of human affairs which drives dimensional explosions when many of the underlying factors combine in long causal chains, supply chains, dependencies etc.

Risk Technology is thus information technology that aims to create a “digital crutch” to help us cope with economic and social complexity. Its mission is to shape suitable tools to support the challenging task of capturing and delivering the information assets that can enable the risk management function.

RiskTech is not a final solution for any risk management challenges. It addresses most effectively some aspects of the known-unknown type of risk (those that involve large amounts of data) by providing information processing tools (data, algorithms, visualization and representation tools) to enable risk analysis, risk accounting and thus (ultimately) informed risk management.

Bottom Line: The limitations of RiskTech do not imply that it is a technique that is only useful when the risk landscape is trivial. It does mean that it must integrate with human intelligence in structured and transparent ways.

8. Risk Management is a young discipline with fragmented scholarship

Risk Management does not really exist as an established academic knowledge domain or even as an established profession in its own right. It is always practiced within a sand-boxed and specific sectoral context (e.g. financial risk management) and in many sectors may not even be labelled as such.

This fragmented landscape includes a few relatively more developed areas (such as financial risk management and insurance risk). The fairly developed areas concern specific risk types that are managed professionally by financial intermediaries, typically in a corporate for-profit context.

Analysing and underwriting well-defined types of risk is thus a core part of the business model of these sectors. Yet the principles, tools and methodologies of risk management are applicable to practically any and all facets of human life. Other sectors grapple with many of the same problems. Much of the quantitative basis of risk analysis is based on statistics and is actually common across fields. For example the medical sector has been historically leading the development of statistical techniques without ever naming them “risk management” tools.

There is a danger of imperial overreach when attempting to uniformly apply an abstract conceptual risk management framework to specific domains. The devil is indeed always in the details. But it is also sub-optimal to not connect the dots across different domains, if nothing else, because the nature of the risk we are increasingly facing is deeply interconnected.

Bottom Line: Connecting the dots (also known as Holistic risk management) is required by the mounting challenges facing modern societies. Transitioning towards sustainability requires expanding and connecting concepts of risks across a much wider array of domains than what we have been accustomed to do so far.

9. Risk Management is about the Future and its future is wide Open

We saw that Risk Management is a complex, still evolving, forward-looking, future oriented activity. It is an information hungry undertaking. While flawed and incomplete, it is constantly tasked by different stakeholders in society with constructing plausible scenarios, giving reliable shape to the untold multitudes of possible evolutionary paths, in order to produce a manageable cone of uncertainty.

The main deliverable is to help us steer within the range of safe possibilities, starting from top-level Planetary Boundaries down to each and every individual. To help identify future directions that better serve us as individuals or in collective undertakings.

Bottom Line: The exercise of building fact-based models of the future has a bright and open future. An open source and open data future!