Risk Management, PRMIA

I was emphatically not suggesting in the previous entry that risk technology could have saved business managers from their own actions. At the end of the day the managers of large financial organizations are responsible for it's management, and all such failures are ultimately the failure to manage (did I mention that management was important?). I also believe that in the recent past financial organizations have grown overly enamored with technology - when technology is taken in its wider sense to mean financial modeling, automated valuation models (see Appraising Zillow for an example) etc. Organizational culture matters. Risk can be truly contained only when a Managing Director who pulls in a several hundred million dollars in profits is put on a level playing field with a risk manager when it comes to reviewing the risk on a deal and making a go-no go decision.

That being said, I am convinced that technology can lead to better management - or at least can help the board and management avoid egregious errors. Consider for example an investment bank where the star player has figured out a way to supposedly print money. Over a period of months the profits flow in in ever-increasing amounts. Everybody's happy, especially the star player who sees a fat bonus check coming in at the end of the year. Trouble is, the more the Chief Risk Officer studies his strategy, the more worried he becomes about the potential for huge tail risk. How does the CRO convince the CEO of his concerns without appearing to be a party-pooper?

The answer is information. The better armed the CRO is the more effective he will be. Let's imagine the first meeting where the CRO, the CEO and the trading head are meeting to discuss these positions. The CRO presents his analysis, which the trading head loudly and vehemently protests with arguments to the contrary (say by suggesting that the correlation assumptions were too conservative). If all the CRO had was this one argument she would lose. But assume that the CRO had the technology to go back and immediately re-do the analysis taking into account the argument about correlation assumptions, by analyzing similar markets in stressed times and showing that these correlations were in fact higher than normal - proving in effect that the analysis was reasonable. After a few bouts of this action, armed with increasingly strong evidence, it's easy to see how the CRO could come out on top of this discussion.

At the end of the day risk management is all about being armed with the best information. Since risk management by definition deals with events that have not yet occurred rarely will a single piece of information be sufficient to win an argument. While strong risk policies and procedures can be mandated by the board and senior management, cultural change can come only by this sort of regular hand-to-hand combat. This is especially true in the extreme dynamism of today's markets. In such a situation analytical flexibility becomes critical.

IT systems and development methodologies are usually not setup to achieve such a result. A usual system development life-cycle goes something like this:

* Get the requirements
* Build to these specs
* Test against them
* Deliver to a presumably happy customer.

Changes during the project are considered impolite and usually controlled in a strict fashion under a "change control" methodology. In the risk technology space, it would seem increasingly that this paradigm will need to be turned on its head - deliver something quickly to an audience you know will not be thrilled with the result, and be ready to quickly respond to criticism - knowing full well that the changes will never stop coming. Since most risk tech shops and software are not well-positioned to do this, look out for big changes.