Exchange Ideas

The interactions between risk management and technology

Focus both on technology developments that can help improve risk management, but also on other aspects such as operational and potentially strategic risks caused by advances in technology

 

October 01, 2009

Lessons from the Current Crisis

Last week I attended a PRMIA lecture series where we were treated to a fascinating presentation by David Rowe, EVP for Risk Management at Sungard. Entitled "Lessons for Financial Risk Management from the Current Crisis",  he presented 5 crucial lessons that we must learn from the debacle of the past few years. Concise and well-presented, the presentation and subsequent panel discussion got me thinking about the technology implications of these lessons.

The 5 points Dave made were:

  1. Statistical Entropy: Taking a cue from thermodynamics, data cannot be created, only used. In other words, trying to generate risk metrics from data that does not exist is monumental folly comparable to medieval alchemists trying to turn lead into gold.

  2. Structural Imagination: This can be pithily summarized as "thinking outside the box". Use imagination to look for predictors that are not being scrutinized.

  3. Self-Referential Feedback: In engineering terms, this points to the dangers of positive feedback loops. Both up- and down-moves can be highly exacerbated by such effects leading to larger than anticipated risk.

  4. Complexity and Dark Risk: Beware of complexity in products and market structure for its own sake. The more complex a situation, the more reason to mistrust risk numbers that purport to inform on it.

  5. Alternate Means of Valuation: Simply put, every model must have a Plan B.
The point about statistical entropy seems obvious, but is my pet candidate for the single biggest contributor to crisis. When one considers that the whole market in higher-order structured mortgage securities (such as CDOs) only came into being during past decade's unabated bull market, it should have been obvious that their ratings were promising more than they could deliver. There simply was not enough historical data to properly calculate their risk under truly adverse conditions. Market practitioners, on the other hand, cheerfully went about ignoring this basic law and creating models that were mostly based on a wing and a prayer.

What also caught the attention of the physics student in me was the economic equivalent of the laws of thermodynamics - not only is risk modeling at best a zero-sum game when it comes to data, but you can't even expect to break even. There is always some residual chaos in data. Therefore it pays off to reduce this data and technology entropy as much as possible since that's all we have.

I have alluded to the needs for technology to support structural imagination in a previous posting. Most data and business intelligence infrastructure environments are currently too fragile or inflexible to support this sort of blue-sky thinking. Make it difficult to think outside-the-box and organizational inertia will ensure that structural imagination is simply banished from the corporate firmament.

The point about complexity has gotten me thinking quite a bit about how to measure it. There has been some research in the space of software architecture to this effect - is it possible to adapt some of this research to come up with a "complexity index" for products or market structure? if we could come up with a measure, presumably we could require that ratings (both internal to a firm and those generated by ratings agencies) come with the complexity index attached which can tell the user how much to rely on a risk rating. Look for more on this subject - seems like a fruitful area of thought.

The last point on alternative means of valuation is perhaps the simplest, and in my mind, the most unforgivable. There in fact is a simple alternative means of valuing complex mortgage securities. If all the mortgages that belonged to a security were precisely known (along with their weights, and the terms and conditions of the security itself) it would be a relatively simple issue to create a model that could calculate the value of the security under different conditions of mortgage default and recovery rates. That this currently seems impossible is a telling commentary on the irresponsibility of the markets - critical issues of data integrity and sharing was not given adequate attention. At the end of the day it's simply the case of paying attention to proper management of reference data and metadata. Seems to me that no matter how difficult the data management problem is, it could have been solved for the hundreds of billions that have been written down in this debacle. For further detail on this subject - see Charles Smithson's many articles.

The more I study the subject and talk to leading thinkers on the matter, the more I'm convinced that giving technology the short-shrift has been one of the biggest contributors to our current sorry state. Yet I see only hesitant steps being taken in the large Financial Institutions which would be the biggest beneficiaries. Hard to pinpoint the reasons, but you can be sure this question will occupy my musings in posts to come.

Agree with my sentiments? Disagree? Any and all comments and criticisms welcomed.

"“It is better to debate a question without settling it than to settle a question without debating it.” - Joseph Joubert

Posted by dkrishna at 12:13 PM | Comments (1)

September 09, 2009

Splendid Solitudes

It's been a while since I wrote a post on the blog - an omission that's as inexplicable as it is unforgivable. It will be my endeavor going forward to avoid  long absences.

I was thinking the other day about the evolving nature of risk management sophistication and it's impact on system architecture. It is now conventional wisdom (driven by the events of the past couple of years) that simply looking at traditional measures of risk (such as Var) is highly inadequate. I refer here not to esoteric arguments about the inadequacies of specific models. Rather, it's becoming clear to me that at some macro level all these risk measures depended in a subtle way on the argument that the proverbial Black Swan (i.e. an extremely rare but not impossible, and cataclysmic, event) did not exist. To put it more precisely, there was a vague acknowledgment that one should be watching out for a black swan, but since we did not really believed that it existed, we need to only apply some crude multiplier factor to gross calculations as a "comfort factor" that we'd addressed the occurrence of an exceedingly rare but disastrous event. In other words, most people did not take the probability of stress events occurring very seriously. And if they did, it was certainly not reflected in the risk systems of most organizations. How this happened, and the human dynamics that made this all possible will be left for others to ponder.

A lot has changed in the past two years. The world has seen what stress events can do to hitherto fine, upstanding companies like Bear Stearns, Lehman, AIG et al (to take only the US example). Stress tests are all the rage, whether mandated by the government or by newly energized corporate governance advocates, board members and senior management of financial corporations. At the same time, financial companies also seem to be getting "risk-aware" in their day-to-day business. There is increased interest in ensuring that risk-based pricing be done right. Of course, the flip side of this coin - ensuring that employee compensation is properly risk-adjusted - has generated a lot of interest as well.

What does all this have to do with technology? A lot, as it turns out. Let's take a look at the sample loss-distribution below.

Loss_Distribution.bmp

We see three distinct areas: risks that are covered by pricing, those that are addressed by capital and those risks (that are above some predetermined level of probability - in the example 99%) that are quantified by stress scenarios. It's an interesting exercise to map these to risk systems commonly found in banks. The left-most risks are usually embedded into pricing mechanisms. The integration of these mechanisms into systems depends on the products that are being priced. Large corporate loans credit pricing systems take expected risks as direct inputs into the pricing algorithm for each customer, while for mass retail products (such as credit cards) such risks are priced into the product via behavioral scores. An element of capital is often embedded into the pricing as well - the popular RAROC hurdle rate measure is an example of such a mechanism. Of course such capital must take into account all risks associated with the products - not only the obvious credit risks but also operational risks such as fraud.

What's interesting is the assumption that the risks on the right-hand side - those covered by capital and the extreme risks (that should also be covered) are assumed to be priced in as well. Those products that are covered by a measure such as RAROC have at least considered the possibility of prices being adjusted for capital consumption. But even for these products the question is - have extreme risks been truly factored in? In other words, is the capital attributed to the deal a true reflection of the capital required to secure the deal? In the past FIs (and regulators) made vague assumptions that these outsized risks could be addressed via a multiplier on the calculated capital. This assumption has now been proven a fallacy, so more needs to be done to actually quantify the risks.

The systems implications of these changes are interesting. Every self-respecting bank attempts to do a reasonable job calculating capital of the existing portfolio of the firm (though far too many, it seems, take undefensible shortcuts). In the case of pricing there are two additional challenges however. First, firm-capital must be parsed into the capital for a specific deal and customer. This is itself a non-trivial task given the sorry state of customer files, reference data on hierarchies, inaccurate exposure information and unclear data semantics that one finds in most financial firms. But pricing needs to take it one step further and analyze what the capital would be for the deal if it were added to the portfolio. It's clear that the current crude averaging techniques will not pass muster in the future; capital calculation systems will need to be much more coupled with front-office pricing systems.

Stress testing (the right-most region in the image above) adds another wrinkle. New deals could cause increase in stress numbers either on an individual basis or more commonly by adding to the concentration of existing risks (such as geographical or asset-class concentration). The question for deals that generate high stress risks is a) should these deals be done at all? and b) if so, at what price? Considering that comprehensive stress testing is a only just a developing art, it's easy to see how there is a gap in integrating this discipline into deal-making systems. As stress systems develop into production-ready environments in their own right, one would hope that they provide the kind of software interfaces that would allow easy access to generated information.

To sum up, a good way to look at risk management systems in a financial institution is to consider a typical loss-distribution curve. The current landscape shows systems efforts in three distinct clusters, which are typically not designed to talk to each other. Going forward, it seems clear to me that a major challenge in risk system design will be to break down these solitudes to form one integrated platform.

Posted by dkrishna at 12:21 AM | Comments (3)

November 05, 2008

Can Business Intelligence handle the stress?

I recently read an interesting article that asked a provocative question? Could business intelligence (BI) have provided advance notice to the meltdown in the markets (read the article)? The article mostly references two specific technologies: Analytic Tools and so-called Complex Event Processing (CEP) technologies.

Analytics tools span a wide variety of technologies that allow users to examine huge quantities of data in a concise manner. There are increasingly sophisticated tools available nowadays to create dashboards that condense complex metrics into a view that one can read at a glance. The relevance to risk management is obvious - if the risk of an institution (or indeed, the economy) can be represented on a dashboard hotspots can quickly be identified (and presumably addressed).

Complex Event Processing (CEP) has recently been gaining popularity. CEP solutions are designed to capture and analyze data in real-time. For example, CEP may be employed on a funding desk to calculate intra-day liquidity and set off alerts when a threat to the funding situation was perceived.

The article also identifies a critical point underlying these capabilities - the analysis can only be as good as the data. The term "data integration" is used as a catchall phrase describing the ability to present a unified picture of a firm's risk exposures. When a firm wants to understand it's concentration to California mortages, it needs data integration. When it needs to understand it's outstanding exposures to Lehman Brothers the day after bankruptcy was declared, it needs data integration (mistakes can be costly as KFW found).

While the article does a good job tying BI to risk management, it doesn't go far enough in defining the subtleties of data integration in this crisis. One of the key learnings from the credit crisis is the need for an ability to create crisis scenarios and analyze the results. Scenario analysis depends on the ability to bring together data, impute realistic if extreme assumptions on the data and the analyze the results. The ability to perform effective scenario analysis (and it's close cousin - stress testing) is a fundamental capability that risk systems will need in the future.

On the face of it scenario analysis seems easy enough to do. Get the data together, make assumptions about where the factors will be when things go to hell and calculate the value of the portfolio. The devil, as they say, is in the details.

Recently I had a spirited converstation with a friend who ran BI for a large international bank that has had it's share of run-ins with the credit crisis. When we talked about stress-testing, he was vehement that the bank in fact had a robust stress testing regime but said that "it did not help". Why? Because the executives did not believe the stress scenarios. To understand why they did not believe, imagine being presented with a stress scenario where the ABX index was assumed to be 43, when in it's entire history it has only ever traded above 90. This scenario would suffer from, to put it mildly, a lack of credibility if the only frame of reference was the portfolio of CDOs themselves. In fact, out of embarrasment the risk manager would probably only build a "reasonable" stress scenario and write down the index to say 70. In fact, recent quotes for the ABX-HE-AAA 07-2 index (available at the Markit Partners web-site) show the index in the 40s.

Why the incredulity with what has, in fact, turned out to be realistic index values? Because there was no history of the index trading at the stressed levels, partly due to the youth of the index itself. On the other hand, what if the stress test was not done by imputing market prices on the higher degree structured products (such as CDOs and CDO-squareds) but on the underlying sub-prime mortgages? Imagine a system constructed with the portfolio of CDOs, the mortgage-backed securuities underlying them as well as the subprime mortgages underlying these securities. Further imagine that the system was constructed so that we could change the default rates of the mortgages, from which the prices of the MBS and CDOs would be automatically derived. Given enough evidence, a responsible stress test would in fact raise mortgage default rates to multiples of their historical values. The toxic concentration effects of these types of mortgages on the structured portfolio would have at least been recognized if not fully appreciated, giving both risk manaqers and business managers something to work with.

The central issue here is the ability to bring together diverse sets of data while preserving all the complexities involved - complex structured products such as CDOs, residential mortgage securities and underlying mortgages all need to be combined, taking into account the connections with one another. While data integration in a traditional sense is still relevant (e.g. bringing exposures together for reporting), in the case of complex structured products it needs to be taken to an entirely new and sophisticated level. For these products data integration necessitates data consolidation followed by painstakingly constructing all the relevant interconnections. Additionally these need to be maintained on an ongoing basis.

Data integration is being recognized as a key competency in the fight to gain a better understanding of the firm's risk - but it's not, as they say, "your father's data integration". Rather a whole new competency needs to be developed in all financial institutions. The good news is that I'm seeing some companies waking up to this need - let's hope for the sake of the industry that this is a trend that continues - in fact accelerates.

Posted by dkrishna at 01:48 PM | Comments (3)

September 20, 2008

What's tech got to do with it?

This has been an interesting week to say the least - two of the largest investment banks in the world felled by events by seemingly unforeseen circumstances, with a third being brought to the brink; the world's largest insurance company being felled with the same chilling efficiency by the markets. If you're like me, your head must be spinning with the questions.

Why did it happen? How did this come to pass? And most humanly - who was responsible? Predictably uninformed, political types jumped on the economy bandwagon calling for fixing the "greed" in the "casino on Wall Street".

In the midst of all this, a risk techie like myself was asking (with apologies to the fabulous Ms. Turner) - "what's tech got to do with it (if anything)?". Does risk technology matter? Did any deficiency in risk technology have a role to play in the current crisis? Could better technology have helped?

With all the talk of transparency, corporate governance and control, one could be forgiven for assuming that this was all the fault of a few men sitting in smoky, oak-paneled rooms cutting deals that left the rest of the economy in shambles. The uninformed might reasonably assume that if only the people in the places of power had demanded better control, or had been more ethical, or had put in place better governance policies, we would not be in this sorry shape.

My submission is that the reality could not be more different. There's no denying that these factors played an important role. However even the best intentions can have an effect only when they are implemented. This week's hand-wringing about the need for increased corporate transparency seems to suggest that the titans of the financial industry were actively trying to hide their financials. While doubtless there are (and will always be) a few bad apples, let's take an example:

- Merrill Lynch announced on Oct 5, 2007 that it would take write-downs of $4.5 billion due to mortgage exposures (I know - this seems like small potatoes now, but believe me, back in the old days this was a shocker).
- Barely three weeks later, Merrill announced that no, it was so sorry; the real number was $7.9 billion.

Ok, if we are now so numb to the size of these numbers, perhaps it'll help to talk in percentages - the new disclosures, coming just 3 weeks after the old one, was seventy-five percent higher (for full details, see Merrill's $3.4 billion balance sheet bomb). It seems hard to believe that it was in erstwhile CEO Stan O'Neill's best interest to shield the truth (a week later he paid the price by being forced to resign) or even less plausibly, that the mortgage market soured so badly in three weeks as to warrant such an increase in write-downs. It seems clear that he did not know the size of the disclosures. Making the logical assumption that everyone under the CEO had the same self-interest in ensuring full disclosure, the only logical conclusion is that no one knew the size of the exposures. Following this episode, many other storied financial institutions came out with their own write-downs in the same haphazard manner.

The real secret is that financial markets have become so complex and interconnected that it's impossible to perform "back-of-the-envelope" calculations of risk exposure. My conclusion is that not only is technology relevant to the present financial crisis - rather, better technology is essential to solving the problems facing the US and world economy today. Given the size, scope, interconnectedness and complexity involved, every aspect of risk management - measurement, monitoring, transparency and controls - depends on technology more than ever. In the near future it will even more critical that we not rely on a band-aid ridden risk infrastructure to drive the world-economy forward. Rather it's critical that adequate attention be paid to this important aspect of risk management.

Posted by dkrishna at 12:18 PM | Comments (1)