The Devolution of Risk Management
We find ourselves in an environment where risk management has been hopelessly confused with compliance. Compliance or regulation is necessarily historically based; it addresses the sins of the past and is not designed to anticipate the future. That is what the management of risk is supposed to be about. Clearly, given the continuing collapse of the financial system, risk management functions throughout the world have failed. How did we get here? We narrowed the definition of risk and created staggering complexity at the same time.
One of the key elements in the devolution of risk management in the United States was the passage of FDICIA (Federal Deposit Insurance Improvement Act) in 1991. It had unintended consequences. In response to the savings and loan scandal, this act resulted in a fundamental shift in the structure of regulation in the financial services industry. In the past, regulators would announce their arrival, examine various parts of the operational and financial aspects of a bank’s organization and issue a report. The savings and loan scandal demonstrated the futility of that process. In passing FDICIA the regulators essentially conceded that there were more ways to fiddle the system than they could police so they transferred the process of regulation to the banks themselves. The act basically states that financial institutions accepting deposits had to review their processes on a regular basis and disclose any “material weakness” to the FDIC.
CEOs and CFOs had to sign off on these reports and there were criminal penalties associated with knowingly deceiving the regulators. That was supposed to put some teeth into the legislation although prosecutions under the statute are negligible. The unintended consequence was that risk management organizations expanded to take on what is a compliance function. No one asked then and seemingly, no one has asked since, how obeying the law is an exercise in the management of risk.
The passage of Sarbanes-Oxley codified the regulatory reliance on self-assessment for all publicly held companies; essentially we now have FDICIA for everyone. Once again, risk management organizations embraced this new function and for several years there was a boom in SOX consulting. Unless something changes we are likely in for another round of regulation and legislation that will again expand the number of risk managers dedicated to compliance functions.
The problem is not regulation; certainly the unregulated derivatives markets have demonstrated the crying need to establish some level of order and trust. The problem is not the self-assessment and reporting that are central to these two pieces of legislation; those efforts are a necessary part of maintaining the minimum standards that we require of companies to play in the market. The problem is that we have actually not expanded the scope of the management of risk. Indeed, we have actually narrowed it to the point where we are all dancing on the head of a pin.
Ask yourself how often you think about the content of your insurance policy when you get in your car and turn the key in the ignition? How often do you review all the laws relating to your responsibilities and liabilities as the owner and operator of a motor vehicle before you pull out of the driveway? What you think about is where you want to go. You’ve taken the necessary legal precautions required of you before you set off on your journey. What you think about are the options you have, what routes you could take and how one might be better than the other depending on the time of day and the weather. You marshal those resources and you manage their associated risks and seek your destination.
Human beings have managed risk since the beginning of time. No doubt experience has been a factor in modifying behavior and strategy but it has been the taking of risk that has led to success. It is the taking of risk that needs management in our complex interconnected world. It is the taking of risk that cries out for the convergence of perception of those risks in the context of what an organization wants to achieve.
Compliance is a very important function in any business or governmental organization. Obeying the law is central to any civil society and economic system. It’s just not the province of risk management.
Great Post Bill
I appreciate your well reasoned analysis.
So who do we get to see that these folks comply?
Who do we get to see that those folks get those other folks to comply?
What if any consequences do all these folks involved in all this compliance
suffer if they fail?
I don’t really see a lot of people complying, and I don’t see a lot of oversight,
and most importantly I don’t see anyone suffering any consequences,
except for people who risked their entire life savings in a giant Ponzi scheme.
You see Bill I agree that we need people to obey the law for a civil society.
If I were to steal a loaf of bread I would go to jail. If I were to defraud people out
of billions of dollars I would get house arrest. We seem to have a lot of enforcement of laws
with minimal impact on society and almost none for laws which could lead to the meltdown of the entire U.S.
economy. Please explain why Chris Cox when asked if he needed more resources to ensure
compliance he declined.
The simple answer for me is that it is not possible to legislate ethical behavior. We seem to have a big problem understanding this and it is probably why we have more people in jail than any other country in the world.
I think what the Crash Course brings home to me is that we have a system that requires unethical behavior – not just at the margins but at the core. It’s important to understand that a debt based growth system drives the kind of behavior that we see in the derivatives markets. Sarbanes-Oxley requires companies to have transparency in their financial systems and the SEC has oversight of the capital markets. As a result, unregulated markets were created (derivatives) that dwarf the equities and fixed income markets. While I have no problem with the prosecution of the Madoffs of the world, at the end of the day putting him in jail doesn’t solve the problem.
The escalating debt is the issue. It drives behavior and we could triple the size of the SEC and every other regulatory agency and we would only drive more sophisticated financial products into existence. I really don’t know the way out of this – I think that is what is going to be very interesting about the next 20 years. I do know, however, that regulation is necessarily backward looking (we seek to ensure that problems that have already occurred don’t occur in the future) and is not designed to manage the risks in the future. In order to do that we have to actively decide what kind of culture we want to live in – I don’t see any way around that.
The simple answer for me is that it is not possible to legislate ethical behavior.
In order to do that we have to actively decide what kind of culture we want to live in – I don’t see any way around that.
Our laws need to be consistent toward bringing out the best, not worst in individuals and society. Besides transparency and accountability…crucial to involve and empower as many people toward 2 things: 1.) Decision making; 2.) Strengthen Human Values.
Can one visualize this subject Chris has elegantly framed, is a symptom of a far greater problem? In other words, we’ve been making wrong decisions for a long time for us to have gotten to here. Please think about this.
I take it then that no amount of punishment will deter unethical behavior among white collar criminals.
I work in the medical development industry.
When a company brings an FDA approved product to market, they have to anticipate that at some unknown time down the road the FDA will suddenly appear (without advance notice) at their doorstep. If they have all their ducks in a row and pass the surprise inspection, all is good. If they don’t, they could be shut down immediately if the faults are egregious enough. This tends to ensure that medical companies follow the rules more often than not. Those who don’t will quickly find themselves out of business.
Based on this, I have two suggestions:
1. Beef up the enforcement arm of the SEC with no-nonsense, ethical staff (Eliot Ness where are you?).
2. Begin surprise visits to financial companies and demand to see their books. If they are above board and complying with all the rules, all is well. If not, the offending company should be immediately prohibited from operating and all of their clients should be reimbursed to the extent possible.
A criminal investigation should then immediately begin with the goal of ensuring the "perps" spend a sufficient amount of time in jail to discourage any such activity in the future. This would also send a very clear warning signal to others who were doing the same thing or thinking of doing so.
Mind you, we need investigators who don’t coddle the company being investigated as they did with Madoff. If we can’t get that to happen, then items 1 and 2 become pointless and we might as well all go live with Matrix!
I think the point that I am trying to make is that the fundamentals of the system make enforcement nearly impossible. In the old days when there was a new regulatory requirement, banks and other financial institutions would move the goal posts a little. Over the past two decades they have left the stadium and built an unregulated theme park. The guys (and it is mostly guys) who run and work in the theme park are the best and brightest in the industry – they left the stock exchanges a long time ago. So even if we doubled the number of regulators it is unlikely that they would "catch" enough of the offenders to make a dent.
And by the way, the offenders are doing what we ask them to do – until the bubble bursts and then we get upset about what we chose not to pay attention to.
Bottom line, I don’t think regulation is the answer to fixing the problem. The problem is systemic. Until we deal with a system that requires bubbles to generate money to pay interest at the compounding rate that the Crash Course describes we will never regulate ourselves into a sustainable and ethical economic system.
So, I think we are still dealing with symptoms and not root causes.
I think that many of those highly complex high risk modern financial instruments should never have become legal. They are the economical equivalent to allowing companies and individuals to own nukes. Inevitably, once in a while some of those economical nukes will explode.