J.P. Morgan's recent trading loss highlights the need for an effective risk management function at banks and investment managers of all sizes, and from both sides of the buy/sell equation. To date, much of the response to this huge loss has been intensified debate about increased regulation and elimination of various types of “high-risk” securities.
While these responses might be necessary in some fashion, a more direct means of limiting much of the high-risk activity taken on by many is a robust risk management function.
Of course, many financial services providers have a risk management function. But it is confounding to consider just how many don't have a risk function of any kind or how often those that do witness a previously unanticipated — even unimaginable — level of risk, such as that which resulted in J.P. Morgan's $2 billion trading loss. The current examination of factors — including prior misestimation of risk — contributing to the trading loss demonstrates that not all companies approach risk management either effectively or with sufficient oversight to ensure that best practices are employed consistently across the investment operation. All of this suggests that we could all benefit from a risk management best practices refresher.
There are four essential characteristics of an effective risk management function.
The first is independence. The risk manager and risk management function must be independent of the investment and sales functions. This helps ensure that the focus of the risk function is solely on investment risk. This is critical as the risk function is not a profit center, but one that should properly be viewed as purchasing an option to mitigate large, downside risks. To ensure this independence, the chief risk officer should report directly to the CEO and board of directors. The objective function of the CRO is to manage, control and limit downside tail risk.
The second is override authority. In order for the risk function to effectively mitigate risk it must have the authority to direct changes in risk profiles. Without that authority, the risk function is toothless, a provider of models and insights that other functions can use or ignore at their discretion. A recent example is MF Global. Press reports indicate the “independent” risk function alerted the board of directors and CEO to very large and concentrated levels of risk. Yet the CRO appears not to have had the authority to direct risk reduction. Nor is it clear that limits — requiring action if breached — were set in advance. In this case, the risk function might well have recognized and alerted senior personnel to the extreme risks being taken, but simply lacked the authority (or credibility) to do anything about it. The results speak for themselves.
Risk measurement and stress testing are the third leg of a robust risk process. There are a multitude of models available that enable risk managers to attempt to quantify risk, the most popular being value at risk. As all risk models are imperfect, it is critical that the risk manager also incorporate stress testing, which can help quantify the impact when certain model parameters are assumed to be in error. Rather than relying on a single set of outputs, employing a variety of models and stress tests enables the CRO to examine a variety of possible outcomes and thereby avoid overreliance on a bad model or misestimate. The VaR estimated at J.P. Morgan's chief investment office nearly tripled when J.P. Morgan “switched” to the “old” VaR model from the “new” one. Risk estimates from one model to another should not make huge leaps and, when they do, should serve as a large red flag that something is not right.
Having built and used such models for a number of years, I find the enormous jump in risk estimates experienced by J.P. Morgan frightening, as I am sure Jamie Dimon does. One of the worst types of risk is the one that is unanticipated by the risk process. I doubt J.P. Morgan's risk team expected that a loss of this magnitude was likely using the “new” model in isolation. For this reason, it is absolutely critical that the risk process involve multiple models and stress testing to help ensure that such large risks are not being taken unknowingly.
The fourth and often most critical piece of a well-functioning risk process is establishing limits and sticking with them during a crisis. Even if the above three elements are in place, things can melt down quickly if, when confronted with a risk event, the risk management function is indecisive or unclear about required actions. The point of risk management is to set limits and plans of action for when those limits are breached. It is important to understand that breaching limits is not a bad thing in and of itself, as taking risk and being compensated for it is at the heart of managing investments of all types. A simple analogy is a fire drill where one plans an escape route in advance of the fire. Having a well thought out and rehearsed plan is critical to saving as many lives as possible. If a fire erupts in the absence of a plan, chaos ensues and any reactively made decisions will surely be impaired. This fire-in-a-theater scenario is quite similar to what hit the U.S. financial system during the Great Recession. That firms managed through that fire with varying degrees of success was often determined by how well they had decided to manage risks before a crisis hit.
Having all four of these elements in place is essential for a risk management function to effectively estimate and mitigate risk. Missing any one is like having a table with only three legs: It might look like a table, but it won't be secure for use and, when loaded, the results can be disastrous. n
John Sprow is chief risk officer and credit committee chairman at Smith Breeden Associates Inc., in Boulder.
