The recent disclosure of a multi-billion dollar trading loss at JPMorgan Chase reminds us again of the challenge and complexity of risk management, the subject of our June 2012 HBR article, "Managing Risks: A New Framework." Many people, including quite a few U.S. legislators and regulators, believe that risks can be managed by establishing and following rules, standards and guidelines. But for certain categories of risk, this is a false and dangerous assumption.
Our article classifies risks based on their degree of controllability and their connection to the strategy. We identify and describe three categories of risk: preventable risks, strategy risks, and external (non-preventable) risks. Each requires customized risk management processes.
A rules and compliance-based approach may work well for managing preventable risks, but is inadequate for strategy and external risks as companies that failed during the financial crisis illustrated all too well. The compliance-oriented risk manager of a failed U.K. bank observed that his organization had "a cultural indisposition to challenge" and that the task of "being a risk and compliance manager...felt a bit like being a man in a rowing boat trying to slow down an oil tanker."
We have learned, time and again, that rules don't overcome the various individual and organizational biases that prevent people from imagining and discussing the things that can go wrong with complex strategies. Processes that foster open and challenging debates can, however, overcome these biases, which is why highly interactive risk management processes need to remain central for any company's risk management function. But can effective risk management be sustained?
During the global financial crisis, while several investment banks failed, JP Morgan was using a very different approach to risk management. First, CEO Jamie Dimon was widely acknowledged as the "ultimate chief risk officer of the bank." Second, the formal head of the risk management function reported directly to Mr. Dimon and was part of the executive team with continual access to the company's board of directors.
Apart from these well-reported facts, having studied the risk management processes in JP Morgan Private Bank during the 2008-2009 financial crisis (Mikes, Rose, and Sesia, 2010, HBS Case 311-003), we were struck by a pioneering approach: in addition to independent risk managers, the private banking unit also deployed a group of local, "embedded" risk managers who were sufficiently savvy, informed and empowered about the complexity of risks being assumed that they could be active risk advisers to the investment managers.
We do not know to what extent this approach was replicated within the bank and cannot, therefore, say whether it was applied in the CIO unit that incurred the recent trading losses. But according to Dina Dublon, former CFO at JPMorgan Chase and currently HBS professor of management practice, the empowerment and deployment of embedded risk managers was part of formal risk management at the bank well before the financial crisis.
This raises the question: was JP Morgan's multi-billion dollar trading loss a failure of risk management as a staff function, or was it a failure that goes beyond the realm of what we can expect risk officers to do?
Mr. Dimon attributes the loss to a "bad strategy, executed poorly" as well as "many errors, sloppiness and bad judgment." A number of executives in the Chief Investment Office (CIO), where the loss was incurred, left the bank soon after the loss had been revealed. But none of these was a high-profile risk officer. By all evidence, the bank has not blamed the risk management function for the loss.
In fact, last week a group of risk managers (described by Dimon as "some of our best people") was parachuted into the CIO unit to investigate and "fix" the problems. Former JP Morgan executive Dina Dublon commented to us "he [Dimon] would hang the manager of the business, as the one with the ultimate responsibility for taking and managing risks, before touching a functional risk manager. Risk management cannot be a fully-delegated responsibility."
Yet the press was quick to declare JP Morgan's loss as a spectacular failure of risk management. But was it? Certainly, not all losses are failures of risk management ? unless we expect to take no risk at all. Finance professor Rene Stulz, for example, has made the point that a large loss in itself is not evidence of a risk management failure, because a large loss can happen even if risk management is flawless (Six Ways Companies Mismanage Risk, HBR, March 2009).
He outlines six types of risk-management failure: the mis-measurement of known risks; ignoring known risks; miscommunicating risks; failure in monitoring risks; devising the wrong response to risk; and measuring risk with the wrong metrics. We can think of this catalog of failure types as the preventable risks of risk management itself. This can help us understand if JP Morgan's "egregious" trading loss was the consequence of a combination of detectable problems ? or whether it occurred despite a fairly rigorous process of risk management.
What is at stake is not only what expectations we have on risk management as a management discipline, but ultimately, whether we believe that good risk management practices are sustainable. Success breeds complacency ? and it is possible that firms that believe they have a good handle on their risks may start losing their grip as they become confident, or even, overconfident, about their risk management. Good risk management should take into account the risks of risk management, too.
Can we continue to rely on firms to manage such risks by themselves? Understandably, the current media coverage is teeming with highly politicized arguments suggesting that politicians, regulators and commentators do not trust banks to be able to do so. But we must ask ourselves, what kind of regulators (regulations) would have caught (prevented) the increasing risk exposure at JP Morgan's Chief Investment Office? What would be the costs of such regulations?
Whatever the technical arguments will be, as accounting professor Michael Power warns us, the forthcoming debates cannot be abstracted from social questions of the credibility and legitimacy of experts (risk experts, regulators and so on): the "how" of risk management remains inextricably linked to the status of "who" does it.
In our article, we express our belief that risk management (with all its risks) is a viable, valuable, and learnable practice for organizations ? but it works only if it is tailored to the context in which it is deployed and is not taken for granted. It has to remain an intrusive, non-intuitive process, because it often goes against people's deeply-held beliefs, including the desire to demonstrate high profits and returns from their actions. Effective risk management is also costly, because it has to be separate from existing strategy-oriented functions. As Gentry Lee, chief systems engineer at NASA's Jet Propulsion Laboratory, describes it: "Risk mitigation is painful; not a natural event for humans to perform."
In all this, let's not lose sight of the purpose of risk management, which is to limit the downside exposure from the optimism inherent when traders, project managers and executives expect high returns from risky strategies, whether making markets in new financial securities, sending missions into space, or drilling for oil and gas three miles below the surface of the Gulf of Mexico. But limiting the downside does not mean inhibiting risk-taking. Quite the opposite; it should actually enable organizations to engage in daring, innovative strategies that promise high expected returns.
shipwreck jose aldo vs chad mendes lana del rey john 3 16 alex smith 49ers miss america 2012 hgtv dream home
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.