Monday, October 19, 2009

Black Swans in YOUR Future? Elfren Sicangco Cruz on Risk Management

By Elfren Sicangco Cruz

New world of risk management

In the new world of enterprise risk management (ERM), the term "Black Swans" refers to unlikely but potentially devastating risks that should merit, but often do not receive, board-level attention like the closure of Lehman Brothers, the AIG meltdown, and the Madoff-scale frauds.

It is true that low probability, high-impact events are almost impossible to predict. In fact, none of the forecasting models, think tanks, and business forums predicted the depth of the current financial meltdown in the West and the global economic recession.

However, this economic crisis has made it more important to reduce the impact on the business firm of threats we don’t understand. According to Taleb, Goldstein, and Spitznage in a recent Harvard Business Review article:
"Because of the Internet and globalization, the world has become a complex system, made up of a tangled web of relationships and other interdependent factors. Complexity not only increases the incidence of Black Swan events but also makes forecasting even ordinary events impossible. All we can predict is that companies that ignore Black Swan events will go under.

"Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand — not a futile attempt to develop sophisticated techniques and stories that perpetuate illusions of being able to understand and predict the social and economic environment."

Lapses in ERM have resulted in significant losses and even bankruptcies for companies in different industries and countries all over the world. Among them are toy factories in China, software companies in India, investment banks in the United States, and commercial banks in Finland and the UK.

For the still uninformed, the traditional definition of enterprise risk management, sometimes referred to as integrated risk management, is as follows: "A comprehensive and integrated framework for managing credit risk, market risk, operational risk, economic capital and risk transfers in order to maximize firm value."(Lam)
James Lam, in his book Enterprise Risk Management: From Incentives to Controls, published in 2003, five years before the ongoing global economic crisis, identified what he called seven "key lessons" for risk management:

Know your business.

Establish checks and balances.

Set limits and boundaries.

* Keep your eye on the cash.

Use the right yardstick.

Pay for the performance you want.

Balance the yin and yang.

In ERM, the hard side (yin) focuses on processes, systems, and reporting. The soft side (yang) focuses on the people, skills, culture, values, and incentives.

While risks come in all shapes and sizes, risk professionals generally recognize three major types. Operational risk is the risk that people, processes, or systems will fail or that an external event (e.g., earthquake, fire, floods) will negatively impact the company. Market risk is the risk that prices will move in a way that has negative consequences for a company. Credit risk is the risk that a customer, counterparty, or supplier will fail to meet its obligations.
Other types of risks have also been suggested. Business risk is the risk that future operating results may not meet its expectations. Organizational risk is the risk that arises from a badly designed organizational structure or lack of sufficient human resources. Also cultural risks and reputational risks are viewed either as part of operational risks or as separate forms of risks.

Now in the midst of the ongoing global crisis, Taleb, Goldstein, and Spitznagel have written what could be a new framework for risk management. The article’s title is "The Six Mistakes Executives Make in Risk Management." According to them these are:

1. We think we can manage risk by predicting extreme events. One, we have an abysmal record of predicting Black Swan events. Two, by focusing our attention on a few extreme scenarios, we neglect other possibilities. In the process we become more vulnerable.

2. We are convinced that studying the past will help us manage the risk. You often hear risk managers use the excuse "This is unprecedented." They assume that if they try hard enough, they can find precedents for anything and predict everything. But Black Swan events don’t have precedents. In addition, today’s world does not resemble the past.

3. Recommendations of the "don’t" kind are usually more robust than "dos." Positive advice is the province of the charlatan. The business sections in bookstores are full of "success stories." There are far fewer tomes about failure.
4. We assume that risk can be measured by standard deviation. Used extensively in finance as a measure of investment risk, standard deviation should not be used in risk management.... Anyone looking for a single number to represent risk is inviting disaster.
5. We don’t appreciate that what’s mathematically equivalent isn’t psychologically so. Providing a best-case scenario usually increases the appetite for risk. Always look for different ways in which risk can be presented to ensure that you aren’t being taken in by the framing of the math.
6. We are taught that efficiency and maximizing the shareholder value don’t tolerate redundancy. In companies, redundancy consists of apparent inefficiency: idle capacities, unused parts, and money that isn’t put to work. The opposite is leverage , which we are taught is good. It isn’t; debt makes companies — and the economic system — fragile. If you are highly leveraged, you could go under if your company misses a sales forecast, interest rates change or other risks crop up.

Time will tell whether there will indeed be a new ERM framework. In the meantime, for general managers and risk managers, welcome to the new world of risk management which is increasingly becoming dominated by Black Swans.

Elfren S. Cruz is a professor of Strategic Management at the Ramon V. del Rosario Sr. Graduate School of Business, College of Business & Economics, De La Salle University. E-mail comments to

1 comment:

Fay Feeney said...

Thank you for the great introduction to ERM also called Risk Intelligence and Strategic Risk.

The benefit of thinking about business risk is you can manage/mitigate/exploit those risks that impact your strategy.

Smart executives do this all the time. Now to bring process and expertise to it. Thanks for bring this subject forward.

Fay Feeney
CEO, Risk for Good
An advisory firm for Independent Directors to strengthen risk governance.