As a former risk manager, I have made my share of assumptions that turned out to be wrong. Part of the job is to project the future. But the future is uncertain so projections will not always be correct. While this is natural, some incorrect assumptions are more serious than others. And the worst are mistaken assumptions about the nature of risk management itself. Here are three that no risk manager can afford to make.
Assumption #1
Risk Management Is Performed for Someone Else
It is not uncommon to believe that risk management is performed at the behest of regulators or rating agencies. This presumption can easily become ingrained in a company's outlook given the litany of risk-related regulations that exist.
Yes, regulators and other external parties do benefit from risk managers' work. And, yes, the rules and standards must be followed. But the true beneficiaries of risk management are the company's shareholders. Risk managers practice risk management to protect and enhance the value of their companies-not for compliance's sake.
Identifying and quantifying risks to the company's value enables risk taking consistent with the company's capacity and its risk appetite. This sets the stage for decision making that rewards responsible risk taking. With this objective in mind, risk managers are compelled to go beyond the risk identification and quantification codified by external rules and standards.
Consider a scenario in which the rules overlook a critical risk or quantify it below its true value. If the risk manager's work, going beyond the rules, demonstrates that this circumstance does carry significant risk, should he or she proceed as if, as the rules indicate, there is little or no risk? Of course not; the task is not circumscribed by regulators.
Instead, risk managers need to bring their best judgment to ensure that the company's risk position is properly understood and that business decisions seek reward for that risk. Defining risk management's role in this way focuses it on finding better ways to both protect and improve the business. Complying with the rules is necessary -- but it is not sufficient to do the job well.
Assumption #2
Risk Management Is Part of Financial Reporting
Historically, organizationally and as commonly perceived, risk management is seen mostly as a subset of financial reporting. But there are significant differences. Risk managers need to see their task as related to, but separate from, financial reporting.
Many risks are simply not reflected in the company's financial statements. In fact, the risks that are not on the balance sheet are often the root cause of variability that ultimately appears as financial risk. Operational risk and reputational risk, to name only two, are excluded. The well-defined rules for what is to be included in financial statements do not provide an adequate platform for effective risk identification. So it would be a mistake for risk managers to limit their attention or regard nonfinancial risks as somehow less important.
Financial reporting presents one set of values calculated in accordance with generally accepted rules. Much discussion, especially in a financial crisis, takes place to define "generally accepted." After all, if only one approach and one answer are sought, every effort should be made to make it the right approach and the right answer.
On the other hand, risk is about variability of outcomes. Risk management contemplates many potentially right answers. So efforts to find the one right answer in risk management are counterproductive. Certainly, the generally accepted financial reporting value will be among the potential values considered. But others must also be weighed.
An effective risk management mind-set is the opposite of an effective financial reporting approach. All meaningful potential values should be embraced. Discussion and deliberation need to focus not on selecting the one right answer, but on understanding and preparing for the many other potential outcomes.
One final difference concerns the effective utilization of financial reporting output compared with the utilization of risk management output. The single set of financial reporting values is meant for public display and comparison with different reporting entities.
To the contrary, out-of-context risk management values are meaningless, and even damaging, when they stand alone. Risk management values are only effective when management duly considers their range and individual likelihood.
Assumption #3
One Metric Tells Us All We Need to Know
Although we see risk as uncertainty of outcome, we are often far too quick to conflate the range of results and limit our attention to a single statistical metric. Focusing attention on a single distribution of outcomes may cause us to miss insight that can be gained from considering different perspectives.
Certainly, when faced with a diversity of risks, a common methodology needs to be selected through which different risks can be aggregated into a single enterprise profile. Some metrics work better for this task than others. And assessing which metrics are more suitable as aggregators warrants ongoing dialogue. But this dialogue should not necessarily eliminate other metrics that may be useful when dealing with particular types of risks or business decisions.
For example, a distribution that represents potential changes in economic value over the course of a year is useful and enlightening. But so is a distribution representing potential changes over a shorter or longer duration. Scenario analysis is often a better tool than statistics. Liquidity risk, for example, is best understood by considering the unusual circumstances that reduce the availability of cash to meet earlier, or greater, than anticipated liability demands. Developing and studying such shocks is a much more fruitful route to addressing them than constructing a statistical metric.
At a minimum, it would seem that risk analysis should encompass at least three perspectives: a value-oriented long-term view, an earnings-oriented shorter view and, especially for liquidity risk, a scenario-based analysis. Taken together, these will provide a more complete statement of risk taking appetite and capacity than any single metric.
Finally, by redirecting attention from a search for the single best risk number toward a multiplicity of information, risk managers will more clearly see the extent to which all the different values are supported by estimates and assumptions. With these elements more visible, we can expect that they will be reassessed more thoroughly and more often.