One of the biggest revelations of the 2008 financial crisis was that the scope of risk management is almost unlimited. The violations of sound risk practices that generated the crisis spanned numerous industries and sectors: Home loan originators actively relaxed mortgage lending standards, investment banks concealed the risky nature of the resulting mortgages while packaging them into bonds for sale, and the list goes on.
Oversight was also lacking as ratings agencies stamped seals of approval on those bonds without examining them closely, and entities seemingly unconnected to the mortgage industry sold esoteric financial products that essentially insured those dangerous bonds. Government regulators failed to control the hazardous activities, and some public officials even promoted ultimately disastrous practices.
Unexpected consequences abounded as a result of the meltdown, endangering markets and businesses that initially appeared unconnected to the mortgage industry. The crisis demonstrated that the business world had become so complex and interconnected that risk management needed to widen its scope accordingly. It became evident that, because threats can come from unexpected sources, risk awareness needs to be spherical.
In the past, risk management could be viewed as a single sphere containing the most direct hazards facing a business, but this approach must now expand. Every factor and entity impacting a business should be examined individually, in terms of its own sphere containing its own influencers. These secondary spheres will frequently extend beyond the limits of the original sphere surrounding a business and usually will overlap yet more spheres. Those overlaps represent an organization’s potential second- and third-order threats, whose connection to the company might not be readily apparent. While it may be impossible to sever the interconnections linking you to these outside influences, identifying them allows you to prepare for their possible effects.
Before going any further, consider two important lessons from the 2008 financial crisis. First, the information is out there, but getting it requires effort. While there was plenty of warning that lending standards had declined prior to the meltdown, only a few entities recognized the danger this posed. Detailed information on the deteriorating quality of home loans was available, and the story might have been quite different if the entities rating and buying mortgage bonds had scrutinized their underlying assets.
Second, remember the importance of questioning what you are being told. Many people who doubted the overall health of the mortgage industry later accepted explanations they should have challenged. Assertions that the business had fundamentally changed and somehow become virtually risk-free turned out to be simply wrong.
Remember that unscrupulous or incompetent players frequently suffer little harm from their actions—in fact, some of them actually benefit from misfortune. You cannot rely on someone else to provide warning of approaching danger.
With these lessons in mind, the following three-step process will help you gauge your company’s risk exposure.
Look in the Mirror
The first step is thinking of your business as a sphere that contains all the different factors and entities of direct influence. Then, analyze each of those influences in terms of risk. This should be familiar ground, as it is similar to basic risk analysis and disaster recovery planning. List the factors and entities that directly affect you, then examine each of them for potential problems. Identify areas of concern and take action to mitigate or control them.
This list will be extensive, as it includes everything you do and more. Starting with your own operations, examine the threats in such basic categories as communications, transaction processing and product delivery. That is the first sphere, and its analysis never ends.
Next, think of your business as a system with a system of systems. This includes, but is not limited to, topics such as markets, applicable laws and regulations, and workforce considerations.
Take a hard look at your business finances. The financial crisis demonstrated that disruptions in supposedly unrelated industries can adversely affect credit elsewhere. Your business finances can cover a lot of ground—from working capital to pension funds—and each of these requires close examination in terms of vulnerability to market disruptions or unidentified threats.
The insurance you purchase requires an even harsher scrubbing to determine if it is truly sufficient and to identify the soundness of its providers. The blurring lines between banks and non-bank actors pose a real danger here, as a disruption in the banking industry can jump to the insurance world just when you need your insurer in top form. The insurance industry practice of using reinsurers to reduce risk concentrations is a further concern, as the soundness of these secondary players is sometimes found wanting during a crisis. Find out exactly who is supposed to fulfill the requirements of your policy by conducting detailed and ongoing review.
Know the state of your own industry. Peers can sink your business if they behave irresponsibly, as proven during the financial crisis. The activities of mortgage originators and bond creators destroyed or damaged numerous large banks, costing the jobs of many ethical and competent people whose work seemed to have no relation to mortgages. Reputation risk is also critical. Because your company’s name can be tarnished by the actions of your peers, take the time to find out if they are cutting corners.
Examine Your Influences’ Influences
Next, think of each of your influences as having its own sphere, containing the factors and entities that impact it, and analyze those as well.
The financial crisis proved that a business can be radically affected by bad things happening elsewhere. The business world is becoming more complex and interconnected, and that increases the number of threats while, at the same time, making them harder to see. As a result, seemingly unrelated products, markets and entities can be dangerously linked, and it sometimes takes a lot of work to recognize those connections.
AIG’s role in the crisis is a good example of this. Selling credit default swaps (essentially insurance policies on mortgage bonds) exposed AIG to the meltdown of an industry to which it had little connection. Many of their business partners did not know about that dire situation, and its revelation was a major surprise for entities that relied on AIG for insurance. It was hard for the managers of those organizations to understand how a collection of bad home loans could rob them of their insurance coverage. When mortgage bonds began defaulting in record numbers, however, the credit default swaps sold by AIG (and others) had to be paid off.
As the crisis spun out of control, ramifications for other industries became clear. Predictably, businesses related to the mortgage industry were affected, such as home construction and building material supply. But the contagion then spread in unexpected ways.
Businesses with no direct link to mortgages found themselves threatened by their relationships with endangered entities, or by the disruption of vital functions in the financial markets. Ignorance of the activities and vulnerabilities of business partners, suppliers and providers of essential services left a great many organizations unsure of their own survival. In the post-financial crisis world, what you don’t know can hurt you badly.
Ask “What If?”
The third step in the risk assessment process is to ask, “What if this happens here?” Do so at different points on the chain of interconnection, then consider how you can avoid, mitigate or react to potential harm.
Completing the first two steps of this process should provide a clear picture of the influences on your business. That initial analysis may reveal some threats on its own, but now is the time to identify the dangers that are not readily apparent.
Asking “what if?” helps identify the consequences of different potential occurrences, regardless of whether or not they are possible. Worst-case analysis is essential: the financial crisis witnessed several developments previously deemed so unlikely that they were not seriously considered in risk planning. Examining the effects of each of these scenarios can reveal potentially hazardous outcomes.
Start with the list of assumptions under which you or your influencers operate. A key assumption in the financial crisis involved the historically low default rate in American mortgages. This would have been a reasonable planning figure if the same lending standards generating that low incidence of default had remained.
Unfortunately, lending standards had eroded so much that the figure was simply wrong for use in modeling. Assuming a low default rate on highly risky loans suggested that the bonds made up of those loans were a sound investment. Once the loans began to go bad in large numbers, however, the bonds did too, setting off the crisis.
Modest adjustment of the criteria used in mortgage bond risk modeling would have radically altered the expected outcome, in some cases changing a huge profit to a disastrous loss. Question how your models are set up and how they function, and never accept being told that the model cannot be explained.
Once you have identified a threat or weakness, take action. Apply a method similar to your disaster recovery plan by identifying potential problems and attempting to reduce or avoid them before trouble arrives. Put a realistic plan in place for what you will do if the worst-case scenario actually comes to pass, and review it frequently.
Finally, take charge of identifying the hidden connections that could impact your business. As long as they are unknown, there is no way to prepare for them.