Personalising risk management

By Julian Birkinshaw and Huw Jenkins / Financial Times

Why is it that very smart executives can sometimes make extraordinarily poor risk decisions? This question has bothered observers of the business world for generations, but in the past 18 months it has gained extra importance as we try to make sense of the implosion of the financial services industry.

Of course, the problem of poor risk management is not confined to banking: sectors as different as oil and gas, pharmaceuticals and telecommunications have all experienced their share of poorly judged risks. But the banking industry, and the credit crisis in particular, provides a rich context for understanding where risk management goes wrong and how it can be improved.

In the years leading up to the credit crisis, most financial services companies focused on the formalisation of risk management, by developing multi-stage procedures with many signatories to evaluate and adjudicate on what risks were worth taking. They also relied on externalisation of risk management to a large degree – the use of expertise and approval from outside parties such as auditors, regulators and credit ratings agencies. We suggest that in future they need to give more attention to the personalisation of risk management. This requires greater quality of insight, greater personal accountability and a stronger support culture for risk management.

Personalisation of risk management does not mean throwing out the traditional systems and support structures. Rather, it means a subtle shift in emphasis from the management of a portfolio of risks to the underwriting of individual risk decisions. This approach is relevant across all sectors of the economy, not just to the world of financial services companies.

How do companies manage risk

Risk management requires companies to balance two distinct types of risks: the “false positive” risk associated with investing in a potential opportunity that does not transpire; and the “false negative” risk associated with failing to act on an opportunity that did transpire.

The consequences of false positive and false negative errors are very different. For example, if an oil and gas company is extremely cautious about investing in new oilfields, it can generally avoid costly false-positive mistakes in the form of dry wells, but it risks leaving money on the table that other competitors can pick up.

So how do companies manage risk? How do they bring to bear the necessary level of knowledge and expertise on difficult decisions? And how do they ensure that individuals act in the best interests of the company, rather than themselves? Historically, the answer to these questions was bureaucracy. While the term is often used in a pejorative sense, bureaucracy has benefits: namely, it encourages the development of formal rules and procedures that transcend individual idiosyncrasies and historical orthodoxies. However, it also has many unwanted side effects: it can become overly rigid and specialised, it discourages individual thought, and it can lead to depersonalisation and a lack of ownership on the part of employees.

It is this last effect that is most salient here. As companies grow, they need to build formal systems to generate economies of scale and scope, but they need to balance that with the agility, personal accountability and freedom of expression that come from a small, more entrepreneurial environment. While this point is often made in the context of innovation and creativity, it is just as valid in the management of risk.

Consider, for example, the winners and losers in the credit crisis. While there were certainly some notable failures among small players such as hedge funds, the big losses were borne disproportionately by the very large banks. This was partly because small financial services companies did not have the credit ratings or balance sheets to carry the so-called “super senior” tranches of the collateralised debt obligations that ultimately got the big investment banks into trouble. But it was also partly because the decision makers were close to the action, highly knowledgeable and personally accountable for the outcomes of their decisions. As one leading hedge fund executive commented: “We have robust informal systems, we communicate naturally, and we develop our own views on what risks to take. We get a return on our judgment.” This is the exact opposite of a bureaucratic system, and a world away from the thousand-person-strong risk functions that some of the large investment banks had built up during the boom years.

To put it another way, there are three complementary approaches to managing risk in large companies.

• Formalisation involves using formal procedures and rules to evaluate and adjudicate on what risks are worth taking.

• Externalisation involves making use of the expertise and seal of approval provided by third parties – some required by law (auditors and regulators), others optional but widely used (credit ratings agencies). Both of these approaches are manifestations of bureaucracy – the former controlled by the company’s management, the latter controlled by third parties.

• Personalisation involves pushing the responsibility for evaluating and making a judgment on risk to those individuals who are making decisions.

While all three are necessary and used to varying degrees all the time, the recent evidence in banking and elsewhere suggests that we need to redress the balance back towards personalisation, especially in large companies.

Goldman Sachs, one of the best performers through the credit crisis, is frequently held up as the acme of personalisation. As Gillian Tett, FT global markets editor, has observed: “Employees [at Goldman] typically view themselves as being affiliated to the bank, not the business line, and there is a strong ethos of shared accountability.” But Goldman is the exception that proves the rule: the rest of the industry has relied heavily on bureaucratic approaches to risk management and the strategies of the major players have gradually converged over time.

How to personalise risk management

What does personalisation of risk management mean in practice? The concept has intuitive appeal, but many people struggle with how to balance the need for personalisation with broader systems of control and management. We suggest three necessary and supporting elements.

High-quality insight. Those who make decisions require good quality information, effective analytical tools and the competence to interpret this information. But it is rare for all these things to come together. It is more likely for decisions to be made with poor insight from self-interested sources, and with the relevant information fragmented across different parts of the company.

For example, one study has shown that mortgage loans securitised and sold on to non-banks in the early 2000s were far more likely to end up in default than when they were sold to affiliates of the originator. It is not surprising that banks that were selling loans had a different level of focus on the likelihood of default than those that held such loans to maturity. What is more surprising is that regulators and investors did not concern themselves more with this potential bias.

Effective personalisation of risk management is, therefore, about building a system that puts the right information into the hands of those making decisions, and then transforming that information into insight through experience.

Here is one example of how this works in a different setting. The UK police force gathers intelligence on a daily basis about criminal activities, community affairs and so on. Usually these are dealt with quickly and without note, but occasionally an incident escalates and becomes more serious. To better alert themselves to these escalations, the police have instituted a “critical incident” approach, in which an employee of any rank can call together a cross-force group to pull together all the available information about an incident, and make a decision on how to react. Critical incidents only arise occasionally, but they provide an effective way of quickly bringing to bear the disparate views on an issue and reaching a thoughtful decision.

Personal accountability. Effective risk management requires personal accountability, but most companies get this wrong as well. Sometimes there are too many decision makers, or the decision maker is too far removed from the action to feel any genuine responsibility. And often there is no link between the decisions taken and the rewards provided.

For example, in recent years, banks traded in risky securities to optimise short-term profits without giving due regard to the appropriate cost of capital or the long-term behaviour of these securities. Many people have argued that a large factor in the creation of the current financial crisis was this focus on short-term accounting profit and the reward systems aligned with it.

Instead, we need a system where personal accountability is rewarded, and where the individual or team with high-quality insight is also the one making the decision. For example, one of the basic principles that every airline captain knows is: make risk decisions at the appropriate level. Appropriate here means the level where the individual has the necessary experience and maturity to make a good decision. The captain may delegate specific decisions to engineering specialists or dispatchers, but the decision to fly the plane rests with him or her – not on the wishes of the air traffic controllers or the airline’s chief executive.

This logic has clear applicability to the business world. Some of the best performers through the credit crisis, such as JPMorgan Chase and Goldman Sachs, were well known for their collegial, team-based decision processes, built on open debate, intellectual honesty, and sufficient self-confidence to take contrarian decisions.

Supportive culture. The informal norms of behaviour in a company – its culture – should support the principles of high-quality insight and personal accountability. But all too often, these informal norms end up undermining the effectiveness of decision making. Some companies exhibit a fear culture where bad news is hidden from top executives; some are purely mercenary, where everyone looks out for themselves; some suffer from chronic risk aversion, with almost zero tolerance for false-positive errors.

Of course, there is no simple way to build a supportive culture. It takes many years of consistent messages and actions from leaders. But there are, nonetheless, a couple of basic principles that can be applied.

One is the need for transparency of purpose. Consider, for example, a leading mining company that committed a decade ago to eliminating one type of risk: employee injuries at work. All leaders signed up to this goal, all employees were trained on the company’s safety standards, measures of lost-time injuries were monitored for all sites, and managers’ compensation was linked to safety. Today, all meetings – even those in white collar environments – start with a safety update. Safety thinking is deeply ingrained in the minds of individuals throughout the company, and the safety record is impressive. Cultural transformation, in other words, is possible when it is tied to a very clear purpose that everyone can identify, and when it is reinforced through consistency of action. To return to the police force example earlier, a key feature of the “critical incident” model is to acknowledge the efforts of the individual who calls it, even if it proves to be a false alarm.

The other principle is a refusal to simplify the big picture. Studies have been conducted of nuclear power plants and aircraft carriers where errors can have catastrophic consequences, and they have sought to understand how these “high reliability” organisations function. It has emerged that one of the key features is that individual employees – involved, for example, in routine maintenance activities – are expected to take responsibility for seeing how their work fits into the big picture. So, rather than compartmentalising every task, employees are encouraged to look across and to understand how their work has implications for others.

This approach has obvious relevance in the financial services industry. As one leading hedge fund manager explained: “We need to remain humble. I don’t claim I know the answers; that is the golden rule. Strengths become weaknesses in a dislocation. We make our biggest mistakes where people claim we are strong.”


The credit crisis was brought about by the accumulation of a large number of circumstantial factors, but it was exacerbated and ultimately triggered by poor risk management decisions, and structures, at many large financial services companies. By turning the spotlight on these weaknesses, we have identified some key principles for effective risk management, not just in financial services but in other sectors as well.

But there is one important caveat. Good decision making in the world of financial services is not just about making objectively correct decisions; it is also about making decisions in the context of rapidly changing market conditions. Even the best decisions can look foolish in retrospect if market forces change fundamentally.

So, if the first challenge is how to make better quality decisions, the second challenge is learning how to adapt them to accommodate the market. But that is a matter for a separate article.

Julian Birkinshaw is professor of strategic management at London Business School

Huw Jenkins is executive in residence at London Business School

