Large losses can be suffered even when risk management is first-rate because organizations are in the business of taking risks. This article, authored by René M. Stulz, notes how failures of risk management can also cause large losses as evidenced by the current crisis, and when risk management fails, it typically fails in one or all of six basic ways.

Reliance on Historical Data

The first source of risk management failure is relying on historical data.  Risk management generally relies on extrapolating from the past to identify future risks, assuming that historical data provide a good approximation of future events.  However, if the data used do not cover an historical period with adequate fluctuations, risk estimates can be misstated.  Furthermore, the rapid financial innovation in recent years has made historical data less relevant because past data cannot predict the effect of these new classes of assets.  Finally, risk management systems often fail to properly estimate indirect effects on the full risk exposure of a given risk.  Price movements among asset classes are correlated and the correlation needs to be estimated correctly to determine the full risk exposure.  This is complicated by the fact that correlations are not constant, but actually increase in times of crisis making estimation more difficult.

Limited View of Risks

The second basic way in which risk management can fail is by focusing on narrow measures, thereby ignoring other risks that should be taken into account.  A daily value-at-risk (VaR) measure is the most common way of assessing the riskiness of securities trading at financial institutions.  This measure provides a maximum amount of money that might be lost at a given probability level and an organization can assign an upper limit to the VaR it is willing to accept.  Using VaR to protect against losses can lead to insufficient capital to support the risks being taken.  VaR overruns may say little about the company’s financial health without looking at the amounts of gains and losses experienced.  VaR does not capture catastrophic losses with a small probability of occurring, so it does not assess large losses that could threaten an organization.  Also, daily VaR does not capture the risk of a portfolio that has lost liquidity because daily VaR measures assume assets can be quickly sold or hedged so that losses can be limited within a day.

Overlooking Knowable Risks

A third source of risk management failure is overlooking knowable risks.  One type of knowable risk that is often overlooked is risk outside the normal risk class.  Many organizations manage market, credit, and operational risks in isolation, ignoring correlations and associations among these risks that could be more easily identified with a firmwide assessment of risk.  Risks incurred by hedging are often overlooked as organizations may perform risk assessments and implement plans but fail to assess all of the risks of the instruments used for risk mitigation.  Market-concentration risks are also sometimes overlooked because much of the theory underlying statistical risk models assumes markets are largely frictionless.  This assumption can lead to ignoring risks such as liquidity and pricing of assets arising from market frictions, which can occur when one organization accounts for a significant portion of a market’s transactions.  Value-assumption risks are another source of risk that is often overlooked.  Here, when markets are illiquid there is doubt about the true value of traded assets because trades are too infrequent to provide clear price signals.

Concealed Risks

Overlooking concealed risks is a fourth basic source of risk management failure.  Risk management may fail because people responsible for incurring risk do not report it, either deliberately if their compensation provides incentive for assuming risks or non-deliberately if risks involve positions using securities that are not yet established in the markets or positions held for short periods.  Aligning incentives with a firm’s risk-taking objectives is a good approach to managing this risk because it encourages innovation, provides employees with flexibility to perform their jobs well, and promotes employees to take more judicious risks.

Failure to Communicate

The fifth basic way in which risk management can fail is through a failure to communicate.  Risk management must be communicated effectively, timely, and without distortion to the board and CEO, who are ultimately responsible for making decisions about risk.  The board and CEO need to have a realistic understanding of the risk management capabilities of the organization so they do not have unwarranted confidence in the organization’s ability to measure risk.

Not in Real Time

The sixth source of risk management failure identified is not managing in real time.  Risk management is a dynamic process and risk managers need to constantly monitor, hedge, and mitigate a firm’s known risks to make sure the firm only takes the risks it wants to take.  This can be difficult in financial firms where derivative positions allow risks to change sharply and quickly even if no new positions are taken.  Accurate estimation and hedging of risk is even more difficult with mark-to-market accounting because the observer effect is present, where observing the value of a complex security can actually affect the value of that security.

As emphasized by the six described ways risk management can fail, conventional approaches to risk management present many potential pitfalls.  Therefore, to improve risk management, models should be augmented with scenario analyses of how crises may unfold depending on organizations’ reactions.  In this way, instead of focusing on the idea that the probabilities of catastrophic risks are extremely small, the organization can have scenarios built for these catastrophic risks and can design strategies for surviving these risks.