There are two sides to every story, and there are two sides to the story of risk. We like upsides. We do not like downsides. But we accept one to get the other, and this is why risk-taking is inherent to business. Without risk-taking, there will be no upside. People fondly remember Steve Jobs because he decided what people would like, and gave them it. Apple became hugely profitable because it innovated successfully. But no innovation is guaranteed to succeed, as none of us can see into the future with certainty. So when we talk about risk management, we must remember that limiting risk-taking might restrict the upsides of risk as well as the downsides of risk.
A while ago I posted a humourous series of puns where I substituted the word ‘bottom’ for ‘risk’. There was a half-serious intention behind the wordplay. First, bottoms are somewhat rude. We cover them up, people might not like to talk about them, some will be prudish about them etc. But they exist and they are part of our being. As comical as it sounds, ignoring bottoms does not make them go away. I can only see my bottom in the mirror, but it is definitely there. That gives us an analogy to risk, another topic that some people will deal with in a matter-of-fact way, whilst others feel very uncomfortable about it. Second, some bottoms are desirable and other bottoms are not. This is as much about taste as it is about science, but the truth that people have perferences is undeniable. The same is true of risk. To want more or less risk is as daft as saying we want more or less bottoms. It may be very hard to put into words what we do want, but we trust that we know what we want when we see it.
Dan Baker commented on my ‘bottom’ post, and I want to repeat the comment in full so I can then give the reply it deserves.
This bottom business has got me curious. On the one hand, we know when a telecom marketing department gets too aggressive and creates a ton of services without minding the bottom line profitability of those services, the business could sink.
Then there’s the opposite scenario — the operator gets too cautious. It starts to cut corners by thinning down the ranks of the RA and fraud department, opening the door for negative black swans to fly in and do some damage.
So being too aggressive and too penny-pinching are both wrong, but for the life of me, how does risk department balances those things? They seem like apples vs. oranges.
How do you decide where to put the bottom ballast to keep the telecom ship sailing on an even keel?
To those of us not initiated in the dark art of risk management, an analogy to the real world would be most helpful. In the meantime, I tip my glass to you. Bottoms up.
Dan is completely correct, and will get no argument from me. I hope my attempt at humour did not confuse the basic issue that risk management is about delivering the right balance of risks. As I comically noted, some bottoms are desirable and are pursued – businesses actively seek some kinds of risk and then take them. Some will choose to grow a bigger ‘bottom’ – because they want more risk.
However, let us be honest. My post was about real risk managers as well as the theory of risk management. Whilst the theory is sound, businesses are unlikely to employ risk managers with the expectation they will drive an increase in risk-taking. Why? Because many managers in business should already be incentivized to take risk. Banks did not fail because CROs chose to take more risk, though we could ask if they were diligent enough in questioning the risks being taken. If we work on an assumption that it is relatively easy to motivate a broad cross-section of managers to take risk (through job descriptions, bonuses etc) and that it is relatively hard to monitor if they take excess risk (perhaps as a result of poorly understood combinatorial effects of decisions made in silos), then the risk manager is there primarily to understand and monitor levels of risk, ensuring the system does not fall out of balance because of the natural inclination towards risk-taking. As such, the risk manager inevitably tends to be like the doctor advocating healthy exercise and good diet as an antidote to obesity. If confronted by a patient that is malnourished, then the doctor would give different advice. But, in practice, many of us live in societies where food is easily available, cheap, and heavily promoted, just as many of us work in businesses where management is inclined to take risks to promote sales and boost profits. Hence the risk manager should be no more biased than a doctor; if they seem to keep giving the same prescription, it is only because they keep treating patients with the same ailment.
That said, I do not disagree that some organizations may have cultures which are too inhibited towards risk-taking. Indeed, when we talk about an organizational culture we are already generalizing. Whilst some management may be readily incentivized to take risks, others in the same business are incentivized to oppose risks, and the way the business is run is designed to work through an adversarial process to arrive at the right conclusion. This is apparent in the way business cases tend to be proposed, opposed, and ultimately judged. Whilst risk managers talk about ‘the’ culture of an organization, it is truer to say that subsets of an organization have differing cultures. If business is run in adversarial way, then the business can become too risk-averse overall if the risk-averse subsets of the business culture are too powerful relative to the risk-seeking subsets of the business culture. One danger for risk managers is that they become like doctors who generalize too much, and end up becoming advocates for one side of an adversarial process, always trying to strengthen the anti-risk camp in a bitter feud with the pro-risk camp. But this is not inherently healthy, any more than a starvation diet is inherently healthy.
We might also say my last paragraph suffered from a bias in how risk is framed, where by ‘framing’ I mean that the way something is described has a significant influence on the human response. I talked about being risk-averse and risk-seeking, and these phrases are widely used and understood. But being risk averse does not mean deciding not to take risks. Doing nothing may be taking a risk. If the patient is sick, the doctor may need to act. Even if the patient is not seriously unwell, the doctor may recommend changes that will make the patient healthier. If we stick to the bare bones definition, then risk is uncertainty. Doing nothing may very likely – but not certainly – lead to a degree of stagnation and lost competitiveness over time. What degree? We are not certain! So even the extreme of risk ‘aversion’ is still choosing one kind of risk over other risks. There are no absolutely risk-free decisions in this world. For the proof of that, once again look at the financial crisis, and more specifically its second phase involving the governments of the Eurozone and, to a lesser extent, the US government. Many have lost their AAA credit rating. The Basel banking regulations have supposed a so-called ‘risk free’ class of assets. In short, it was supposed that banks needed no cover for default of high-quality government bonds. Whilst I would not go as far as this writer in Businessweek, I would agree that ‘risk-free’ was a shorthand for ‘risk so small we cannot be bothered to measure it’. But even governments can fail, and many national political arguments stem from disputes about whether national economies are competitive and the best way to promote growth. In those Western countries where the post-crisis economic debate still dominates politics, the issue can be crudely simplified to whether the previous stimulus provided by private sector lending and public sector spending failed to promote a proportionate degree of fundamental economic growth (all spending leads to growth – the question is how lasting the effects will be). Hence the debate about the correct response comes down to the extent to which it is better to substitute public sector stimulus for a reduction in private sector lending, or to accept more economic pain in the short run in order to weed out inefficiencies. So on the level of national governments, nobody is suggesting there is a simple dichotomy between the ‘risk-averse’ and the ‘risk-seeking’. On the contrary, the decisions are rightly seen as one of balance based on what kinds of risks are taken, public sector vs. private sector, short-term vs. long-term, workers vs. investors, and so forth. The parallel with risk management in businesses should be clear. Despite the way ERM theory is framed, businesses have the same challenge of finding the right balance.
With this in mind, even doing nothing can be repositioned as a decision to take a kind of risk – taking the kind of risk that you will lose market share etc as competitors improve their rival offerings. High-probability low-impact risks are still risks. Over a sufficiently extended period, being ‘risk averse’ just means taking a recurring high-probability low-impact risk that you lose competitiveness… and with the odds stacked the way they are then we know with a high degree of confidence that, in the long run, as competitors innovate, the business that is too risk averse will lose competitiveness.
How does a risk manager decide what amount of risk is too much risk? Well, here I can be definitive. That is not a decision the risk manager should take, though many do get involved in that decision because they are unclear about their goals. The right amount of risk is a decision for the business as a whole, as reflects the desires of stakeholders, also taken as a whole. Risk managers are there to monitor the variance from the desired level of risk, just as a doctor may monitor a patient’s weight and compare it to an ideal. What confuses the issue is there may be no definitive statement of the ideal degree of risk. Just as there are adversarial forces within the business, there are adversarial forces within its stakeholders. The challenge of expressing the goal is difficult, and may be sidelined into the kind of fudge that we observe politicians make: they accentuate the upsides in how their favoured policies promote job creation and growth, and talk down the downsides that are inherent to any real decision. From a governance perspective, risk managers need to promote the transparency and efficiency of the decision-making process, just as good government involves transparency and clear decisions. The risk manager should not pick a side in the adversarial debate. Slavishly focusing on the reduction of downside risk causes some risk managers to neglect the overarching downside caused by a recurring failure to take decisions with upside potential.
From the analogy of government, risk managers play a role equivalent to establishing an effective judiciary – they do not decide the laws, but they want to promote a system that reaches the right specific decisions and works inexorably towards reducing inconsistency in the system of laws. The jury makes the actual specific decisions, and in this case the jury consists of the whole management team. A good risk manager needs the strictly limited authority of a good judge, ensuring the evidence is heard (both for and against), the goal (the law) is understood by the decision-makers, and that there is consistency in decision-making, as far as that is humanly possible. They implement the scales of balanced risk-taking like a judge institutes the scales of blind justice. Good judges of risk do not favour keeping upside risk down, any more than our judiciary should favour punishing the wicked at the cost of bias against the innocent. Is this complicated and hard to perfect in practice? Of course! But we must keep the ideal in mind whilst dealing with the practicalities of how people think and make decisions.