luk-f-a
Good reasons and bad reasons for Risk Management (RM series #1)

I recently left a job in Risk Management. Mostly because the name was misleading, but that's a story for another day.
Having just left, I want to write —first of all for myself— what I learned. Just in case I need it one day in the future. Hopefully it will also be useful to others.

Everyone does risk management every day. If a great sandwich has been sitting in the fridge for over a week, we wonder: should I eat it? Pros: it was delicious. Cons: it might make me sick.

We weigh what can go wrong and what can go right and then make a decision. Companies do that too. Some companies establish a special department called "Risk Management". Ironically, sometimes they do manage risk, and sometimes they do not.

Note
Before I continue I must clarify that the rest of the post is partly serious and partly tongue-in-cheek. Which part is which is left as an exercise for the reader. Risk Management is a very important activity, and it is REALLY hard to do well. I will write about the latter in another post.

From my own experience and from talking to others, I have learned that companies have a whole bunch of reasons for setting up a Risk Management department. Some reasons are better than others.

What are the good reasons?

  • A company is a complex web of relationships that, hopefully, delivers some valuable product. If one part of the company fails so spectacularly that it brings down the whole company, that would be bad for shareholders and bad for society. Society would lose a provider of whatever it was the company was making. Shareholders would have to re-organize the company, which is expensive and quite distracting from the core purpose of making whatever-it-was-that-it-was-making-for-society. Spending some effort up-front on not blowing up is worth it, on a net present value basis.
  • Most employees would also prefer that the company does not blow up tomorrow. However, many employees would not be affected by the company blowing up in 20 years. There are some jobs that are able to create problems decades in the future. Those employees have an incentive to maximize their income today, whatever the cost to the company might be in 20 years. If you can increase sales of cancer-inducing powder or destructively addictive medication and get a fat bonus for your efforts, maybe you will choose to do it, whether or not the company will be sued into oblivion. Spending some effort on stopping these people before they harm the company is worth it.
  • Some employees do not even care if the company blows up tomorrow. They will get a job elsewhere. Ironically, they might get a better job afterwards, as Matt Levine sometimes argues. Spending some effort on stopping these people before they harm the company is definitely worth it.

These are all great reasons for having a Risk Management team. There are more, but I don't intend to make this a book on risk management.

After almost 20 years in the financial industry, I can also enumerate some bad reasons to have a Risk Management team.

  • Bad reason #1: "Something might go slightly wrong somewhere". Most humans are risk-averse, which means they would rather have certainty than uncertainty. We also enjoy the feeling of improving something, large or small. When faced with the news that something somewhere has gone wrong, many people think "how could we make sure that this never goes wrong again?". That is a noble thought, but sometimes a misguided one, especially in large companies. When we do risk management in our daily lives, we are impacted by both the good and the bad. We might enjoy the sandwich, or get food poisoning. We have skin in the game. It is not the same in a company. If we hire a bunch of people and tell them it is their job to stop bad things from happening, it might play out this way:
    • first they try to stop really bad things from happening, which mostly means illegal behavior and bets that would bankrupt the company.
    • without any real means of proving the counterfactual "if we weren't here, this company would be broke by now", they slowly develop a mentality that risk management is "always and everywhere a desirable phenomenon". Over time, they get used to being valued for what they do, not for what they achieve.
    • lastly, either out of a genuine desire to stop bad things from happening or a genuine desire to get a promotion, the scope of "bad things that should be stopped" starts to grow. And with it the size of the team. And with that the procedures they impose on the rest of the company. And with that the cost to the company, both in direct compliance cost and in lost business opportunities. Left unchecked, after a few years it is likely that your well-intentioned Risk Management team has written endless documents and cost millions of dollars in procedures to keep pens from being misplaced (don't laugh, that's a real risk with real financial consequences!).

How could this happen? It is quite simple: the Risk Management team is only looking at the downside of things, and it is only being rewarded for doing something about it. Not for effectively tackling the worthwhile problems, but for doing something about anything that could conceivably be argued to be a problem.
The cost-benefit trade-off does not work out for a centralized Risk Management team taking care of minor losses and inconveniences. That is a bad reason for having an RM team. In statistics lingo, RM should take care of the tail, not the body, of the loss distribution.

  • Bad reason #2: to shield top management in case something bad happens somewhere. Top management is made of humans. No matter how clever they are, how much they love the company, or how hard they work, they cannot be everywhere. Some tasks have to be delegated to less clever, less company-loving or less hard-working people. Something will go wrong eventually. What really matters in that case is that everyone can say that they followed proper procedure. That is their only chance at saving their jobs after some embarrassing incident. "Governance was followed" is the line that allows the C-suite to save face (it does not always work, but it usually does). I rank this as another type of principal-agent problem. It is not worth it for the shareholder to spend millions to prevent the C-suite from being embarrassed. The shareholder would be better off saving the cost of burdensome internal compliance with endless and ill-conceived governance, and absorbing the occasional loss. If the C-suite is occasionally embarrassed by something outside of their control, then so be it. The shareholder is already paying them millions; they should learn to live with it.
