Is risk management a source of risk?

I recently responded to a question about risk management failure on one of the LinkedIn groups I subscribe to. Jacek Marczyk, a risk management consultant, responded to a CNN article entitled "The risk fallacy" by asking whether risk management is itself a source of risk.

Jacek's view, reflected in his article (here), seems to be that the Big Financial firms failed because they neglected to factor market complexities into their risk models; and, moreover, that we all need to get better at modeling complexity. Although I agree with the second point (with a tip o' the hat to the quants out there), I disagree with the first. Now that government investigations, referenced below, and a heap of analysis have exposed many of the factors behind The Fall, it seems fairly clear that AIG, Lehman, Morgan Stanley, and Bear Stearns suppressed risk management from the top down. Not only did they not go the extra mile with their risk models, they never really left the bench.

For those of us who support the quantification and qualification of risk, this is good news: the Big Financials' risk management failures cannot be taken as indicative of the futility of risk management, managerial or operational. Their chief indication is simply bad board oversight and executive accountability at the afflicted firms.

My rationale for this statement is copied below. If you have a LinkedIn account and are interested in this issue, I hope you will also read the complete discussion and its many other informed contributions. It is, as of this posting, an active and interesting discussion in the Risk, Regulation, and Reporting Group on LinkedIn.

Finally, if you have opinions or insight into this or related risk management and assessment issues, I'd like to hear from you. Please comment on this post via the form below or write me directly.


Q: The risk fallacy: Do you agree that risk management itself is a source of risk?

A: Any kind of management performed incompetently or venally is a source of risk. However, since AIG, Lehman, and Morgan Stanley actively suppressed risk management, it's problematic to use them as any sort of lesson for companies making a good-faith effort at risk management.

AIG, Lehman, and Morgan Stanley's failures stemmed from performing bad risk management badly in three ways: 1) incomplete risk modeling, 2) inadequate access and oversight by risk management and audit functions, and 3) no managerial accountability for risky decisions.

We know that the risk models for mortgage-derivative products at Lehman, AIG, and Morgan Stanley reflected fantastic assumptions. This is partly due to the blind spots of VAR, insofar as it relies on historical data (of which there really wasn't any of relevance) and relies on third-party indicators, such as ratings (which were inaccurate). However, VAR's flaws are well known. The firms' financial modelers and managers would certainly have understood the uncertainties in their risk models. The problem was that they didn't reflect those uncertainties in their risk decisions. Moreover, they failed to track their degree of exposure to the products with the highest degrees of uncertainty.

Of course, even when uncertainty is relatively low, nobody relies solely on VAR---which brings us to the second failure. The firms' risk management and audit functions should have recognized and responded to the inadequacies of the risk models. They didn't because they couldn't. Lehman and AIGFP were risk black boxes. Morgan Stanley had no idea what its traders were doing. But it's not as if the firms passively failed to perform those audit and risk assessment functions. Their failures in that regard were reported, documented, and ignored well before the financial crisis broke. 

And that brings us to the third failure. All of the firms knew there were significant weaknesses in their risk management and assessment processes and models. Directors and executive officers had been told that there was no effective risk management in their most at-risk divisions, and they opted not to remediate. AIGFP's Cassano's comment to DeSantis about auditors "polluting" the process probably fairly encapsulates why.

In all cases, whatever the companies' marketing literature said, they were simply not managing risk. This is documented in May's [s/b October's] congressional hearing about AIG, in the GAO's review of regulators' oversight of financial firms' risk management systems [PDF], and in various other Google-able resources.

So, to address the initial question, "Do you agree that risk management itself is a source of risk?" --- the answer is yes...and no. Risk management is to some degree a recursive business function. It can fail in many ways, including the failure to diagnose its own failure. This, however, cannot be taken as a case against risk management efforts; rather, it's a warning that companies can choose to ignore risk in order to pursue market opportunities. In such cases risk management fails not because it's incompetently done, but because it fulfills its mission to fail.

There are, of course, many examples of effective risk management and modeling. Conventional mortgage risk models, for example, have served banks well. Where risk models work, they tend to differ from AIG et al.'s exotic and faulty models in the following ways: 1) they are based on sufficient and accurate data, 2) they reflect sound financial principles, and 3) they are subject to competent audit and managerial review. Companies looking to assess their own risk management practices should begin by scoring each of these criteria.