Risk Management Failures – What Are They and When Do They Happen?

After completing this reading, you should be able to:

• Explain how a large financial loss may not necessarily be evidence of a risk management failure.
• Analyze and identify instances of risk management failure.
• Explain how risk management failures can arise in the following areas: measurement of known risk exposures, identification of risk exposures, communication of risks, and monitoring of risks.
• Evaluate the role of risk metrics and analyze the shortcomings of existing risk metrics.

Why a Large Financial Loss May Not Necessarily Be Evidence of a Risk Management Failure

Risk management entails three key steps:

1. Identifying and assessing the impact of all risks facing a firm
2. Communicating these risks to decision-makers
3. Continuous monitoring and management of these risks to keep them within healthy limits

To manage risks, firms work with the output of a given risk measurement tool such as duration, beta, and the value at risk (VaR). Once the firm has established the possible loss amounts, it has to ensure that all its activities take into account the target risk amount. If the risk taken is less than the amount considered safe, the firm should take a bit more risk to maximize shareholder value. If the amount of risk taken exceeds the sale levels, the firm should cut back and reduce its exposure.

A large loss is not always indicative of risk management failure. As long as a firm assesses the risks it faces and develops risk management policies that guide all its operations, the risk management function is considered effective.

In other words, the purpose of risk management is not to reduce losses to zero. Rather, the goal is to establish a loss appetite and keep loss levels at non-threatening amounts which the firm can comfortably withstand. However, firms are also expected to develop contingency plans for extra-large losses that have the potential to threaten a firm’s very existence as a going concern.

Instances of Risk Management Failure

Several events could constitute a risk management failure. These include the inability to:

• Measure risks correctly
• Communicate risks to decision-makers (senior management)
• Monitor risks adequately
• Recognize some risks
• Use the appropriate risk metrics

It is imperative to understand the correct distribution of returns. Only then can loss estimates be considered reliable.

Failure to recognize risks can be expanded further to include:

• Ignoring a well-known risk
• The failure to properly incorporate risk into risk models
• The failure to unearth all risks facing the firm

Risk Metrics and their Shortcomings

Risk metrics provide managers with a target to achieve. VaR is the most widely used risk metric. For example, the management could strive to keep the 99% VaR at, say, $100 million. Monitoring the VaR allows managers to manage risk appropriately.

However, VaR has several shortcomings:

• It does not measure worst-case loss. For example, even at 99% confidence, we would still expect the loss to exceed the VaR amount 2-3 trading days in a year.
• It incorrectly assumes that the distributions of losses are not correlated over time. As witnessed during the 2007/09 financial crisis, huge losses on one day would trigger larger losses the following day.
• Different VaR methods lead to different results. For instance, the historical VaR method yields a figure that’s different from that of Monte Carlo VaR.