
#2: Creating Resiliency
Risk management involves setting an acceptable range for returns and controlling your risk levers to keep within these ranges. But this is not just for normal times – or even somewhat unusual times – but for all scenarios. This is a constrained optimisation too: not all risk versus return states are accessible… or sensible, or manageable.
Resilience in Risk Management is making sure your firm will survive possible but surprising circumstances. It is like avoiding the gambler's ruin problem; or, more technically, you need to push the expectation of ruin beyond the long-term horizon of your entity. You've got to create resiliency. This is hard. Resiliency is important.
Remember that a firm can decide to be a risky firm and have a very large possible range of outcomes (both good and bad) and a significant risk of failure. This should be a positive choice, not a passive choice or an unexpected choice.
Firstly, you need to have a picture of what events, situations and challenges are approaching. This is horizon scanning. Then, for these events, you need to decide how resilient to be to each one. Often one sees firms who have set their strategy based on their prediction (or maybe expectation) of the future. They take the risk that their prediction happens. This can be a good strategy for a start-up. But for any fairly diversified business it is important that they can survive and prosper when their strategy, and their assumptions on the future, are only partially accurate. This can be paraphrased as: test your strategy in all your likely future scenarios, and make sure you survive in all the ones you expect are possible.
Part of the devil is in finding the scenarios. Some will be economic; some will be political; some may be market-based; some may be more operational. I recommend using some generally accepted scenarios (for instance, what may come out from ChatGPT or a risk survey of similar firms by consultants). But you do need to think about risks particular to your firm.
A useful place to look is in a firm’s Risk Register. This is where you have laid out your businesses and the things that may affect each component of that business. For a bank this can be a very detailed approach to Operational Risk management. It may not seem very helpful because it becomes minutiae-focused by design. It needs to be re-orderable by the events themselves (rather than by businesses). If done right, this’ll show what types of irritating operational errors individual business lines think they can cope with, but which sum to a possible large risk at the firm level. In banking, think payments processing and IT releases or unforeseen IT outcomes on change. These will add up, and create reputational damage if they occur.
In the above I also assumed that Horizon Scanning is easy. It is not; it is an art, not a science. And it is going to have significant human bias in the creation of the unlikely scenarios. Here all of us have to stop and allow for things one dislikes or disagrees with to be considered. Be especially careful of self-created blind spots: places where you feel the issues are large enough that it’s better not to look too closely. True blind spots can only be found by having diversity of thought and allowing those thoughts to be expressed and discussed. Thus a risk culture of openness, and the ability to speak up and voice subversive or differentiated views, is important.
Now you must prepare. Role playing your scenarios – though at the beginning it feels somewhat false and a bit silly – will, always in my experience, highlight actions and responses which need to be prepared in advance. What one is doing is creating a play book to deal with unforeseen events. A simple example is a bank liquidity crisis: making sure the right people are quickly in a position to agree actions based on up-to-date data, and execute any required actions, is critical to calming any emerging liquidity draw. This is obvious – but if you haven’t agreed the who and how, then a lot of time and effort will be wasted communicating up and down an organisation, when action is imperative. Also, though most banks will have practiced a liquidity draw play book, they may not have done the same for a cyber incident or other disruptive events.
Next is action. Risk management is about taking actions, making choices and balancing positives and negatives. Knowing which actions are available to you, and how feasible they are to execute, is a key part of a play book. In a crisis this will be tested. Things will not work out how one expects. But if you have practiced and tested your firm, you are much more likely to get the offsetting actions done and survive.
Lastly, rebuilding. This is not so much part of crisis management, but it is part of resiliency. For a firm there may be many longer-term decisions and changes needed after a crisis. Having a clearly articulated strategy and showing commitment to it will count for a lot. A small crisis (say an earnings miss from a large idiosyncratic loss) may have a year of overhang on the prior strategies. A firm-threatening crisis (say the GFC) will have an overhang of 5 to 10 years.
The future is ever changing and the chance of a crisis is always higher than one thinks. The outcome will always be at the poorer end of expectation; the more so the longer it takes to discover or play out (such as legal or conduct-type issues). This is not a static space.
Good Luck.
Lewis O'Donald
11th July 2023