Part One
Managing Risk
Chapter 1
Risk Management versus Risk Measurement
Managing risk is at the core of managing any financial organization. This statement may seem obvious, even trivial, but remember that the risk management department is usually separate from trading management or line management. Words matter, and using the term risk management for a group that does not actually manage anything leads to the notion that managing risk is somehow different from managing other affairs within the firm. Indeed, a director at a large financial group was quoted in the Financial Times as saying that āA board can't be a risk manager.ā1 In reality, the board has the same responsibility to understand and monitor the firm's risk as it has to understand and monitor the firm's profit or financial position.
To repeat, managing risk is at the core of managing any financial organization; it is too important a responsibility for a firm's managers to delegate. Managing risk is about making the tactical and strategic decisions to control those risks that should be controlled and to exploit those opportunities that can be exploited. Although managing risk does involve those quantitative tools and activities generally covered in a risk management textbook, in reality, risk management is as much the art of managing people, processes, and institutions as it is the science of measuring and quantifying risk. In fact, one of the central arguments of this book is that risk management is not the same as risk measurement. In the financial industry probably more than any other, risk management must be a central responsibility for line managers from the board and CEO down through individual trading units and portfolio managers. Managers within a financial organization must be, before anything else, risk managers in the true sense of managing the risks that the firm faces.
Extending the focus from the passive measurement and monitoring of risk to the active management of risk also drives one toward tools to help identify the type and direction of risks and tools to help identify hedges and strategies that alter risk. It argues for a tighter connection between risk management (traditionally focused on monitoring risk) and portfolio management (in which one decides how much risk to take in the pursuit of profit).
Risk measurement is necessary to support the management of risk. Risk measurement is the specialized task of quantifying and communicating risk. In the financial industry, risk measurement has, justifiably, grown into a specialized quantitative discipline. In many institutions, those focused on risk measurement will be organized into an independent department with reporting lines separate from line managers.
Risk measurement has three goals:
1. Uncovering known risks faced by the portfolio or the firm. By known risks, I mean risks that can be identified and understood with study and analysis because these or similar risks have been experienced in the past by this particular firm or others. Such risks are often not obvious or immediately apparent, possibly because of the size or diversity of a portfolio, but these risks can be uncovered with diligence.
2. Making the known risks easy to see, understand, and compareāin other words, the effective, simple, and transparent display and reporting of risk. Value at risk, or VaR, is a popular tool in this arena, but there are other, complementary, techniques and tools.
3. Trying to understand and uncover the unknown, or unanticipated risksāthose that may not be easy to understand or anticipate, for example, because the organization or industry has not experienced them before.
Risk management, as I just argued, is the responsibility of managers at all levels of an organization. To support the management of risk, risk measurement and reporting should be consistent throughout the firm, from the most disaggregate level (say, the individual trading desk) up to the top management level. Risk measured at the lowest level should aggregate in a consistent manner to firmwide risk. Although this risk aggregation is never easy to accomplish, a senior manager should be able to view firmwide risk, but then, like the layers of an onion or a Russian nesting doll, peel back the layers and look at increasingly detailed and disaggregated risk. A uniform foundation for risk reporting across a firm provides immense benefits that are not available when firmwide and desk-level risks are treated on a different basis.
1.1 Contrasting Risk Management and Risk Measurement
The distinction I draw between risk management and risk measurement argues for a subtle but important change in focus from the standard risk management approach: a focus on understanding and managing risk in addition to the independent measurement of risk. The term risk management, unfortunately, has been appropriated to describe what should be termed risk measurement: the measuring and quantifying of risk. Risk measurement requires specialized expertise and should generally be organized into a department separate from the main risk-taking units within the organization. Managing risk, in contrast, must be treated as a core competence of a financial firm and of those charged with managing the firm. Appropriating the term risk management in this way can mislead one to think that the risk takers' responsibility to manage risk is somehow lessened, diluting their responsibility to make the decisions necessary to effectively manage risk. Managers cannot delegate their responsibilities to manage risk, and there should no more be a separate risk management department than there should be a separate profit management department.
The standard view posits risk management as a separate discipline and an independent department. I argue that risk measurement indeed requires technical skills and often should exist as a separate department. The risk measurement department should support line managers by measuring and assessing riskāin a manner analogous to the accounting department supporting line managers by measuring returns and profit and loss. It still remains line managers' responsibility to manage the risk of the firm. Neither risk measurement experts nor line managers (who have the responsibility for managing risk) should confuse the measurement of risk with the management of risk.
1.2 Redefinition and Refocus for Risk Management
The focus on managing risk argues for a modesty of tools and a boldness of goals. Risk measurement tools can go only so far. They help one to understand current and past exposures, which is a valuable and necessary undertaking but clearly not sufficient for actually managing risk. In contrast, the goal of risk management should be to use the understanding provided by risk measurement to manage future risks. The goal of managing risk with incomplete information is daunting precisely because quantitative risk measurement tools often fail to capture unanticipated events that pose the greatest risk. Making decisions with incomplete information is part of almost any human endeavor. The art of risk management is not just in responding to anticipated events, but in building a culture and organization that can respond to risk and withstand unanticipated events. In other words, risk management is about building flexible and robust processes and organizations with the flexibility to identify and respond to risks that were not important or recognized in the past, the robustness to withstand unforeseen circumstances, and the ability to capitalize on new opportunities.
Possibly the best description of my view of risk management comes from a book not even concerned with financial risk management, the delightful Luck by the philosopher Nicholas Rescher (2001):
The bottom line is that while we cannot control luck [risk] through superstitious interventions, we can indeed influence luck through the less dramatic but infinitely more efficacious principles of prudence. In particular, three resources come to the fore here:
1. Risk management: managing the direction of and the extent of exposure to risk, and adjusting our risk-taking behavior in a sensible way over the overcautious-to-heedless spectrum.
2. Damage control: protecting ourselves against the ravages of bad luck by prudential measures, such as insurance, āhedging one's bets,ā and the like.
3. Opportunity capitalization:avoiding excessive caution by positioning oneself to take advantage of opportunities so as to enlarge the prospect of converting promising possibilities into actual benefits. (p. 187)
1.3 Quantitative Measurement and a Consistent Framework
The measurement of risk, the language of risk, seemingly even the definition of risk itselfāall these can vary dramatically across assets and across the levels of a firm. Traders may talk about DV01 (dollar value of an 01) or adjusted duration for a bond, beta for an equity security, the notional amount of foreign currency for a foreign exchange (FX) position, or the Pandora's box of delta, gamma, theta, and vega for an option. A risk manager assessing the overall risk of a firm might discuss the VaR, or expected shortfall, or lower semivariance.
This plethora of terms is often confusing and seems to suggest substantially different views of risk. (I do not expect that the nonspecialist reader will know what all these terms mean at this point. They will be defined as needed.) Nonetheless, these terms all tackle the same question in one way or another: What is the variability of profits and losses (P&L)? Viewing everything through the lens of P&L variability provides a unifying framework across asset classes and across levels of the firm, from an individual equity trader up through the board.
The underlying foundations can and should be consistent. Measuring and reporting risk in a consistent manner throughout the firm provides substantial benefits. Although reporting needs to be tailored appropriately, it is important that the foundationsāthe way risk is calculatedābe consistent from the granular level up to the aggregate level.
Consistency provides two benefits. First, senior managers can have the confidence that when they manage the firmwide risk, they are actually managing the aggregation of individual units' risks. Senior managers can drill down to the sources of risk when necessary. Second, managers at the individual desk level can know that when there is a question regarding their risk from a senior manager, it is relevant to the risk they are actually managing. The risks may be expressed using different terminology, but when risk is calculated and reported on a consis...