The Harvard Business Review has an excellent article on "Six Ways Companies Mismanage Risk", by Rene Stulz, in its March issue. (Link is to the executive summary, which is available for free online.) The six ways are:
- Relying on historical data. The issue there is that you might not have historical data that is relevant for the situation at hand. For instance in the mortgage industry, "those data didn't cover a period during which the market saw a downturn while a large number of subprime mortgages were outstanding." In addition, risky asset classes tend to be correlated with each other (even more so in periods of crisis), which further increases risk in positions held by the banks. In a sense, financial innovation has made historical data useless, or downright misleading.
- Focusing on narrow measures. The author takes issue with the concept of daily VaR (Value-at-Risk). For instance, if a company's daily 99% VaR is 50 million dollars, there is only a 1% chance that the company will lose more than 50 million dollars in a day. But this is meaningless "when the firm is stuck with the portfolio for a much longer period"; in other words, the losses are not limited to a single day when it takes longer than that to unwind the positions. The author also gives an interesting example related to UBS and its failure "to keep up with the dramatic changes in market conditions." He further points out that VaR gives no idea of how large the losses can be once they exceed the 99% VaR, a fact that is well-known by now (I still don't understand why no magazine mentions the concept of Conditional Value-at-Risk, which takes the average of the losses in that 1% of bad cases).
- Overlooking knowable risks. This section abounds in real-life anecdotes about four categories of risk: (a) risks that are managed by another unit ("Risk managers often distinguish among market, credit, and operational risks, which they measure differently and in isolation."), (b) risks incurred by hedging (the example of high-yielding Russian debt, where hedge fund managers mistakenly thought they had hedged against default risk and exchange-rate risk, was quite enlightening), (c) market-concentration risks (the assumption that markets are frictionless, and what happened to LTCM), and (d) value-assumption risks (when "transactions are too infrequent to provide clear price signals").
- Overlooking concealed risks. Desk traders are rewarded for taking risks, and it is easier for them to take such risks if they are not well-monitored.
- Failing to communicate. The message there is that risk managers need to be able to explain what they are doing to the board and the CEO, and resist the temptation to "overstate the company's ability to measure risk." Again, UBS is given as an example.
- Not managing in real time. Risks in finance change very fast.
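The "narrow measures" point above is easiest to see with numbers. The following added example (mine, not from the HBR article or the post) computes historical 99% VaR and Conditional VaR for two constructed portfolios whose loss histories share the same VaR but have very different tails; the data and portfolio names are constructed for illustration.

```python
"""VaR vs Conditional VaR (expected shortfall) on historical loss data."""
import math
from typing import Sequence

# Constructed sample: 1000 daily losses in millions (positive = loss,
# negative = gain). 989 "ordinary" days spread evenly between -20 and +20.
BODY = [-20 + 40 * i / 988 for i in range(989)]

# Both portfolios share the same body and the same 11th-worst day (50M),
# so their 99% one-day VaR is identical; only the 10 worst days differ.
PORTFOLIO_A = BODY + [50.0] + [55.0] * 10                         # tail barely beyond VaR
PORTFOLIO_B = BODY + [50.0] + [60.0 + 30 * i for i in range(10)]  # fat tail: 60 .. 330


def historical_var(losses: Sequence[float], alpha: float = 0.99) -> float:
    """Historical-simulation VaR: the loss not exceeded on an alpha fraction of days."""
    s = sorted(losses)
    k = math.ceil(alpha * len(s))  # number of days at or below the VaR level
    return s[k - 1]


def conditional_var(losses: Sequence[float], alpha: float = 0.99) -> float:
    """Average loss over the worst (1 - alpha) fraction of days, i.e. beyond VaR."""
    s = sorted(losses)
    k = math.ceil(alpha * len(s))
    tail = s[k:]
    if not tail:  # alpha so high that no observed day lies beyond VaR
        return s[-1]
    return sum(tail) / len(tail)


def compare(alpha: float = 0.99) -> dict:
    """Map portfolio name -> (VaR, CVaR) at the given confidence level."""
    return {
        name: (historical_var(p, alpha), conditional_var(p, alpha))
        for name, p in (("A", PORTFOLIO_A), ("B", PORTFOLIO_B))
    }


if __name__ == "__main__":
    for name, (var, cvar) in compare().items():
        print(f"portfolio {name}: 99% VaR = {var:.1f}M, CVaR = {cvar:.1f}M")
```

Both portfolios report a 99% VaR of 50M, yet the average loss on the worst 1% of days is 55M for A and 195M for B, which is exactly the information a VaR-only report hides.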
The author does offer a few suggestions to improve risk management systems. In particular, he recommends performing scenario analysis, in the spirit of disaster management. His idea is that you shouldn't spend so much time trying to estimate the probability of a crisis, but should instead have a strategy in place for the day it does strike.