‘Re-rethinking’ the relationship between risk management and regulatory systems

The current context of regulation

Who’d be a regulator today?  As more and more regulatory initiatives run into trouble, it is harder than ever to get agreement domestically, let alone internationally, on what regulation in any sector should prescribe or proscribe and how it should operate.

In the UK, the findings of the inquiry by Lord Leveson into the culture, practices and ethics of the press in the wake of scandals around phone hacking have resulted in a furious round of negotiations during which the Prime Minister has given major newspaper editors an ultimatum: regulate yourselves or we will regulate you. The latter option, which has been referred to tautologically as ‘statutory regulation’ (all regulation that is not self-imposed – in which case it is not regulation – is based on statutory authority), has evoked howls of outrage concerned with the end of freedom of expression.

In Europe, talks have stalled on creating a single European supervisor for the region’s 6,000 banks; creation of such a supervisor is seen as a key part of a plan to address the eurozone debt crisis; yet it is the German finance minister, Wolfgang Schaeuble, who has expressed reservations most persistently.

In the UK, the appointment of Mark Carney as the next Governor of the Bank of England has led to renewed calls, this time from a former member of the Bank’s Monetary Policy Committee, US economist Adam Posen, that the restructured position of Governor, overseeing both monetary policy and financial stability and financial regulation and supervision, creates a concentration risk.  The Telegraph reports Posen as saying:

It will take a great deal of wisdom and restraint on Carney’s part to not let that lead to over-reach by one individual.

On the world stage, the international regulatory body that Dr Carney chairs, the Financial Stability Board, delivered in June 2012 its assessment of progress against the goals established for the FSB when it was established at the London G20 summit in April 2009.  The conclusion: lots of expressions of ‘progress’; not many real results were documented.  Crucially, real progress on new ways of understanding risk propagation in the financial network, transmission and systemic interconnectedness – what the main BIS paper on the topic refers to as:

methodological progress and modelling advancements aimed at improving financial stability monitoring and the identification of systemic risk potential

– has been limited.  The BIS paper concludes:

work should be conducted that incorporates contagion effects in funding markets.

I thought that was one of the key reasons FSF was re-constituted as the FSB. The screaming need for research on the complex adaptive systems of financial markets was clearly identified in 2009-10 by multiple reports on the crisis, not least in our review of supervisory requirements for systemic risk (here) and the excoriating attack by the Dahlem Group on the failures of conventional general equilibrium macro-economics to model financial stability.

In a commentary published this week in the UK, accountants Grant Thornton report on insurers’ views on the progress towards implementation of the comprehensive European insurance regulation, Solvency II.  Grant Thornton finds:

frustration within the insurance industry over the introduction of Solvency II is at an all-time high . . . although 99% of respondents thought that the principles behind the new regime were good, 82% felt that those principles had been ruined by the complexity of the implementation.

Oh dear.  This matters, first, because we all pay the cost of such initiatives through insurance premiums and secondly, because, unlike its banking predecessor, Solvency II is both a rationalist and objectivist management framework applied to the sector it regulates.  The Grant Thornton commentary finds that

Almost half of actuaries and risk professionals consider Solvency II to be a box ticking exercise, while 60% of actuaries and 20% of risk professionals consider Solvency II as more red tape from Brussels . . . The implementation process, the constant delays, the complexity of the regime and the quantity of man hours that have been expended preparing for Solvency II, have all resulted in a loss of the market’s hearts and minds.

This represents good regulation being lost in translation to regulatory interpretation, supervisory expectations and firms’ practical requirements.

In the UK again, a joint committee of both houses of Parliament is investigating banking standards, focusing on professional standards and culture and lessons to be learned about governance, transparency and conflicts of interest; they are to make “recommendations on legislative and other action” by 18 December 2012.  Any media coverage to date has made the Committee appear more intent on extracting embarrassing, monosyllabic confessions than understanding the complexities of operation of the financial services markets.

In the US, despite several well-researched and highly critical submissions (including ours), COSO has been redrafted with minimal change to the previous draft text issued in December 2011.  This is a lost opportunity of gargantuan proportions.  The regulatory role it now fulfils under §404 of the Sarbanes Oxley Act affords COSO a global reach across the world’s largest businesses in the vital area of internal control.  Yet, while at publication COSO offered new perspectives and genuine insight, in its regulatory application and practical implementation it has been shown to be a seriously flawed construction with unintended consequences that may dwarf any benefit it delivers through improved diligence in financial reporting.

Finally, in the UK, at a conference I chaired in November, the chair of the FRC Codes and Standards Committee, Jim Sutcliffe, stated that FRC would shortly publish a draft of updated guidance for directors on risk and internal control (i.e. Turnbull).  He indicated that no major changes were planned.  Again, a significant lost opportunity.

Rethinking risk management all over again (with apologies to Yogi Berra)

In a seminal paper in 1996 titled ‘Rethinking risk management’, US academic René Stulz proposed a goal for corporate risk management:

Primary goal of risk management is to eliminate the probability of costly lower-tail outcomes – those that would cause financial distress or make a company unable to carry out its investment strategy . . . while preserving a company’s ability to exploit any comparative advantage in risk-bearing it may have.

René went further, stating

Once a firm has decided that it has a comparative advantage in certain financial risks [“through its financial instruments and liability structure as well as its normal operations”], it must then determine the role of risk management in exploiting this advantage . . . Risk management may, paradoxically, enable the firm to take more of these risks that it would [otherwise].

In a paper a decade later discussing enterprise risk management or ERM (here), co-written with Brian Nocco, a senior US insurance executive, René repeated the essential message.  In that paper, the authors wrote that

companies should be guided by the principle of comparative advantage in risk-bearing.  A company that has no special ability to forecast market variables has no comparative advantage in bearing the risk associated with those variables. In contrast, the same company should have a comparative advantage in bearing information-intensive, firm-specific business risks because it knows more about these risks than anybody else.

The implications of this – the ‘paradox of risk management’ – were essentially repeated from the earlier paper:

One important benefit of thinking in terms of comparative advantage is to reinforce the message that companies are in business to take strategic and business risks. The recognition that there are no economical ways of transferring risks that are unique to a company’s business operations can serve to underscore the potential value of reducing the firm’s exposure to other, “non-core” risks . . . By reducing non-core exposures, ERM effectively enables companies to take more strategic business risk—and greater advantage of the opportunities in their core business.

Nocco and Stulz differentiated between what they called the macro and micro benefits of ERM.  To gain the micro benefits – improved decisions and aligning businesses’ risk-bearing with the risk interests of the corporate whole – Nocco and Stulz identified two essential disciplines for firms:

  1. The requirement to evaluate the marginal impact of a proposed project in terms of the firm’s portfolio of investments and risks, and
  2. Divisional performance evaluation linked to the cost of capital absorbed by the division to support the risks it is taking – allocating an imputed capital charge at divisional level, reflected in divisional managers’ performance.

The authors conclude that:

With the help of these two mechanisms that are essential to the management of firm-wide risk, a company that implements ERM can transform its culture. Without these means, risk will be accounted for in an ad hoc, subjective way, or ignored.

In this neat and defensible way, the authors defined the elements of a firm’s risk system; they segue from corporate systems of allocation and financial accountability to behavioural impact and change – from structure and analysis to behaviour.  The authors go on to note:

But if ERM is conceptually straightforward, its implementation is challenging.

Rather like regulation.

Time for a renewed regulatory focus on human & system behaviour

Many of the problems experienced in regulatory change in the UK and further afield come from losing sight of these simple but powerful insights about the behaviour of firms and people in firms, or of any complex behavioural system.  Culture change cannot and does not arise instrumentally through pulling ‘culture levers’ or driving ‘culture metrics’, nor does culture change because new policies are issued stating that it should.  It cannot be measured meaningfully among groups, only observed and reported, nor can results be compared quantitatively across groups; the psychometric tools on which individuals’ assessments are based are simply not robust to that form of aggregation.  Doing so is like saying that a psychopath and a sociopath can add up to zero; it just doesn’t mean anything.

Regulators must accept, however reluctantly, that culture emerges spontaneously from the history and multi-layered patterns of interactions between unpredictable human beings.  It cannot be prescribed, measured or ‘changed’; behaviours can change and be changed and a different culture – a different set of cultures – will emerge in a firm as a result.  Far too many regulators seem enthusiastic about meddling with culture which they can neither change nor control and which few appear to understand.  Indeed, the quotes from Grant Thornton appear to suggest that any cultural change resulting thus far from Solvency II – a genuinely objectivist regulatory instrument in the original – is not for the better.

This leaves regulators where they have always been: able to prescribe structure, analytic routines (though not the use of information; merely ‘that it be used’) and to influence behavioural routines.  Where these coincide, regulatory prescription and proscription remain feasible, but only within the limits of these core elements of structure, analysis (and reporting thereof) and behaviour.  For example, structure and analysis combine to indicate the allocative and decisional routines of the type described by Nocco and Stulz; from here, they observe, the behaviour results, the culture emerges. All regulatory initiatives must consider these core elements of the system; all too often, behaviour is overlooked and unintended consequences emerge.

Each of these elements exists in a context and faces resulting constraints: structure must follow company law and risk-bearing; analysis requires access to and a means to deliver relevant, accurate, repeatable and comparable data, the competence to manipulate the data and to interpret the results; behaviour requires cognizance of how people actually behave and the discrepancies between espoused and actual behaviours.  And all interact.

Regulation, its interpretation, application in firms, resulting supervision and enforcement all create a complex regulatory system of interpretation, implementation and operation that is an essential part of achieving any regulatory objective.  Regulators who claim that firms should simply have implemented the stated regulatory requirements better have only two feasible options: enforcement of pre-defined sanctions or additional regulatory intervention; ‘light-touch regulation’ and ‘self-regulation’ are and always were oxymorons.  They are merely ‘absence of effective supervision and/or enforcement action’ and ‘self-control’ respectively.  Regulations are made by regulatory agencies or other agencies with powers delegated under statute; but they are only as good as their enforcement.  It’s that simple.  Economic and legal scholars such as Gary Becker and Richard Posner have made this point consistently for decades. It should come as no surprise to politicians or regulators.

Regulatory regimes that kill off the patient through excessive ‘box-ticking’ bureaucracy or through managerial fashion – such as near-universal development of technically-flawed and meaningless risk matrices – have only their conceivers to blame.  Regulators must be aware of the commercial and human (including knowledge) contexts in which their regulation is implemented and adjust either their ambitions or their regulation accordingly.  Name-calling and mea culpas in parliamentary select committees after the fact are no substitute for thinking through regulatory systems in advance of implementation and close monitoring of their impact and outcomes relative to the objectives set for them.

Reconciling risk & regulation

Most importantly, firms responding to regulation must keep their commercial objectives, their risk-generation potential, risk-bearing capacity and risk absorption and transmission (i.e. through externalized individual or systemic effects of risk) front-of-mind; it is the transmission of risk to other parties that is the focus of regulation.  Both at regulators and in regulated firms, far too many regulatory initiatives are delegated to implementation teams whose task is to implement the regulation as written.  This is inevitably a mistake.  Most regulations should not be implemented as written, even in the febrile atmosphere of a financial crisis or a phone-hacking scandal.  They must be translated into the workings and operating routines of firms as they operate and, where necessary, that operation should adapt.  They must never be left to a ‘regulatory process’; this simply guarantees loss of boardroom attention, added cost, irrelevance and eventual transgression.

Whether it be a press regulator, a financial regulator, a corporate reporting regulator, a central bank or the FSB, any regulatory regime exists to manage risks, be they perceived or actual; manifest or imaginable.  A fuller and more honest appreciation of those risks and of the corporate routines for dealing with them is essential both to effective regulation and effective response to regulation.  Regulators and firms alike must consider the interplay of the risk and regulatory systems – the market and behavioural contexts within which risks arise and parties are exposed to the risks, how risks are recognized institutionally and are managed or transferred, how limit breaches and other violations are detected and punished, and the systems through which directors and executives receive assurance over the processes and outcomes.

Surely, the devil is in the detail, but someone must retain the ‘30,000 ft view’. Hence, Nocco’s and Stulz’s insight about the effect of marginal risk decisions (qua regulation) on the portfolio is essential – regulators must consider each new regulatory step in light of its combined effect with the existing body of regulation, implementation, supervision and enforcement. Regulators must address their risk at the system level.  The greater the energy absorbed in consideration of detail, the less is available for consideration of system operation and impact; attention to the macro and micro must be balanced.

The history of the last decade has been one of failed regulatory initiatives and/or oversight across a wide range of settings.  Regulation has proceeded with limited reference to regulated firms’ operating and risk systems or to the behaviour of firms and sub-firm ‘actors’; emphasis has been on application and process rather than outcome; sanctions have been almost non-existent. We now observe a crowded regulatory agenda and new-found enthusiasm for intervention as well as growing frustration among the regulated with bureaucratic implementation.  If regulators and firms do not refocus their efforts to the system level to concentrate sensibly and realistically on how regulation should operate in practice alongside and within the commercial risk-bearing systems of regulated firms – regardless of context – the next decade is likely to be no better.


We address many of the issues identified in this blog in a series of seminars on risk and risk-taking in January & February 2013.  For details, see here.


