It’s All About Risk

I like to break economic systems, like business firms, down into sets of roles and routines. For all the gory details of this you’ll have to wait for my book on the somewhat grandiose topic of the theory of the firm, but for now I want to take a stab at bank reform through that analytical lens.

All risk management, and the supervision of banking is at its core an exercise in risk management, has to balance two methods of control. This balance van be captured by the question: how much latitude do we extend managers?

In my framework this question becomes one of establishing the proper mix of roles and routines. All economic processes, the long series of activities that ‘gets something done’, can be decomposed into separate steps. each step is either a role or a routine.

“Having a mix of roles and routines is essential. No system can survive through time if it utilizes only one or the other”

Roles are points of discretion. They are, as the name suggests, embedded in jobs that people have. We speak of so-and-so playing a certain ‘role’. A role in this context is a decision making nexus. It is a point in a process where an inflection can be introduced or an adaptation to new circumstances made. Assembly lines have very few roles because each step is inflexibly fixed as part the necessary sequence of production. Football teams have many roles because the fluid nature of the game requires constant re-calibration.

Routines, as you may have gathered, are the points of non-discretionary action. the activities implemented as part of a routine are fixed. There is no latitude. An assembly line worker performs a routine because the process is fixed: there can be no improvisation. An American football quarterback often has to improvise in the face of a changed game situation even though the original ‘play’ sent in by the coaches is analogous to a routine. So the quarterback is fulfilling a role.

Having a mix of roles and routines is essential. No system can survive through time if it utilizes only one or the other.

The press of competition sets up a bias towards routines in all decision making systems: they are efficient because they lack redundancy, they are specific, and they are easily replicable. This makes them cheap. Routines do not consume lots of resources. So they are abundant in the world. The natural world is full of routines: DNA and all genetics are based upon the fulfillment of specific tasks, these tasks are routines that living things execute in order to survive. Adaptation comes from the selection down of routines that perform well in the prevailing environment. Changes in the environment often call for new routines, and so if such routines exists, as they often do simply through chance, the system endowed with those new routines will flourish at the expense of those unfortunate enough not to have the new routines. Businesses too have a bias towards routines for exactly the same reason: they are easy to institute, replicate, and manage. More to the point they have entirely predictable outcomes. Execute routine ‘A’ and you will always get product ‘X’. Always. Managers love that predictability.

Roles enter into nature with the emergence of self-conscious decision making or cognitive skills. Roles endow their owner with an additional defense against environmental change. Now, rather than simply relying on pure chance in order to own the right routines, a system can adapt by trying to develop survival routines. In other words the system can ‘think’. The problem with roles is that their outcomes are unpredictable. And they are costly to maintain since they are inherently redundant and consist of expensive cognitive machinery: think skilled rather than unskilled labor.

What’s this all got to do with risk management?

As I said: all risk management must balance roles and routines.

If the environment is highly uniform and therefore eminently predictable the risk system should be built from routines. Bank capital standards can be set in stone; banks risk managers can establish ‘cast-in-stone’ risk assessment rules and so on safe in the knowledge that these rules will cover all eventualities. The main management issue then becomes enforcing the rules. Similarly the regulatory regime needs little latitude: once the rules are set the regulators can go about auditing banks to make sure that compliance is high.

The problem we face is that we don’t seem to live in such a world: the environment is always changing.

I believe that such change is an inherent property of all complex systems such as an economy. Competition begets reaction, which begets adaptation, which alters the prevailing environment for competitors, which instantiates a new reaction and so on. Once the machinery of complexity is unleashed it never stops.

As a result any regulatory or management regime has to accommodate constant adaptation. Else it will fail. It therefore needs to introduce sets of roles or discretionary decision points in order to allow for systemic development.

And therein lies the trick.

Too many roles implies too much discretion and the chances are high that the system will be inefficient and possibly may fly off on a self-destructive trajectory. Such systems may become random: the absence of rules means that they lack all coherence.

Too few roles and the opposite risk emerges. Rigidity in the face of change is equally as destructive. Systems consisting entirely or routines cannot bring about change from within themselves. They lack flexibility and therefore become brittle.

Deep within any regulatory or management solution therefore is a choice about the mix of roles and routines.

This is apposite right now as the administration and other governments worldwide try to learn from the current crisis and establish the new mix going forward. there seems to be a prevailing wisdom that not enough attention was paid to systemic features of risk. In other words the old regulatory regime focused too much on the ‘safety and soundness’ of individual banks, and not enough on the disruptive ‘system wide’ or ripple effects that particular banks may have had. So ‘systemic regulation’ is all the rage.

We can expect a flurry of new routines to manage and control systemic risks. In some quarters this new regime is called ‘prudential regulation’ as if all regulation should not be ‘prudential’!

It is natural for risk managers to see all things as risks to be managed. It’s what they do. But beyond risk lies uncertainty and ne’er the twain shall meet. As Frank Knight taught us risk and uncertainty are two different concepts. Managing uncertainty as if were risk is an illusion.

Let me explain: risk is something that I can put a dimension to. I do not know for certain that an event will occur, but I know that it will occur with a predictable probability. I can therefore analyze likely outcomes in the context of this probability: I have a known ‘risk profile’. But there is no known risk profile for many events. I have no basis for attaching a probability to their outcomes. that makes them uncertain.

Returning to risk management: a regulatory regime has to cover both risk and uncertainty. Routines are ideal instruments for quantifiable risks. I can establish capital ratio requirements within the parameters of an economic risk profile that covers, with a known error rate, all circumstances. Uncertainty I cannot manage in tis a priori fashion. For that I need roles: they give me ad hoc latitude to make appropriate changes as the circumstances arise.

A good example of the mess that set rules can make stems from the ‘Basle 1’ system. Basle 1 refers to the internationally accepted capital ratio rules for banks adopted during the 1980’s. It treated all mortgages as equally risky and therefore allowed banks to set up capital against prime and non-prime mortgages as if they had identical risk profiles. This was clearly a failed routine. Anyone following this routine would inevitably end up under-providing capital if they held sub-prime mortgages.

The lesson is that you cannot legislate a priori to cover all eventualities. There has to be sufficient scope for adaptation.

So.

Turning to the recently released set of proposals from the administration: it seems to me to be a bureaucrats heaven. It is a smorgesbord of rule changes. Lots of them. But it leaves the crucial and pivotal role definitions very vague. It looks like the result of an auditor convention. Every conceivable situation that has recently gone wrong is mentioned along with a corrective routine to be adopted.

Great.

But that assumes that the list of ‘conceivable situations’ is exhaustive.

And the one thing we know is that it isn’t.We know far less than we think we know.

That’s why roles are so important. They allow a system to learn.

Roles are a risk management system’s safety valve. I don’t see enough of them in the proposed legislation.

That’s why I think it will be insufficient.

Print Friendly, PDF & Email