The Risk Management Learning Center: Fill & Download for Free

I have a very long-winded answer.First of all, the goal of risk management is not to prevent disaster. Attempting that just chokes off innovation and blocks the profits you need to cushion the inevitable bad surprises. Instead, the goal is to come up with a coherent view of risk and ensure all stakeholders know it (they don’t have to agree with it) and accept a negotiated strategy for managing it. This clearly did not happen at JPMorgan.The basic story is a common one. The bank had more risk exposure than it wanted, in this case to European corporate credit risk. This is inherent to a bank’s business, part of its job is to understand credit risk and make bets on it. But it also looks for cost effective ways to lay off some of that risk, just like an insurance company might buy reinsurance against an unexpectedly large amount and and size of claims.JPMorgan appointed a trader to lay off European credit risk in an opportunistic manner. That is, they didn’t want him just to buy general protection at the going rate, but to pick and choose, buying protection when and where it was cheap, and retaining credit risk when and where protection was overpriced.The trader went further and actually sold protection when and where it was overpriced. His net exposure was still long protection; that is his positions made money in a general credit decline. And their net size was what the bank wanted. But their gross size was much larger, meaning he made large profits when credit didn’t move, if he guessed right about where things were overpriced and underpriced. Of course that opens up the possibility of large losses if he’s wrong.This happens all the time on Wall Street. Outsiders hate it. They see a guy hired to buy insurance who instead runs off to Las Vegas to make wild bets. They are appalled as the excessive gross leverage caused by long and short partially offsetting positions. But it’s accepted practice on Wall Street. You could hire a clerk cheaply to buy insurance in a systematic way, kind of like running an index fund. But leading financial institutions make their money by hiring top people and giving them the chance to make extraordinary profits for themselves and the bank; at the risk of costing extraordinary losses for the bank and losing their jobs. You can’t get top people to do rote insurance buying, and sending less than top people to financial markets with deep pockets is an invitation to get taken.One strategy used by the London Whale, in simplified form, was to buy underpriced credit protection on an index, then sell overpriced credit protection on some of the individual names that JPMorgan didn’t have exposure to. Another was to buy twice the amount of protection he needed in five year swaps and sell one time the amount he needed in a ten year swap. If credit spreads went up or down the position approximately broke even, because the ten year value moved twice as much as the five year. But in an actual default within five years, he collected twice and paid once, so he was insured. This captured the protection against actual default that JPMorgan needed, while not paying for—actually profiting from—ups and downs of market estimates of future default probability.This is what creates the need for sophisticated risk management. With individuals making large complex bets, it’s imperative that everyone understand the risks.There are three main risk management tools for this: value at risk, stress tests and scenario analyses. The London Whale always did fine on stress tests, and no one has questioned their accuracy. In any plausible combination of actual default events, even extreme ones, the positions made money in line with JPMorgan’s overall net exposure goals. A stress test is an instantaneous shock to market prices.Scenario analyses are stories of events in sequence; A happens, we trade B, C happens, we trade D and so on. These were more controversial. They did show some scenarios in which the portfolio had large mark to market losses, but not as large as actually occurred. This does not contradict the stress tests. You can have a position that makes money if a company defaults, and if it doesn’t default. So your stress tests are fine. But there might be intermediate times when default is uncertain where your position has large mark to market losses, for which you have to post cash collateral. Moreover, you might have a risk mitigation strategy that causes you to trade at unfortunate times; this does not affect the stress tests, which are shocks to existing positions, but it does affect the scenario analyses.Value at risk is estimated every day and tested rigorously against price movements. The existing bank VaR models were not working: they weren’t giving the right number of breaks, and the breaks had patterns. This is common, it means you don’t understand the center risk—the risk on most days. If you don’t understand the center risk, you can’t be confident you understand the tail risk. You’re not running under risk control.So you try to fix the VaR models in order to learn more about the center risk. The analysts discovered that the problem was the market prices were strongly affected by the London Whale trading, and by countertrading fighting his positions. There are two ways to think about this. You could say that it’s impossible to estimate VaR because it’s a self-referential problem; the VaR depends on our trading. That would normally lead to either trading being shut down, or a separate risk management framework being set up for the strategy that explicitly considered the issues raised by price impact.The other thing you could say, and this is what the risk managers chose, is to say the problem is with the prices we’re using to backtest the VaR. We need to explicitly adjust for liquidity risk and price impact. The danger here is that you’re now testing your risk assumptions against your opinions rather than objective market measurements. It’s not crazy, sometimes it’s the best thing to do when you have deep understanding of trading markets, but it’s always dangerous. After doing this for a while, the risk managers decided to stop.Okay, now what should have happened? The scenario tests showed potential mark to market losses large enough that this should have been on the list of things the Chief Risk Officer briefed top management, including the CEO, on. In my opinion, it even merited reporting to the risk committee of the board. The message would have been, “We have this highly successful European credit hedging operation that’s generating large profits, and gives us significant protection in a major credit downturn, as we want. But our scenario analyses show that it could have large mark to market losses an we should discuss right now whether we would tolerate $X billion losses during quarters without much change in overall credit, if we remained confident that the portfolio was doing its job. Moreover, limiting the losses assumes a certain trading liquidity that our VaR analyses suggest might not exist even in normal markets, much less during a crisis. In fact, we’re not confident about our VaR estimates, so there might be risks we’re missing.”My guess is the decision would have been made to retain the strategy, but to pull it out of the VaR framework in favor of risk management based on actual positions. Position sizes would have been cut, and the highest leverage parts of the strategy pruned. The result would have been a portfolio less vulnerable to mark to market attack; and if the attack occurred anyway, top management and the board would have been prepared to commit the necessary capital to defense.Of course, it’s also possible that the decision would have been to cancel the strategy; or to leave the strategy under the existing risk managers. But even in the latter case, the CEO would not have been surprised and embarrassed when the losses came to light. Arguably, that did as much damage as the losses themselves. Instead of denying the losses, he would have said they were part of a hedging strategy under risk control, that management and the board had confidence in, and that the mark to market losses were acceptable in light of the long-term program goals. Instead of doing a fire-sale at the worst time, the program could have continued until it returned to profitability, or been closed down deliberately to minimize losses.So how did the risk management message get lost in translation? I have some personal opinions based on discussions with people involved, but they’re just guesswork. In general, I think the line-level risk management was unimaginative and timid, but not incompetent. I think the actual trading was aggressive but not unreasonable if the bank had really been willing to back it up. I think more information filtered up higher than people later admitted. While top people were not informed as clearly as they should have been, this was more a problem of willful downplaying of risk than true ignorance about the situation.But I blame top risk management because it’s part of the job not only to inform people clearly, but to get them to acknowledge being informed. This is the only way to establish clear responsibility for risk. It’s not a question of pointing fingers afterwards, it’s making sure authority and responsibility are in the same place. As it happens, I think authority was pushed down too low, and responsibility pushed up too high, so when losses mounted the people in a position to do something about it didn’t feel responsible, and the people responsibility didn’t have the ability to fix it.

I was about to have a minor surgery. The friend who was caring for me right after surgery went with me to a consultation about the surgery. We both worked in medical records, so were regularly schooled on HIPAA.We were in a tiny office with this sour old nurse while the surgery center was wrapping up for the day and prepping for the next day. A nurse at the counter out front had a question about a surgery the next day. She interrupted our meeting by calling out to sourpuss (she could see us sitting there), and asked about “John Smith’s” such-and-such surgery. My friend and I just looked at each other with appalled expressions.The next day while I was being prepped for surgery, I was left alone and was pacing around the room. There was a computer on the counter with a full screen of information open for viewing. I thought it would be my information that was available on the screen, so I took a look. It was a list of all of the surgeries at the hospital that day. Names and procedures.I wasn’t damaged by these actions and I certainly had no intention of using anything I had learned, but these practices were outrageous. When I went back for my follow-up, I made a stop at the Risk Management office to file a report. They had folks who understood privacy.Later I was talking with my next door neighbor (a nurse at the hospital) and found out she had transferred from the ED to Risk Management because of an injury. “Small world,” I said and then explained I’d been in to file a report about the things I’d experienced and wondered if she had processed it. She said she knew I’d filed a report, bur not what was in it. It had been assigned to her for evaluation, but as soon as she realized she knew the reporting party well, she closed the file and had it re-assigned.Having been in the hospital several times since then, I can say that my report definitely got some better practices put in place.

A strong wind could’ve toppled the 59-story Citicorp Center, but the construction flaw wasn’t noticed until a Princeton University student raised concerns a year after its 1977 opening. To avoid panicking New York City residents, workers labored only at night to make emergency repairs, and the secret was kept quiet for decades.The civil engineering student, Diane Hartley, contacted Citicorp’s architects to ask why she couldn’t get the math to work on her research paper about the building’s design. Hartley assumed her calculations were in error. They weren’t. Instead they revealed that the building’s unique configuration — perched on four stilts — made its corners vulnerable to wind load.Making matters worse, when architects looked further into the situation, they learned that a hasty change during construction — in which beams were bolted rather than welded as originally planned — further heightened the risk of catastrophic failure.It would take three months to make the repairs, and in the meantime, emergency management agencies put into place a plan to evacuate a 10-block radius of the building should it be necessary. At the darkest hour, Hurricane Ella threatened the East Coast. But fortunately the storm never made landfall. The repairs were made and the public was none the wiser.There are more amazing details to this compelling story which I highly recommend hearing via the podcast “99% Invisible.” The episode (#110) is called Structural Integrity.EDITS: Links to first-person narratives.The building’s designer, structural engineer William LeMessurier, recounts the crisis during an in-depth presentation at MIT in 1995:Interview with Diane Hartley: