Financial risk management has become ritualised. It is more important to follow the correct procedures than to control essential risks. Why and what does it mean for us?

A couple of weeks ago, I participated in a conference panel on state-of-the-art methods for measuring risk and got three excellent questions:

  1. “Do financial regulations and risk management practices make use of state-of-the-art methods?”
  2. “And if not, will that change?”
  3. “Will regulations use modern concepts of uncertainty in their work?”

My answers to these three questions were no and no and no.

It took us a long time to get here. A hundred years ago, financial institutions were left to manage their own risk the way they saw fit. Regulations targeted activities, not risk. It remained that way until the 1980s when finance was increasingly globalised, and activity restrictions were seen as old fashioned. The solution was controlling risk, helped by computerisation and new statistical techniques. If you want the starting date, Basel I in 1991 and the 1996 market risk amendment to it is a good one.

Since then, the regulators have assumed increasing control of how risk is measured and managed, a trend that shows no sign of letting up.

The 2008 crisis illustrates the drivers nicely. One of the main causes of the crisis was bad risk measurements. That had to be fixed.

There are two lessons that could have been drawn. Either the old way was fundamentally sound but implemented incorrectly, or the old way was unsound and needed to be changed. The first lesson prevailed.

Today, almost every financial institution is hyper-compliant. They have to. Their very existence, and license to operate, depends on it.

Is it ritual for ritual sake or does it make the system more safe and efficient?

Financial regulations or internal risk management in banks, tend not to use modern risk measurement techniques. I suspect few statistical methods in day-to-day use in financial risk management are younger than 30 years, emphasising the state-of-the-art circa 1990. And that is not likely to change.

Why? Models used in regulations aim at aim at consistency, standardisation, comparability across enterprises and verifiability, which tends to lead to the lowest common denominator. The easiest to implement and monitor. Ease of implementation and compliance monitoring trumps other considerations.

What matters to both the regulated and the regulators is compliance. The controls make it less likely any individual bank gets into trouble, which both parties like, and the costs get passed onto the clients. Compliance costs also create a comfortable barrier to entry, protecting incumbents.

But ritual risk control does nothing to make a major crisis less likely. The same ritual, followed by all, guarantees that shocks are shocks to all and increases their severity. But of course, no-one can be blamed for the crisis that the risk ritual did not predict — collective failure covers individual failure — and these costs will be passed on to taxpayers. Crises do not much affect incentives for regulator or regulated.

Ritualised risk management contributes to short term stability but will also contribute to the severity of the next crisis — low volatility and thicker tails.

Weather using all the state-the-art techniques would improve things is a different question for a later date.