Managing differences between diversifiable and systemic risk

A hierarchical risk management system is not the best way to go. It is costly and the benefits are insufficient. Diversification suggests a different approach.

In a letter to JPMorgan shareholders published in the company’s 2012 Annual Report, CEO Jamie Dimon dreams the impossible dream. “Controls must match risk,” he writes, calling the idea “Risk Management 101.”

It was a poor choice of words, similar to Dimon’s “tempest in a teapot” comment about his bank’s London Whale disaster. Controls and risk are not symmetrical.

RM 101 teaches there are fundamentally two types of risk: those we can manage and those we cannot. Risks we can attempt to manage are ‘diversifiable.’ Risks we have to live with to be in business are ‘systemic’ or ‘irreducible.’ Combined, the two make up the external risk environment facing any particular business.

We can minimize risk but not eliminate it

Finance students are familiar with diversification – the idea that combining assets in a portfolio reduces overall risk. The portfolio should possess better risk and return characteristics than any single constituent asset.

Students also understand diversification effects are limited. At most, diversification reduces a portion of any portfolio’s risk. Systemic risk is irreducible; it exists as part of the system and is beyond the reach of risk reduction efforts. A good example of this idea is market risk. Another is uncertainty.

In the graph below, the pink area illustrates risk reduction through diversification. The blue area is systemic risk. The white area in between shows remaining risk to be diversified by the addition of assets. One obvious feature is that diversification quickly reaches a limit.

Any business is a portfolio of assets

In the 1950s and 1960s, a British psychiatrist named W. Ross Ashby (1903-1972) created a theory to describe the self-organization and control of complex systems. Ashby’s work is part of the ‘theory of machines’ that attempts to understand how things behave. His theory addresses the question, “What does it do?”

An important part of Ashby’s work is the law of requisite variety, which he laid out in his 1956 book, An Introduction to Cybernetics. For Ashby, ‘variety’ means ‘information.’ Ashby’s Law says, “in order to deal properly with the diversity of problems the world throws at you, you need to have a repertoire of responses which is (at least) as nuanced as the problems you face,” as one Ashby-inspired website puts it.

There are many practical implications of Ashby’s Law, but one in particular is of interest to risk management and risk management culture. If the external risk environment is more complex than the internal risk culture, a company’s risk management system must adapt or function inefficiently. Stuart Umpleby of George Washington University summarizes this nicely: “When confronted with a complex situation,” he writes, “there are only two choices – increase the variety in the regulator, usually by hiring staff, or reduce the variety in the system being regulated.”

Ashby’s Law is manifest in the current response to risk. According to The Wall Street Journal, one of the “hottest” career fields in business today is risk and compliance. Industry is seeing “a hiring spree.” HSBC announced plans in 2013 to “hire thousands of additional compliance officers,” reports Compliance Week. After JPM’s 2012 Report stated, “Our control agenda is now priority #1,” The WSJ reported JPMorgan “plans to spend US$4 billion and commit 5000 extra employees to clean up its risk and compliance problems.”

Facing an asymmetrical condition

Their work is cut out for them. The best risk management can do is attempt to deploy a strategy limited in its ability to pit a complex and nuanced internal system against the constantly-growing and evolving complexity of the external risk environment.

“Controls must match risk” is bad strategy because it cannot be achieved. The risk environment in which organizations routinely operate is almost always more complex than their risk management systems and risk cultures. Much of it is irreducible, if only because of uncertainty. Ashby’s Law means risk control cannot match risk perfectly.

We have discussed Frank Knight’s concepts of risk and uncertainty before. For all practical purposes, the amount of uncertainty corporations must manage is vast. This has interesting implications for the pricing of risk and for the calculation of its present value costs, but the corporate resources available for managing risk and uncertainty are comparatively limited.

The graph below illustrates the risk and control asymmetry.

This asymmetry means organizations must constantly improvise and innovate risk management systems. This is the fundamental reason why corporate strategy needs to extend (or ‘diversify’) risk responsibilities and culture beyond the C-level to include more of the corporate structure. The Board, the Audit Committee and the Risk Management Committee and their policies may be the repository of risk management sophistication, but they are too limited structurally. They are not the sole source of risk information. They cannot adequately match the complexity and nuance of the external risk environment, and are typically not up to the task.

A hierarchical risk management structure limits the ‘variety in the regulator’ and weakens risk strategy. There is a point of diminishing returns at which risk control efforts can be optimized. Extending the risk management culture and responsibilities further down in the organization consistent with that point helps increase the complexity of risk management systems.

More minds are better than fewer. Empowering this extended culture with risk management heuristics provides the necessary nuance to handle risk situations as they arise. A more robust system results.

A corporate risk management function and culture need to be as flat as possible. As the graph above shows, the risk reducing effects under a flatter structure are similar to the effects of diversification. The benefits of the approach can be understood in a similar fashion.

