Adam Litke is the Head of Enterprise Risk Services for Bloomberg. He is responsible for developing Bloomberg's strategy around risk models and software. Prior to this Litke was the head of Market Risk for the Securities and Investment Group of Wells Fargo and head of Market Risk for Wachovia where he managed market risk activities including quantitative risk management, counterparty risk modeling and direct management of market risk. Before that, he worked for Barclays Bank, PLC as the head of Market Risk in the Americas and head of Market Risk for Global Financing. Litke also served as the Global Head of Market Risk for Swiss Re Financial Products, and spent several years in various management roles with BNP Paribas.
Christopher P. Skroupa: How often should a company visit and refresh its risk management strategy?
Adam H. Litke: The simplest answer is: all the time. What I mean by this is that when you run a business you don’t live in a static environment. Whether you’re an auto company making a new car, or a bank that’s entering into a new type of trading or a new type of lending, that’s changing. The regulations around you are changing. Every time something changes, you need to make sure your risk management process keeps up with it.
Not every kind of change requires a whole scale refresh, but you need to refresh the risk management that touches on those areas that are changing as you go. If you don’t, you will end up with corner cases where you don’t know what’s happening. A refresh is different from a top to bottom review. Most businesses undertake some sort of strategic top to bottom review every five years or so. Sometimes they’re really in depth, and sometimes they’re less in depth. Risks should be part of the review, and the idea is to see if there’s been some gradual change to your business as opposed to a step-change.
A step-change would be, let’s say a bank wants to trade in a new market. It’s a US bank that has never traded in the Philippines, and wants to open up a trading desk. A gradual change would be a trading desk that slowly gets permission to trade new products and as they trade new products, their emphasis ends up changing completely. For example, somebody traded stocks, and then got permission to trade a few options. Five years later options become the main thing they are trading, and stock trading is less prominent. The risk management framework for that desk should be different, but the firm might not have kept up with it because the change was gradual.
It’s the same reason every time you see a new CEO come into a company they start to look at everything, changing divisions, reorganizing. Part of it is to put their stamp, and part of it is to say, “I’ve been doing a whole bunch of stuff, it worked for a long time, is it still the right thing to do?” This is what CEOs do when they take over because it’s easy to make change when you have other change going on. Still, a periodic review of business operations ensures your risk management procedures are up to date. When you’re managing a business you don’t want to operate with a false sense of security because you didn’t assess the effect of gradual change on the company’s risk exposure.
Skroupa: Some people feel the board shouldn’t be involved in risk management, but there are people who say the board should be involved regardless. What’s your opinion on this?
Litke: Well I think you’re missing a big one, which is that the board is supposed to set risk appetite. Risk appetite could mean a lot of different things. It could mean building a building, and deciding how much insurance to buy. It could be deciding whether or not to build a building and how much leverage to use. Every board in every company should understand where they’re willing to take risks. You could have someone who sells produce for instance. What level of supply chain control do they want to have to make sure that they don’t have a food poisoning outbreak?
Well, it costs money in order to have that supply chain control. So your risk appetite is how much am I willing to trust these other people to do it versus how much do I want to spend on control? It’s the board’s job, not management’s job, to say if they are willing to take a certain amount of monetary or reputational risk in any given area. It’s management’s job to figure out how to do the business and set the strategy.
Let’s say I want to go sell lettuce. There are two parts to selling lettuce – what are the basic economics of selling lettuce? I have to go and buy it from someone who grows it, I’ve got to ship it, I’ve got to get it in the stores, I have to promote my lettuce. There’s a second question: did the person I bought the lettuce from have proper controls on how they made sure that what they were selling me was clean. I can ask them, I can just say whoever gives me the best price gets my business, or I could say, “You know what, we’re the board and we want to make sure that you manage it and have control.”
Risk is inherent in any activity, any investment and any business. I could imagine that a board would just leave that up to management because ultimately that’s a risk reward decision within the approved risk appetite, so you’re not telling management on approving this business based on the fact that I like the risk reward tradeoff. You’re simply saying, as a board, I’m willing to accept this much risk in these types of areas. However, that has to happen for any business. There is no business with no risk. There might be a business without market risk or credit risk but there is no business without risk.
Skroupa: Moving on to the last question, it’s almost a cliche to say “expect the unexpected” but when trying to prepare for anything in risk management, there’s a certain sense of how do you anticipate something that has never been encountered before? As far as prioritizing a contingency plan for an extremely unlikely event, how important is that for a company?
Litke: I think it depends on the type of event. So you have to have a plan for every type of event but sometimes the plan is not event specific. Let’s say you look at a firm before the housing crisis. You can say there’s never been a crisis like the 2008 financial crisis. Management should have asked the question, “Under what circumstances is a business of this size going to get us in trouble?” They could then have decided how much risk they want to take for that extreme and unlikely event.
They might say, “Well there’s a one in a thousand chance that might happen.” I would doubt that any human can estimate a one in a thousand chance, but let’s say that’s it. Then they have to make the second choice: do we want to plan for it, do we want to accept that it might happen and might knock us out of business, or if it happens there are things we will have to do to deal with it but we have a general playbook for any crisis and things fall into different levels. Firms have disaster recovery plans.
Having to declare a disaster and use your disaster recovery plan is a rare event. In the first part of my career from 1987 to 2001, I had never seen a firm actually have to declare a disaster. Then we had 9/11 and a lot of firms had to declare disasters. Since then we’ve had Superstorm Sandy in the U.S. and Fukushima in Japan, and lots of other firms had to declare disasters. I’m talking about financial firms. Non-financial firms have had their own sets of disasters to manage.
We can see that these are events for which people had to be prepared and some are more extreme than others. Most businesses should have a plan for responding to disasters or other events that interrupt normal business operations, affects supply chain, or the safety and security of employees.
Risk factors can also come from within, unfortunately and are less obvious. There might be something like an HR crisis such as the one we’re seeing in the news today. A business might not have a plan for responding to an employee who acts inappropriately, or steals, or loses confidential company information. You’re going to need a crisis management plan for these types of events but the plan may not specify every step you need to take to handle a particular type of crisis. There are different types of planning but that doesn’t mean you should be spending an extraordinary amount of time thinking about this exact details of crisis response in the ordinary course of business.
However, you do have to classify the “what could kill me” scenarios and then decide if the “what can kill me” event is acceptable. Every day I get up in the morning and I ask, “What can kill me?” Smoking cigarettes can kill me, and so I don’t smoke cigarettes. Slipping and falling in the shower can also kill me, and I say I’m willing to take that risk. I don’t have a contingency plan for slipping and falling in the shower. There are different levels of risk and there are different levels of things that you just accept as a course of life. So you have to acknowledge it and then have to decide if that is an event which you want to have a plan for.
Skroupa: That’s great, thanks Adam. Do you have any final thoughts for us?
Litke: You can plan for the worst, but you shouldn’t spend all your time thinking about what a worst case scenario might be. If all you ever did was protect yourself against the worst, especially as a business, you would never make any money. If all you did was say the worst thing could happen you would take no risk, if you take no risk you earn the risk-free rate, by definition you are a savings account, not a business. To be a business you have to take some risk and I think that’s important for people to know.
There is no such thing as no risk. You can only decide which risks are worth taking.
Adam Litke will be a moderator for The Fundamental Review of the Trading Book: New Regulatory Capital Rules and Their Impact on Banks and Customers at The New Era for Regulatory Risk on November 30 in New York, NY.