Article from the book Values and Ethics for the 21st Century

The Ethics of Risk Management: a Post-Crisis Perspective

The recent financial crisis has been different from those in the past, with regard to the prominent role played by risk management. In view of this novel factor, it is pertinent to identify the ethical issues presented by risk management and examine how these issues should be addressed. Specifically, this article considers the social impact of risk management, the implications for the accountability, responsibility and regulation of financial institutions, as well as problems in the practical application of risk management techniques. With the benefit of hindsight after the recent financial crisis, it is now possible to begin the critical task of recognizing the challenges of using risk management responsibly.

The financial crisis from which the world is slowly emerging has not only destroyed an immense amount of wealth but also profoundly impacted people’s thinking about our financial system. Like the Depression of the 1930s, the crisis that commenced in 2007 has left a deep, indelible mark on the social, political, and economic fabric. This crisis has also occasioned a searching examination of its causes, remedies, and consequences. Despite an outpouring of scholarly research, journalistic reporting, government investigation and industry self-examination, much still remains uncertain about what happened and how to prevent a recurrence.

The recent financial crisis followed a very familiar script: the bursting of an asset-price bubble precipitated a near breakdown of the banking system. Such crises have occurred with relentless regularity. The book This Time is Different: Eight Centuries of Financial Folly (Rogoff and Reinhart 2009) amply demonstrates that financial crises are remarkably similar, even to the belief that high asset prices are justified this time by some new development. However, this time was different regarding a factor that did not, by itself, justify the asset price bubble but that facilitated it and contributed as well to the resulting banking crisis. That factor was risk management, which has come into widespread use only in the past two or three decades.

That risk management was a novel factor in the recent financial crisis is beyond dispute. The more controversial and unexamined question is whether the use (or abuse) of this valuable resource has anything to do with ethics. And if it does, what are the ethical issues in the use of risk management, and how should these ethical issues be addressed? These are the questions examined in this chapter, and because of the answers offered, ethics in the twenty-first century must take account of the need to use risk management responsibly, with attention to the possible ways in which it can be misused to devastating effect.

The role of risk management in the crisis

Risk management in some form has always been a part of finance. J. P. Morgan once remarked, “The fact is that bankers are in the business of managing risk. Pure and simple, that is the business of banking” (Buder 2009, 143). Managing risk is also the traditional province of the insurance industry. In his book Against the Gods: the Remarkable Story of Risk, Peter Bernstein (1996b) dates the development of risk management to the Renaissance period with the discovery of the mathematics of probability. Despite this long history, modern risk management began around 1970 with theoretical advances in finance, including modern portfolio theory, the capital asset-pricing model, the Black-Scholes-Merton option pricing model, and the efficient market hypothesis. Building on this theory, practitioners transformed risk management in finance by developing sophisticated mathematical models for asset pricing, portfolio risk assessment, and a host of other matters. The distinctive feature of risk management in finance is the ubiquity of mathematical models of all kinds.

Risk management played a role in the recent financial crisis, first, by facilitating the construction of collateralized debt obligations or CDOs, which are securities that bundle together large numbers of loans and divide them into tranches with different risks and rates of return. These securities would have been impossible to construct without mathematical models to determine the risks and hence the appropriate prices for individual tranches. The rating agencies relied on the same or similar models to rate these new securities. More mathematical models were needed for the construction of other exotic financial instruments, such as synthetic CDOs, which are second- and third-order derivatives based on CDOs, and credit default swaps, which are essentially insurance policies on debt instruments that can be purchased by any investor, even those who do not hold the loans or securities being insured. Not only did the major banks issue CDOs and other securities, collecting hefty fees for doing so, but they also held many of them for their own account and used credit default swaps issued by other firms to insure their positions.

A second use of risk management occurred when banks assessed the risk of their portfolios, which included large volumes of CDOs and other similar securities. Although they assumed very substantial risks by leveraging their capital – in some instances more than thirty to one – the banks were able to do so with great confidence because they measured their risks very precisely by newly developed model-based techniques. In particular, value at risk (VaR) became a widely adopted tool for determining the risks posed by a bank’s portfolio. Developed at the request of the CEO at J.P. Morgan, who wanted a single measure of the bank’s total risk at the end of each trading day, VaR provided all subsequent users with a great sense of confidence that their firm’s risks were being managed prudently. This sense of confidence was also shared by regulators, who, under the guidance of the Basel II Accord, set minimum capital requirements – and hence the permissible amount of leverage – on the adequacy of a bank’s risk management systems. Under Basel II, this kind of risk-based regulation of capital requirements replaced a rule-based system in which fixed minimum levels were applied to all banks.

Beginning around 1995, this revolution in risk management spread beyond financial institutions and was adopted by a broad range of business firms as integrated or enterprise risk management (ERM). This new development is described by one writer as involving “the identification and assessment of the collective risks that affect firm value and the implementation of a firm-wide strategy to manage those risks” (Meulbroek 2002, 56). Guiding the development of ERM was the belief that all kinds of risks – which are commonly classified as market, credit, and operational risks – could be managed in the same way regardless of the line of business. For financial and non-financial firms alike, the goal of ERM is to maximize the value of the enterprise by shaping the firm’s risk profile. This consists of identifying all the risks faced by the firm, including their likelihood and potential costs; determining which risks to assume and which to avoid or shift; targeting an acceptable level of risk; developing a plan to keep risks within the preferred limits; and carefully monitoring the implementation of this plan. The main tools for implementing ERM are financial instruments to hedge or transfer risks, operational changes that avoid or reduce risks, and capital reserves to avoid insolvency in cases of loss due to risks.

Ethical issues in risk management

It seems only prudent to manage risk. This is certainly true if the only alternative is a return to the superstition and blind acceptance of fate that Bernstein describes in Against the Gods. The development of sophisticated risk management techniques based on a mathematical treatment of probability has been a decided boon for mankind. However, important questions can be raised about the general enterprise of risk management because, as Bernstein cautions, risk management could become “a new kind of religion, a creed that is just as implacable, confining, and arbitrary as the old” (Bernstein 1996a, 47). An overreliance on numbers may lead to errors as serious as those committed by ancient priests who relied on omens and offerings. As Niall Ferguson (2008) has quipped, “those whom the gods want to destroy they first teach math.”

Modern risk management is a distinctive recent historical development in which certain kinds of risks are treated in a certain manner by certain actors for certain ends. There is no question that risk ought to be managed, but it matters immensely which risks are managed, by whom, with what means, and for whose benefit. In modern risk management, the risks in question are losses to a firm and its shareholders, and the risks are managed by senior managers, including, in some firms, a chief risk officer. The standard categories of market, credit, and operational risks are commonly addressed today by traditional insurance, financial instruments, operational modifications, and capital structure. The goal of modern risk management is to maximize firm value by shaping the risk profile so as to avoid or reduce some risks, transfer or hedge others, and retain those that constitute a firm’s core business or else cannot be avoided or transferred. A firm’s risk profile represents its appetite or tolerance for risk in ways that take maximum advantage of its core competencies, available capital, and overall strategy. Although risk management in some form has long been practiced, its modern form is distinguished by the systemic manner in which the categories of risks have been expanded and all risks are considered together at the highest levels of management, instead of being treated separately in silos by lower-level personnel. This transformation has been facilitated by developments in computers and information technology, along with theoretical advances in finance, which are the basis, in particular, of sophisticated financial instruments.

From an ethical point of view, the crucial characteristic of modern risk management is the way in which multiple risks that affect everyone in a society are made the province of corporate decision making and subjected to the conditions of decision making in such narrowly economic enterprises. The risks of business are of concern to everyone, and yet in modern risk management, the task of identifying these risks, deciding on their treatment, and, perhaps most important of all, shaping a risk profile that reflects a firm’s own risk preference are delegated by society to business corporations. Risk-management decisions inevitably involve a selection of the risks to be managed, choosing some and ignoring others; and the means chosen for managing these risks involve costs and benefits, which are distributed, often unequally, among different groups that are impacted by corporate activity. Modern risk management has arisen, in part, to meet a demand by society that business take greater responsibility for the management of risks, but this response by business has ethical implications insofar as it involves an allocation of the responsibility for managing risk between, most notably, corporations and government. The rise of modern risk management has further implications for the way in which government regulates business. Finally, questions of ethics arise about the specific techniques of risk management, especially given their central role in the recent financial crisis.

These points can be organized under three broad headings: the ethical implications of the impact on non-corporate constituencies from the adoption of modern risk management; the ethical implications of the allocation of accountability, responsibility, and regulation that such an adoption entails; and the practical application of risk-management techniques. To speak of the ethical implications in connection with risk management is not necessarily to be critical of this development, which overall has proven very beneficial. However, these ethical implications have gone largely unidentified and unexamined, and a consideration of them is especially urgent in view of the role of risk management in the recent financial crisis.

Impacts on non-shareholder constituencies

Risk management is undertaken to increase the value of a firm, with shareholders as the direct, intended beneficiaries. Although finance theory suggests that shareholders derive no benefit from the management of risk because they can adjust their own portfolios to achieve any desired risk profile, advocates of risk management cite numerous sources of added value, many of which shareholders cannot realize on their own. Chief among these sources of value creation are the contributions of risk management in limiting volatility of earnings, reducing tax liabilities, ensuring internal funds for investments, providing cost savings from managing all risks together, and lowering the amount of equity required to secure a desired credit rating. Perhaps the main source of added value, though, is the role of risk management in reducing the probability and the severity of financial distress, especially from the kind of low-probability, high-cost outcomes that produce unexpected collapses. René Stulz (1996, 24) characterizes such investments in risk management as the purchase of well-out-of-the-money put options designed to limit downside risk.

All corporate decisions, and not only those about risk, affect non-shareholder constituencies (which are also referred to as stakeholders). Decisions about the management of risk, especially those aimed at preventing financial distress, generally benefit non-shareholders along with the intended beneficiaries. Indeed, they may derive even greater benefit than shareholders with respect to financial distress since shareholders with limited liability can lose only their investment whereas the losses to employees, suppliers, customers, and community members can be large and are essentially uninsurable. Despite the obvious benefits of risk management to non-shareholder constituencies, they are also liable to be harmed in some ways from a firm’s risk-management activities. They suffer impacts that arguably ought to be considered in a firm’s decision making. As Lisa Meulbroek (2002, 65) has written: “Risk management is not only a decision about how much risk the firm should bear, it is also a decision about how much risk the firm’s customers or suppliers are prepared to bear. As a more general matter, suppliers, customers, community members, firm shareholders, and employees are all risk bearers for a firm. Managers must determine the optimal level of risk for all parties and consider not only how each individual risk affects the firm’s total risk exposure, but also evaluate the optimal way of managing and distributing those risks.”

Despite this argument for considering the impacts of risk management on all affected parties, firms generally practice risk management only with a view to the firm’s own objective, which is to say shareholder wealth maximization.

Whether managers should consider non-shareholder constituencies in practicing risk management or, indeed, in all decision making is a question at the heart of the debate over corporate social responsibility. That debate aside, the same finance theory argument supporting the claim that shareholders are unaffected by risk decisions applies to non-shareholder constituencies inasmuch as they, too, can adjust their own financial situation to achieve a desired risk profile, or so the argument claims. Since much of the risk that they bear with a firm is non-residual in character, the argument contends that they are vulnerable only in the event of insolvency, so any risk-management activity that affects only residual returns should leave them unaffected. This argument is even less persuasive in the case of non-shareholders than it is for shareholders not only because the costs of the possible adjustments may be very high but also because the means for making such adjustments may be unavailable. Moreover, shareholders incur their losses voluntarily and with compensation, whereas the impacts of financial distress on non-shareholder constituencies may occur without their consent and without the potential return that shareholders enjoy from the risks that are incurred by a firm. Thus, any impacts of risk-management activity on non-shareholder constituencies are causes for ethical concern, regardless of whether they ethically ought to be considered in a firm’s decision making.

What specific impacts can a firm’s practice of risk management have on non-shareholder constituencies? First is the obvious point that a firm identifies only those risks that create a potential loss for the firm itself and ignores any impacts that are borne solely or predominantly by other parties. This category of risks is indefinitely elastic as firms succeed in their relentless quest to externalize costs and to exploit situations of moral hazard. This category also includes systemic risk, which is not only beyond the power of any one firm to manage but is also a risk that affects all groups in an economy. In the recent financial crisis, the risks of loans, including subprime mortgages and the CDOs that were securitized from them, were of little concern to banks once these risks were transferred to other parties. The main risks that were managed were confined to the banks’ own portfolios; the losses that might result from these toxic assets were someone else’s problem. Similarly, the moral hazard that the implicit government guarantee provided to too-big-to-fail institutions and the systemic risk that their activities posed were opportunities to be exploited, without regard for the consequences to others.

Second, non-shareholder constituencies are affected by the means that firms select to manage risk. In broad outline, there are five kinds of responses: a firm may avoid a risk entirely, for example, by not entering a certain line of business; it may seek to reduce a risk by taking appropriate action; the risk may be hedged so that a loss-inducing event is offset by some gain; the risk may be transferred so that it is assumed by another party, often with compensation as in the case of purchasing insurance; or it may be borne. This last response may be taken either because the risk cannot be avoided, reduced, hedged, or transferred or else because it represents a business opportunity in which the firm can profitably employ its core competencies and investment resources. Indeed, the competitive advantage of any firm lies in its ability to exploit the opportunities created by the right, carefully selected risks.

Any of these responses will have impacts on different groups, and the choices made will distribute these impacts differently. For example, a firm that avoids certain risks might deny benefits that people would otherwise enjoy, as when the uncertainties of flood damage lead insurance companies to cease issuing such policies, thereby forcing homeowners to assume that risk. A company that reduces the risk of workplace injury by making safety improvements does so in a way that benefits workers, but if it chooses instead to transfer that risk by purchasing an insurance policy, then the benefit to workers is changed. They have traded ex ante safety on the job for ex post compensation in the event of an accident, which may not be their preference. Hedging and transferring of risk are possible because the risk is assumed by parties who can, in theory, bear it more efficiently. However, the transactions in question may occur without full understanding, so that risks are assumed unknowingly and without consent. Thus, some of the risks of subprime mortgages were transferred to unwitting borrowers, who in some cases lost their life savings, and these risks were also borne by savers who were unaware that their mutual funds and pension funds contained securities backed by these same subprime mortgages. Although banks thought that they had transferred the risk of securities in their own portfolios by means of credit default swaps, the risk returned to them – and to taxpayers! – when the issuers of these swaps were unable to pay claims.

The transfer of risk, which often occurs without much awareness or consideration, is a major development in recent history. In The Great Risk Shift, Jacob Hacker (2006) documents how corporations and governments are shedding many of their traditional responsibilities and putting a greater burden on ordinary people in such areas as employment, healthcare, education, and retirement, with a resulting erosion of economic security. Much of this shedding of traditional responsibilities was due to the pursuit of profit, as banks ceased to bear the risk of loans by securitizing them and collecting fees instead of interest payments, and many corporations changed the forms of their pension plans so as to shift the risk in retirement portfolios to employees. It has also been driven by an ideology of personal freedom and responsibility that would reduce the role of government in people’s lives, and by a decline in large corporations as a source of support and a corresponding increase in the importance of financial markets (Davis 2009). This massive transfer of risk, whether good or bad, is certainly a fit subject for ethical examination.

A third area in which risk management has wider social impacts lies in the determination of what constitutes an acceptable level of risk. In managing risk, a firm identifies its own appetite or tolerance for risk and acts accordingly. Because shareholders generally prefer a higher level of risk than other groups do, risk-management systems, which generally lessen risks, serve to reduce conflicts between shareholders and other groups over risk preferences. However, conflicts may remain not only over the level of risk but also over the types of risk. Although individuals can respond to any chosen level of firm risk and seek to secure their own risk preferences, the opportunities are limited, so they may still bear some risks they would prefer to avoid. Moreover, this kind of self-protection may be costly.

Aside from the issue of control over the setting of an acceptable level of risk, risk management creates the possibility of a false sense of confidence that leads firms to assume too much risk and also leads the public to accept too high a level of risk as well. The existence of apparently sophisticated risk-management systems may create an illusion that all risks are understood and under control so that even a high level of risk is deemed acceptable. As Nassim Taleb (2007) has observed, the greater danger comes not from a high level of known risks but from the unknown risk of low-probability high-impact events, which are by their nature unpredictable – and hence unmanageable. So risk-management systems may themselves be a source of risk by creating a false sense of confidence that blinds managers and the public to the hazards that they actually face. There is ample evidence that the recent financial crisis occurred despite an abundance of attention to risk management. The leaders of major banks who took great risks in their portfolios were relying on sophisticated risk-management systems with such seemingly objective measures as VaR.

Accountability, responsibility and regulation

Because of the strong bearing of risk on welfare, the management of risk has always been a preeminent social concern, which historically has been the province of government (Moss 2002). Sociologists such as Ulrich Beck (1992) and Anthony Giddens (1990) developed the concept of the “risk society” in which people are obsessively concerned about safety and the future. The result has been a public demand, more insistent recently, that risks of all kinds be managed and, in particular, that business take responsibility for risk management and be held accountable for its performance. However, the business response to this demand raises ethical concerns about the legitimacy of corporations as risk managers with respect to issues of accountability and responsibility. As Michael Power (2004, 11) observes, “Risk management is much more than a technical analytical practice; it also embodies significant values and ideals, not least of accountability and responsibility.” Since government has traditionally been the primary risk bearer for society, ethical concerns arise about the division of responsibility between government and business and also about the government regulation of business in the presence of corporate risk management.

First, the demand for accountability creates both a challenge and an opportunity for business. Although resources are required to operate risk-management systems, they serve to inspire public confidence in corporations, counter fear and suspicion of corporate activity, and defuse or deflect blame when things go wrong. Thus, risk-management systems play a valuable role in legitimizing the power of corporations (Power 2007). When such legitimacy is earned, then everyone benefits, but there is also the danger that risk-management systems serve to deceive the public by erecting a managerial smokescreen to maintain myths of control and manageability (Power 2004, 10). Risk, especially from low-probability, high-impact events, is very difficult, if not impossible, to manage, but the legitimacy of business may depend on maintaining a convenient fiction of competent control. Mary Douglas and Aaron Wildavsky (1982, 1) ask, “Can we know the risk we face, now or in the future? No, we cannot: but yes, we must act as if we do.”

Second, making firms responsible for risk management has important consequences for how risk is actually managed. Large firms are bureaucratic organizations which operate with a certain organizational rationality that utilizes formalized routines, processes, and policies. Such an organization is a Procrustean bed in which to lay a risk-management system. Organizational routines, processes, and policies are best suited for common, well-known mishaps and malfunctions, not the kind of unknowable rare events with which risk management ought to be concerned. The danger, therefore, is a kind of displacement in which firms focus on what can be managed by an organization rather than on the real sources of risk, which may, in truth, be unmanageable. Thus, Power (2004, 30) writes, “The burden of managing unknowable risks is replaced by an easier task which can be successfully reported to seniors.”

Furthermore, an organizational treatment of risk necessarily involves an assignment of responsibility among the various functional units in an organization. Although firms typically claim that the management of risk is everyone’s task, this is difficult to achieve in practice, and modern integrated or enterprise risk management tends to push responsibility up to the highest levels, to senior executives who are often not equipped to evaluate the results that mathematical models generate. The danger here is that an organization may make a suboptimal distribution of responsibility in which the units with the greatest expertise in evaluating risk are not directly involved in decision making. Although modern risk management seeks to overcome the silo-treatment of risks by grouping all risk together, some silos may contain better evaluators of risk. Also, some risks may not be identified as the responsibility of any one party. One observer noted that in the recent financial crisis, the risk of CDOs was not widely recognized because they fell between market and credit risks, and the parties responsible for each of these risks thought the problem belonged to the other (Anonymous 2008).

A further feature of the organizational treatment of risk is the development of expert systems that effectively replace individual judgment. The routines, procedures, and policies that are characteristic of organizational rationality not only may fail to focus on real sources of risk but may also prevent the intelligent assessment of information that is available. Amar Bhidé (2010) in A Call for Judgment warns about the overuse or misuse of mechanistic decision-making tools that are ubiquitous in modern business organizations and calls for a balanced blend in decision making of both expert systems and the seasoned judgments of individuals. He notes that the problems with subprime mortgage lending occurred after quick computer-generated approval of applicants replaced the slower, individualized assessment of loan officers. Similarly, the rating agencies relied on sophisticated mathematical models in rating CDOs without attempting an independent evaluation of the information that was available to them – much less seek out new sources of information, which they regarded as beyond their role.

Third, the adoption of risk management by business has significant consequences for government regulation in matters of risk. Moss (2002) describes government as the “ultimate risk manager.” However, government manages risk partly through direct government regulation and partly by relying on business self-regulation. Indeed, a major thrust of recent law has been a strategy by government to encourage greater business self-regulation, including the development of risk-management systems, a practice which Ayres and Braithwaite (1992) call “enforced self-regulation.” Measures such as the 1991 Federal Sentencing Guidelines for Organizations and the 2002 Sarbanes-Oxley Act have provided strong incentives for improving corporate internal control systems. As noted previously, a major incentive for banks to adopt a risk-management system has been the Basel II Accord, which recommends that capital requirements be based on the adequacy of such a system. The better the risk-management controls, the less capital a bank may be required to hold. The Basel II approach to capital standards reflects a more general shift from rule-based regulation to risk-based regulation.

Enforced self-regulation in general and risk-based regulation in particular have many advantages over the main alternative of direct government, rule-based regulation. Government is relieved of the need to formulate and enforce detailed rules; regulation is embedded in the internal corporate decision-making process in ways that align it with corporate objectives; it overcomes the information asymmetry between government and corporations and reduces the antagonistic regulator-regulatee relationship; it also places the responsibility for monitoring the risk-management function on the firm itself and assigns government regulators only the task of evaluating the quality of the risk-management system. A further advantage of risk-based regulation is that firms have flexibility to choose the means for meeting any required level of risk. For example, a firm may choose among the alternatives of improving its risk-management controls, reducing its level of risk, or increasing the amount of equity held in reserve to protect against losses.

This flexibility may also be a disadvantage, insofar as it allows firms to engage in regulatory arbitrage by choosing the most advantageous means of compliance, which may not be the most effective one from a public policy point of view. Other observers have noted that risk-based regulation may perversely lead managers to focus on using a firm’s risk-management system to meet regulatory requirements instead of actually managing risk. The system is being used, in such cases, not to manage risk but to manage regulation (Haldane 2005). Along the same lines, Raghuram Rajan (2010, 140) has commented, “In many of the firms that got into trouble, risk management was used primarily for regulatory compliance rather than as an instrument of management control.”

A more technical problem with risk-based regulation is the charge made by Daníelsson, Jorgensen, and de Vries (2002) that its use in regulation can affect the quality of the risk-management systems employed. They argue that an unregulated bank might prefer to employ a high quality risk-management system for its competitive benefits. However, when a bank is required to adopt such a system, any investment in the quality of the system that exceeds the regulatory requirements would place it at a competitive disadvantage. A main source of the disadvantages in using a high quality system in the presence of regulation is the loss incurred from greater transparency when information must be shared with regulators. A bank may respond with a lower quality system that involves less disclosure. An additional cost is the duplication of systems that are designed to meet the needs of the bank and the regulatory requirements. Competitors who incur the costs of a system designed to meet only the regulatory requirements will have a competitive advantage. Thus, they conclude that the presence of regulation may induce a bank to decrease the quality of its risk-management system (Daníelsson et al. 2002, 1407). This problem is an instance of a more general phenomenon described by Daníelsson as a corollary of Goodhart’s Law (Daníelsson 2002). To Goodhart is attributed the insight that any statistical relationship will break down when used for policy purposes because the behavior of people following the policy will systematically alter the statistical relationship. The corollary drawn by Daníelsson is that risk-management systems (which rely on statistical relationships) will break down when used for regulatory purposes.

The application of risk management

The mere fact that modern risk management played an essential role in the recent financial crisis does not necessarily mean that it was at fault in any way. Some risks are worth taking, and even great risks may be rationally chosen if the returns are sufficiently high. Stulz (2008, 60) observes, In sum, effective risk management does not provide a guarantee against failure. Even in companies with the best risk management people and systems, large losses can and will occur as long as taking the risk of large losses increases expected profits sufficiently for top management to be willing to take that risk. The task of risk management is to ensure that top management knows and understands the risks and the potential gains and makes prudent trade-offs. Nevertheless, it is evident in the recent financial crisis that the leaders of financial institutions of all kinds did not understand the risk they were taking and made decisions that not only turned out badly but were objectively unwarranted at the time. However, mistaken judgment is not necessarily ethical failure, and a question for ethics is how to determine when incompetence becomes immorality. This question is especially difficult to answer when there is no intent, which is a standard factor in fault finding, and everyone is thinking and acting in the same ways. Under such circumstances, if anyone is to be blamed, then everyone is.

The law provides some guidance in addressing this question through the concept of negligence, which is a level of care that is less than what a reasonable and prudent person would exercise. Applying this legal approach to risk management would entail an examination of the possible ways in which adequate care might not be taken. Much has been written about the failures of risk management in the recent financial crisis, and in its practice generally, that cannot be fully covered here. In general, critics identify two theoretical problems that sharply limit the use of risk-management techniques and also discuss numerous practical mistakes that can be made in the use of these techniques.

On the level of theory, risk management attempts to quantify the probability of extremely rare events that occur far out on the tails of normal distribution curves. Some experts question whether such assignments of probabilities are even meaningful (Rebonato 2007), while others note the inherent unreliability of decisions based on any such probability measurements. This is the problem of fat tails or black swans (Taleb 2007), which either have no known distributions or else distributions too scant to be successfully modeled. Risk management also assumes that the past is a reliable guide to the future, so that predictions can be made with models that use historical data. In the case of extremely rare events, however, historical data may be unavailable or of little predictive value, and data for even more common events may become unreliable when circumstances change, as occurs, for example, with technological developments. A more serious theoretical problem is that models assume a deterministic world that operates according to laws that can be expressed mathematically. Not only is economic behavior an extremely complex phenomenon, with far too many variables to be accommodated in any model, but also the presence of models can affect the behavior that is being predicted, especially in times of crisis (Daníelsson 2002). Models assume randomness, but they can lead traders to take identical positions based on the same information and, in crises, to take identical actions, so that the market ceases to be random. The October 1987 stock market crash is often used as an example of this phenomenon. Because of such model-inspired herd behavior, Daníelsson (2002, 1274) argues, “The basic statistical properties of market data are not the same in crisis as they are during stable periods; therefore, most risk models provide very little guidance during crisis periods.”


Some of the practical problems with risk-management techniques are more technical in nature whereas others concern their managerial application. Among the latter kind of problems, managers have been criticized for using risk-management tools as justifications for taking even greater risks in a search for maximum returns without fully understanding the extent of these risks. Such a reliance on the results generated by models provides a plausible defense under the business judgment rule but is hardly good risk-management practice. As Rajan (2010, 144) observes, “Not taking risks one doesn’t understand is often the best form of risk management.” Using risk-management results solely as a justification for risk taking also does not take full advantage of their usefulness for other risk-reducing purposes. Joe Nocera (2009) tells the story of how Goldman Sachs bankers decided to rein in their risks after they sought to discover the cause of declining results from their profit and loss models, which were still satisfactory but worrisome. Thus, Goldman Sachs avoided some losses by asking questions about their risk-management measures that were overlooked by competitors. Significant changes also often occur slowly over time, and so risk-management results must be analyzed to detect long-term trends. Furthermore, recent indicators before a crisis are generally benign, even promising, and that, John Cassidy (2010) observes, is the time to get worried.

More technical problems in using risk management include the point that it is difficult to anticipate the interactions among variables, which can often result in the compounding of consequences from small changes. This problem, which is known as procyclicality, may result when small changes in such factors as prices, volatility, and liquidity, which often occur in crises, lead to vicious feedback loops that produce large, unexpected effects. The nonlinear dependence involved in such large magnitudes of change may be more of a problem than fat tails, because, as Daníelsson (2003) explains, it is harder to detect and model. Even a single, seemingly insignificant innovation can produce major disruptions. For example, an academic article on the correlation of loan defaults has been described as the formula that killed Wall Street (Salmon 2009). This article by a quantitative analyst David X. Li (2000) appeared to provide an easy way to compute the probability that any two assets would default at the same time, thereby facilitating the hitherto impossible task of pricing CDOs composed of large numbers of mortgages. The formula depended on two assumptions – that defaults were normally distributed (a Gaussian copula function) and that probabilities could be determined from current market information and not historical data. Both assumptions turned out to be far from reality. Although Li made the assumptions fully explicit, overeager bankers ignored them with disastrous results.


Finally, a great deal of criticism has been directed toward value at risk as a measure. VaR is a recent development that utilizes extremely sophisticated mathematical formulas to circumvent the need to perform an immense number of calculations about each asset in a portfolio. Its widespread adoption is due to the convenience of a single dollar figure that represents the maximum amount that a portfolio might lose in a certain period of time with a specified degree of probability. In addition to its use to determine the risk of a portfolio, VaR has also proven useful as a means to monitor the performance of traders and allocate capital among them. VaR proved to be of limited value in the recent crisis in part because it leaves the possible losses in extremely rare conditions unspecified. Measures of VaR with a 95% or a 99% degree of probability do not even attempt to estimate the losses that could occur in the realm of the 5% or the 1% range, which could be enormous. Moreover, VaR assumes normal distributions of even very rare tail events, but as critics such as Taleb (2007) argue, this underestimates the probability of some adverse event or other occurring. Furthermore, VaR does not work well in crises because it assumes that positions can be sold or hedged costlessly, whereas in times of stress, when liquidity or confidence is lacking, assets may have no buyers or may be sold only at a deep discount. For this reason, VaR has been compared to an airbag that always works except in crashes (Einhorn and Brown 2008).


In its short history, modern risk management has assumed a central position in business decision making, especially in financial institutions, and it played a significant role in the recent financial crisis. Although much has been written about the technical problems with this practice, comparatively little attention has been given to the ethical issues involved. This chapter at least begins this much-needed examination by raising questions about the ethical implications of the adoption of risk management for groups other than shareholders and for matters of corporate accountability, responsibility, and regulation. Finally, some consideration is given to ethical issues in the application of specific risk-management techniques. Like all new technologies, risk management has great promise as well as destructive potential. With the benefit of hindsight after the recent financial crisis, it is now possible to begin the critical task of recognizing the challenges of using risk management responsibly.


Anonymous. 2008. “Confessions of a Risk Manager: A Personal View of the Crisis”, /The Economist/, August 7.

Ayers, Ian, and John Braithwaite. 1992. /Responsive Regulation: Transcending the Deregulation Debate/. New York: Oxford University Press.

Beck, Ulrich. 1992. /Risk Society/. London: Sage Publications. Spanish translation: 2007. /La sociedad del riesgo: hacia una nueva modernidad/. Barcelona: Paidós.

Bernstein, Peter L. 1996a. “The New Religion of Risk Management”, /Harvard Business Review/ 74: 47-51.

Bernstein, Peter L. 1996b. /Against the Gods: The Remarkable Story of Risk/. New York: Wiley.

Bhidé, Amar. 2010. /A Call for Judgment: Sensible Finance for a Dynamic Economy/. New York: Oxford University Press.

Buder, Stanley. 2009. /Capitalizing on Change: A Social History of American Business/. Chapel Hill, NC: University of North Carolina Press.

Cassidy, John. 2010. “What’s Wrong with Risk Models?”, /The New Yorker/ Blog, April 27.

Daníelsson, Jón. 2002. “The Emperor Has No Clothes: Limits to Risk Modelling”, /Journal of Banking and Finance/ 26: 1273-1296.

Daníelsson, Jón. 2003. “On the Feasibility of Risk Based Regulation”, /Economic Studies/ 49: 157-179.

Daníelsson, Jón, Bjørn N. Jorgensen, Casper G. de Vries. 2002. “Incentives for Effective Risk Management”, /Journal of Banking and Finance/ 26: 1407-1425.

Davis, Gerald F. 2009. /Managed by the Markets: How Finance Re-Shaped America/. New York: Oxford University Press.

Douglas, Mary, and Aaron Wildavsky. 1982. /Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers/. Berkeley: University of California Press.

Einhorn, David, and Aaron Brown. 2008. “Private Profits and Socialized Risk”, /Global Association of Risk Professionals/, June-July, 10-26.

Ferguson, Niall. 2008. “Wall Street Lays Another Egg”, /Vanity Fair/,

Giddens, Anthony. 1990. /The Consequences of Modernity/. Stanford, CA: Stanford University Press. Spanish translation: 2002. /Consecuencias de la modernidad/. Madrid: Alianza Editorial.

Hacker, Jacob S. 2006. /The Great Risk Shift: The Assault on American Jobs, Families, Health Care, and Retirement And How You Can Fight Back/. New York: Oxford University Press.

Haldane, Andrew G. 2009. “Why Banks Failed the Stress Test”, Bank of England, February 9-10.

Li, David X. 2000. “On Default Correlation: A Copula Function Approach”, /Journal of Fixed Income/ 9: 43-54.

Meulbroek, Lisa K. 2002. “A Senior Manager’s Guide to Integrated Risk Management”, /Journal of Banking and Finance/ 14: 56-70.

Moss, David A. 2002. /When All Else Fails: Government as the Ultimate Risk Manager/. Cambridge, MA: Harvard University Press.

Nocera, Joe. 2009. “Risk Management: What Led to the Financial Meltdown”, /The New York Times/, January 4.

Power, Michael. 2004. /The Risk Management of Everything: Rethinking the Politics of Uncertainty/. London: Demos.

Power, Michael. 2007. /Organized Uncertainty/. Oxford: Oxford University

Rajan, Raghuram G. 2010. /Fault Lines: How Hidden Fractures Still Threaten the World Economy/. Princeton, NJ: Princeton University Press.

Rebonato, Ricardo. 2007. /The Plight of the Fortune Tellers: Why We Need to Manage Finance Risk Differently/. Princeton, NJ: Princeton University

Rogoff, Kenneth, and Carmen M. Reinhart. 2009. /This Time is Different: Eight Centuries of Financial Folly/. Princeton, NJ: Princeton University Press. Spanish translation: 2011. /Esta vez es distinto: ocho siglos de necedad financiera/, Fondo de Cultura Económica de España.

Salmon, Felix. 2009. “Recipe for Disaster: The Formula that Killed Wall Street”, /Wired Magazine/, February 23: 17-03.

Stulz, René M. 1996. “Rethinking Risk Management”, /Journal of Applied Corporate Finance/ 9: 8-24.

Stulz, René M. 2008. “Risk Management Failures: What Are They and When Do They Happen?”, /Journal of Banking and Finance/ 20: 58-67.

Taleb, Nassim. 2007. /The Black Swan: The Impact of the Highly Improbable/. New York: Random House. Spanish translation: 2008. /El cisne negro: el impacto de lo altamente improbable/. Barcelona: Paidós.
