The only organization that makes money is a bank. The Federal Reserve creates or “prints” money. As the effective interest rate at the Fed is essentially zero that money is basically being given to its shareholders, the chartered banks of the United States. Those banks can then create more money through the process of fractional reserve lending.
All the rest of us have to make a product or a service. We have gotten to the point where the only metric that we use to determine the success of our efforts is an accounting of how much money we take in by selling our product or service. That metric, by its very nature, tells us how we have done, not how we are doing or how we might do in the future. Nonetheless, we all seem to be transfixed by how much money we have made or lost in the past and we make decisions about the future based on very dated information. No matter how many times this approach blows up in our faces we perseverate. It is Einstein’s definition of insanity.
Those of us who are involved in this new profession called risk management are in a lot of trouble. If we look at the past we can see that we have generated a good deal of income. Sarbanes Oxely was a godsend. Dodd/Frank holds out the same promise. Foolishly, some of us feel that we can breathe easier. The time between regulatory implementations can be a tough slog.
Except it is becoming clearer to everyone that none of this activity actually manages risk. From a structural standpoint it is impossible for individual companies to do anything more than comply with laws and regulations. In obeying the law they achieve the lowest acceptable standards for participating in the marketplace. It is true that regulations are an attempt to manage systemic risk but the risk manager in the two examples mentioned above is, heaven help us, Congress. The fact that regulations cannot and have not ever managed systemic risk is a subject for a different day. Suffice it to say that those of us who are involved in helping companies comply with the law are earning an honest living but we aren’t remotely managing risk.
So, if risk management is not about obeying the law, what exactly is it. Recently a few alternate explanations have emerged. One is that risk managers are the conscience of the organization. They act as the voice of reason to CEO’s who want to embark on some sort of misadventure and Boards of Directors who are all too ready to let them. It’s a bit delusional. If senior executives are intent on destructive behavior is it really conceivable that they will suddenly see the light because of what someone in the risk management department has to say? Witness the elaborate risk management diagrams and organizational charts produced for BP’s Board even as the companies operating environment was blowing people up years before the Gulf spill and you will have your answer.
We are in perilous times. Our global monetary system is collapsing. Our consumer economy is shrinking. Companies are reporting increased profits along with decreased revenues. If the definition of risk is about making sure that bad things don’t happen, it is truly a fool’s errand these days.
At the same time human knowledge is expanding with an ever increasing velocity. The potential to produce products and services that address fundamental issues has never been greater. Great companies, regardless of their size understand that “making money” is a byproduct of excellence. For those companies the management of risk requires the answering of two questions:
What do we want to achieve?
How do we want to achieve it?
And the asking of one:
What do we need to do to be successful?
The response to this last question is the list of risks that need to be embraced and managed. Taking a chance is the only thing that allows for success. What chance to take can only be determined by understanding what it is that you actually want to achieve.