Organizations and Risks
The capacities of financial organizations to identify and manage risks vary according to many factors. Financial organizations are often reliant on risk modeling, which itself relies on the availability of good quality data. But the past is not always a good predictor of the future (particularly where data are drawn from a period of benign economic conditions), and data may be incomplete, poorly collated, and historically limited. Moreover, staff will vary in their ability to interpret these data. Organizations need to be open to identifying new risks and understanding that circumstances and personnel change, and these may well change the risks an organization faces. Stress testing—assessing the potential impact of alternative scenarios—can usefully supplement risk modeling by introducing risks that may not be evident from past data. Organizations tend to run these stress tests by assuming that the shocks are specific to them rather than systemwide, and they find it difficult to translate the results into positive action. They may fail to recognize that specific shocks can generate contagion and other externalities. These are some of the lessons of 2007, when liquidity dried up across the financial system. Risk modeling had been undertaken in a period of economic optimism and firms overestimated their ability to identify and control the risks associated with the innovative new products they were developing.
The routines and practices of different groups and people within the organization also require consideration. For example, risk-taking may be made to seem normal, or it may be unwittingly incentivized, as in the Barings and Société Générale cases. Or organizations may deny the severity of a risk and thus inhibit their ability to deal with underlying problems. This is typically done by blaming individuals or part of an organization for something that is much more systemic and dangerous. Again, the Barings case is illustrative—the rogue trader was blamed and the responsibility of the organization in permitting and supporting his risky activities were initially ignored. Remuneration incentives based on short-term sales performance are an integral part of the rogue traders’ stories. The 2007–09 crisis has continued to demonstrate that the excessive risk-taking such bonuses can incentivize has not led to organizations learning lessons.
The organizational origins of crises are well documented. In 1984 Charles Perrow coined the term “normal accidents” to emphasize the inevitability of something going wrong.1 He focused on complex systems where the interaction of unexpected multiple failures can lead to catastrophe, this being most likely where the system is tightly coupled and has no slack to cope with such eventualities. Opinions differ about organizations’ ability to prevent and contain risks, but most agree that large, complex, transnational organizations give rise to distinctive difficulties of risk detection, proof, responsibility, and power. This is well exemplified by the cases of AIG and UBS in 2008, where varying risk management practices in different parts of their transnational organizations led to financial crisis. One commentator remarked “AIG has 125,000 employees. Basically, 80 of them tanked the firm.”2