The Fallacy of Complete and Accurate Risk Quantification

Wow. The American taxpayer now owns AIG. Does that mean I can get a cheap rate?

The economic events of the past few days have transitioned the months-long saga of financial irresponsibility past merely stunning into the realm of truly terrifying. We’ve leaped past the predictable into a maelstrom of uncertainty edging on a black hole of unknowable repercussions. True, the system could stabilize soon, allowing us to rebuild before the shock waves topple the relatively stable average family. But right now it seems the global economy is so convoluted we’re all moving forward like a big herd navigating K2 in a blinding snowstorm with the occasional avalanche.

Yeah, I’m scared. Frightened and furious that, yet again, the group think of the financial community placed the future of my family at risk. That we, as taxpayers, will have to bail them out like Chrysler in the 70’s, and the savings and loan institutions of the 80’s. That, in all likelihood, no one responsible for the decisions will be held accountable and they will all go back to lives of luxury.

One lesson I’m already taking to heart is that these events are disproving the myth of the reliability of risk management in financial services. On the security side, we often hold up financial services as the golden child of risk management. In that world, nearly everything is quantifiable, especially with credit and market risk (operational is always a bit more fuzzy). Complex equations and tables feed intelligent risk decisions that allow financial institutions to manage their risk portfolios while maximizing profitability. All backed by an insurance industry, also using big math, big heads, and big computers, capable of accepting and distributing the financial impact of point failures.

But we are witnessing the failure of that system of risk management on an epic scale.

Much of our financial system revolves around risk: distributing, transferring, and quantifying risk to fuel the economy. The simplest savings and loan bank is nothing more than a risk management tool. It provides a safe haven for our assets, and in return is allowed to use those assets for its own profitability. Banks make loans and charge interest. They do this knowing a certain percentage of those loans will default, and using risk models they decide which are safest, which are riskiest, and what interest rates to charge based on those levels of risk. It’s just a form of gambling, but one where they know the odds. We, the banks’ customers, are protected from bad decisions through a combination of diversification (spreading the risk, rather than just one big loan to one big customer) and insurance (the FDIC here in the US).

It’s a system that’s failed before, once spectacularly (the Depression) and again in the 80’s, but overall it works well.

Thus we have empirical proof that even the simplest form of financial risk management can fail.

Fast forward to today. Our system is infinitely more complex than a simple S&L, interconnected in ways that we now know no one completely understands. But we do know some of the failures:

  1. Risk ratings firms knowingly under-rated risks to avoid losing the business of financial firms wanting to make those investments.
  2. Insurance firms, like AIG, backed these complex financial tools without fully understanding them.
  3. Financial firms themselves traded in these complex assets without fully understanding them.
  4. The entire industry engaged in massive group think which ignored the clear risks of relying on a single element (the mortgage industry) to fuel other investments. Lack of proper oversight (government, risk rating companies, and insurance companies) allowed this to play out to an extreme.
  5. Reduced compartmentalization in the financial system allowed failures to spread across multiple sectors (possibly a deregulation failure).

Let’s tie this back to information security risk management.

First, please don’t take this as a diatribe against security metrics, which I firmly support. My argument is that these events show that complete and accurate risk quantification isn’t really possible, for two big reasons.

  1. It is impossible to avoid introducing bias into the system, even a purely mathematical system. The metrics we choose, how we measure them, and how we rate them will always be biased. As with recent events, individual (or group) desires can heavily influence that bias and the resulting conclusions. We always game the system.
  2. Complexity is the enemy of risk, yet everything is complex. It’s nearly impossible to fully understand any system worth measuring risk on.

Which leads to my message of the day. Quantified risk is no more nor less valuable or effective than qualified risk. Let’s stop pretending we can quantify everything, because even when we can (as in the current economic fiasco) the result isn’t necessarily reliable, and won’t necessarily lead to better decisions. I actually think we often abuse quantification to support bad decisions that a qualified assessment would prevent.

Now I can’t close without injecting a bit of my personal politics, so stop reading here if you don’t want my two sentence rant…

<rant>

I don’t see how anyone can justify voting for a platform of less regulation and reduced government oversight. Now that we own AIG and a few other companies, it seems that’s just a good way to socialize big business. It didn’t work in the 80’s, and it isn’t working now. I support free markets, but damn, we need better regulation and oversight. I’m tired of paying for big business’s big mistakes and people pretending that this time it was just a mistake and it won’t happen again if we just get the government out of the way and lower corporate taxes. Enough of the fracking corporate welfare!

</rant>

14 comments

  1. Alex Sep 17

    Rich,

    I think what you’re actually upset about is the outcomes of the models they used and how they were used to make decisions, not probability theory, nor the validity of making statements in a quantitative or qualitative nature - and these are independent subjects to address.

    Now I vehemently disagree with your core argument that:

    1.) Financial Risk (variance from expected return) is the same as Operational Risk (Frequency & Impact of Threat Event). There is an etymological problem we English speakers are now forcing upon the world that blurs the two - but they are completely different problems that need different ways to address them.

    2.) Accuracy is unattainable (precision I would agree with).
    Of course, accuracy is within the context of the quality of the decision the existing uncertainty causes. So accuracy is certainly attainable, but it seems to me that it’s a case by case basis, based on the decision maker’s subjective willingness to act - not something you can say across the board.

  2. Rafal Sep 17

    @Rich…
    - First off, to the point of your rant. AMEN brother, is what I say.
    - Second off, I’ve been preaching this for years and no one listens… sadly.

    But to address your entire article, and it’s a good one indeed, well-put… the bottom line on everything is greed. It goes back to what drives human nature - GREED. Greed is what had us here in the 20’s, 70’s, 80’s, late 90’s and now today, and it’ll keep driving us to the brink of extinction like this repeatedly over the course of history. Let’s not kid ourselves… people are greedy and no matter how we regulate, no matter how we try … no one is above greed. I know I’m not - as virtuous as I try and be . What can we do but take all the failed CEOs to the middle of Wall Street, hang ‘em high, and try to make sure no one forgets?

  3. Dennis Groves Sep 17

    I am starting to wonder if it still isn’t a good time to invest in gold, because despite how high it is - stuff like this really makes one seriously wonder if it isn’t going to get a lot worse; driving the value of gold even higher. Seriously, how in the hell can it get better?

    Dennis Groves

  4. Rodney Sep 17

    Good write-up Rich!

    I don’t know the American regulatory environment well enough (I am an Aussie) - but it looks as though a large part of the problem is a lack of enforcement of existing regulations.

    The American taxpayer is now up for $900 billion - all because executives who received multi-million dollar bonuses deliberately engaged in promiscuous financing. Companies that survived the Great Depression have been killed - without even a proper recession to blame it on.

    Will they pay back their multi-million dollar salaries and bonuses?

    In 2003/4 Warren Buffet warned everyone of the financial “weapons of mass destruction” being used around the world. Now that it all blows up… people are acting as though it is a surprise!

  5. David Smith Sep 17

    I think the mistake that most organisations make is treating Risk Management as a “science” when in fact it is an “art”. What we are all trying to do is to predict what might happen in the future (both risk and opportunity) and then put systems in place to either mitigate the potential threats or to seize the opportunity. Is it any surprise that we find that trying to predict uncertainty is well……… UNCERTAIN - hardly an earth shattering realisation.

    At best Risk Management is a best guess about what might happen in the future. Hopefully given our modelling, common sense and experience it is an educated best guess, but at the end of the day it is still our best guess about what might happen.

    I often find in organisations where complex metrics and methodology are used that people, and decision makers in particular, tend to treat Risk Management as a science with mathematical certainty. The complex metrics aid this opinion.

    As risk managers we often forget that our methodologies are based upon assumptions which, even if backed by a large amount of data, are still assumptions that are trying to predict future uncertainty. The assumptions tend to be forgotten amongst complex mathematical formulae.

    Now don’t get me wrong, I am not saying that risk metrics are wrong, but what I am saying is that they are an aid to assist professional judgement, not to replace it.

    Is it the best we have? Sure - but we shouldn’t forget that assumptions may be wrong and that the future may unearth a different threat that we wouldn’t even consider on our radar today.

    For example, in an engineering context harmonic resonance was a danger that wasn’t even considered prior to the Washington bridge collapse, and I doubt if any Dutch company had cartoons of Mohammed on their risk registers, but many suffered huge sales losses from the Middle East due to their appearance in a Dutch newspaper.

    Anyway at the end of the day we don’t manage any risks we only manage people’s (including ours and our CEO’s) perception of risk!!!

    And don’t forget - our organisations have only one risk - the decisions they make.

    Good luck because as Napoleon said “I would rather have a lucky risk manager (general) than a good one”

  6. ds Sep 18

    >>

    I don’t see how anyone can justify voting for a platform of less regulation and reduced government oversight. Now that we own AIG and a few other companies, it seems that’s just a good way to socialize big business. It didn’t work in the 80’s, and it isn’t working now. I support free markets, but damn, we need better regulation and oversight. I’m tired of paying for big business’s big mistakes and people pretending that this time it was just a mistake and it won’t happen again if we just get the government out of the way and lower corporate taxes. Enough of the fracking corporate welfare!

    <<

    I think you miss the point in a way that most do. Deregulation only works if the people taking the risk suffer the consequences. Now, we are socializing the risk but the rewards are still in private hands. The government should get out of the way, period. The answer isn’t to over regulate on the front to prevent this downside, the solution is to clear out and let people fall off a cliff if they make bad decisions.

    If we don’t do that, we get where we are today. We don’t have independent boards, we don’t have investor transparency, we don’t have people taking sensible risks, all because as investors, we hope someone else will look out for our interests. Collectively, we are complacent as a society, and here is the result.

    Also, this excessive risk taking by business is largely due to the Government holding interest rates down too low for too long, forcing these financial firms to look for creative ways to make money. Also, our lovely housing boom/bust has also been caused by the same irresponsible fiscal policy, teamed with the Government “encouraging” lenders to offer loans to people who weren’t really qualified in the first place… and that brings us to Fannie and Freddie, which we also own.

    So the moral of the story is: stop incenting negative behavior and it goes away.

    Sub-text: stop trying to save people from themselves and we’ll all be happier.

  7. Chris Hayes Sep 19

    “Which leads to my message of the day. Quantified risk is no more nor less valuable or effective than qualified risk.” I do information risk assessments for a living. There is value in attempting to quantify information security risk and business executives are beginning to demand this. 4 “highs”, 20 “mediums” and 65 “lows” is not valuable information to a decision maker that needs to manage a budget, determine how best to use his resources, while trying to achieve the company’s goals. I think it is irresponsible to poo-poo an emerging discipline within our industry because of the failures or shortcomings within the financial industry.

  8. Allen Baranov Sep 19

    I think the question you hinted to but didn’t actually pose in this article is “how do we correctly manage risk?” and the answer is accountability.

    This is not fun to do and so it is not really done.

    You also say that you support free markets but want more regulation. These are not contradictory.

    Free markets work because mistakes and bad judgements are punished in the cruelest way - your company goes under and you lose your job and all you have invested.

    Since it is now possible that the people who own a company are not the same people who make the decisions of the company we have regulations and controls in place so that the people who own the company can watch those that run the company. Essentially annual statements etc. These give those that would feel the pain of a bad decision (the shareholders/owners) the ability to monitor the company and, if need be, force their will on the company by firing the top management. This makes the workers accountable to the shareholders.

    The problem with a bank/financial institution is that the government can’t allow the institution to be punished (by closing down and hence making shareholders lose their money) because that would shake the markets.

    So, the government becomes a stakeholder (not shareholder) in the business because it will have to help out if there is an issue. And, as such, should have regulations in place to make sure that it would not need to jump in and sort things out.

    Taking this to Information Security - I am working on an idea I call “Shareholder-centric Security”. ;)

    Basically a Shareholder could be anyone and is defined as a person who has the most to lose if something bad happens. Information Security advises all shareholders on what the threats are and together they work out what the risks are. The shareholder then accepts the risk and takes steps to mitigate it.

    Getting back to “accountability” - there is a natural tendency to understate risk, basically because the compensating controls will then be cheaper. There has to be accountability in that the shareholder will *want* to get a good idea of the risks so that they can cover themselves properly.

  9. rmogull Sep 19

    @Chris,

    Just because the business wants numbers, and you can make up numbers, doesn’t mean they are accurate or reflect the real risk. You are irresponsible if you provide a purely quantified assessment that leads to a poor risk decision.

    Not all risk can be quantified. Please respond to my core points if you think that I am wrong that a quantified assessment is both just as prone to error as a qualified assessment, and in many cases can lead to worse decisions.

  10. Chris Hayes Sep 19

    @Rich – Luckily, I leverage a risk methodology that breaks risk into elements that I can numerically represent based off my experience, the data I have available, and with input from other subject matter experts. In addition, the same methodology accounts for my confidence (or lack thereof) in what you refer to as “made up numbers”. There will always be an element of uncertainty with risk. 2006 and 2007 were expected to be some of the worst years on record for hurricanes in the US – and there were no major hurricanes – do we write that off to “made up numbers” as well?

    If the business wants numbers, then we should strive to meet their needs and show value – not bury our heads and admit defeat. How I articulate a risk scenario is probably more important than the risk being represented, because that decision maker knows there is an element of uncertainty and yet a level of reasonableness behind it. And guess what? The decision maker can agree or not agree with my findings. I have had some state the risk is not enough, but very few that thought the risk was more than what was being articulated.

    I understand your frustration and skepticism, but please understand that information security risk quantification is occurring, it is wanted by businesses, it can facilitate cost benefit analysis in terms of risk vs. cost to mitigate, it is not wild guessing or “made up” numbers, and it can result in better decision making. Finally, I do not work for an information security / risk management vendor – I work for a company that understands risk (financial services industry) and embraces these concepts for treating operational risk exposures (information security risks) like product risk.

    What the world would be like if we used qualitative labels for everything that costs money:

    Loaf of bread A: LOW RISK, cost unknown until you get to the register
    Loaf of bread B: HIGH RISK, cost unknown until you get to the register
    Loaf of bread C: MEDIUM RISK, cost unknown until you get to the register

    Thoughts?

  11. Jack Sep 21

    Rich, you start out with a focus on the challenges we face as a result of bad financial risk management.  Can’t argue with your frustration there.  Then you attribute these woes to a failure in quantitative analysis, with the reasoning that:

    • The world is too complex to know perfectly (or, in your words, “completely” and “accurately”).
    • People game systems to achieve personal objectives
    • Financial risk management can fail — empirical proof no less!

    A few observations:

    • Yes, it is highly unlikely that we’ll ever understand complex real-world issues perfectly.  But somehow, you imply, qualitative analysis isn’t subject to this???  No, it’s vulnerable too, but the tendency is to just sweep the details under the red/yellow/green rug and pretend they don’t matter.  BTW — how do you defend/describe a qualitative value without the use of quantitative values? Unless, of course, you use other qualitative terms that can be equally vague.

    • Yes, people game systems.  This is true of qualitative systems and quantitative systems.  Over the years I’ve seen many qualitative “risk assessments” that were nothing more than a security practitioner’s attempt to justify their existence or budget request.

    • All things can fail.  See the first observation above.  The question that’s begged, however, is which aspect of the process failed.  Was it the modeling, the data, or the decision?  Or, perhaps, some combination of the three.  Based on what I’ve read, greed and lack of consequence played a significant role.  Darned human bias.  Always seems to muck things up.  That said, you’re right that no model (quantitative or qualitative) of complex systems will be perfect.  If that weren’t the case, we could predict the future with absolute certainty.

    How is qualified risk analysis/management any better?  You don’t tell us.  Perhaps in a future post you can share how you propose a financial system — or any system that deals in quantities of things — might go about qualitatively evaluating and making decisions on issues related to future events.  Maybe it goes something like this…

    Customer:  “Hi.  I’d like a loan.”
    Lender:  “Certainly.  How much would you like?”
    Customer:  “Some.  But not too much.  What would the interest rate be on that.”
    Lender:  “Oh, not that much.  We’re very competitive.  What are your current assets worth?”
    Customer:  “Quite a lot, actually.”
    Lender:  “Terrific.  And how much do you get paid?”
    Customer:  “Not as much as I’m worth, but my employer says I can expect a big raise in the not-too-distant future.”
    Lender:  “That sounds good.  I guess based on this information we can go ahead with the loan.”
    Customer:  “Thanks!  When can I expect to see that?”
    Lender:  “Soon.  Very soon.”

    Obviously, this is tongue-in-cheek, but my point is that I have a difficult time understanding how a qualified analysis would be practical in many (any?) financial risk management scenarios.

    You then go on to state that qualitative and quantitative approaches aren’t better or worse than one another.  So, logically, this same mess we’re in would have occurred if we’d been using a qualitative approach to financial risk??  Hmmm.  But then in the same paragraph you turn around and claim that qualified analyses would prevent bad decisions that are based on quantified analyses.  I’m afraid you’ll have to explain your rationale behind that one.

    One thing you said that caught my eye was your statement that we should “… stop pretending that we can quantify everything, because even when we can the result won’t necessarily be reliable, and won’t necessarily lead to better decisions.”  A couple of thoughts on this one:

    • The results of any sort of analysis won’t necessarily be reliable — including qualitative analysis. People make honest mistakes, input information (quantitative or qualitative) may be incomplete or inaccurate, some folks game their analyses for personal gain and, at least in the qualitative world, there can be inconsistency in what’s meant by qualitative values (i.e., one person’s “high” can be another person’s “medium” and vice versa).
    • Bad decisions occur all the time, even when the data and models are good.  Greed, maliciousness, poor judgment, stupidity, and other human failings often drive “bad” decisions regardless of what information they’re based on.

    Bottom line — your points are not exclusive to quantitative approaches.

    I’m firmly in your camp, however, when it comes to holding people accountable for their decisions.  Of course, responsibility for the current financial market mess falls on the financial market executives, real estate professionals, lending agents, the government, investors, and borrowers (plus some groups I’ve probably left out).  Consequently, it would be interesting to see how blame and consequence would be apportioned.  Then again, perhaps accountability is exactly what we’re experiencing as a culture right now, albeit not equitably.

    WRT regulation, based on the regulations I’ve seen to-date, I have no confidence that “more” is better.  What’s likely to happen is a knee-jerk reaction to satisfy the public’s desire for response.  And if that reaction runs true to the past, it’ll be messy, largely ineffective, and stand a good chance of buggering things up even more.
