The Fallacy of Complete and Accurate Risk Quantification
Wow. The American taxpayer now owns AIG. Does that mean I can get a cheap rate?

The economic events of the past few days have moved the months-long saga of financial irresponsibility past merely stunning into the realm of truly terrifying. We’ve leaped past the predictable into a maelstrom of uncertainty edging on a black hole of unknowable repercussions. True, the system could stabilize soon, allowing us to rebuild before the shock waves topple the relatively stable average family. But right now the global economy seems so convoluted that we’re all moving forward like a big herd navigating K2 in a blinding snowstorm with the occasional avalanche.

Yeah, I’m scared. Frightened and furious that, yet again, the group think of the financial community placed the future of my family at risk. That we, as taxpayers, will have to bail them out like Chrysler in the 70’s and the savings and loan institutions of the 80’s. That, in all likelihood, no one responsible for the decisions will be held accountable, and they will all go back to lives of luxury.

One lesson I’m already taking to heart: I believe these events are disproving the myth of the reliability of risk management in financial services. On the security side, we often hold up financial services as the golden child of risk management. In that world nearly everything is quantifiable, especially credit and market risk (operational risk is always a bit more fuzzy). Complex equations and tables feed intelligent risk decisions that allow financial institutions to manage their risk portfolios while maximizing profitability. All of it is backed by an insurance industry, also using big math, big heads, and big computers, capable of accepting and distributing the financial impact of point failures. But we are witnessing the failure of that system of risk management on an epic scale. Much of our financial system revolves around risk: distributing, transferring, and quantifying risk to fuel the economy.
The simplest savings and loan bank is nothing more than a risk management tool. It provides a safe haven for our assets, and in return is allowed to use those assets for its own profitability. Banks make loans and charge interest. They do this knowing a certain percentage of those loans will default, and they use risk models to decide which are safest, which are riskiest, and what interest rate to charge based on that level of risk. It’s just a form of gambling, but one where they know the odds. We, the bank’s customers, are protected from bad decisions through a combination of diversification (spreading the risk, rather than making one big loan to one big customer) and insurance (the FDIC here in the US). It’s a system that has failed before, once spectacularly (the Depression) and again in the 80’s, but overall it works well. Thus we have empirical proof that even the simplest form of financial risk management can fail.

Fast forward to today. Our system is infinitely more complex than a simple S&L, interconnected in ways that we now know no one completely understands. But we do know some of the failures:

1. Risk ratings firms knowingly under-rated risks to avoid losing the business of financial firms wanting to make those investments.
2. Insurance firms, like AIG, backed these complex financial tools without fully understanding them.
3. Financial firms themselves traded in these complex assets without fully understanding them.
4. The entire industry engaged in massive group think, which ignored the clear risks of relying on a single factor (the mortgage industry) to fuel other investments.
5. Lack of proper oversight (government, risk rating companies, and insurance companies) allowed this to play out to an extreme.
6. Reduced compartmentalization in the financial system allowed failures to spread across multiple sectors (possibly a deregulation failure).

Let’s tie this back to information security risk management.
First, please don’t take this as a diatribe against security metrics, of which I’m a firm supporter. My argument is that these events show that complete and accurate risk quantification isn’t really possible, for two big reasons:

1. It is impossible to avoid introducing bias into the system, even a purely mathematical one. The metrics we choose, how we measure them, and how we rate them will always be biased. As recent events show, individual (or group) desires can heavily influence that bias and the resulting conclusions. We always game the system.
2. Complexity is the enemy of risk, yet everything is complex. It’s nearly impossible to fully understand any system worth measuring risk on.

Which leads to my message of the day: quantified risk is no more or less valuable or effective than qualified risk. Let’s stop pretending we can quantify everything, because even when we can (as in the current economic fiasco) the result isn’t necessarily reliable and won’t necessarily lead to better decisions. I actually think we often abuse quantification to support bad decisions that a qualified assessment would prevent.

Now I can’t close without injecting a bit of my personal politics, so stop reading here if you don’t want my two sentence rant…

rant
I don’t see how anyone can justify voting for a platform of less regulation and reduced government oversight. Now that we own AIG and a few other companies, it seems that’s just a good way to socialize big business. It didn’t work in the 80’s, and it isn’t working now. I support free markets, but damn, we need better regulation and oversight. I’m tired of paying for big business’s big mistakes and people pretending that this time it was just a mistake and it won’t happen again if we just get the government out of the way and lower corporate taxes. Enough of the fracking corporate welfare!
/rant