Risk Management: Yippee Ki Yay, Rogue Traders

2012-11-30  bigyellow...
The holiday season is upon us, and with it comes a slew of reruns of classic holiday films along with the annual financial reporting season and its attendant analysis of institutions’ risk management capabilities. Seemingly unrelated? Actually, the two are inextricably linked via one of the greatest holiday season films of all time: Die Hard.

At its heart, the Die Hard franchise is a veritable case study in risk management, with stress testing and the role of an “on-the-ground” risk manager front and center.

What closely aligns the film series with practical risk management are the recurring themes of:

  • Distraction – Typically the villains engage in a more elaborate “meta plan” which fully occupies the law enforcement agencies, while they (the villains) concentrate on a far smaller, and often simple robbery
  • Automation – The law enforcement agency moves through a tried and tested “playbook” in response to the more elaborate plan, which leaves the underlying crime being committed largely undetected until it is too late

This has always struck me as being exactly the situation risk managers face. Typically, when risk tolerance breaches are detected, there is a reasonably automated response, which runs something along the lines of:

  1. System alerts a breach
  2. Breach is identified to risk-taking area (trading, portfolio management, etc.)
  3. Risk-taking area refute the basis of the breach (bad data, incorrect trade representation, bad risk models, etc.)
    1. Risk analysts scramble to check data inputs and re-validate models
    2. Risk-taking area continues with the position
    3. Risk finally (re)prove those elements in doubt
    4. Position is closed by risk-taking area
    5. Profits were made (or losses were incurred) on a position that was out of risk tolerance

It is not reasonable to suggest that every time a trader or portfolio manager doubts the risk reporting they are, in fact, using the system to maintain an out-of-compliance open position. There are certainly cases where they are, though, and even where they are not, the risk of losses from a position that was identified as out of tolerance exists and needs to be addressed.

The only way that this (deliberate or accidental) distraction play can be beaten is to start with a more transparent base for the results. This means that when the breach is identified, the underlying parameters of that breach are also identified. This would include:

  • Trades, and the representation used by the risk engines, shown in the risk reports
  • Market data used to calculate the risk disclosed within the risk reporting
  • Back-testing of risk models shown within the risk reporting

Once these areas are made open for scrutiny, it becomes much harder to simply send the risk analyst back to the risk department to check their data, and far more likely to initiate a discussion regarding the underlying cause of the risk tolerance breach. Of course, opening up the models for scrutiny can create more initial negative feedback, but does result in a far more bought-in and well-grounded risk architecture.

But back to the film. Die Hard is not just a well-made warning against distraction and automated responses. Perhaps its greatest contribution to the genre of risk management is in its attitude to stress testing. The first, third and fourth in the series are particularly striking in this regard. It is interesting how the stress testing within the films magnifies with each installment:

  • Robbery of bond certificates using law enforcement protocols around hostage-taking to guarantee the “fail-proof” safe will open
  • Robbery of gold bullion using law enforcement protocols around threatening multiple schools in New York to guarantee no police interference
  • Theft of electronic financial records using law enforcement protocols around an organized cyber-attack on the US infrastructure to avoid detection of the actual crime

Each of these stress tests is dynamic and designed to test the infrastructure to failure. Each uses the technology and incentives of the time and each shows holes in the fabric of the risk management in place. These are textbook descriptions of what a financial institution’s stress tests should be designed to do.

Note that this is not the same as regulatory stress testing, mandated by the system to test that system’s resiliency, but more about ensuring that the practical risk management in place in a financial services firm is robust enough to detect, and flexible enough to operate, at the practical level, to be effective during an unexpected event. Determining exposures and risk sources at the tail in a high pressure situation should be within the remit of a risk management system.

The final lesson of the franchised powerhouse is the need to maintain human control. Notably, it is Bruce Willis’s hard bitten cop who initiates the override of the automated response and takes control of the situation, thwarting the underlying crime. This is a subtle yet compelling message to risk managers.

Risk management architecture and tools are just that: tools. They should aid the risk management, but to be truly effective, risk managers need to understand the underlying rationale for the tools, the underlying math of the risk engines and the underlying purpose of the risk management department itself.

If they can do that, they should rarely find themselves “in the wrong place at the wrong time.”
