Schneier on Security
A blog covering security and security technology.
January 26, 2009
Risk Mismanagement on Wall Street
Long article from the New York Times Magazine on Wall Street's risk management, and where it went wrong.
The most interesting part explains how the incentives for traders encouraged them to take asymmetric risks: trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%. So of course, this is exactly what happened.
Posted on January 26, 2009 at 7:08 AM
they should have read the book "Fooled By Randomness" by Nassim Taleb.
While having contrarian views like Taleb's is useful for breaking through groupthink, I think the more nuanced view of VAR expressed later in the article is right.
VAR is just a tool, it doesn't tell you what to do, and its numbers do not literally mean what the statistical theory implies that they mean. But it is interpretable, and movements in VAR bear significant information, so long as alert humans are using judgment to interpret them. The problem occurs when under-brain-powered portfolio managers take the numbers at face value, or worse, use VAR as a reassuring sales/marketing tool to entice fund shoppers.
I thought the NY Times piece was disappointing. It missed the basic point that securitization losses had nothing to do with "risk" as it pertains to the market and that VaR could therefore not be relevant, despite the cheerleading for GS. The risks here all had to do with fraud and conflict of interest.
For an actual analysis of the agency conflicts of the securitization process, try "The Future of Securitization" by Francke & Krahnen: www.ifk-cfs.de/fileadmin/downloads/publications/wp/08_31.pdf.
Casinos understand risk management. They limit bets. A table paying out too much will be shut down even if the problem is not identified. They police the players and their own people, actively hunting for cheats. If they take too great a loss, they will borrow money to cover it and will repay the loan promptly.
Bookies understand risk management. If the action they're taking starts putting them at too much risk, they'll turn down the wrong bets, or they'll lay off some of the risk on other bookies, thereby reducing their own risk at the cost of accepting less profit.
Wall Street bankers obviously don't understand risk. If they don't know basic probability -- if they cannot calculate the house percentage at craps or roulette -- they have no business doing business.
The idea of worrying about only the best 99% without regard to the worst 1% is a fundamental flaw in their mathematics and logic.
It never rains in California, but the DMV is smart enough to require all cars to have windshield wipers to cover that 1% of the time it does rain.
When your lowest level assumptions are wrong, the pyramid you build on top of them won't be very stable.
In some ways, I think that the VaR discussion in this article is similar to Bruce's discussions of our human ability to measure and react to risk. VaR is good steady police work; looking for Black Swans is designing everything around preventing child abduction.
Forgive the sci-fi analogy, but it reminds me of Isaac Asimov's Foundation series. The "psycho-historian" (a sci-fi science), Hari Seldon uses statistics to predict the future (at a galactic scale, the sample set is large enough to be reliable). He predicts the collapse of the galactic empire and creates a foundation to help civilization get through the (psycho-historically predictable) problems in the coming dark ages. The reliance on mathematical models and the fact that it works and is useful 99% of the time makes all this seem to me very much like VaR.
Hari Seldon (Isaac Asimov's character, and so by connection Isaac Asimov himself) was wise enough to see the limits of statistics, and so set up a Second Foundation to hedge his hedge fund against the acts of individuals (a sample set of one invalidates the use of statistics). The model is excellent at prediction, but needs watchmen who look outside the model's capability. Perhaps this is also predicted by the Gödel Incompleteness Theorem (I'm currently re-reading Hofstadter's Gödel, Escher, Bach).
So economic security or national security or any other kind of security needs two fronts, the statistical model complemented by vigilance for things outside the model. Passengers put up with security screening (ideally implemented in smart ways like good behavioral profiling instead of stopping the previous terrorist attack), but that needs to be complemented by vigilance in the form of boots-on-the-ground intelligence and watching for the threats that are not in the current model.
To be honest I'm somewhat uncomfortable with this "reasoning by analogy", but perhaps it is fertile ground for hypotheses that can be vetted with empiricism from those who know better than I.
The 99% / 1% rule kind of reminds me about the quote (paraphrased here) "In the long term, the market is a very rational beast. Unfortunately, it can at times behave irrationally longer than any investor is able to remain solvent". This was true in the case of the Long Term Capital Management debacle, and certainly true here as well. Sorry, but my last remaining gray cells cannot recall to whom I should attribute the original quote - someone famous in the investment / economic universe for sure. Anyone out there care to say who it was? :-)
the "masters of the universe" accidentally the entire universe, didn't they? these are the folks we were told were worth 20-30 million dollars in bonuses every year because their acumen so greatly exceeded that of us mere mortals that they were essentially priests of an arcana forever beyond our ken.
the article was okay, but it neglected to address one thing which may validate the risk managers' thinking. when you climb a big mountain and you get into bad trouble 3/4 of the way up, you just whip out your cellphone and call search & rescue, summoning a helicopter if need be, which is paid for by the people on the ground, small as ants from your exalted perch.
when the risk managers and their firms got into bad trouble, they whipped out their cellphones and called their compliant, bought-and-paid-for congress, which committed to shower them with sufficient money to preserve not only their firms, but their bonuses too.
when you enter a carnival midway and look around, you will see two kinds of people, operators and suckers. if you don't know which kind you are, it means you're a sucker. good morning, my fellow suckers!
Even if the risk equations are well characterized, using a 99% cutoff is just plain stupid. If that risk is per trading day, you're going to have a potential over-limit loss in less than six months. If per week, in two years. In a big market with lots of players (ahem) somebody is going to risk an over-limit loss every day. For VAR to have been doing what it claimed to be doing rather than just being another thumb-in-the-wind measure, you'd want to be out to a lot more nines.
Statisticians and even bomber pilots knew this kind of stuff 65 years ago -- if your odds of coming back alive are 99%, then 75 missions later you're probably dead.
I still don't get the obsession that people need to borrow money to keep an economy going. Doesn't that mean by definition they don't have the money in the first place?
Reminds me of this quote:
"People do not understand exponential curves". By unknown.
Now which part of even 1% growth is *not* exponential?
How long do we want between busts?
At 10% growth then there needs to be more than a 100 times more "wealth" after 50 years than before. Wealth here is either the debt you have to pay or the debt you are owed. YMMV on what you can do with it.
Sooner or later the finite size of the universe will kick in.... And so the obsession of high ROI in stock markets almost guarantees that there will be a collapse reasonably frequently. I mean a public company can't even weather a bad patch because the lower reported profits translate to share price crash (which is 90% speculated value only, no real assets).
I've been saying this since things started to go south last fall.
If you take a big risk for the company and it comes through, what happens? You get a big pile of money as a commission or bonus.
If you take a big risk for the company and it fails, what happens? At the very worst, you get fired. At the very worst.
Your personal risk/reward is almost completely decoupled from the company's risk/reward, in a way that rewards vastly riskier behavior on the part of individual employers than what would be good for the company.
What risk? They got their bonuses, and you and I are bailing them out with our tax money and coming hyperinflation...
Even the 50 Billion Ponzi guy is free on a $1M bail.
I like to read the excellent posts above by P K Koop and Roy together as one.
Given that there are known ways to manage and offset risk more appropriately, as seen in many other industries and documented in Basel II, preventing fraud and conflict of interest should be the focus of the investigations now.
The description of asymmetric risks as "trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%" reminds me of the phrase "low probability-high consequence events" or LPHCs.
LPHC is often used to describe things such as WMD incidents, air crashes, and such. Evaluating the risks and measures in which to invest regarding LPHCs can be tricky. One help -- not the only one -- is including investment in resilience that is useful for more common events as well as the low probability ones.
It's always amusing to watch the comments of people who read a newspaper article and think they understand the topic as well as the reporter, not to mention the experts who were interviewed and misunderstood.
@Seth: I agree. A linguistics professor of mine was interviewed by a regional newspaper. The reporter misunderstood her to a fair degree, even about relatively basic things. So if you think you understand a topic well by reading a newspaper, you probably don't.
It isn't clear to me that Joe Nocera (the "reporter") understood the topic particularly well.
The idea of VaR is to build a statistical model of the future parameterized with historical data. Implicit in this plan is the assumption that the risks to be modelled are exogenous; from this perspective, the crash in the housing market is either "natural disaster", like a hurricane, or the result of a speculative bubble - hard to model, maybe, but fundamentally random.
But in fact, all players in the rise and fall of house prices acted rationally (in terms of economic self-interest) and the risk measurement of asset-backed products was part of a dynamically coupled system that drove the increase in house prices. It is as if the act of writing hurricane insurance were to make hurricanes more likely.
There is nothing wrong with VaR for managing the "noise" of a trading position, but it is not a good measure of capital adequacy. The issue is not only with the technical properties of VaR - banks have other measures such as Expected Shortfall that measure tail risk (and unlike VaR, are mathematically coherent.) But one should not apply a statistical approach to a situation that must be treated specifically - mainly, by proper alignment of interests.
The feel-good story about Goldman selling down its position when it saw VaR anomalies is beside the point because VaR cannot be used in this way to prevent a systemic collapse; had every bank drawn the same conclusions, they would all have wanted to sell at the same time. The goal of a risk regulator is to prevent banks from trading into bankrupting positions, not to see which clever ones can win at musical chairs.
I'm a security guard. Do I let someone in without proper identification?
99% of the time they are not going to cause a problem and get me fired. 1% of the time they are going to cause a problem.
But if I don't let them in, 10% of the time they are going to cause me a problem that may lead to me getting fired.
What do I do?
Whatever doesn't get me fired. If doing my job will get me fired, I won't do my job.
I'm not the best security guard I can be, I'm the best security guard I can be without getting fired.
...and, of course, blaming the crisis on the poor risk assessment by the bankers is totally missing the point. I understand that for someone with a hammer (security risk analysis) everything looks like a nail, but the booms and busts are quite predictable (if you're an Austrian economist, not some kind of a charlatan) and, in fact, the current depression was predicted years ago - it was explained how and why it would happen.
Something predictable is not a risk. Ignoring the prediction is not bad luck, it's plain stupidity.
Booms are created by the inflationary policy of the Fed during "good" times. These booms result in serious and unsustainable resource misallocation (easy credit makes riskier-than-normal enterprises and projects look acceptable). Eventually, the Fed has to curb credit expansion or risk hyperinflation, and that causes bust and massive write-offs of suddenly "non-performing" assets. In fact, financial institutions and entrepreneurs behave quite rationally during the business cycle; what is irrational is monetary policy.
As is, the Austrian Business Cycle Theory provides the only explanation of the cycle not reducible to the "animal spirits of the market" or equivalent neo-Keynesian bullshit.
@wkwillis. Exactly. The equivalent risk for market dealers is that, if your personal profits put you in the bottom 25% of traders on your desk, you get fired.
So there are no old, bold^H^H^H^H cautious traders.