Operational Risk = Investment Risk
August 17, 2011
The historical focus on securities analysis, valuation and prediction has centered on the tracking of historic prices. Investment Risk has been measured based on price volatility, particularly historic price volatility. Price valuations (stock or bond values) have historically been measured based on the financial performance, cash position and cash flow of the issuing corporation. Most measures review comparable financial ratios and industry benchmarks to form an assessment of proper pricing. This practice of value pricing is flawed. Future prices have little to do with past price behavior, and risk is in no way correlated to price volatility. Risk has everything to do with specific operational exposure, legal exposure, regulatory risk, as well as financial risk. Price risk is the tail – not the dog – and we are wasting our time measuring price trading patterns of any particular security.
Risk is not something any company, operational unit, financial arm or investment firm can ever fully manage. Risk is part of existence. Risk is part of living as individuals as well as companies. Minimizing operational risk, while noble in its cause, is also completely inadequate toward satisfying investor risk. Investors are best served with their risk profile when companies handle adverse events in the most adaptable, expedient and agile manner: companies that know how to respond to the unknown unknowns – not only the expected risk scenarios. Those are the companies that know how to deal with risk and those are the companies that survive and thrive for decades or centuries. This operational maturity for handling adverse events is where risk truly lies, and it is the measurement most relevant for investors to understand. As with everything we measure, operational risk is relative, and how one organization measures in comparison to other comparable companies in the appropriate industry sector should determine the risk premium investors apply to prices and price change expectations.
Market Shifts: Could Blockbuster See the Netflix Threat?
So, how is there ever a solid method of valuating stocks – understanding the risk inherent in the security and making a value judgment on its price relative to alternative securities within a similar risk class? I believe the analysis needs to be based on the management of operational, financial and legal risk along with understanding the operational objectives, measures, tracking ability and business agility that each relevant comparable company displays. How could the valuation of Blockbuster drop so precipitously? Could we have measured their market position in 2003? Of course! Could we have measured their operational and financial controls? Absolutely! Could we also see how unprepared they were to alter their market model to deal with alternate competitive models? Yes, we could have seen this risk, as Blockbuster had very little ability to manage their processes and alter them as needed. They could not move when the market shifted and they took years to try to compete with Netflix. Why? Because they were NOT agile. They couldn’t just change their model even though they knew they needed to. By the time they implemented a competing service to Netflix’s, their lunch had been eaten.
What about Barclays circa 2003? A phishing attack, wherein a hacker steals email information from Barclays. The hacker then sends emails to Barclays’ customers asking them to change their password. The hacker steals the real passwords and immediately changes them, thus locking out customers. Finally, the hacker transfers funds from each account, effectively stealing tens of millions of dollars in a two-day span. What’s astonishing isn’t that Barclays or any other bank could be fooled with this scheme. In the early 2000s, this type of phishing attack was a new method of fraud and they couldn’t have foreseen it coming, as much as it might seem obvious today. What is astonishing is that Barclays didn’t have system parameters on their password change function that prevent such outlier events from occurring. When thousands of users were changing their passwords in a few hours, there was no automated trigger to shut down this service. If the normal rate of password changes is only 100 per day, multiple standard deviations away from an average event usually means something is wrong and the service needs to be halted and evaluated. But Barclays did not have such processes in place and they were not protecting their assets in a prudent manner in 2003. As a shareholder, the most important question relative to your risk with your investment in Barclays must be, “Does Barclays have their arms around their processes?” Do they consistently look to improve and tighten their risk and control structure? How do they govern their processes? How visible are their processes? How much risk is embedded into individual or small department knowledge domains wherein a rogue trader can bring down the entire company, such as what occurred at Barings Bank in 1995? We don’t have to look far for examples. How about the latest with News Corp’s wiretapping scandal? How well did Rupert Murdoch and the rest of the leadership team understand the risks they were taking?
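The automated trigger described above, sketched as an added example (not code from the original post or from Barclays): a circuit breaker that refuses password changes once the day's running count exceeds the baseline mean by k standard deviations, and stays halted until someone reviews it. The class and function names, the baseline figures and k = 4 are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed baseline: password changes per day over two ordinary weeks,
# centred on the post's figure of roughly 100 per day.
BASELINE_DAILY = [96, 104, 99, 110, 92, 101, 98, 105, 97, 103, 94, 108, 100, 93]

class PasswordChangeBreaker:
    """Halts the password-change function when volume is a statistical outlier."""

    def __init__(self, baseline, k=4.0):
        self.mu = mean(baseline)
        self.sigma = max(stdev(baseline), 1.0)  # floor avoids a zero-width band
        self.limit = self.mu + k * self.sigma   # changes tolerated per day
        self.count_today = 0
        self.halted = False

    def allow(self):
        """Call once per password-change request; False means refuse it."""
        if self.halted:
            return False
        self.count_today += 1
        if self.count_today > self.limit:
            self.halted = True  # evaluated mid-day, not at end of day
            return False
        return True

    def new_day(self):
        """Roll the daily counter; deliberately does not clear a halt."""
        self.count_today = 0

    def review_and_reset(self):
        """Manual step after the halt has been investigated."""
        self.halted = False
        self.count_today = 0

def replay(hourly_requests, breaker):
    """Feed hourly request volumes; return (hour the halt began, changes allowed)."""
    allowed, hour_halted = 0, None
    for hour, n in enumerate(hourly_requests):
        for _ in range(n):
            if breaker.allow():
                allowed += 1
            elif hour_halted is None:
                hour_halted = hour
    return hour_halted, allowed

# Constructed traffic: a quiet day, and a day where a surge starts at hour 8.
NORMAL_DAY = [4] * 24
SURGE_DAY = [3, 2, 1, 1, 2, 4, 6, 8, 400, 900, 1200, 700]
```

Because the count is checked on every request, the surge is cut off within the first hour it appears rather than after thousands of changes have gone through.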
Where traditional investment analysis becomes moot is when we consider these outlier events (market shifts, fraud attacks, internal fraud, legal rulings, reputational loss, etc.). While Sarbanes-Oxley put some basic, prudent rules in place for public companies in the US, this regulation does nothing to reveal the true risk position of the investment. And it’s risk that is the issue here. Every investment provides a risk/reward proposition. If I’m going to incur greater risk – I’d better have the opportunity for greater rewards. And vice-versa, I may choose to limit my risk exposure – knowing full well that my return opportunity is modest. US Treasuries are considered among the least risky securities to hold and consequently they yield very small returns relative to other bond notes with identical coupon and duration. You are virtually guaranteed your 3.25% return on a 10-year note and “virtually” no risk of default. Okay, if we use the US Treasury as a benchmark for no risk, then what constant above this risk illustrates relative risk and how much should investors be compensated for each 1% of additional risk?
Starting in the 1970s, financial scholars embraced the idea that a stock’s risk was associated with price volatility. Further, they measured past volatility as a likely indicator of future volatility and thus the inherent risk. Barr Rosenberg’s consulting firm, Barra, would eventually develop the “Beta”, a quantified measure that represents a stock’s sensitivity to movements in the overall market. A stock with a Beta of 1 would have the same price volatility as the broader market; more than 1 meant more volatile and less than 1, less volatile. Suddenly, the risk factor of a stock could be calculated, quantified and estimated. Another economist, Robert Engle, would win a Nobel prize in 2002 for his independent view of this same idea. Amazing. There you have it. Investment Risk is all about past pricing. Nonsense, I say.
The High Impact of Unlikely Events
In 2007, Nassim Taleb published what would become a Wall Street favorite, “The Black Swan” (not a lot of ballet in this one), “The Impact of the Highly Improbable”. The important core theory that Mr. Taleb establishes is that unexpected events happen and the impact that some of these events have is astronomical, whether we’re talking about 9/11, the capital markets collapse of 2008, BP’s oil catastrophe in the Gulf of Mexico, or Barings Bank’s rogue trader. Micro level events or macro level events, either of which may be completely unpredictable, have the potential to be game-changing events. The big question becomes: how well positioned are we to deal with such events? Forget about trying to capture, measure and plan for each exact event. That’s all fine and good. But how capable is the organization, how agile is the organization, to respond when the big one hits?
When a competitor exploits a new technology that undermines our traditional sales and delivery models, how well can we analyze the issues, develop strategic approaches, institute new models and underlying processes to maintain our market position? These are the questions that Blockbuster could not answer adequately. Their event wasn’t even an overnight impact. They had many months to adjust, but like a big aircraft carrier, they just couldn’t change course quickly enough.
Only The Nimble Survive
In a recent blog post by Torben Rick (http://bit.ly/lQpHYn), he asserts that “Business history is punctuated by seismic shifts that alter the competitive landscape. These mega trends create inescapable threats and game-changing opportunities. They require businesses to adapt and innovate or be swept aside.” So, when we return to the topic of risk and how well organizations are managing risk, let’s not focus on stock price volatility. Rather, let’s look at how organizations approach their business models in an agile manner. Just how well are they positioned to change processes quickly and respond to “Black Swan” events? Because the question of whether or not there will be such events is settled. There will. Another fine recent blog post is by Norman Marks (http://linkd.in/qyQazb), who notes, “an organization needs not only to understand and assess its risks, but it needs to have a culture that embraces the active consideration of risk…”. It’s this consideration that I suggest includes active response to the unexpected.
If you are dealing with management that is not capable of rapid change, you are dealing with high risk. Now, my definition of risk might not be quite as quantifiable and as easily comparable as a risk quotient like Barra’s “beta”. But for my money, it’s what really matters.