News & Commentary

Kathy Burger
Science Versus Art in Risk Management: Lessons from Merrill Lynch

Merrill Lynch’s former head of market risk oversight sounds off on what he sees as the failures of current risk management practices. Is he right?

The belief that science is better than art or going by the gut is becoming increasingly widespread in U.S. society. We see it in the push for testing and teacher standards in education; in the rise of Sabermetrics and the Moneyball philosophy in baseball; and perhaps most significantly in the current thinking about risk management in banking and financial services. This is being fueled by the big data-driven explosion of information available to organizations for analysis, new and advanced modeling and quantification tools and capabilities, and an influx of physicists, statisticians and quants into the industry – not to mention regulatory requirements for stress tests and other numbers-based reporting. The conventional wisdom is that stricter adherence to the science of risk management -- models, tools, objective calculations -- could have prevented the worst of the subprime meltdown and global financial crisis.


A fascinating article in the New York Times suggests that this is not necessarily the case. Jesse Eisinger, a reporter for Times partner ProPublica, spoke with John Breit, a former physicist who went into the private sector and eventually became head of market risk oversight for Merrill Lynch (he resigned from the position in 2005). Breit, now retired, offers some very astute and disturbing analyses of the state of risk management in financial services. Specifically, this quant contends that there's too much reliance on science and numbers in financial services risk management. At Merrill Lynch, Eisinger writes, Breit "learned that his job was really psychologist, confessor and detective. He became the financial version of a counterintelligence officer, searching for the missed clues and hidden dangers in the firm's trading strategies." The article continues:

Instead of fixating on models, risk managers need to develop what spies call "humint" -- human intelligence from flesh and blood sources. They need to build networks of people who will trust them enough to report when things seem off, before they become spectacular problems. Mr. Breit, who attributes this approach to his mentor, Daniel Napoli, the former head of risk at Merrill Lynch, took people out drinking to get them to open up. He cultivated junior accountants. "They see things first," he said. "Almost every trading debacle was sitting on some accountant's desk."

According to Breit, most bad trades have more to do with hubris and delusion than with dishonesty or deliberate intent to game the system.

Most traders who get into trouble, he thinks, aren't bad guys. The bad ones, who try to cover up improper trades, are relatively easy to detect. The real threat, he said, comes from the "crazy ones" who really believe they've found ways to spin flax into gold. They can blow up a firm with the best of intentions.

But the current practice of risk management -- driven at least in part by regulatory requirements -- is not conducive to detecting these potential disasters. According to Breit, "Regulators have reduced risk managers to box checkers, making sure they take every measure of risk and report it dutifully on extensive forms. 'It just consumes more and more staff, turning them into accountants and rotting brains.'"

Breit believes risk management procedures should be less standardized in order to reflect the strategies, approaches and decisions of particular firms. At the same time, risk managers should have more autonomy as well as more open communications with senior management, including the CEO, he says:

"The cynic in me thinks this is all in the interests of senior management and regulators to avoid blame. They may not think they can prevent the next crisis, but they then can blame the statistics." Instead, Mr. Breit says he believes that regulators should encourage firms when they reach different conclusions on what is risky and what is safe. That creates a diverse ecosystem, more resilient to any one pestilence. And the regulators should empower risk managers by finding out how many times they meet with chief executives and what they have recently vetoed, and by judging whether the traders respect the executive. "It's all completely unquantifiable and vague," he said, adding that a risk manager should be divorced from the profit and loss statement, the one "who throws sand in the gears."

Breit ultimately felt marginalized at Merrill Lynch and may have an axe to grind, and of course it's always easier to be insightful in hindsight. But I think he offers some really provocative observations here, and they don't apply only to risk management. What are the limits of data, rules and standards? When are flexibility, nuance and imagination appropriate?

It's not as simple as saying, "Let's hire English majors and philosophers, not scientists." Furthermore, given the intense and generally unfriendly regulatory and political scrutiny on banks, it's unlikely we're going to see any organizations buck the science and quantification trend. At least not before the next crisis.


Katherine Burger is Editorial Director of Bank Systems & Technology and Insurance & Technology, members of UBM TechWeb's InformationWeek Financial Services. She assumed leadership of Bank Systems & Technology in 2003 and of Insurance & Technology in 1991.

Comments

Kathy Burger (Author), 4/8/2013, 7:07:44 PM
re: Science Versus Art in Risk Management: Lessons from Merrill Lynch
Right. I understand the thinking. The problem is our desire for everything to be black-and-white, either/or, and to not account for nuance/context. But gut alone is no good either.
Kathy Burger (Author), 4/5/2013, 4:50:01 PM
re: Science Versus Art in Risk Management: Lessons from Merrill Lynch
The emphasis on data and models has a lot to do with accountability. If you have all these numbers and analysis in front of you, it's easier to find the person/people to blame. When the financial crisis occurred there wasn't any small group of people who were held accountable, and that angered a lot of people. But that also ignores the systemic issues that led to the crisis. It's the same thing that's going on in education. They're collecting the data to zero in on bad teachers, who can then be held accountable for student failures. But it doesn't address issues that could be spread throughout the system.