Ethics of Risk Management
Business is, in many ways, all about risk. It’s about investing in R&D and in productive processes that may or may not result in products that customers want to buy. It’s about hiring people and then putting your company’s reputation into their hands. It’s about trying and doing new things, always aware of the chance of failure. Society flourishes because businesses are willing to take risks. Of course, some risks should not be taken, and others should be taken only subject to suitable safeguards. Risk, in other words, needs to be managed.
Modern risk management, as that term is used in corporate contexts, has its roots in finance and refers primarily to the management of financial risks. It relies heavily on mathematical models used for asset pricing and portfolio assessment. Banks use risk management techniques to determine how many loans and mortgages of what kinds to hand out, and on what terms, and to figure out (within regulated limits) how much capital they need to keep on hand in case depositors come calling to reclaim their deposits. This all requires careful calculations. Take too little risk, and you’ve got money sitting idle. Take too many risks and, well, you end up with what we saw back in 2008.
Last week I had the pleasure of hosting Professor John Boatright, as part of the Business Ethics Speakers Series that I run at the Ted Rogers School of Management. John is the guy who literally wrote the book on ethics in finance. He’s author of Ethics in Finance and editor of Finance Ethics: Critical Issues in Theory and Practice. There simply is no one better on issues of ethics in finance. And his topic last week was an important one: “The Ethics of Risk Management: A Post-Crisis Perspective.”
As John’s talk pointed out, the advent of modern risk management strategies is, somewhat ironically, implicated in the financial crisis of ’08-’09, from which we are still recovering. The mathematical models risk managers use made possible the popularization of collateralized debt obligations (CDOs) and credit default swaps (CDSs). And the fact that there were actual hard-core equations behind these instruments — which Warren Buffett “financial weapons of mass destruction” — made them seem far safer than they were. This illusion of safety encouraged very high levels of leveraging, with what we now know to be disastrous consequences.
One of the other things that John’s talk clarified for me was that there’s a kind of ambiguity in the very term “risk management.” To the public, the idea of “managing” risks sounds very much like the idea of “reducing” risks. And that, of course, sounds like a very good thing. But risk management absolutely is not the same as risk reduction. Indeed, it can be quite the opposite. Risk management is the art of finding the right level and mix of risks, the right ‘risk profile.’ What matters ethically, as John pointed out is which risks are managed, by whom, by what means, for whose benefit.
The other point from John’s talk that I want to highlight here has to do with the ‘corporatization’ of risk management. As John pointed out, business firms both encounter and create risk, and risks are encountered by both firms and by individuals in society. If, as seems to be the case, risks to individuals are increasingly being managed by corporations, we as a society need to be acutely aware of the way corporations think about risk. John quoted author Michael Power as saying that “Risk is the basis for corporations to process morality.” In other words, risk is the lens through which corporations consider and act upon their obligations.
The problem here is clear: risk is an inherently outcomes-based construct, and not everything we care about ethically is a matter of outcomes. We also care about rights and duties, and about justice in the way good and bad outcomes are distributed. If risk becomes the lens through which obligations are examined, something important is being left out. Corporate risk management, in other words, is itself a mechanism that brings risks that need to be managed.