Introducing The Risk 3.0 Blog

Systemic Dependency Risk breaks the risk management and insurance framework – we need a “Risk 3.0”

Risk management and insurance are facing a frog-in-boiling-water crisis of declining relevance.  We simply do not have the tools to deal with the big, existential risks of disruption – both at an individual company scale and at an economy-wide scale – that seem to be increasingly prevalent as a result of changes in business models, globalization and technology that create complex and systemic dependency patterns.  As one insurance industry executive has somewhat flippantly put it: “The problem with our business is that buildings don’t burn down any more.”

“Black swans” like the 2008-09 financial crisis and COVID in 2020 are so big that they almost get a pass for breaking the risk management framework.  If an event is deemed sufficiently improbable with sufficiently widespread severity, there may be some safety in numbers for a company that suffers badly but in line with its peers.  For example, the major US airlines are mostly not considered irresponsible for needing a $54 billion bailout to make it through COVID without massive layoffs and/or bankruptcies.  

But we’ve also had a recent string of concerning “near miss” business disruption events, including some high-severity regional or sector-specific incidents like the Suez Canal blockage by the Ever Given running aground in March 2021, the run on Silicon Valley Bank and ensuing regional bank crisis in March 2023, the Change Healthcare ransomware attack in February 2024, and the Francis Scott Key Bridge collapse and Port of Baltimore closure in May 2024.

We’ve also seen broader, but fortunately less severe, incidents like the Colonial Pipeline ransomware attack in May 2021, The Clearing House processing error in November 2023, and the CrowdStrike incident in July 2024 that illustrate the potential for widespread impact and contagion while falling short of “existential” threat magnitudes.

To be sure, crises such as these spawn plenty of recriminations, government interventions to mitigate the damage, and reactionary new rules (e.g. Dodd-Frank from the 2008-10 financial crisis) that try to limit future exposure to a recurrence of the immediate past crisis.  But these responses tend to narrowly target the perceived causes of the preceding crisis and thus fail to generalize to the broader issue:  risks are transmitting across companies, sectors, regions and economies along lines of dependence.  These risks go beyond some fuzzy sense of correlation, and it is increasingly inadequate to classify them as exotic “tail” risks; if black swans become commonplace, they’re not really “black swans” anymore.

So why call it “Risk 3.0”?

My professional career began in the early 1990s at the cusp of a quiet revolution in risk management.  The old tried and true ways – still widespread today and not at all invalid – were about risk minimization:  identify, assess, mitigate, transfer, monitor, etc.  The “Risk 2.0” revolution (we never called it that, so far as I know) was about risk quantification:  determining the potential severity and probability of bad outcomes.  But it wasn’t about quantification for the sake of quantification, or as a more sophisticated version of the “assess” and “monitor” components of “Risk 1.0”; it was about turning risk into an economic cost in order to make better decisions. 

The risk quantification revolution naturally began in financial services, where risk-taking is inherently part of the core business.  Limits, underwriting criteria, policies, etc. (old school Risk 1.0 approaches) that limited the risk would still be part of the solution going forward, but with a stronger emphasis on maximizing the profit vs. risk tradeoff.   We developed concepts like Risk Adjusted Return on Capital (RAROC – and yes, RORAC makes more sense as the acronym if you feel strongly about it) and Net Income After Capital Charge (NIACC) that incentivized taking more risk if the expected profitability justified it, while avoiding even small risks if the expected profitability wasn’t sufficient.  Trading desks’ risks were quantified in terms of Value-at-Risk (VaR), which was in turn linked to capital.  Loan portfolio profitability was measured with a deduction for Expected Loss rather than more erratic Net Charge Offs, and capitalized in relation to a quantified Unexpected Loss volatility metric.  The most sophisticated banks began to drive this discipline down to the individual loan level, and it went hand-in-hand with some of the earliest data science applications to score individual borrowers (e.g. FICO) in relation to their expected Probability of Default. 

Risk 2.0 was at its best with diversified portfolios composed of baskets of individual risks where the relationship between those risks could be described in terms of statistical correlation, or perhaps a conditional dependence on common systematic factors.  These approaches were capable of measuring the systemic risk in a portfolio as well as dealing with idiosyncratic risks as a result of potential “lumpiness” in that portfolio.  Sophisticated catastrophe risk models were developed to address the case of complex geospatial “correlation” of risks affected by earthquakes, hurricanes and other disasters, weaving together natural sciences, engineering, financial and probabilistic model components.

The Risk 2.0 revolution reached its pinnacle in financial services when regulators adopted many of the risk quantification advances into the 2004 Basel II framework for internal models-based capital requirements.  In theory this was a brilliant exercise in “invisible hand” economics wherein the financial services sector would optimize the allocation of risk-bearing capacity across the economy, including the aggregate risk to government backstops (e.g. FDIC), on the basis of each individual entity compiling a portfolio of risk-efficient decisions at the individual borrower and/or transaction level.  In practice, this great experiment would swiftly be undone by rules based on lessons learned from the 2008-09 financial crisis and superseded by the Basel III framework published in 2010 (as well as Basel 3.1 in 2017 and various other additional modules). 

Over the last decade or so, the risk quantification revolution has crept into the non-financial sector’s insurance buying behavior.  Partly driven by the need for increasingly bigger companies to expand their insurance limits, and partly driven by the desire to offset the cost of increasing insurance rates, many companies began to take a harder look at the cost/benefit economics of “working layer” insurance (i.e. the range of losses where the likelihood of claims is not that low) and increased their deductibles and retentions into layers where the expected net cost (premium minus expected claims) was high.  The most sophisticated companies model an enterprise-wide risk profile and optimize their insurance program across lines of coverage to maximize their overall risk reduction for a given net spend on insurance. 

So while “Risk 2.0” has mostly been a tremendous success story over the past three decades, it all falls apart in the face of systemic dependency risks.  They’re not modeled well with statistical approaches relying on some sense of correlation, we don’t have a structural topographic understanding of how these risks arise and transmit (in cat modeling terms, we are lacking both the natural sciences models and the map on which to apply them), and insurance companies don’t have the capacity to offer solutions.  These challenges will require a new set of approaches and tools – Risk 3.0 – in order for risk management to regain relevance. 


The next post on this blog will take a deeper dive into defining Systemic Dependency Risk. After that, future posts will explore other aspects of Systemic Dependency Risk and how to deal with it, such as:

  • how the economic environment has changed to give rise to Systemic Dependency Risk
  • why Systemic Dependency Risk slips through the commercial insurance “protection gap”
  • why does insurance matter – why Systemic Dependency Risk needs to be insured
  • what should risk managers do if they have Systemic Dependency Risks (or if they are one)
  • how to fix our regulatory approaches for a future with more Systemic Dependency Risk

There may be tangential topics from time to time, particularly foundational building blocks for how to think about “tail” risks.

Along the way, we’ll take occasional looks back at case studies and lessons learned from past Systemic Dependency Risk incidents and comment on new ones as they arise. We’ll also flesh out some potential future Systemic Dependency Risk scenarios so that hopefully we can prepare without needing future lessons learned.

Feel free to nominate additional topics in the comments section, and of course feedback is always welcome.

