Cooperative systemic risk management

The title sounds a mouthful?

Well, you can thank WordPress: the original title was “Non-regulatory approach toward systemic risk management and entropy reduction” :D

An idea (and business/marketing plan) that I built in the late 1990s.

A cross between an IMF-style and Nature-style title…

Moving down to Earth- what is the purpose of this posting?

Sharing, as usual, experience. But this time, something more: a business model and plan.

The reason is simple: I have been sitting on this article since late 2008, when I decided not to revive the project with an industrial partner, due to a change in organizational structure.

Why wait? Because the business model presented in this document is actually potentially applicable in other industries, besides banking risk.

And from December 2008 I was actually providing some information to a startup on how to apply the same approach to a completely different case.

Now that the first six months of “coaching” are done, I decided that I can share the original model online.

Therefore, from this point on I will drop any industry-specific language, and summarize the model and its structure.

The basic required needs?

  1. a set of risks that could damage more than the directly ‘hit’ organization, involving also its counterparts
  2. a working market, i.e. one where pre-emptive group pressure could be more effective than “the day after” hastily designed regulation
  3. the presence or potential of a shared trustworthy party to manage information confidentiality

I hope that this article will be enjoyable also for people that are not directly involved in a specific business.

Be it simple voters (it is your present and future money that the crisis is lavishly spreading around), consultants, politicians, or… employees in a position of suggesting new approaches and ideas.

Or organizing around an idea or project.

As usual with relatively longer articles…

What will be inside this article

Why “systemic” risk?
The inspiration
The model
Making it happen

If you are interested also in the financial/marketing model and team building part of the business plan, to build your own “look-alike” structure, or just get inspired let me know.

If I get enough requests, I will simply produce a “neutral” version, and post it online, so that you can (freely) generate your own.

The document will be the full business plan, including the marketing material, business case, and so on.

I believe that copyright and IPR have a value: but that, eventually, any good idea will be developed by somebody; the value is only in the timing.

And no idea is worth anything if it just sits in a (virtual) closet. So, let’s say that it is “Creative Commons for attribution”.

Of course, if you want my help in applying it to something else, let me know.

I am currently based in Brussels, but even though I will probably move soon, my motto used to be “have a brain, would travel” (ok, this is for my American friends) :D

Enjoy the reading!

R


Why “systemic” risk?

The first point in the basic required needs is a partial definition of “systemic”.

I will avoid a dissertation- let’s just simply expand on the concept “a set of risks that could damage more than the directly ‘hit’ organization, involving also its counterparts”.

And the best approach is using an example.

Look around you: do you see anything that does not require a power source (including your computer, mobile, and so on)?

Probably, to communicate, travel, pay- you use most of the time something that requires a power source.

Therefore, if the electricity grid is offline long enough, it is not only your computer that will not work. Or the elevator.

But also the gas station around the corner. And the supermarket checking out counters. And, eventually, also your mobile (ok- let’s ignore solar-cell chargers).

The failure spreads from the originating source (maybe a single power station) to the distribution grid.

Eventually, it affects directly all the customers, and indirectly all the activities that are linked either directly or indirectly to the power grid.

As shown in recent years, the current electrical system is advanced enough to ensure that, even in the worst case, only the structure without a backup generator will be affected, and maybe just for minutes.

And, after the completion of the distribution “ring” that spans Europe and North Africa, there will be even more flexibility to avoid future disruption (and other regions are creating or planning similar systems).

The “continuity” should a “disaster” occur is therefore based on shared information about the “routes” available, and other technical information, like maximum capacity, and so on (go search the IEEE Spectrum online to read more information, “The Ties That Bind”, published in November 2008).

If you want- like for highways, you have a “map” that allows you to move point-to-point.

Moreover, the “map” includes also the marking on maximum height, maximum weight, length of the vehicles, angle of each turn, etc. Everything needed to reroute through the “electrical highway”.

If we move one level up in the feeding chain, to the computer/telecommunication network (is there any real difference, nowadays?), things get a little bit more iffy.

What happens is simple: the electricity grid is a utility that usually is considered critical and managed under central supervision or through joint agreements toward a common purpose.

I remember that a few years ago, while discussing a startup project, I was told that a visual 3D computer model had distortions in the height of buildings within a town.

Why? Because the height was derived from telecommunication information.

If the data on a publicly available model had been used by competitors, they would have been able to assess information that was useful to compete.

It is as if your highway map had misleading markings, so that you have to double check everything.

Now, let’s assume an emergency- how can you re-route traffic, if you do not know which information about the highway network is true, and which is false?

As I wrote in other contexts recently (cyber-defense), the most critical aspect is certainly educating all the parties involved in the “systemic” aspect.

Interestingly, if all the companies belonged to conglomerates, spanning across multiple industries, they would, by necessity, clearly understand the systemic risk.

The excessive specialization of industries (vertical integration) often creates a “tunnel vision” that reduces the incentives to reduce the systemic risk, assuming that building higher gates would keep the barbarians out.

And forgetting that, no matter how high your gates and walls will be- you will still need to receive supplies- and deliver your products, if your organization is focused on delivering a business.

And it does not matter if your products are physical or virtual.

But do not blame telecommunication companies: the higher up you go in the feeding/complexity chain, the fewer details you, or even a “watchdog”, can access about what your competitors are doing.

Yes, you have “data exchange” agreements.

But if, as recently shown by various financial scandals, the “raw” information is managed only internally, and then disclosed selectively to others in your own industry, you get once in a while a Bernard Madoff.

The lack of transparency is an incentive toward “cutting some corners”.

An older example is what happened with the Lloyd’s asbestos and other claims.

In that case, instead of spreading the risk (“re-insuring” outside Lloyd’s), the lack of transparency allowed commissions to be generated while keeping all the risks in the Lloyd’s system.

When the scandal happened, I remember eventually buying a then just published book on how not to manage risk (For Whom the Bell Tolls: Lessons of Lloyd’s of London), as I was then negotiating to become a financial controller.

I think that it is still worth reading now (despite having been published in 1992).

As discussed in many articles on this blog, my concept of risk is that risk cannot be removed: it can be assessed, monitored, analyzed, and, through pre-emptive actions derived from your monitoring, reduced. But not removed.

Moreover: risk is dynamic.

Why did I highlight pre-emptive? Because every day you can read proposals to regulate everything. And it is fine. But: you regulate what you know.

You probably heard of Basel II.

The point is: having in place checks and balances to identify trends and, yes, by using as a crude measure some parameters, ensure that you have enough resources to cope with events.

It is interesting to read about the “failure of Basel II”, and then, in the same line, quoting that the US financial and insurance failures are a clear example of the weakness of the system.

But, unfortunately, whoever writes those articles forgets to check the details (or lacks the time to do so).

Because the US had decided not to extend the Basel II framework to the same institutions that in other countries have been required to.

And if you are trading with uncovered entities, you are also importing their risks.

Moreover- if you read the details, you will see that, again, the real issue is a lack of transparency across the system.

No independent player was keeping the information needed to assess the value of assets and institutions.

Rating agencies? Yes. Maybe.

But… how independent can an organization be, when it depends on the same customers that it audits for consulting activities (that are more profitable than the audit itself)?

And when they extend their rating activities from a few items that they can monitor in detail (with dedicated analysts) with public data available through the market, to a constant avalanche of products with more limited reporting rules?

Oops. Sorry. I wrote “audit”- I meant “define the rating”. But, thinking again… I was right.

Because the rating agencies issue is a “déjà vu” of something that I lived through in the late 1980s and 1990s.

I mean: the issue with the auditing companies that had also a consulting branch, and supposedly a Chinese wall (rock) between the two entities, that was mocked by customers as a Japanese wall (paper).

And the customer was often playing… scissors, asking auditors to share information with consultants, or giving the same information to both- when not acting as a de-facto communication channel (look at Enron, Parmalat, and others).

So, we have now all the minimal elements that, in my view and experience, contribute to increasing systemic risk (under the definition listed above):

  • lack of understanding of the interdependencies by seemingly independent organizations
  • lack of transparency/excessive compartmentalization
  • lack of trust/lack of an independent “benchmarking” party
  • excessive reliance on regulation built on past experience



The inspiration

The inspiration actually came in “segments”.

First, in the late 1980s, I was working first on the development, then also the PMO (we had multiple teams/sub projects involved), and finally the roll-out of the General Ledger for an Italian bank.

Therefore I was able to see all the connections with all the other systems within the bank.

Banking accounting is something- moreover, if you add the Italian tax system on top of that.

I have been doing my own accounting first as a VAT-based freelancer in Italy for five years, then for 10 years drafting the balance sheet in the UK before my accounting firm completes it.

I am not a CPA, but more than once I had to give advice on specific rules to people that should actually know those rules :(

But, despite what they say (covering multiple currencies, customers, countries, activities- with just one person :D ), it is nowhere as complex as the General Ledger I saw then.

At the time, most major Italian banks belonged to a central government agency.

Part of the rules to avoid systemic risk required the major banks to act as a backup data center, to avoid impacts on all the banking system, should a major one have a technical issue (probably derived from the terrorist issues in late 1970s in Italy).

First inspiration: You can have competitors cooperate if you create the appropriate framework of mutual trust.

Then, for a few years, I was helping controllers and CFOs or marketing directors across different industries building their control and monitoring models, e.g. when they had external distribution networks/agents, or tens of controlled companies.

Second inspiration: you need some shared motivation to share the information, like: linking the bonuses not only to sales results, but also to audits and inspections.

Then, after a couple of years in methodology, I was back into banking, defining and deploying the methodology for a large banking outsourcing company.

As the CEO said, to prove that I was able to walk the talk, I worked on any critical/highly visible project as an “advisor” to the manager (organizational cross-bank projects) or project manager (technical/vertical projects).

Italy belongs to the “strong” regulatory approach- and the central bank, Banca d’Italia, is not really a government entity.

At the time, it acted both as a market-moderator/facilitator and as an industry self-watchdog, but with higher social standing than most institutions (including the Parliament).

Therefore, rules issued by the Banca d’Italia carried a political value.

Also because, at the time, there was a limited number of licenses, by county (“provincia”), and auctions to obtain vacant licenses, and inspections to ensure compliance with rules.

Also, most observers said, to protect the Italian banking market (at the time, notoriously inefficient: it operated with a spread of up to 750 basis points, i.e. 7.5% difference between the interest paid and the interest received; the most innovative Italian banks were said to spend up to 1/3 of that spread on ICT, i.e. 2.5%- as much as, at the time, major US banks had as spread!).

The Banca d’Italia had both sticks and carrots to use with the industry.

A core system was a centralized reporting system, to manage risks.

The system, called “Centrale dei Rischi”, was compulsory, and in more recent times it has been extended beyond the banking industry (see online one of the most recent offspring, from 2007, Archivio Unico Informatico- i.e. unified electronic file, containing all the information required to track the financial activities of individuals and institutions).

The idea was simple: each institution provided information, and received summary information on its customers. With some more variations on the theme, not relevant for our discussion.

In mid-1990s, through my English contacts I met a company that provided risk-management solutions, and I negotiated a deal (it was a lengthy negotiation) between the English company (it would provide its own front-end technology) and an Italian customer (it would provide to its banking customers the new technology as a “pretty face” for the “Centrale dei Rischi”, allowing also statistical analysis, integration with other data banks, and so on).

I did not know at the time that the UK did not have a centralized system.

So, the negotiation activity evolved into something larger: integrating the English technology with the Italian centralized data.

Also, I saw the opportunity to add a few features- a centralized, unique data bank allows one to assume that data are, well, properly verified before inclusion in the data bank.

Therefore, I proposed to add something more- adding also analysis by industry, region, and so on- if you want, adding a macroeconomic dimension (at the same time, I was spending my summers at LSE on International Political Economy- you see what joining micro-economics and macro-economics can have on some brains :D )

The negotiation went through different planning phases, coming to the close… when my English customer decided de-facto to double the price at the last minute (never hide “surprises” from your negotiator :@).

Third inspiration: maybe, instead of just importing in Italy British risk-management technology, it could work also the other way around.

But the legal framework in the UK was completely different.

Anyway, in my DSS/EIS activities from the 1980s I saw that the best approach to “change the mindset” was to create circles of influence, and then expand by coopting.

I call it the “oasis” approach.

Fourth inspiration: adopt the “oasis” approach, by developing a “core” group, and coopt others (for an additional fee, to payback the “pioneers”); the larger it grew, the better it would become, because also the others outside would feel the advantages of joining (with the appropriate marketing initiatives).

So, to summarize, I had four inspirations:

  1. cooperative activity between competitors
  2. build a common business case
  3. export a model to another culture
  4. create a “core” group, and then coopt new members



The Model

Following my inspirations, once I moved to the UK (1998, but for a legal glitch, as I was split between London and Paris, I registered in 1999), I started looking around.

I spent some of my spare time to check what was on the market, as I did expect that others would do it.

Instead, I found an Italian company that had adopted a lower entry- using the Italian logic to build a system that was competing with other bureaux.

What was missing in my picture? Simple.

If you move to a different culture, you need somebody that belongs there.

I had different colleagues working in the banking industry, or that had worked in the banking industry, who had the right connections.

But I needed somebody who, besides the connections, would be able to be an operational CEO, and technically savvy, as at the beginning he would need to “evangelize” the market, to get the first group.

Therefore, able to talk at the top floor, but credible with the line managers.

My role? Besides creating the idea and building all the team, bridging with Italy and the two regulatory frameworks.

I also prepared all the marketing and “corporate culture”, along with the business/marketing plans.

And I was supposed to train and coach the teams, leading the first projects, while my partner would act as the liaison with the industry, and the “first salesman”.

Before approaching him, I built what I usually write for startups: a one page speech, and a presentation of the business case, market need, etc.

If you want, a preliminary investment prospectus- without any specific figures on the turnover/costs, but the growth model and the market assessment.

My model is quite simple (I omitted some details- but use it as a checklist for your own activity):

  1. identify the need
  2. assess who should be the lead of your team to satisfy the need
  3. build the team with the right mix of skills
  4. create the “pillars” of the corporate culture
  5. produce the marketing material for each member of the team for the negotiation
  6. identify the partners needed, and their motivation
  7. select and discuss the key people
  8. evangelize the key people
  9. have the market contact assess the market, via face-to-face informal meetings
  10. do the same with the potential partners
  11. build the business case and draft business/marketing plan
  12. negotiate with the partners
  13. help the partners build their own business case and plan
  14. get the funding and start

The steps are both a description and the story (I funded all the negotiation phase myself, except the costs for the travels of the CEO-to-be).

The project eventually was stopped, of course, at the last point.

After a repeated review of the numbers (I actually built also the business plan for the Italian industrial partner), we arrived at the last board meeting before Christmas…

Just in time for a financial scandal worth eventually more than 10bln EUR to come along, affecting the balance sheet of shareholders- and the board of my industrial partner decided at the last minute to pull out of the negotiation.

The interesting part was that, as part of my preparation activity, I had collected also documents from IBRD, IMF, and so on, about risk and risk management practices in all the major industrial countries.

The funny part? Somebody in the banking industry in the UK said- we certainly have something like that.

I just had to renew to my UK partner the reference to a document from an international financial institution (from the 1990s!).

Clearly stating that… the main issue and potential systemic risk was that both the UK and the US had no centralized risk management repository, and that the data available from independent bureaux were of uneven quality, both in terms of content and process to feed the data to the system.



Making it happen

As I wrote in the introduction, if enough people ask for it, I will publish online the full business plan and model.

More than the financials “per se”, what is really important is the timeline of the development- and that has to be adapted to the specific industry.

As an example: the timeline of each expansion was linked to the usual cycle of data, and the timing needed to integrate a bank into the new system.

If you were to use the same model for, say, the integration of the information concerning where the telephone antennas and other infrastructure are located in the territory, their bandwidth, and so on, you would need not just a different timeline, but also a “standard project charter” that is different.

If you were instead to use the approach to, why not, create a new consortium, by identifying who is the “gatekeeper” to each area or territory, and who is connected to each, and which “services” (s)he can provide to the others, you would need also to identify a minimal set of services and information-sharing to be part of the database.

Otherwise, you would risk having 200 contributing only what is irrelevant to them, and everyone asking for what they are unable to do.

That’s why my model has separate steps to build the corporate culture guidelines before starting.

Building collaborative systemic risk management requires first defining the basic “backbone” reason for the existence of the organization, and then adding members.

Yes, as the CEO of a customer said- it is, in the end, like building a sect.

If you want to create an organization that is linked only by shared goals, you have to start by identifying the shared goals and how to evolve them.

Let me know if you need more information.
