CRO Outlook

FTX Fiasco: Risk Management Lessons Learned

The failure of the crypto giant has shined a spotlight on the crucial role of CEOs, who must lead the development of comprehensive, engaging risk cultures.

Friday, December 16, 2022

By Clifford Rossi


The stunning collapse of FTX is an age-old story of management hubris, excessive risk-taking and insufficient regulation and risk management. But the catastrophe has also given us more food for thought on the importance of risk leadership and culture.  

Sam Bankman-Fried, the co-founder and ex-CEO of FTX, conceded that the company “completely failed on risk.” The same could be said, of course, about every other financial institution that suffered a meltdown over the past 20 years. Rarely, however, do we see such an unforced admission by the head of a failed company.

As the details of the FTX disaster continue to trickle in, it’s a good time to reflect on the necessity of building a risk-oriented culture from the top down.

The Most Important Risk Manager is the CEO

Bankman-Fried’s domineering management style is not unique to the crypto market. Unfortunately, many well-known financial services companies over the years have succumbed to the egos and cognitive biases of their CEOs.

This is extremely problematic, because the most important risk manager at any company isn’t the CRO, but the CEO. An institution’s risk appetite and the effectiveness of its risk management are directly proportional to the strength of the CEO’s risk DNA.

Risk managers must understand that our profession is in some sense held hostage to the CEO’s risk mindset.

In my first CRO role at a bank subsidiary of a major nonbank financial institution, I received a mandate and budget to build an entire ERM organization and framework nearly from scratch. At the time, I was naïve and thought that management was rather forward-thinking in its approach to risk management.

However, within a short time period, it became clear that the interest in building that infrastructure was largely to placate regulators concerned over the rapid growth of the bank. The domineering personalities at the top of that organization seldom embraced the views and recommendations from the CRO, and instead forged ahead with their own skewed vision of risk-taking.


By the time I finished building our risk program, we had a robust ERM function that rivaled those of our peers. But it was a major grind.

One could argue that perhaps our risk group didn’t do a good enough job at convincing management about emerging risks, but, unfortunately, this same scenario unfolded at some of the largest depositories I worked for in the years leading up to the 2008 financial crisis.

The Goldfish Theory of Risk Management

In some sense, risk management operates under the goldfish theory, which, in short, states that the size of the fish tank determines the size of the goldfish. In financial services, the size of the risk management “fish tank” is determined by management attitudes toward risk. If management has a positive perspective on risk management, that will be reflected in the risk culture and the risk budget, which should be large enough to cover your firm’s risk appetite.

What happened at FTX is a cautionary tale for all companies and their risk management units. Bankman-Fried admits that insufficient attention was given to risk management. But why?

Well, since Bankman-Fried had previously worked in a trading group that had a risk and control infrastructure, the problem, importantly, wasn’t a failure to understand the rules of the game. Instead, it was largely caused by the hubris of a management team – led by an arrogant, risk-deficient CEO – that didn’t have to answer to regulators.

Left unfettered by regulatory and board oversight, it was only a matter of time before FTX tipped over. Some will contend that’s easy to say after the fact, but just consider the reasons behind the carnage at other failed institutions like Lehman Brothers and MF Global.

The fact is that if you examine the circumstances behind nearly every financial services failure or major risk event, there’s a domineering personality at the top that takes outsized risks and relegates risk management to a minor functionary type of role.

At FTX, the risk management fish tank was so tiny that it was barely perceptible. The lesson? Every crypto CEO needs to ask whether the company's fish tank is large enough to handle its risk appetite.

CEOs who have risk embedded in their DNA are in the best position to answer that critical question.

Regulatory Genome Editing?

If a company’s risk management effectiveness is largely dictated by the risk DNA of its CEO, can it be edited, much like today’s genome editing technologies of human DNA?

After the 2008 financial crisis, U.S. regulators tried to push CEOs at large banks toward developing stronger risk cultures by introducing heightened expectations for risk management.

Regulation is certainly critical in setting a minimum level of risk management structure, and it must come to the unregulated crypto market if that market hopes to survive over the long term. However, despite the stronger regulatory guidelines put in place following the 2008 global financial crisis (GFC), episodic risk events (e.g., the Wells Fargo retail accounts scandal and the JPMorgan Chase London Whale) have flared up even among highly regulated entities.

Regardless of the industry in which it operates, a firm’s risk DNA cannot be developed by regulatory edict alone.

Parting Thoughts

The taint from FTX hangs like a pall over every other crypto exchange and company. To avoid future disasters, CEOs in that market must embrace risk management, rather than run away from it. The same is true for nonbank financial institutions (NFIs), where risk management tends to be much weaker than at regulated depositories.

Indeed, at crypto companies and NFIs, risk practices must serve as a meaningful counterbalance to excessive risk-taking proclivities, as opposed to window dressing.

Right now, strong board oversight is the only roadblock for reckless CEOs who operate in unregulated markets and who regularly employ high-stakes risk strategies in lieu of more effective risk management approaches. But even the most vigilant boards are not a failsafe.

Ultimately, crypto and NFI CEOs must come to grips with market myopia, herd mentality and inherent recency biases, and then work on integrating a risk mindset as a counterweight to these problems.

Clifford Rossi (PhD) is a Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.


© 2024 Global Association of Risk Professionals