Pondering Pandemics: Can We Get Better at Responding to Systemic Risks?

An economic system balances in a seemingly precarious equilibrium. It is not unusual for a CRO to be asked how his or her organization will be impacted under a variety of circumstances, including normal market conditions, tail events and complicated events. These involve known unknowns, or unknown unknowns, or uncertainty.

Examples of such events are given below in Figure 1.

Figure 1: System Conditions

The list above provides a continuum of system states. Risk managers are familiar and most comfortable with the first three categories: normal, tail and complicated. We've evolved volatility-based risk measures and scenario stress tests that help explain and quantify the risks.

Moreover, we've developed mature responses in these states for non-financial risks. The risk management approach in complex and chaotic states is less well understood.

More extreme situations of uncertainty involve complexity, where a system is moving from one equilibrium to a new state, and chaotic states. Examples of a complex state include climate change and geopolitical populist nationalistic change.

A chaotic state is defined as unpredictable with unknown starting conditions. Examples include the COVID-19 pandemic and riot crowd behavior.

Risk and Uncertainty are Different

For the complex and chaotic events, standard risk measures do not apply. What's more, for these events, the importance of analytical risk measures diminishes compared to resilience planning.

For the normal and tail states, our day-to-day financial risk measures are models of a random process. We are comfortable with the volatility tools that help us explain the impact and probability of an event.

Any system that evolves over time will undergo chance, or random, fluctuations. A risk problem involves random fluctuations where the parameters and the functional forms required to determine the optimal decision are known. In an uncertain situation, at least one parameter, and perhaps all parameters, are unknown and must be estimated.

Figure 2 summarizes our approaches to financial and non-financial risk measurement, and the relative importance of each depending on the system condition.

Figure 2: Risk Measurement Approaches for Financial and Non-Financial Risks

Chaotic States, Complexity Analytics and Resiliency

Systemic risk can be thought of as the risks of breakdown or major dysfunction in a system. After the financial crisis of 2008, we thought of systemic risk primarily from the inside out: for example, how an event at a single financial institution could impact aggregate systemic risk levels, or, more specifically, the potential impact of the financial institution on the financial markets.

When thinking about systemic risks, we also need to consider the “outside in” view - or how systemic risks impact the organization. For financial and non-financial institutions, what is the impact of macro-economic or external trigger events on the organization? That's the nature of the question posed to the CRO when the event is complex or chaotic.

Complex situations surround us, and risk managers should not feel bashful about borrowing analytic approaches from other fields such as weather forecasting, epidemiology and entropy estimates. Rather than basing a decision on a single analytic, a dashboard of complexity analytics can be useful to summarize potential short- and long-term impacts, and provide direction on the best organizational responses.

Every organization must, of course, address key issues during a global pandemic, including whether its employees are prone to be stricken and whether it's safe for employees to travel to the office to work. (Many firms, in the interest of health and safety, have already provided employees with the option to work from home in response to COVID-19.)

Analytical tools can help measure uncertainty via (1) estimating when a threshold is hit, and assessing the likelihood of a system change by visualizing tensions in system structure ; (2) estimating epidemiological contagion rate; (3) estimating the proximity to a system change, such as a one-degree warming of an ocean; and (4) estimating the probability of a small system change - e.g., an earthquake or wildfire.

I would argue that chaotic states will migrate to complex states when we gain consensus about the problem, its definition and how it is measured. As the observation window lengthens and measurement (even if in other countries) improves, the complexity measures discussed above will become useful.

But far more important than the analytical estimates of probability and impact of the complex or chaotic event is the resiliency approach taken by an organization.

The list of possible disruptions caused by a complex or chaotic event is long, and far beyond the thinking behind the typical business continuity management (BCM) plan. For example, a corporate lens on a COVID-19 global pandemic will extend the BCM plan to highlight additional factors and the supporting external infrastructure and supply chains, including:

• Worker location and safety, and the health of their nearby family;
• Hospital systems and their supply chains;
• Access to food and water;
• Work arrangements and supporting technology infrastructure;
• Sources of complete and truthful information;
• Transportation protocols;
• Safety supplies;
• Weather forecasts; and
• Communication plans

Infrastructure companies, such as a financial exchange or a cloud provider, face reliability challenges, and may need to appeal to employees' commitment to the company mission.

Parting Thoughts: Rethink Readiness

Very few of us know if we have this potentially deadly virus. We could choose self-quarantine, but there's clearly a lot of work to do to ensure our organization responds well.

For organizations existing in a chaotic system, leadership is more important than ever. The value of financial risk measurement in this kind of environment is limited; communication, planning and actions matter more to organizational survival.

All aspects of a firm's supply chain become critical. For the firms leading critical infrastructure, such as the cloud and financial exchanges, a mission driven employee appeal may be required to keep lights on.

Across the board, labor safety and supply will be critical. Ironically, those companies with remote work approaches and culture may fare the best assuming their remote work infrastructure (e.g., Zoom meetings) continue to operate.

The CRO will be at the heart of an organization's resilience. He or she will require strong communication skills, an orientation to decisive action and an ability to translate opaque conditions into crisp steps that enhance organizational confidence.

Brenda Boultwood is an independent risk management consultant. She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Previously, she was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Before that, she worked in a number of risk management, business roles and as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. She currently serves on the board of directors at the Anne Arundel Workforce Development Corporation.