Risk management: the process of harnessing risk in pursuit of better investment returns
In a broad sense, how should nonprofit institutional investors think about investment risk and risk management? Just about every nonprofit will answer that question somewhat differently; what is a considerable risk for one organization may be less of a concern for another. Large nonprofits may have a chief risk officer; at smaller and mid-sized organizations, investment risk management is the responsibility of the board, investment committee and senior staff members. For organizations whose mission is investment management, risk and risk management take on a wholly different complexion and level of complexity. Still, there are commonalities that may help even the smallest of institutional investors conceptualize an approach to risk management that is workable and effective.
Risk is a fact of life for every institutional investor. One way to view risk is to think of it as the fuel that generates portfolio returns, and risk management as the process of harnessing that risk to fuel the pursuit of better investment returns.
As the graphic on this page indicates, to capture those returns, investors’ money must go on a round-trip into the capital markets and back. This involves passing through financial intermediaries, custodians and asset managers and into economic assets that will produce returns. We believe an enterprise-wide risk framework should be built and maintained so as to mitigate the uncompensated risks in this process—including counterparty, operational, legal, compliance and regulatory risk—while harnessing the compensated investment risks.
Enterprise risk management and the nonprofit
Just what does enterprise-level risk management mean to most nonprofits? To some, the term implies that in some way, shape or form risk management is the responsibility of every staff member, not just risk specialists, senior management and the board. At investment management organizations that may be true. But, even smaller and mid-sized institutions can adapt the thinking behind enterprise-level risk management and use it to inform their own policies and practices.
One way of doing that is simply to recognize the linkage between effective risk management and sound governance. Governance sets the tone and tenor of the organization; it’s the level at which the mission, vision and values of the organization are established and maintained. Enterprise risk management contributes to an institution’s ability to fulfill the mission and realize the vision; it’s about maximizing the likelihood that your institution achieves its strategic objectives.
Enterprise risk management is formulated and implemented by the board, senior management and other key personnel in the organization to address anything that might challenge their ability to achieve strategic objectives. Within that context, enterprise risk management is about pulling together a wide range of risk factors to create a risk profile, assess it, measure it, monitor it and, ultimately, to report on it in a meaningful way so that all of the risks in the organization are identified and, importantly, that their interdependence is understood. Investment risk specifically involves understanding what is in your portfolio and how that portfolio might behave, under both normal and extreme circumstances. From an even larger perspective, investment risk for institutions with long-term horizons chiefly involves inflation and illiquidity. To fulfill their missions, institutions’ portfolio returns need to beat inflation. And, institutions need to have the liquidity to fund programs when and as needed.
As a practical way of thinking about risk management, it may help to remember the number sequence “4-3-3.” These numbers refer to four risk disciplines, three lines of defense and three characteristics that define a robust risk management framework.
The four risk disciplines
We like to think of investment risk management as being built on four disciplines, or pillars. These are:
Risk identification and ownership — seeking to ensure that no risk falls through the cracks or fails to be identified and, thus, results in surprises.
Risk measurement and monitoring exposures — seeking to estimate exposures to various risks. Here it is important to recognize that some risks are, in fact, not measurable. Nonetheless, these risks can be monitored qualitatively even if they cannot be measured with precision.
Organizational checks and balances — having internal controls in place. Checks and balances are particularly effective at controlling operational risks.
Centralized risk management — aggregating risk information across portfolios, analyzing it and bringing that analysis to bear on investment decisions. In the case of an investment manager offering an array of asset classes and strategies, it means bringing specialized, complementary skills into the organization; for most nonprofits, it means having access to these skills via managers or consultants.
The three key lines of defense
In implementing this framework, there are also three key lines of defense, or allies, that work together.
The first line is your internal resources — Your investment or financial management team, your investment committee and your board establish and implement the investment policy and ensure that it is followed by external resources. As needed, your internal team is supported by others in areas such as legal, compliance and accounting.
The second line is investment managers — Due diligence processes should strive to ensure that the managers an organization selects are disciplined in their risk-taking and have the requisite risk management capabilities to safely invest their clients’ funds.
The third line is external partners — Many institutions, both small and large, have chosen to outsource their investment management function and, with it, the day-to-day oversight of investment risk. Responsibility for investment policy remains with the board, but the greater resources of the outsourcing partner should allow for more consistent and robust risk monitoring. Other organizations may call upon consultants to help them identify risk parameters and measure and monitor them through time.
The board is the source of effective risk management, not only in its oversight capacity but also as the creator and preserver of values and culture.
The three characteristics of risk management framework
Earlier, we cited the importance of governance. The board is the source of effective risk management, not only in its oversight capacity but as the creator and preserver of an organization’s values and culture (two factors that are invaluable in risk management). In the ideal structure of an investment management firm, the Chief Risk Officer reports to the board and the CEO. He or she should have the duty, authority and independence to protect client interests. The Chief Risk Officer does not represent the interests of owners or shareholders nor those of in-house or external portfolio managers. This independence should manifest itself in the authority to raise issues with respect to any investment and to escalate issues to the board.
What is the corollary in a nonprofit organization? Probably it is a senior staff member or the investment committee. The key to effectiveness is independence. The person (CIO or investment committee chair) or persons (in the case of a committee) must to be able to bring issues to the board and believe that they will receive a fair hearing. What happens if the board doesn’t want to discuss the issue? Come back again; reintroduce the topic and, if necessary, introduce it again in the next board meeting.
You have to be persistent and make the board understand why it’s important. Obviously, judgment is a factor; not every issue can be escalated to a board-level decision and one has to be armed with facts in order to preserve all-important credibility.
Investment tools and strategies have become increasingly complex over the years. In response, investors need to keep pace with their own level of understanding and insight into the investment strategies they employ in their portfolios. Very few nonprofit institutions have the staff, financial and technology resources to perform comprehensive, rigorous risk management in house. So, when it comes to executing and implementing your investment process, who’s going to monitor your managers? Who’s going to ensure that the investment plan that you’ve put a lot of effort into crafting is executed the way you intend, only taking the risks you want and, hopefully, generating the returns that you’ve targeted? That process depends on your model for implementing the portfolio. If you choose to go direct, your institution needs to have people on staff who can evaluate and monitor what your managers are doing. If you choose to go with a hybrid approach, you may have someone who can help you pick managers and who can aggregate portfolio positions and reporting. That is usually a consultant. Or, you can partner with a third party by outsourcing the investment (and risk) management function in an outsourced chief investment officer (OCIO) model, as many institutions of all sizes have chosen to do.
Institutions are long term; most would prefer to think they are perpetual. But, too often, they fall victim to short-term thinking.
Institutions are long term; most would prefer to think they are perpetual. But, too often, they fall victim to short-term thinking. Institutional investors should be thinking in terms of five- and 10-year returns, not monthly or annual returns. This is a fundamentally different risk management challenge in that traditional tools for risk management, such as the short-term, volatility-based measures like value at risk, start to lose their usefulness when managing longer-term risks. Fundamental economic trends, maximum drawdowns, upside and downside participation rates, capturing liquidity premiums and market inefficiencies, and the effectiveness of diversification strategies in tail risk events are much more important to long-terms returns.
Although most investment management firms consider shorter-term, volatility-based measures, they should also seek to align their core risk management disciplines with the longer-term horizons of their clients. Consequently, scenario analysis very often plays a major role in risk management. Think back, for instance, to the federal government shutdown and debt ceiling fight in fall 2013. It ended relatively well, but there were many worse outcomes possible. Scenario analysis is a tool investors may use to monitor issues such as this through time. In this type of analysis, investors have the ability to scan the markets for macroeconomic risks, political risks, asset bubbles, correlation shifts, major changes in asset flows across countries or asset classes, and changes in risks being signaled in the derivatives markets via their price movements.
One simple model for discerning threats and opportunities relative to your strategic plan may be to identify key risks—perhaps five to 10 of them—and place them in a matrix whose axes are probability of occurrence and impact on your organization should they occur. In a 2×2 quadrant, you may decide to take risk in the lower left, but mitigate risk in the upper right. You may also want to evaluate how controllable certain risks are. If they are controllable, your institution should put controls in place. If they are beyond the institution’s ability to control, or are totally unpredictable but significant, your institution may want to mitigate the risk through risk sharing, i.e., various forms of insurance.