In retrospect, it’s clear that the heart of the 2008 credit crisis was a failure in risk management. Indeed, the crisis provides a rich context for understanding where risk management goes wrong and how it can be improved. Banks overextended themselves, but the root cause was not individual bad judgment. It was formalization: the institutional bad judgment that comes from habitual reliance on regulations and structures (or, as Max Weber defined it, bureaucracy) to control activity.
Historically, bureaucratic control has had many benefits: It establishes formal rules and procedures that transcend individual idiosyncrasies and traditional orthodoxies. However, it also has many unwanted side effects: It can become overly rigid and specialized, it encourages groupthink, and it can lead to depersonalization and a lack of commitment on the part of employees. Reliance on rules can bring down companies because it inhibits them from taking the right risks in the right way.
That is precisely how bureaucracies failed many of the large investment banks. During the 2000s, the banks developed, with many signatories, multistage procedures to evaluate which risks were worth taking. These procedures were so elaborately defined that, as Andrew Kuritzkes put it, well-intentioned managers could no longer see the forest for the trees. The banks also externalized risk management, relying on expertise and approval from outside parties such as auditors, regulators, and credit-rating agencies. This allowed individuals to detach themselves — legally and morally — from the system in which they were working.
The banks that survived the credit crisis most effectively, such as Goldman Sachs and JPMorgan Chase, had a different approach to risk: personalization. Instead of embracing bureaucracy, they pushed more responsibility to individual decision makers and required them to live with the consequences of their choices. This in turn required a higher quality of insight, greater personal accountability, and a stronger supportive culture for risk management. Gillian Tett of the Financial Times reported on this in January 2008: “Employees [at Goldman] typically view themselves as being affiliated to the bank, not business line, and there is a strong ethos of shared accountability.” Similarly, at JPMorgan Chase, CEO Jamie Dimon has been known to take an active personal role in risk briefings.
Most smaller players, such as hedge funds, also escaped relatively unscathed. This was partly because their decision makers were close to the action, highly knowledgeable, and personally accountable for the outcomes of their decisions. As one leading hedge fund executive commented to us, “We have robust informal systems, we communicate naturally, and we develop our own views on what risks to take. We get a return on our judgment.”
Successful companies in other sectors also have highly developed forms of personalization. In the pharmaceutical industry, for example, firms make high-stakes investments in new drugs all the time. These firms have sophisticated formal systems and stringent external regulations, but in addition they rely on the strong ethical norms and professional standards of the medical community.
Insight, Accountability, and Culture
For us, the importance of personalization became clear in a research project we conducted on risk management in large organizations, beginning in late 2007. We interviewed executives in financial-services, pharmaceutical, oil and gas, mining, and telecommunications companies, and in the public sector, particularly among law enforcement agencies in the United Kingdom. We found that the concept of personalization has great intuitive appeal. Nonetheless, people struggle with applying it in large organizations that rely on formal systems to get work done.
Our research suggests three elements are necessary. Each of them can be fostered through organizational practices.
1. High-quality insight. Effective personalization of risk management requires putting the right information in the hands of those making a decision, and then rapidly transforming that information into insight, based on collective deep experience. The U.K. police force provides one example: When an incident flares up and becomes serious, an employee of any rank can call on a cross-force “critical incident” group to pull together all the available information about the situation and the larger community. Critical incidents are called only occasionally — when the officer’s “antennae” are “twitching” — but they provide an effective way of quickly bringing to bear all the different views on an issue and reaching a thoughtful decision.