Unlike most fields, modern financial risk management can be traced back to a specific time and place, and a relatively small group of people. Some quants in New York City, between 1987 and 1993, codified knowledge from a variety of fields, thrashed out disagreements and created the basic foundations of risk management which remain valid to this day. Of course, much of the intellectual heavy lifting had been done before 1987, but it was not organized systematically nor known to any one person. And there has been much progress since 1993, but no shift in fundamental principles.

**What’s in a name?**

During the years of development, we discussed what to call the field. We wanted to distinguish it from fields like portfolio management and physical risk control that tried to minimize risk. We also wanted to exclude voodoo risk experts. In primitive societies, these witch doctors took credit for any good thing that happened (“the gods were pleased by your donation”) and selected victims to sacrifice after every bad thing (“that one, the one who gave nothing to the temple, has angered the gods”). They always urge conservatism, but if an innovation works out, are quick to explain they supported it all along. In modern times the words have changed, but the basic technique is the same. These descendants of shamans still vastly outnumber the people with serious and useful quantitative knowledge about risk.[prbreak][/prbreak]

In the 1980s, financial institutions did not have Chief Risk Officers or risk managers. They had controllers and compliance officers and committees to set trading limits or approve credit exposures. These people made risk decisions but from the standpoint of minimizing risk subject to constraints, or the inverse problem of limiting risk and letting everyone maximize profit subject to that constraint. The one area in which professionals were actively carving out a role for

__managing__

risk was insurance. Non-financial organizations hired quantitative experts to decide what level of physical and legal risk was appropriate and which risks should be mitigated directly, which should be self-insured and which should be subject to purchased insurance policies. These experts were known as “risk managers,” emphasizing their task of optimizing rather than minimizing. Since no one was using the term in finance, we adopted it as the best simple description of what we did.

Unfortunately, confusion began immediately. Too many academics ignored the professional field, and responded to the demand for papers and courses on risk management with traditional portfolio management topics. There are entire “Risk Management” textbooks out there without a word of risk management inside. Professionally, a lot of voodoo practitioners jumped on the bandwagon and adopted the title risk manager. These are the ones who stand around looking worried about everything, who discourage every risk, take credit for every success, and point fingers for every failure. They spend all their energies attempting to predict and prevent disaster.

You can easily identify a real risk manager. She is cheerful and usually advises more risk. She looks for the danger in every success, and makes sure to mine the silver lining of every failure. She thinks people who predict are her enemies, they’re the ones who say, “Build the wall on the north side of town, that’s where we expect the attack.” She says instead, “I don’t care what you expect, if you leave any gap in the walls, that’s where they’ll come. Risk management is about preparing for anything that might happen, not guessing what will happen.” And she has no interest in preventing failure, which can only be done by eliminating risk. She is happiest when people fail fast, and when the organization is robust enough to survive many failures. These are the conditions that encourage the creativity and innovation required for evolutionary success, not just surviving each day.

**Baseball risk management**

A new pitcher comes in when the team is up by six runs in the ninth inning. What does his catcher tell him? “Throw strikes.” Why? That reduces the standard deviation of the distribution of runs the other team is likely to score. It sacrifices some expected value, but with a six run lead, reducing volatility is more important than decreasing expected value. On the other team, the batter will be told to “just make contact” to “only good pitches.” He’s sacrificing expected value in order to maximize standard deviation.

This is what a risk manager means by “risk,” a parameter you dial up or down to achieve a goal. It’s not good or bad, there’s no general reason to maximize or minimize it. Everyone understands this in sports. The team that’s behind tries to increase volatility of outcome: pulling the goalie in football, throwing long passes in American football, three point shots in basketball; the team that’s ahead uses opposite tactics to reduce volatility.

Compare this to the “risk” of a player getting injured. This is something to be minimized, subject to constraints. The better word for this is “danger.” It is one-sided, if you have a sudden change of health while playing football, it’s unlikely to be a positive one. Also, it’s measured in different units than other decision. We can’t answer, “How many points is a broken collarbone worth?” or even, “How many broken fingers are as bad as one broken leg?”

The complement on the good side is an “opportunity.” Consider the chance of a pitcher getting a no-hitter. This is considered so valuable, that a manager will leave a tiring pitcher in the game, increasing the risk of loss, rather than deprive him of the opportunity to complete a no-hitter. It is also one-sided and measured in different units than everyday decisions.

Risk managers must deal with dangers and opportunities, even though we typically have no particular wisdom to offer. The basic rules are simple. Decisions about dangers should be pushed down to the lowest level possible. If a company truck driver dies in an accident, you don’t want it to be because the Global Head of Maintenance decided to reduce the frequency of brake inspections, or the CFO increased the number of miles each driver had to log each month in order to earn a bonus. People near the danger are in the best position to assess things, and they accept dangers when they have control over the level. Since dangers cannot be quantified, they cannot be aggregated and balanced against money, so they cannot be managed from the top. There is also the advantage that if the person who dies is also the person responsible, one fewer living person has to feel guilty or get sued.

Opportunities, in contrast, should be spread as broadly as possible. Opportunity does not diminish by being shared. A pitcher is happy for pitching a no-hitter, his team is happy, the fans are happy, everyone wins. Although big corporation are usually portrayed at being indifferent to dangers, I think the more common corporate sin is to neglect opportunities.

Risk mangers must learn to distinguish dangers and opportunities from risks to make sure each is handled in the appropriate fashion. Treating a risk like a danger is cowardice. Treating a risk like an opportunity is irresponsible. Treating either a danger or an opportunity like a risk is inhuman. An essential skill for any risk manager is to recognize risk and manage it, wherever it resides, and to refuse to manage dangers and opportunities, relegating each to its proper level.

**Baseball portfolio management**

Where is our portfolio manager in all of this? She is also concerned about something properly called “risk,” but in a different way. In baseball, the pitching coach operates as a portfolio manager. She considers all of a pitcher’s pitches and locations and determines an optimal mix. She wouldn’t just use the pitcher’s best pitch, in the sense of the one with the best expected value of outcome. If the batters are sure which pitch is coming, it will be ineffective. On the other hand, she won’t mix the pitches uniformly, she wants to concentrate on the best pitches. She wants high expected value pitches, but she wants diversification as well. So she’ll come up with the best combination, the best portfolio, the mix of pitches that produces the best overall outcome.

To demonstrate the difference between the portfolio manager and the risk manager, the portfolio manager thinks strikes are the high-risk pitches. A strike is likely to result in extreme outcomes, outs or hits, even home runs. A curve off the inside corner will probably be either mildly good, the batter swings and misses, or mildly bad, the batter takes a ball and maybe walks. But the catcher, acting as risk manager, called for a strike when he wanted to

__minimize__

volatility.

Both are correct. The portfolio manager is correct that a fastball down the middle has a high volatility of outcome for the single pitch, the risk manager is correct that it leads to a lower volatility of game outcome. A team making outs and hits can easily score one or two runs, but it’s very difficult to put together a sequence that makes six runs. A team taking balls and walking has a hard time scoring a run, but only a slightly harder time scoring six runs.

Academic economists have trouble with this distinction because they think of both problems as being part of a complex optimization problem. A “portfolio” of pitches determines the probability distribution of outcomes for a single pitch. The game situation determines the “utility” of each outcome, in terms of effect on the chance of winning the game. It is a portfolio management problem to optimize the probability distribution of pitches for any game situation, which in turn determines the probability distribution of outcomes, in order to maximize expected utility.

**Professional specialties**

I have objections to that formulation, but they’re not my topic for today. I’m going to argue only that portfolio and risk management have evolved as separate professional specialties, with separate intellectual traditions and methods. It is certainly possible for one person to do both, but in my experience even these people make the two decisions separately. People who try to do the combined optimization fail.

Modern portfolio management goes back to Harry Markowitz. In 1950, sitting in the University of Chicago library, he wondered why investors don’t put all their money in the one stock they expect to have the highest return. He realized that you could do better by buying a portfolio of stocks with a higher ratio of expected return to standard deviation of return (later named “Sharpe ratio” if you subtract financing costs from the expected return). You get the weights for the portfolio with the best Sharpe ratio by multiplying the vector of expected returns by the inverse of the covariance matrix. Although he didn’t have either the data or the computer power to do the calculation, his seminal insight created the field of portfolio management.

Notice that for Markowitz, risk is something bad, something to be minimized. People came up for various justifications for that. Utility theory in economics argued that people with concave utility functions prefer less risk. Some economists claimed people do have concave utility functions, others that people should have concave utility functions and others that the people with convex utility functions don’t matter because they can get all the risk they want free by betting with each other. Behavioral psychologists argued that losses make people feel bad more than gains make them feel good. Practitioners tended to emphasize that risk made planning difficult, and also that it hard to measure manager skill. Mathematicians pointed out that at the same arithmetic average return, the higher the standard deviation, the lower the terminal wealth.

I think all those reasons are silly, but that’s another topic for another day. The point is none of them matter. Nobody knows enough about expected returns or covariances to maximize Sharpe ratio. All Markowitz needed was a constraint to force diversification. What people do in practice is either to make some assumptions about expected returns and covariances that force a solution, or balance portfolios according to entirely different principles. The basic insights of portfolio management are brilliantly illustrated by the toy example of working with known parameters to maximize Sharpe ratio, but nobody ever did it.

Around the time Markowitz was arguing with Milton Friedman about whether or not this work justified a PhD in Economics, John Kelly was at Bell Labs, thinking about the problem that launched modern risk management. Suppose you knew the true probability of a horse winning a race, and it was higher than the betting odds implied. How much should you bet? Kelly realized there was a rule guaranteed to do better in the long run than any essentially different strategy.

Rather than explain Kelly’s derivation (which is well worth reading) I prefer to break the idea down into three simple sub-ideas to separate the math from the model. Suppose you will be offered a series N bets at some payout ratio R (that is, for each dollar you bet you receive $R if you win and pay $1 if you lose), and you know you will win exactly K of them. You can bet a constant fraction of your wealth each time, between -1 and 1, how much should it be? Elementary calculus shows the answer is [K – (N – K) / R] / N. Risk has nothing to do with this, you always do best this way. For the same reason, utility functions have nothing to do with it. With more complicated bets the wealth proportion does not have a simple closed-form solution, but it’s always easy to compute.

Why restrict the strategies to constant proportions of wealth? It makes the end result independent of the order in which the wins and losses occur. And why assume you know how many times you will win? Because in the long run, results tend toward expected values. So these two assumptions are equivalent to a situation in which you know the probability of winning, there will be a very long series of bets and the bets are independent. Note that these will not hold exactly in practice, they are a model of reality rather than mathematical truth. But the basic Kelly insight can be generalized to finite sequences of dependent bets and uncertainty about probability distributions.

**When Harry met John**

Markowitz taught us how to think about relative allocations among simultaneous dependent bets in order to maximize a utility function. Kelly taught us how to think about absolute risk amounts over sequential independent bets, without reference to utility. Together these define unique investment amounts for each asset. Markowitz’s key ratio is excess return divided by standard deviation (Sharpe ratio), Kelly’s is excess return divided by variance. Note that these have different dimensionality. Sharpe ratio depends on time horizon, but not on bet size; Kelly ratio depends on bet size, but not on time horizon.

In practice, investment decisions do not fall neatly into Markowitz or Kelly idealizations. We live in a finite period world, not one period nor infinite periods. Everything depends on both size and time horizon. So portfolio managers and risk managers cannot inhabit separate silos, they must often confer to make good joint decisions. But there are reasons to separate the decisions as well. Portfolio management is highly multidimensional and data-dependent, it is forced to be at least partly parametric. Risk management is low-dimensional and uses much less data, it relies on non-parametric methods. The most important question for a portfolio manager is expected return, the most important question for a risk manager is worst-case return. While it’s possible for one person to do both, the fields are so different that it usually makes sense to separate the jobs.

This is the vision of risk management that was hashed out from 1987 to 1993, along with specific mathematical tools for implementation. The initial problem was how to set the optimal position risk for a trading desk. There were three major starting points. I was in the “value” camp which held the key measure was daily P&L, ignoring trades done during the day, in normal markets. The “capital” camp focused on the economic resources necessary to support a level of risk-taking, and the “earnings” camp modeled the effect on earnings. This was a bottom-up movement of traders and other financial risk-takers trying to run their own businesses better.

Around 1990, some large financial institutions got concerned about several different businesses unknowingly making the same bet. The top executives wanted reports to aggregate risk throughout the institution. “Value” was the only candidate for a measure, because P&L was the only thing that was defined consistently and controlled in all businesses, and it was the only one available daily. However, we value people tended to use complex metrics that could not be easily aggregated. The only simple metric was the one capital people used. They worried about how much capital was “at risk,” in the sense of how much you could lose at a level of probability equal to the default probability of bonds of a certain credit rating (knowing that allowed you to compute the market cost of your capital). Thus Value-at-Risk (VaR) was born, a name that makes no sense except historically.

**There are no voodoo VaR’s**

Every year, a few thousand people discover that VaR is not a measure of risk. They always seem to think they are the first people to notice that. You don’t get good portfolios by maximizing expected return subject to a VaR constraint, and you don’t encourage good risk management by setting VaR limits nor holding capital based on a multiple of VaR. Although people have done all of these things, they are abuses of VaR based on taking a risk management concept and interpreting it as a portfolio management one. You also can’t compute VaR parametrically or by historical simulation. What people call parametric VaR and historical simulation VaR can be useful numbers to know, but they are not VaR’s.

VaR is defined by a backtest. You publish a number every day, including days when your systems are messed up or there are reconciliation problems among positions. You never restate the number afterwards, all that matters is the number you published for decisions. You test how many days of normal markets had losses from beginning-of-day positions that were larger than your published VaR. That should equal the VaR confidence level, within statistical error, and your VaR breaks should be independent in time and also independent of the level of VaR. There are no voodoo VaR’s. In fact, you should be willing to bet on future VaR breaks at the odds implied by the confidence level (and any quant who managed trading desk risk in the early 90s did exactly that).

It turns out to be remarkably hard to produce a VaR with a solid backtest, which taught us that we really didn’t understand our center risk. You have to understand the center before you can begin to have useful opinion about the tails. When you put a real VaR together, you discover that having robust approximations for missing or incorrect data, and for systems problems, is considerably harder than modeling market movements or pricing positions (yet I interview people with graduate degrees in Risk Management who cannot define a relational database or tell me what a controller does). Your world is quite different from the portfolio managers.

Another difference between risk managers and portfolio managers, is risk managers worry when VaR is too low. VaR is the region in which you have plenty of data, the region in which you people, systems and models are well tested. Outside VaR you little idea what will happen. Risk within VaR limits is never a concern, it diversifies away too quickly to matter (what does matter a lot is the portfolio manager’s focus, what expected return value it is varying around).

Once you know your VaR, you know the region of risk. You investigate this with a number of tools, including stress tests and scenario analyses. But you never attach probability estimates to these, so they are irrelevant to a portfolio manager. One point of these exercises is to develop contingency plans to deal with each. Of course, the disasters that do happen will never resemble any of your tests. A key principle of risk management is the hope that preparing for the bad things you can foresee will give you the knowledge and discipline to react to the bad things that actually happen.

It is sometimes said that all the value of risk management is the experience gained by producing a VaR and working through stress scenarios. There’s some truth to that, but only some. The quantitative goal of risk management is to use the stress scenario analysis to set worst cases for performance, which can be used to construct Kelly-like optimal risk levels. Left to their own devices, portfolio managers are apt to take risk up too much during times of low volatility, wait too long to cut after volatility and losses, then cut too much and wait far too long to take risk back up again. All of these things are good for maximizing long-term Sharpe ratio, but bad for making sure you survive long enough to realize anything long-term. And conditional on survival, long-term Sharpe ratio is a poor objective function both in the sense that it’s difficult to control and that it is unrelated to how well off either the manager and the investor is.

Someday, this will all be in a textbook: how the modern field of financial risk management developed, what practicing financial risk managers actually do, and what knowledge and skills you need to help in the professional effort and advance the state of the art. Someday, students will be taught that risk “management” does not mean “constrained minimization of” risk, and that “risks” are distinct from “dangers” and “opportunities.” Someday, John Kelly (and Ed Thorp who developed Kelly’s ideas for risk management) will have more space in risk management textbooks than Harry Markowitz or William Sharpe. Until then, you’ll have to rely on your quantitative skills to figure it out for yourself.