In many ways, business is all about risk. It’s about investing in R&D and in productive processes that may or may not result in products that customers want to buy. It’s about hiring people and then putting your company’s reputation into their hands. It’s about trying and doing new things, always aware of the chance of failure. Society flourishes because businesses are willing to take risks. Of course, some risks should not be taken, and others should be taken only subject to suitable safeguards. Risk, in other words, needs to be managed.
Modern risk management, as that term is used in corporate contexts, has its roots in finance and refers primarily to the management of financial risks. It relies heavily on mathematical models used for asset pricing and portfolio assessment. Last week I hosted Professor John Boatright as part of the Business Ethics Speakers Series at the Ted Rogers School of Management. Boatright is the guy who literally wrote the book on ethics in finance. He’s the author of Ethics in Finance and editor of Finance Ethics: Critical Issues in Theory and Practice. His topic last week was an important one: “The Ethics of Risk Management: A Post-Crisis Perspective.”
As Boatright’s talk pointed out, the advent of modern risk management strategies is, somewhat ironically, implicated in the financial crisis of ’08-’09, from which we are still recovering. The mathematical models risk managers use made possible the popularization of collateralized debt obligations (CDOs) and credit default swaps (CDSs). And the fact that there were actual hard-core equations behind these instruments—which Warren Buffett called “financial weapons of mass destruction”—made them seem far safer than they were. This illusion of safety encouraged very high levels of leveraging, with what we now know to be disastrous consequences.
One of the other things that Boatright’s talk clarified for me is that there’s a kind of ambiguity in the very term “risk management.” To the public, the idea of “managing” risks sounds very much like the idea of “reducing” risks. And that, of course, sounds like a very good thing. But risk management absolutely is not the same as risk reduction. Indeed, it can be quite the opposite. Risk management is the art of finding the right level and mix of risks, the right ‘risk profile.’ What matters ethically is which risks are managed, by whom, by what means, for whose benefit.
Another important point Boatright made has to do with the ‘corporatization’ of risk management. As he pointed out, firms both encounter and create risk, and risks are encountered by both firms and by individuals in society. If, as seems to be the case, risks to individuals are increasingly being managed by corporations, we as a society need to be acutely aware of the way corporations think about risk. He quoted author Michael Power who said “Risk is the basis for corporations to process morality.” In other words, risk is the lens through which corporations consider and act upon their obligations.
The problem here is clear: risk is an inherently outcomes-based construct, and not everything we care about ethically is a matter of outcomes. That is, we also care about rights and duties, and about justice in the way good and bad outcomes are distributed. If risk becomes the lens through which obligations are examined, something important is being left out. Corporate risk management, in other words, is itself a mechanism that brings risks that need to be managed.
Chris MacDonald is Director of the Jim Pattison Ethical Leadership Education & Research Program at the Ted Rogers School of Management.