In the last few weeks, I've been asked more questions about risk and risk management than I recall hearing in the last year, and at no time has that been more clear than on a day that saw global indices fall 4%. For something we refer to so often, "risk" has proved an elusive concept. Still, it appears every day in the media, not to mention our own conversations. But what is "risk", exactly?

## What is "risk"?

We can't even begin to discuss risk management without a clear understanding of the underlying concept itself. (To be clear, I'm going to talk about financial risk: that which is associated with a specific investment or portfolio. This includes risk due to market forces as opposed to operational or liquidity constraints.) Many possible definitions of "risk" may spring to mind:

- The most you can lose on an investment
- The most you can lose on an investment, with some confidence level
*alpha* - The average return of the investment
- The market value of an investment
- The notional value of an investment
- A one-standard deviation loss
- A six-standard deviation loss
- The chance that a company goes bankrupt
- The chance that a counterparty goes bankrupt
- The chance that you go bankrupt

These are all very useful ideas -- we'll talk about why in a second -- but they dance around the issue. They are merely shadows or projections of financial risk. I list them here because ultimately "risk" must be defined in a way that is consistent with all of these projections; in fact it must actually encompass them all. In order to complete that definition, we'll need to borrow some statistical thinking -- but no math, don't worry.

**I propose that "risk" is a distribution of probable outcomes**. Specifying "probable outcomes" is somewhat redundant because, in a statistical sense, a distribution is a catalogue of every possible outcome as well as its associated probability. Nonetheless I state it explicitly here because it's important to realize that we must consider *all *outcomes, even those which are extremely unlikely.

## Risk as a distribution

What does it mean to say risk is a distribution? Put another way, this suggests that if I truly know the risk of an investment, I know the probability of any given outcome. I think that's a fairly broad characterization that satisfies both the requirement of encompassing the examples I listed earlier and an intuitive understanding of the concept. Volatility is frequently substituted for risk, as investors interpret volatility as uncertainty and risk, when viewed as a distribution, represents uncertainty in future outcomes.

We can now discuss the nature of distributions and their study. In some cases, it's actually possible to know the true distribution. Flipping a fair coin is the canonical example, but we can also consider rolling a die or drawing a card. In fact, it should come as no surprise that the entire gambling industry is premised on the idea that the public will only be comfortable putting their money at risk if they feel fully informed about possible outcomes. With a coin, there are two outcomes, for argument's sake let's say 0 and 1, and each has a 50% probability of being realized. That's it, we just fully characterized the risk in this investment with a simple Bernoulli distribution. How about the die? There are six outcomes -- for simplicity let's say {1, 2, 3, 4, 5, 6} -- and each one has a 16.67% chance of realization. Thus, the risk of the investment is fully captured by a six-part uniform distribution.

Coins and dice are nice illustrations, but they are only toy examples. In the real world, the full list of outcomes may be difficult to ascertain and their respective probabilities even harder. This is where statistics enters the picture. At its core, statistics is the study of distributions. All I've received in years of studying is a bunch of tools for analyzing and describing these lists of potential outcomes. If an investment lacks an easily described set of outcomes, we search for clues as to what the underlying distribution could look like. This could include the type of security, its sensitivities to various external shocks, its historical movements, our expectations of the future, etc. From these indications, we can put together an arbitrarily complex picture of an investment's underlying distribution.

Or at least, we *think* we can. Creating that picture is a little like trying to draw an object based only on its shadow. In statistics, we refer to this as a hidden or latent factor, or one that can not be observed directly. By sifting the data -- the clues -- in the right way, we can gain insight into what characteristics the distribution must have and, subsequently, it's general form.

## Choosing the distribution

Many distributions have properties called *sufficient statistics*. These quantities fully characterize the distribution, allowing it to be perfectly (or sometimes approximately) reconstructed without needing to carry around all the data that originally led to its discovery. Some of these summary statistics lurk in plain sight: mean and standard deviation are two of the most obvious. A dataset that follows a normal distribution, or standard bell curve, can be perfectly summed up with these two quantities. For example, if you made a list of the heights of everyone in your office, it would likely lie on a normal distribution (and for example's sake, let's say that is does). If you want to work with that distribution or build any sort of measurement of it, you need to keep a list of all (say) 200 people and their heights. But if you know it's a normal distribution, all you need is the mean (average) and standard deviation (dispersion around the mean). Those two numbers give you enough information to know the probability of observing any height in your original dataset, without the need to consult the data itself. They are sufficient statistics for the distribution.

For the coin toss, the sufficient statistic is the probability of 50%, which fully describes the underlying Bernoulli distribution. For the die, it is the range [1,6], which characterizes the discrete uniform distribution in question. When the list of potential outcomes deviates from well-known distributions, we have two options:

- Work with the unknown distribution
- Approximate the unknown distribution with a well-known one that has similar properties

While it seems like option 1 is the best choice, it can be a dangerous one. Recall that we may not actually know what the underlying distribution looks like; all we have is a picture based on its shadows. If we made mistakes creating that picture, we'll have trouble making informed decisions later. Moreover, we will likely be stuck with a branch of statistics called "nonparametric analysis" that can be difficult to make good use of.

Option 2 is likely the better choice, provided that we can glean enough information about the underlying decision to make an informed choice for the approximating distribution. There is a tendency to always choose a normal distribution, but I think the anti-Gaussian media has beaten that horse to death. Alternatively, there are many families of distributions available; we just want to pick one that describes the investment's outcomes well while retaining a simplicity that makes any math tractable (and, hopefully, easy).

Option 2 also lets us come up with sufficient statistics for the investment. If all investments were normally distributed, then our portfolio analysis would boil down to their means and standard deviations (and correlations with each other, because the portfolio is a multivariate distribution). This assumption drove the mean-variance finance paradigm that was pioneered by Harry Markowitz in the 1950's. Today we try to use more sophisticated distributional assumptions, but the idea remains the same: come up with a simple set of numbers that summarize your data and use them to analyze the whole.

Returning for a second to the height example, imagine I asked you to estimate the probability of a colleague being over 6'5". If you retained the original dataset (option 1), you would start by counting tall people, divide them by the total count and give me your probability estimate. If you used an approximation (option 2), you'd pop the sufficient statistics into a well-known and exhaustively studied equation and know immediately not just the probability but also a measure of confidence in that number. More complicated analyses might be simply impossible without the distributional assumption. When we are unsure of the best approximation, some compromise of options 1 and 2 will result.

It's very important to note that **in describing the distributions or risk of these investments we made no judgments about quality**. Surprisingly, we can't even say whether they are "risky" or "safe"! Despite my claiming that "we know the risk of the investment," all we've done is describe the outcomes; subjective and qualitative assessments are yet to come.

## Risk as a metric

Once we have some idea of what an investment's distribution of outcomes looks like, we have identified its "risk". But as I've mentioned, we can't yet do anything with that information. We need to create some sort of measurement that allows us to make comparisons and decisions. *Risk metrics* are those measurements.

Risk metrics are usually *summary statistics* of the underlying risk distribution. Summary statistics give information about the distribution, but, unlike sufficient statistics, they may not provide enough detail to recreate the distribution entirely. For example, the mean by itself or the standard deviation by itself or the minimum value all give some insight into the distribution but fail to characterize it completely. Frequently, estimates of these summary statistics are the "shadows" from which a picture of the true distribution is formed. When you measure the heights of everyone in your office, the observed mean and standard deviation constitute two of the clues you would use to construct the representative bell curve.

We have now learned enough to understand that the risks I listed earlier were actually summary statistics of an investment's true distribution, or underlying risk. At the risk of redundancy, here they are again with explanations (note that some of these return to the distribution of returns, others to the distribution of portfolio values; it is easy enough to convert between the two):

- The most you can lose on an investment
*(the minimum of the distribution)* - The most you can lose on an investment, with some confidence level
*alpha (the 1 - alpha quantile of the distribution, also referred to as Value at Risk)* - The average return of the investment
*(the mean of the distribution)* - The market value of an investment
*(the most recent observation from the distribution)* - The notional value of an investment
*(the minimum or maximum of the distribution)* - A one-standard deviation loss
*(the standard deviation of the investment)* - A six-standard deviation loss
*(the standard deviation of the investment)* - The chance that a company goes bankrupt
*(a specific outcome from the distribution and its associated probability)* - The chance that a counterparty goes bankrupt
*(a specific outcome from the distribution and its associated probability)* - The chance that you go bankrupt
*(a specific outcome from the distribution and its associated probability)*

It is clear that without knowledge of the underlying distribution, none of these quantities can be known. I want to hammer home the difference between knowing *risk*, the distribution, and *risk metrics*, summary statistics of that distribution. The distinction is even more important -- and confusing -- because sometimes the summary statistics are observed first and the distribution is inferred thereafter.

I mentioned earlier that volatility is frequently used to describe risk, because of its tie to uncertainty. We can now view it as just one more summary statistic (specifically, standard deviation). However, volatility has a special place in the risk paradigm because it was explicitly labeled as such in the mean-variance paradigm (it's counterpart, return, is played by the mean). That legacy has held and is in many ways justified: more stable returns (less volatility) are associated with return distributions that are well-known and usually characterized by a lack of large losses. As volatility increases, the probability of losses generally increases as well. The distribution becomes more dispersed and various risk metrics take turns for the worse. Thus, volatility is a risk bellwether: easy to calculate and usually indicative of most other metrics.

(Another way to think of risk metrics is as low-dimensional projections of the underlying (and potentially high-dimensional) distribution.)

## Choosing the metric

And now I'd like you to forget everything we just discussed. In practice, when we talk about "risk" we're referring to risk metrics rather than the underlying distribution. The reason for that is pragmatic: what good does it do to tell someone what the distribution is? Returning to the heights example, knowing the distribution doesn't give you any answers. In fact, if you're a statistician it probably gives you a bunch of questions. Summary statistics (and more advanced results) provide answers. They take the large risk distribution and condense it into a useable form. The appeal is clear: I could tell you every possible outcome of the stock you're about to buy, or I could tell you that you're 90% likely to never lose more than 20%. Which is more useful (putting aside all arguments of whether the latter can truly be known)?

So when we talk about risk we're talking about metrics. How do we choose those metrics? Well, if part 1 of the risk manager's job is to model the underlying distribution, then part 2 is deciding which metrics are useful and calculating them. Needless to say, this part is more art than science. Contrary to popular belief, there is no magic number that contains all risk information and lets you make investment decisions without further analysis. You may have heard of these holy grails, they go by names like "value at risk", "Sharpe ratio", "Sortino ratio", "return over maximum drawdown", "omega ratio", and so forth. These are like weight loss pills -- they make promises grounded in just enough math to either convince or confuse (depending on the customer) and appear to work as advertised on the surface. *Caveat emptor*.

We have already learned why there is no "one number" solution: because risk metrics are summary statistics and not sufficient statistics. Now, even if they were sufficient statistics for the risk distribution, there still wouldn't be a silver bullet, because the risk distribution does not allow qualitative judgments. It is merely a list of outcomes. If you could condense it to one number, you'd have a number that represented all your outcomes, good and bad, and not necessarily one that would provide an indication of value.

What's really necessary is to look at many of these metrics together. Each one provides some information about the risk distribution, like various shadows from different light sources. By considering many of them at once, our understanding of risk (and equivalently, our picture of the underlying distribution) is enhanced.

There are a couple risk metrics that are always useful:

- The most you can lose is an important one: investors need to bear in mind that zero is a real possibility. For most cash investments, this will be equal to the market value of the investment. Why isn't this enough? If you bought a million shares of stock and sold a million puts on the same, the max loss on the stock would be greater than that of the options, and you might conclude that the stock was the riskier play. However, I don't know anyone who would agree that buying stock is riskier than selling puts. We reach that conclusion by considering other outcomes of the respective distributions, or other summary statistics.
- A reasonable upside estimate is also key. This may not fit the traditional intuition behind a "risk measure", but it would help differentiate between the stock and option portfolios just described. The stock has large potential for gains; the puts are capped. Thus, the downside in the stock is mitigated by the positives but the put's downside -- though almost equal to the stock's -- is not similarly offset. The decision of what constitutes a "reasonable" upside is in the art category rather than science, so unfortunately I can't provide an algorithm.
- An understanding of an investment's volatility. Volatility, as mentioned, is like a risk bellwether. As it increases, so does the uncertainty about the future outcomes. Another way to express this idea is to say that the entropy of the risk drops as the volatility increases (this idea hasn't been explored nearly enough in the literature). Popular metrics like the Sharpe ratio try to capitalize on this idea by expressing the "return per unit of risk [volatility]". Presumably, the more risk one takes through an investment, the greater the return that should be received. (This notion took a turn for a disaster when, in late 2008, angry investors wondered why they lost money in stocks as compared to bonds -- the answer (that stocks are more risky) was staring them in the face, but they were accustomed to that risk resulting in greater yields and refused to accept any alternatives.)
- Event-driven idiosyncrasies. Is your investment subject to legal/regulatory risk? Operational risk? Other highly-targeted risks unique to that security? If so, the risk distribution becomes much harder to estimate accurately because these characteristics distort it to the point that approximations fail to capture it fully. It is important to understand not only what these idiosyncrasies are, but how they can impact your estimates of risk. As a simple example, consider an illiquid stock that doesn't trade except for a few times a year, when it jumps up or down 15%. Any distributional assumptions should be tossed out the window here; stick with more "nonparametric" qualifications like maximum loss and rely on an excellent understanding of the risk specific to the investment.

No discussion of risk metrics would be complete without addressing value at risk. Value at risk, or VaR, was once a celebrated risk metric, introduced to the public by J.P. Morgan in 1994. More recently, it has become demonized and blamed for its contributions to excessive risk-taking and the collapse of many financial institutions. VaR has a clear definition: it represents a level of returns that will only be exceeded some percent of the time, 5% or 1%. In a strict statistical sense, VaR defines the beginning of a distributions tail. Unfortunately, it provides no information about what happens when returns actually exceed VaR and make it *into* the tail. As more financial institutions came to see VaR as a minimum return, rather than an unlikely-but-still-possible return, they increased the level of risk they were willing to accept. On days when returns exceeded VaR -- and they tended to do so by quite a bit -- those institutions took losses far greater than they ever anticipated were even possible. In other words, they failed to consider that the risk distribution extended past the VaR level.

In a statistical sense beyond the scope of this writing, VaR does not satisfy certain axioms that good risk metrics require (see Artzner's 1999 paper on coherent risk measures). Nonetheless, when used in compliance with its strict definition, it serves as just another summary statistic and can give limited insight to the risk distribution. It is useful to observe the evolution of VaR over time, for example (if VaR increases, risk is increasing, even if the absolute level of VaR is uninteresting). Extensions of VaR like expected shortfall (the average loss, conditional on that loss exceeding VaR in the first place) are also quite useful. An institution is not doing something "wrong" by calculating a VaR; it may be a red flag if they rely *solely* on the number, however.

## The risk management process

What I've laid out here is a rather dry blueprint of the risk management process. The procedure is initiated by searching for clues to an investment's underlying distribution. This could be any combination of quantitative (historical or modeled outcomes) and qualitative (fundamental analysis, opinions about the future) factors that provide the "shadows" of the distribution. From these, a complete picture of the distribution is constructed, either through the use of sufficient statistics or tailored models (if the distribution defies simple approximation). Finally, the distribution is used to generate risk metrics that allow investments to be assessed and compared. Those outputs become a critical input for the investment process, as decisions must be made in the context of the portfolio risk, and that risk must not be outsized relative to expected returns.

Once the investment is made, the risk manager will continue to exert influence on the portfolio distribution. For example, if the left tail becomes too big, he may take steps to reduce it by taking offsetting positions, or hedging. If exposure to a specific market force (such as interest rates, or currencies) becomes too large or too small, he may buy or sell securities to bring it back in line. This monitoring process is very important -- the risk of an investment continues to change long after the investment is put on (in fact, you should hope it does, for otherwise nothing has happened at all!)

There are a few key lessons that can be taken from this process:

- First, an appreciation for the lack of a silver bullet: there is no magic risk number that will protect your portfolio. I'm sorry.
- Second, a grasp of the constantly changing nature of an investment's risk. There is no "set it and forget it" in this process.
- Third, an understanding of noise vs signal: investments will tend to sample from all over their distributions, both on the upside and down. It is important to observe whether or not the observed returns (themselves summary statistics, or "shadows") match your understanding of the underlying distribution. If they deviate too much, be prepared to consider that your original assumption was wrong and start over.
- Fourth, but most important, an understanding that the forest must not be lost for the trees. Seizing on one or two risk measures will inevitably lead to ignorance of the complete distribution (with possibly disastrous consequences). Conversely, trying to compute every summary statistic there is will lead to information overflow and indecision. Risk metrics are tools that provide insight; there's a healthy balance between sparsity and indulgence. Thinking of the metrics as shadows from different lights really is a useful metaphor: too few and some details won't be resolved; too many and the data's redundancy will overwhelm any chance of learning from it.

Aside from these tips, I can't stress enough the importance of practicing good risk management. Many investors do it implicitly, as simply understanding each investment is usually tantamount to intuiting its distribution. It doesn't have to be a burdensome regime of additional steps, though many investors will find it useful to ask themselves, as an exercise, "What is the largest loss I can sustain and what is the likelihood of that event? What is the volatility of my portfolio, and am I earning enough to justify that allocation?" and so forth.

The risk management process is not unlike solving a puzzle by piecing together clues and constantly checking that the emerging picture matches up with expectations. I hope this explanation has been satisfactory and not too mathy (you don't want to see me when I'm mathy). There's a richness to the process which I'm afraid I won't be able to describe here -- for your sake and mine -- but I think this should serve as a good jumping-off point for further discussion.

In conclusion, the Hitchhiker's Guide to the Galaxy has this to say on the subject of tail risk:

The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.

{ 8 comments… read them below or add one }

{ 2 trackbacks }