On Risk

We, as competitive monkeys, did not evolve to deal with risk on large scales well. We understand the risk a lion poses (get eaten) or a drought poses (no food) but we do not deal well with large, abstract risk. We dismiss it as a “1 in a million phenomena.” This is a well studied phenomena in computer security: it is difficult to get buy-in from those with the money in security without external pressure like, say, being hacked.

Understanding risk is important to understanding what happened in the Gulf and also what happened on Wall Street. For the Gulf, the issues with dealing with risk are simpler to understand: in a straight up but difficult engineering project quantizing and assessing risk is a well-known process, but dealing with mitigating risk is a matter of money. One must pay for the extra layers of protection or reinforcement. Even if risk is properly assessed, it costs money to mitigate the risks. Spending the money to mitigate the risks cuts into profit margins and adds to project overheads. BP made business choices over engineering choices to maximize profits at the expensive of mitigating risk. Destroying the entire Gulf of Mexico is a difficult consequence to conceptualize — it looks awful big! have you seen it? — so the risk of something that catastrophic is pulled off the table and labeled as “ridiculous.” Engineers are over-conservative whiners, anyway, when money can be made.* Risks were taken with the implicit assumption that if something did happen, the US would step in and BP’s liability would be capped.

The Wall Street risk is similar to the Gulf although the damage is in numbers instead of the environment. The risk of actually damaging the world economy is too large of a risk to contemplate. It cannot possibly happen! So we can over-leverage (Lehman Brothers) or create huge bad investments (Goldman Sachs) or insure all these bad investments (AIG) and nothing bad can happen! Because the numbers may be large but they certainly are not as large as the entire economy. Besides, the FDIC insures depositors so what does it matter if a proprietary trading desk loses everyone’s money? Sure the bank might close and the trader might lose their job if things go bad but look at all this money to invest!

Risk is calculable; most risk is known on a certain level. Risk is understood. But risk pays off in large financial reward, so humans wired to seek out large financial reward will pursue the risk. And they have found a way to fob off the downsides.

The core problem we have right now, today, is that risk is a throw of the dice and the system is rigged so if the dice come up snake-eyes the results are socialized. The bigger the risk, the more the downsides are subject to being covered by the Government. “Privatize the profits and socialize the risk.” When the risk is socialized corporations, constantly in the pursuit of profits, will negate any downside to risk to maximize their returns. This is what a corporation does. Without external pressure for culpability for the downsides of risk, a corporation will never mitigate the risk (expensive) in return for profits. If the corporation is not responsible for the downsides of risk, they’ll just rampage.

This is where the Government has a role to play. The Government can do precisely three things to reign in this behavior:

* Regulate. The Government can enforce a standard playing field with a certain floor of risk mitigation in return for safety and assurance. In return, the Government gives its stamp of approval.

* Litigate. The Government can sue in a post-mortem after disaster to recoup the funds used for cleaning up disaster after risk failed to pay out.

* Regulate AND Litigate. Force corporations to adhere to basic standards and then sue for liability depending on how may of these standards were met.

In an ideal world, we want the Government to do #3. We want the Government to be a licensing and auditing body that forces corporations to a certain level of responsibility and litigate for damages to recoup costs post-disaster. They are supposed to be a third party, not-for-profit, objective body that says, “You do X or else.” Today, for these “Too Big to Fail” institutions, we have none of these.** It’s cheaper to lobby/bribe than it is to comply to regulations, and it is cheaper to pay out on lawsuits than apply safety standards to mitigate the risk. Government is not properly funded with auditors to audit everything that needs auditing. Regulations have been continuously relaxed over the last thirty years.

We should be pressing the Government to enforce the same standards on everyone:

* No one is too big to fail, not even enormous banking institutions or car companies or oil companies.
* Assume a “you break it you bought it” mentality.
* Force corporations to build walls between “risky” business practice and routine business practice.
* Fund Government auditing with teeth.

I don’t think we’re going to do any of these because we, as Americans, are so wrapped up in the concept that a lack of regulations == jobs and short term profits that we cannot get off the mark — and it’s simply not true. It’s a PR job done by the corporations.

The core problem is risk. We need to start having a real conversation about risk across the board. It’s an abstract subject but we’re not having it so the big corporations are being allowed to walk away with their risks still being socialized.

* Engineers who are trained to be paranoid doubly-so.
** Small to mid-sized companies are regulated up the wazoo. Don’t get me wrong. It seems that the bigger you are, the less the regulations mean to you because you can cover the costs of the inevitable litigation by finding the change in the seat cushions and you can afford a huge PR media buy to cover your butt.