I think if I were to ask you what you thought the best way to manage risk was, there would be a significant risk that you would give me a very boring answer. I imagine it would involve complicated mathematical valuation systems, stochastic models and spreadsheets, lots of spreadsheets, risk indicators, traffic light arrangements, risk registers. If you work for an insurance company, particularly on the actuarial side, it would be very quantified, with calculations of the reserves required to meet “1 in 200 year” risks featuring heavily. Recently even operational risk is increasingly being approached from a more quantifiable angle, with Big Data being collected across many users to pool and estimate risk probabilities.

Now you can argue about these approaches, and particularly about the Value at Risk (VaR) tool which has brought this 1 in 200 probability over the next year into nearly every risk calculation carried out in the financial sector, and the Gaussian copula which allows you to take advantage of a correlation matrix to take credit for the “fact” that combinations of very bad things happening are vanishingly rare (the “Gaussian” referring to the normal distribution that makes events more than three standard deviations or “sigma” away from the average vanishingly rare), rather than actually quite likely once the market environment gets bleak enough. The losses at Fortis and AIG 2008 were over 5 and 16 sigma above their averages respectively.

The news last week that the US Attorney for the Southern District of New York had charged two JP Morgan traders with fraud in connection with the recent $6.2 billion “London whale” trading losses reminded me that VaR as it is currently used was largely cooked up at JP Morgan in the early 90s. VaR is now inescapable in the financial industry, having now effectively been baked into both the Basel 2 regulatory structure for banks and Solvency 2 for insurers.

The common approaches to so-called “quantifiable” risk may have their critics, but at least they are being widely discussed (the famous debate from 1997 between Phillippe Jorion and Nassim Nicholas Taleb just one such discussion). However, one of the other big problems with risk management is that we rarely get off the above “boring” topics, and people who don’t get the maths often think therefore that risk management is difficult to understand. In my view we should be talking much more about what companies are famous for (because this is also where their vulnerability lies) and the small number of key people they totally rely on (not all of whom they may even be aware of).

If you asked most financial firms what they were famous for, I imagine that having a good reputation as a company that can be trusted with your money would score pretty highly.

A recent survey of the impact of the loss of reputation amongst financial services companies on Wall Street revealed that 44% of them lost 5% or more in business in the past 12 months due to ongoing reputation and customer satisfaction issues. Losses based on total sales of these companies are estimated at hundreds of millions of dollars. There was an average loss of 9% of business among all companies surveyed.

And the key people we totally rely on? Well, just looking at the top five rogue traders (before the London Whale), we have:

1. SocGen losing 4.9 billion Euros in 2008 when Jerome Kerviel was found guilty of breach of trust, forgery and unauthorized use of the bank’s computers in their Paris office with respect to European Stock Index futures.
2. Sumitomo Corp losing $2.6 billion in 1996 when Yasuo Hamanaka made unauthorised trades while controlling 5% of the world’s copper market from Tokyo.
3. UBS losing $2.3 billion in 2011 when Kweku Adoboli was found guilty of abusing his position as an equity trade support analyst in London with unauthorised futures trading.
4. Barings Bank losing $1.3 billion in 1995 when Nick Leeson made unauthorised speculative trades (specifically in Nikkei Index futures) as a derivatives broker also in London.
5. Resona Holdings losing $1.1 billion in 1995 when Toshihide Iguchi made 30,000 unauthorized trades over a period of 11 years beginning in 1984 in US Treasury bonds in Osaka and New York.

None of these traders will, of course, have done anything for the reputations of their respective organisations either.

These are risks that can’t be managed by just throwing money at them or constructing complicated mathematical models. Managing them effectively requires intimate knowledge of your customers and what is most important in your relationship with them, who your key people are (not necessarily the most senior, Jerome Kerviel was only a junior trader at his bank) and what they are up to on a daily basis, ie what has always been understood as good business management.

And that doesn’t involve any boring mathematics at all.