How Does One Audit a Fund Manager's Risk Management?

I just got off the phone with Ken Akoundi, a civil engineer turned risk manager who just left fund-of-funds group Optima Fund Management after running its risk-management operations. He agrees with me that some kind of risk auditing function or business model is needed, but it's going to be very hard to construct, for a lot of reasons.

Akoundi says that the single biggest problem with risk-management professionals today is that of independence. They nearly all report to C-level executives: the CFO, or COO, or CIO, or CEO. At hedge funds, they generally report to the founder of the company. What's more, they're paid more when the firm does well, and less when the firm does badly: exactly the same incentive structure as the risk-takers they're paid to police. "Every risk manager is a politician in the last quarter," says Akoundi -- which is a serious problem when the stock market starts tanking spectacularly in October.

These problems can at least be solved: pay risk managers a flat rate, and have them report directly to the board, rather than to executives.

Other problems are less tractable, however. A huge one is that auditors, in general, simply tend not to have the skillset needed to perform a detailed risk audit which would uncover serious red flags. More generally, risk management doesn't scale: as hedge funds or fund-of-funds grow, their risk managers find it harder and harder to find the time and human capital needed to keep on top of everything.

What's more, many funds, and fund-of-funds, hire risk managers first and foremost with a marketing goal in mind: the goal is not to manage risk so much as to reassure their investors that they're managing risk. How can an investor who can't afford his own risk manager tell the difference?

One model is that of Amber Partners, which has set itself up as an "independent operational risk certification firm to the hedge fund industry". I like this model, but it does run into the Moody's problem: they're being paid by the people they're certifying, which gives them an incentive to be lenient.

The alternative is for investors to go out and hire seasoned risk managers to do due diligence for them, if they can't afford to employ one full-time. That works for huge investors running billions of dollars, and does carry the implication that anybody who isn't willing to spend a few hundred thousand dollars on due diligence shouldn't really be investing in hedge funds in the first place.

Ken's toying with the idea of setting up such a company, which would work for the investors rather than the funds. He'd like to staff it with civil engineers, like himself, rather than financial engineers: "Civil engineers know that if something goes wrong with something they've designed, people get hurt," he says.

And what, in his view, is the single biggest mistake that risk managers made in recent years? According to Ken, it was their failure to observe their lack of failure. Their models said they should be wrong 1 in 20 times, but in reality they were only wrong 1 in 40 times, or 1 in 60 times. That should have been a red flag, but generally it wasn't.

It certainly would have caught Madoff -- but there was no shortage of red flags in the Madoff case. More to the point, if it had been implemented in the big banks, it might have caught a lot of the CDO shenanigans as well, and saved the world a very great deal of pain.