Leptokurtic operations: Shunning Certain Risk

With the recent Virginia Tech shooting, I was reminded this week of the difficulties policy makers face in comprehending risk. In particular, executives and politicians alike tend to fear certain risk and end up structuring policies that trade off manageable "expected risk" for the mostly unmanageable, statistically difficult world of outlier uncertainty events. This choice unfortunately distorts the probability model of the risk environment and trades out often normal distributions with what are known as leptokurtic models.

Consider VT's recent change in policy that banned the legal concealed carrying of handguns by individuals confirmed by the State of Virginia to be free from felony convictions, mental disability, and other disqualifying conditions. The VT administration held a mostly irrational fear (when measured from national statistical data of crimes committed by legal concealed carry handgun owners, which is conclusively nearly zero) that a permitted concealed carry individual would commit a violent crime in an act of uncontrolled rage. By enacting policy which prohibited this improbable event, VT administration narrowed the probability of such events, at the unfortunate expense of significantly fattening the risk tails. With a mostly undefended campus (and certainly given a lack of deterrence), they chose to make a highly catastrophic outlier event much more certain. A campus lacking any capacity to defend itself in real-time is an environment ripe for out-of-control outlier events.

Such policy behavior is most unfortunate and exceptionally irresponsible. While catastrophic risk is impossibly difficult to quantify with precise certainty, expected risk usually yields to risk management techniques we possess. VT's experience is a lesson corporate executives and risk managers could certainly learn from as well.

From a policy perspective, it's valuable to examine operational policies and procedures for indications that they're inducing leptokurtosis. Is certain risk (which can and should be managed through insurance, reduction, transfer, etc.) instead being avoided or shunned, causing participants in the process to distort information or engage in activities that transfer the expected risk to outlier categories?

Leptokurtic Model
Orange = Standard Distribution
Yellow = Leptokurtic Distribution

Image source: www.trade-ideas.com

A good example of this dynamic is in the handling of capital technology assets past the conclusion of their underlying depreciation schedule and/or capital lease interval. Normally, the forecasted financial life of the asset should provide a reasonable indication of the low-risk lifetime. Not only is such equipment in a new state within engineered MTBF (mean-time between failure) and usually supported by insurance or vendor replacement provisions, but it is recent enough to have current internal expertise and documentation. A loss of the equipment during this period is well protected by risk mitigation measures in place at various levels.

Once an asset has been fully depreciated, management experiences an increase in profitability from its operation, at the expense of increased catastrophic/outlier risk. This is where our normal distribution gets narrower and taller at the center, while developing alarming fat tails at the outliers. Replacement parts become rare, personnel familiar with the configuration and operation of the system depart, and documentation disappears. Normal vendor support for the antiquated technology asset also disappears. While the center of the risk model rises with the gains realized from lower-cost operation of the asset, leptokurtic fat-tails grow. When the inevitable system failure occurs, recovery is nearly impossible. Configurations are lost, internal and vendor knowledge absent and companies are often left with very few options for recovery. Occasionally, some firms don't survive the experience.

The best solution for leptokurtic operational risk may be no different than practices accepted in credit and market risk: incur certain risk daily to keep risk models normal. As the certain expense of an insurance policy represents in a sense a real, certain loss every month for the policy holder, operational risk environments should seek similar policy counterparts. Operate only current technology assets under depreciation and schedule their replacement at the conclusion of depreciation. Specify certain lifespans of applications and kill legacy system with regularity. Force the company to bear the expense to keep the risk distribution mostly normal so that traditional risk management controls can be effective. Absent this recurring culling effort and known expense, catastrophic risk is certain to develop.