Rossi, who saw the subprime meltdown from the inside of Citi, WaMu and Countrywide leading to the 2008 financial crisis, describes the collapse of the Bahamas-based exchange as “an age-old story of management hubris, excessive risk-taking, lack of regulation and risk management. It could be written as an epitaph of every failed financial institution or major risk event over time.”
Formerly a risk executive at several top financial institutions and a federal-banking regulator, Rossi entered academia shortly after the 2008 crisis. Ironically, FTX's origins can be traced to this same period, to a widely circulated paper proposing a new financial system.
Rossi, who dissects the failure acknowledged by FTX founder Sam Bankman-Fried in a forthcoming CRO Outlook column for the Global Association of Risk Professionals, says: “Rarely do we see such an unforced admission by the head of a failed company. As the details of the collapse trickle out, it’s again a time to reflect on the importance of building a risk-oriented culture from the top down.”
The CEO, not the chief risk officer (CRO), is the most important risk manager, Rossi says. “The risk appetite and effectiveness of risk management at an institution is directly proportional to the level of risk DNA exhibited by the CEO.” This, combined with Bankman-Fried’s dominating management style, set the conditions for the FTX fall.
“The CRO in some sense is held hostage to the CEO’s risk mindset,” Rossi explains from his own experience leading up to the 2008 financial crisis. As CRO for a bank subsidiary of a major non-bank financial institution, he built an enterprise risk management (ERM) organization and framework nearly from scratch. “However, it turned out that dominating personalities at the top of the organization seldom embraced the views and recommendations from the bank and instead forged ahead with their own skewed vision of risk-taking.”
Goldfish Theory and Risk DNA
Another way to understand FTX’s failed risk management is to apply the goldfish theory (the fish tank size determines the goldfish size). Management attitudes toward risk, Rossi says, determine the size of the fish tank reflected by the stature and effectiveness of risk management. “At FTX, Bankman-Fried admits that insufficient attention was given to risk management. It wasn’t for a lack of understanding the rules of the game either since he had previously worked in a trading group that had risk and control infrastructure. Left unfettered from regulatory and board of directors’ oversight, it was only a matter of time before FTX tipped over.”
More broadly, behind nearly every financial services firm failure or major risk event is a personality at the top taking outsized risks and relegating risk management to a minor functionary type of role, Rossi says. “At FTX, the fish tank was empty. Every board and CEO needs to ask themselves, ‘what size is our fish tank and is it large enough to handle our risk appetite?’”
However, he adds, only those CEOs with risk DNA can truthfully answer that question.
But can this risk DNA be edited?
U.S. regulators tried this in the wake of 2008 by introducing heightened expectations for risk management at the largest banking institutions, but episodic risk events such as the Wells Fargo retail account scandal and the JP Morgan London Whale event still flared up. Though this suggests risk DNA cannot be “edited,” “guidance is critical in setting a minimum level of risk management structure and oversight and it must come to the unregulated crypto market if it hopes to survive over the long-term.”
CEOs in the crypto exchange market, Rossi says, must embrace, not run from, risk management. The same is true for non-bank financial institutions where risk management tends to be much weaker than at regulated depositories. This starts with elevating risk practices not as window dressing but as a meaningful counterbalance to excessive risk-taking proclivities.
“Ultimately, CEOs must come to grips with market myopia, herd mentality, recency bias and work on integrating a risk mindset as a counterweight to these inherent biases,” he says. “Until that happens, regulation and strong board oversight is the only path, though not failsafe, to ensure effective risk management practices are in place to mitigate the recurrence of high stakes risk strategies of dominating CEOs.”