Dennis Doody

Can't do anything about risks associated with your investment program? Not so. There is plenty that healthcare organizations could and should do. But it takes a firm commitment, the nurturing of a risk culture, and an open, collaborative environment.

For the past 18 months, we have been living through an unprecedented period of intense strategic, market, credit, liquidity, and operational risk that has challenged all market participants. From the demise of Bear Stearns to the rescue of Fannie and Freddie to the collapse of the likes of Washington Mutual and Lehman Brothers to passage of the U.S. Treasury's $700 billion rescue fund, we have lived through-survived may be a better word-a remarkable period.

When looked at collectively, these events coalesce into what is a unique phenomenon, whereby chronic contagion has resulted in the destabilization of normal investment flows and the weakening of the capital base of all banks, brokers, and investment managers. The level of uncertainty and unpredictability created by these events has undermined confidence in the risk management techniques built for normal market environments and for stress events that are related to historical experience.

This situation has thrust risk management-not returns, asset allocation, or spending needs-front and center on the agendas of most healthcare organizations. As a result, those organizations that have spent little time refining their risk management policies and processes may now find themselves struggling to quickly develop and implement a risk management program. A lot of damage has been done this time, but it's not too late. And it's definitely not too late to look ahead and prepare for the future.

The philosophy supporting an effective risk management framework is based upon the belief that a strong risk culture-driven by collective analytical insight, experienced judgment, and active collaboration-is key to effective risk management. This philosophy is not about try-ing to predict the unpredictable; rather, it is about a process of analyzing and considering possible outcomes, ensuring that an action plan is in place, and moving rapidly and effectively to mitigate conditions as new or unexpected developments arise.

Comprehensive Risk Management

Bear in mind that an effective risk culture thrives on open, active collaboration.

The risk management process is dynamic, forward-looking, and comprehensive in its coverage of potential sources of financial harm, reputational damage, or operational failure. Most organizations need to deal with seven risk factors: strategic, investment, liquidity, balance sheet, credit/counterparty, operational, and by-product.

None of these risk factors should be treated as isolated or independent, as there is considerable overlap and seepage among all of them.

Strategic risk. Dealing with strategic risk requires a forward-looking, top-down stress/scenario assessment of how fundamental shifts in external factors might affect the organization's long-term strategy and investment policy.

    Example: Market turmoil and continued uncertainty lead to a reassessment of spending plans and systemic change in investment policies of healthcare organizations.

Investment risk. This risk factor covers all aspects of market risk as well as the returns associated with any investment. In addition, while bank-oriented risk management focuses on the potential loss distribution (e.g., value at risk [VaR]), an assessment of investment risk also considers the potential gain distribution to ensure that any investment opportunity offers the potential for a consistent, risk-adjusted return over time. In statistical terms, it involves assessing both tails of the distribution of potential returns-the upside as well as the downside. The risk process then works to understand the drivers of unexpected volatility and ensure that these factors are attributable to intended risk.

    Example: Portfolio diversification strategies do not perform as expected, resulting in unexpected volatility driven by highly correlated asset class performance.

Liquidity risk. Liquidity needs, from both an organizational and investment perspective, should be understood and considered fully when setting both business strategy and investment strategy. To accrue the full benefit of managing pools of assets and maintain purchasing power through time, long-term investments must be able to play out. Any need for short-term liquidity, including a budget for the unexpected, should be assessed fully within the longer-term strategy and annual business planning cycle.

    Example: Inability to sell assets at prices reflecting expected terminal value due to a reduction in the number of market-makers and reduced risk appetite of investment managers.

Balance sheet risk. As with investment risk and liquidity risk, all potential risk implications of other activities that would hit the organization's balance sheet should be considered, including short- to intermediate-term financing, swaps transactions to manage interest rate exposure, and other structured products.

    Example: Market dislocations result in increased levels of basis risk between debt issuance and related interest rate swap hedges.

Credit/counterparty risk. Today, more than ever, it is essential to employ a market-based methodology of assessing the creditworthiness of one's trading counterparties-looking at long- and short-term ratings, downgrades, bond credit spreads, credit default swaps, credit spreads, and equity trading indicators-and to have in place a robust process for collateral management.

    Example: Instability of financial intermediaries leads to the need to reengineer the collateral management process from monthly settlement to daily settlement (also see operational risk).

Operational risk. In addition to the strategic and financial risks described above, it is equally important for organizations to have the ability to assess the risk of loss resulting from human error or failed internal processes or systems, or from external events.

    Example: An organization's collateral management process is challenged as price volatility requires daily movement of collateral, processed via third-party managers.

By-product risk. This is the risk that arises through the interplay of the other six risk types and the need for active risk mitigation. Crisis management, for instance, has become an important by-product of the risk management process, as the ability to respond effectively to unexpected events is today a critically important risk-related process. Managing by-product risk also depends on effective collaboration between cross-functional areas.

    Example: Spiraling market events result in an environment requiring crisis management initiatives focused on resolving unexpected events.

It is important to bear in mind that during the collaborative process, one overriding quality is essential for the person charged with risk management: That person must have the strength of character to be independent and to be able to present an objective, dispassionate view on subjects that require a risk assessment. This quality is particularly needed when this person challenges a business decision or the status quo.

Another essential qualification that goes hand in hand with the need for independence and objectivity is knowledge and expertise: The person responsible for risk management or risk management team should be familiar with most investment types (e.g., equities, fixed income, commodities, private equity, hedge funds, real estate, banking, trading, derivatives, and structured products) and risk types (e.g., strategic, market, credit, and operational, etc.).

Earlier, I mentioned that a risk management process prepares an entity for the future. I should point out that this does not mean solely focusing on the downside, or the potential for loss. Many times, an indicator of potential future losses is the occurrence of outsized gains that are significantly greater than had been expected. Clearly, the role of risk management is not to prevent investment managers from realizing gains. Risk management seeks to ensure that there is a clear understanding of the components of the outsized gain and that the gains were driven by the intended risk assumed in portfolio construction.

Consider, for example, that a manager is expected to gain up to 2 percent per month. For the previous month, the portfolio's gain was 8 percent. Conclusion A: The manager had previously established a position that would benefit from a decline in the S&P. As the S&P declined significantly during the month, the portfolio benefited. Conclusion B: Due to quiet market conditions, the manager increased the leverage on the portfolio by four times. The primary driver of the outsized gain was not the directional investment strategy, but the high multiple of leverage. It's up to the investment team to address these investment activities with the manager to be sure that guidelines are being followed and that the outsized gains were the result of skill, not luck.

Managing Risk in an Unpredictable World

Is it possible to manage risk effectively in a financial world that is becoming more and more unpredictable? At the end of the day, is it really worth it? Today, these questions are reasonable. I believe the answer, if not self-evident, can surely be found in the actions of financial markets over the past 18 months.

The key elements that drive the effective and proactive management of risk fall into two dimensions: action and discipline. Effective action depends on accurate, timely data; specific assignment of decision-making authority that avoids unnecessary steps; and a clearly defined process for executing decisions that ensures errors are minimized and feedback is provided on actions taken. As for discipline, risk management provides a quality-control mechanism that seeks to bring a higher level of consistency and predictability to the way healthcare organizations operate during periods of acute uncertainty. That discipline is driven by a strong risk culture and by collaboration and open communication.


In today's volatile financial environment, those responsible for managing an organization's investment risk will be tested and challenged. The risk management process described in this article can be effectively implemented within any healthcare organization by following three broad steps:

  • Assemble a cross-functional team to define the risk management priorities of your organization.
  • Educate all of the people involved in relevant aspects of risk management.
  • Foster an environment that supports collaboration and open dialogue.

The collaborative approach to risk management is a people-dependent process. First and foremost, risk management is about people,
the decisions that they make, and how well they work together daily.


Dennis Doody, CPA, is managing director, health care, Commonfund, Wilton, Conn., and a member of HFMA's New Jersey Chapter (

Publication Date: Thursday, January 01, 2009

Login Required

If you are an existing member, please log in below. Username and password are required.



Forgot User Name?
Forgot Password?

If you are not an HFMA member and would like to access portions of our content for 30 days, please fill out the following.

First Name:

Last Name:


   Become an HFMA member instead