Out of Chaos Comes Order — and Consequences

Illustration by II

Lessons on catastrophe from a veteran of Norges Bank and the University of California.

Not long ago — even though it feels like another era — just before the crisis, market indicators arguably screamed for our investment executives to take action. What did our chief investment officers and chief risk officers do about it? Were the hedges in place, were the continuity plans tested?

Then came the crash. Did they scoop up assets in fire sales back in March or just get lucky and follow the partial recovery back up? Did they perhaps just run and rerun their forecasting and risk models over and over again — which they had spent the last decade building, fine-tuning, and perfecting just for this “next big one” — but still not want to believe the output? Or did they ignore their analysts and the evidence that the bull run was about to end — that it was just a matter of what the trigger would be? It arrived as an invisible enemy: Covid-19, one of those remote-but-catastrophic scenarios on the likelihood-consequence matrix. The sort of thing risk managers and CIOs should have planned for.

Without some level of preparedness, they’d leave their staff leaderless and in distress, toiling unproductively for a significant period of time. But did they? The rigor and smarts of our large institutions, their leaders, and fund managers will dictate our collective financial recovery. How they planned and acted over the last few months was a real-life stress test, with the outcome of immense importance to pensioners, taxpayers, and the economy at large.



Back in 2003, I lived through SARS in Asia, witnessing firsthand what it did to the economy, particularly travel and hospitality. Local governments and hospitals were in distress. Everyone was trying to figure out how to handle that deadly outbreak — which was far smaller than the full-blown pandemic we’re living through now.

In 2008, post-Lehman Brothers’ collapse, I was part of the recovery operation and risk team at the renowned, now $1 trillion-plus sovereign fund Norges Bank Investment Management (NBIM) in Oslo. I have dug into 100 or more fund managers and investments of every stripe, as well as most major custody banks, brokers, and the myriad service providers required to make a multibillion- (or trillion-) dollar portfolio tick. I’ve reviewed every off-the-shelf trading platform and accounting system, along with countless custom concoctions and homebrewed hodgepodges. I also have worked closely with more than a handful of fund managers to get them up to that all-important bar of institutional quality. I led the operational risk and compliance efforts at the University of California’s $100 billion-plus investment office. On pandemics, I am no expert and don’t pretend to be. But a career in risk proves the value of having a plan, of preparation, and, when the crises hit, of keeping one’s head clear of the fog of war.

Here’s what I’ve learned.

Enterprise and Operational Risk

Know your processes, limitations, and providers’ weaknesses. Then do something about them. Back at NBIM, we started early on this, well before the Bernie Madoff scandal and the awakening it caused. Our initial focus with external fund managers was safeguarding our assets from ill intent, fraud, and misappropriation. Should we fail to keep the baddies out, we’d built a swift recovery response and a plan to deal with the inevitable reputational consequences. But in doing so, we quickly realized that having a well-oiled machine internally wasn’t enough. Our fund managers and counterparties needed to have them too.

At NBIM, we checked that these partners did what they said they’d do and invested properly in their people and systems. After all, the finance industry remains a people business. We were probably among the first of the large international institutions to require near real-time holdings and on-trade-day transaction data from all our external managers, regardless of their time zone or location. Now, more than a decade later, this is finally becoming industry best practice.

The main goal was transparency — offering our constituents a close-to-real-time valuation of the fund — and to avoid securities and issuers we weren’t supposed to hold. But we also hungered to know our exposures, all of the under- and overweights at any given time, so we could take appropriate actions quickly if need be. Achieving this was a main reason Norway’s fund emerged relatively unscathed from the 2008 financial crisis. Alongside being a long-term buyer, we could quickly turn around and buy big at very large discounts, recovering our losses quickly in the aftermath. To completely hedge a multi-asset and multi-hundred-billion-dollar fund is a science of its own, and hugely expensive to get wrong. But one thing is certain: Know what you own, or you’ll never make it out alive.

Have a centralized group. Drowning in risk assessments and creating a plethora of methodologies and structures is a perfect recipe for risk fatigue. For example, in one of the organizations I worked for, the risk identification and mapping was done by one of the Big Four accounting firms, but with limited internal ownership. After having spent hundreds of hours talking with all teams, mapping out all processes down to every last step, they were proud to present that they had found more than 4,000 risks, and now we should just go about solving them all. The to-do list included mitigating the risks of handing out misspelled business cards as well as — and with close to equal urgency — key process and system failures, pandemics, and global unrest. We should have focused on what truly mattered, stuck to the right level, and avoided all those unnecessary duplications. Instead, we ended up drowning in all the noise. The lack of clear accountability and structure was obvious, but back then, good off-the-shelf risk tools didn’t really exist. We had to scratch, regroup, and then redo the whole thing. We learned the hard way. The second time around, we formed a central dedicated group with the proper mandate to drive change alongside the capabilities and resources to do it. The outcome was quite different.

Be systematic. Enterprise risk management should center on a thorough and uniform rating/assessment methodology combined with a healthy business impact analysis. Why? Senior executives may not be thinking of all relevant risks or scenarios, since they typically stay out of the engine room and daily grind. Basing assessments on relationships and rank rather than objective criteria invites bias. This team must see the big picture of how groups, functions, and processes connect, and not become victim to, as the Swedish say, tomma tunnor skramlar mest (“empty vessels make the most noise”). Loud and uninformed people can tend to take the most space in a discussion.

Have the centralized group facilitate risk assessment sessions and establish and connect the many-to-many relationships between the different nodes (i.e., the risks, incidents, processes, and associated tasks). Nowadays, there is an abundance of pretty decent software that can help. Pick the one best suited for the job’s particulars, and with a user-friendly enough interface to be used properly.

Flex the operational due diligence with fund managers and vendors. A full article could be written on this topic alone, but I will address this in one paragraph. A strong and independent ODD team that runs full engine-room diagnostics, versus just kicking tires, is key to any value add. Do it well or don’t do it at all — as a fiduciary, your clients and constituents should expect nothing less. The ODD team needs to get involved early on and collaborate with the investment teams. At times, they could also be challenged to ensure that the investment, fund managers, or key providers get where they need to be prior to funding or agreements. The ODD team should also be obligated to bring home any lessons learned from the field, such as new systems and best practices that could benefit the home office. Vendor management — besides making sure contracts and service-level agreements are up to date and kept — should know their providers’ strengths and weaknesses, ensure that the providers are at the top of their game, and leverage them to the fullest extent, especially when facing disruption and other challenges.

Empower the CRO. Until recently, in many financial/investment organizations, the head of risk typically spent all or most of their time tinkering with risk models, allocation studies, and numbers. I strongly believe that the CRO should have a much wider obligation to own enterprise and operational risk — perhaps more closely resembling many other nonfinancial/traditional businesses where the CRO’s main focus is on preventing and preparing for things going wrong. To truly enable this, one needs to create an incentive to dare to pull the brake, and to establish a clear mandate to deploy the risk-reduction measures or hedges in time.

Consider having the operational due-diligence functions as well as business continuity under the CRO. That group or person should have a complete picture of the organization’s key systems, providers, and dependencies, as well as weaknesses and strengths. While the different subject-matter experts and process owners might be spread throughout the organization, the enterprise/operational risk management team will have a holistic view. They are the extended arm of the leadership in handling risks and mitigations, and setting the priorities thereof. Their separation, change mindset, and collaborative approach should help keep risk management from becoming yet another compliance function and instead make it a partner-level check on the rest — in particular, the COO’s side of the organization. Empowering the risk team and widening its duties also invites a diverse mix of quantitative and qualitative mindsets.

Business Continuity

Quantifying the resilience to business disruption and systems/process failures among external managers and key service providers is imperative. That analysis should tell you what service providers you are most dependent on. If they go down, know how much you’ll struggle. You need to ensure that they will continue to provide valuable data and specific services in a timely fashion despite disruption, which is often when you’ll most need it. Any provider/manager under review needs more than a plan collecting dust on a shelf. I want proof of an aspiration, dedication, and a mandate to actually mitigate risks and add resilience for a crisis.

You can’t plan for everything. Plan to communicate through anything. Without a solid communication plan, crisis-management and business-continuity plans are likely to fail, regardless of how well thought out they are. In the current crisis, we have been fortunate, at least to some degree, that we still have well-functioning power grids, internet, phone lines, and cellphone networks, and we have the luxury of technology that enables us to stay connected as teams and organizations. Technology providers have been able to scale their services exponentially and almost seamlessly for end users. It would look very different if one or more of these essential utilities/services were down even for a limited period of time due to, for example, earthquakes, hurricanes, or wildfires with large material devastation and chaos.

One cannot foresee or plan for every disruption or event in detail, especially how they will unfold or develop. Therefore, organizations need to be pragmatic and agile. Having a plan with their stated priorities, sets of communication tools, and approaches for different scenarios is a critical foundation, and the ability to flexibly adapt the plan is key. Plan elements can range from basic hotline/communication channels and call trees to “cold and warm” sites, satellite phones, and even radio and media broadcasting. First, consider your key vendors or providers: What do they have in place that you can leverage, and how can you send them or others instructions if the phone line, and therefore the good old fax, also are out? What does the SLA say, and when was the emergency protocol last updated? Vendor management may need to up the game with your providers. For example, if you are not SWIFT-enabled yourself, what about secure email or other emergency-instruction venues? Most banks and custodians have more or less elegant electronic solutions to perform transaction tasks.

Learn the hard and easy ways. Some of the best-prepared and most resilient investment managers I’ve reviewed have weathered a major storm together — sometimes literally. One East Coast manager, for example, was very open about the firm’s hardship during and after Hurricane Sandy, but they took it all to heart and saw it as a huge real-life learning opportunity, which resulted in their rebuilding large parts of their IT infrastructure and lifting their level of preparedness beyond most things I have seen. A Boston-based firm near the tragic marathon bombing lost electricity, data, connectivity, and hence the ability to trade. Again, the firm learned from it, and built a much stronger, decentralized setup with remote capabilities.

But the easy way to learn is from others’ hard lessons. Be proactive and fix things before they break under stress. Beyond testing and iterating on the plan, instill and nurture that learning mindset within your organization and have open discussions about failure: What worked and what didn’t? Most failures are not necessarily a bad thing. On the contrary, here what doesn’t kill you can make you stronger — but only if the struggles become new insights. From a due-diligence perspective, managers’ and vendors’ past failures can be viewed as assets in the form of resilience, stronger team dynamics, and experience.

Crisis reveals culture. Right now, as in any unstable moment, people will put up with anything to keep their jobs. But as soon as normalcy returns, and it always does, the leaders and companies that provided structure and transitioned smoothly through the crisis will come out stronger and with talent intact. From my perspective, these are opportunities to lead by example and to prove that you truly care about your people and their health and safety — not just their labor. The tone comes from the top. For example, pre-crisis, the management at a midsize investment firm wanted to foster internal transparency, better cross-level collaboration, and a sense of belonging. Instead of the typical open-door policy, management went all in with a no-doors policy. They removed their doors — hinges and all, no exceptions — to visually manifest what they wanted to achieve.

A crisis requires leaders to swiftly improvise and act resourcefully. Just getting communication going and gathering the troops can be a challenge of its own. In the very initial stages of an event, staff look for clear command-and-conquer leadership from the executives. There is no time for debate; the focus should be on minimizing damage or even loss of life. When the initial phase is over, clear direction remains key.

However, the style typically needs to shift when moving into the assessment and recovery phases. Prioritize emotional support and psychological safety. The typical micromanager can cause damage here — especially in remote-work settings, as people need to feel trusted to give their best.

Humans are social beings, and many feel depressed or even physically ill in isolation, so we need to prevent social recession. One way to heighten a sense of belonging and togetherness is to simply check in with employees regularly and make sure to provide time for authentic conversations. Set up agenda-free meetings and find out how people actually are doing in tragic and stressful circumstances.

My prediction is that humane and compassionate leaders and businesses will emerge from this crisis stronger, while the authoritarian or self-absorbed will fail long term, regardless of the strength of their balance sheets. Leaders need to make sure people feel engaged, motivated, and connected even in times of crisis. When crisis comes, we need a strategy for returning to our offices that is grounded in risk assessment and evidence, not fear.

Out of chaos comes order — and consequences.



Nic Winterstorm led operational risk and compliance at the University of California’s investment office and for a decade served in various senior roles at Norges Bank Investment Management. Most recently, he was the COO of a Silicon Valley fintech startup and the CCO and head of risk at a $90 billion California-based investment firm. Winterstorm is an MBA graduate, licensed stockbroker, and Stanford University scholar.