Archive for the ‘Enterprise Risk Management’ category

Why some think that there is No Need for Storm Shelters

May 22, 2013

The BBC featured a story about the dearth of storm shelters in the area hit last week by tornadoes.

Why so few storm shelters in Tornado Alley hotspot?

The story goes on to discuss the fact that Americans, especially in red states like Oklahoma, strongly prefer keeping the government out of the business of providing things like storm shelters, allowing that to be an individual option. It then reports that few individuals opt to spend their money on shelters.

The answer might well be in the numbers…

Below, from the National Oceanic and Atmospheric Administration (NOAA) is a list of the 25 deadliest tornadoes in US history:

1. Tri-State (MO, IL, IN) – March 18, 1925 – 695 deaths
2. Natchez, MS – May 6, 1840 – 317 deaths
3. St. Louis, MO – May 27, 1896 – 255 deaths
4. Tupelo, MS – April 5, 1936 – 216 deaths
5. Gainesville, GA – April 6, 1936 – 203 deaths
6. Woodward, OK – April 9, 1947 – 181 deaths
7. Joplin, MO – May 22, 2011 – 158 deaths
8. Amite, LA, Purvis, MS – April 24, 1908 – 143 deaths
9. New Richmond, WI – June 12, 1899 – 117 deaths
10. Flint, MI – June 8, 1953 – 116 deaths
11. Waco, TX – May 11, 1953 – 114 deaths
12. Goliad, TX – May 18, 1902 – 114 deaths
13. Omaha, NE – March 23, 1913 – 103 deaths
14. Mattoon, IL – May 26, 1917 – 101 deaths
15. Shinnston, WV – June 23, 1944 – 100 deaths
16. Marshfield, MO – April 18, 1880 – 99 deaths
17. Gainesville, GA – June 1, 1903 – 98 deaths
18. Poplar Bluff, MO – May 9, 1927 – 98 deaths
19. Snyder, OK – May 10, 1905 – 97 deaths
20. Comanche, IA & Albany, IL – June 3, 1860 – 92 deaths
21. Natchez, MS – April 24, 1908 – 91 deaths
22. Worcester, MA – June 9, 1953 – 90 deaths
23. Starkville, MS to Waco, AL – April 20, 1920 – 88 deaths
24. Lorain & Sandusky, OH – June 28, 1924 – 85 deaths
25. Udall, KS – May 25, 1955 – 80 deaths

Looks scary and impressively dangerous.  Until you look more carefully at the dates.  Most of those events are OLD.  In fact, if you look at this as a histogram, you see something interesting…

[Chart: Deadly Tornadoes]

You can see from this chart why there are few storm shelters. Between the 1890s and 1950s, there were at least two very deadly tornadoes per decade. Enough to keep people scared. But before the last week, there had not been a decade in over 50 years with any major events. 50 years is a long time to go between times when someone somewhere in the US needed a storm shelter to protect them from a very deadly storm.

This is not to say that there have not been storms in the past 50 years. The chart below from the Washington Post shows the losses from tornadoes for that same 50-year period, and the numbers are not small.

It is RISKVIEWS’ guess that in the face of smaller, less deadly but destructive storms, people are much more likely to attribute their own outcome to some innate talent that they have and the losers do not have.  Sort of like the folks who have had one or several good experiences at the slot machines who believe that they have a talent for gambling.

Another reason is that almost 45% of storm fatalities are folks who live in trailers. They often will not even have an option to build their own storm shelter. That is probably something that could be addressed by regulations regarding zoning of trailer parks.

Proper risk management can only be done in advance. The risk management second-guessing that is done after the fact helps to create a tremendous drag on society. We are forced into spending money to prevent recurrence of the last disaster, regardless of whether that expenditure makes any sense at all on the basis of frequency and severity of the potential adverse events.

We cannot see the future as clearly as we can see the past.  We can only prepare for some of the possible futures. 

The BBC article stands on the side of that discussion that looks back after the fact and finds fault with whoever did not properly see the future exactly as clearly as they are now able to see the past.

A simple recent example of this is the coverage of the Boston Marathon bombers. Much has been made of the fact that there were warnings about one or more members of the family before the event. But no one has chosen to mention how many others, who did not commit bombings, were the subject of similar or even much more dire warnings. It seems quite likely that the warnings about these people were dots in a stream of hundreds of thousands of similar warnings.

A Risk Register is the Siren Song of Risk Management

May 20, 2013

Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.

But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years. That is why the Risk Register is the siren song of Risk Management. No, not the siren that makes a loud noise for the Fire Department. The Sirens of Homer’s Odyssey.

The sirens’ song attracted sailors who, as they got closer to listen, crashed upon the rocks and died.

So with risk managers and risk registers. Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment. However, the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register. The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company. They try to find ways to entice others into the world of the risk register.

But real risk management requires only a simple list of risks, risk owners and risk mitigation activities.  This should never be maintained on spreadsheets in formats that can only be printed with 8 point type or never seen in total because there are just too many columns of important details.  Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.

Managing the process of

Adding cash or profits now while adding risk

-or-

reducing cash or profits now while decreasing risk

is real risk management.  

Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register.  Real risk management involves making difficult decisions and taking actions based upon those decisions.  Those decisions always involve a trade-off between cash or profits now and risk later.  Adding cash or profits now while adding risk later or reducing cash or profits now while decreasing risk later.  That is real risk management.

Learnings from the Superstorm

April 29, 2013

From the FSOC 2013 Annual Report with minor paraphrasing…

• Planning and testing: It is important that your company and all of your important counterparties, vendors, and sub contractees, fully understand the functionality of contingency systems, and that key operations and business personnel communicate efficiently to assure enterprise-wide clarity. Expanded testing exercises would enhance assurance of failover reliability. Such testing should involve all parties inside and outside your firm that you depend upon to continue functioning, and should also involve providers of essential services such as power, water, and telecommunications.

• Incident management: Protocols for assuring a timely decision on whether and when to close or open the company would benefit from review and streamlining by the responsible parties. Likewise, protocols for assuring timely decisions within the firm on whether and when to leverage back-up sites would benefit from continued regular testing. Furthermore, operational interdependencies need to be fully incorporated in the decision-making process.

• Personnel: The resilience of critical components of the company requires geographic dispersal of both electronic systems and personnel sufficient to enable an organization to operate despite the occurrence of a wide-scale disruption affecting the metropolitan or geographic area of the organization’s primary operations, including communities economically integrated with, adjacent to, or within normal commuting distance of the primary operations area. Organizations, including major firms, need to continuously and rigorously analyze their routine positioning and emergency repositioning of key management and staff. This is an ongoing requirement as technology, market structure, and institutions evolve rapidly. Developed business continuity plans should be implemented, and key staff should be sent to disaster recovery sites when there is advance notice of events.

• Dependencies: Cross-industry interdependencies require constant review, reassessment, and improvement by organizations to mitigate the impact of energy, power, transport, and communications failures during severe incidents, and to help ensure reliable redundancy.

FROM THE ERM SYMPOSIUM IN CHICAGO

April 28, 2013

Post to Financial Training

Posts to WillisWire:

Tweets:

  1. Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk

  2. What happened to last year’s discussion of a country CRO at the #ermsymposium?

  3. Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!

    Retweeted by SocietyofActuaries

  4. Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium

  5. Systemic risk decreases with transparency. #ermsymposium

  6. So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium

  7. Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

    1. Dave Ingram @dingramerm 23 Apr: Must look at risk measures in the context of your business model. C Lawrence #ermsymposium

    2. Need to invest in the future of risk profession. Mark Abbott #ermsymposium

    3. I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D

    4. Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 

    5. What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk

      Retweeted by Milliman, Inc.

    6. What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM

      Retweeted by Neil Cantle and 1 other

    7. Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 

    8. CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

  1. CRO needs to have a 360 degree view of risk. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram @dingramerm 24 Apr
  7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram @dingramerm 23 Apr
  8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram @dingramerm 23 Apr
  9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram @dingramerm 23 Apr
  10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram @dingramerm 23 Apr
  13. Biggest risks are when we choose not to know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  15. The ERM program needs to show success on the opportunity side of risk. J Kollar #ermsymposium Dave Ingram @dingramerm 23 Apr
  16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram @dingramerm 23 Apr
  18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  20. Get board involved asking the risk questions. This creates engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories.

Provisioning – Packing for your trip into the future

April 26, 2013

There are two levels of provisioning for an insurer: Reserves and Risk Capital. The two are intimately related. In fact, in some cases, insurers will spend more time and care in determining the correct number for the sum of the two, called Total Asset Requirement (TAR) by some.

Insurers need a realistic picture of future obligations long before the future is completely clear. This is a key part of the feedback mechanism. The results of the first year of business are the most important indication of business success for non-life insurance. That view of results depends largely upon the integrity of the reserve value. This feedback information affects performance evaluation, pricing for the next year, risk analysis, capital adequacy analysis and capital allocation.

The other part of provisioning is risk capital.  Insurers also need to hold capital for less likely swings in potential losses.  This risk capital is the buffer that provides for the payment of policyholder claims in a very high proportion of imagined circumstances.  The insurance marketplace, the rating agencies and insurance regulatory bodies all insist that the insurer holds a high buffer for this purpose.

In addition, many valuable insights into the insurance business can be gained from careful analysis of the data that is input to the provisioning process for both levels of provisioning.

However, reserves are most often set to be consistent with considerations. Swings between adequate and inadequate pricing are tightly linked to swings in reserves. When reserves are optimistically set, capital levels may reflect the same bias. This means that inadequate prices can ripple through to cause deferred recognition of actual claims costs as well as under-provisioning at both levels. This is more evidence that consideration is key to risk management.

There is often pressure for small and smooth changes to reserves and risk capital but information flows and analysis provide jumps in insights both as to expectations for emerging losses as well as in terms of methodologies for estimation of reserves and capital.  The business pressures may threaten to overwhelm the best analysis efforts here.  The analytical team that prepares the reserves and capital estimates needs to be aware of and be prepared for this eventuality.  One good way to prepare for this is to make sure that management and the board are fully aware of the weaknesses of the modeling approach and so are more prepared for the inevitable model corrections.

Insurers need to have a validation process to make sure that the sum of reserves and capital is an amount that provides the degree of security that is sought.  Modelers must allow for variations in risk environment as well as the impact of risk profile, financial security and risk management systems of the insurer in considering the risk capital amount.  Changes in any of those elements may cause abrupt shifts in the amount of capital needed.

The Total Asset Requirement should be determined without regard to where the reserves have been set so that risk capital level does not double up on redundancy or implicitly affirm inadequacy of reserves.

The capital determined through the Provisioning process will usually be the key element to the Risk Portfolio process. That means that accuracy in the subtotals within the models is just as important as the overall total. The common practice of tolerating offsetting inadequacies in the models may totally distort company strategic decision making.

This is one of the seven ERM Principles for Insurers.

Does Anyone Care about Risk Appetite?

April 24, 2013

RISKVIEWS got a private comment on the Risk Portfolio post. The comment can be summed up by the title above.

And if you think about the insights about ERM from the Plural Rationality discussion, you might echo that question.

FOUR STRATEGIES

If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find.

If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that are very similar to what you write already, to what you are comfortable with. You might fear that setting an appetite would improperly encourage folks to take more risk even if it does not really fit those very stringent criteria.

If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance.  How would you know what the opportunities will be in the future?  You might easily want to accept much more or much less.  You would think that it is a waste of time to worry about such an unknowable issue.

Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea.  They would say that you must have a risk appetite for your ERM program to have any meaning.  Many regulators have the same MANAGER risk attitude.  They agree with the fundamental idea of ERM, with the idea that risk managers are needed to assist insurance company managers, to assess risks and to make sure that the insurer does not take too much risk.  The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company.

And MANAGERS will do the best for the company when they manage the risks of the firm during times of moderate volatility. Then their choices of risks will likely perform just as their models will predict. However, in times when opportunities are best, the MANAGERS will doubtless hold the company back from the sort of gains in profitable business that the MAXIMIZERS will achieve in the companies that they run. And in times when the red ink is running all over, the MANAGERS will urge insufficient caution and will see larger losses than their models would indicate.

In the sort of uncertain times that we have lived with for 5 years now, the MANAGER’s models will not be able to adequately point the way either.  Results will languish or bounce unexpectedly.

But it is just not true that nobody cares about Risk Appetite.

ERM Control Cycle

April 20, 2013

[Figure: ERM Control Cycle]

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next come the steps of setting Considerations and Underwriting the risks. These steps are sometimes operated together and sometimes separately, usually depending upon the degree to which the risks are small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurers, policyholders, stockholders, bondholders, management, employees and communities to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that an insurer’s choice of which principles to emphasize is tightly linked with its view of the risk environment.


This is a part of the discussion of the seven ERM Principles for Insurers.

Risk Portfolio Management

April 18, 2013

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

Standard & Poor’s calls the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Portfolio Management process is nothing more or less than looking at the expected reward and loss potential for each major profit making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) flows from the Provisioning principle. EC is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk portfolio risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Portfolio Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Portfolio Risk Management usually fail to do so because they do not have a common measurement basis across all of their risks. The recent move of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Portfolio management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

Pitfalls of Risk Portfolio Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Portfolio Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Portfolio Management process.

Risk Portfolio Management is one of the Seven ERM Principles for Insurers

Future Uncertainty

April 16, 2013

Often called emerging risks. Going back to Knight’s definitions of Risk and Uncertainty, there is very little risk contained in these potential situations.  Emerging risks are often pure uncertainty.  Humans are good at finding patterns.  Emerging risks are breaks in patterns.

What to Do about Emerging Risks…

Emerging risks are defined by AM Best as “new or evolving risks that are difficult to manage because their identification, likelihood of occurrence, potential impacts, timing of occurrence or impact, or correlation with other risks, are highly uncertain.” An example from the past is asbestos; other current examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. Lloyd’s, a major sufferer from the former emerging risk of asbestos, takes emerging risks very seriously. They think of emerging risks as “an issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting”.

What do the rating agencies expect?

AM Best says that insurers need “sound risk management practices relative to its risk profile and considering the risks inherent in the liabilities it writes, the assets it acquires and the market(s) in which it operates, and takes into consideration new and emerging risks.” In 2013, Best has added a question asking insurers to identify emerging risks to the ERM section of the SRQ. Emerging Risks Management has been one of the five major pillars of the Standard & Poor’s Insurance ERM ratings criteria since 2006.

How do you identify emerging risks?

A recent report from the World Economic Forum, The Global Risks 2012 report, is based on a survey of 469 experts from industry, government, academia and civil society that examines 50 global risks. Those experts identified 8 of those 50 risks as having the most significance over the next 10 years:

  •   Chronic fiscal imbalances
  •   Cyber attacks
  •   Extreme volatility in energy and agriculture prices
  •   Food shortage crises
  •   Major systemic financial failure
  •   Rising greenhouse gas emissions
  •   Severe income disparity
  •   Water supply crises

This survey method for identifying or prioritizing risks is called the Delphi method and can be used by any insurer. Another popular method is called environmental scanning which includes simply reading and paying attention for unusual information about situations that could evolve into future major risks.

What can go wrong?

Many companies do not have any process to consider emerging risks.  At those firms, managers usually dismiss many possible emerging risks as impossible.  It may be the company culture to scoff at the sci fi thinking of the emerging risks process.  The process Taleb describes of finding ex post explanation for emerging Black Swan risks is often the undoing of careful plans to manage emerging risk.  In addition, lack of imagination causes some managers to conclude that the past worst case is the outer limit for future losses.

What can you do about emerging risks?

The objectives for emerging risks management are just the same as for other more well-known risks: to reduce the frequency and severity of future losses. The uncertain nature of emerging risks makes that much more difficult to do cost effectively. Insurers can use scenario testing to examine potential impact of emerging risks and to see what actions taken in advance of their emergence might lessen exposures to losses. This scenario testing can also help to identify what actions might lessen the impact of an unexpected loss event that comes from a very rapidly emerging risk. Finally, insurers seek to identify and track leading indicators of impending new risk emergence.

Reinsurance is one of the most effective ways to protect against emerging risks, second only to careful drafting of insurance contract terms and conditions.

Many of the largest insurers and reinsurers have developed very robust practices to identify and to prepare for emerging risks.  Other companies can learn from the insurers who practice emerging risk management and adapt the same processes to their emerging risks.

Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment. Emerging risks may appear abruptly or slowly and gradually, are difficult to identify, and may for some time represent an ill formed idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is fully known in advance. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. 
For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on the insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.

Identifying emerging risks

Emerging risks have not yet materialized or are not yet clearly defined and can appear abruptly or very slowly. Therefore, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit growth of exposure as the evidence becomes more and more certain. However, insurers practicing this discipline will need to be aware of the cost of false alarms.

Assessing their significance

Assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment— which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm. For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important. On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.

A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions. In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.

Define appropriate responses

Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through reinsurance (or retrocession) in case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging. When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity.  Planning access to liquidity is a basic part of emerging risk management.  Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.

Advance Warning Process

For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advance warning process. To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk.

Learn

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company will identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.  In addition, expect to get better at each step of the emerging risk process with time and experience.

But emerging risk management costs money.  And the costs that are most difficult to defend are the emerging risks that never emerge.  A good emerging risk process will have many more misses than hits.  Real emerged risks are rare.  A company that is really taking emerging risks seriously will be taking actions on occasion that cost money to perform and possibly include a reduction in the risks accepted and the attendant profits.  Management needs to have a tolerance for these costs.  But not too much tolerance.

This is one of the seven ERM Principles for Insurers

Getting Paid for Risk Taking

April 15, 2013

Consideration for accepting a risk needs to be at a level that will sustain the business and produce a return that is satisfactory to investors.

Investors usually want additional return for extra risk.  This is one of the most misunderstood ideas in investing.

“In an efficient market, investors realize above-average returns only by taking above-average risks.  Risky stocks have high returns, on average, and safe stocks do not.”

Baker, M. Bradley, B. Wurgler, J.  Benchmarks as Limits to Arbitrage: Understanding the Low-Volatility Anomaly

But their study found that stocks in the top quintile of trailing volatility had real return of -90% vs. a real return of 1000% for the stocks in the bottom quintile.

But the thinking is wrong.  Excess risk does not produce excess return.  The cause and effect are wrong in the conventional wisdom.  The original statement of this principle may have been

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
Alfred Marshall 1890 Principles of Economics

Marshall has it right. There are only “hopes” of great gains. There is no invisible hand that forces higher risks to return higher gains. Some of the higher risk investment choices are simply bad choices.

Insurers’ opportunity to make “great gains” out of “risks of great losses” is when they are determining what consideration, or price, they will require to accept a risk. Most insurers operate in competitive markets that are not completely efficient. Individual insurers do not usually set the price in the market, but there is a range of prices at which insurance is purchased in any time period. Certainly the process that an insurer uses to determine the price at which a risk becomes acceptable is a primary determinant in the profits of the insurer. If that price contains a sufficient load for the extreme risks that might threaten the existence of the insurer, then over time, the insurer has the ability to hold and maintain sufficient resources to survive some large loss situations.

One common goal conflict that leads to problems with pricing is the conflict between sales and profits. In insurance as in many businesses, it is quite easy to increase sales by lowering prices. In most businesses, it is very difficult to keep up that strategy for very long, as the lower profits or losses from inadequate prices are quickly realized. In insurance, the premiums are paid in advance, sometimes many years in advance of when the insurer must provide the promised insurance benefits. If provisioning is tilted towards the point of view that supports the consideration, the pricing deficiencies will not be apparent for years. So insurance is particularly susceptible to the tension between volume of business and margins for risk and profits, and since sales is a more fundamental need than profits, the margins often suffer.

As just mentioned, insurers simply do not know for certain what the actual cost of providing an insurance benefit will be. Not with the degree of certainty that businesses in other sectors can know their cost of goods sold. The appropriateness of pricing will often be validated in the market. Follow-the-leader pricing can lead a herd of insurers over the cliff. The whole sector can get pricing wrong for a time. Until, sometimes years later, the benefits are collected and their true cost is known.

“A decade of short sighted price slashing led to industry losses of nearly $3 billion last year.”  Wall Street Journal June 24, 2002

Pricing can also go wrong on an individual case level. The “Winner’s Curse” sends business to the insurer who most underimagines the riskiness of a particular risk.

There are two steps to reflecting risk in pricing.  The first step is to capture the expected loss properly.  Most of the discussion above relates to this step and the major part of pricing risk comes from the possibility of missing that step as has already been discussed.  But the second step is to appropriately reflect all aspects of the risk that the actual losses will be different from expected.  There are many ways that such deviations can manifest.

The following is a partial listing of the risks that might be examined:

• Type A Risk—Short-Term Volatility of cash flows in 1 year
• Type B Risk—Short-Term Tail Risk of cash flows in 1 year
• Type C Risk—Uncertainty Risk (also known as parameter risk)
• Type D Risk—Inexperience Risk relative to full multiple market cycles
• Type E Risk—Correlation to a top 10
• Type F Risk—Market value volatility in 1 year
• Type G Risk—Execution Risk regarding difficulty of controlling operational losses
• Type H Risk—Long-Term Volatility of cash flows over 5 or more years
• Type J Risk—Long-Term Tail Risk of cash flows over 5 years or more
• Type K Risk—Pricing Risk (cycle risk)
• Type L Risk—Market Liquidity Risk
• Type M Risk—Instability Risk regarding the degree that the risk parameters are stable

See “Risk and Light” or “The Law of Risk and Light”.

There are also many different ways that risk loads are specifically applied to insurance pricing.  Three examples are:

  • Capital Allocation – Capital is allocated to a product (based upon the provisioning) and the pricing then needs to reflect the cost of holding the capital.  The cost of holding capital may be calculated as the difference between the risk free rate (after tax) and the hurdle rate for the insurer.  Some firms alternately use the difference between the investment return on the assets backing surplus (after tax) and the hurdle rate.  This process assures that the pricing will support achieving the hurdle rate on the capital that the insurer needs to hold for the risks of the business.  It does not reflect any margin for the volatility in earnings that the risks assumed might create, nor does it necessarily include any recognition of parameter risk or general uncertainty.
  • Provision for Adverse Deviation – Each assumption is adjusted to provide for worse experience than the mean or median loss. The amount of stress may be at a predetermined confidence interval (such as 65%, 80% or 90%). Higher confidence intervals would be used for assumptions with a higher degree of parameter risk. Similarly, some companies use a multiple (or fraction) of the standard deviation of the loss distribution as the provision. More commonly, the degree of adversity is set based upon historical provisions or upon judgement of the person setting the price. Provision for Adverse Deviation usually does not reflect anything specific for extra risk of insolvency.
  • Risk Adjusted Profit Target – Using either or both of the above techniques, a profit target is determined and then that target is translated into a percentage of premium or assets to make for a simple risk charge when constructing a price indication.

The consequences of failing to recognize an aspect of risk in pricing will likely be that the firm will accumulate larger than expected concentrations of business with higher amounts of that risk aspect. See “Risk and Light” or “The Law of Risk and Light”.

To get Consideration right you need to (1) regularly get a second opinion on price adequacy either from the market or from a reliable experienced person; (2) constantly update your view of your risks in the light of emerging experience and market feedback; and (3) recognize that high sales is a possible market signal of underpricing.

This is one of the seven ERM Principles for Insurers

Underwriting of risks is a key part of risk management for insurers

April 9, 2013

Underwriting is the process of reviewing and selecting risks that an insurer might accept, under what terms, and assigning those an expected cost and level of riskiness.

  • Some underwriting processes are driven by statistics. A few insurers who developed a highly statistical approach to underwriting personal auto coverages have experienced a high degree of success. With a careful mining of the data from their own claims experience, these insurers have been able to carefully subdivide rating classes into many finer classes with reliable claims expectations at different levels. This allows them to concentrate their business on the better risks in each of the larger classes of their competitors while the competitors end up with a concentration of below average drivers in each larger class. This statistical underwriting process is becoming a required tool to survive in personal auto and is being copied in other insurance lines.
  • Many underwriting processes are highly reliant on judgment of an experienced underwriter.  Especially commercial business or other types of coverage where there is very little close commonality between one case and another.  Many insurers consider underwriting expertise to be their key corporate competency.
  • Usually the underwriting process concludes with a decision on whether to make an offer to accept a risk under certain terms and at a determined price.

How underwriting can go wrong:

  • Insurers are often asked to “give away the pen” and allow third parties to underwrite risks on their paper. Sometimes a very sad ending to this.
  • Statistical underwriting can spin out of control due to antiselection if not overseen by experienced people.  The bubble of US home mortgage securities can be seen as an extreme example of statistical underwriting gone bad.  Statistics from prior periods suggested that sub prime mortgages would default at a certain low rate.  Over time, the US mortgage market went from one with a high degree of underwriting of applicants by skilled and experienced reviewers to a process dictated by scores on credit reports and eventually the collection of data to perform underwriting stopped entirely with the no doc loans.  The theory was that the interest rate charged for the mortgages could be adjusted upwards to the point where extra interest collected could pay for the excess default claims from low credit borrowers.
  • Volume incentives can work against the primary goals of underwriting.
  • Insurance can be easily undone by underwriting decisions that are good risks, but much too large for the pool of other risks held by the insurer.

To get Underwriting right you need to:

  • Have a clear idea of the risks that you are willing to accept, your risk preferences.  And be clear that you are going to be saying NO to risks that are outside of those preferences.
  • Not let the pen get entirely out of the hand of an experienced underwriter that is trustable to make decisions in the interest of the firm, either to a computer or to a third party.
  • Oversight of underwriting decisions needs to be an expectation at all levels.  The primary objective of this oversight should be to continually perfect the underwriting process and knowledge base.
  • Underwriters need to be fully aware of the results of their prior decisions by regular communication with claims and reserving people.

This is one of the seven ERM Principles for Insurers

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.

By Julian Voss-Andreae (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are many possible reasons for poor results. Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped. Correlation is the most misunderstood statistic. Risk managers would do well to study and understand what valuable and reliable uses there are for correlation calculations. They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

Risk and Return – A Balancing Act

April 5, 2013

From Max Rudolph

There are similarities between value investing and enterprise risk management (ERM) methods. For some, especially portfolio managers, this may be obvious. These investors come to the table with experience using risk as a constraint while trying to optimize returns. Years of experience have taught this group that risk balances return, and that return balances risk. Value is added by creating favorable imbalances. The investor with high returns and average risk has succeeded, as has the investor reporting average returns and low risk.

Many concepts are shared between ERM and value investing. When defining risk, which is generally unique to the individual, an analyst considers uncertainty, downside risk, and optimization. Value investors look at concepts like conservative assumptions, margin of safety, and asset allocation. These concepts are comparable, and this paper uses the International Actuarial Association’s Note on enterprise risk management (ERM) for capital and solvency purposes in the insurance industry to take the reader through general ERM topics. This is followed by a comparable value investing discussion and a comparison of the two practice areas.

In some firms, a risk manager is placed in a position with little authority, limiting the benefits of ERM. A process driven ERM function can identify risks and risk owners, create a common language, and send useful reports to the Board. A stronger risk officer adds value by using transparency to understand risk interactions, scanning for emerging risks and generally keeping a focus on how an entity’s risk profile is evolving.

Continued in Value Investing and Enterprise Risk Management: Two Sides of the Same Coin

Has the risk profession become a spectator sport?

April 3, 2013

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers, held April 23 and 24.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

  • Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
  • For the most significant headlines during the past year, how was the risk management function involved?
  • Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
  • What are the lessons that have been learned and how are they shaping risk management today? If not, why?
  • Does risk management have a seat at the table, at the correct table?
  • Are risk managers as empowered as they should be?
  • Is risk management asking the right questions?
  • Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors. Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services. This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

  • Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understood the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
    • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
    • Unintended consequences may be lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
    • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
    • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
    • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
  • Actuarial Professional Risk Management  -  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
  • Enterprise Risk Management in Financial Intermediation  -  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions. It develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

What happens if there are no new posts?

April 1, 2013

There was no plan for March to be a test of no new posts.  But when it got into the 20s and there were no new posts, the experiment started to sound like a good idea.

So what happened?

  • 2000 Visitors
  • 3200 hits
  • Those totals exceed December, January and February, when there were 18 new posts
  • 160 different pages or posts were viewed
  • 1200 of the hits were to the Risk Management Quotes page and post
  • The most popular topical post was “Getting Started with a Risk Management career”

Some say “Less is More”.  In this case, None has been More.  What a surprise.

Two Fundamental Flaws of Solvency II

February 25, 2013

Many people in Europe have worked very hard for many years, attempting to perfect solvency oversight for insurers. The concepts underlying Solvency II are the best thinking about risk regulation that the world has ever seen.

However, there are two fundamental flaws that are drivers of the problems that Solvency II is having in getting to the point of actual implementation.

The first flaw is the targeted level of required capital.  When Solvency II was first imagined, banks seemed to be well run and well regulated.  And under that system banks were reporting returns in the high 20s.  Insurer returns rarely hit the perennial 15% target.  Banks tended to operate right at their level of regulatory required capital.  Insurers looked at that and suggested that the capital requirement for Solvency II should be at a level that the largest insurers would be comfortable operating at.  There was also a big push for a single set of books.  So with a solvency requirement at the level where a rational insurer would want to operate, that would mean that in addition to having only one set of books, there would only be one important capital target.  (For discussion of the flaw in the idea of “one number” management, see Risk and Light.)   But the problem with setting the required capital at that high a level is that it leaves no room for error or for disagreement.  (Disagreement is absolutely inevitable.  See Plural Rationalities.) The capital calculation needed to be just right.  A capital requirement that was at, say, 2/3 of the level a prudent company would want to operate at would leave room for errors and disagreements.  If for some risks the requirements were even 50% higher than what some would feel is the correct number, then companies could in fact live with that.  It would become known in the marketplace that companies that write that risk are likely to have tighter solvency margins, and everyone would be able to go about their business.  But with a target that is so very high, if some risk is set too high, then there would be firms who are forced to hold higher capital than makes sense in their minds for their risks.  That completely destroys the idea of management relying upon a model that is calibrated to what they believe is the wrong result.
It also encourages firms to find ways to get around the rules to only hold what they believe is the right level of capital.  What we are seeing now is the inevitable differences in opinions about riskiness of some activities.  The differences of opinion mean the difference between being in business and not for companies concentrated in those activities.  Or for being in those businesses or not for more diversified groups.  If the Solvency II target was set at, for instance, a 1 in 100 loss level, then there might be room for compromise that would allow that activity to continue for firms willing to run a little tight on solvency margin.

==========================================

The second flaw, which surprisingly has been raised only very recently, is the total lack of any cost benefit criteria for the process.  If further refinement of Solvency II could prevent one insolvency over a 10 year period, yet would cost other insurers $100 million in expenses and $1 billion in additional capital, is that a good trade-off?  This is the exact sort of thinking that Solvency II REQUIRES of insurers.  EIOPA ought to have a complex model of the insurance industry in Europe so that they can show the risk reward relationship of all of their rules.  What?  You say that is terribly difficult and complicated and would not provide reliable guidance?  EIOPA should live in the same world that they are requiring of insurers.  Without even a simple minded cost benefit requirement, anything can make it into Solvency II.  The exposure process allows questions to be raised about cost/benefit, but in many cases, that has not happened.  Besides, with no stated criteria for cost benefit, the question is ultimately solved by judgment.  So now we have insurers saying that they will withdraw from parts of the Solvency II process because they are too expensive.  Those insurers have not put forward objective criteria under which they reached that conclusion either.

It seems unlikely at this point that either of these flaws of Solvency II will be fixed.  A lower standard would seem to too many to be a retreat, a dilution of the power of Solvency II.  Imposing a risk reward or cost benefit rule would result in crazy inconsistencies between decisions made after the rule with those made before or else a very long wait as all of the parts of Solvency II are examined under such a rule.

So it is yet to be seen whether those faults will in the end be fatal.  Solvency II could be tied up in arguments until it is abandoned, it could limp into practice with very mixed support and then be pulled after a few years and enough unanticipated implementation issues, or it could soar for a long run of effective prudential oversight as its designers originally hoped.

I am sure that someone in London can quote you odds.

R E A C T

February 21, 2013

In 1986, two Canadian professors of management, MacCrimmon and Wehrung,  published a book titled Taking Risks. That book details the results of a survey that they did with over 600 business managers about their approach to risk.  Included in the book is their view of risk and risk management.  The risk management process is described with the REACT model:

  1. Recognize Risks
  2. Evaluate Risks
  3. Adjust Risks
  4. Choose Actions
  5. Track Outcomes

Their survey found that managers felt that they should be risk takers.  So all of their answers were probably shaded by an effort to fulfill that expectation. They also found that over 90% of managers were not satisfied to simply accept risks in the gambling model that game theory was based upon.  Almost all managers sought to adjust the risks that they might be exposed to.

Risk is seen by the authors to have three primary characteristics:

A.  Lack of Control

B.  Lack of Information

C.  Lack of Time

The adjustments to risk, step 3 above, were defined as efforts to increase control, increase information and/or to increase time.

It is dangerous to ignore the idea of conscious and systematic risk management.  It is almost as dangerous to become complacent about your risk management because you have developed a state of the art systematic risk management system.

Riskviews finds that ERM systems are usually like a deck of cards.  The different ERM systems all use essentially the same deck, but they shuffle the cards into different piles and construct new names for the piles.  In the end, there is nothing new or even different, just a rearrangement.

The REACT model is just a reshuffling of the same elements.  However, this was published in 1986, so they were not copying off the same deck that ERM consultants have been using for the past 15 years.  What this shows is that the ERM deck of practices is older than ERM.

And the suggestion that risk comes from Lack of Control, Information and/or Time is something to think about.  What their study goes on to show is that for the most part, when managers are faced with a problem situation, they usually seek to increase their information, their control and to seek more time.

What about you?  Do you seek time,  information, and control?  Of course you do.

 

Marking Risks to Market

February 19, 2013

If financial statements are set to mark to market, why aren’t they marking uninsured risks to market?
Under all accounting systems, a business that buys no fire insurance will show a better result than a similar company that is buying insurance. Except in the year when they have a claim. The market price for their risk is an insurance premium.  But for some reason, risk has never been treated in this way.

If risk was marked to market, then a firm that buys no insurance, or does not hedge a risk, would not report a gain; they would need to put aside an amount at least equal to the insurance premium. That amount could be put into a fund and released when they have an event that would have generated an insurance claim.

Of course, to be mathematically correct, they would need to make adjustments to the insurance premiums. One to remove the profit margin/risk charge in the premium and another to reflect the fact that they are in effect creating an insurance pool with one participant which appropriately replaces the risk charge.
An insurance pool with one participant? That doesn’t make any sense. But that is what a business that is not buying insurance is doing. What then would be the correct premium, not loaded for profits, for an insurance pool of one? The pool would have to bear the cost of holding capital (or a contingent capital facility) for the entire maximum claim amount to the extent that amount exceeds the reserves (or the amount in the pool).
So if the cost of capital is 3%, and the claims rate is 1%, then the mark to market cost would be about 400% of expected claims at first, declining as the fund builds up.
Pretty expensive. But that would make the financial statement make sense on a mark to market basis for risk.
This approach could be applied to unhedged risks as well. The mark to market accounting is actually much too lenient on hedgable risks that are unhedged. The MTM accounting in effect allows those companies to reflect the cost of hedging even if they are not hedging. In fact, when they do not hedge, they are self insuring and need to reflect a much higher cost as described above.

Not managing risk is expensive, particularly to investors.  Investors deserve appropriate information on risk.  The longstanding accounting paradigm that ignores risk gives investors the exact wrong information and needs to be immediately corrected.

One of the main reasons that risk management is not already completely embedded in all firms is that they can get away with this scam on their investors, supported by their accounting statement.

Risk needs to be accounted for properly, especially when it is not managed.

Spreadsheets are not the problem

February 18, 2013

The media have latched on to a story.

Microsoft’s Excel Might Be The Most Dangerous Software On The Planet

The culprit in the 2012 JP Morgan trading loss has been exposed.  Spreadsheets are to blame!

The only problem with this answer is that it is simply incorrect.  It is blaming the bad result on the last step in the process.  Like the announcers for a football game who blame the last play of the game for the outcome.  It really wasn’t missing that one last ditch scoring effort that made the difference.  It was how the two teams played the whole game.

And for situations like the JP Morgan trading loss, the spreadsheet was one of the last steps in the process.

But the fundamental problem was that they were allowing someone in the bank to take very large risks that no one could understand directly.  Risks for which no one had a rule of thumb to tell them that they were nearing a situation where, on any bad day, they could lose billions.

That is pretty fundamental to a risk taking business.  To understand your risks.  And if you have no idea whatsoever of how much risk that you are taking without running that position through a model, then you are in big trouble.

That does not mean that models shouldn’t be used to evaluate risk.  The problem is the need to use a model in the heat of battle, when there is no time to check for the kinds of mistakes that tripped up JP Morgan.  The models should be used in advance of going to market and rules of thumb, or heuristics for those who like the academic labels, need to be developed.

The model should be a tool for building understanding of the business, not as a substitute for understanding the business.

Humans have developed very powerful skills to work with heuristics over tens of thousands of years.  Models should feed into that capability, not be used to totally override it.

Chances are that the traders at JP Morgan did have heuristics for the risk and knew that they were arbitraging their own risk management process.  They may not have known why their gut told them that there was more risk than the model, but they are likely to have known that there was more risk there.

The risk managers are the ones who most need to have those heuristics.  And management needs to set down clear rules about the situations where the risk models are later found to be in error that protect the bank, rather than the traders’ bonuses.

No, spreadsheets are not the problem.

The problem is the idea that you can be in a business that neither top management nor risk management has any “feel” for.

Real Resilience is not what you think it is

January 30, 2013

There is confusion about the term Resilience.  To many people, it means the ability to withstand stress. To some people, the ultimate resilience comes from thick walls (or huge capital requirements).  The picture above is one of many thousands like it that shows the ultimate result of seeking resilience in a static manner.

The dictionary has something slightly different:

the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity.

But Holling, a prominent ecologist, suggests something much more robust.  He suggests that a resilient species will survive all of the stressors that attack it from its environment and thrive when conditions become benign.

“a major strategy selected is not one maximizing either efficiency or a particular reward, but one which allows persistence by maintaining flexibility above all else. A population responds to any environmental change by the initiation of a series of physiological, behavioral, ecological, and genetic changes that restore its ability to respond to subsequent unpredictable environmental changes. Variability over space and time results in variability in numbers, and with this variability the population can simultaneously retain genetic and behavioral types that can maintain their existence in low populations together with others that can capitalize on opportunities for dramatic increase. The more homogeneous the environment in space and time, the more likely is the system to have low fluctuations and low resilience.”  CS Holling, Resilience and Stability of Ecological Systems

Real resilience is ADAPTABILITY.  The ability to change your approach.  To find the way to survive the extreme adverse scenario without devoting so much resources to safety that you miss the chance to “capitalize on opportunities for dramatic increase” as Holling says.

Does your ERM program build walls, thicker and thicker, or does it build adaptability?

How many people in your organization do you think would know what to do in the event of an adverse situation that has never happened before?

But what is this adaptability?  In two studies in the late 1990s, researchers studied thousands of crisis situations and identified 8 dimensions of adaptability for individuals.  See study here.

Handling emergencies or crisis situations

Reacting with appropriate and proper urgency in life threatening, dangerous, or emergency situations; quickly analyzing options for dealing with danger or crises and their implications; making split-second decisions based on clear and focused thinking; maintaining emotional control and objectivity while keeping focused on the situation at hand; stepping up to take action and handle danger or emergencies as necessary and appropriate.

Handling work stress

Remaining composed and cool when faced with difficult circumstances or a highly demanding workload or schedule; not overreacting to unexpected news or situations; managing frustration well by directing effort to constructive solutions rather than blaming others; demonstrating resilience and the highest levels of professionalism in stressful circumstances; acting as a calming and settling influence to whom others look for guidance.

Solving problems creatively

Employing unique types of analyses and generating new, innovative ideas in complex areas; turning problems upside-down and inside-out to find fresh, new approaches; integrating seemingly unrelated information and developing creative solutions; entertaining wide-ranging possibilities others may miss, thinking outside the given parameters to see if there is a more effective approach; developing innovative methods of obtaining or using resources when insufficient resources are available to do the job.

Dealing with uncertain and unpredictable work situations

Taking effective action when necessary without having to know the total picture or have all the facts at hand; readily and easily changing gears in response to unpredictable or unexpected events and circumstances; effectively adjusting plans, goals, actions, or priorities to deal with changing situations; imposing structure for self and others that provide as much focus as possible in dynamic situations; not needing things to be black and white; refusing to be paralyzed by uncertainty or ambiguity.

Learning work tasks, technologies, and procedures

Demonstrating enthusiasm for learning new approaches and technologies for conducting work; doing what is necessary to keep knowledge and skills current; quickly and proficiently learning new methods or how to perform previously unlearned tasks; adjusting to new work processes and procedures; anticipating changes in the work demands and searching for and participating in assignments or training that will prepare self for these changes; taking action to improve work performance deficiencies.

Demonstrating interpersonal adaptability

Being flexible and open-minded when dealing with others; listening to and considering others’ viewpoints and opinions and altering own opinion when it is appropriate to do so; being open and accepting of negative or developmental feedback regarding work; working well and developing effective relationships with highly diverse personalities; demonstrating keen insight of others’ behavior and tailoring own behavior to persuade, influence, or work more effectively with them.

Demonstrating cultural adaptability

Taking action to learn about and understand the climate, orientation, needs, and values of other groups, organizations, or cultures; integrating well into and being comfortable with different values, customs, and cultures; willingly adjusting behavior or appearance as necessary to comply with or show respect for others’ values and customs; understanding the implications of one’s actions and adjusting approach to maintain positive relationships with other groups, organizations, or cultures.

Demonstrating physically oriented adaptability

Adjusting to challenging environmental states such as extreme heat, humidity, cold, or dirtiness; frequently pushing self physically to complete strenuous or demanding tasks; adjusting weight and muscular strength or becoming proficient in performing physical tasks as necessary for the job.

The questions that remain are:

Is adaptability of a company anything different from adaptability of the people in the company?

How does a company get adaptable people?  Are people born that way or can they be trained?

2012 Survey for Japanese Risk Managers

January 25, 2013

The following is an excerpt from the Executive Summary of the report:

Defining Risk Management within an Organization:

Results of the 2012 Survey for Japanese Risk Managers

by Kenji Fujii and Yuji Morimoto

This survey was conducted early this year by the Tokyo Risk Managers Association (TRMA) as a follow-up to the TRMA financial crisis questionnaire in 2009. 

Following is the summary of what we learned from the survey result.

  • First of all, the involvement of senior management in risk management has increased.
  • On the other hand, there were many responses stating that effective discussions at Risk Management Committee meetings had not progressed very much; that the status and authority of Chief Risk Officers (CRO) had not been strengthened very much; and that sufficient resources are still not being allocated to Risk Management Divisions. These responses suggest that although senior management are expressing an increased interest in risk management, this interest does not necessarily tie into concrete reinforcements.
  • Regarding the risk appetite, more than half of respondents were of the opinion that risk should be used as a standard when creating business plans, but at the same time, it became clear that this approach has not penetrated or become entrenched as part of actual operations.
  • Regarding capital management, two opinions were at odds; the opinion that regulatory capital and economic capital are approaching one another, and the opinion that they are drifting apart. Responses also indicated continued struggles with regard to the structure of approaches and frameworks regarding capital management, and a greater number of respondents expressed the opinion that there is meaning in creating recovery and resolution plans.
  • Regarding stress tests, there were indications that integrated stress tests are being employed more broadly, and it appears that reports to management on test results have already become commonplace. The issue raised most frequently with regard to stress tests was “establishing appropriate scenarios.”
  • Although many respondents indicated that liquidity risk management has improved, these opinions were not yet in the majority. There were also conflicting opinions regarding whether or not the strengthening of liquidity risk regulations reduced liquidity risks.
  • Regarding risk data, although many respondents said that there have been improvements, it became clear that many members are concerned about the fact that this data continues to be stored in various systems in a scattered fashion.

The entire paper is available here.

Five components of resilience – robustness, redundancy, resourcefulness, response and recovery

January 24, 2013

Adapted from the WEF Global Risks 2013 Report  (Minimal editing to focus discussion on “an organization” rather than “a country”)

Resilience Characteristics (Robustness, Redundancy and Resourcefulness)

The following three components of resilience are used to describe an organization’s state of resilience. These components should be designed into a system and, as such, will enable assessments of an organization’s inherent resilience capabilities.  

A. Robustness

Robustness incorporates the concept of reliability and refers to the ability to absorb and withstand disturbances and crises. The assumptions underlying this component of resilience are that: 1) if fail-safes and firewalls are designed into an organization’s critical networks, and 2) if that organization’s decision-making chains of command become more modular in response to changing circumstances, then potential damage to one part of an organization is less likely to spread far and wide.

Example of Attributes

– Monitoring system health: Regularly monitoring and assessing the quality of the subsystem ensures its reliability.

– Modularity: Mechanisms designed to prevent unexpected shocks in one part of a system from spreading to other parts of a system can localize their impact, as happened with the contagion from investment banking to retail banking during the 2007-2008 financial crisis.

– Adaptive decision-making models: Networked managerial structures can allow an organization to become more or less centralized depending on circumstances, such as when branch offices of the Japanese retailer Lawson’s continued operating through the serious disruptions of the Great East Japan Earthquake in 2011.  These measures can include having in place the right investment and incentive structures to overcome competing interests.

B. Redundancy

Redundancy involves having excess capacity and back-up systems, which enable the maintenance of core functionality in the event of disturbances.  This component assumes that an organization will be less likely to experience a collapse in the wake of stresses or failures of some of its infrastructure, if the design of that organization’s critical infrastructure and institutions incorporates a diversity of overlapping methods, policies, strategies or services to accomplish objects and fulfill purposes.

Examples of Attributes

– Redundancy of critical infrastructure: Designing replication of modules which are not strictly necessary to maintaining core function day to day, but are necessary to maintaining core function in the event of crises.

– Diversity of solutions and strategy: Promoting diversity of mechanisms for a given function. Balancing diversity with efficiency and redundancy will enable organizations to cope and adapt better than those that have none.

C. Resourcefulness

Resourcefulness means the ability to adapt to crises, respond flexibly and – when possible – transform a negative impact into a positive.  For a system to be adaptive means that it has inherent flexibility, which is crucial to enabling the ability to influence resilience.  The assumption underlying this component of resilience is that if organizations can build trust within their networks of suppliers, employees and customers and are able to self-organize, then they are more likely to spontaneously react and discover solutions to resolve unanticipated challenges when larger industry and community institutions and governance systems are challenged or fail.

Example of Attributes

– Capacity for self-organization: This includes factors such as the extent of social and human capital, the relationship between social networks and organizational structures, and the existence of institutions that enable face-to-face networking. These factors are critical in circumstances such as failures of government institutions when organizations need to self-organize and continue to obtain essential services.

– Creativity and innovation: The ability to innovate is linked to the availability of spare resources and the rigidity of boundaries between disciplines, departments and social groups within the organization.

Resilience Performance (Response and Recovery)

These two components of resilience describe how a system performs in the event of crises. They provide evidence of resilience when actual crises occur.  Response and recovery are dependent on risk, event and time. These components will provide the ability to compare systems and feed the measurements and results to calibrate the resilience characteristics.

D. Response

Response means the ability to mobilize quickly in the face of crises. This component of resilience assesses whether an organization has good methods for gathering relevant information from all parts of society and communicating the relevant data and information to others, as well as the ability for decision makers to recognize emerging issues quickly.

Example of Attributes

– Communication: Effective communication and trust in the information conveyed increase the likelihood that, in the event of a crisis, stakeholders are able to disseminate and share information quickly, and to ensure cooperation and quick response from the audience.

– Inclusive participation: Inclusive participation among all stakeholders can build a shared understanding of the issues underpinning crises and acute risks to the organization, reduce the possibility of important interdependencies being overlooked, and strengthen trust among participants.

E. Recovery

Recovery means the ability to regain a degree of normality after a crisis or event, including the ability of a system to be flexible and adaptable and to evolve to deal with the new or changed circumstances after the manifestation of a risk.  This component of resilience assesses the organization’s capacities and strategies for feeding information throughout the organization, and the ability for decision-makers to take action to adapt to changing circumstances and incorporate new situations into business strategies.

Example of Attributes

– Active “horizon scanning”: Critical to this attribute are multi-stakeholder processes tasked with uncovering gaps in existing knowledge and commissioning research to fill those gaps.

– Responsive feedback mechanisms: Systems to translate new information from horizon-scanning activities into action – for example, defining “automatic policy adjustments triggers” – can clarify circumstances in which policies must be reassessed.

As an example of the overlapping and complementary nature of these attributes, inclusive participation is listed as a key attribute of response, but it is also vital in other areas such as recovery and resourcefulness. Also inherent in all resilience characteristics, though referenced above only in the attribute of adaptive decision-making models, are investment and incentive structures and design requirements to overcome collective action problems and competing interests. There are many individual stakeholders who would benefit from greater shared resilience but currently lack either the incentive or feel too pressed for time and resources to take the necessary actions.

Diversification of Risks

January 22, 2013

There are records showing that the power of diversification of risks was known to the ancients.  Investors who financed trading ships clearly favored taking fractions of a number of ships to owning all of a single ship.

The benefits of diversification are clear.  The math is highly compelling.  A portfolio of n risks of the same size A that are truly independent has a volatility that is a fraction of the volatility of totally dependent risks.

Here is a simple example.  There is a 1 in 200 chance that a house will be totally destroyed by fire.  Company A writes an insurance policy on one $500,000 house that would pay for replacement in the event of a total loss.  That means that company A has a 1 in 200 chance of paying a $500,000 claim.  Company B decides to write insurance that pays a maximum of $50,000 in the event of a total loss.  How many policies do you think that Company B needs to write to have a 1 in 200 chance of paying $500,000 of claims if the risks are all totally independent and exactly as prone to claims as the $500k house?

The answer is an amazing 900 policies or 90 times as much insurance!

When an insurer is able to write insurance on independent risks, then with each additional risk, the relative volatility of the book of insurance decreases.  Optimal diversification occurs when the independent risks are all of the same size.  For insurers, the market is competitive enough that the company writing the 900 policies is not able to get a profit margin that is proportionate to the individual risks.  The laws of microeconomics work in insurance to drive the profit margins down to a level that is at or below the level that makes sense for the actual risk retained.  This provides the most compelling argument about the price of insurance for consumers: they are getting most of the benefit of diversification through the competitive mechanism described above.  Because of this, things are even worse for the first insurer with the one policy.  To the extent that there is a competitive market for insurance for that one $500k house, that insurer will only be able to get a profit margin that is commensurate with the risk of a diversified portfolio of risks.

It is curious to note that in many situations, both insurers and individuals do not diversify.  RISKVIEWS would suggest that may be explained by imagining that they either forget about diversification when making single decisions (they are acting irrationally), or that they are acting rationally and believe that the returns for the concentrated risk that they undertake are sufficiently large to justify the added risk.

The table below shows the degree to which individuals in various large companies are acting against the principle of diversification.

[Image: concentration]

From a diversification point of view, the P&G folks above are mostly like the insurer above that writes the one $500k policy.  They may believe that P&G is less risky than a diversified portfolio of stocks.  Unlike the insurer, where the constraint on the amount of business that they can write is the 1/200 loss potential, the investor in this case is constrained by the amount of funds to be invested.  So if a $500k 401k account with P&G stock has a likelihood of losing 100% of value of 1/200, then a portfolio of 20 $25k positions in similarly risky companies would have a likelihood of losing 15% of value of 1/1000.  Larger losses would have much lower likelihood.

With that kind of math in its favor, it is hard to imagine that the holdings in employer stock in the 401ks represent a rational estimation of higher returns, especially not on a risk adjusted basis.

People must just not be at all aware of how diversification benefits them.

Or, there is another explanation, in the case of stock investments.  It can be most easily framed in Capital Asset Pricing Theory (CAPM) terms.  CAPM suggests that stock market returns can be represented by a market or systematic component (beta) and a company specific component (alpha).  Most stocks have a significantly positive beta.  In work that RISKVIEWS has done replicating mutual fund portfolios with market index portfolios, it is not uncommon for a mutual fund's returns to be 90% explained by total market returns.  People may be of the opinion that since the index represents the fund, everything is highly correlated to the index and therefore not really independent.

The simplest way to refute that thought is to show the variety of returns that can be found in the returns of the stocks in the major sectors:

[Image: Sectors]

The S&P 500 return for 2012 was 16%.  Clearly, all sectors do not have returns that are closely related to the index, either in 2012 or for any other period shown here.

Both insurance companies and investors can have a large number of different risks but not be as well diversified as they would think.  That is because of the statement above that optimal diversification results when all risks are equal.  Investors like the 401k participants with half or more of their portfolio in one stock may have the other half of their money in a diversified mutual fund.  But the large size of the single position is difficult to overcome.  The same thing happens to insurers who are tempted to write just one, or a few risks that are much larger than their usual business.  The diversification benefit of their large portfolio of smaller risks disappears quickly when they add just a few much larger risks.
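The volatility arithmetic behind this post, as an added Python example (not code from the original post): it computes the relative volatility of a book of independent risks, the policy count for the $50,000 question at the 1-in-200 level, and the "effective number" of equal-sized risks once a few large positions are added. The normal approximation to the claim count, the function names and the sample portfolios are assumptions constructed for illustration.

```python
import math
from statistics import NormalDist

P_LOSS = 1 / 200  # the post's 1-in-200 chance of a total loss on each risk


def relative_volatility(sizes, p=P_LOSS):
    """Standard deviation of total loss divided by expected total loss,
    for independent risks that each lose their full size with probability p."""
    mean = p * sum(sizes)
    sd = math.sqrt(p * (1 - p) * sum(s * s for s in sizes))
    return sd / mean


def effective_risk_count(sizes):
    """Number of equal-sized independent risks that would give the same
    relative volatility: (sum of sizes)^2 / (sum of squared sizes)."""
    total = sum(sizes)
    return total * total / sum(s * s for s in sizes)


def loss_quantile_normal(n, size, p=P_LOSS, level=0.995):
    """Approximate `level` quantile of total claims on n equal policies.
    Assumption: the claim count is treated as normally distributed."""
    z = NormalDist().inv_cdf(level)
    return size * (n * p + z * math.sqrt(n * p * (1 - p)))


def policies_for_quantile(target, size, p=P_LOSS, level=0.995):
    """Smallest n whose approximate `level` quantile of claims reaches target."""
    n = 1
    while loss_quantile_normal(n, size, p, level) < target:
        n += 1
    return n


if __name__ == "__main__":
    # Company A: one $500k house.  Company B: many $50k policies.
    one_house = [500_000]
    n_b = policies_for_quantile(500_000, 50_000)
    book_b = [50_000] * 900
    print("policies needed (normal approx.):", n_b)
    print("relative volatility, 1 policy   :", round(relative_volatility(one_house), 2))
    print("relative volatility, 900 policies:", round(relative_volatility(book_b), 2))

    # Constructed portfolios: a few large risks added to a diversified book.
    for big in (0, 3, 9):
        book = book_b + [500_000] * big
        print(f"900 x $50k + {big} x $500k -> effective risks:",
              round(effective_risk_count(book), 1))

    # Constructed 401k: half in one stock, half spread over 100 positions.
    account = [250_000] + [2_500] * 100
    print("401k with 50% in one stock -> effective risks:",
          round(effective_risk_count(account), 2))
```

The effective count falls from 900 to about 721 with three large risks and to about 545 with nine, and the 401k with 101 holdings behaves like fewer than four equal positions.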

Diversification is the universal power tool of risk management.  But like any other tool, it must be used properly to be effective.

This is one of the seven ERM Principles for Insurers

2012 in RISKVIEWS

December 30, 2012

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 42,000 views in 2012. If each view were a film, this blog would power 10 Film Festivals


An ERM Carol

December 22, 2012

You awake with a start.  There is an eerie presence in your bedroom.  A voice says “Come with me!”

You see yourself, many years ago, starting out in your career.  With an interest in risk, you feel lucky that you were able to land a position in an insurance company.  You are encouraged when you hear your boss say “it’s all about risk and reward”.  But it didn’t take you too long to find out that while there were daily, weekly, monthly, quarterly, annual and special reports about the rewards that the company was experiencing, there was not one single report about risk.  You confront your manager about this and he tells you that “risk isn’t something that you measure, it is in your gut.  You just know when something is risky.”  He advised that once you were more experienced, you too would be able to tell when something was risky or not.

You drift back to sleep when a second voice calls you to “Behold!”  You see yourself as a manager in an insurance company:

You are being told that risk is very important. Your company takes risk management very seriously. Several years ago, the company spent millions to build a state of the art Economic Capital Model.  Now, all plans and all performance are viewed in terms of the amount of risk associated with each and every activity.  And you hate the whole thing!

To you, this has become a technocratic nightmare.  Your performance is judged by a computer using an algorithm that seems to be spewing forth somewhat random values.  It seems like your promotions and bonuses are being determined by a slot machine, but a slot machine with no window to see what is happening inside.

The high priests of risk operate the model.  But they are too busy to actually explain what is going on in a manner that could help the business.

So if somehow, you are lucky enough to get to the top, that will be the last day for that complex risk model.

And you pull the covers up over your head.  This is too much like a workday.  You need your sleep.  But before long, a third voice wakes you again.   “This way…”

You are on the hot seat.  The board wants to know how the company was able to get into such a problem.  Didn’t you see that there were such enormous build ups of exposures to that risky indoor snow experience sector?  The frostbite claims were double what they were last year.  Dividends will have to be eliminated.  And we probably need to turn down the corporate air conditioners.  No longer could the offices be kept at a tolerable 31 degrees.  Next summer would be unbearable.  Your only defense is that your gut told you that there was little risk and big rewards in the indoor snow business.  But that is not how it went.  They end the meeting by letting you go.  The inglorious end to your career as a risk manager. 

You wake up shouting that it was not your fault.  And you see the light coming in the window.  You turn on the TV to find that all this happened in one night.  You get dressed and go back into the office.  You are finishing up your staff meeting and you direct your attention to your risk management staff.

Starting today, I want you to spend more of your time making your models more transparent and the findings more actionable.  I am tired of risk being something that comes at us after the fact to tell us that something was wrong.  We need to focus on leading indicators that all of the managers can use in real time to manage the business.  You can still use that fancy model that you all so love, but I only want to hear about the model when it actually explains something about the business that I can use next quarter to do a better job of managing my risk and reward.

And with that, we ended the meeting and all went to our holiday party.  Next year will be interesting…..

Does your Risk Management Program have a Personality?

December 19, 2012

Many people are familiar with the Myers-Briggs Personality Type Indicator.  It is widely used by businesses.  What a shocker to read in the Washington Post last week that psychologists are not particularly fond of it.

The Myers-Briggs Personality types were developed directly from the work of Carl Jung, who is not highly regarded by modern psychologists according to the Washington Post story.

Psychologists have their own personality types.  The chart below is from The Personal Growth Library, and is called the Five Factor Model.

[Image: Personality]

You may be able to find options here that would align with your ERM program.

Stability – You may seek Resilience, and settle for Responsiveness. 

Originality – You may want to be an Explorer, but much more likely, your ERM program is a Preserver.

Accommodation – Your goal is to be a Challenger, you end up a Negotiator. 

Consolidation – You should be able to achieve a Focused ERM program, but pressures of business and the never ending crises force you to be Flexible much too often. 

That seems to provide some valuable introspection. 

Next you need to look at the overall enterprise personality.  Many successful companies will have a personality that is very different from the choices that you want to steer towards as the risk manager for your program.  You should check it out and see.

If there is an actual alignment between your overall organization’s personality and the personality that you aspire to for your ERM program, then you will be running downhill to get that development accomplished.

What does that mean when the personality that you want for your ERM program is almost totally different from the personality of your organization?  It means that you will be pulled constantly towards the corporate personality and away from what you believe to be the most effective ERM personality.  You then have to choose whether to run your ERM program as a bunch of outsiders.  You then will need to form a tight knit support group for your outsiders.  And make sure that you watch the movie Seven Samurai or The Magnificent Seven.

Or you can rethink the idea you have of ERM.  Think of a version of ERM that will fit with the personality of your company.  Take a look at The Fabric of ERM for some ideas.  Along with the rest of the Plural Rationality materials.

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  Firms need to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

During a Crisis – A Lesson from Fire Fighters

December 10, 2012


The fire cycle: “The action-cycle of a fire from birth to death follows a certain pattern.  The fire itself may vary in proportion from insignificance to conflagration, but regardless of its proportions, origin, propagation or rate of progression, the cycle or pattern of controlling it includes these phases:

1. the period between discovery and the transmittal of the alarm or alerting of the fire forces;

2. the period between receipt of alarm by the fire service and arrival of firemen at the scene of the fire; and, finally,

3. the period between arrival on the fire ground and final extinguishment of the fire itself.”

It is important to fire fighting to make sure that the right things happen during each phase and that each step takes as little time as possible.  For the first phase, that means having fire detection equipment in place and working properly that produces a signal that will be noticed and conveyed to the fire forces.  In the second phase, the fire fighters need to be organized to respond appropriately to the alarm.  And the third phase includes the process of diagnosing the situation and taking the necessary steps to put out the fire.

That is a good process model for risk managers to contemplate.  Ask yourself and your staff:

  1. This is about the attitude and preparedness of company staff to accept that there may be a problem.  How long will it be before we know when an actual crisis hits the company?  How do our alarms work?  Are they all in functioning order?  Or will those closest to the problems delay notifying you of a potential problem?  Sometimes with fires and company crises, an alarm sounds and it is immediately turned off.  The presumption is that everything is normal and the alarm must be malfunctioning.  Or perhaps that the alarm is correct, but that it is calibrated to be too sensitive and there is not a significant problem.  As risk manager, you should urge everyone to err on the side of reporting every possible situation.  Better to have some extra responses than to have events, like fires, rage completely out of control before calling for help.
  2. This is about the preparedness of risk management staff to begin to respond to a crisis.  One problem that many risk management programs face is that their main task seems to be measuring and reporting risk positions.  If that is what people believe is their primary function, then the risk management function will not attract any action oriented people.  If that is the case in your firm, then you as risk manager need to determine who are the best people to recruit as responders and build a rapport with them in advance of the next crisis so that when it happens, you can mobilize their help.  If the risk staff is all people who excel at measuring, then you also need to define their roles in an emergency – and have them practice those roles.   No matter what, you do not want to find out who will freeze in a crisis during the first major crisis of your tenure.  And freezing (rather than panic) is by far the most common reaction.  You need to find those few people whose reaction to a crisis is to go into a totally focused, active survival mode.
  3. This is about being able to properly diagnose a crisis and to execute the needed actions.  Fire Fighters need to determine the source of the blaze, wind conditions, evacuation status and many other things to make their plan for fighting the fire.  They usually need to form that plan quickly, mobilize and execute the plan effectively, making both the planned actions and the unplanned modifications happen as well as can be done.  Risk managers need to perform similar steps.  They need to understand the source of the problem, the conditions around the problem that are outside of the firm and the continuing involvement of company employees, customers and others.  While risk managers usually do not have to form their plan in minutes as fire fighters must, they do have to do so quickly.  Especially when there are reputational issues involved, swift and sure initial actions can make the world of difference.  And execution is key.  Getting this right means that the risk manager needs to know in advance of a crisis, what sorts of actions can be taken in a crisis and that the company staff has the ability to execute.  There is no sense planning to take actions that require the physical prowess of Navy SEALs if your staff are a bunch of ordinary office workers.  And recognizing the limitations of the rest of the world is important also.  If your crisis affects many others, they may not be able to provide the help from outside that you may have planned on.  If the crisis is unique to you, you need to recognize that some will question getting involved in something that they do not understand but that may create large risks for their organizations.

 

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and the like.  When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered.  But when the threat actually happens, there are four possible responses:  cooperation with disaster plan, becoming immobilized and ignoring the disaster, panic and anti-social advantage taking.  Disaster planning sometimes goes no further than developing a path for people with the first response.  A full disaster plan would need to take into account all four reactions.  Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social.  In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon.  For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation.  Or else a new source of large losses emerges from an existing area of coverage.  Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980s when money market funds threatened to suck all of the money out of insurers, or in the 1990s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process.  There may be different teams doing risk assessment, risk mitigation and assurance, for each separate threat.  This can only make sense when the rewards for taking these risks are large because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  But taking up new activities with other unique threats is less of a problem under this mode.  Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions.  At the extreme of low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

Tug of War Between Intertwined Roles

December 3, 2012


A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

More than Just Words

December 1, 2012

“We believe that effective risk management is critical to the success of our business and is the responsibility of all of our employees. All of our employees are risk managers. Employees are expected and encouraged to escalate incidents and any matters of concern to management and to our compliance and risk departments in order to effectively manage risk. Consequently, we have established — and continue to evolve and improve — a global enterprise wide risk management framework that is intended to manage all aspects of our risks.”

This is from a 10-k.  Sounds like a great declaration of risk management.  And this is about the clearest example of why much more than just words are needed for risk management.

These words are from the 2011 10-K of MF Global.

Knowing and Thinking must be linked to Doing

November 26, 2012

“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”

Too few risk managers are actually empowered to DO anything.  Human nature steps in, which leads these disempowered risk managers to elevate the importance of the things that they are empowered to do.  Knowing and Thinking are two of those things.

It is of course important to KNOW your risks and the possible paths to loss that go with each risk as well as the current status of your exposures.  Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about their risks that they can necessarily be counted on to react.  But that is often an unstated and unrequired assumption.  Perhaps regulators shy away from going any further in their prescriptions because of lack of authority.

Risk Management systems, such as ISO 31000, build up a massive infrastructure of steps that are required to support the KNOWing objective.  A risk manager applying ISO 31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.

Nason is right to suggest that THINKing is a step further.  But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.

The risk manager who wants to be effective must start with the end in mind (see Covey).  DOing must be the purpose of a risk management system.  A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.

Is this just MATH that you do to make yourself feel better?

November 19, 2012

Megyn Kelly asked that of Karl Rove on Fox TV on election night about his prediction of Ohio voting.

But does most risk analysis fall into this category as well?

How many companies funded the development of economic capital models with the express interest in achieving lower capital requirements?  How many of those companies encouraged the use of “MATH that you do to make yourself feel better”?  MTYDTMYFB

Model validation is now one of the hot topics in Risk model land.  Why? Is it because modelers stopped checking when they got the answer that was wanted, rather than working at it until they got it right?  If the latter was the answer, then there would be zero additional work to do to validate a model.  That validation work would already be done.  MTYDTMYFB

The Use Test is quite a challenge for many.  The first part of the challenge is to produce an example of a situation where they did modeling of a major risk decision before that decision was finalized.  Or are the models only brought into play after all of the decisions are made?  MTYDTMYFB

There are many other examples of MTYDTMYFB.   Many years ago when computers were relatively new and dot matrix printers were the sign of high tech, it was possible to write a program to print out a table of numbers that had been developed somewhere else.  The fact that they appeared on 11 x 14 computer paper from a dot matrix printer gave those numbers a sheen of credibility.  Some managers were willing to believe then that computers were infallible.

But in fact, computers, and math, are about as infallible as gravity and about as selective.  Gravity will be a big help if you need to get something from a higher place to a lower place.  But it will be quite a hindrance if you need to do the opposite.  Math and computers are quite good at some things, like analyzing large amounts of data and finding patterns that may or may not really exist.

Math and computers need to be used with judgement, skepticism and experience.  Especially when approaching the topic of risk.

Statistics works like gravity helping you take things downhill when you are seeking to estimate the most likely value of some uncertain event.  That is because each additional piece of data helps you to home in on the average of the distribution of possibilities.  Your confidence in your prediction of the most likely value should improve.

But when you are looking at risk, you are usually looking for an estimate for extremely unlikely adverse results.  The principles of statistics are just like the effect of gravity on moving heavy things uphill.  They work against you.

Take correlation, for example.  The chart above can be easily reproduced by anyone with a spreadsheet program.  RISKVIEWS simply created two columns of random numbers that each contained 1000 numbers.  The correlation of these two series for all 1000 numbers is zero to several decimal places.  This chart is created by measuring the correlation of subsets of that 1000 that contained 10 values.

What this shows is how easy it is to get any answer that you want.  MTYDTMYFB
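The experiment described above can be rerun outside a spreadsheet. The following is an added example, not RISKVIEWS' own code; the uniform draws, the fixed seed and the use of consecutive non-overlapping blocks of 10 are assumptions, since the post does not say how the subsets were chosen.

```python
import random
from math import sqrt


def pearson(xs, ys):
    """Sample Pearson correlation of two equal-length sequences."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series with at least 2 values")
    mx = sum(xs) / n
    my = sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("correlation is undefined for a constant series")
    return sxy / sqrt(sxx * syy)


def subset_correlations(xs, ys, size=10):
    """Correlation of each consecutive, non-overlapping block of `size` pairs."""
    return [
        pearson(xs[i:i + size], ys[i:i + size])
        for i in range(0, len(xs) - size + 1, size)
    ]


def run_experiment(n=1000, size=10, seed=2012):
    """Two independent random columns: full-sample vs. small-subset correlation.

    The seed is an arbitrary constructed value so the run is repeatable.
    """
    rng = random.Random(seed)
    xs = [rng.random() for _ in range(n)]  # column A, like a spreadsheet RAND()
    ys = [rng.random() for _ in range(n)]  # column B, drawn independently of A
    subsets = subset_correlations(xs, ys, size)
    return {
        "full": pearson(xs, ys),
        "subsets": subsets,
        "lowest": min(subsets),
        "highest": max(subsets),
        # How many 10-value subsets would look like a "strong" relationship
        "beyond_half": sum(1 for r in subsets if abs(r) > 0.5),
    }


if __name__ == "__main__":
    result = run_experiment()
    print(f"correlation over all 1000 pairs: {result['full']:+.4f}")
    print(f"subsets of 10 measured:          {len(result['subsets'])}")
    print(f"lowest subset correlation:       {result['lowest']:+.4f}")
    print(f"highest subset correlation:      {result['highest']:+.4f}")
    print(f"subsets with |r| > 0.5:          {result['beyond_half']}")
```

Picking whichever subset gives the preferred sign and size is all it takes to "find" a relationship between two columns that have none.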

How Much Resilience Do We Need?

November 13, 2012

Much too much of what we do relies upon the simplest idea of linear extrapolation.  It must be hard wired into human brains to always think first of that process, because we frequently seem to miss when extrapolation does not work.

Risk managers desperately need to understand the idea of system capacity.  The capacity of a system is a point beyond which the system will fail or will start to work completely differently.

The obvious simple example is a cup with a small hole in the bottom.  If you pour water into that cup at a rate that is exactly equal to the rate of the leak from the hole at the bottom, then the water level of the cup will be in equilibrium.  A little slower and the cup will empty.  A little faster and it will fill.  Too long in the fill mode and it will spill.  The capacity will be exceeded.

The highly popular single serving coffee machines are built with a fixed approach to cup capacity.  The more sophisticated will allow for two different capacities, but usually leave it to the human operator to determine which limit to apply.

For the past several years, there have been a number of events, the latest a hurricane that damaged an area the size of Western Europe, that have far exceeded the resilience capacity of our systems.  The resilience capacity is the amount of damage that we can sustain without any significant disruption.  If we exceed our resilience capacity by a small amount, then we end up with a small amount of disruption.  But the amount of disruption seems to grow exponentially as the exceedance of resilience capacity increases.

The disruption to the New York area from Hurricane Sandy far exceeded the resilience capacity.  For one example, the power outages still continue two weeks after the storm.  The repairs that have been done to date have reflected heroic round the clock efforts by both local and regional repair crews.  The size of the problem was so immense that even with the significant outside help, the situation is still out of control for some homes and businesses.

We need to ask ourselves whether we need to increase the resilience capacity of our modern societies.

Have we developed our sense of what is needed during a brief interlude of benign experiences?  In the financial markets, the term “Great Moderation” has been used to describe the 20 year period leading up to the bursting of the dot com bubble.  During that period, lots of financial economics was developed.  The jury is still out about whether those insights have any value if the world is actually much more volatile and unpredictable than that period of time.

Some weather experts have pointed out that hurricanes go in cycles, with high and low periods of activities.  Perhaps we have been moving into a high period.

It is also possible that some of the success that mankind has experienced in the past 50 years might be in part due to a temporary lull in many damaging natural phenomena.  The cost of just keeping even was lower than over the rest of mankind’s history.

What if the current string of catastrophes is just a regression to the mean and we can expect that the future will be significantly more adverse than the mild past that we fondly remember?

We need to come to a conclusion on those questions to determine How Much Resilience Do We Need?

Getting Started in a Risk Management Career

November 10, 2012

RISKVIEWS got an email request…

I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you choose the consulting risk management side over more of a singular corporation risk management position?”  My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go.   Daniel Gable

Daniel, some Risk Management career paths are very new.  New enough that there are not yet any people who entered the field out of college and who are now in retirement.  Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs.  But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership.  Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management.  So their senior staff positions will have some people who also did not start out in a risk management career.

RISKVIEWS’ perspective is that risk management will be best served by a balance of highly trained risk management specialists and a significant number of people with broader business perspectives, especially experience working in the areas where the risk is taken on.

The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.

WARNING: SPORTS ANALOGY AHEAD

The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions.  There are an extremely small number of players who can excel at either offense or defense.  Most players in most sports are much better at one or the other.  Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.

But only some risk management work can be accomplished by highly technically competent trained risk managers.  Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong.   To get this experience, one needs to have lived in the business, understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in.  This is all experience that is very difficult to get working from within the risk management program.

At the top of the risk management system is a Chief Risk Officer.  Like most senior executives, this person will need a high degree of leadership/managerial/political skills.  Perhaps much more so than most of the people who work in the risk management program.  In the last year or so, there has been a steady stream of bank CROs moving to CEO positions.  So in many places, it is a position with a serious future.

Finally, Daniel asked about consulting vs. working inside a company.  First of all, many consulting firms hire few if any entry level people.  They usually look to find people with at least a few years of experience inside of the firms that they are likely to consult for.  Once you have enough experience to have a choice, the option is for breadth vs. depth.  RISKVIEWS has over ten years of experience in both situations.

Inside of a company, a person may get the chance to develop a deep understanding of one or several aspects of the company operations.  Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well.  Many corporate jobs are also in a fixed location, so that people who have strong reasons to want to be home most nights would prefer that.  While there is some uncertainty about continuation of corporate jobs, many jobs are secure for a decade or more at a time.

Consulting positions, on the other hand, give the person the chance to get a very broad perspective on the many different ways that things are being done in the industry.  Consulting often offers the possibility of doing different work without it having a significant impact on career path.  Consultants often travel, some a little and most quite a bit.  An advantage for some and a big disadvantage for others.  Consulting work is insecure; often it is unknown what work a consultant will be doing in six months.  Some people are very excited by the variety and uncertainty of consulting work.  Consultants need to have excellent communications skills, especially the “client facing” consultants.

In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar.  A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.

Daniel is studying Finance as well as Risk Management.  RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.

 

Math Wins

November 7, 2012

The emerging US election results are showing that the more math based people like Nate Silver were extremely accurate in predicting the outcome of the election and the GUT based people were totally off base. See NYT.

This is the same comparison that psychologists have been doing for 50 years between clinical judgement and statistical reasoning.  See The Evolution of Thinking.

The pundits making GUT predictions seem to be totally fooled by the Confirmation Bias.  They only gave any credibility to information that matched their preferred conclusion.

Risk managers need to take care.

This does not mean that the statistical risk models must be right.

That is because risk models are fundamentally based upon opinions.  They are fundamentally a tool of the Confirmation Bias.

Risk models are not models of “what is” as much as they are models of “what will be”.  They always reflect one or more biases:

  • A bias that the future is predictable.  That has not particularly been the case for the past 4 years or so.  The future has been decidedly unpredictable.  Uncertain is the word that we read over and over.  Companies with highly complex models have had less of an advantage over companies without than during the Great Moderation.
  • The bias that the future will be just like the past.  This bias manifested itself as a totally disastrous blindness to the risks that led to the Great Recession.  Or the Fukushima Reactor disaster.  It was thought that something could not happen if it has not happened before.
  • The bias that the market reflects all available information.  The market value of sub prime mortgage CDO in 2006 when mortgage defaults first started happening just does not confirm this bias.  And at least half of all corporate defaults happen in a cliff, not a gradual decline.
  • The bias that things will be much worse than everyone else thinks.  (This is the position of folks like Nassim Taleb and Nouriel Roubini.  They can predict disaster every week and be right occasionally.  But this is not a useful position for risk managers to take in general.  Chicken Little was right, but just once.)

So risk managers need to be careful about taking too much comfort from the win for statistics in the Presidential race.

Embedded Assumptions are Blind Spots

October 28, 2012

Embedded assumptions are dangerous. That is because we are usually unaware of them and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumptions that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  They hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.  In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after… the last time there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

Emerging Risk Survey

October 24, 2012

TAKE PART IN THE ANNUAL EMERGING RISKS SURVEY

Posted by Max Rudolph

The Joint Risk Management Section, sponsored by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries, is interested in better understanding how risk managers deal with emerging risks. The objective of this effort is to examine and ultimately give guidance to risk managers on how to deal with these unknown and developing risks.

To achieve this, we have designed an online survey to gather information about emerging risks and related issues. This survey is a follow-up to earlier surveys on emerging risks and will help to provide insight to changes and trends in this evolving field.

We would greatly appreciate you taking the time to complete the survey by October 26. It should take less than 10 minutes to complete the basic survey, but we hope you will share your thoughts in comment boxes, as well. Please share this survey link with other risk managers (internal and external) who might be interested in sharing their thoughts. We hope to gather a wide variety of perspectives from the survey.

It is our hope that the results of this survey will help risk managers deal with information that exists outside historical data sets. We assure you that results will be reported anonymously and that your specific responses will be held under the strictest confidence.

If you have questions about the survey, please contact Barbara Scott.

Thanks very much for your consideration! We expect to report results in December.

Follow this link to the Survey:
Take the Survey

Or copy and paste the URL below into your internet browser:

http://soa.qualtrics.com/WRQualtricsSurveyEngine/?SID=SV_5upsMMiVNJE1pBj&RID=MLRP_6zJ0LSMyi4Qysux&_=1

***** REMINDER ***** DEADLINE IS FRIDAY, OCTOBER 26 ***** REMINDER *****

Many thanks to those of you who have already participated in this survey!

Risk Evaluation by Actuaries

October 22, 2012

The US Actuarial Standards Board has promulgated a new Actuarial Standard of Practice, number 46, Risk Evaluation in Enterprise Risk Management.

ASB Adopts New ASOP No. 46

At its September meeting, the ASB adopted ASOP No. 46, Risk Evaluation in Enterprise Risk Management. The ASOP provides guidance to actuaries when performing professional services with respect to risk evaluation systems used for the purposes of enterprise risk management, including designing, developing, implementing, using, maintaining, and reviewing those systems. An ASOP providing guidance for activities related to risk treatment is being addressed in a proposed ASOP titled, Risk Treatment in Enterprise Risk Management, which will be released in late 2012. The topics of these two standards were chosen because they cover the most common actuarial services performed within risk management systems of organizations. ASOP No. 46 will be effective May 1, 2013 and can be viewed under the tab, “Current Actuarial Standards of Practice.”

 

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.  (“The End of Enterprise Risk Management”, David Martin and Michael Power)

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything.  Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want.  But if you really want ERM, then something else is needed.  Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm.  This is a favorite topic of RISKVIEWS as well.  See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive.  That reacts to the environment.  Most ERM systems do not have this Reflexive element.  Risk limits are set and risk positions are monitored most often assuming a static environment.  The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently.  In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use.  That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment.  Plural Rationality theory suggests that there are four different risk environments.  If a company adopts this idea, then they need to look for signs that the environment is shifting and, when it seems likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment.  The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment.  With that RISKVIEWS can heartily agree.

New Riskviews Wiki – Actuarial Applications of Plural Rationality

October 13, 2012

For several years now, I have been working with a small group of people to explore and write about the ideas of Plural Rationality and how it can be used in the field of risk management.  We have presented these ideas at multiple actuarial meetings around the world and published articles in a number of places.  You may be aware of this.

Recently, I recruited two new actuaries to this work and their reaction has been very favorable as they work on this and thereby learn more.  The theory of plural rationality has fairly strong explanatory powers.  They are helping to find new insights in a field that I know little about.

That experience has inspired me to invite all of you to join this effort.

To that end, I have created a wiki for development of actuarial discussions of plural rationality.

https://riskviewswiki-actuarialapplicatifpluralrationality.pbworks.com

The list below shows the pages/discussion topics that have been created so far.  The Background page includes links to most of the places where you can find the work that has been done to date on this by Michael Thompson, Alice Underwood and me.  The others are blank pages that are examples of possible discussion topics.  Other discussion topics are of course possible.

(This is all free, but to access, you will need to set up a pbworks account. I am not selling pbworks.  I just happen to like how it works. And it seems to let me do this for free.)

I believe that I need to send you a personal invitation to join the Riskviews network on pbworks so that you can set up the account.  So if you are interested, please send an email to  daveingram@optonline.net.  Feel free to forward this to anyone that you feel might have an interest.  This discussion is not necessarily restricted to actuaries.

  • Background on Plural Rationality
  • Implications for Risk Management
  • Implications for Risk Measurement
  • Implications for Catastrophe Risk measurement and management
  • Implications for Pensions
  • Implications for Equity Linked Life Insurance and Annuities
  • Implications for Mutual Insurance
  • Implications for Solvency II

If you are someone who has no idea what I am talking about and want to look at the Plural Rationality background materials without joining pbworks, you can see it at Plural Rationality and ERM page here on the Riskviews blog.

Dave Ingram

Driver of a Statement of Risk Tolerance

October 8, 2012

Many, many firms struggle with developing good statements of Risk Tolerance.  This is startling because regulators and rating agencies alike say that good risk management requires a statement of Risk Tolerance.

For this post, Risk Tolerance will be used to mean the amount of risk that an organization might choose to retain after risk mitigation.  The term Risk Appetite, which is often used interchangeably, will be used to mean the amount of risk that an organization plans to take, usually an amount less than the Risk Tolerance.

An analogy might be to the speed of a car.  A particular driver in a particular car might be able to tolerate going 80 miles per hour on a highway that is well lit and that has little traffic.  But tonight,  they only plan to go 70 miles per hour on this trip.

Others use these terms to mean something else.  Riskviews does not have an opinion about the value of these other definitions.

To form a good risk tolerance statement, the management of a company needs just two things – (1) to identify what adverse event they will base their tolerance upon and (2) the likelihood of that adverse event at their tolerance level.

Alternately, a risk tolerance statement can be built upon something that is itself tied directly to some likelihood, like a risk capital value at a 1/200 loss or the top speed of a car that is implicitly tied to an (unstated) level of likelihood of an accident.

But that unstated likelihood for the car speed is really the key to understanding why risk tolerance is so difficult for many, many managers.

You see, most people who drive a car will develop a tolerance for speed over time as they get experience with driving.  They each have an internal mechanism that tells them that they have reached a speed that “feels” too dangerous.  It is that roller coaster flip in the gut when the car barely holds the road on a tight turn.  That adrenaline rush that comes right after the near accident.  They are not calculating probabilities there, but their resulting tolerance could be seen to be calibrated to some safety margin that varies by individual.

But the problem is that some company managers are trying to form a risk tolerance for their company before they have any experience driving with a speedometer, in effect.  That is because risks that a company takes are not always obvious to the management.  And even when individual risks are well known, their aggregation usually is not, to any degree of precision.

So the thing that is missing for most managers is the experiential feel for their risk.  Before setting a risk tolerance, they need to drive around with one eye on the speedometer of their company.  That is with continual awareness of the amount of risk that the company is taking.  They will need to do this for a multi year period so that they will see when their knuckles go white.

Waiting for this experience may not be the best approach; it would probably be better to look backwards at the risk level for the past 5 to 10 years of company history.  Managers who have been there long enough have a good feel for when the company had much worse results than desired.  The risk tolerance can be set by working from that worst year and figuring out how close to that situation the company management is comfortable getting in the future.

Now to do this, it is much easier to simply pick a likelihood number.  The number then defines the risk calculation.  The risk would be the amount of loss that is expected at that likelihood value given the company plans for risk taking as well as the actual risks taken.

Then to build up that experience, managers need to look at the comparison between the risk and the capital or between the risk and the earnings of the company over their recent past and immediate future.

One thing to look for is how the actual risk taken compares to the plan.  In some companies, a goal is set in terms of premium dollars written.  But in some years, the premium goal is met, but the business written is actually much riskier than the plan.  This may be the reason behind the bad experiences that the company has had.  If that is the case, then the company needs to look to strengthen risk control practices before worrying about risk tolerance.

In the example above, the company risk number was smaller than the surplus number in all years except year 4.  Company management agrees that they were too exposed to a major loss that year.  So they have set their risk tolerance to their risk measure at 90% of surplus.  With tolerance set at that level, every other year was within tolerance.

This is the best way for management to set a risk tolerance.  Based upon experience, just like a person’s driving speed tolerance is based upon their driving experiences.

Unintended Consequences – Distortion of Decisions

October 7, 2012

Central bankers have tools to help the economy, but for the most part, those tools all have the effect of lowering interest rates.

But there are consequences of overriding the market to change the price of something.  The consequences are that every decision that uses the information from the affected market prices will be distorted.

Interest rates are a price for deferral of receiving cash.  Low interest rates signal that there is very little risk to deferral of receiving cash.  So one only has to pay a little extra to pay later rather than now.

This is helpful in stimulating consumption.  People without the money right now can promise to pay later with low penalty for the deferral.

But is the risk from the deferral really lower?  The interest rates are very low because the central bank is overwhelming the market demand.  Not because anyone really believes that deferral of receipt of cash is low risk.

But anyone who simply uses the market interest rates is having their decision distorted.  They are open to taking deferral risk without expecting to be reasonably compensated for that risk.

To purists who believe that the only usable value is the market price, this is the only real information.

But if you want to make good decisions about transactions that stretch out over a long time, you might want to consider making your own adjustment for the risk of deferral.

Performance Pressure

September 22, 2012

It has become a pretty standard part of business management practice. Every year, the demand is for MORE with the same or fewer resources and in the same or less time.  The latest requirement to be a senior manager is the ability to stare a subordinate straight in the eye and demand that they significantly enhance productivity again when you have absolutely no idea how they will pull that rabbit out of their hat.

One very common way to work this magic is to spend less resources on things like risk management.  Risk Management is rarely one of those places where more productivity is being required.  In fact, during this productivity discussion, risk management is almost never mentioned.  That is the hint that risk management is one of the areas where adjustments can be made to pick up some slack.

In a firm without a clear risk management culture, risk management will often just be skipped altogether.  End of story.

But in a firm with a strong risk management culture, that would never be an acceptable course of action.  What instead will happen is that substitutions will be made.  Less time spent on risk management, less frequent checking of the need for mitigation.  Less, Less, Less.

And if this happens in “normal” times, then there will be no feedback from the environment that there is any problem with Less Risk Management.  If the original intention of the Risk Management was to protect against all but 1 in 100 year losses and there is a drift, an easing into Less Risk Management, then what was thought to be a 1/100 loss might become a 1/10 loss.  There is still a 90% chance that the extreme loss will not happen.

That is the “Drift into Failure” of the Safety Engineers.  In the book of that title, Dekker tells of an airplane maintenance schedule that drifts over time from the manufacturer’s recommended 350 hours of flight time to 2500 hours of flight time.  Then one maintenance cycle was skipped and a plane crashed.  The drift from 350 hours to 2500 hours was not one big decision.  It was many little decisions, each moving things up only 10% to 20%.  Skipping just one maintenance was not a big decision either.  Things were tight one month and they needed the plane.

So Risk Management procedures need to allow for natural drift caused by Performance Pressure.  And for a normal degree of mistakes, like skipping a scheduled maintenance.

At JP Morgan, the Corporate Investment Office did not start out making gigantic trades for profit.  They were doubtless like lots of other hedging operations.  One quarter, they saw an odd situation where a profit could be made with a fairly high degree of certainty.  So they asked permission and took a small gain.  They were then told to look for other similar opportunities.  After a while, they started to get a profit goal along with all the other business units.  Like LTCM, they must have hit a period where such profit making opportunities stopped falling into their laps.  So they started to go very big on something with small reward.  One decision at a time.  And probably risk management oversight that was one or two stages of their evolution behind.

It may well not have been one big bad wrong decision; it may well have been a series of small, seemingly easy, sensible decisions that together spelled disaster.

But no one looked at them all together.

Risk Risk Analysis

August 31, 2012

The other day, my boss asked me for the risk risk analysis report. You know, the one that shows the ratio between risk and risk for all of the activities of the firm. We are planning to make some important strategic decisions and we want to make sure that we are planning for enough risk, but do not want to be exposed to too much risk.

This report is being prepared for the Chief Marketing Officer. Her job is to make sure that the company meets its risk goals each quarter, while the Chief Risk Officer is responsible for making sure that she does not expose the company to too much risk while doing that.

Of course, no one actually talks like that.  But many risk managers will adamantly claim that the definition of Risk must include both upside and downside.  That is usually followed with a statement about the importance of Risk and Reward management.  They do not seem to notice that it only took them one sentence to go back to the old definition of risk as downside potential.

There is nothing wrong with having risk and reward as separate ideas.  In fact, that is pretty much how the English language works.  Risk Managers who are trying to force people to think otherwise are fighting a losing battle.  And they actually lose it with the words out of their own mouth, thereby appearing foolish.

Rounding Up to Reduce Drift into Failure and Maintain Risk Karma

July 31, 2012

So what to do about Drift into Failure?

Think of DIF in simple math terms.  At every turn in the calculation, you are rounding down or truncating the values that you calculate.  With that process, your result will always be low.  Not always noticeably low, but with a bias to be below the value that you would have calculated by carrying forward every value with all of its decimal places.

With a Risk Management or Safety system, it is the same thing.  If checking ten times will give a .9999 guaranty of safety, then nine times should be good enough.  If lubricating weekly produces no failures, how about lubricating every 9 days.  And so on.  If a hedge that is 98% effective works out fine most days, how about a hedge that is 96% effective.  A $5 million retention works, why not move it to $5.5 million.

In every case, the company rounds down.

So the practice that is needed to reduce DIF is to occasionally round up.  One year, try rounding up on half the risk systems.  Make the standards just a tiny bit tighter a few times.  Balance things that way.  Think of your firm as accumulating bad karma by allowing the shortcuts, the rounding down on the risk management and safety systems.  Protect the karma, by going the other way in the same sort of imperceptible small steps that are the evidence of the DIF.

Stop Drifting.   Join the Fight Against Bad Risk Karma Today.

The Risk of Paying too much Attention to your Experience

July 30, 2012

The Drift into Failure idea from the Safety Engineers is quite valuable.

One way that DIF occurs is when an organization listens too well to the feedback that they get from their safety system.

That is right, too much attention.  In the case of a remote risk, the feedback that you will get most days, most weeks, most months is NOTHING HAPPENS.

That is the feedback you are likely to get if you have a good loss prevention system or if you have none.

This ties to the DIF idea because organizations are always under pressure to do more with less.  To streamline and reduce costs.

So what happens?  In Safety and Risk Management, someone studies the risks of a situation and designs a risk mitigation system that reduces the frequency or severity of problem situations to an acceptable level.

Then, at some future time, the company management looks to reduce costs and/or staff.  This particular risk mitigation system looks like a prime candidate.  The company is spending time and money and there has never been a problem.  Doubtless, the same “nothing” could be achieved with less.  So the budget is cut, a position is eliminated and they get by with less mitigation.

Then time passes and they collect the feedback, the experience with the reduced risk mitigation process.  And the experience tells them that they still have no problems.  The budget cutters are vindicated.  Things seem to be just fine with a less costly program.

If the risk here is highly remote, then this process might happen several times.

Which may eventually result in a very bad situation if the remote adverse event finally happens.  The company will be inadequately prepared.  And no one made a clear decision to dilute the defense to an ineffective level.  They just kept making small decisions and eventually they drifted into failure.

And each step was validated by their experience.

Risk Language Needs to be Learned – By the Risk Officer

July 22, 2012

Language is not imposed.  Language develops from usage.  The first step in developing a common risk language WITHIN a firm is to understand the risk language that already exists.  The goal is to figure out what concepts are spoken of in different words in different parts of the firm.  And which risk management concepts are not already in use.

If you listen instead of talking, you will usually learn that almost all risk management concepts are already in use somewhere in the firm and there is already language.  When there are multiple terms in different areas, the solution is usually to teach both areas the terms that the other area uses.  Soon, the organization accepts the terms as synonyms.  (Languages have synonyms, you know).

Good luck to the risk officer who brings in a language and tells everyone which words to say.  The risk officer needs to learn the risk language that is already in use and concentrate on elevating the significance of the practices that the existing language describes.

There are experts who say that it is important for everyone to speak the same language about risk and risk management.  The private benefits are negligible.  The collective benefits are slim.  Absolutely everything else gets along just fine with each firm having their own private language.

A Learning Break

July 16, 2012

Riskviews has been taking a learning break.

Sometimes we are refreshed and invigorated by getting away from anything relating to our primary occupation.

But other times the most refreshing thing that you can do is to learn about how people faced with seemingly different, but fundamentally similar problems approach their work.

Riskviews has been learning small bits about Resilience.  That topic is usually associated with physical systems failures.  We are fooled into thinking that physical systems failures are all about engineering questions about the failures of metals or breakdown of lubricants.

But just as most failures in financial firms are directly related to human systems issues, so are most physical systems failures.  Studies about resilience are mostly studies of the human systems that are tightly linked to the physical systems that fail.

Here is a definition of resilience:

Resilience is the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions.

Already, Riskviews is learning something.  In much risk management literature, it is assumed that the system is determined via rules and that there is not necessarily ANY adjusting happening.  But from experience, we know that in almost all cases, systems will adjust to most significant changes and certainly will adjust to “disturbances”.

At the highest level, banks found out that a capital regime under which they held capital for a 1 in x event worked for absorbing the large loss, but it did not work for providing needed capital after the large loss.  They had a plan that worked up until the day after the event.

What both banks and insurers also found in the crisis was that their systems did adjust as things got insanely adverse.  But what they found was that in some cases, their systems adjusted so that they reduced the impact of the crisis and in other cases, made things worse.

One of the concepts that Resilience Engineers have developed is what they call “Drift into Failure.”  What they mean by that is that in many cases, complex systems fail, not because of some single part or person’s failure, but because of a series of small problems that in the end cause an avalanche type failure.

Here are four ideas that were discussed at a Resilience Engineering conference in 2004 from the notes of C Nemeth:

• Get smarter at reporting the next [adverse] event, helping organizations to better manage the processes by which they decide to control risk
• Detect drift into failure before breakdown occurs. Large system accidents have revealed that what is considered to be normal is highly negotiable. There is no operational model of drift.
• Chart the momentary distance between operations as they are, versus as they are imagined, to lessen the gap between operations and management that leads to brittleness.
• Constantly test whether ideas about risk still match reality. Keeping discussions of risk alive even when everything looks safe can serve as a broader indicator of resilience than tracking the number of accidents that have occurred.

Resilience is a big topic and Riskviews will continue to share further learnings.

When You Find Yourself in a Hole, Stop Digging

July 2, 2012

Attributed to Will Rogers

Who knew that Will Rogers was a closet Risk Manager?  He must have been, because that is great risk management advice.

If you have too much of something – the first thing that you should do is to STOP ADDING to your position.

We do not yet have the full story, but it is pretty safe to guess that neither MF Global nor JP Morgan followed that idea.  It seems fairly obvious that at some point in time, they each had smaller positions that were already too big and then they ADDED to their positions.

The bank/hedge fund trading mentality suggests that the traders who really tener cojones will be able to keep raising the size of their position until the market breaks.

Insurance companies harbor the same mentality, except that they are never on the big win side of the bet.  Insurers win small on any one bet.  They win if there is no claim.  But even that lopsided situation does not stop insurers from loading up on bets where they already have too much.

So the answer is to invite Will Rogers into your Limit protocol.  When you are setting or reviewing your limits for the next period, set a new WILL ROGERS LIMIT.  The new WILL ROGERS LIMIT (WRL) is the point where you automatically stop adding to your position if there has not been a discussion and an exception to the WRL.

And that is what risk management is all about.  Just thinking ahead.  It is not magic.  Just listening to the great risk managers of the past.

