The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers. April 23 and 24th.
This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:
Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
For the most significant headlines during the past year, how was the risk management function involved?
Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
What are the lessons that have been learned and how are they shaping risk management today? If not, why?
Does risk management have a seat at the table, at the correct table?
Are risk managers as empowered as they should be?
Is risk management asking the right questions?
Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?
On Wednesday, April 24 Former FDIC Chairman Sheila Bair will be the featured luncheon speaker
Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.
The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors. Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services. This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk management International Association (PRMIA) and the Society of Actuaries (SOA).
Riskviews will be a speaker at three sessions out of more than 20 offered:
Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understand the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
Unintended consequences maybe lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
Actuarial Professional Risk Management - The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
Enterprise Risk Management in Financial Intermediation - This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.
A. Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)
B. The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an integrated approach to assessing and controlling risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our liquidity management. (Swiss Re)
C. We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)
D. Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.
E. AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
· Understanding which risks the company is able to underwrite;
· Assessing the risk-return trade-off associated with these risks;
· Establishing limits for the level of exposure to a particular risk or combination of risks; and Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.
F. The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.
G. QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.
H. The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)
I. Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.
J. The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)
The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.
The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.
So risk managers are being asked to do more and more with less and less.
Here are some tips for how to manage to meet expectations without crashing the budget:
Identify the area or activity that now has the most expensive risk oversight process. Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits. Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
Get more people involved in risk management. This seems counter to the idea of decreasing costs of risk management, but in fact it can work well. Study the things that the risk management staff is spending time on and determine which of those activities can be transfered to the business unit staff who can do the oversight on a very part time basis. Your risk management staff can then shift to periodic review of their activities instead. This should be promoted as a natural evolution of risk management. Ultimately, the business units should be managing their own risk anyway.
Find out which risk reports are not being used and eliminate them. Constructing management information reports can be a very time consuming part of your staff’s time. Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
Reduce staff support for risk management in areas where activity levels are falling. It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
Leverage outside resources. In fat times, you may be declining free support from vendors and other business partners. In lean times, they may be even more happy to provide their support. Just make sure that the help that they give supports your needs.
Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business. See recent post on model accuracy.
Expand your own personal capacity by delegating more of the matters that have become more routine. There is a natural tendency for the leader to be involved in everything that is new and important. Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly. Let go. Make sure that you have the time that will be needed to take up the next new thing. Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.
These are all the sorts of things that every manager in your firm should be thinking about. Risk managers should be doing the same sorts of thinking. You and your function are another natural part of the business environment of the firm. You will not be immune from the pressures of business, nor should you expect to be.
In a recent post, RISKVIEWS stated six key parts to ERM. These six ideas can act as the outline for describing an ERM Program. Here is how they could be used:
1. Risks need to be diversified. There is no risk management if a firm is just taking one big bet.
REPORT: Display the risk profile of the firm. Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past. Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions.
2. Firm needs to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
REPORT: Display the risk quality of the firm. Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes. Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.
3. A control cycle is needed regarding the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
REPORT: The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached. A record of breaches should also be shown. (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.) Emerging risks should have their own control cycle and be reported as well.
4. The pricing of the risks needs to be adequate. At least if you are in the risk business like insurers, for risks that are traded. For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.
REPORT: For General Insurance, this means reporting combined ratio. In addition, it is important to show how risk margins are similar to market risk margins. Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest. This is accomplished by mark-to-market accounting for investment risks. Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins. This should be clearly reported, as well as the reasons for that activity.
5. The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks. This involves risk reward management.
REPORT: Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks. This process has its own control cycle. The reporting for this control cycle should be similar to the process described above. This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.
6. The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.
REPORT: Losses can be shown in four layers, expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital and losses that exceed capital. The likelihood of losses in each of those four layers should be described as well as the reasons for material changes. Some firms will choose to report their potential losses in two layers, expected losses, losses that reach a certain likelihood (usually 99.5% in a year or similar likelihood). However, regulators should have a high interest in the nature and potential size of those losses in excess of capital. The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.
Actuarial Review of Enterprise Risk Management Practices –
A Working Group formed by The Enterprise and Financial Risks Committee of the IAA has started working on a white paper to be titled: “Actuarial Review of Enterprise Risk Management Practices”. We are seeking volunteers to assist with writing, editing and research.
This project would set out a systematic process for actuaries to use when evaluating risk management practices. Actuaries in Australia are now called to certify risk management practices of insurers and that the initial reaction of some actuaries was that they were somewhat unprepared to do that. This project would produce a document that could be used by actuaries and could be the basis for actuaries to propose to take on a similar role in other parts of the world. Recent events have shown that otherwise comparable businesses can differ greatly in the effectiveness of their risk management practices. Many of these differences appear to be qualitative in character and centered on management processes. Actuaries can take a role to offer opinion on process quality and on possible avenues for improvement. More specifically, recent events seem likely to increase emphasis on what the supervisory community calls Pillar 2 of prudential supervision – the review of risk and solvency governance. In Solvency II in Europe, a hot topic is the envisaged requirement for an ‘Own Risk and Solvency Assessment’ by firms and many are keen to see actuaries have a significant role in advising on this. The International Association of Insurance Supervisors has taken up the ORSA requirement as an Insurance Core Principle and encourages all regulators to adopt as part of their regulatory structure. It seems an opportune time to pool knowledge.
The plan is to write the paper over the next six months and to spend another six months on comment & exposure prior to finalization. If we get enough volunteers the workload for each will be small. This project is being performed on a wiki which allows many people to contribute from all over the world. Each volunteer can make as large or as small a contribution as their experience and energy allows. People with low experience but high energy are welcome as well as people with high experience.
Volunteers are needed to help to make this into a real resource. Over 200 books, articles and papers have been identified as possible resources ( http://ermbooks.wordpress.com/lists-of-books/ )
Posts to this website give a one paragraph summary of a resource and identify it within several classification categories. 15 examples of posts with descriptions and categorizations can be found on the site.
Volunteers are needed to (a) identify additional resources and (b) write 1 paragraph descriptions and identify classifications.
If possible, we are hoping that this site will ultimately contain information on the reading materials for all of the global CERA educational programs. So help from students and/or people who are developing CERA reading lists is solicited.
Participants will be given author access to the ermbooks site. Registration with wordpress at www.wordpress.com is needed prior to getting that access.
Please contact Dave Ingram if you are interested in helping with this project.
If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things to successfully manage risks are being done, and done now, not sometime in the distant past.
A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks. The pilot will review:
the route of flight
weather at the origin, destination, and enroute.
the mechanical status of the airplane
mechanical issues that may have been improperly logged.
the items that may have been fixed just prior to the flight to make certain that system works
the flight computer
the outside of the airplane for obvious defects that may have been overlooked
the paperwork
the fuel load
the takeoff and landing weights to make sure that they are within limits for the flight
Most of us do not do anything like this when we get into our cars to drive. Is this overkill? You decide.
When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.
Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process. One that RISKVIEWS would recommend to be used by risk managers.
THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT
Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.
1. Risks need to be diversified. There is no risk management if a firm is just taking one big bet.
2. Firm needs to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
3. A control cycle is needed regarding the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback
4. The pricing of the risks needs to be adequate. At least if you are in the risk business like insurers, for risks that are traded. For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.
5. The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks. This involves risk reward management.
6. The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.
A firm ultimately needs all six of these things. Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.
The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things. Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.
Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted.
Here they are:
What is the firm’s risk profile?
How much time does the board spend discussing risk with management each quarter?
Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
What outside the box risks are of concern to management?
What is driving the results that you are getting in the area with the highest risk adjusted returns?
Describe a recent action taken to trim a risk position?
How does management know that old risk management programs are still being followed?
What were the largest positions held by company in excess of risk the limits in the last year?
Where have your risk experts disagreed with your risk models in the past year?
What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?
They never come back and asked for the answer key. Here it is:
There are a number of issues relating to this question. First of all, does the insurer ever trim a risk position? Some insurers are pure buy and hold. They never think to trim a position, on either side of their balance sheet. But it is quite possible that the CEO might know that terminology, but the CFO should. And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time. If not, then they may just have so much excess capital that they never have felt that they had too much risk.
Another issue is whether the CEO and CFO are aware of risk position trimming. If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks. Again, that is not such a good sign. It either means that their staff never takes and significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.
Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit. That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.
In addition, risk positions might need trimming for several other reasons. A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model. Firms that operate hedging or ALM programs could be taking trimming actions at any time. Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.
And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk. A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.
SO a firm with a good ERM program might be telling any of those stories in answer to the question.
Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted.
Where have your risk experts disagreed with your risk models in the past year?
What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?
They never come back and asked for the answer key. Here it is:
1. The first step in real risk management is to be able to think of the firm from a risk point of view. Any CEO can do that from a sales point of view and from a profits point of view. They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line. Those statistics are a part of the sales profile and the profits profile. A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile. Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet. So this question is first and most important. The CEOs who are most likely to be unable to answer this question are the leaders of larger more complex companies. The investor need to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business. Risk really is a key issue. A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to. That may work out fine for the company and the investors. If they are lucky.
Risk has traditionally been a minor part of strategy discussions in many firms.
Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion. As quickly as possible, the planners shift into concentrating on discussion of Opportunities. That is what they are there for anyway – Opportunities.
Utility theory and the business education that flows from utility theory suggests very little consideration of risk. Not none at all, but very little. Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good. That is one spot where risk creeps in. In addition, risk might be also reflected as an externality – the capital required by a regulator or ratings agency.
Financial economics came along and offered a more complicated view of risk. Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.
Risk management suggests a completely different and potentially contradictory approach.
The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection. The internal risk appetite becomes the constraint instead of the external capital constraint. For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch. But often is actually is not.
The boards and management of most firms have failed to choose their own risk appetite constraint.
Riskviews believes that this is because the folks who have spent their entire careers under and external constraint system are ill equipped to set their own limits. They do not have the experience with trial and error of setting risk appetite unlike the long experience that they have with most of their other management decisions. For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail. When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.
Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision. And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.
And as the discussion at the start of this post states, the business education did not include risk appetite either.
But there are other ways that risk can be incorporated into the planning and strategy.
Risk Profile. A part of the statement of the impact that the plan will have on the company should be a before and after risk profile. This will show how the plan either grows the larger risks of the firm or diversifies those risks. Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm. The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended. That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type. By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan. They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective. And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
Risk management view of gains and losses. Planning usually starts with a review of recent experience. The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedence probability from the risk models. This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
Risk Controls review. Each risk operated within a control system. The above review of recent experience should include discussion of whether the control systems worked as expected or not.
Risk Pricing review. The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type. Comparison to a neutral index could be considered as well. With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.
Some management groups will be much more interested in one or another of these approaches. The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy. Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.
In some situations, things go better if you can explain them in plain language. In others, having lots and lots of unintelligible pseudo scientific jargon is what is needed.
If your situation is the former and someone wants to know about risk management, tell them
PaPaTaCom
That is short for:
Plan Ahead
Pay Attention
Take Action
Communicate
Really, that is what is involved in risk management. Saying it is very, very simple. Doing it is difficult.
Plan Ahead means that you need to know in advance how much risk you expect to take and how much mor or less than that you are willing to take. Very easy to say, but not very easy to do. But maybe if you just say it in plain language like this, instead of calling it risk appetite and risk tolerance, folks will understand and do that.
Pay Attention means that you need to know at all times, how much risk you are actually taking and how that compares to your plan. It means that you really do know what your risks are and what your plan is.
Take Action means that if your plan says that you active manage your risks as you go along, that you actually do that. If your risk positions grow much faster or much slower than your plan, that you do something about that also. Take action means that you never just sit there unless that is what you planned to do. (See Risk Management Entertainment System)
Communicate means that everyone tells each other what is planned, what the find when they are paying attention and what they do when they are taking action.
All of the fancy words around risk management are all a long winded and complicated way to say these four simple ideas.
But if your risks are complicated, as many, many organizations’ risk are, then this is only simple to say but never simple to do.
If your risks produce troublesome losses infrequently, it is very difficult to tell how much risk that you can or want to take. It is also difficult to tell what your risk actually is at any point in time. It is difficult to know whether to do something or not. And so it sometimes seems like there is nothing that needs to be communicated.
If your risks are complicated and variable, then it is also difficult. Knowing how much risk that you have been taking is slippery. Knowing how much you might want to take is difficult and paying attention, that is measuring, is also tricky. Taking actions might just fix one aspect of a risk and expose you to large dose of another aspect (see Risk and Light). So what exactly do you communicate?
So these simple words do not help too very much. Because even if you can tell the boss that risk management is easy to describe, you will be in big trouble when it is not easy to do.
So this is perhaps another one of those posts that you might have been better of if you did not read……
But what should you do SECOND? The list of ERM practices is long. Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.
And you want to make sure that you avoid Brick Walls and Touring Bikes.
But the Second Step is not a practice of ERM. The Second Step is to identify the motivation for risk management. As mentioned in another post, there are three main motivations: Compliance, Capital Adequacy and Decision making.
If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.
If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.
If Decision making is the motivation, then the process becomes somewhat more involved. Start with identifying the risk attitude of the firm. Knowing the risk attitude of the firm, the risk management strategy can then be selected. Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.
This process has been described in the post Risk Attitudes and the New ERM Program.
But knowing the motivation is key. A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM. They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..
And then hit a brick wall.
That is because they did not clearly identify the motivation for their appointment to be the risk management officer. The term ERM actually means something totally different to different folks. Usually one of the three motivations: Compliance, Capital Adequacy, or Decision Making.
A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices. A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement. Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.
The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.
Most modern cruise ships feature the following facilities:
Casino – Only open when the ship is in open sea
Spa
Fitness center
Shops – Only open when ship is in open sea
Library
Theatre with Broadway style shows
Cinema
Indoor and/or outdoor swimming pool
Hot tub
Buffet restaurant
Lounges
Gym
Clubs
Keep that contrast in mind when you are making your plans for a new ERM system.
In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.
The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:
Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.
Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.
Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.
A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.
To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.
Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.
The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.
The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.
Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.
Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM. What is most commonly seen is that COSO based ERM system has a few characteristics in common:
They usually take at least a year to implement phase 1. By the end of that year, no actual improvements or changes to actual risk treatment activities take place. The most common product of that year’s efforts is a risk register.
The risk register usually contains at least 100 risks. Many of these systems have closer to 200 risks identified.
Top management is completely baffled about why they need to spend their time paying any attention to such activity. If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.
The COSO process seems to be totally a Loss Controlling approach to ERM. This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach. That is another way of saying that COSO does not fit well with insurance company management approaches.
ISO 31000 is new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years. The following post gives a discussion of the differences between the two.
ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach. It seems to seek to be in the Risk Steering camp. Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.
Riskviews main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.
ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System. Sadly, this is not a joke. Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.
That is a major problem with detailed prescriptive systems like ISO 31000. While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.
In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and making the right moves so that exposures to those risks are of the size that they would choose. Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.
And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.
‘No institution, including our own, should be too big too fail’. Jamie Dimon
‘We did eat our own cooking – and we choked on it’. Brian Moynihan
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Sun Tzu
“We focus on risk before we focus on return. The best investors do not target return. They focus first on risk.” Seth Klarman
Barings was always described as this wake up call that nobody would ever forget, but the fact is, only lip service was ever played to the fact that risk management needed to improve Nick Leeson (in 2009)
Information about causation, even if imperfect, is powerful. It is ignored in the frequentist approach at a great loss for the risk manager. Organizing one’s understanding about how the world might work into a coherent and tractable analytical probabilistic framework is not an easy task. Ricardo Rebonato
Fill your bowl to the brim and it will spill. Lao Tzu
The essential problem is that our models—both risk models and economic models—as complex as they have become, are still too simple to capture the full array of critical variables that govern global economic reality. Alan Greenspan
Economies are in greatest peril not when investors willfully take crazy financial risks but when no one seems to perceive risk and the need to insulate the economy from it. Nicole Gelinas
“What one does see, again and again, in the history of financial crises is that when an accident is waiting to happen, it eventually does.” Reinhart & Rogoff
We are pleased to announce the fourth global webinar on enterprise risk management. The programs are a mix of backward and forward looking subjects as our actuarial colleagues across the globe seek to develop the science and understanding of the factors that are likely to influence our business and professional environment in the future. The programs in each of the three regions are a mix of technical and qualitative dissertations dealing with subjects as diverse as regulatory reform, strategic and operational risks, on one hand, and the modeling on tail risks and implied volatility surfaces, on the other. For the first time, and in keeping with our desire to ensure a global exchange of information, each of the regional programs will have presentations from speakers from the other two regions on subjects that have particular relevance to their markets.
For more information and to register: http://www.soa.org/professional-development/event-calendar/event-detail/erm-economic/2011-01-12/default.aspx
That’s how many different pageviews there have been of Riskviews in the first year of operation as a blog. The best month in that first year was the last month, July 2010.
Thanks. This will continue.
Riskviews is one of 141 million blogs operating on the web. Riskviews has stayed on its theme of Risk and Risk Management. There were approximately 4 new posts per week over that first year. Thanks to the many people who provided guest posts and especially to the “Regular Contributors“
To celebrate this first anniversary of the start of the blog, I decided to feature one post from each month of that first year:
All Things Being Equal (January 2010) Talks about the danger that arises because the “standard assumptions” are rarely stated, let alone tested for validity.
Burn out, Fade Away …or Adapt (February 2010) The landscape of risk keeps changing. Risk management needs to be adaptable if the firm is going to survive over the long run.
Is ERM Ethical? (March 2010) Tries to tie risk management and other points of view commonly found within firms to different schools of ethics, rather to “right and wrong”.
Window Dressing (May 2010) Suggests an alternative basis for determining regulatory capital.
Regulatory Risk Management (June 2010) The extreme pitfalls of a high degree of regulatory involvement in risk management.
Crippling Epistemology (July 2010) Be careful that that expensive and impressive risk information system do not actually obscure the information needed to make risk decisions.
There are four different Risk Attitudes that are found among business managers:
Conservators who are concerned that the environment is extremely risky and they must be very careful.
Maximizers who believe that the environment is fairly benign and that they need to take risk to be rewarded.
Managers who believe that the environment is risky but can be managed with the help of experts.
Pragmatists who do not know whether things are risky or not because they do not believe that anyone can know the future.
Now you are tasked with creating a new ERM program for your firm and how can you use knowledge of these Risk Attitudes to help you?
The first thing to do is to recognize which of those four attitudes predominates in the decision-making of your firm.
This question is a little tricky, because that is not the same thing as the Risk Attitude of the head of the firm in all cases. Good leaders may choose a path for their firm that is based upon the capacities and circumstances of the firm, even if they might prefer a different strategy if they were blessed with unlimited resources and no constraints.
But in the end, you can look at the decisions of the firm over a period of time and discern which Risk Attitude is driving firm decisions and orient the new ERM program to the predominant Risk Attitude.
If the predominant risk attitude is Conservator, then the first place to take your ERM program is to worst case losses. The risk management system can be based upon a series of stress tests, where the stresses are worst cases. The exposure to these worst cases can be added up and reported regularly. A limit system can be established based upon these worst case exposures to make sure that the exposure does not accidentally get any higher. Hedging and reinsurance programs should be considered to reduce the extent of these losses. Risk management decisions will always be made with loss potential in mind.
If the predominant risk attitude is Maximizer, then the risk management system should be focused on sales. The risk reports will be risk weighted sales reports. In addition, they should clearly show the amount of profit margin in the sales so that the risk weighted sales can easily be compared to the profit margin. Maximizers will want to make sure that the company is getting paid for the risk that it takes. Note that there are two kinds of Maximizers. Those who believe that you can lose a dollar per thousand and make it up on volume and those who believe that a sale without a profit is not a sale. Stay away from the first type. A company run by them will not last long. Risk management decisions will always be made with revenue in mind.
If the predominant risk attitude is Manager, then the risk management system will sooner or later be based upon an Economic Capital Model. As the model is built, you can start to build the systems and reports that will work off of the model for capital budgeting, product pricing, risk reward monitoring and risk adjusted incentive compensation. The Managers will very much want to form a risk tolerance for the firm and to base the risk limits off of the tolerance and to create a process for monitoring those limits. Risk adjusted return is the banner for Managers.
If the predominant risk attitude is Pragmatist, then the risk management system will need to focus first on the spread of risk. Reports will show the degree to which the firm holds very different risks. Otherwise, risk reports will need to be flexible. The Pragmatists will be irregularly be changing their minds about what they think might be most important to pay attention to about risk. And whatever is the important topic of the moment, the risk reports need to be there to probe very deeply into that topic. Pragmatists will want a deep dive on the hot risk topic of the day and will have a very hands on approach to decision making about that issue.
Sounds confusing. But get it wrong and you will find that the key decision makers will quickly lose interest. Imagine putting the information desired by the Conservators in front of a Maximizer. Or putting the details desired by a Pragmatist in front of a Manager who wants things summarized into neat packets of information. Get it wrong and you are done for.
It is easy to blame CROs (Chief Risk Officers) and ERM (Enterprise Risk Management) for the impact of the crisis on companies, but such blame is often unfair and disingenuous. In few companies did CROs have the power to prevent the execution of strategies that, although fraught with risk, were pursued to deliver on investor profit expectations and management incentive targets.
The primary objective of crisis mitigation must be to realign risk exposures with risk bearing capital and to improve capital adequacy. Realigning exposures with capital (and implied “risk capacity”) enhances insurance strength ratings and the confidence of investors and customers. Without such confidence, a company’s business and franchise would erode rapidly.
In response to the present crisis, many companies improved capital adequacy by (a) cutting expenses, (b) decreasing dividend payments, (c) discontinuing share repurchase programs, and (d) selling assets and non-strategic operating subsidiaries, all to preserve or increase capital. There are few buyers during a crisis, however, and so divestitures and asset sales are at lower prices than in normal times (e.g. sale of HSB Group by AIG) and are therefore very expensive sources of capital.
Realignment strategies also involve retrenchment from businesses with substandard returns on capital. Typical outcomes are: (a) sales of blocks of business and renewal rights, (b) cessation of certain coverage types, (c) sales of entire subsidiaries, (d) changes in underwriting limits, terms, and exclusions, (e) reinsurance strategies, etc. ERM risk analysis models provide a basis for assessing the relationship between capital needs and value contributions of various businesses. Without that assessment, it is hard to align risk exposures with available capital.
Estimates of capital requirements based on risk measures over a one-year horizon (typical of solvency regulations) are not credible during a crisis because they assume that fresh “recovery” capital can be raised. Rating agencies, regulators, and investors, however, know that many solvent companies cannot raise fresh capital during a crisis. Capital is only adequate if it can sustain the company’s operations on a “going concern” basis in the absence of access to recovery capital, but with credit for capital generated internally.
Companies need robust insights from ERM to assess their capital needs (on or off balance sheet, including contingent capital) and to develop effective mitigation strategies. Their ERM must:
Measure capital consumption by activity and risk type
Identify the relative value creation of individual businesses, with appropriate recognition for differences in risk
Demonstrate the impact and future value creation of alternative retrenchment strategies
Through such ERM informed views of capital utilization, capital adequacy, and value creation, insurance companies can chart effective strategies to restore their capital adequacy and mitigate the impact of crises.
In the recent post, Rational Adaptability, four types of ERM programs are mentioned. One of those four types of ERM is Diversification.
The fourth type of ERM program focuses on Diversification.
Modern practitioners may not agree that a program of Diversification IS in any sense a risk management program. But in fact it has been one of the most successful risk management programs.
Think about it. Dollar Cost Averaging is fundamentally a Diversification based risk management program. The practitioner is admitting that at any point in time, they do not know which risk is better or worse than another. So they rebalance to eliminate the concentration that has crept into their portfolio.
A diversification risk strategy would also mean taking very different risks. Firms that focus on a true Diversification strategy will be regularly moving into entirely new businesses. They are not seeking the mathematical diversification of the Managers with their Risk Steering that tries to take advantage of similar risks that are not totally correlated. Firms that follow the Diversification strategy want risks that are totally unrelated. Soap and machine parts. Their business choices may seem totally insane to the tidy Managers.
Diversification can be shown to provide two benefits for the firm that practices it. First, they will seek to avoid having too much at risk in any one situation or company. So avoiding concentration is their prime directive. Second, there is an upside benefit as well. Since they are involved in many different markets, they feel that they are likely to be in at least one and possibly two hot products or markets at any one time. Unsuccessful practitioners of this strategy will find that they have found a way to buy into different risks that are all duds at the same time.
The practitioners of this strategy will also tend to adopt the same sort of approach to the day to day work of their risk management program. That would be the “high attention, low delegation” approach. The conglomerates that operate in this manner will have frequent meetings between the managers and the people at the top of the conglomerate, possibly even with the top person. Warren Buffett (Berkshire Hathaway) and Jack Welsh (GE) are two examples of this high touch style as is Hank Greenberg (AIG).
Seems pretty simple. Mix it up and pay attention.
A few firms have managed to combine the high tech economic capital modeling approach with a Diversification ERM system. In those firms, they have strict concentration limits requiring that at most a small percentage of their economic capital ever be from any one risk. One such firm will never take on any large amount of any one risk unless they are able to grow all of their other risks.
It seems that Solvency II is perfectly designed to reproduce the conditions that led US banks to believe that they were impervious to risks. They and the regulators believed that they knew what they were doing with regard to Risks and Risk Management.
In 2004, the US Federal Reserve allowed investment banks to cut their capital levels by 2/3, tripling their potential leverage! Not to worry, they knew how to manage risk.
European insurers are all being told that they need to have economic capital models to manage risks. A few firms have had these models for more than five years now. Those models tell us that those firms can reduce their capital by a third or more.
But everyone leaves out of their thinking two important things that will always happen.
The first is called the Peltzman effect by economists. John Adams calls it the Risk Thermostat effect. In both cases, it means that when people feel risk decreasing due to safety measures, they often respond by increasing the riskiness of their behaviors. So the success of Solvency II will make some firms feel safer and some of them will take additional risks because of that.
The second effect is what I call the Law of Risk and Light. That says that you will accumulate risks wherever you are not looking out for them. So anywhere that there is a flaw in the Economic Capital model, the activity that accentuates that flaw will look like the best, most desirable business to be in.
But read Maggid’s post. He provides some actual analysis to support his argument.
In the recent post, Rational Adaptability, four types of ERM programs are mentioned. One of those four types of ERM is Risk Steering.
If you ask most actuaries who are involved in ERM, they would tell you that Risk Steering IS Enterprise Risk Management.
Standard & Poor’s calls this Strategic Risk Management:
SRM is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies. The insurer who is practicing SRM will use their risk insights and take a portfolio management approach to strategic decision making based on analysis that applies the same measure for each of their risks and merges that with their chosen measure of income or value. The insurer will look at the possible combinations of risks that it can take and the earnings that it can achieve from the different combinations of risks taken, reinsured, offset, and retained. They will undertake to optimize their risk-reward result from a very quantitative approach.
For life insurers, that will mean making strategic trade-offs between products with credit, interest rate, equity and insurance risks based on a long-term view of risk-adjusted returns of their products, choosing which to write, how much to retain and which to offset. They will set limits that will form the boundaries for their day-to-day decision-making. These limits will allow them to adjust the exact amount of these risks based on short-term fluctuations in the insurance and financial markets.
For non-life insurers, SRM involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices. Non-life SRM practitioners recognize the significance of investment risk to their total risk profile, the degree or lack of correlation between investment and insurance risks, and the fact that they have choices between using their capacity to increase insurance retention or to take investment risks.
Risk Steering is very similar to Risk Trading, but at the Total Firm level. At that macro level, management will leverage the risk and reward information that comes from the ERM systems to optimize the risk reward mix of the entire portfolio of insurance and investment risks that they hold. Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk adjusted return. This can be done as part of a capital budgeting / strategic resource allocation exercize and can be incorporated into regular decision making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all of the time.
There are several common activities that may support the macro level risk exploitation:
Economic Capital. Realistic risk capital for the actual risks of the company is calculated for all risks and adjustments are made for the imperfect correlation of the risks. Identification of the highest concentration of risk as well as the risks with lower correlation to those higher concentration risks is the risk information that can be exploited. Insurers will find that they have a competitive advantage in adding risks to those areas with lower correlation to their largest risks. Insurers should be careful to charge something above their “average” risk margin for risks that are highly correlated to their largest risks. In fact, at the macro level as with the micro level, much of the exploitation results from moving away from averages to specific values for sub classes.
Capital Budgeting. The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period.
Risk Adjusted Performance Measurement (RAPM). Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the economic capital that is necessary to support each business as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages.
Risk Adjusted Compensation. An incentive system that is tied to the risk exploitation principles is usually needed to focus attention away from other non-risk adjusted performance targets such as sales or profits. In some cases, the strategic choice with the best risk adjusted value might have lower expected profits with lower volatility. That will be opposed strongly by managers with purely profit related incentives. Those with purely sales based incentives might find that it is much easier to sell the products with the worst risk adjusted returns. A risk adjusted compensation situation creates the incentives to sell the products with the best risk adjusted returns.
A fully operational risk steering program will position a firm in a broad sense similarly to an auto insurance provider with respect to competitors. There, the history of the business for the past 10 years has been an arms race to create finer and finer pricing/underwriting classes. As an example, think of the underwriting/pricing class of drivers with brown eyes. In a commodity situation where everyone uses brown eyes to define the same pricing/underwriting class, the claims cost will be seen by all to be the same at $200. However, if the Izquierdo Insurance Company notices that the claims costs for left-handed, brown-eyed drivers are 25% lower than for left handed drivers, and then they can divide the pricing/underwriting into two groups. They can charge a lower rate for that class and a higher rate for the right handed drivers. Their competitors will generally lose all of their left handed customers to Izquierdo, and keep the right handed customers. Izquierdo will had a group of insureds with adequate rates, while their competitors might end up with inadequate rates because they expected some of the left-handed people in their group and got few. Their average claims costs go up and their rates may be inadequate. So Izquierdo has exploited their knowledge of risk to bifurcate the class, get good business and put their competitors in a tough spot.
Risk Steering can be seen as a process for finding and choosing the businesses with the better risk adjusted returns to emphasize in firm strategic plans. Their competitors will find that their path of least resistance will be the businesses with lower returns or higher risks.
JP Morgan in the current environment is showing the extreme advantage of macro risk exploitation. In the subprime driven severe market situation, JP Morgan has experienced lower losses than other institutions and in fact has emerged so strong on a relative basis that they have been able to purchase several other major financial institutions when their value was severely distressed. And by the way, JP Morgan was the firm that first popularized VaR in the early 1990’s, leading the way to the development of modern ERM. However, very few banks have taken this approach. Most banks have chosen to keep their risk information and risk management local within their risk silos.
This is very much an emerging field for non-financial firms and may prove to be of lower value to them because of the very real possibility that risk and capital is not the almost sole constraint on their operations that it is within financial firms as discussed above.
The VBM process helps companies compare the value contribution of alternative strategies and select a course that would increase company value,
Weaknesses in its VBM process can prevent an insurance company from restoring its risk capacity through earnings retention or the raising of additional capital. Such weaknesses thereby limit its ability to resume growing and recover from a crisis
Access to capital is a critical strategic advantage during a financial crisis.
Companies with a strong reputation for value creation can raise new “recovery” capital without excessive shareholder dilution (e.g. Goldman Sachs). Others find it more difficult, or impossible, to access the public market. This makes them vulnerable to inroads by competitors or unsolicited tender offers. The primary purpose of VBM frameworks and processes is to ensure that companies consistently meet investor value creation expectations and survive crises.
VBM frameworks help managers compare alternatives, so that they can direct capital towards uses that would support the achievement of a sustainable competitive advantage, and also create value. This is challenging in the insurance industry because competitors can duplicate innovations in product features, service delivery, or operational effectiveness in relatively short times and can redirect capital at the stroke of a pen. Such competitive dynamics call for companies to compete by developing organizational capabilities that (a) are tougher to duplicate by competitors and (b) provide a pricing or cost advantage based on service quality, underwriting insights, investment performance, and risk and capital management
Because risk drives capital utilization in insurance businesses, the integration of ERM and VBM frameworks is required in order to develop strategies and plans that meet value expectations. Integration rests on (a) superior insights into risk exposures and capital consumption and (b) consistent risk metrics at the level of granularity needed to achieve a loss ratio advantage (possibly on the same level of granularity as loss ratios are calculated). In practice, these insights and metrics lead to decisions to reject businesses and strategies that will not create value. They provide a foundation for:
Measuring capital utilization by line, by market, and in aggregate
Driving a superior, more disciplined underwriting process
Optimizing product features
Maintaining pricing discipline through the underwriting cycle
Pricing options and guarantees embedded in products fairly
Controlling risk accumulation, by client and distribution channel
Managing the composition of the book of business
Driving marketing and distribution activities
Optimizing risk and capital management strategies
Achieving superior shareholder returns is critical for a company to earn investor trust and maintain access to affordable capital. Having access to capital during a financial crisis may well be the ultimate indicator of success for a company’s VBM framework.
Anecdotal evidence suggests that insurance companies that consistently trade at significant premiums over book value have such insights about risk and maintain a highly disciplined approach to writing business.
The present crisis has increased the cost of capital dramatically, but not equally for all insurers. Capital remains most affordable to those with a strong record of value creation and adequate capital as a result of good risk management. Conversely, it has become prohibitive for those with a lesser record of value creation and who lost credibility as stewards of shareholders’ interests. The latter are at risk of forced mergers or liquidation, which may be punishment for not integrating ERM and VBM processes more effectively.
Once you think of it, it seems obvious. Risk Managers need humility.
If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.
Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.
Risk managers should read the ancient Greek story of Icarus.
Risk managers without humility will suffer the same fate.
Humility means remembering that you must do every step in the risk management process, every time. The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball. They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.
But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.
The risk managers with humility will be ever watchful. They will be looking for the next big unexpected risk. They will not be out there saying how well that they are managing the risks, they will be more concerned about the risks that they are unprepared for.
Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.
There you will find information regarding over 30 sources for ERM reading and learning along with several lists of additional books and articles that were borrowed from several sources.
Please feel free to leave your comments about how helpful you found any of these books and papers. Also, if there is a good resource missing, please leave information in a comment and it will soon be added.
Any volunteers who are willing to add to the posts to include all of the ERM sources that are being used for ERM education would be welcomed.
There have been many definitions of ERM. Most suffer from the “too many words” syndrome. They are too long, making it likely that a casual reader will suffer reading fatigue before completing and therefore will decide that the topic is too complicated to be useful.
Here is a try at a very crisp definition:
ERM is a system for enhancing decision making under uncertainty that requires consideration of ALL of the risks of the enterprise.
And also for plain “Risk Management”
Risk Management is a system for enhancing decision making under uncertainty that focuses on risks as well as returns.
Fundamentally linking ERM and Risk Management to decision making is important, vitally important. Otherwise funders of ERM programs will be quickly disenchanted with the expensive staffs and systems needed to support a Risk Management Entertainment System.
All ERM and Risk Management activities should be judged in terms of how well they support important decisions.
The important decisions that can be supported by ERM and Risk Management are many. Primary among them are:
How much risk should the company take?
How best to transition from the risk level that the company is taking to the risk level that the company should be taking?
How to assure that the company takes no more risk than it should take?
Which Risks should the company take?
How best to transition from the risks that the company is taking to the risks that the company should be taking?
How to manage the likelihood that the company will fall short of its earnings targets?
If a firm already has complete processes in place to make all of those decisions, then it already has ERM. With the rising calls for ERM from regulators, rating agencies and boards, those firms will need to make sure that they can fully articulate the processes that they use to make those decisions.
If, on the other hand, a firm generally makes one or several of those decisions by default, as a fallout from other decisions or on a totally flexible basis as it happens in response to various market forces or on a purely momentum based process that ultimately relies upon some past decisions that may or may not have been made with any concern for risk; then future development of ERM could be vitally important.
The support that ERM provides to all of these decisions is of the nature of an eyes open approach to risk. This general theme is perhaps the reason why ERM often seems to be a massive management information exercize.
But management information about risk is the means to supporting risk focused decision making, not the ends.
In late 2008, the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
6. Insurers must pay special attention to high growth/profit areas in their companies, as these are often the areas from which the greatest risks emanate.
All high growth areas are not risk problems, but almost all risk problems come from areas of high growth.
And high growth areas present several special problems for effective risk management.
High growth in the financial services field usually results when a firm has a new product or service or territory. There is almost always a deficit of experience and data about the riskiness of the new area. Uncertainty rules.
In new high growth areas, pricing can be far off the mark at the outset. If the initial experience is benign, then the level of pricing can become firmly set in the minds of the distributors, the market and the management. When adverse experience starts to undermine the pricing, it may be initially dismissed as an anomaly, a temporary loss. It may be very difficult to determine the real situation.
If risk resources were included in the plan for the high growth activity, they were probably not increased when the growth started to exceed expectations. As growth occurs, the risk resources are most often held at the level called for in the initial plan. Any additional resources that are applied to the growing area are needed to support the higher level of activity. Often this is simply a natural caution about increasing expenses in what may well be a temporary situation. This caution is often justified as growth ebbs. But in the situations where growth does not wane, a major mismatch between risk resources and business activity develops.
There is usually a political problem within the firm. The management of the highest growth area are most likely the current corporate heroes. It is very highly unlikely that the CRO will have as much clout within the organization as the heroes. The only solution to this issue is support from the CEO for the importance of risk.
Risk efforts need to be seen not as “business prevention” but as a partner with the business in getting it right. This is difficult to accomplish unless risk is involved from the outset. If the business gets going and growing with procedures that are questionable from a risk perspective, then it is quite possible that changing those procedures might well hurt the growth of the area. Risk needs to be involved form the outset so that appropriate procedures and execution of those procedures does not become a growth issue later on.
This is the most difficult and important area for the risk management of the firm. The business needs to be able to take chances in new areas where good growth is possible. The Risk function needs to be able to help these new activities to have the chance to succeed.
At the same time, the organization needs to be protected from the sort of corner cutting that leads to growth through drastically under-priced risks.
It is a delicate balancing act that requires a high degree of political skill as well as good business judgment about when to dig in the heels and when to let go.
I had occasion recently to search the Basel website to try to document the history of their involvement in risk management.
The oldest document that is still available there that has the term Risk Management in its title is July 1994, Risk Management Guidelines for Derivatives. That matches up with my impression that modern risk management can be traced back to the efforts of banks and banking supervisors to contain the risks associated with derivatives trading that had lead to several blow-ups in the early 1990′s.
But the first real classic is the next oldest document on the Basel website, Principles for the management of interest rate risk, from September 1997. That document clearly lays out the structure and process for a full scale risk management system. If you take that link, it will tell that the 1997 document has been superceded. But if you look at the 2004 update and the 1997 original, you will see that they have added lots of details and lost most of the clarity to the original. So if you want trees, take the 2004 version, if you want forest, like me, you would prefer the original 1997 version.
What I particularly liked about the original is that it really wasn’t about interest rate risk at all. It really captured the essence of risk management and applied that essence to interest rate risk. Therefore, I believe that the document can easily be used as a guide to building a risk management system for any risk.
The document is built around 1o Principles:
The role of the board and senior management
Principle 1: In order to carry out its responsibilities, the board of directors in a bank should approve strategies and policies with respect to interest rate risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the interest rate risk exposure of the bank in order to assess the monitoring and controlling of such risk.
Principle 2: Senior management must ensure that the structure of the bank’s business and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks, and that resources are available for evaluating and controlling interest rate risk.
Principle 3: Banks should clearly define the individuals and/or committees responsible for managing interest rate risk and should ensure that there is adequate separation of duties in key elements of the risk management process to avoid potential conflicts of interest. Banks should have risk measurement, monitoring and control functions with clearly defined duties that are sufficiently independent from position-taking functions of the bank and which report risk exposures directly to senior management and the board of directors. Larger or more complex banks should have a designated independent unit responsible for the design and administration of the bank’s interest rate risk measurement, monitoring and control functions.
Policies and procedures
Principle 4: It is essential that banks’ interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates, especially when recognising legal distinctions and possible obstacles to cash movements among affiliates.
Principle 5: It is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.
Measurement and monitoring system
Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management.
Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies.
Principle 8: Banks should measure their vulnerability to loss under stressful market conditions – including the breakdown of key assumptions – and consider those results when establishing and reviewing their policies and limits for interest rate risk.
Principle 9: Banks must have adequate information systems for measuring, monitoring, controlling and reporting interest rate exposures. Reports must be provided on a timely basis to the bank’s board of directors, senior management and, where appropriate, individual business line managers.
Internal controls
Principle 10: Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to the relevant supervisory authorities.
I would generalize these with very simple editing. Here is Generalized Principle 1:
Principle 1: In order to carry out its responsibilities, the board of directors in a firm should approve strategies and policies with respect to risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the risk exposure of the firm in order to assess the monitoring and controlling of such risk.
This was done by simply deleting 2 instances of the words “interest rate” and exchanging the word “firm” for the word “bank”.
This mindless editing can be done to almost every one of the 10 principles and the result is not just usable, but is a very clear and basic guideline for any risk management program.
The new CARE report has been posted to the IAA website this week.
It raises a point that must be fairly obvious to everyone that you just cannot manage risks without looking at them from multiple angles.
Or at least it should now be obvious. Here are 8 different angles on risk that are discussed in the report and my quick take on each:
MARKET CONSISTENT VALUE VS. FUNDAMENTAL VALUE - Well, maybe the market has it wrong. Do your own homework in addition to looking at what the market thinks. If the folks buying exposure to US mortgages had done fundamental evaluation, they might have noticed that there were a significant amount of sub prime mortgages where the Gross mortgage payments were higher than the Gross income of the mortgagee.
ACCOUNTING BASIS VS. ECONOMIC BASIS - Some firms did all of their analysis on an economic basis and kept saying that they were fine as their reported financials showed them dying. They should have known in advance of the risk of accounting that was different from their analysis.
REGULATORY MEASURE OF RISK - vs. any of the above. The same logic applies as with the accounting. Even if you have done your analysis “right” you need to know how important others, including your regulator will be seeing things. Better to have a discussion with the regulator long before a problem arises. You are just not as credible in the middle of what seems to be a crisis to the regulator saying that the regulatory view is off target.
SHORT TERM VS. LONG TERM RISKS - While it is really nice that everyone has agreed to focus in on a one year view of risks, for situations that may well extend beyond one year, it can be vitally important to know how the risk might impact the firm over a multi year period.
KNOWN RISK AND EMERGING RISKS - the fact that your risk model did not include anything for volcano risk, is no help when the volcano messes up your business plans.
EARNINGS VOLATILITY VS. RUIN - Again, an agreement on a 1 in 200 loss focus is convenient, it does not in any way exempt an organization from risks that could have a major impact at some other return period.
VIEWED STAND-ALONE VS. FULL RISK PORTFOLIO - Remember, diversification does not reduce absolute risk.
CASH VS. ACCRUAL - This is another way of saying to focus on the economic vs the accounting.
Read the report to get the more measured and complete view prepared by the 15 actuaries from US, UK, Australia and China who participated in the working group to prepare the report.
In the 1980′s a dozen or more firms in the US and Canadian Life Insurance sector created and used what were commonly called required surplus systems. Dale Hagstrom wrote a paper that was published in 1981, titled Insurance Company Growth . That paper described the process that many firms used of calculating what Dale called Augmented Book Profits. An Augmented Book Profit later came to be called Distributable Earnings in insurance company valuations. If you download that paper, you will see on page 40, my comments on Dale’s work where I state that my employer was using the method described by Dale.
In 1980, in the first work that I was able to affix my newly minted MAAA, I documented the research into the risks of Penn Mutual Life Insurance Company that resulted in the recommendation of the Required Surplus, what we would now call the economic capital of the firm. By the time that Dale’s paper was published in 1981, I had documented a small book of memos that described how the company would use a capital budgeting process to look at the capital utilized by each line of business and each product. I was the scribe, the ideas come mostly from the Corporate Actuary, Henry B. Ramsey. We created a risk and profit adjusted new business report that allowed us to show that with each new product innovation, our agents immediately shifted sales into the most capital intensive or least profitable product. It also showed that more and more capital was being used by the line with the most volatile short term profitability. Eventually, the insights about risk and return caused a shift in product design and pricing that resulted in a much more efficient use of capital.
Each year, throughout the 1980′s, we improved upon the risk model each year, refining the methods of calculating each risk. Whenever the company took on a new risk a committee was formed to develop the new required surplus calculation for that risk.
In the middle of the decade, one firm, Lincoln National, published the exact required surplus calculation process used by their firm in the actuarial literature.
By the early 1990′s, the rating agencies and regulators all had their own capital requirements built along the same lines.
AND THEN IT HAPPENED.
Companies quickly stopped allocating resources to the development and enhancement of their own capital models. By the mid-1990′s, most had fully adopted the rating agency or regulatory models in the place of their own internal models.
When a new risk came around, everyone looked into how the standard models would treat the new risk. It was common to find that the leading writers of a new risk were taking the approach that if the rating agency and regulatory capital models did not assess any capital to the new risk, then there was NO RISK TO THE FIRM.
Companies wrote more and more of risks such as the guaranteed minimum benefits for variable annuities and did not assess any risk capital to those risks. It took the losses of 2001/2002 for firms to recognize that there really was risk there.
Things are moving rapidly in the direction of a repeat of that same exact mistake. With the regulators and rating agencies more and more dictating the calculations for internal capital models and proscribing the ERM programs that are needed, things are headed towards the creation of a risk management regime that focuses primarily on the management of regulatory and rating agency perception of risk management and away from the actual management of risks.
This is not what anyone in the risk management community wants. But once the regulatory and rating agency visions of economic capital and ERM systems are fully defined, the push will start to limit activity in risk evaluation and risk management to just what is in those visions – away from the true evaluation of and management of the real risks of the firm.
It will be clear that it is more expensive to pursue the elusive and ever changing “true risk” than to satisfy the fixed and closed ended requirements that anyone can read. Budgets will be slashed and people reassigned.
Many people would put reputation risk at the top of their list of the most important risks to their firms.
However, their very next conclusion is that since a good reputation is something that you either have or you do not, then it is not very manageable. By thinking of Reputation Risk as a cliff, there seems to be very little to monitor or manage. There are several problems with this view. First of all, reputations can be destroyed in many ways. Think of a reputation as a glass and a spill of water from the glass as a busted reputation. The glass can be made to overflow all at once with one big pour of water from a large pitcher, or it can be made to overflow by a long slow steady set of small drips.
Usually hits to the reputation are caused by problems that come from other risks that the organization faces. Each risk of the firm should be examined and the degree to which a reputation problem might arise from the risk identified. Moderate risks that have a significant potential reputational hit probably should be elevated to be treated among the major risks.
The incidence of the small hits to reputation can and should be tracked. The impact of these events upon the reputation also can and should be monitored. They are monitored by constantly checking with customers and potantial customers about the reputation of the firm.
So if these hits to reputation are tracked, then actions to improve reputation can be undertaken and efforts redoubled when these hits reach a critical level. This means figuring out the ways to take the water back out of the glass.
Also, the other major way to manage reputation risk is to plan ahead for the response to major reputational problems. One of the major differences between situations where firms have been devastated by reputation damaging events and firms that have quickly recovered from similar events is the degree to which the firm has a rapid and sure-footed response to the event. These types of repsonses can only come from advance planning and preparation. That is not to say that a firm must anticipate every possible reputation damaging event. However, it is important to anticipate a wide range of events. The anticipation and advance planning may prove to provide the exact plan for a specific event that comes up, but more likely what the exercize will provide is some experience in formulating the types of responses needed. Managers who have participated in these exercizes will be more likely to perform as needed when the real reputation hit happens.
Finally, there is one type of reputation risk that is real, but is used often as a red herring to distract risk managers from the main reputational risks as described above. This is the risk from an undeserved blow to reputation from the mdeia, regulators or courts. This is something that can and should be anticipated, but should not be an excuse for not anticipating the other and usually much more likely reputation risks that can come from within the firm.
The title of an old Jethro Tull song. It sounds like the theme song for the economy today!
Now we all know. The correlations that we used for our risk models were not reliable in the one instance where we really wanted an answer.
In times of stress, correlations go to one.
That is finally, after only four or five examples with the exact same result, become accepted wisdom.
But does that mean that Diversification is dead as a strategy?
I would argue that it certainly puts a hurt to diversification as a strategy for finding risk free returns. Which is how it was being (mis) used in the Sub Prime markets.
But Diversification should still reign as the king of risk management strategies. But it needs to be real diversification. Not tiny diversification that is observable only under a mathematical microscope. Real Diversification is where risks have completely different drivers. Not slightly different statistical histories.
So in Uncertain Times, and these days must be labeled Uncertain Times (or the thin ice age), diversification is the best risk management strategy. Along with its mirror image twin, avoidance of concentrations.
The banks had given up on diversification as a risk strategy. Instead they believed that they were making risk free returns by taking lots and lots of concentrated risk that they were either fully hedging or moving the risk off their balance sheets very quickly.
Both ideas failed. Hedging failed when the counter party was Lehman Brothers. It succeeded when the counter party was any of the other institutions that were bailed out, but there was an extended period of severe uncertainty about that before the bailouts were finally put into place. Moving the risks off the balance sheet failed in two ways. First it failed because they were really playing hot potato without admitting it. When the music stopped, someone was holding the potato. And some banks were holding many potatoes. It also failed because some banks had been offloading the risks to hedge funds and other investors who they were lending funds to finance the purchase. When the CDOs soured, the loans secured by the CDOs were underwated and the CDOs came back onto the bank balance sheets.
The banks that were hurt the least were the banks who were not so very concentrated in just one major risk.
The cost of the simple diversification strategy is that those banks with real diversification showed lower returns during the build up of the bubble.
So that is the risk reward trade off of real diversification – it will often produce lower returns than the mathematical diversification but it will also show lower losses in proportion to total revenue than a strategy that concentrates in the most profitable risk choices according to a model that is tuned to the accounting or performance bonus system.
Diversification is the risk management strategy for the Thin Ice Age.
The ERM Symposium is now 8 years old. Here are some ideas from the 2010 ERM Symposium…
Survivor Bias creates support for bad risk models. If a model underestimates risk there are two possible outcomes – good and bad. If bad, then you fix the model or stop doing the activity. If the outcome is good, then you do more and more of the activity until the result is bad. This suggests that model validation is much more important than just a simple minded tick the box exercize. It is a life and death matter.
BIG is BAD! Well maybe. Big means large political power. Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system. Safer to not have your firm dominated by a single business, distributor, product, region. Safer to not have your financial system dominated by a handful of banks.
The world is not linear. You cannot project the macro effects directly from the micro effects.
Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame. That will not change, so more due diligence needs to be a part of the target pre-selection process.
For merger of mature businesses, cultural fit is most important.
For newer businesses, retention of key employees is key
Modelitis = running the model until you get the desired answer
Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
Why do we think that any bank will do a good job of creating a living will? What is their motivation?
We will always have some regulatory arbitrage.
Left to their own devices, banks have proven that they do not have a survival instinct. (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government. They simply do not believe that they will fail. )
Economics has been dominated by a religious belief in the mantra “markets good – government bad”
Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral. If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral? Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
it was said that systemic problems come from risk concentrations. Not always. They can come from losses and lack of proper disclosure. When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone. None do enough disclosure and that confirms the suspicion that everyone is impaired.
Systemic risk management plans needs to recognize that this is like forest fires. If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous. And someday, there will be another fire.
Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output. The financial markets are complex systems. The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense. So markets will always be efficient, except when they are drastically wrong.
Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
People with bad risk models will drive people with good risk models out of the market.
Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
It was easy to sell the idea of starting an ERM system in 2008 & 2009. But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it. Whether or not you have a risk management program.
Learn the Latest in Risk Management: Register Now for the 2010 ERM Symposium
Attend this Symposium, April 12-14 in Chicago, where enterprise risk management (ERM) experts will be exploring hot topics in ERM. The 2010 ERM Symposium will offer general sessions featuring ERM leaders offering their perspective on key risk issues facing organizations; concurrent sessions; a call for papers program showcasing new applied research in ERM; a track of sessions featuring academics presenting ERM research from leading universities; several pre-program workshops on hot ERM issues; networking opportunities with close to 500 ERM professionals to renew and expand your list of ERM contacts; and exhibitors demonstrating their ERM services and knowledge.
Or more properly, must ERM be based upon an ethical position?
If so, is it possible that the ethical position that underlies many ERM programs is different from the ethical system of the firm?
One school of ethics, Utilitarianism, suggests that we should pursue the “greatest good for the greatest number”. Unknown to many who subscribe to this ethical school, Utilitarianism is a close cousin to Hedonism, that has the famous motto “Eat, Drink and be Merry for Tomorrow we may Die”.
In fact Adam Smith provides a direct link between those two mottoes with his invisible hand. If each individual follows the Hedonism rule, then the Utilitarianism objective will be met according to Smith.
Risk Management is based more on an Epicurean ethic. Philosophical Epicureans are not the art and wine connoisseurs of popular definition. They pursue tranquility that is achieved through banishment of fear.
Epicureans observed that indiscriminate indulgence sometimes resulted in negative consequences. Some experiences were therefore rejected out of hand, and some unpleasant experiences endured in the present to ensure a better life in the future. The summum bonum, or greatest good, to Epicurus was prudence, exercised through moderation and caution. (Wikipedia)
Interestingly, Thomas Jefferson spoke of himself as a Epicurean. The arguments between factions expressed in the Federalist Papers among other places among the US founders was in part an argument between Utilitarians and Epicureans.
And that is the same argument that plays itself out between Risk Management and business leaders in today’s firms. Some Risk Managers would argue that Risk Management is Ethical whilst their opponents are simply greedy. But looking behind the surface of that argument reveals that there are simply two different ethical schools.
Risk Managers need to find the common ground and show the value of their ethic to the Utilitarian/Capitalist school of ethics. Not an easy sale. But as a result of the Financial Crisis, more and more folks are coming to doubt the ultimate infallibility of that Invisible Hand. Epicurean thought is gaining traction.
In 1984, Warren Buffet gave a speech about value investing at Columbia University. Here is a quote from that speech:
“it is extraordinary to me that the idea of buying dollar bills for 40 cents takes immediately with people or it doesn’t take at all. It’s like an inoculation. If it doesn’t grab a person right away, I find that you can talk to him for years and show him records, and it doesn’t make any difference. They just don’t seem to be able to grasp the concept, simple as it is.” Warren Buffett
Not about risk management but, if you can get your head around Buffett’s comment about upside, there is a logical counterparty about downside.
“Either the idea of buying dollar bills at $2 seems risky to someone immediately or it never will. If the response is, ‘if that is what the market rate is’ then just dig into your pocket and look for some dollars to sell.” Dave Ingram
In the book “The Greatest Trade Ever: The Behind-the-Scenes Story of How John Paulson Defied Wall Street and Made Financial History”, Greg Zuckerman tells just how difficult it was to be among the few investors who saw that the US mortgage market was overheated – that the market value of the houses and the securities written on the mortgages on those houses were all dollar bills being traded over and over again at $2.
But that was aggressive trading. The risk management response with that knowledge would been to stay away. And many, many financial institutions did stay away. All of the press went to the firms that played that game to their and all of our detriment.
So the Paulson story of good to read because it tells about the other side of some of the trades. And there always in another side, no matter how poorly the press chooses to cover it.
And the other side of the risk mismanagement by the largest banks and AIG is the risk management of the firms who were not exposed to overpriced mortgage securities. But it is hard to make a story about the exposures that those firms did not have.
Which is one of the puzzles of risk management. Sometimes the greatest successes are when nothing happens.
In late 2009, the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
2. Risk management is most effective at prevention. Failing at prevention results in damage control, which is often expensive and ineffective.
This “lesson” is based upon an old car repair commercial where the mechanic says “You pay me now or pay me later”.
But Loss Prevention is only one of three major goals of risk management. There is much confusion about the fact that there are really three different things that are all called risk management by different people.
However, many people do not realize that there are really three separate systems involved in those three types of risk management and end up adopting elements of all three systems without necessarily adopting all of any of the three. That is one of the things that creates much frustration with ERM among general management.
And some ERM systems are not clear themselves about which of the three types of ERM goals that they are trying to accomplish.
Just to be clear, the three goals are:
Controlling the Frequency and Severity of Losses
Managing the risk reward trade-off on a transactional level
Managing the risk reward trade-off on a macro (line of business or subsidiary) level
As you could imagine, completely different people are involved in executing each of the three. And each of these three types of ERM include activities and goals that existed in most firms before the existence of ERM.
Usually, the difference between an ERM approach to these objectives and the pre-ERM approach is two things:
A commitment to pursuing the goals consistently throughout the entire enterprise
A common definition of RISK and metrics for measuring RISK applied to all risks
The Risk Management Quotes page of Riskviews has consistently been the most popular part of the site. Since its inception, the page has received almost 2300 hits, more than twice the next most popular part of the site.
The quotes are sometimes actually about risk management, but more often they are statements or questions that risk managers should keep in mind.
They have been gathered from a wide range of sources, and most of the authors of the quotes were not talking about risk management, at least they were not intending to talk about risk management.
The list of quotes has recently hit its 100th posting (with something more than 100 quotes, since a number of the posts have multiple quotes.) So on that auspicous occasion, here are my favotites:
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
“when the map and the territory don’t agree, always believe the territory” Gause and Weinberg – describing Swedish Army Training
When you find yourself in a hole, stop digging.-Will Rogers
“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair” Douglas Adams
“A foreign policy aimed at the achievement of total security is the one thing I can think of that is entirely capable of bringing this country to a point where it will have no security at all.”– George F. Kennan, (1954)
“THERE ARE IDIOTS. Look around.” Larry Summers
the only virtue of being an aging risk manager is that you have a large collection of your own mistakes that you know not to repeat Donald Van Deventer
Philip K. Dick “Reality is that which, when you stop believing in it, doesn’t go away.”
Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. Albert Einstein
“Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.” Sherlock Holmes (A. Conan Doyle)
The fact that people are full of greed, fear, or folly is predictable. The sequence is not predictable. Warren Buffett
“A good rule of thumb is to assume that “everything matters.” Richard Thaler
“The technical explanation is that the market-sensitive risk models used by thousands of market participants work on the assumption that each user is the only person using them.” Avinash Persaud
There are more things in heaven and earth, Horatio,
Than are dreamt of in your philosophy.
W Shakespeare Hamlet, scene v
When Models turn on, Brains turn off Til Schuermann
You might have other favorites. Please let us know about them.
In late 2009, the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
1. The success of ERM hinges on a strong risk management culture which starts at the top of
a company.
This seems like a very simple statement that is made over and over again by most observers. But why is it important and why is it very often lacking?
First, what does it mean that there is a “strong risk management culture”?
A strong risk management culture is one where risk considerations make a difference when important decisions are made PERIOD
When a firm first adopts a strong risk management culture, managers will find that there will be clearly identifiable decisions that are being made differently than previously. After some time, it will become more and more difficult for management to notice such distinctions because as risk management becomes more and more embedded, the specific impact of risk considerations will become a natural inseparable part of corporate life.
Next, why is it important for this to come from the top? Well, we are tying effective risk management culture to actual changes in DECISIONS and the most important decisions are made by top management. So if risk management culture is not there at the top, then the most important decisions will not change. If the risk management culture had started to grow in the firm,
when middle managers see that top management does not let risk considerations get in their way, then fewer and fewer decisions will be made with real consideration risk.
Finally, why is this so difficult? The answer to that is straight forward, though not simple. The cost of risk management is usually a real and tangible reduction of income. The benefit of risk management is probabilistic and intangible. Firms are compared each quarter to their peers.
If peer firms are not doing risk management, then their earnings will appear higher in most periods.
Banks that suffered in the current financial crisis gave up 10 years of earnings! But the banks that in fact correctly shied away from the risks that led to the worst losses were seen as poor performers in the years leading up to the crisis.
So what will change this? Only investors will ultimately change this. Investors who recognize that in many situations, they have been paying un-risk adjusted multiples for earnings that have a large component of risk premiums for low frequency, high severity risks.
They are paying multiples, in many cases where they should be taking discounts!
Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade
Attention to risk management by top management and the board. The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm. Survival must not be delegated to a middle manager. It must be a key concern for the CEO and board.
Action oriented approach to risk. Risk reports are made to point out where and what actions are needed. Management expects to and does act upon the information from the risk reports.
Learning fromown losses and from the losses of others. After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar. Two different areas of a firmshouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines. Risk assessment needs to be calibrated to the future.
Skeptical of common knowledge. The future will NOT be a repeat of the past. Any risk assessment that is properly calibrated to the future is only one one of many possible results. Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated. That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.
Drivers of risks will be highlighted and monitored. Key risk indicators is not just an idea for Operational risks that are difficult to measure directly. Key risk indicators should be identified and monitored for all important risks. Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external.
Adaptable. Both risk measurement and risk managementwill not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940. The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption.
Scope will be clear for risk management. I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management. That means that anything that is potentially loss making except failure of sales would be in the scope of risk management.
Focus on the largest exposures. All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected. That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude. There should never be a large exposure that is too safe to need attention. Big transactions will also get the same kind of focus on risk.
Perhaps we will look back at 2009 and recall that it is the turning point year for Risk Management. The year that boards ans management and regulators all at once embraced ERM and really took it to heart. The year that many, many firms appointed their first ever Chief Risk Officer. They year when they finally committed the resources to build the risk capital model of the entire firm.
On the other hand, it might be recalled as the false spring of ERM before its eventual relegation to the scrapyard of those incessant series of new business management fads like Management by Objective, Managerial Grid, TQM, Process Re-engineering and Six Sigma.
The Financial Crisis was in part due to risk management. Put a helmet on a kid on a bicycle and they go faster down that hill. And if the kid really doesn’t believe in helmets and they fail to buckle to chin strap and the helmet blows off in the wind, so much the better. The wind in the hair feels exhilarating.
The true test of whether the top management is ready to actually DO risk management is whether they are expecting to have to vhange some of their decisions based upon what their risk assessment process tells them.
The dashboard metaphor is really a good way of thinking about risk management. A reasonable person driving a car will look at their dashboard periodically to check on their speed and on the amount of gas that they have in the car. That information will occasionally cause them to do something different than what they might have otherwise done.
Regulatory concentration on Risk Management is. on the whole, likely to be bad for firms. While most banks were doing enough risk management to satisfy regulators, that risk management was not relevant to stopping or even slowing down the financial crisis.
Firms will tend to load up on risks that are not featured by their risk assessment system. A regulatory driven risk management system tends to be fixed, while a real risk management system needs to be nimble.
Compliance based risk management makes as much sense for firms as driving at the speed limit regardless of the weather, road conditions or the conditions of the car’s breaks and steering.
Many have urged that risk management is as much about opportunities as it is about losses. However, that is then usually followed by focusing on the opportunities and downplaying the importance of loss controlling.
Preventing a dollar of loss is just as valuable to the firm as adding a dollar of revenue. A risk management loss controlling system provides management with a methodology to make that loss prevention a reliable and repeatable event. Excess revenue has much more value if it is reliable and repeatable. Loss control that is reliable and repeatable can have the same value.
Getting the price right for risks is key. I like to think of the right price as having three components. Expected losses. Risk Margin. Margin for expenses and profits. The first thing that you have to decide about participating in a market for a particular type of risk is whether the market in sane. That means that the market is realistically including some positive margin for expenses and profits above a realistic value for the expected losses and risk margin.
Most aspects of the home real estate and mortgage markets were not sane in 2006 and 2007. Various insurance markets go through periods of low sanity as well.
Risk management needs to be sure to have the tools to identify the insane markets and the access to tell the story to the real decision makers.
Finally, individual risks or trades need to be assessed and priced properly. That means that the insurance premium needs to provide a positive margin for expenses and profits above the realistic provision for expected losses and a reasonable margin for risk.
There were two big hits to insurers in 2009. One was the continuing problems to AIG from its financial products unit. The main lesson from their troubles ought to be TANSTAAFL. There ain’t no such thing as a free lunch. Selling far out of the money puts and recording the entire premium as a profit is a business model that will ALWAYS end up in disaster.
The other hit was to the variable annuity writers. In their case, they were guilty of only pretending to do risk management. Their risk limits were strange historical artifacts that had very little to do with the actual risk exposures of the firm. The typical risk limits for a VA writer were very low risk retained from equities if the potential loss was due to an embedded guarantee and no limit whatsoever for equity risk that resulted in drops in basic M&E revenue. A typical VA hedging program was like a homeowner who insured every item of his possessions from fire risk, but who failed to insure the house!
So insurers should end the year of 2009 thinking about whether they have either of those two problems lurking somewhere in their book of business.
Are there any “far out of the money” risks where no one is appropriately aware of the large loss potential ?
Are there parts of the business where risk limits are based on tradition rather than on risk?
Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.
Growth has a way of masking problems. Things are changing and it is often very difficult to understand whether the changes are just a lag in reporting the good things that come from healthy growth or if they are leading indicators of major problems.
The firm needs to grow risk management analysis and attention along with highest growth activities. That needs to be demanded from the top. No middle or even high level risk officer will ever have the authority to slow down the part of the company that is growing the best. Firms need to have CEO commitment to extra risk analysis of the fastest growing business.
The firm needs to establish its operational capacity for handling growth. The most common reaction to unexpected growth is to delay hiring additional staff (along with delaying adding additional risk staff as mentioned above). After more delay and more growth, the business might seem much more profitable than expected. Some of that excess profitability is coming from the understaffing. Some of the profitability might be coming from mistakes in recordkeeping due to the understaffing. A sudden delayed effort to fix the under staffing will most often hurt more than it helps in the short run.
And what is most likely to be shortchanged in an understaffed growing situation Why it is quality control and recordkeeping. So if there is a growing problem it is very hard to notice it.
So what to do?
Every great mistake has a halfway
moment, a split second when it can be
recalled and perhaps remedied.
Pearl Buck
Part of the process of planning for each new thing that might grow, if it is as successful as is hoped, needs to be to determine where that halfway moment might be.
Are you working with live ammunition with your risk management program?
What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?
The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?
If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.
Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.
I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.
Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a break pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?
Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.
The job of RISK is not to over ride the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.
Time magazine is calling the 00′s, the Decade From Hell. At least from an American point of view (admitting that things in China, India or Brazil have been very different in the past 10 years).
Here is a partial list of the problems:
Y2K – one of the highlights actually
2000 Presidential Election
Tech Bubble bursting
9/11 WTC
Hurricane Katrina
War in Afghanistan
War in Iraq
Enron & Worldcom & Madoff
2004 Tsunami
Housing Bubble bursting
Banking Crisis
Time reminds us of Ronald Regan’s famous question “Are you better off than 10 years ago?”
This is also the decade that saw the emergence of Risk Management as a serious discipline. We should ask ourselves “Was Risk Management a response to these crisis or was it a contributor?”
John Adams calls it the Risk Thermometer effect. Just like our body seeks to keep the same internal temperature no matter what the temperature outside, our risk thermometer seeks to keep the same level of risk. That means that when we add risk management for additional safety, we automatically add more risk to bring things back to the same level of risk.
The other claim is that risk management failed. At the very least, it was heavily over sold.
And finally, there is the argument made by the Senior Supervisors Group that risk management was actually under-bought, that few firms were actually doing risk management in the last decade.
So we have a month left in the decade. Most were touched by the adverse events of the past decade in some way. Risk Managers should be able to offer something for the future that is better than the 00′s.
Not listening to your CRO – having him too low down the management chain;
Hiring a CEO who “doesn’t want to hear bad news”;
Not linking the Board tolerance for risk to the risk management practices of the company;
Having the CRO report to the CFO instead of to the CEO or Board, i.e., not having a system of checks and balances in place regarding risk practices;
The board not leading the risk management charge;
Not communicating the risk management goals;
Not driving the risk management culture down to the lower levels of the organization;
Ignorance is not Bliss
Not doing your own risk evaluations;
Not expecting the unexpected;
Overreacting to risks that turn out to be harmless;
Don’t shun the risk you understand, only to jump into a risk you don’t understand;
Failure to pay attention to actual risk exposure in the context of risk appetite;
Using outsider view of how much capital the firm should hold uncritically;
Cocksureness
Believing your risk model;
The opinion held by the majority is not always the right one;
There can be several logical, but contradictive explanations for one sequence of events, and logical doesn’t mean true;
We do not have perfect information about the future, or even the past and present;
Don’t use old normal assumptions to model in the new normal;
Arrogance of quantifying the unquantifiable;
Not believing your risk model – waiting until you have enough evidence to prove the risk is real;
Not Seeing the Big Picture
Making major changes without heavy involvement of Risk Management;
Conflict of interest: not separating risk taking and risk management;
Disconnection of strategy and risk management: Allocating capital blindly without understanding the risk-adjusted value creation;
One of the biggest mistakes has to be thinking that you can understand the risks of an enterprise just by looking at the components of risk and “adding them up” – the complex interactions between factors are what lead to real enterprise risk;
Looking at risk using one single measure;
Measuring and reporting risks is the same as managing risks;
Risk can always be measured;
Fixation on Structure
Thinking that ERM is about meetings and org charts and capital models and reports;
Think and don’t check boxes;
Forgetting that we are here to protect the organization against risks;
Don’t let an ERM process become a tick-box exercise;
Not taking a whole company view of risk management;
Nearsightedness
Failing to seize historic opportunities for reform, post crisis;
Failure to optimize the corporate risk-return profile by turning risk into opportunity where appropriate;
Don’t be a stop sign. Understand the risks AND REWARDS of a proposal before venturing an opinion;
Talking about ERM but never executing on anything;
Waiting until ratings agencies or regulatory requirements demand better ERM practices before doing anything;
There is no obstacle so difficult that, with sufficient thought, cannot be turned into an opportunity;
No opportunity so assured that, with insufficient thought, cannot be turned into a disaster;
Do not confuse trauma with learning;
Using a consistent discipline to search for opportunities where you are paid to accept risk in the context of the entire entity will move you toward an optimized position. Just as important is using that discipline to avoid “opportunities” where this is not the case.
undertake positive NPV projects
risk comes along with these projects and should be priced in the NPV equation
the price of risk is the lesser of the external cost of disposal (e.g., hedging) or the cost of retention “in the context of the entire entity”;
also hidden in these words is the need to look at the marginal impact on the entity of accepting the risk. Am I better off after this decision than I was before? A silo NPV may not give the same answer for all firms/individuals;
What is important is the optimization journey, understanding it as a goal we will never achieve;
More Skin in the Game
Misalign the incentives;
Most people will act based on their financial incentives, and that certainly happened (and continues to happen) over the past couple of years. Perhaps we could include one saying that no one is peer reviewing financial incentives to make sure they don’t increase risk elsewhere in the system;
Not tying risk management practices to compensation;
Not aligning risk management goals with compensation;
A haphazard collection of over 100 quotes from people who might be either famous or knowledgeable or both. This page drew about 150 hits per month even when there was zero new activity on Riskviews for 3 months.
Names of over 75 firms around the world that have encoundered serious financial difficulties that may or may not have been related to poor risk management.
Much of what is written and discussed about risk management focuses on the needs and efforts of the largest firms. This post tells how ERM is different for a smaller firm.
Materials prepared for a week long seminar for TASK (The Actuarial Society of Kenya). Also includes slides from a 1/2 day workshop for Kenyan Bank and Insurance CEOs.
Part of a series of ten reflections on comments by Nassim Taleb on how to create a Black Swan Free World. This particular discussion is about complexity and simplicity.
Some good and not so good parts to this conference. Hosted by Courant Institute of Mathematical Sciences, it was surprisingly non-quant. In fact several of the speakers, obviously with no idea of what the other speakers were doing said that they were going to give some relief from the quant stuff.
Sad to say, the only suggestion that anyone had to do anything “different” was to do more stress testing. Not exactly, or even slightly, a new idea. So if this is the future of risk management, no one should expect any significant future contributions from the field.
There was much good discussion, but almost all of it was about the past of risk management, primarily the very recent past.
Here are some comments from the presenters:
Banks need regulator to require Stress tests so that they will be taken seriously.
Most banks did stress tests that were far from extreme risk scenarios, extreme risk scenarios would not have been given any credibility by bank management.
VAR calculations for illiquid securities are meaningless
Very large positions can be illiquid because of their size, even though the underlying security is traded in a liquid market.
Counterparty risk should be stress tested
Securities that are too illiquid to be exchange traded should have higher capital charges
Internal risk disclosure by traders should be a key to bonus treatment. Losses that were disclosed and that are within tolerances should be treated one way and losses from risks that were not disclosed and/or that fall outside of tolerances should be treated much more harshly for bonus calculation purposes.
Banks did not accurately respond to the Spring 2009 stress tests
Banks did not accurately self assess their own risk management practices for the SSG report. Usually gave themselves full credit for things that they had just started or were doing in a formalistic, non-committed manner.
Most banks are unable or unwilling to state a risk appetite and ADHERE to it.
Not all risks taken are disclosed to boards.
For the most part, losses of banks were < Economic Capital
Banks made no plans for what they would do to recapitalize after a large loss. Assumed that fresh capital would be readily available if they thought of it at all. Did not consider that in an extreme situation that results in the losses of magnitude similar to Economic Capital, that capital might not be available at all.
Prior to Basel reliance on VAR for capital requirements, banks had a multitude of methods and often used more than one to assess risks. With the advent of Basel specifications of methodology, most banks stopped doing anything other than the required calculation.
Stress tests were usually at 1 or at most 2 standard deviation scenarios.
Risk appetites need to be adjusted as markets change and need to reflect the input of various stakeholders.
Risk management is seen as not needed in good times and gets some of the first budget cuts in tough times.
After doing Stress tests need to establish a matrix of actions that are things that will be DONE if this stress happens, things to sell, changes in capital, changes in business activities, etc.
Market consists of three types of risk takers, Innovators, Me Too Followers and Risk Avoiders. Innovators find good businesses through real trial and error and make good gains from new businesses, Me Too follow innovators, getting less of gains because of slower, gradual adoption of innovations, and risk avoiders are usually into these businesses too late. All experience losses eventually. Innovators losses are a small fraction of gains, Me Too losses are a sizable fraction and Risk Avoiders often lose money. Innovators have all left the banks. Banks are just the Me Too and Avoiders.
T-Shirt – In my models, the markets work
Most of the reform suggestions will have the effect of eliminating alternatives, concentrating risk and risk oversight. Would be much safer to diversify and allow multiple options. Two exchanges are better than one, getting rid of all the largest banks will lead to lack of diversity of size.
Problem with compensation is that (a) pays for trades that have not closed as if they had closed and (b) pay for luck without adjustment for possibility of failure (risk).
Counter-cyclical capital rules will mean that banks will have much more capital going into the next crisis, so will be able to afford to lose much more. Why is that good?
Systemic risk is when market reaches equilibrium at below full production capacity. (Isn’t that a Depression – Funny how the words change)
Need to pay attention to who has cash when the crisis happens. They are the potential white knights.
Correlations are caused by cross holdings of market participants – Hunts held cattle and silver in 1908′s causing correlations in those otherwise unrelated markets. Such correlations are totally unpredictable in advance.
National Institute of Financa proposal for a new body to capture and analyze ALL financial market data to identify interconnectedness and future systemic risks.
If there is better information about systemic risk, then firms will manage their own systemic risk (Wanna Bet?)
Proposal to tax firms based on their contribution to gross systemic risk.
Stress testing should focus on changes to correlations
Treatment of the GSE Preferred stock holders was the actual start of the panic. Leahman a week later was actually the second shoe to drop.
Banks need to include variability of Vol in their VAR models. Models that allowed Vol to vary were faster to pick up on problems of the financial markets. (So the stampede starts a few weeks earlier.)
In the last ten years, we have had major problems from Credit, Natural Catastrophes and Equities all at least twice. Looking around at the risk exposures of insurers, it seems that we are due for a fall on Interest Rate Risk.
And things are very well positioned to make that a big time problem. Interest rates have been generally very low for much of the past decade (in fact, most observers think that low interest rates have caused many of the other problems – perhaps not the nat cats). This has challenged the minimum guaranteed rates of many insurance contracts.
Interest rate risk management has focused primarily around lobbying regulators to allow lower minimum guarantees. Active ALM is practiced by many insurers, but by no means all.
Rates cannot get much lower. The full impact of the historically low current risk free rates (are we still really using that term – can anyone really say that anything is risk free any longer?) has been shielded form some insurers by the historically high credit spreads. As the economy recovers and credit spreads contract, the rates could go slightly lower for corporate credit.
But keeping rates from exploding as the economy comes back to health will be very difficult. The sky high unemployment makes it difficult to predict that the monetary authorities will act to avoid overheating and the sharp rise of interest rates.
Calibration of ALM systems will be challenged if there is an interest rate spike. Many Economic Capital models are calibrated to show a 2% rise in interest rates as a 1/200 event. It seems highly likely that rates could rise 2% or 3% or 4% or more. How well prepared will those firms be who have been doing diciplined ALM with a model that tops out at a 2% rise? Or will the ALM actuaries be the next ones talking of a 25 standard deviation event?
Is there any way that we can justify calling the next interest rate spike a Black Swan?
The Bond insurers diversified out of their niche of municpal bonds into real estate backed securities and suddenly these two markets that previously seemed to have low correlation were highly correlated as the sub prime crisis brought down the Bond Insurers and their problems rippled into the Muni market.
(I say seemed uncorrelated, but of course they are highly dependent since a high fraction of municipal incomes comes from taxes relating to real estate values. That is a major problem with the statistical idea of correlation – statistical approaches must never be used uncritically.)
But the point of the first paragraph above is that interdependencies do not have to come from the fundamentals of two markets – that is to come from common drivers of risk. Interdependencies especially of market prices can and often do come from common ownership of securities from different markets. The practice of holding risks from seemingly unrelated risks or markets is generally thought to create better risk adjusted results because of diversification.
But the perverse truth is that like many things in real economics (not book economics) the more people use this rule, the less likely it is that it will work.
There are several reasons for this:
When a particularly large organization diversifies, their positions in every market will be large. For anyone to get the most benefit from diversification, they need to have positions in each diversifying risk that are similar in size. Since even the largest firms had to have started somewhere, they will have a primary business that is very large and so will seek to take very large positions in the diversifying markets to get that diversifying benefit. So there ends up being some very significant specific risk of a sudden change in correlation if that large firm runs into trouble. These events only ever happen once to a firm so there is never, ever any historical correlations to be found. But if you want to avoid this diversification pitfall, it pays to pay attention to where the largest firms operate and be cautious in assuming diversification benefits where THEY are the correlating factor.
When large numbers of firms use the same correlation factors (think Solvency II), then they will tend to all try to get into the same diversifying lines of business where they can get the best diversification benefits. This results in both the specific risk factor mentioned above and to a pricing pressure on those markets. Those risks with “good” diversification will tend to price down to their marginal cost, which will be net of the diversification benefit. The customers will end up getting the advantage of diversification.
Diversification is commonly believed to eliminate risk. THis is decidedly NOT TRUE. No risk is destroyed via diversification. All of the losses that were going to happen do happen, unaffected by diversification. What diversification hopes to accomplish is to make this losses relatively less important and more affordable because some risk taking activity is likely to be showing gains while others is showing losses. So people who thought that because they were diversified, that they had less risk, were willing to go out and take more risk. This effect causes more of the stampede for the exits behaviors when times get tough and the losses that were NOT destroyed by diversification occur.
The theory of a free lunch with diversification encourages firms who are inexperienced with managing a risk to take on that risk because their diversification analysis says that it is “free”. These firms will often help to drive down prices for everyon, sometimes to the point that they do not make money from their “diversification play” even in good years. Guess what? All that fancy correlation math does not work as advertised if the expected earnings from a “diversifying risk” is negative. These is no diversification from a losing operation because it has no gains to offset the losses of other risks.
