In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:
1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.
2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.
3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.
4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.
5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.
6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.
7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.
8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.
9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.
A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.
a. Bad results <> Bad Culture – there are many possible reasons for poor results. Culture is one possible reason for bad results, but by far not the only one.
b. Causation and Correlation – actually this one need not be flipped. Correlation is the most misunderstood statistic. Risk managers would do well to study and understand what valuable and reliable uses there are for correlation calculations. They are very likely to find few.
c. Single explanations – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason. Scapegoating is a process of identifying a single explanation and quickly moving on, often without much effort to determine which of the four possibilities above applies to the scapegoat. Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.
d. Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.
e. Data Quality – same exact issue applies to loss analysis. GIGO
f. Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about. A firm does not need to sport excellent performance to experience deteriorating results.
g. Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.
h. Uncertainty prevails – precision does not automatically come from expensive and complicated models.
Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like. When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered. But when the threat actually happens, there are four possible responses: cooperation with disaster plan, becoming immobilized and ignoring the disaster, panic and anti-social advantage taking. Disaster planning sometimes goes no further than developing a path for people with the first response. A full disaster plan would need to take into account all four reactions. Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social. In businesses, a business continuity or disaster plan would fall into this category of activity.
When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity. It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant. So businesses usually only have risks in this category that are Low Likelihood.
Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats. This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.
Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon. For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation. Or else a new source of large losses emerges from an existing area of coverage. Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980s when money market funds threatened to suck all of the money out of insurers, or in the 1990s the variable products that decimated the more traditional guaranteed minimum return products.
In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks. Keeping track of the magnitude of several different risk types and their interplay is itself a complex task. Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind. But these risk evaluation tools themselves create a complex threat.
Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process. A firm may have different teams doing risk assessment, risk mitigation and assurance, for each separate threat. This can only make sense when the rewards for taking these risks are large because this mode of risk management is very expensive.
Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself. “Uncertain” has been the word most often used in the past several years to describe the current environment. We just are not sure what will be hitting us next. Neither the type of threat, nor the timing, frequency or severity is known in advance of these unpredictable threats.
Businesses operating in less developed economies will usually see this as their situation. Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.
Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat. The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time. But taking up new activities with other unique threats is less of a problem under this mode. Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.
Benign Threats are things that will never do more than partially reduce earnings. Small stuff. Not good news, but not bad enough to lose any sleep over.
Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm. The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions. At the extreme of low cooperation mode of risk management, enforcement will be very weak.
For example, many banks have been trying to get by with a low cooperation mode of ERM. Risk Management is usually separate and adversarial. The idea is to allow the risk takers the maximum degree of freedom. After all, they make the profits of the bank. The idea of VaR is purely to monitor earnings fluctuations. The risk management systems of banks had not even been looking for any possible Severe and Intense Threats. As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks. Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.) The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.
Do you have a clear distinction between “What’s Risk vs What’s Actuarial?” It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.
Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.
I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.
In fact, it really does depend upon the company. That is because actuarial roles are extremely broad in some companies and very narrow in others.
The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition. In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation. In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.
But Risk can be defined differently in different companies as well. In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies. Or to satisfy other requirements of the same audiences.
In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.
The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and/or broad risk oversight. In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
A broadly defined Risk function in these firms will overlap most clearly with those last two roles. With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered. But there are Risk aspects of all five of the other functions listed.
Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm. This information is also used in Pricing. And should be a main part of the information needed to evaluate the risks of the firm. Which makes this area of high importance to Risk.
Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago. But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.
Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function. The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function. The development of a new Risk function in these firms can be interpreted as Actuarial losing influence. This perception would add to the conflict and to the confusion. Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial. Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.
At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer. The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities. In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.
In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack. “The End of Enterprise Risk Management” David Martin and Michael Power
In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything. Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want. But if you really want ERM, then something else is needed. Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm. This is a favorite topic of RISKVIEWS as well. See Beware the Risk Management Entertainment System.
RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM.
Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR. RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems. See Law of Risk and Light.
It is very nice to find someone who says the same things that you say. Affirming. But even better to read something that you haven’t said. And Martin and Power provide that.
Finally, there is a call for risk management that is Reflexive. That reacts to the environment. Most ERM systems do not have this Reflexive element. Risk limits are set and risk positions are monitored most often assuming a static environment. The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently. In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use. That is, if your update includes studying the environment and making environment driven changes.
RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors. Eternal Risk factors are assumed to be good “for all time”. The US RBC factors are such. Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”.
But firms would be better off looking at their risks in the light of a changing risk environment. Plural Rationality theory suggests that there are four different risk environments. If a company adopts this idea, then they need to look for signs that the environment is shifting and when it seems to be likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment. The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.
So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.
In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment. With that RISKVIEWS can heartily agree.
This story reveals several things about the nature of risk and the CRO job.
First, the nature of risk. Risk is always about the future. There will always be disagreements about the level of risk. True disagreements. People believing completely different things. And it is the future we are talking about. No one KNOWS for certain about the future. And also, risk is potential for loss. In many cases, even after the fact, no one can know how much risk there was. A severe adverse event that had a likelihood of 10% might not happen in the coming year. Another equally severe event with a 0.1% likelihood might happen. Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event. Even if the less risky exposure produced a loss while the more risky exposure did not.
So the fact that the MF Global position produced a large, firm-ending loss does not prove that the CRO was right.
In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine. And that is pretty typical of what you will see at financial services firms. The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk than either the executives or the board.
This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.
About the CRO
Many people forget that the Chief Risk Officer is usually not independent of the CEO. If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem. And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO. NOT to critique that policy to the board.
RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system. The CRO should not be setting their own objective. So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.
But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO. That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.
So the CRO’s job is not to stand in judgment of both the CEO and the Board. The CRO’s job is to work within the risk appetite of the board.
Half a league, half a league, Half a league onward,
All in the valley of Death Rode the six hundred.
“Forward, the Light Brigade!
“Charge for the guns!” he said:
Into the valley of Death Rode the six hundred.
From Charge of the Light Brigade, by Alfred, Lord Tennyson
In about 30 minutes, over 2/3 of the British Light Brigade were slaughtered in 1854. Horsemen with swords charged cannon and rifles and grapeshot. Tennyson made it sound grand and brave and somehow an admirable thing. But Tennyson points out the fact that it made no sense to do what they were doing – that the soldiers knew it.
“Forward, the Light Brigade!”
Was there a man dismay’d?
Not tho’ the soldier knew Someone had blunder’d:
Theirs not to make reply,
Theirs not to reason why,
Theirs but to do and die:
Into the valley of Death Rode the six hundred.
Military schools have used the story of the charge as an example of what can go wrong when intelligence is weak at the command center and when orders are ambiguous.
The Earl of Cardigan who was in command, reported to Parliament:
But what, my Lord, was the feeling and what the bearing of those brave men who returned to the position. Of each of these regiments there returned but a small detachment, two-thirds of the men engaged having been destroyed? I think that every man who was engaged in that disastrous affair at Balaklava, and who was fortunate enough to come out of it alive, must feel that it was only by a merciful decree of Almighty Providence that he escaped from the greatest apparent certainty of death which could possibly be conceived.
You might ask what this might have to do with Risk Management?
While the willingness to follow orders might have appealed to the Victorian English, those are not the sort of folks that you want handling risk. Following orders that are that far wrong is not what you want someone doing with the risks to your firm’s existence.
You want people in both your risk management area and in the front line areas where there is the most risk taking to be the sorts who question authority when they do not understand why a new order makes sense.
Risk needs to be attended to at both the center and the fringes. And thoughtfully attended to. When the risk seems high to someone, that should be a signal to reconsider.
Risk has traditionally been a minor part of strategy discussions in many firms.
Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion. As quickly as possible, the planners shift into concentrating on discussion of Opportunities. That is what they are there for anyway – Opportunities.
Utility theory and the business education that flows from utility theory suggests very little consideration of risk. Not none at all, but very little. Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good. That is one spot where risk creeps in. In addition, risk might be also reflected as an externality – the capital required by a regulator or ratings agency.
Financial economics came along and offered a more complicated view of risk. Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.
Risk management suggests a completely different and potentially contradictory approach.
The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection. The internal risk appetite becomes the constraint instead of the external capital constraint. For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch. But often it actually is not.
The boards and management of most firms have failed to choose their own risk appetite constraint.
Riskviews believes that this is because the folks who have spent their entire careers under an external constraint system are ill equipped to set their own limits. They do not have the experience with trial and error of setting risk appetite, unlike the long experience that they have with most of their other management decisions. For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail. When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.
Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision. And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.
And as the discussion at the start of this post states, the business education did not include risk appetite either.
But there are other ways that risk can be incorporated into the planning and strategy.
Risk Profile. A part of the statement of the impact that the plan will have on the company should be a before and after risk profile. This will show how the plan either grows the larger risks of the firm or diversifies those risks. Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm. The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended. That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type. By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan. They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective. And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
Risk management view of gains and losses. Planning usually starts with a review of recent experience. The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedance probability from the risk models. This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
Risk Controls review. Each risk operated within a control system. The above review of recent experience should include discussion of whether the control systems worked as expected or not.
Risk Pricing review. The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type. Comparison to a neutral index could be considered as well. With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.
Some management groups will be much more interested in one or another of these approaches. The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy. Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.
Independence of the risk function is very important. But often, the wrong part of the risk function is made independent.
It is the RISK MEASUREMENT AND REPORTING part of the risk function that needs to be independent. If this part of the risk function is not independent of the risk takers, then you have the Nick Leeson risk – the risk that once you start to lose money that you will delay reporting the bad news to give yourself a little more time to earn back the losses, or the Jérôme Kerviel risk that you will simply understate the risk of what you are doing to allow you to enhance return on risk calculations and avoid pesky risk limits.
When Risk Reporting is independent, then the risk reports are much less likely to be fudged in the favor of the risk takers. They are much more likely to simply and factually report the risk positions. Then the risk management system either reacts to the risk information or not, but at least it has the correct information to make the decision on whether to act or not.
Many discussions of risk management suggest that there needs to be independence between the risk taking and the entire risk management function. This is a model for risk disaster, but a model that is very common in banking. Under this type of independence there will be a steady war. A war that it is likely that the risk management folks will lose. The risk takers are in charge of making money and the independent risk management folks are in charge of preventing that. The risk takers, since they bring in the bacon, will always be much more popular with management than the risk managers, who add to costs and detract from revenue.
Instead, the actual risk management needs to be totally integrated within the risk taking function. This will be resisted by any risk takers who have had a free ride to date. So the risk takers can decide what would be the least destructive way to stay within their risk limits. In a system of independent risk management, the risk managers are responsible for monitoring limit breaches and taking actions to unwind over limit situations. In many cases, there are quite heated arguments around those unwinding transactions.
Under the reporting only independence model, the risk taking area would have responsibility for taking the actions needed to stay within limits and resolving breaches to limits. (Most often those breaches are not due to deliberate violations of limits, but to market movements that cause breaches to limits to grow out of previously hedged positions.)
Ultimately, it would be preferable if the risk taking area would totally own their limits and the process to stay within those limits.
However, if the risk measurement and reporting is independent, then the limit breaches are reported and the decision about what to do about any risk taking area that is not owning their limits is a top management decision, rather than a risk manager decision that sometimes gets countermanded by the top management.
A risk policy specifies which risks a company will be willing to assume and which risks it will not. The risk policy of an insurance company focuses on:
creating and protecting shareholders’ value from the volatility of its financial results, and
containing the impact of this volatility on the cost of its capital and thus also, the cost of its risk capacity
Since insurance contracts involve assumption of insurance and investment risks, risk policies of insurance companies must include distinct insurance and investment components.
Insurance risk policy
To develop its insurance risk policy, a company needs to take into account its ability to establish and sustain a competitive advantage by leveraging superior capabilities (e.g. underwriting expertise, claim management, risk management, etc.). It must evaluate the attractiveness of individual insurance markets based on analysis and assessment of key factors that shape business strategy, including:
Market structure and characteristics (size in premium revenue, number of accounts, distribution of exposures by location, industry, etc.)
Revenue growth potential
Business acquisition and underwriting expenses
Changes in customer needs and value perceptions
Assessment of relative competitive positions
Loss frequency and severity, and expected loss ratio
Correlations with macro economic factors (e.g., inflation and GDP growth rates), and other markets served by the company.
Systemic insurance risk
Availability, cost and anticipated use of reinsurance
Insurance companies can use data available from public and private sources (e.g., brokers) to estimate the level and volatility of revenues and earnings associated with specific exposure types, i.e. to develop an “ex-ante” assessment of the risks it considers accumulating. The underlying loss distributions can then be used to develop estimates of i) capital intensity, ii) the impact of the accumulation of specific exposures on the company’s risk profile, iii) the utilization of its risk capacity and iv) financial performance under alternative risk policies. In every situation, there is a need to verify that a company’s capital and earnings base are sufficient relative to limits written and the probable maximum loss of the portfolio to protect the company’s ratings and ensure the viability of the company as a going concern.
Investment risk policy
The investment risk policy needs to address two effects of investment value volatility, which might cause:
The absolute market value of invested assets to fall in a given time period, thereby reducing available capital and risk capacity
Changes in the market value of invested assets relative to the value of liabilities that increase the volatility of the company’s capital position, thereby also increasing the probability of downgrading, or of intervention by regulators in company management
These effects of investment value volatility are addressed through reinsurance and asset strategies that contain the volatility of net assets. Insurance companies determine the extent and manner in which these strategies can be optimized, and supplemented in certain cases by arrangement of back-up lines of credit, through analysis of the volatility of their cash flows, taking into consideration the execution of their strategy, the potential liquidity and value volatility of their invested assets and the payment patterns of their liabilities. Note that liabilities of insurance companies, unlike bank demand deposits and overnight funding, are a source of relatively stable funding. Many companies take investment positions that take advantage of this relative illiquidity to create value.
The objective of an investment risk policy is to guide management in ascertaining when, to what extent and how a company should deviate from investing in a portfolio that replicates its liabilities. Its investment risk policy, at a minimum, should specify:
Which asset classes are permissible, by type, rating class, liquidity, etc.
Which risk types may be assumed to enhance returns, given a company’s risk capacity (e.g. interest rate, credit, inflation, currency, beta, idiosyncratic, liquidity, etc.)
How much of the assets may be invested in alternative assets, including illiquid positions (e.g. venture capital, real estate, hedge funds, funds of funds, etc.)
Guidelines for diversification within and between asset classes
How much volatility in investment income and portfolio value is consistent with the respective solvency and value risk tolerances of the company’s stakeholders
Guidelines for using hedging strategies, and controlling counterparty risk
To develop this policy, a company needs to simulate the impact of alternative guidelines in relation to liabilities and the risk capital consumed, assess their contribution to economic objectives, and identify the range of acceptable asset allocations and strategies. Ultimately, the policy should provide a framework within which a company can determine how much of its return to seek through investment in risk-free instruments, or instruments that provide extra “market return” (beta) or even additional skill-based returns (alpha).
Revision of risk policy
Although it is widely recognized that an insurance company needs to develop its risk policy when it starts operating, there is no consensus on how often an established company needs to revise its risk policy.
Many insurance companies review their risk policy when they are contemplating an acquisition or entering a new business. Because such decisions can have a significant impact on their risk profile, companies often perform detailed pro-forma actuarial analyses to develop the risk insights they need before making a commitment. However, when no significant change in business portfolio is contemplated, insurance executives are often reluctant to invest time to revisit their company’s risk policy.
The recent crisis suggests, however, that there is hardly any activity of greater importance to the survival and success of insurance companies.
Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.
Many people struggle with clearly identifying how to measure the success of their risk management program.
But what they really are struggling with is either a lack of clear objectives or unobtainable objectives.
Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.
The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.
The objectives need to be obtainable with the authority and resources that are given to the risk manager. A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.
The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient. But again the real answer to this issue is authority and budget. If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk. But then the risk manager is incented to make the model as conservative as their imagination can make it. The result will be no business – it will all look too risky.
So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.
But there are objectives for a risk management program that can be clear and obtainable. Here are some examples:
The Risk Management program will be compliant with regulatory and/or rating agency requirements
The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.
Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals. The responsibility for achieving the risk management goals is shared by the management team and the risk management function.
Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:
X1 The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.
X2 The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.
X3 The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.
X4 The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals, but which one they will be judged upon is not determined in advance.
Unfortunately, this is exactly the situation that many, many risk managers find themselves in.
But what should you do SECOND? The list of ERM practices is long. Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.
And you want to make sure that you avoid Brick Walls and Touring Bikes.
But the Second Step is not a practice of ERM. The Second Step is to identify the motivation for risk management. As mentioned in another post, there are three main motivations: Compliance, Capital Adequacy and Decision making.
If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.
If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.
If Decision making is the motivation, then the process becomes somewhat more involved. Start with identifying the risk attitude of the firm. Knowing the risk attitude of the firm, the risk management strategy can then be selected. Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.
This process has been described in the post Risk Attitudes and the New ERM Program.
But knowing the motivation is key. A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM. They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…
And then hit a brick wall.
That is because they did not clearly identify the motivation for their appointment to be the risk management officer. The term ERM actually means something totally different to different folks. Usually one of the three motivations: Compliance, Capital Adequacy, or Decision Making.
A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices. A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement. Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.
The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.
Most modern cruise ships feature the following facilities:
Casino – Only open when the ship is in open sea
Spa
Fitness center
Shops – Only open when ship is in open sea
Library
Theatre with Broadway style shows
Cinema
Indoor and/or outdoor swimming pool
Hot tub
Buffet restaurant
Lounges
Gym
Clubs
Keep that contrast in mind when you are making your plans for a new ERM system.
Risk management has two important phases. The first phase is Between Crises (BC) and the second phase is During Crises (DC). The skills and activities needed for these two phases are totally different. This post will talk about the DC phase.
During the Crisis, the concentration of the risk manager must shift to survival. Much has been made of the famous saying from Baron Rothschild:
“Buy when there’s blood in the streets, even if the blood is your own.”
But Rothschild famously made his own luck by arranging that he was the first to know the outcome of the battle of Waterloo. And when the crisis hits, that is what you will hope that you, or your predecessor, did before the crisis – make some of that sort of luck.
One of the things that often happens is that the organization will seem to shift right out from under you. The norms and objectives that you thought were agreed are no longer in place. You will be judged by a set of rules that are being written right now.
An old (1938) article by Robert Merton, SOCIAL STRUCTURE AND ANOMIE, suggests that there are five ways that people can react to situations where they are unhappy with how the rules and norms are working:
Conformity
Innovation
Ritualism
Retreat
Rebellion
Conformity means that they simply continue to operate under the old rules and norms as if nothing has happened. In many cases, however, risk managers act as if this is the only possibility.
Innovation means that they try to come up with a new way to solve their problem within the same structure that was in place. Innovation may or may not work and if it does not work, then one of the other responses will be next. Often the risk manager is trying to innovate the way out of the crisis.
Ritualism means that they start to go through the motions of following the old rules, even though there is a strong sense that those rules no longer work as they had been working. Things get more rigid and hierarchical. Stepping on the wrong person’s toes has become a more significant infraction than it had been.
Retreat means that the organization freezes. In some cases, it is the CEO who retreats, simply disappearing from the scene and lines of authority become blurry.
Rebellion means that the old rules and norms of the company are overthrown and new rules and norms replace the old quite rapidly. This is most often accompanied by major management personnel changes. But sometimes not.
The risk manager needs to be aware of these possibilities and make plans accordingly.
My suggestion is that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.
In that spirit, I offer up these eight Fundamental ERM Practices. So to follow my suggestion, you would start in each of these eight areas with a self assessment. Identify what you already have in these eight areas. THEN start to think about what to build. If there are gaping holes, plan to fill those in with new practices. If there are areas where your company already has a rich vein of existing practice, build gently on that foundation. Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working. Making significant improvement to existing good practices should be one of your lowest priorities.
Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks
Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.
Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.
Policies and Standards: Clear and comprehensive documentation – Clearly documenting the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.
Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.
Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.
Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.
Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.
To date Riskviews has featured discussions of issues relating to Risk Culture 27 times. While we talk about the Eight ERM Fundamentals, Culture is THE ERM FUNDAMENTAL.
While Standard & Poor’s uses this category to include a variety of practices including governance, disclosure and risk appetite, here we mean solely the manner that people outside of the risk management department are brought into the risk management process in a firm.
Decisions need to be made regarding who to get involved in doing and then who else to tell about the objectives and plans and activities of risk management in the firm.
Some companies do this on a need to know basis, involving only those who must get involved to make things work and only telling those who have an active role.
At the opposite extreme are firms who say that risk management is everyone’s job and who therefore work very hard to make sure that everyone understands everything that is going on.
The firms in the first group are focused on efficiency. Management usually believes that everyone must stay focused upon their own primary responsibilities. A select few are given responsibility for risk management activities and everyone else is kept out of the way. Knowledge of the risk management work in these firms is usually restricted to top management and line management only in the situations where the risk management efforts need to be integrated into the operational unit’s activities.
The firms in the second group believe that risk management is everyone’s job because crippling risks can take many forms, both currently known and unknown. And that these risks can emanate from any part of the firm. They do not believe that just because there has never been a large problem from one activity, that there never can be.
For the first type of firm, risk management culture means that risk management is one of those things that separates the cognoscenti from the rest of the firm. Risk management culture means keeping those in the know up to date on everything that is important about risk and risk management. Each one of the restricted group must take a major responsibility to join in this activity.
For the second type of firm, there will be a totally different type of activity supporting risk management culture. That will involve training sessions and informational newsletters. One firm holds an annual conference about risk management and allows anyone at the supervisory level and above in the firm to attend. Another firm puts an ERM related message on the intranet home page and changes that message at least once per week.
The second type of firm will welcome input from anyone to their ERM processes.
This is one of the eight Fundamental ERM practices. These practices are the foundations of a new ERM program.
Risk Language is not commonly recognized in most ERM literature as a fundamental practice. But all you need to do is to talk with a management team that has a common risk language and another who does not and it is difficult to see why it is not. The management with the common language can much more often articulate a common vision of risk management and especially of risk appetite. The objectives of the ERM program of a firm without a common risk language are usually not understood similarly by more than a tiny handful of people.
When hearing the story of ERM at a firm it seems to be a much more likely explanation for the firm without the common language that their ERM program exists mostly for the purpose of entertaining outsiders than for impacting the management of the firm.
At the earliest stage of development of an ERM program, the lack of a language should become apparent. Ask any two managers what they think is meant by an unacceptably large loss and you are likely to get as many different answers as you have answerers.
Ask that same set of people what would be an acceptable level of sales or profits and they will all usually be able to clearly state the company goals for the current year.
So the objective in this area as it is with measurement is to put risk on the same footing as sales and profits, to give it the same clarity and unanimity of understanding and purpose.
There are several steps to gaining a risk language for a firm.
Existing Risk Terms – Making a collection of existing risk terminology used commonly in different parts of the company is a good first step. Notice where different parts of the company have different terms for one idea and other places where people have different meanings for the same term. Those conflicts need to be resolved so that there is one main set of terms used within the company for those ideas.
Standard Risk terms – It is not necessary that each firm adopts an entire vocabulary about risk from outside the firm. But by the same token, there are a wide variety of standardized terms for risk. Take a look at Risk Glossary, for example. A good first step would be to take a short list of terms from a source like that and start to make sure that everyone starts to learn those terms.
New Risk Terms – As ERM grows within the company, new terminology will develop for particular ideas. Some of that terminology will emanate from the risk department and some will come from the executives as they seek to repeat things that they hear at the risk committee meetings. For some time, everyone needs to be deliberate about the process of coining new terminology. Conscious that one way of saying something seems to “stick” better than another. Encourage the formation of this vocabulary.
Besides forming this new vocabulary, it is extremely important that both the risk staff and the other managers who are members of risk committees make sure to use the new risk terminology in their everyday work. Language is naturally built by usage, not by dictionaries.
One last thought… ERM practice is a combination of some very expensive things and very simple things. In general, the largest firms can afford the very expensive things more easily while the simple things are usually executed much more effectively in small firms. This is one of the simple things.
Who should have responsibility for risk management?
Is it the CRO? Is it the Business Unit Heads? Is it everyone? Or is it the CEO (as Buffett suggests)?
My answer to those questions is YES. Definitely.
You see, there is plenty of risk to go around.
The CEO should be responsible for the Firm Killing Risks. He/She should be the sole person who is able to commit the firm to an action that creates or adds to a firm killing risk position. He/She should have control systems in place so that they know that no one else is taking any Firm Killing Risks. He/She should be in a constant dialog with the board about these risks and the necessity for the risks as well as the plans for managing those sorts of risks.
At the other end of the spectrum, there are the Bad Day Risks. Everyone should be responsible for their share of the Bad Day Risks.
And somewhere in the middle are the risks that the CRO and Business Unit Heads should be managing. Those might be the Bad Quarter Risks or the Bad Year Risks.
As the good book says, “To each according to his ability”. That is how Risk Management responsibility should be distributed.
Once you think of it, it seems obvious. Risk Managers need humility.
If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.
Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.
Risk managers should read the ancient Greek story of Icarus.
Risk managers without humility will suffer the same fate.
Humility means remembering that you must do every step in the risk management process, every time. The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball. They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.
But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.
The risk managers with humility will be ever watchful. They will be looking for the next big unexpected risk. They will not be out there saying how well that they are managing the risks, they will be more concerned about the risks that they are unprepared for.
Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.
Sometimes quants who get involved with building new economic capital models have the opinion that their work will reveal the truth about the risks of the group and that the best approach is to just let the truth be told and let the chips fall where they may.
Then they are completely surprised that their project has enemies within management. And that those enemies are actively at work undermining the credibility of the model. Eventually, the modelers are faced with a choice of adjusting the model assumptions to suit those enemies or having the entire project discarded because it has failed to get the confidence of management.
But that situation is actually totally predictable.
That is because it is almost a sure thing that the first comprehensive and consistent look at the group’s risks will reveal winners and losers. And if this really is a new way of approaching things, one or more of the losers will come as a complete surprise to many.
The easiest path for the managers of the new loser business is to undermine the model. And it is completely natural to find that they will usually be completely skeptical of this new model that makes their business look bad. It is quite likely that they do not think that their business takes too much risk or has too little profits in comparison to their risk.
On the most primitive basis, I saw this first in the late 1970’s when the life insurer where I worked shifted from a risk approach that allocated all capital in proportion to reserves to one that recognized the insurance risk as well as the investment risk as two separate factors. The term insurance products suddenly were found to be drastically underpriced. Of course, the product manager of that product was an instant enemy of the new approach and was able to find many reasons why capital shouldn’t be allocated to insurance risk.
The same sorts of issues had been experienced by firms when they first adopted nat cat models and shifted from a volatility risk focus to a ruin risk focus.
What needs to be done to defuse these sorts of issues is that steps must be taken to separate the message from the messenger. There are 2 main ways to accomplish this:
The message about the new level of risks needs to be delivered long before the model is completed. This cannot wait until the model is available and the exact values are completely known. Management should be exposed to broad approximations of the findings of the model at the earliest possible date. And the rationale for the levels of the risk needs to be revealed and discussed and agreed long before the model is completed.
Once the broad levels of the risk are accepted and the problem areas are known, a realistic period of time should be identified for resolving these newly identified problems. And appropriate resources allocated to developing the solution. Too often the reaction is to keep doing business and avoid attempting a solution.
That way, the model can take its rightful place as a bringer of light to the risk situation, rather than the enemy of one or more businesses.
In late 2008, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
6. Insurers must pay special attention to high growth/profit areas in their companies, as these are often the areas from which the greatest risks emanate.
All high growth areas are not risk problems, but almost all risk problems come from areas of high growth.
And high growth areas present several special problems for effective risk management.
High growth in the financial services field usually results when a firm has a new product or service or territory. There is almost always a deficit of experience and data about the riskiness of the new area. Uncertainty rules.
In new high growth areas, pricing can be far off the mark at the outset. If the initial experience is benign, then the level of pricing can become firmly set in the minds of the distributors, the market and the management. When adverse experience starts to undermine the pricing, it may be initially dismissed as an anomaly, a temporary loss. It may be very difficult to determine the real situation.
If risk resources were included in the plan for the high growth activity, they were probably not increased when the growth started to exceed expectations. As growth occurs, the risk resources are most often held at the level called for in the initial plan. Any additional resources that are applied to the growing area are needed to support the higher level of activity. Often this is simply a natural caution about increasing expenses in what may well be a temporary situation. This caution is often justified as growth ebbs. But in the situations where growth does not wane, a major mismatch between risk resources and business activity develops.
There is usually a political problem within the firm. The management of the highest growth area are most likely the current corporate heroes. It is very highly unlikely that the CRO will have as much clout within the organization as the heroes. The only solution to this issue is support from the CEO for the importance of risk.
Risk efforts need to be seen not as “business prevention” but as a partner with the business in getting it right. This is difficult to accomplish unless risk is involved from the outset. If the business gets going and growing with procedures that are questionable from a risk perspective, then it is quite possible that changing those procedures might well hurt the growth of the area. Risk needs to be involved from the outset so that appropriate procedures and execution of those procedures do not become a growth issue later on.
This is the most difficult and important area for the risk management of the firm. The business needs to be able to take chances in new areas where good growth is possible. The Risk function needs to be able to help these new activities to have the chance to succeed.
At the same time, the organization needs to be protected from the sort of corner cutting that leads to growth through drastically under-priced risks.
It is a delicate balancing act that requires a high degree of political skill as well as good business judgment about when to dig in the heels and when to let go.
In the 1980s, a dozen or more firms in the US and Canadian Life Insurance sector created and used what were commonly called required surplus systems. Dale Hagstrom wrote a paper that was published in 1981, titled Insurance Company Growth. That paper described the process that many firms used of calculating what Dale called Augmented Book Profits. An Augmented Book Profit later came to be called Distributable Earnings in insurance company valuations. If you download that paper, you will see on page 40 my comments on Dale’s work, where I state that my employer was using the method described by Dale.
In 1980, in the first work to which I was able to affix my newly minted MAAA, I documented the research into the risks of Penn Mutual Life Insurance Company that resulted in the recommendation of the Required Surplus, what we would now call the economic capital of the firm. By the time that Dale’s paper was published in 1981, I had documented a small book of memos that described how the company would use a capital budgeting process to look at the capital utilized by each line of business and each product. I was the scribe; the ideas came mostly from the Corporate Actuary, Henry B. Ramsey. We created a risk and profit adjusted new business report that allowed us to show that with each new product innovation, our agents immediately shifted sales into the most capital intensive or least profitable product. It also showed that more and more capital was being used by the line with the most volatile short term profitability. Eventually, the insights about risk and return caused a shift in product design and pricing that resulted in a much more efficient use of capital.
Throughout the 1980s, we improved upon the risk model each year, refining the methods of calculating each risk. Whenever the company took on a new risk, a committee was formed to develop the new required surplus calculation for that risk.
In the middle of the decade, one firm, Lincoln National, published the exact required surplus calculation process used by their firm in the actuarial literature.
By the early 1990s, the rating agencies and regulators all had their own capital requirements built along the same lines.
AND THEN IT HAPPENED.
Companies quickly stopped allocating resources to the development and enhancement of their own capital models. By the mid-1990s, most had fully adopted the rating agency or regulatory models in the place of their own internal models.
When a new risk came around, everyone looked into how the standard models would treat the new risk. It was common to find that the leading writers of a new risk were taking the approach that if the rating agency and regulatory capital models did not assess any capital to the new risk, then there was NO RISK TO THE FIRM.
Companies wrote more and more of risks such as the guaranteed minimum benefits for variable annuities and did not assess any risk capital to those risks. It took the losses of 2001/2002 for firms to recognize that there really was risk there.
Things are moving rapidly in the direction of a repeat of that same exact mistake. With the regulators and rating agencies more and more dictating the calculations for internal capital models and prescribing the ERM programs that are needed, things are headed towards the creation of a risk management regime that focuses primarily on the management of regulatory and rating agency perception of risk management and away from the actual management of risks.
This is not what anyone in the risk management community wants. But once the regulatory and rating agency visions of economic capital and ERM systems are fully defined, the push will start to limit activity in risk evaluation and risk management to just what is in those visions – away from the true evaluation of and management of the real risks of the firm.
It will be clear that it is more expensive to pursue the elusive and ever changing “true risk” than to satisfy the fixed and closed ended requirements that anyone can read. Budgets will be slashed and people reassigned.
Enterprise risk management experts, and surely even many neophytes, are fairly adept at identifying exposures and events that can impede their organizations. What is much more difficult is measuring the potentially adverse impact of risks, making this the biggest X factor in the ERM process.
Consequently, it is quite challenging to determine how much risk exposure an organization can “tolerate”—that is, the extent of adverse risk impact a company can absorb so that the attainment of its goals will not be jeopardized.
It is equally difficult to assess a company’s “threshold” to absorb these risk consequences—that is, the cross-over points beyond which significant strategic and operational changes need to be made.
What Might Your Stakeholders Do?
TRIGGERS:
Financial Outcomes: impact on capital and earnings
Business Line inadequacy: products and features, service
Business Misconduct and reputational impairment: putting future viability at risk
REACTIONS:
Customers or producers might cease doing business with firm or reduce volume
Investors might sell stock lowering the price in the process
Board might replace management or reduce compensation
Lenders might charge a higher price for capital
Rating agencies might downgrade
Institutional customers might not be permitted to do business with firm
As a result, it is likely that many organizations are exposed to risks that would materially compromise not only their current course but their very existence. In fact, the events of the last two years have dramatically highlighted this exposure, and many firms have been greatly harmed. Just ask AIG and Lehman Brothers. Measurement of risk impact—both quantitative and qualitative—is clearly the most critical endeavor to perform accurately in determining an organization’s tolerance for risk. It is possible for each element of the risk measurement and reporting process to be flawed, as they are often performed in a vacuum—the result can be too narrow and theoretical in scope. The quantifying component of risk measurement is built upon mathematics and modeling, utilizing:
A series of approximations and assumptions.
Identification of elements/variables to measure.
Determination of the relationship between the various risk factors and the outcomes they might jeopardize
The qualifying component, however, is often built on psychology—its effect on decision-making and the “emotional intelligence” of the individuals making judgments on risk. Consider the following:
People work on problems they think they can solve, and they avoid those they don’t think they can solve—due to complexity or political reasons. Elements in the latter category won’t be addressed.
They are slow and cautious in reacting to new information and reluctant to admit ignorance or mistaken assumptions. Solutions to risk mitigation may exist, but might not be implemented without inordinate study—paralysis by analysis.
They look at fewer as opposed to more perspectives, possibly missing a better solution.
They often place greater value on what they themselves have created than on what others have done, and may well miss out on higher-order thinking generated by a group and on the critical perspectives of others.
Jim Collins wrote the popular book “Good to Great” at the peak of the Dot Com boom. His latest book is titled “How the Mighty Fall” and features the five stages of rapid decline:
Stage 1: Hubris Born of Success
Stage 2: Undisciplined Pursuit of More
Stage 3: Denial of Risk and Peril
Stage 4: Grasping for Salvation
Stage 5: Capitulation to Irrelevance or Death
Strategic failure of a firm – which could come from a hubris-fueled rapid decline or simply from a shift of your customers when you are not paying enough attention – is really a risk that for most firms dwarfs the risks that are measurable and that are managed through the techniques of quantitative risk management.
According to a study conducted by Royal Dutch Shell the average life expectancy of Fortune 500 firms is 40 to 50 years. That implies a 2% to 2.5% average annual failure rate.
Firms that are holding capital for measurable risks at a 1/200 level are pretending to protect their firm at a 0.5% annual failure rate.
But are quantitative risk management programs focusing too many resources on the things that can be measured and creating the Hubris, the false sense of invulnerability that is number one on the list above?
Certainly at some banks and some insurers that was the case.
Once you are convinced that you “know how to control risk” you are likely to go for it – the Undisciplined pursuit of More of the second item. Even if quantitative risk management is doing most of what is needed, successful risk management can and will lead to Hubris and undisciplined growth.
Of course, sooner or later that lack of discipline will result in a misstep. And here is where risk management needs to be ready to make it real. The most common reaction to a problem in this situation is to assume that (a) this is not real, (b) this could not be happening to us – we are too good for this, and, when the bad news persists and grows in size and scope, (c) this will turn around soon, it is only a temporary blip. Those attitudes result in waiting too long to start doing anything. That is where risk management must be ready to step in again with realism and good plans for what to do next.
Unless risk management is caught up in the Hubris and Denial.
So try to make your move, risk managers, before it is to volunteer as a pall bearer.
The ERM Symposium is now 8 years old. Here are some ideas from the 2010 ERM Symposium…
Survivor Bias creates support for bad risk models. If a model underestimates risk there are two possible outcomes – good and bad. If bad, then you fix the model or stop doing the activity. If the outcome is good, then you do more and more of the activity until the result is bad. This suggests that model validation is much more important than just a simple-minded tick-the-box exercise. It is a life and death matter.
BIG is BAD! Well maybe. Big means large political power. Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system. Safer to not have your firm dominated by a single business, distributor, product, region. Safer to not have your financial system dominated by a handful of banks.
The world is not linear. You cannot project the macro effects directly from the micro effects.
Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame. That will not change, so more due diligence needs to be a part of the target pre-selection process.
For merger of mature businesses, cultural fit is most important.
For newer businesses, retention of key employees is key
Modelitis = running the model until you get the desired answer
Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
Why do we think that any bank will do a good job of creating a living will? What is their motivation?
We will always have some regulatory arbitrage.
Left to their own devices, banks have proven that they do not have a survival instinct. (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government. They simply do not believe that they will fail.)
Economics has been dominated by a religious belief in the mantra “markets good – government bad”
Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral. If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral? Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
It was said that systemic problems come from risk concentrations. Not always. They can come from losses and lack of proper disclosure. When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone. None do enough disclosure and that confirms the suspicion that everyone is impaired.
Systemic risk management plans need to recognize that this is like forest fires. If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous. And someday, there will be another fire.
Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output. The financial markets are complex systems. The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense. So markets will always be efficient, except when they are drastically wrong.
Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
People with bad risk models will drive people with good risk models out of the market.
Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
It was easy to sell the idea of starting an ERM system in 2008 & 2009. But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
If the risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it. Whether or not you have a risk management program.
If any of you heard me give the luncheon talk last year at the ERM Symposium, you will have to mark your calendars to attend a follow-up session on the same topic this year. This year, Michael Thompson will be doing most of the talking.
That topic is the application of Plural Rationalities (aka Cultural Theory) to risk management.
Over the year since I gave that speech I have been working with Michael Thompson, one of the original authors of the Cultural Theory book, to explain the ways that the ideas from anthropology help to explain and can help to plan for the various experiences.
The key idea is called Surprise! That is the name for what happens when someone expects one thing and another happens. Thompson will be explaining how Surprise is a key driver of how people experience the risk environment.
In addition, I will be discussing an agent based model called The Surprise Game that demonstrates the dynamics of a system that runs under the rules of Plural Rationalities.
Thompson will wrap up with a discussion of the Clumsy solutions that have been found to be the answer to the puzzle of the world of risk.
So if I caught anyone’s interest last year at lunch with my smiley faces, come back this year for some serious discussion of the four part world of Plural Rationalities.
Or more properly, must ERM be based upon an ethical position?
If so, is it possible that the ethical position that underlies many ERM programs is different from the ethical system of the firm?
One school of ethics, Utilitarianism, suggests that we should pursue the “greatest good for the greatest number”. Unknown to many who subscribe to this ethical school, Utilitarianism is a close cousin to Hedonism, that has the famous motto “Eat, Drink and be Merry for Tomorrow we may Die”.
In fact Adam Smith provides a direct link between those two mottoes with his invisible hand. If each individual follows the Hedonism rule, then the Utilitarianism objective will be met according to Smith.
Risk Management is based more on an Epicurean ethic. Philosophical Epicureans are not the art and wine connoisseurs of popular definition. They pursue tranquility that is achieved through banishment of fear.
Epicureans observed that indiscriminate indulgence sometimes resulted in negative consequences. Some experiences were therefore rejected out of hand, and some unpleasant experiences endured in the present to ensure a better life in the future. The summum bonum, or greatest good, to Epicurus was prudence, exercised through moderation and caution. (Wikipedia)
Interestingly, Thomas Jefferson spoke of himself as an Epicurean. The arguments between factions among the US founders, expressed in the Federalist Papers among other places, were in part an argument between Utilitarians and Epicureans.
And that is the same argument that plays itself out between Risk Management and business leaders in today’s firms. Some Risk Managers would argue that Risk Management is Ethical whilst their opponents are simply greedy. But looking behind the surface of that argument reveals that there are simply two different ethical schools.
Risk Managers need to find the common ground and show the value of their ethic to the Utilitarian/Capitalist school of ethics. Not an easy sale. But as a result of the Financial Crisis, more and more folks are coming to doubt the ultimate infallibility of that Invisible Hand. Epicurean thought is gaining traction.
There are repeated calls from the bank risk management community for more “AUTHORITY” for Chief Risk Officers. Most recently by the European Bank Supervisors. In their report of “High Level Principles for Risk Management” they actually call for a CRO that is totally independent of the hierarchy of the bank – reporting directly to the board.
This is a perfect solution – but not to the problem that they are addressing. It is a solution to the problem of CEO responsibility for risk and risk management. If a bank follows the EBS suggestion and makes the CRO totally independent of the CEO, then the CEO clearly no longer has any responsibility for risk, risk management or even losses.
So the CEO is responsible for gains and the CRO is responsible for losses.
Seems like a sweet arrangement for the CEO. Not so sweet for the Bank.
There are several possible outcomes, but only one likely one. The likely one is that the CRO will get this position and then will be totally ignored until the time comes to find someone responsible for a bad outcome and then the CRO will be toast. The CEO just bought a free pass for bad results.
The desired outcome is not much better. The desired outcome is that there will be a constant fight between the CEO and the 99% of the organization that works for him/her and the CRO with his/her 200 strong risk department. The CEO will not have to listen to the CRO. The CRO will need to decide how often to take his/her arguments up to the board. The CRO is given “authority”.
But what is really needed is not to have a more powerful cop. What is needed is for the entire organization to have a role in keeping the enterprise in business. That will not be accomplished by making one person solely responsible. Unless that one person is the CEO.
The idea is that person would protect the ability of the firm to be open minded. To consider both options and adverse possibilities. The CIO would be the person who does not ever believe the claims on the outside of the box. They would be the person who breaks the new toy immediately because they hold it the wrong way (hopefully while still in the store.) The CIO would be the person who is not so sure even when “everyone knows” that there is no risk in that new and growing area.
The CIO would also remind everyone that just because they have more information about one alternative it is not necessarily the best choice. Sometimes, the best choice is to go ahead with something that is not necessarily known for sure to work.
The CIO would also provide the childlike ability to see old things in a new light and possibly see new solutions for old problems that utilize tools that are right there on the worktable but that we always thought were only to be used for something else.
The CIO will be willing to try lots and lots of different solutions because they will not know in advance which one will work.
The CRO definitely should have a lieutenant who is their CIO. Someone who will actually see the road ahead because they have not been down it so many times that they no longer look.
In late 2009, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
1. The success of ERM hinges on a strong risk management culture which starts at the top of a company.
This seems like a very simple statement that is made over and over again by most observers. But why is it important and why is it very often lacking?
First, what does it mean that there is a “strong risk management culture”?
A strong risk management culture is one where risk considerations make a difference when important decisions are made PERIOD
When a firm first adopts a strong risk management culture, managers will find that there will be clearly identifiable decisions that are being made differently than previously. After some time, it will become more and more difficult for management to notice such distinctions because as risk management becomes more and more embedded, the specific impact of risk considerations will become a natural inseparable part of corporate life.
Next, why is it important for this to come from the top? Well, we are tying effective risk management culture to actual changes in DECISIONS and the most important decisions are made by top management. So if risk management culture is not there at the top, then the most important decisions will not change. If the risk management culture had started to grow in the firm, when middle managers see that top management does not let risk considerations get in their way, then fewer and fewer decisions will be made with real consideration of risk.
Finally, why is this so difficult? The answer to that is straightforward, though not simple. The cost of risk management is usually a real and tangible reduction of income. The benefit of risk management is probabilistic and intangible. Firms are compared each quarter to their peers.
If peer firms are not doing risk management, then their earnings will appear higher in most periods.
Banks that suffered in the current financial crisis gave up 10 years of earnings! But the banks that in fact correctly shied away from the risks that led to the worst losses were seen as poor performers in the years leading up to the crisis.
So what will change this? Only investors will ultimately change this. Investors who recognize that in many situations, they have been paying un-risk adjusted multiples for earnings that have a large component of risk premiums for low frequency, high severity risks.
They are paying multiples, in many cases where they should be taking discounts!
Here are New Decade Resolutions to adopt for firms that are looking to be prepared for another decade:
Attention to risk management by top management and the board. The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm. Survival must not be delegated to a middle manager. It must be a key concern for the CEO and board.
Action oriented approach to risk. Risk reports are made to point out where and what actions are needed. Management expects to and does act upon the information from the risk reports.
Learning from own losses and from the losses of others. After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar. Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
Forward-looking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines. Risk assessment needs to be calibrated to the future.
Skeptical of common knowledge. The future will NOT be a repeat of the past. Any risk assessment that is properly calibrated to the future is only one of many possible results. Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated. That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.
Drivers of risks will be highlighted and monitored. Key risk indicators are not just an idea for Operational risks that are difficult to measure directly. Key risk indicators should be identified and monitored for all important risks. Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external.
Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940. The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption.
Scope will be clear for risk management. I have personally favored a split between risk of failure of the firm strategy and risk of losses within the firm strategy, with only the latter within the scope of risk management. That means that anything that is potentially loss making except failure of sales would be in the scope of risk management.
Focus on the largest exposures. All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected. That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude. There should never be a large exposure that is too safe to need attention. Big transactions will also get the same kind of focus on risk.
Are you working with live ammunition with your risk management program?
What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?
The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?
If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.
Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.
I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.
Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a brake pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?
Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.
The job of RISK is not to override the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.
Riskviews was dormant from April to July 2009 and restarted as a forum for discussions of risk and risk management. You may have missed some of these posts from shortly after the restart…
Not listening to your CRO – having him too low down the management chain;
Hiring a CEO who “doesn’t want to hear bad news”;
Not linking the Board tolerance for risk to the risk management practices of the company;
Having the CRO report to the CFO instead of to the CEO or Board, i.e., not having a system of checks and balances in place regarding risk practices;
The board not leading the risk management charge;
Not communicating the risk management goals;
Not driving the risk management culture down to the lower levels of the organization;
Ignorance is not Bliss
Not doing your own risk evaluations;
Not expecting the unexpected;
Overreacting to risks that turn out to be harmless;
Don’t shun the risk you understand, only to jump into a risk you don’t understand;
Failure to pay attention to actual risk exposure in the context of risk appetite;
Using outsider view of how much capital the firm should hold uncritically;
Cocksureness
Believing your risk model;
The opinion held by the majority is not always the right one;
There can be several logical, but contradictive explanations for one sequence of events, and logical doesn’t mean true;
We do not have perfect information about the future, or even the past and present;
Don’t use old normal assumptions to model in the new normal;
Arrogance of quantifying the unquantifiable;
Not believing your risk model – waiting until you have enough evidence to prove the risk is real;
Not Seeing the Big Picture
Making major changes without heavy involvement of Risk Management;
Conflict of interest: not separating risk taking and risk management;
Disconnection of strategy and risk management: Allocating capital blindly without understanding the risk-adjusted value creation;
One of the biggest mistakes has to be thinking that you can understand the risks of an enterprise just by looking at the components of risk and “adding them up” – the complex interactions between factors are what lead to real enterprise risk;
Looking at risk using one single measure;
Measuring and reporting risks is the same as managing risks;
Risk can always be measured;
Fixation on Structure
Thinking that ERM is about meetings and org charts and capital models and reports;
Think and don’t check boxes;
Forgetting that we are here to protect the organization against risks;
Don’t let an ERM process become a tick-box exercise;
Not taking a whole company view of risk management;
Nearsightedness
Failing to seize historic opportunities for reform, post crisis;
Failure to optimize the corporate risk-return profile by turning risk into opportunity where appropriate;
Don’t be a stop sign. Understand the risks AND REWARDS of a proposal before venturing an opinion;
Talking about ERM but never executing on anything;
Waiting until ratings agencies or regulatory requirements demand better ERM practices before doing anything;
There is no obstacle so difficult that, with sufficient thought, cannot be turned into an opportunity;
No opportunity so assured that, with insufficient thought, cannot be turned into a disaster;
Do not confuse trauma with learning;
Using a consistent discipline to search for opportunities where you are paid to accept risk in the context of the entire entity will move you toward an optimized position. Just as important is using that discipline to avoid “opportunities” where this is not the case.
undertake positive NPV projects
risk comes along with these projects and should be priced in the NPV equation
the price of risk is the lesser of the external cost of disposal (e.g., hedging) or the cost of retention “in the context of the entire entity”;
also hidden in these words is the need to look at the marginal impact on the entity of accepting the risk. Am I better off after this decision than I was before? A silo NPV may not give the same answer for all firms/individuals;
What is important is the optimization journey, understanding it as a goal we will never achieve;
More Skin in the Game
Misalign the incentives;
Most people will act based on their financial incentives, and that certainly happened (and continues to happen) over the past couple of years. Perhaps we could include one saying that no one is peer reviewing financial incentives to make sure they don’t increase risk elsewhere in the system;
Not tying risk management practices to compensation;
Not aligning risk management goals with compensation;
Some good and not so good parts to this conference. Hosted by Courant Institute of Mathematical Sciences, it was surprisingly non-quant. In fact, several of the speakers, obviously with no idea of what the other speakers were doing, said that they were going to give some relief from the quant stuff.
Sad to say, the only suggestion that anyone had to do anything “different” was to do more stress testing. Not exactly, or even slightly, a new idea. So if this is the future of risk management, no one should expect any significant future contributions from the field.
There was much good discussion, but almost all of it was about the past of risk management, primarily the very recent past.
Here are some comments from the presenters:
Banks need regulator to require Stress tests so that they will be taken seriously.
Most banks did stress tests that were far from extreme risk scenarios, extreme risk scenarios would not have been given any credibility by bank management.
VAR calculations for illiquid securities are meaningless
Very large positions can be illiquid because of their size, even though the underlying security is traded in a liquid market.
Counterparty risk should be stress tested
Securities that are too illiquid to be exchange traded should have higher capital charges
Internal risk disclosure by traders should be a key to bonus treatment. Losses that were disclosed and that are within tolerances should be treated one way and losses from risks that were not disclosed and/or that fall outside of tolerances should be treated much more harshly for bonus calculation purposes.
Banks did not accurately respond to the Spring 2009 stress tests
Banks did not accurately self assess their own risk management practices for the SSG report. Usually gave themselves full credit for things that they had just started or were doing in a formalistic, non-committed manner.
Most banks are unable or unwilling to state a risk appetite and ADHERE to it.
Not all risks taken are disclosed to boards.
For the most part, losses of banks were < Economic Capital
Banks made no plans for what they would do to recapitalize after a large loss. Assumed that fresh capital would be readily available if they thought of it at all. Did not consider that in an extreme situation that results in the losses of magnitude similar to Economic Capital, that capital might not be available at all.
Prior to Basel reliance on VAR for capital requirements, banks had a multitude of methods and often used more than one to assess risks. With the advent of Basel specifications of methodology, most banks stopped doing anything other than the required calculation.
Stress tests were usually at 1 or at most 2 standard deviation scenarios.
Risk appetites need to be adjusted as markets change and need to reflect the input of various stakeholders.
Risk management is seen as not needed in good times and gets some of the first budget cuts in tough times.
After doing Stress tests need to establish a matrix of actions that are things that will be DONE if this stress happens, things to sell, changes in capital, changes in business activities, etc.
Market consists of three types of risk takers: Innovators, Me Too Followers and Risk Avoiders. Innovators find good businesses through real trial and error and make good gains from new businesses, Me Too Followers follow innovators, getting less of the gains because of slower, gradual adoption of innovations, and Risk Avoiders are usually into these businesses too late. All experience losses eventually. Innovators’ losses are a small fraction of gains, Me Too losses are a sizable fraction and Risk Avoiders often lose money. Innovators have all left the banks. Banks are just the Me Too and Avoiders.
T-Shirt – In my models, the markets work
Most of the reform suggestions will have the effect of eliminating alternatives, concentrating risk and risk oversight. Would be much safer to diversify and allow multiple options. Two exchanges are better than one, getting rid of all the largest banks will lead to lack of diversity of size.
Problem with compensation is that (a) pays for trades that have not closed as if they had closed and (b) pay for luck without adjustment for possibility of failure (risk).
Counter-cyclical capital rules will mean that banks will have much more capital going into the next crisis, so will be able to afford to lose much more. Why is that good?
Systemic risk is when market reaches equilibrium at below full production capacity. (Isn’t that a Depression – Funny how the words change)
Need to pay attention to who has cash when the crisis happens. They are the potential white knights.
Correlations are caused by cross holdings of market participants – Hunts held cattle and silver in 1908's, causing correlations in those otherwise unrelated markets. Such correlations are totally unpredictable in advance.
National Institute of Finance proposal for a new body to capture and analyze ALL financial market data to identify interconnectedness and future systemic risks.
If there is better information about systemic risk, then firms will manage their own systemic risk (Wanna Bet?)
Proposal to tax firms based on their contribution to gross systemic risk.
Stress testing should focus on changes to correlations
Treatment of the GSE Preferred stock holders was the actual start of the panic. Lehman a week later was actually the second shoe to drop.
Banks need to include variability of Vol in their VAR models. Models that allowed Vol to vary were faster to pick up on problems of the financial markets. (So the stampede starts a few weeks earlier.)
Your firm’s Risk Profile is a function of two things, the Opportunities for risk taking and your capabilities. Using your capabilities, you will choose from your opportunities for risk to get your gross risk exposures. Then your capabilities will again take over and treat your risks to bring them to the net risks.
So your capabilities make two contributions to risk management.
A firm with strong capabilities will find the best opportunities from the choices that the firm has based upon its access to sourcing risks. Those opportunities will have the most favorable risk reward potential.
Then the strong capabilities will seek to trim the risk through risk treatment, giving up as little return as possible while offsetting or otherwise reducing risks as much as possible.
A firm that wants to increase its capabilities has three choices: Acquiring, Partnering or Training.
Risk capabilities can be Acquired in bulk by acquiring a firm with good capabilities, or by hiring one risk professional at a time. With Partnering, the firm gets help from the partner who could be a consulting firm or an intermediary. By using Training to acquire capabilities, the firm seeks to add capabilities to existing staff.
Each possibility has different short and long term costs and each has different levels of dependability and time to start up.
Many, many good questions and good ideas at the RISK USA conference in New York. Here is a brief sampling:
Risk managers are spending more time showing different constituencies that they really are managing risk.
May want to change the name to “Enterprise Uncertainty Management”
Two risk managers explained how their firms did withdraw from the mortgage market prior to the crisis and what sort of thinking by their top management supported that strategy
Now is the moment for risk management – we are being asked for our opinion on a wide range of things – we need to have good answers
Availability of risk management talent is an issue. At both the operational level and the board level.
Risk managers need to move to doing more explaining after better automating the calculating
Group think is one of the major barriers of good risk management
Regulators tend to want to save too many firms. Need to have a middle path that allows a different sort of resolution of a troubled firm than bankruptcy.
Collateral will not be a sufficient solution to risks of derivatives. Collateral covers only 30 – 50% of risk
No one has ever come up with a theory for the level of capital for financial firms. Basel II is based upon the idea of keeping capital at about the same level as Basel I.
Disclosure of Stress tests of major banks last Spring was a new level of transparency.
Banking is risky.
Systemic Risk Regulation is impossibly complicated and doomed to failure.
Systemic Risk Regulation can be done. (Two different speakers)
In Q2 2007, the Fed said that the sub-prime crisis is contained. (let’s put them in charge)
Having a very good system for communicating was key to surviving the crisis. Risk committees met 3 times per day 7 days per week in fall 2008.
Should have worked out in advance what to do after environmental changes shifted exposures over limits
One firm used ratings plus 8 additional metrics to model their credit risk
Need to look through holdings in financial firms to their underlying risk exposures – one firm got rid of all direct exposure to sub prime but retained a large exposure to banks with large sub prime exposure
Active management of counterparties and information flow to decision makers of the interactions with counterparties provided early warning to problems
Several speakers said that largest risk right now is regulatory changes
One speaker said that the largest Black Swan was another major terrorist attack
Next major systemic risk problem will be driven primarily by regulators/exchanges
Some of the structured markets will never come back (CDO squareds)
Regret is needed to learn from mistakes
No one from major firms actually went physically to the hottest real estate markets to get an on the ground sense of what was happening there – it would have made a big difference – Instead of relying solely on models.
Discussions of these and other ideas from the conference will appear here in the near future.
Back in 1984 an anthropologist, Mary Douglas, wrote about her theory for why people chose to form and continue to associate with groups. She postulated that the way that people thought about RISK was a primary driver.
Cultural Theory describes four views of RISK:
Individualists see the world as mean reverting. Any risk that they take will be offset by later gains.
Egalitarians see the world in a delicate balance where any risky behaviors might throw off that balance and result in major problems.
Authoritarians see the world as dangerous but manageable. Some risk can be taken but must be tightly controlled.
Fatalists see the world as unpredictable. No telling what the result might be from risk taking.
The dynamics of human behavior are influenced by these four groups. People shift between the four groups because they find the environment either validating their belief or failing to validate their belief.
Cultural Theory also sees that there are broadly four different risk regimes in the world. The four groups exist because the risk regime that validates their view of risk will exist some of the time.
These four regimes are:
Normal Risk – when the ups and downs of the world fall within the expected ranges.
Low Risk – when everything seems to be working out well for the risk takers and the dips are quickly followed by jumps.
High Risk – when the world is on the edge of disaster and hard choices must be made very carefully.
High Loss – when the risks have all turned to losses and survival does not seem certain.
There are huge implications of these ideas for risk managers. Risk management, as currently practiced, is a process that is designed by Authoritarians for the Normal Risk regime. The Global Financial Crisis has shown that current risk management fails when faced with the other regimes.
One solution would be to redesign risk management to be a broader idea that can both use the skills of those other three views of risk and adapt to the other three regimes of risk.
This idea is discussed in more detail here and in a forthcoming series of articles in Wilmott Magazine.
You can read what he has to say about it. I just wanted to pass along the term “Glass Box.”
A Glass Box Risk Model is one that is exactly the opposite of a Black Box. With a Black Box Model, you have no idea what is going on inside. With a Glass Box, you can see everything inside.
Something is needed, however, in addition to transparency, and that is clarity. To use the physical metaphor further, the glass box could easily be crammed with so, so much complicated stuff that it is only transparent in name. The complexity acts as a shroud that keeps real transparency from happening.
I would suggest that this argues for separability of parts of the risk model. The more different things that one tries to cram into a single model, the less likely that it is separable or truly transparent.
That probably argues against any of the elegance that modelers sometimes prize. More code is probably preferable to less if that makes things easier to understand.
For example, I give away my age, but I stopped being a programmer about the time when actuaries took up APL. But I heard from everyone who ever tried to assign maintenance of an APL program to someone other than the developer, that APL was a totally elegant but totally opaque programming language.
But I would suggest that the Glass Box should be the ideal for which we strive with our models.
On April 7 2009, the Financial Times published an article written by Nassim Taleb called Ten Principles for a Black Swan Free World. Let’s look at them one at a time…
2. No socialisation of losses and privatisation of gains. Whatever may need to be bailed out should be nationalised; whatever does not need a bail-out should be free, small and risk-bearing. We have managed to combine the worst of capitalism and socialism. In France in the 1980s, the socialists took over the banks. In the US in the 2000s, the banks took over the government. This is surreal.
Most assuredly the socialization of losses and privatization of gains is what has anyone outside of the banking sector furious. Within the sector, everyone seems to believe that they earned their share of the gains. Think about what you hear about the bonus scheme at the banks – the investment banks are said to be paying out about 50% of gains before bonus. I imagine that puts them approximately on par with the hedge funds, if the banks profit figure takes out overhead before calculating the 50% ratio. So the bank incentive comp is based upon the hedge fund incentive comp. Amazingly, the hedge fund managers manage to convince investors to give them their money and lenders to advance them funds to leverage without any hint of a bailout ever in their future. The hedge fund managers generally walk away from the fund when things go wrong and they no longer have a chance for outsized gains.
Do the bank shareholders understand that they are really investing in a highly leveraged hedge fund? The folks getting those bonuses surely understand that.
Is this the worst of capitalism and socialism? Probably so.
How do we get out of this? It seems that rather than limiting compensation, we ought to be assuring shareholders and debt holders of any firms that structure their compensation like hedge funds that they should expect to be treated like hedge funds in the event of failure. Goodbye, no regrets.
One way of looking at the compensation issue is to focus on time frame. There are four time frames to consider:
1. The employees – the recipients of the bonuses. Their time frame looks backwards. They want to be paid for the value that they created for the firm. They want to be paid in cash for that value.
2. The Short Term shareholders. Their time frame is in quarters. They are most interested in what will be posted as the next quarterly earnings. They want to be able to cash out their investment at the point where they believe that the next quarter’s earnings will not grow enough to support future price increases.
3. The Long Term shareholders. Their time frame is in years – probably 3 – 5 years, which is the expected holding period for a long term shareholder. They are looking for growth in value compared to share price and will usually sell when they believe that the intrinsic value of the firm starts to catch up with the market value.
4. The public. Our time frame is our lifetime. We need to have a financial system that works our entire lifetime. The public gets nothing from the changes in value of the financial system but ends up paying off the losses that exceed the capacity of the financial system.
The compensation and prudential capital for banks is a trade-off between the interests of all four of these groups. In the run up to the crisis, the system tilted in the favor of employees and short term investors to the extreme detriment of the long term shareholders and public.
So the solution is likely to be best if the interests of the long term shareholders are made more important. Right now, a large share, possibly most, of the long term shareholders are index funds. Index funds are extremely unlikely to want to have any say in corporate governance or compensation.
So you could surmise that the compensation aspect of the crisis and the drift of all things corporate to fall under the sway of short term investors is a result of the prevalence of index funds.
As an inanimate object one would think that a risk policy document would not lead to such intense, passionate discussion at the drafting stage. A policy document is just a policy document; where are these extreme reactions coming from?
Apparently there are two schools of thought when it comes to crafting policy. The less is more school of thought believes that a policy document should be philosophical in nature and rather than describing all risks in great detail, it should focus more on how risk would be handled and treated at (you guessed it) a policy level. For this school a policy document focuses more on the logistics of approvals, exceptions and mandates rather than actual limits or categorization of risk. The risk identification, limit setting, evaluation and reporting component is left to the supporting process document that accompanies the policy everywhere.
In their defense the less is more school believes that Boards do not have sufficient time to do justice to risk policy. An involved, multi chapter risk policy document would only get a superficial review at the Board level and would most likely get stamped for approval on account of the shortage of time and the competition for attention within the number of items on Boards’ agendas these days. So it is better to keep the policy short, sweet and relevant and shift the details to the process document that may or may not require direct approval from the Board. As long as the process document is in alignment with the policy, the Board has discharged its primary obligation by reviewing and approving the policy document without creating unnecessary delays in the approval process. Thereafter the Board can be pulled in and involved on an as needed basis on risk issues without spending too much time on the approval of minor or process oriented changes to the policy or process documents.
On the other side is the descriptive and prescriptive school of policy thought. Under this approach the policy document is a far more comprehensive write up that includes not just the types and categories of risks addressed but also suggested and proposed limits. These policies include everything the less is more school suggests and then some.
Both schools have their place in a risk group. Which one is right depends on how involved your Board is in the risk management process, the frequency with which it meets, its composition, its accessibility and the amount of time it can honestly devote to risk items on its agenda. Where a Board’s risk review group includes members whose availability and time are limited, where risk committee meetings are held once every quarter and where even ordinary risk items often get covered over multiple Board meetings, the less is more school is a better bet. Where Boards are more actively involved and Board members are easily accessible and where risk agenda items are covered in the same meeting, the second school may be more appropriate.
In the end what really matters is that both the process and policy documents support the reality that unfortunately exists regarding demands on the Board of Directors’ time, at least here in this region. In the absence of SOX like regulation in large parts of the Middle East and Asia Pacific it means that your policy documents shouldn’t turn the Board of Directors meeting into a recurring bottleneck when it comes to implementing risk policy.
I doubt you will find anyone else who breaks ERM into these two components: content and process.
Content includes all the stuff that consultants deliver such as lists of categorized risks, control plans, outstanding actions and colourful heat maps. This content is what I was once told by an EVP is the stuff “I put in a drawer after the meeting and never look at.” (Needless to say hearing this for the first time knocked the wind out of me!)
ERM is just a bunch of stuff that goes into a drawer until you build the process that supports the content. And this is the hard part.
I see the ERM process as a mechanism that provides everyone in the organization with an opportunity to stand on their desks and yell at the top of their lungs that they know where to find their organization’s risks and they should be heard (figuratively speaking!) I always say: the top five executives in any organization do not have a monopoly on all the risk identification in any organization.
Now the trouble with this approach lies in the fact that not all organizations have the sort of culture that promotes this kind of sharing. More often than not, the entry-level AP clerk doesn’t know what to do with their awareness of a risk; they may share it with their supervisor and the information dies right there, never to be escalated until something blows up (figuratively or literally), but it is too little too late.
ERM has to create tools and processes that allow the AP clerk to share their awareness of this risk, without fear, and this requires a change in the culture.