Archive for the ‘Risk Management System’ category

Risk Portfolio Management

April 18, 2013

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

Standard & Poor’s calls the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Portfolio Management process is nothing more or less than looking at the expected reward and loss potential for each major profit making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) flows from the Provisioning principle. EC is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage the risk/reward of the risk portfolio involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Portfolio Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Portfolio Risk Management usually fail to do so because they do not have a common measurement basis across all of their risks. The recent move of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Portfolio management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

Pitfalls of Risk Portfolio Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Portfolio Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Portfolio Management process.
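The two pitfalls above, allocations that shift after a divestiture and correlations that drift toward one, can be made concrete with a small calculation. This is an added example, not part of the original post: it assumes a variance-covariance aggregation of stand-alone capital and a proportional (Euler) allocation, neither of which the post specifies, and every line name and figure is constructed.

```python
import math

# Constructed sample: stand-alone economic capital per business line and an
# assumed correlation matrix. None of these figures come from the post.
LINES = ["property_cat", "casualty", "credit"]
STANDALONE = [500.0, 200.0, 100.0]
CORR = [
    [1.00, 0.25, 0.25],
    [0.25, 1.00, 0.50],
    [0.25, 0.50, 1.00],
]


def aggregate_capital(standalone, corr):
    """Diversified capital under the assumed aggregation: sqrt(c' R c)."""
    n = len(standalone)
    total_sq = sum(
        standalone[i] * corr[i][j] * standalone[j]
        for i in range(n)
        for j in range(n)
    )
    return math.sqrt(total_sq)


def euler_allocation(standalone, corr):
    """Allocate diversified capital to each line; the parts sum to the total."""
    total = aggregate_capital(standalone, corr)
    n = len(standalone)
    return [
        standalone[i] * sum(corr[i][j] * standalone[j] for j in range(n)) / total
        for i in range(n)
    ]


def blend_toward_one(corr, w):
    """Move every off-diagonal correlation a fraction w of the way to 1."""
    n = len(corr)
    return [
        [1.0 if i == j else corr[i][j] + w * (1.0 - corr[i][j]) for j in range(n)]
        for i in range(n)
    ]


def drop_line(standalone, corr, k):
    """Remove line k, as in a divestiture, and return the reduced inputs."""
    keep = [i for i in range(len(standalone)) if i != k]
    return (
        [standalone[i] for i in keep],
        [[corr[i][j] for j in keep] for i in keep],
    )


def correlation_stress(standalone, corr, weights=(0.0, 0.5, 1.0)):
    """Return (w, diversified capital, diversification benefit) per weight."""
    rows = []
    for w in weights:
        total = aggregate_capital(standalone, blend_toward_one(corr, w))
        rows.append((w, total, sum(standalone) - total))
    return rows


if __name__ == "__main__":
    before = euler_allocation(STANDALONE, CORR)
    print("Allocated capital with all three lines:")
    for name, cap in zip(LINES, before):
        print(f"  {name:13s} {cap:8.1f}")

    # Divest the largest line: the remaining lines are unchanged as
    # businesses, yet their allocated capital moves sharply.
    rest, rest_corr = drop_line(STANDALONE, CORR, 0)
    after = euler_allocation(rest, rest_corr)
    print("Allocated capital after divesting property_cat:")
    for name, cap in zip(LINES[1:], after):
        print(f"  {name:13s} {cap:8.1f}")

    # Stress the correlation assumption toward "all correlations go to one".
    print("Correlation stress (w, diversified capital, benefit):")
    for w, total, benefit in correlation_stress(STANDALONE, CORR):
        print(f"  w={w:.1f}  {total:8.1f}  {benefit:8.1f}")
```

With the constructed figures, the casualty line's allocated capital rises from about 119 to about 189 purely because the large catastrophe line left the portfolio, and the diversification benefit of about 171 disappears entirely when the correlations reach one.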

Risk Portfolio Management is one of the Seven ERM Principles for Insurers

Controlling with a Cycle

April 3, 2013

[Image: Helsinki city bikes]

No, not that kind of cycle… This kind:

[Image: Cycle]

This is a Risk Control Cycle. It includes Thinking/Observing steps and Action Steps. The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained. These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like. When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered. But when the threat actually happens, there are four possible responses: cooperation with disaster plan, becoming immobilized and ignoring the disaster, panic and anti-social advantage taking. Disaster planning sometimes goes no further than developing a path for people with the first response. A full disaster plan would need to take into account all four reactions. Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social. In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon. For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation. Or else a new source of large losses emerges from an existing area of coverage. Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980s when money market funds threatened to suck all of the money out of insurers, or in the 1990s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process. There may be different teams doing risk assessment, risk mitigation and assurance, for each separate threat. This can only make sense when the rewards for taking these risks are large because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  But taking up new activities with other unique threats is less of a problem under this mode.  Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions.  At the extreme of low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

CRO is not the Moral Compass

May 29, 2012

The American Banker has a new column on risk management. The first article is here. Clifford Rossi makes some good points about the JP Morgan story. But Riskviews takes issue with one point that he makes…

The paradigm of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same: losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Stearns and Lehman, folks who were involved all say that it was just a liquidity issue. If they just had a little more funds, they would have made the trades that would have brought the firm back.

The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.

Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand and are fully aware and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require to be notified about others.

In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.

However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager.  The loss that resulted would be a decision that did not work out as intended, not even necessarily a bad decision.  All decisions do not work out well.  And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.

If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.

Risk and Reward

May 19, 2012

Successful Businesses pay attention to risk.

- How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position. They have a basket. Each basket is different. It can easily hold so much. Sometimes, you decide to put a little more in the basket, sometimes a little less. They should know when they have stacked their risk far over the top of the basket.
- What kinds of risk to take. They have a plan for how much of each major class of risk they will pick up to use up the capacity of their basket.
- Then when they actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.
- And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace. Some business managers do it backwards. If they are not being paid much for risk, they fill up the basket higher and higher. That is what many did just prior to the financial crisis. In insurance terms, they grew rapidly at the peak of the soft market. Just prior to the crisis, risk margins for most financial market risks were at cyclical lows. What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest. Few do that. However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage. This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins. But it also needs to be informed by diversification principles. Short term thinking suggests that risk taking shift all to the particular risk with the immediate best risk adjusted margin. Long term thinking suggests something very different. Long term thinking realizes that the business needs to have alternatives. For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad. Risk and reward needs to develop a balance between short term and long term, to allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) and it may well be lower.  The risk reward system needs to be sensitive to all of these three possibilities and ready to react accordingly.

ERM Mission Statements

January 10, 2012

From the Annual Reports:

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an integrated approach to assessing and controlling risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
·      Understanding which risks the company is able to underwrite;
·      Assessing the risk-return trade-off associated with these risks;
·      Establishing limits for the level of exposure to a particular risk or combination of risks; and
·      Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

Let’s get Real

November 7, 2011

Talk to CROs and all the nice theories about risk management get put in their place.  In real companies, the loudest and most influential voice usually belongs to the people who want to add risks.

A real CRO is not often struggling with issues of risk theory.  They are totally immersed in the reality of corporate power politics.

  • In some firms, the CEO will set up the CRO in a position where risk concerns will trump all else.  The CRO will have authority to stop or curtail any activity that s/he feels is excessively risky.
  • In other firms, the CEO will set up the CRO to be one of many voices that are clamoring for attention and for their point of view to be heard.
  • And a third set of firms has the CRO as purely a reporting function, not directly involved in the actual decision making of the firm.

The first case sounds ideal, until the CRO and the CEO go head to head on a major decision.  The battle is not usually long.  The CEO’s view will win.  In these firms, it is usually true that the CRO and the CEO see eye to eye on most things.  The CEO in these firms has the opinion that the business units would take enough risk to imperil the firm if left alone.  But the CEO is still responsible for making sure that the firm is able to grow profitably.  And a CRO who gets used to power over risk decisions sometimes forgets that power comes solely from the CEO.  But for the most part, the CRO in this firm gets to implement the risk management system that works the way that they think is best.

The second case sounds much more common.  The CEO is not saying exactly how much s/he supports ERM.  The CEO will decide in each situation whether to support the CRO or a business unit head on any risk related major decision.  The risk management system in this firm exists in a grey area.  It might look like the risk management system of the first firm, but it does not always have the same amount of authority.  Managers will find out quickly enough that it is usually better to ask for forgiveness rather than follow the rules in the times when they see an important opportunity.  The CRO in this firm will be seeking to make a difference but has to define their goals as all relative.  Are they able to make a noticeable shift in the way that the firm takes risk?  That shift may not go all the way to an optimal risk taking approach, but it will be a shift towards that situation.  Over time they can hope to educate the business unit management to the risk aware point of view with the expectation that they will gradually shift to more and more comfort with the risk management system.

In some of these firms, the risk management system will look more like the system of the third case below – a Risk Information system.  The approach is to keep all of the negotiation and confrontation that is involved with managing risk limits and standards to be verbal rather than on paper.

In the third case, the risk management system exists to placate some outside audience.  The CEO has no intention of letting this process dictate or even change any of the decisions that s/he intends to make.  The most evident part of an ERM system is the reports, so the risk management system in these firms will consist almost entirely of reporting.  These firms will be deliberately creating an ERM Entertainment system.  The best hope in these firms is that eventually, the information itself will lead management to better decisions.

What is working against the CRO in the second and third cases are the risk attitudes of the different members of management.  If the CRO is targeting the ERM system and/or reports to the Manager risk attitude, then it might be a long time before the executives with other risk attitudes see any value in ERM.

Does Your Firm Know What To Do At a Yellow Light?

October 17, 2011

An Audi advertisement says:

The Yellow light was invented in 1920.  Almost 100 years later, 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time.  Everyone anywhere in a hurricane zone knows the annual season for those storms.  They make sure that they are prepared during that season and don’t worry so much in the off season.  Most risks do not have clear regular seasons, like hurricanes.  (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks.  And it needs to have plans for what needs to be done in each part of the firm so that they “Proceed with Caution”.  And the managers of the affected areas need to know those plans and their own roles.  And there needs to be a Yellow (or Amber) light that flashes somewhere.  And then the managers need to act; they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD; either Red Lights, Cement Barriers or Brick Walls.  A Red Light risk limit means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed.  A Cement Barrier risk limit means that you are prohibited from proceeding when you hit a limit.  A Brick Wall risk limit means that if you hit the limit, you are likely to be terminated.  In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals.  RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans of how to proceed when the Yellow Light goes on.

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is

“watch out for the other two groups”.

How to do Risk Management in Lean Times

September 30, 2011

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

  1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
  2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transferred to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
  3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can take up a very large part of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
  4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
  5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
  6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
  7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.

These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

How many significant digits on your car’s speedometer?

September 29, 2011

Mine only shows the numbers every 20 and has markers for gradations of 5. So the people who make cars think that, to drive a car, it is sufficient accuracy that the driver knows the speed of the car within 5.
And for the sorts of things that one usually needs to do while driving, that seems fine to me. I do not recall ever even wondering what my speed is to the nearest .0001.


That is because I never need to make any decisions that require the more precise value.
What about your economic capital model? Do you make decisions that require an answer to the nearest million? Or nearest thousand, or nearest 1?  How much time and effort goes into getting the accuracy that you do not use?

What causes the answer to vary from one time you run your model to another?  Riskviews tries to think of the drivers of changes as volume variances and rate variances.

The volume variances are the changes you experience because the volume of risk changes.  You wrote more or less business.  Your asset base grew or shrank.

Rate variances are the changes that you experience because the amount of risk per unit of activity has changed.  Riskviews likes to call this the QUALITY of the risk.  For many firms, one of the primary objectives of the risk management system is to control the QUANTITY of risk.

QUANTITY of risk = QUALITY of risk times VOLUME of risk.

Some of those firms seek to control quantity of risk solely by managing VOLUME.  They only look at QUALITY of risk after the fact.  Some firms only look at QUALITY of risk when they do their economic capital calculation.  They try to manage QUALITY of risk from the modeling group.  That approach to managing QUALITY of risk is doomed to failure.

That is because QUALITY of risk is a micro phenomenon and needs to be managed operationally at the stage of risk acceptance.  Trying to manage it as a macro phenomenon results in the development of a process to counter the risks taken at the risk acceptance area with a macro risk offsetting activity.  This adds a layer of unnecessary cost and also adds a considerable amount of operational risk.

Some firms have processes for managing both QUANTITY and QUALITY of risk at the micro level, at the risk acceptance stage.  The firm might have tight QUALITY criteria for risk acceptance or, if the firm has a broad range of acceptable risk QUALITY, it might have QUANTITY of risk criteria that have been articulated as the accumulation of quantity and quality.  (In fact, if they do their homework, the firms with the broad QUALITY acceptance will find that some ranges of QUALITY are much preferable to others and they can improve their return for risk taking by narrowing their QUALITY acceptance criteria.)

Once the firm has undertaken one or the other of these methods for controlling quality, then the need for detailed and complex modeling of their risks decreases drastically.  They have controlled their accumulation of risks and they already know what their risk is before they do their model.

Ten Commandments for a Crash

September 26, 2011

Joshua Brown wrote “Ten Commandments for a Crash” – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that it’s a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down! 

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists.

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things where you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  The bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Don’t Forget to Breathe

September 5, 2011

All air breathing organisms do not need any special process to avoid the risk of simply forgetting to breathe. Mostly, they just do it automatically. And if for some strange reason, they stop breathing, their body very quickly develops a violent response to the lack of new air.

Drinking and eating are not quite so automatic, but it is also unnecessary to remind people not to starve to death, when they have a choice to do otherwise.

Animals, including humans, can be observed to also have many, many automatic risk management behaviors. Fear of heights, startle reactions, fight or flight adrenalin releases, and so on. In fact, if you are at a loss of how to deal with any business risk, just go down the list of human natural defenses against risk and you will get lots and lots of different ideas. The natural environment in which the human species evolved was and remains very dangerous. Risks come at us from every direction. Some are constant (like falling from a great height) and some change all the time (like predators and competitors for resources).

Many business managers will contend that their company has developed automatic systems that are embedded in the DNA of the firm to handle risk. The continued existence of the firm is put in evidence as the primary proof of that contention.

The problem with believing that sort of argument is that while a failure to breathe will send an animal into fits of gasping, and dancing on the edge of a cliff will make most animals’ heads spin with a natural fear reflex, there are no noticeable consequences of a business stopping their risk management activities.

There are natural, automatic and almost fool proof mechanisms in animals to prevent them from taking some of the most immediately dangerous risks. There are absolutely none of those in a business setting.

So even if there has been a long history of ingrained risk management actions in a firm, a sudden change in personnel can send all that right out the window.

One way of looking at a risk management system is as the replacement for the natural fail safe mechanisms.

Nature saw fit to add a violent automatic natural reaction to a lack of air to the automatic breathing mechanism that can be consciously overridden. The business risk management traditions can be easily and painlessly overridden, unless there is a good risk management system to make the company gasp for breath.

You might find yourself swimming underwater. You override your natural urge to breathe. There are interesting things to see underwater. But you will find it very difficult to stay under too long. Your body has failsafe mechanisms that mean you have to work at it very hard to stay under long enough to really hurt yourself. In fact, the mechanism seems to have such a margin of error that you start to want to come back up when you still have the capacity to get back to the surface.

Companies have no similar automatic mechanism.  When someone fails to do the risk management that they should, usually the reaction is that things look and seem better.  Most often, risk management depresses profits, and reduces choices.  The feedback that is experienced leads in exactly the wrong direction.

A risk management system is the answer to the problem.  The risk management system needs to have mechanisms to keep reminding employees that they need to follow the system rules.

Risk management is not at all like breathing.  In fact quite the opposite.  A firm that wants to have risk management for the long term will need to have a formal process to remind employees that it is important.  In addition, the importance of risk management needs to be periodically reinforced by statements of support from top management.

Risk management is more like a medicine that a person who feels perfectly fine is asked to take regularly.  Every day, they get up and take this medicine, but there is no obvious indication that the medicine is needed.  Many will simply start to forget to take the medicine.  Stop wasting the time it takes to buy and take the medicine.  Avoid even minor side effects.

On the other hand, things that are bad for your health give quite positive short term feedback.

The trick is to make risk management become more and more like breathing.  To make it a reflex and to build up the mechanisms that will send out danger signals if someone tries to override those automatic mechanisms.

ERM Disclosure (2)

August 22, 2011

In a post last week, it was noted that US insurers are starting to admit to managing their risks in their public disclosures.  The 671 word discussion of the ERM process of Travelers was reproduced.  (Notice that over 100 of those words talk about the unreliability of the ERM system.)

But disclosure of ERM processes has been much more widespread and much more extensive in other parts of the world for more than 5 years.

For example, Munich Re’s 2010 annual report has a 20 page section titled Risk Report.  That section has sub headings such as:

Risk governance and risk management system

Risk management organisation, roles and responsibilities

Control and monitoring systems

Risk reporting

Significant risks

Underwriting risk: Property-casualty insurance

Underwriting risk: Life and health insurance

Market risk

Credit Risk

Operational risk

Liquidity risk

Strategic risk

Reputation Risk

Economic Capital

Available Financial Resources

Selected Risk Complexes

It is not just Munich Re.  Manulife’s Risk Management disclosure is 22 pages of their annual report.  Below is the introduction to that section:

Manulife Financial is a financial institution offering insurance, wealth and asset management products and services, which subjects the Company to a broad range of risks. We manage these risks within an enterprise-wide risk management framework. Our goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue, earnings and capital growth.
We seek to achieve this by capitalizing on business opportunities that are aligned with the Company’s risk taking philosophy, risk appetite and return expectations; by identifying, measuring and monitoring key risks taken; and by executing risk control and mitigation programs.
We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management (“ERM”) framework sets out policies and standards of practice related to risk governance, risk identification, risk measurement, risk monitoring, and risk control and mitigation. With an overall goal of effectively executing risk management activities, we continuously invest to attract and retain qualified risk professionals, and to build, acquire and maintain the necessary processes, tools and systems.
We manage risk taking activities against an overall risk appetite, which defines the amount and type of risks we are willing to assume. Our risk appetite reflects the Company’s financial condition, risk tolerance and business strategies. The quantitative component of our risk appetite establishes total Company targets defined in relation to economic capital, regulatory capital required, and earnings sensitivity.
We have further established targets for each of our principal risks to assist us in maintaining appropriate levels of exposures and a risk profile that is well diversified across risk categories. In 2010, we cascaded the targets for the majority of our principal risks down to the business level, to facilitate the alignment of business strategies and plans with the Company’s overall risk management objectives.
Individual risk management programs are in place for each of our broad risk categories: strategic, market, liquidity, credit, insurance and operational. To ensure consistency, these programs incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework, covering:

■ Assignment of risk management accountabilities across the organization;
■ Delegation of authorities related to risk taking activities;
■ Philosophy and appetite related to assuming risks;
■ Establishment of specific risk targets or limits;
■ Identification, measurement, assessment, monitoring, and reporting of risks; and
■ Activities related to risk control and mitigation.

Such frank discussion of risk and risk management may be seen by some US insurers’ management to be dangerous.  In the rest of the world, it is moving towards a situation where NOT discussing risk and risk management frankly and openly is a risk to management.

Which would you prefer?

Reporting on an ERM Program

August 15, 2011

In a recent post, RISKVIEWS stated six key parts to ERM.  These six ideas can act as the outline for describing an ERM Program.  Here is how they could be used:

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

REPORT: Display the risk profile of the firm.  Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past.  Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions. 

2.  Firm needs to be sure of the quality of the risks that they take.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

REPORT:  Display the risk quality of the firm.  Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes.  Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

REPORT:  The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached.  A record of breaches should also be shown.  (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.)  Emerging risks should have their own control cycle and be reported as well.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

REPORT:  For General Insurance, this means reporting combined ratio.  In addition, it is important to show how risk margins are similar to market risk margins.  Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest.  This is accomplished by mark-to-market accounting for investment risks.  Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins.  This should be clearly reported, as well as the reasons for that activity.  

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

REPORT:  Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks.  This process has its own control cycle.  The reporting for this control cycle should be similar to the process described above.  This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.  

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.

REPORT:  Losses can be shown in four layers: expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital, and losses that exceed capital.  The likelihood of losses in each of those four layers should be described as well as the reasons for material changes.  Some firms will choose to report their potential losses in two layers: expected losses and losses that reach a certain likelihood (usually 99.5% in a year or similar likelihood).  However, regulators should have a high interest in the nature and potential size of those losses in excess of capital.  The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.

You Must Abandon All Presumptions

August 5, 2011

If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things to successfully manage risks are being done, and done now, not sometime in the distant past.

A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks.  The pilot will review:

  • the route of flight
  • weather at the origin, destination, and en route
  • the mechanical status of the airplane
  • mechanical issues that may have been improperly logged
  • the items that may have been fixed just prior to the flight to make certain that system works
  • the flight computer
  • the outside of the airplane for obvious defects that may have been overlooked
  • the paperwork
  • the fuel load
  • the takeoff and landing weights to make sure that they are within limits for the flight

Most of us do not do anything like this when we get into our cars to drive.  Is this overkill?  You decide.

When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.

Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process.  One that RISKVIEWS would recommend to be used by risk managers.

THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT

Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

2.  The firm needs to be sure of the quality of the risks that it takes.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, and feedback.

4.  The pricing of the risks needs to be adequate, at least for risks that are traded, if you are in the risk business like insurers.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

6.  The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.

A firm ultimately needs all six of these things.  Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.

The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things.  Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

July 25, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  It is quite possible that the CEO might not know that terminology, but the CFO should.  And if the insurer actually has an ERM program, then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they have never felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It means either that their staff never takes any significant risks that might need trimming or else that there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

So a firm with a good ERM program might be telling any of those stories in answer to the question.

10 ERM Questions from an Investor – The Answer Key (3)

July 8, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

3.  The answer to this question requires several parts of risk management to be right.  First of all, the answerer needs to know which risk position grew the most.  Second of all, in a good risk management program, the position that grew the most should have had by far the most scrutiny.  High growth does not always spark big blow ups, but big blow ups are always preceded by high growth.  A firm that is not paying lots and lots of attention to its fastest growing risk is not going to end up with good results.  The highest growth positions require a disproportionately large amount of attention, but most often they get a disproportionately smaller share of attention.  Risk management budgets are determined based upon the business at the start of the year.  Finally, to answer the question, the firm needs to have someone who they can immediately identify who is responsible for that risk.  Best practice is to have a senior person responsible for each major risk.  That should be a business person, not the CRO or CFO.  If it is not the same person who is responsible for sales and profits, then management has set up a fight.  On one side is the person responsible for bringing in the business and for achieving profits.  On the other side is the person responsible for preventing losses.  Not a fair fight in most firms.

In the end, the best practice firms recognize that in situations of great change, there needs to be a special ERM process that exceeds the regular ERM process.

10 ERM Questions from an Investor – The Answer Key (2)

July 6, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

2.  One of the large banks that is no longer with us had, on paper, a complete ERM system with a board risk committee that they reviewed their risk reports with every quarter.  But in 2007, when the financial markets were starting to crack up, their board risk committee had not met for more than six months.  The answer to this question is the difference between a pretend ERM system and a real risk system.  The time spent should be proportionate to the complexity of the risk positions of the firm.  For the banks with risk positions that are so complex that they feel that they cannot possibly find enough paper to disclose them, there needs to be much more board time spent, since investors are relying on board oversight rather than market discipline to police the risk taking.  Ask Bernie what you can get away with if there is no disclosure and no oversight.

Many CEOs will tell you that the board has always spent plenty of time talking about risk.  This might be true.  But the standard now is for boards to have a formal risk committee.  Boards that have simply added risk to the Audit Committee’s agenda end up shortchanging either audit or risk or both.  The Audit Committee had a full plate before the Risk responsibility was added.

And for a larger complex firm, a single annual briefing on risk is definitely not sufficient.  For a firm with an ERM program, the board needs to review the risk profile, both actual and planned for each year, approve the risk appetite, approve the ERM Framework and policies of the firm, review the risk limits and be informed of each breach of the limits or policies of the firm.  If the firm has an economic capital model, the model results need to be presented to the board risk committee each year and updated quarterly.  Risks associated with anything new that the company is doing would be presented as well.

Does that sound like anything other than a full committee?  So your follow-up question, if the CEO gives a vague answer, is to ask whether the board reviewed each of the items listed in the preceding paragraph in the past year.

Back to that former bank.  Their risk reports showed a massive build up in risk in violation of board approved limits.

And the board risk committee saved time by not meeting during the period of that run up in risk.

ERM in a Low Interest Rate Environment

June 14, 2011

(Excerpts from presentation at Riskminds USA)

A discussion of how the current low interest rate environment impacts choices for (1) interest rate risk, (2) other risks and (3) Enterprise Risk Management.

How an insurer might react to low interest rates depends to a large extent on risk taking strategy and their point of view about interest rate risk.  There are four primary strategies for interest rate risk:
  • Minimize Risk
    • The Classic ALM approach is designed to minimize risk.  Duration mismatch is a measure of the degree to which you failed to achieve risk minimization.  Most ALM programs allow for an acceptable level of mismatch which might be an operational risk acceptance or it might be an option to take some interest rate risk tactically.  Risk is evaluated compared to Zero (matched position).
  • Accumulate Risk
    • The classic approach of banks to interest rate risk is to accumulate it.  The Japan carry trade is an interest rate accumulation trade.  Life Insurers usually Accumulate Mortality Risk.  Non-Life Insurers usually Accumulate attritional Risks.  Accumulation of risk usually means that there is no limit to the amount of the risk that may be taken if it is priced right.  Risk is evaluated compared to expected cost using Utility theory – accept risk if expected value >0.
  • Manage Risk
    • The New ERM approach to Risk is to Manage Risk by looking at Risk vs. Reward for the portfolio of risks including diversification effects.  This means taking a Strategic or Tactical approach to making choices - Return Targets “Over the Cycle” or “Every Year”.  Risk is evaluated with an Economic Capital model.  Risk means increase in total enterprise Economic Capital.
  • Diversify Risk
    • Many firms pay attention to diversification, but few make it the cornerstone to their ERM.  Firms focused on diversification will accumulate a risk as long as it does not come to dominate their risk profile and if it is expected to be profitable, often taking a purely Tactical approach to which risks that they will accumulate.  They may not even have a chosen Long Term Strategic view of most risks.  They evaluate each risk in comparison to other risks of the enterprise.  The target is to have no single large risk concentration.

There are two aspects of Point of View that you need to be clear about:
  • Long Term Strategic vs. Short Term Tactical
    • You might ignore both and simply avoid a risk
    • You might ignore Strategic and take risks tactically that might not make sense in the long run
    • You might Strategically decide to take a risk and ignore Tactical which means you take the risk no matter the environment
    • You might pay attention to both and always take the risk but vary the amount of the risk
  • Going Concern vs. Going out of Business
    • Classic ALM (and Economic Capital models) use a “going out of business” model
    • But the “Going Concern” model is much more complicated and requires assumptions about future business and should include a going out of business assumption

With these questions resolved, a company can go about setting its strategy for interest rate risk taking in a low interest rate environment.

To do that, it may want to look at three scenarios:

  • Scenario 1 – Interest Rates stay low
  • Scenario 2 – Interest Rates increase slowly
  • Scenario 3 – Interest Rates increase quickly

For each scenario, look at the implications for both interest rate risk as well as all of the other aspects of their risk profile and their business strategy.  If a scenario shows results that are unacceptable, then the planners and risk managers need to develop strategies to avoid or mitigate the projected problem, should that scenario come to pass, as well as triggers for initiating those activities should the scenario appear imminent.

Incorporating Risk into Planning and Strategy

May 31, 2011

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory and the business education that flows from utility theory suggest very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might also be reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often it actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under an external constraint system are ill-equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite, unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

  • Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
  • Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedance probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
  • Risk Controls review.  Each risk operates within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
  • Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.

 

Football is about more than just Shoes

April 28, 2011

Of course it is. The equipment never wins the game. It never runs the game.  But a team that shows up without proper equipment has only a slim chance of prevailing.

And ERM is about more than just models.  Some people have mistakenly equated ERM with Economic Capital or VAR models.  That makes no more sense than the idea that football is all about the shoes.

Football is about having the right team, assigning the right roles, setting the strategy and finally mostly about execution.  If you asked 1000 experts about football, few if any of them would even list the shoes.

But for ERM, you do need to also find the right people, assign the right roles, set the risk strategy and execute.

So why have models found their way into the debate about ERM in financial affairs?

Models in general and Economic Capital in particular have become central to the ERM process because insurers and banks have traditionally used very crude and very different approaches to measuring risks, when they actually did try to measure them.  It is difficult to believe that an industry like insurance, which exists by taking on risks from others, would not have a tradition of measuring how much risk it was taking on in any clear and consistent way.

The methods that tended to be employed by insurers worked when the risks that they were taking stayed the same over time, when the risks could be adequately tracked by reference to something that indirectly tracked with the level of the risk.  But when businesses and people and markets were changing the nature and level of risk constantly, those old relationships completely broke down.

The promise of economic capital and VaR models is to replace the old rules of thumb with timely and consistent scientific assessments of risk.

But even if that promise is achieved, the insurer or bank has only then got to the point of buying shoes for their football team.  Now they need to start training and coaching the team and watching to see how the team performs, providing feedback and constantly making adjustments as the other teams adjust their teams and strategies.

So the model is a start but it is the start of the football season, not even the start of the playoffs.

You have the shoes; now play the game.

Not About Capital

April 13, 2011

The reality is that regulatory capital requirements, no matter how much we try to refine them, will always be a blunt tool.  Certainly they should not create the wrong incentives, but we cannot micromanage firm behavior through regulatory capital requirements.  There are diminishing returns to pursuing precision in regulatory capital requirements.

Terri Vaughan, NAIC

These remarks were made in Europe recently by the lead US regulator of the insurance industry.  In Europe, there has never been a regulatory capital requirement that was risk related.  But the Europeans have been making the discussion all about capital for about 10 years now in anticipation of their first risk based capital regime, Solvency II.

The European assumption is that if they follow as closely as possible the regulatory regime that has failed so spectacularly to control the banking system, Basel II, then everything will be under control.

The idea seems to be that if you concentrate, really concentrate, on measuring risk, then insurance company management will really take seriously the idea of managing risk.   Of course, that conclusion is also based upon the assumption that if you really, really concentrate on measuring risk that you will get it right.

But the Law of Risk and Light tells us that our risk taking systems will lead us to avoid the risk in the light and to load up on the risk in the dark.

That means the risks that are properly measured by the risk based capital regulatory system will be managed.

But whatever risks are not properly measured will come to predominate in the system.  The companies that take those risks will grow their business and their profits faster than the companies that do not take those poorly measured risks.

And if everyone is required to use the same expensive risk measurement system, very, very few will invest the additional money to create alternate measures that will see the flaws in the regulatory regime.

The banking system had a flaw.  And many banks concentrated on risks that looked good in the flawed system but that were actually rotten.

What is needed instead is a system that concentrates on risk controlling.  A firm first needs a risk appetite and second needs a system that makes sure that their risks stay within their appetite.

Under a regulatory risk capital system, the most common risk appetite is that a firm will maintain capital above the regulatory requirement.  This represents a transfer of the duty of management and the board onto the regulator.  They never need to say how much risk they are willing to take.  They say instead that they are in business to satisfy the regulator with regard to their risk taking.

The capital held by the firm should depend upon the firm’s risk appetite.  The capital held should support the risk limits allowed by the board.

And the heart of the risk control system should be the processes that ensure that the risk stays within the limits.

And finally, the limits should not be a part of a game that managers try to beat.  The limits need to be an extremely clear expression of the fundamental way that the firm wants to conduct business.  So any manager that acts in a way that is contrary to the fundamental goals of the firm should not continue to have authority to direct the activities of the firm.

Systems of Controlling

March 28, 2011

Source: Controlling Modern Government

The four methods of controlling chart above can be very helpful to envision ways to improve risk management control systems.  A control system can use one or several of these methods.  But first it might require a little translation:

  1. Contrived Randomness – choosing by lots does not seem to be a control method, but in fact it is a part of a method that is used every day in almost every business.  Contrived randomness is usually used along with another of the control techniques.  Instead of constantly applying the other control processes, they are applied in a random fashion.  It is easy to imagine how the contrived randomness is vital to cost effective and just plain effective controlling.  If Oversight, for example, is used for controlling on a constant basis, it is very costly, requiring review of every single outcome.  However, if the Oversight is applied regularly, say every 10th event, then the cost is reduced by 90%, but the effectiveness is also reduced by up to 90%.  That is because the person who is being overseen can easily adjust to comply with the control process only on every 10th event and fail to comply the other 9 times without the control process noticing.  Using a random schedule means that a person seeking to avoid the effort of compliance is at much higher risk of being caught by oversight.  And even better, B.F. Skinner found that intermittent reinforcement provided by positive situations found in random inspections can have much higher impact on creating favorable habits than regular or even constant reinforcement.  The chart also suggests rotation of staff.  This part of the Contrived Randomness approach to controlling is seen in the efforts by banks to control fraud by shifting employees and especially by doing more thorough audits during employee vacations, which is again a combination of randomness and Oversight.
  2. Mutuality - When Mutuality is used as a control system, it sometimes uses peer review, in addition to processes that involve partnering.  The partnering process can be very expensive, or it may save time and money depending on the process.  When the partnering involves two people doing what one might have done, then the extra cost is obvious.  In fact, the cost might well be more than double for a two-person team because of the degree of interaction between the partners that might add time to the tasks.  This must be offset by an increase in effectiveness, quality or continuity for the doubling of resources to make sense.  But the control system application of peer review is very common.  The peer review can be at several possible levels – the peer can be doing a very high level check – “does this make sense?”  Or they can be doing a more thorough review.  Or the peer can be trying to totally independently reproduce the work being reviewed.  In addition, the decision must be made of the frequency of the peer review.  The same ideas expressed above about intermittent reinforcement apply to peer review.
  3. Oversight – monitoring from a supervisory position is the most common form of control.   The supervisor is the most natural candidate for the type of oversight that is needed.  It means broadening the supervisor’s role to go beyond the accomplishment of the primary objective of the unit to also include the controlling objectives.  The downside to this method is the dilution of the supervisor’s attention distracting them from the accomplishment of the primary objective.  In addition, there is the potential mismatch of skills and talents.  In some cases, the primary objective and the controlling objectives require very different methods and skills.
  4. Competition – Competition is another technique that  may be difficult to imagine as a control method.  And what is needed to make competition a controlling system is openness of information about the activities that are to be controlled.  For different members of a team to compete, they need to know what and how the others are doing.  This openness is not very common.  But one of the objectives of the open office movement is the free controlling that automatically comes in the open environment.  Some firms do use Competition through a totally open system of managing where all members of a unit know about what every other member is doing.  Control breaches then can only happen if the entire unit agrees that they are necessary.

Many would think that Oversight is the main form of controlling.  Hopefully, this post will expand your view to include these other options.
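
The contrived-randomness argument in item 1 can be checked with a small simulation, added here as an illustration and not part of the original post. It compares a fixed every-10th-event review cadence with a random schedule of the same review budget, against an actor who has learned the fixed cadence; the event count, the actor model and all function names are assumptions made for the example.

```python
import random


def periodic_schedule(n_events, period):
    """Oversight on a fixed cadence: every `period`-th event is reviewed."""
    return {i for i in range(1, n_events + 1) if i % period == 0}


def random_schedule(n_events, period, rng):
    """Contrived randomness: same number of reviews, positions drawn by lot."""
    budget = n_events // period
    return set(rng.sample(range(1, n_events + 1), budget))


def actor_compliance(n_events, period):
    """Events on which an actor who has learned the fixed cadence complies.

    Modelling assumption: the actor does the compliant work only on the
    events it expects to be reviewed and skips it on all the others.
    """
    return {i for i in range(1, n_events + 1) if i % period == 0}


def audit(n_events, reviewed, compliant):
    """Score one review schedule against one behaviour pattern."""
    # Reviewed events on which the actor did not comply are detections.
    detected = [i for i in sorted(reviewed) if i not in compliant]
    return {
        "reviews": len(reviewed),
        "violations": n_events - len(compliant),
        "caught": len(detected),
        "first_caught_at": detected[0] if detected else None,
    }


def compare(n_events=1000, period=10, seed=2011):
    """Run both schedules against the same actor with the same review budget."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    compliant = actor_compliance(n_events, period)
    return {
        "periodic": audit(n_events, periodic_schedule(n_events, period), compliant),
        "random": audit(n_events, random_schedule(n_events, period, rng), compliant),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Both schedules spend the same 100 reviews on 1,000 events; the fixed cadence detects none of the 900 skipped controls, while the random draw detects them on most of its reviews.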

Infrastructure Risk – Too High

March 23, 2011

The American Society of Civil Engineers has produced a report card on the state of the infrastructure in the US.

The good news is that the richest country in the world did not flunk.

The bad news is that the overall average grade is a D.

Now Warren Buffett reminds us that you shouldn’t expect an unbiased answer if you ask a barber whether you need a haircut.  And in this case, the civil engineers would benefit significantly from an increase of attention to infrastructure.

But let’s look at the sorts of suggestions that they make.  Many of them can be generalized to other areas of risk. (Paraphrased by Riskviews)

  • Encourage risk reduction/management programs
  • Use the best of current science rather than continuing to follow science from many years ago
  • Develop emergency action plans
  • Develop maintenance standards
  • Establish plan to fund needed improvements in risk management
  • Evaluate specific impact of failure to improve risk management
  • Educate stakeholders regarding above
  • Establish a regular review process

In the case of infrastructure, there is a recognized lifespan of the systems and a continual deterioration expected.

Risk systems in general are not thought of as wasting assets, but perhaps that is simply because risk management is so new.

Perhaps even the firms that have achieved the point of a full and integrated set of risk management systems should think of the useful life of those systems.

“The principal reason we have train crashes is a lack of investment in rail infrastructure – and the reason we have systemic crises is a lack of investment in financial infrastructure.”  Hugo Bänziger, in the FT

The money will always be there to keep funding innovations in the way that risk is added to a firm.

Crossroad of ERM

March 18, 2011

The ninth ERM Symposium in Chicago was the crossroads of ERM for a few days.

Heard there:

  • The Financial crisis was not the failure of regulators, except perhaps the OTS.
  • Compliance culture of risk management in banks contributed to the crisis
  • 85% of bank losses were from the structured finance area.
  • Securitization was 30 years old, but there was a quantum jump of complexity.
  • Banks were supposed to have been sophisticated enough to control their risks.
  • Discussion of subsidization of housing was broadly blamed.
  • Riskviews suggests that only a tiny part of the fault is with housing policy.  Rest is simply finger pointing at best and deliberate misdirection at worst.  Losses and problems in banks were 400% or more higher than actual losses in mortgages, possibly 1000% or more higher.  Severe losses resulted from using housing as the basis for gambling.  They could just as easily have bet on rainfall.  Then would they blame the weather for the losses?  Securities in play far exceeded the amount of mortgages.  And the multiple layers of bets concentrated on the worst stuff.
  • Regulators need to keep up with innovation and excessive leverage from innovation.
  • Riskviews:  No evidence that regulators have even started to deal with excessive leverage except in the crudest manner.  It is still possible for derivatives to skip right past leverage rules.  If you can replicate a highly levered position with a derivative position, then the derivative position IS A HIGHLY LEVERED POSITION.
  • German regulator requires that banks have a Risk Controller who reports directly to the board.
  • ERM is not an EASY button from Staples.
  • Energy firms that had excessive trading losses were allowed to fail.
  • Banking suffered from concentrated opacity.
  • The board has to challenge management about risk.  Masters of the Universe approach or the smartest guys in the room tries to intimidate the board into feeling too stupid if they ask any questions.
  • There will need to be major cultural changes for ICAAP/ORSA to be effective.
  • Many banks and insurers should be failing the use test for ERM regulation to be effective.
  • Stress testing is becoming a major tool for regulators.
  • European regulators could not apply real stress tests because that would have meant publicly asking banks to look at a scenario of major sovereign defaults in Europe.
  • Regulators need to be able to pay competitive market salaries
  • Cross border collaboration among regulators has broken out.
  • Difficult for risk managers to operate under multiple constraints of multiple regulators, accounting systems.
  • Riskviews: It would be much faster to reach wrong conclusions if there were only one system to worry about.  That is not the way to go if there is really a concern about risk.  The multiple points of view encourage true understanding of the underlying risks.
  • Banks are natural oligopolies
  • Nice tree/forest story:  Small trees take resources from the forest.  Large trees shade smaller trees making it harder for them to get sunlight.  Old trees die and fall crashing through the forest taking out smaller trees.
  • Riskviews:  This story illustrates to me that there is too much worry and manipulation to try to fix short term issues.  Natural processes work fairly well.  But interference has allowed a few trees to grow so large that little else can grow, making the forest unhealthy.  Solution is to trim largest trees and plant/encourage new smaller trees.
  • Things that people say will never go wrong will go wrong.
  • Compliance should be the easy part of ERM, not the whole thing
  • Asking dumb questions should be seen as good for firm.  10th dumb question might reveal something that no one else saw.
  • There is a lack of imagination of adverse events.  US has cultural optimism.  Culture is risk seeking.
  • Swiss approach to regulating banks is for their banks to hold the most capital.  Credit Suisse has signaled that they will seek lower return on capital.  Using that as marketing advantage – they are the most secure banks.
  • 90% of Risk Management professionals believe that Dodd Frank will push the risks of the financial system out of regulated banks into unregulated financial enterprises. (Hedge Funds)
  • Trade-off between liquidity and transparency is not true
  • Requirements to post collateral may not increase costs at all for non-financial firms.  The dealers were charging them for the lack of collateral.  Prices may go down net of all costs.
  • Bear Stearns was well capitalized.
  • People understand and prefer principles based regulation.  But when trust is gone everything moves towards rules.
  • Riskviews:  MTM should be adjusted for illiquidity.  Much larger adjustment than being contemplated for illiquid insurance liabilities.  Need to compare position size to trading volume.  If position is much larger than trading volume then liquidity adjustment needs to reflect possible price movements during the time needed to liquidate.
  • Many CROs have been given the role of minimizing capital required for the firm.
  • Insurers are moving rapidly to the bank model for this.
  • The range of ERM practices is narrowing
  • Riskviews: Narrow range of practices is only a good thing if the next large risk event is cooperative with practices that everyone is using.  Diversity is much, much healthier.
  • Need to get rid of arb between trading and banking books in banks.
  • FSA wants the whole world on one standard
  • Riskviews: Solves one problem.  Creates another that is doubtless much, much larger.
  • Difficult to explain decisions when there are multiple accounting and regulatory systems.
  • Investors need to do their own due diligence
  • Counterparties are not your friends.
  • Supervisors need to learn to say no.
  • Caveat Emptor
  • Riskviews: Modern US society has moved in the opposite direction of Caveat Emptor.  It is always someone else’s fault.  Risk Management needs to overcome this tendency.
  • Businesses need to learn to say no to non-core activities, no matter how good they look.  They usually do not have the expertise to really examine them, nor to manage them.
  • A risk metric that makes you more effective makes you special.
  • Do we overtrade?
  • Reduction of ROE target would take off pressure to take excessive risks.
  • Regulators put 80% weight on model and 20% weight on judgment.  Should be the other way around.
  • We have shifted to being too focused on risk, need to balance business need for returns.
  • There will be unintended consequences from the major shifts in regulation.
  • Must not freeze in a crisis.  Need to act and act approximately correctly.
  • Moral Hazard was a major issue.  Some people should be put in jail because of the crisis.
  • Riskviews: The losses to bank executives and employees were enormous.  People look at salaries of remaining bankers, forgetting that there are now 10% to 20% less of them.  Shareholders of Citi are still off 90% from the peak.  Execs whose net worth was largely in stock holdings and stock options are still out quite a large amount of money.  Riskviews has trouble understanding the moral hazard argument.  It does not match up well with any facts except the bail outs.  Moral hazard ONLY seems to have impact on creditors of banks.  Not unimportant but not the largest driver in bank activities.
  • SIFI do get GSE level cost of borrowing.
  • Riskviews: My question is why it is good public policy for monetary policy to transfer so much money to the shareholders and employees of banks?  They have been able to operate at approximately zero cost of goods sold for four years now.  Their lending rates do not pass all of those savings along.  Why does it make sense for the banks to find themselves to be so smart and well paid when they are being totally supported by monetary policy?  In any other business you would have to be totally brain dead to not succeed if someone gave you your raw materials for free.
  • More market discipline is needed.
  • Riskviews:  AMEN

Risk Policy

March 14, 2011

by Jean-Pierre Berliet

A risk policy specifies which risks a company will be willing to assume and which risks it will not. The risk policy of an insurance company focuses on:

  • creating and protecting shareholders’ value from the volatility of its financial results, and
  • containing the impact of this volatility on the cost of its capital and thus also, the cost of its risk capacity

Since insurance contracts involve assumption of insurance and investment risks, risk policies of insurance companies must include distinct insurance and investment components.

Insurance risk policy

To develop its insurance risk policy, a company needs to take into account its ability to establish and sustain a competitive advantage by leveraging superior capabilities (e.g. underwriting expertise, claim management, risk management, etc.).  It must evaluate the attractiveness of individual insurance markets based on analysis and assessment of key factors that shape business strategy, including:

  • Market structure and characteristics (size in premium revenue, number of accounts, distribution of exposures by location, industry, etc.)
  • Revenue growth potential
  • Business acquisition and underwriting expenses
  • Changes in customer needs and value perceptions
  • Assessment of relative competitive positions
  • Loss frequency and severity, and expected loss ratio
  • Correlations with macro economic factors (e.g., inflation and GDP growth rates), and other markets served by the company.
  • Systemic insurance risk
  • Availability, cost  and anticipated use of reinsurance

Insurance companies can use data available from public and private sources (e.g., brokers) to estimate the level and volatility of revenues and earnings associated with specific exposure types, i.e. to develop an “ex-ante” assessment of the risks it considers accumulating. The underlying loss distributions can then be used to develop estimates of i) capital intensity, ii)  the impact of the accumulation of specific exposures on the company’s risk profile, iii) the utilization of its risk capacity and iv) financial performance under alternative risk policies. In every situation, there is a need to verify that a company’s capital and earnings base are sufficient relative to limits written and the probable maximum loss of the portfolio to protect the company’s ratings and ensure the viability of the company as a going concern.

Investment risk policy

The investment risk policy needs to address the following two effects of investment value volatility that might cause:

  • The absolute market value of invested assets to fall in a given time period, thereby reducing available capital and risk capacity
  • Changes in the market value of invested assets relative to the value of liabilities that increase the volatility of the company’s capital position, thereby  also increasing the probability of downgrading, or of intervention by regulators in company management

These effects of investment value volatility are addressed through reinsurance and asset strategies that contain the volatility of net assets. Insurance companies determine the extent and manner in which these strategies can be optimized, and supplemented in certain cases by arrangement of back-up lines of credit, through analysis of the volatility of their cash flows, taking into consideration the execution of their strategy, the potential liquidity and value volatility of their invested assets and the payment patterns of their liabilities. Note that liabilities of insurance companies, unlike bank demand deposits and overnight funding, are a source of relatively stable funding. Many companies take investment positions that take advantage of this relative illiquidity to create value.

The objective of an investment risk policy is to guide management in ascertaining when, to what extent and how a company should deviate from investing in a portfolio that replicates its liabilities. Its investment risk policy, at a minimum, should specify:

  • Which asset classes are permissible, by type, rating class, liquidity, etc.
  • Which risk types may be assumed to enhance returns, given a company’s risk capacity (e.g. interest rate, credit, inflation, currency, beta, idiosyncratic, liquidity, etc.)
  • How much of the assets may be invested in alternative assets, including illiquid positions (e.g. venture capital, real estate, hedge funds, funds of funds, etc.)
  • Guidelines for diversification within and between asset classes
  • How much volatility in investment income and portfolio value is consistent with the  respective solvency and value risk tolerances of the company’s stakeholders
  • Guidelines for using hedging strategies, and controlling counterparty risk

To develop this policy, a company needs to simulate the impact of alternative guidelines in relation to liabilities and the risk capital consumed, assess their contribution to economic objectives, and identify the range of acceptable asset allocations and strategies. Ultimately, the policy should provide a framework within which a company can determine how much of its return to seek through investment in risk-free instruments, or instruments that provide extra “market return” (beta) or even additional skill-based returns (alpha).

Revision of risk policy

Although it is widely recognized that an insurance company needs to develop its risk policy when it starts operating, there is no consensus on how often an established company needs to revise its risk policy.

Many insurance companies review their risk policy when they are contemplating an acquisition or entering a new business. Because such decisions can have a significant impact on their risk profile, companies often perform detailed pro-forma actuarial analyses to develop the risk insights they need before making a commitment. However, when no significant change in business portfolio is contemplated, insurance executives are often reluctant to invest time to revisit their company’s risk policy.

The recent crisis suggests, however, that there is hardly any activity of greater importance to the survival and success of insurance companies.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But what they really are struggling with is either a lack of clear objectives or unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals, but which one they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Second Step to a New ERM Program

March 1, 2011

Everyone knows the first step - Identify your risks.

But what should you do SECOND?  The list of ERM practices is long.  Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.

And you want to make sure that you avoid Brick Walls and Touring Bikes.

But the Second Step is not a practice of ERM.  The Second Step is to identify the motivation for risk management.  As mentioned in another post, there are three main motivations:  Compliance, Capital Adequacy and Decision making.

If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.

If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.

If Decision making is the motivation, then the process becomes somewhat more involved.  Start with identifying the risk attitude of the firm.  Knowing the risk attitude of the firm, the risk management strategy can then be selected.  Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.

This process has been described in the post Risk Attitudes and the New ERM Program.

But knowing the motivation is key.  A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM.  They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..

And then hit a brick wall.

That is because they did not clearly identify the motivation for their appointment to be the risk management officer.  The term ERM actually means something totally different to different folks.  Usually one of the three motivations:  Compliance, Capital Adequacy, or Decision Making.

A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices.  A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement.  Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.

The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.

Most modern cruise ships feature the following facilities:

  • Casino – Only open when the ship is in open sea
  • Spa
  • Fitness center
  • Shops – Only open when ship is in open sea
  • Library
  • Theatre with Broadway style shows
  • Cinema
  • Indoor and/or outdoor swimming pool
  • Hot tub
  • Buffet restaurant
  • Lounges
  • Gym
  • Clubs

Keep that contrast in mind when you are making your plans for a new ERM system.

Dealing with Crisis

February 24, 2011

Risk management has two important phases.  The first phase is Between Crises (BC) and the second phase is During Crises (DC).  The skills and activities needed for these two phases are totally different.  This post will talk about the DC phase.

During the Crisis, the concentration of the risk manager must shift to survival.  Much has been made of the famous saying from Baron Rothschild:

“Buy when there’s blood in the streets, even if the blood is your own.”

But Rothschild famously made his own luck by arranging that he was the first to know the outcome of the battle of Waterloo.  And when the crisis hits, that is what you will hope that you, or your predecessor, did before the crisis – make some of that sort of luck.

One of the things that often happens is that the organization will seem to shift right out from under you.  The norms and objectives that you thought were agreed are no longer in place.  You will be judged by a set of rules that are being written right now.

An old (1938) article by Robert Merton, SOCIAL STRUCTURE AND ANOMIE, suggests that there are five ways that people can react to situations where they are unhappy with how the rules and norms are working:

  1. Conformity
  2. Innovation
  3. Ritualism
  4. Retreat
  5. Rebellion

Conformity means that they simply continue to operate under the old rules and norms as if nothing has happened.  In many cases, however, risk managers act as if this is the only possibility.

Innovation means that they try to come up with a new way to solve their problem within the same structure that was in place.  Innovation may or may not work and if it does not work, then one of the other responses will be next. Often the risk manager is trying to innovate the way out of the crisis.

Ritualism means that they start to go through the motions of following the old rules, even though there is a strong sense that those rules no longer work as they had been working.  Things get more rigid and hierarchical.  Stepping on the wrong person’s toes has become a more significant infraction than it had been.

Retreat means that the organization freezes.  In some cases, it is the CEO who retreats, simply disappearing from the scene and lines of authority become blurry.

Rebellion means that the old rules and norms of the company are overthrown and new rules and norms replace the old quite rapidly.  This is most often accompanied by major management personnel changes.  But sometimes not.

The risk manager needs to be aware of these possibilities and make plans accordingly.

COSO & ISO 31000 & ERM for Insurers

February 23, 2011

Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM.  What is most commonly seen is that COSO-based ERM systems have a few characteristics in common:

  • They usually take at least a year to implement phase 1.  By the end of that year, no actual improvements or changes to actual risk treatment activities take place.  The most common product of that year’s efforts is a risk register.
  • The risk register usually contains at least 100 risks.  Many of these systems have closer to 200 risks identified.
  • Top management is completely baffled about why they need to spend their time paying any attention to such activity.  If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.

The COSO process seems to be totally a Loss Controlling approach to ERM.  This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach.    That is another way of saying that COSO does not fit well with insurance company management approaches.

ISO 31000 is a new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years.  The following post gives a discussion of the differences between the two.

Norman Marks quotes Grant Purdy on the ways that ISO 31000 is superior to COSO.

ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach.  It seems to seek to be in the Risk Steering camp.  Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.

Riskviews’ main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.

ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System.  Sadly, this is not a joke.  Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.

That is a major problem with detailed prescriptive systems like ISO 31000.  While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.

In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and make the right moves so that exposures to those risks are of the size that they would choose.  Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.

And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.

Integrating ERM and Value Based Management

February 15, 2011

from Jean-Pierre Berliet

The global financial crisis has reduced the market capitalization and price to book ratios of property/casualty insurance companies dramatically. According to a study published by Bank of America Merrill Lynch in August 2009, the S&P P/C index was trading at a 1.0 price/book ratio at that time, sharply down from a 1.4 average over the last three years and a 1.6 over the last 20 years. The updated historical valuations report published in August 2010 indicates that the S&P P/C index was trading at a 1.1 price/book ratio at that time. Excluding Progressive, companies in the Merrill Lynch index were trading then at an average price/book ratio of .89. This data suggests that the industry lost credibility with investors in 2008-2009 and has failed so far to persuade them that it is positioned to resume growing profitably in an uncertain rate environment.

Ironically, the crisis started just a few years after rating agencies began to include an assessment of the effectiveness of enterprise risk management (ERM) in their rating decisions and after they had given most insurers passing grades or above. It is clear now that ERM did not prevent a number of insurance companies from overextending themselves. Investors have concluded that risk management failed broadly and is disconnected from business strategy. They are justified in wondering whether risk management frameworks and processes of insurance companies will be more effective in the present lower volume and lower rate environment. Under such expected market conditions, investors are concerned that companies might lack discipline and write business at inadequate rates in order to achieve their premium volume objectives.

More generally, investors are concerned that strategic planning frameworks of many insurance companies are “expected value” focused, and are thus myopic about risk. In addition, investors are also aware that design weaknesses of ERM frameworks cause many executives i) to distrust “ex-post” decision signals provided by risk adjusted management performance metrics and ii) often to ignore resulting decision signals to redeploy capital or optimize asset allocation and reinsurance strategies. The existence of significant weaknesses in strategic planning and ERM frameworks and management processes explains why establishing tight and credible linkages between ERM and business strategy decisions is problematic and why ex-post measurement of risk adjusted performance is not viewed by investors as helpful. Just like the cleaning up of risks that manifested themselves, such as catastrophes and investment losses, ex-post risk management accomplishes only little, too late, and at great cost.

To respond to concerns of investors, insurance companies need to make their strategic planning and ERM frameworks capable of addressing credibly, and in a mutually consistent manner, the risk management issues raised and business strategy decisions impacted by the asymmetrical distribution of the financial results of insurance businesses. Investors believe, in particular, that risk management would create more value if i) risk insights guided the management and deployment of a company’s risk capacity “ex-ante”, that is before insurance policies were bound or investment decisions were made, and ii) strategy decisions about risk assumption and accumulations always took into consideration the adequacy of insurance rates and changes in market volume.

These considerations call for the integration of value and risk governance frameworks and management processes in insurance companies. In the absence of such integration, there will be an enduring disconnect between strategy and risk management, and neither value based management (VBM) nor ERM will be credible or effective.

To be effective, the integration framework must recognize that, in insurance businesses, the cost of risk is known only after contracts have expired and related liabilities have run off. This unique peculiarity of loss costs, the raw material of insurance businesses, makes ex-post risk management a contradiction in terms. It places risk issues at the core of strategy development and execution. To achieve the needed integration of ERM and VBM, insurance companies must be careful to develop and establish distinct but tightly aligned:

  • Governance frameworks for VBM and ERM, that specify the respective roles and responsibilities of the Board of Directors, external advisers, and Senior Management with regard to the development and approval of a company’s business mission and strategic plan, including i) the evaluation of risk return trade-offs, ii) the setting of financial objectives, iii) the oversight of strategy execution, and iv) accountability for results
  • Managerial frameworks and processes capable of ensuring alignment of business strategy and risk management decisions across risk types, operational activities and products or markets.

Risk management must not be an afterthought in insurance businesses. An insurance company needs to establish “ex-ante” risk management as an essential foundation for the effective integration of its VBM and ERM frameworks. Ex-ante risk management is based on the observation that, together, risk assumption and accumulation functions in insurance companies are analogous to production in industrial companies. A properly designed risk management framework that supports “ex-ante” management of risk exposure accumulations should help an insurance company:

  • Achieve loss costs and earnings volatility advantages
  • Reduce both the amount and the cost of the capital they require
  • Support effective development and execution of its business strategy

Such possibilities make “ex-ante” risk management concepts and tools and risk capacity management as important to business strategies of insurance companies as scale, equipment and machinery specialization, flexible automation and outsourcing, i.e. production strategy elements, are to business strategies of industrial companies. Notably, ex-ante risk management requires insurance companies to develop and use insights about risks that can provide a competitive advantage. Unlike cost reduction, product or service enhancements or pricing initiatives, risk insights and the underlying ability to compete on analytics, cannot be easily or rapidly duplicated by competitors. They can thus enable insurance companies to achieve more enduring margin improvements and escape for a while the strategic stalemate conditions under which they operate in many businesses.

To restore their credibility, insurance companies need to persuade investors that “ex-ante” risk management will support effective strategy implementation and drive risk capacity deployment, thereby improving financial performance. To accomplish the required alignment of risk capacity management, risk taking and business strategy management, companies need to establish the following three distinct but tightly integrated frameworks for:

  • Measuring and assessing risk capacity utilization
  • Addressing financial risk concerns of external stakeholders
  • Deploying and leveraging risk capacity.

Integration of these frameworks would be effected through development of risk limits by line of business and business segment. Such risk limits would provide an insurance company a means to i) drive and control the deployment of its risk capacity toward uses that are projected to meet the return expectations and risk tolerances of its external stakeholders, ii) develop performance metrics needed to assess risk and return trade-offs of alternative strategies and align risk capacity management and business strategies and iii) improve risk capacity utilization and enhance financial performance.

To establish and use these frameworks, insurance companies need to integrate risk insights that emerge at the intersection of actuarial analysis, underwriting expertise, strategy analysis and financial simulation.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Heresy

January 30, 2011

I do want to confess that I am a heretic.

That is because I do not believe that there is one single best ERM approach.

And I do not believe that a scientific, advanced, disciplined adherence to any single ERM system will produce best or even good results.

In fact, I think that a scientific, advanced, disciplined adherence to a single ERM system is also dangerous as a career strategy and as a strategy for the profession of risk managers.

The details of this heresy have been put forward here at Riskviews in over 20 postings and in a number of published articles and presentations that have been mentioned on the Plural Rationalities page of this blog.

One of the key underpinnings of these ideas is that our businesses will operate under  one of four different risk perspectives.  The conclusion about risk management from these ideas is that two things are needed to have a successful risk management program:

  1. At the heart of the risk management program must be a set of practices and processes and systems that are supportive of the predominant risk perspective of the firm.
  2. Some capability to see the other risk perspectives and to be able to adapt the risk management program of the firm as the predominant risk perspective of the firm changes.  None of the four risk perspectives or the risk management programs that are consistent with those perspectives will work all of the time.

Some of the most advanced firms in the risk management area will say that they are operating under all four styles of risk management all of the time and are prepared to shift emphasis at any time to the aspect of risk management that is the most effective.

That style of risk management has been titled Rational Adaptability.

The four styles of risk management are called:

Global Convergence of ERM Requirements in the Insurance Industry

January 27, 2011

Role of Own Risk and Solvency Assessment in Enterprise Risk Management

Insurance companies tend to look backwards to see if there was enough capital for the risks that were present then. It is important for insurance companies to be forward looking and assess whether enough capital is in place to take care of risks in the future. Though it is mandatory for insurance firms to comply with solvency standards set by regulatory authorities, what is even more important is the need for top management to be responsible for certifying solvency. Performing Own Risk and Solvency Assessment (ORSA) is the key for the insurance industry.

  • Global Convergence of ERM Regulatory requirements with NAIC adoption of ORSA regulations
  • Importance of evaluating Enterprise Risk Management for ORSA
  • When to do an ORSA and what goes in an ORSA report?
  • Basic and Advanced ERM Practices
  • ORSA Plan for Insurers
  • Role of Technology in Risk Management

Join this MetricStream webinar

Date: Wednesday February 16, 2011
Time: 10 am EST | 4 pm CET | 3pm GMT
Duration: 1 hour

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion is that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly document the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Why ORSA?

January 20, 2011

At first glance, the Own Risk and Solvency Assessment (ORSA) seems like an unnecessary redundancy.  For some firms, they will have looked at the Standard formula for capital adequacy and then looked again at the Internal Model and the Economic Capital.  And on all of those views, the firm has sufficient solvency margin.

But the problem that ORSA solves is a problem that is so very fundamental that we have almost completely forgotten that it exists.  That problem is that all of the traditional ways of looking at capital adequacy look at the wrong thing.  Yes, you heard that right, we have always and will continue to focus on the wrong thing when we assess capital adequacy.

The basis for capital assessment is the wrong view because it looks backwards.  We already know that the firm survived the past year.  What we really need to know is whether the firm can survive the next year and probably the one after that.

The traditional backwards looking solvency assessment tradition started when there was no viable alternative.  It is a good basis for looking at solvency under only a few possible futures.  Fortunately, many firms broadly operate within the range of futures.

For the backwards looking approach to solvency to have any validity, the future of the firm needs to be very much like the past of the firm.  Firms need capital more for the future than for the past and the balance sheet is more about the past of the firm than the future.  So a capital regime that is tied to the balance sheet is useful only to the firms whose future does not materially change their balance sheet.

But wait, the only time when that capital is needed is when the balance sheet DOES change materially.

So ORSA shifts the question of solvency from the past to the future.

The second thing that ORSA does is to shift the burden of determining adequacy of capital from the regulator to the board and management.  With the ORSA, the board and management will never again have the excuse that they thought everything was fine because they met the standards of the regulators.  The ORSA requires the board and management to assert, IN THEIR OWN OPINION, that the firm has sufficient capital for its own risks AND its own risk management systems.  Prior regimes allowed management to pass a test set by the regulator and thereby show adequacy of capital.  Even if the test did not pick up on some new risk that management was totally aware of but which was not at all recognized by the regulatory formula.

Now that is a game changer.

Risk Limits and Controlling

December 16, 2010

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

  • Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

 

What might make sense in that situation would be for the person asked to decide on speed limits to be told what speed they had been going on the long straightaways, on the gradual curves and on the sharp curves, and how long it took to stop the vehicle at various speeds.  In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as on various types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience.  But there are simple exercises that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercise is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past.  For each of those situations, the backwards looking frequency can be assigned.  This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains and losses that were experienced in general.  That frequency is analogous to the weather.  Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercise each year of deciding what frequency to assign to the experience of the year’s gains and losses.
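The frequency-and-severity limit and the backward-looking frequency exercise described above can be worked through in a few lines. This is an added example, not part of the original post: the lognormal loss model, its parameters, the limit amount and the three history rows are all constructed assumptions standing in for a firm's own risk model and experience.

```python
import math
from dataclasses import dataclass
from statistics import NormalDist

STD_NORMAL = NormalDist()


@dataclass(frozen=True)
class LognormalLossModel:
    """Assumed stand-in for a risk model: ln(annual loss) ~ Normal(ln(median), sigma)."""
    median_loss: float
    sigma: float

    def loss_at_return_period(self, years: float) -> float:
        """Loss the model says is exceeded once in `years` years."""
        if years <= 1:
            raise ValueError("return period must be longer than one year")
        z = STD_NORMAL.inv_cdf(1.0 - 1.0 / years)
        return self.median_loss * math.exp(self.sigma * z)

    def return_period(self, loss: float) -> float:
        """Model-implied years between losses at least as large as `loss`."""
        if loss <= 0:  # gain or break-even year: the model expects worse every year
            return 1.0
        z = math.log(loss / self.median_loss) / self.sigma
        exceedance = 1.0 - STD_NORMAL.cdf(z)
        return math.inf if exceedance <= 0.0 else 1.0 / exceedance


@dataclass(frozen=True)
class RiskLimit:
    """A limit stated the way the post asks: a frequency and a severity."""
    return_period_years: float  # frequency, e.g. 100 for "once in a hundred years"
    max_loss: float             # severity, e.g. one quarter's earnings


def check_limit(model: LognormalLossModel, limit: RiskLimit) -> dict:
    """Compare the modelled loss at the limit's frequency with the limit's severity."""
    modelled = model.loss_at_return_period(limit.return_period_years)
    return {
        "modelled_loss": modelled,
        "utilization": modelled / limit.max_loss,
        "breached": modelled > limit.max_loss,
    }


def frequency_history(general_model, firm_model, history):
    """Assign a backward-looking frequency to each past period.

    weather_years: how rare the general (market-wide) loss was under the model.
    firm_years:    how rare the firm's own loss was under the model.
    """
    return [
        {
            "period": label,
            "weather_years": general_model.return_period(general_loss),
            "firm_years": firm_model.return_period(firm_loss),
        }
        for label, general_loss, firm_loss in history
    ]


# Constructed figures, in millions. None of them come from the post.
GENERAL_MODEL = LognormalLossModel(median_loss=20_000.0, sigma=0.9)
FIRM_MODEL = LognormalLossModel(median_loss=40.0, sigma=1.0)
LIMIT = RiskLimit(return_period_years=100, max_loss=300.0)
HISTORY = [
    ("calm year", 12_000.0, 25.0),
    ("typical year", 20_000.0, 40.0),
    ("severe year", 90_000.0, 500.0),
]

if __name__ == "__main__":
    result = check_limit(FIRM_MODEL, LIMIT)
    print(f"1-in-100 modelled loss {result['modelled_loss']:.0f} vs limit "
          f"{LIMIT.max_loss:.0f}: breached={result['breached']}")
    for row in frequency_history(GENERAL_MODEL, FIRM_MODEL, HISTORY):
        print(f"{row['period']:>12}: weather 1-in-{row['weather_years']:.1f}, "
              f"firm 1-in-{row['firm_years']:.1f}")
```

In the constructed severe year the market-wide loss is roughly a 1-in-20 event while the firm's own loss is rarer than 1-in-100 under its model, which is the "how fast were we going in that weather" comparison the exercise is meant to surface.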

Action and Inaction

December 14, 2010

Running a successful business requires doing something almost constantly.

But successful risk management may require doing very little for long stretches of time.

“Just because they say “ACTION” doesn’t mean you have to do anything”  Al Pacino

Good risk management means picking your times and picking your actions.

But there is much for the new risk manager to do between the day when they are first given their charge (the call of ACTION) and the day when they must take their first ACTION.

Many new risk managers get completely caught up in the process of creating a risk management system and the idea of ACTION gets moved into some sort of bureaucratic haze.  The risk management systems that are described in many textbooks and articles make it seem like ACTIONs will simply happen on their own if the system is all in place.

But any risk manager who has worked through the financial crisis or through any other major loss making crisis will tell you that the ACTIONs that take care of themselves through the system are only the easiest part of the ACTION that is really needed, that really adds value to the organization.  The really difficult ACTIONs are the ones that are not so clearly indicated, or the ACTIONs that come after a long period of inaction.

Those actions include things like stopping the growth of a profitable risk, stopping writing a particular risk or even shrinking risk positions.

“Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.”
Pearl Buck

There is a time as well when it is too late for the ACTION.  That is because it is usually in the late stages of a boom that the firm takes on the risks that end up making the largest losses.

And when the problem starts to become evident, it is usually much too expensive to lay off the risk positions.  The best you can hope for is to stop growing the positions.

So there are times, during a boom, when the most important but most difficult ACTION for a risk manager to take is to stop the growth of an overheated risk.

But there are many other times when the risk manager can concentrate on inaction.  Just letting the risk control system do its work.

Risk Organization

December 5, 2010

Some say that in a perfect world, there is no need for a separate Risk Organization.   But that is probably not true.

Think about the Hierarchy of Corporate Needs:


  • Sales

  • Profits

  • Security

  • Growth of Value

Most successful larger organizations have a separate Sales department.  There certainly are firms that go around saying that “Sales are everyone’s job”, but they invariably have people whose only job is Sales.

Move along to Profits and the picture shifts somewhat.  Often there is one department that has responsibility for pricing, another for assisting with managing expenses and the largest component is the folks who are responsible for tracking profits – the accounting department.  Again, many firms also say that “Profits is everyone’s job”, but they do assign many people to jobs that deal primarily with Profits.

So, that brings us to Security, which is the flip side of Risk.  Security needs a parallel structure to what you find for Profits. The system of work assignments for Profits has evolved over many years.

Many firms have set out to create a Risk system on a much, much shorter time frame.  One approach would be to say that since Losses are the opposite of Profits, then assign the responsibility for Security to the same people who have that responsibility for Profits. But what is likely to happen there is that attention to Profits will most often trump attention to Risk.  That is natural, since Profits are higher up the Hierarchy of Corporate Needs than Risk. In addition, measuring Profits is most often done in arrears and Risk can best be managed when measured in advance.  In fact, when responsibility for Risk is given to the folks who are experienced in managing Profits, they often make the mistake of trying to manage Risk by looking backwards.

So certainly to get started, and probably for the foreseeable future, Risk will need its own organization.

Risk Organizations will often include Risk Committees, sometimes more than one.  The committee roles will include High level decision making (Steering), Technical Leadership, and Execution.

One of the most important aspects of a Risk organization is the assignment of responsibility for Risk.   In many firms it is best to assign responsibility to a Line manager that controls the business that creates the risk.  The person with responsibility should be a person who does periodically stand before the board.  They should be asked to say to the board regularly where things stand with respect to managing their Risk.

As with Profits, there is a need for an independent role of Risk measurement.  Usually that role is given responsibility for both prospective measurement of Risk exposures as well as the analysis of losses.

When people talk about independence for Risk, the place where that is really needed is between the responsibility for managing Risk and the responsibility for measuring Risk and assessing losses.  The same way that is done for Profits. No one would consider assigning Profit management to the folks who measure Profits.

Why?

November 29, 2010

My favorite book of the Bible is Job.  That could have been called the book of WHY.  Everyone throughout the book assumes that there must be an answer and they try out those answers but none seems to fit.

Finally, they get an answer, but it is not the sort of answer that they were looking for.  The answer that they get is something like “you would never understand”.

But the risk manager is always being asked why?  Asked to explain the unexplainable.

David Hackett Fischer advised historians to avoid WHY.  To stick with who, what, when, where and how.

A why question tends to become a metaphysical question. It is also an imprecise question, for the adverb ‘why’ is slippery and difficult to define. Sometimes it seeks a cause, sometimes a motive, sometimes a reason, sometimes a description, sometimes a process, sometimes a purpose, sometimes a justification.

This list of definitions for the word why is useful to the risk manager however, because often there is no “why” under some definitions, but the other definitions can help to provide a path to an answer that is probably less than satisfactory but better than nothing.

Nothing being the same as the answer “it is still a 1 in 100 event, we were just unlucky”.

If you want the company’s executives to really embrace ERM, then the risk manager needs to have all of these definitions and as many of the answers as humanly possible on hand.  The executive will need the risk manager to provide the words that they can use and feel comfortable lording it over their peers who do not have such a smart risk management department.  They need the words that answer WHY.

The famous quote about risk..

“We were seeing things that were 25-standard deviation moves, several days in a row.”

David Viniar, CFO Goldman Sachs
August 2007

Viniar obviously had someone who did not have the above list of definitions of WHY on hand; he got the S— Happens answer from a math geek.

Executives need to be brought into the Bayesian recalibration process.  Each year, the experience of the year needs to be placed on the scale from the model (as Viniar did above) and the scale then either accepted or rejected.  (Which step Viniar obviously did after making that statement.)

That exercise ought to be a part of every year end wrap up from the risk department.  Their recount of the who, what, when, where, how and WHY of the events of the year.

Risk Language

November 27, 2010

This is one of the eight Fundamental ERM practices. These practices are the foundations of a new ERM program.

Risk Language is not commonly recognized in most ERM literature as a fundamental practice.  But all you need to do is to talk with a management team that has a common risk language and another who does not and it is difficult to see why it is not.  The management with the common language can much more often articulate a common vision of risk management and especially of risk appetite.  The objectives of the ERM program of a firm without a common risk language are usually not understood similarly by more than a tiny handful of people.

When hearing the story of ERM at a firm without the common language, the much more likely explanation seems to be that its ERM program exists mostly for the purpose of entertaining outsiders rather than for impacting the management of the firm.

At the earliest stage of development of an ERM program, the lack of a language should become apparent.  Ask any two managers what they think is meant by an unacceptably large loss and you are likely to get as many different answers as you have answerers.

Ask that same set of people what would be an acceptable level of sales or profits and they will all usually be able to clearly state the company goals for the current year.

So the objective in this area as it is with measurement is to put risk on the same footing as sales and profits, to give it the same clarity and unanimity of understanding and purpose.

There are several steps to gaining a risk language for a firm.

  1. Existing Risk Terms – Making a collection of existing risk terminology used commonly in different parts of the company is a good first step.  Notice where different parts of the company have different terms for one idea and other places where people have different meanings for the same term.  Those conflicts need to be resolved so that there is one main set of terms used within the company for those ideas.
  2. Standard Risk terms – It is not necessary that each firm adopts an entire vocabulary about risk from outside the firm.  But by the same token, there are a wide variety of standardized terms for risk.  Take a look at Risk Glossary, for example.  A good first step would be to take a short list of terms from a source like that and start to make sure that everyone starts to learn those terms.
  3. New Risk Terms – As ERM grows within the company, new terminology will develop for particular ideas.  Some of that terminology will emanate from the risk department and some will come from the executives as they seek to repeat things that they hear at the risk committee meetings.  For some time, everyone needs to be deliberate about the process of coining new terminology.  Conscious that one way of saying something seems to “stick” better than another.  Encourage the formation of this vocabulary.

Besides forming this new vocabulary, it is extremely important that both the risk staff and the other managers who are members of risk committees make sure to use the new risk terminology in their everyday work.  Language is naturally built by usage, not by dictionaries.

One last thought… ERM practice is a combination of some very expensive things and very simple things.  In general, the largest firms can afford the very expensive things more easily while the simple things are usually executed much more effectively in small firms.  This is one of the simple things.

 

Really Different

October 1, 2010

What if the future is really different from the past? What does that do to the whole approach of quantitative risk management? When do you give up on the models that just do not help?

Here is a scenario of a Really Different Future

Farrell suggests that the economy will go through chaos for 10 years until things get so bad that we decide to actually do something about it.

We talk about stress testing for our companies.  What I am trying to suggest here is stress testing our risk management approach.

How well does your risk management system hold up to the scenario described in that article?

I am not asking for a top of the head answer.  I am suggesting that you walk through 10 years of economic bad times, alternating with uncertain times like the past 18 months.

Does your ERM system give good advice throughout?  Or do your models continually give bad signals as they very slowly incorporate the emerging world mess?  And then when things come back in 10 years, will the models be wrong again on the low side for another 10 years or more as you incorporate better experience?

So is there another choice?  I think so.  The choice is multiple risk models of different regimes.  You need a model of high volatility and low drift, a model of high drift and low volatility, a model of moderate volatility and moderate drift and a model of negative drift and low volatility.

Think about it.  If those four models reflect states of the world, is there any point in using a model that combines all four sets of experience?  It will always be wrong.  A Bayesian model that is constantly updating for experience assumes a stable underlying distribution.  Otherwise it is just wrong all the time.

Think about it.  If the next 10 years will be years of high volatility and low drift interspersed with periods of negative drift with low volatility, what good is a model with moderate volatility and moderate drift?  Or the combined all regime model of slightly higher volatility with slightly lower drift.
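The argument above can be checked numerically. This is an added example, not part of the original post: the four regimes keep the post's labels, but the drift and volatility figures, the equal weighting and the normal-return assumption are constructed for illustration. It fits one normal model to the pooled experience and asks how often each regime would really produce the pooled model's "1-in-100" outcome.

```python
import math
from statistics import NormalDist

# Constructed annual (drift, volatility) pairs; only the regime labels come from the post.
REGIMES = {
    "high volatility, low drift": (0.01, 0.30),
    "high drift, low volatility": (0.10, 0.08),
    "moderate volatility, moderate drift": (0.05, 0.15),
    "negative drift, low volatility": (-0.04, 0.08),
}


def pooled_normal(regimes):
    """Single normal model fitted to all regimes' experience combined.

    Assumes each regime contributes the same number of years, so the fit
    matches the mean and variance of an equally weighted mixture.
    """
    weight = 1.0 / len(regimes)
    mean = sum(weight * drift for drift, _ in regimes.values())
    second_moment = sum(weight * (vol ** 2 + drift ** 2)
                        for drift, vol in regimes.values())
    return mean, math.sqrt(second_moment - mean ** 2)


def tail_return(drift, vol, years=100):
    """Annual return at the 1-in-`years` bad tail of a normal model."""
    return NormalDist(drift, vol).inv_cdf(1.0 / years)


def compare(regimes, years=100):
    """For each regime: its own tail, and the real frequency of the pooled tail."""
    pooled_drift, pooled_vol = pooled_normal(regimes)
    pooled_tail = tail_return(pooled_drift, pooled_vol, years)
    report = {}
    for name, (drift, vol) in regimes.items():
        # Probability, inside this regime, of a year at least as bad as the
        # outcome the pooled model labels "1-in-`years`".
        prob = NormalDist(drift, vol).cdf(pooled_tail)
        report[name] = {
            "regime_tail": tail_return(drift, vol, years),
            "pooled_tail": pooled_tail,
            "true_return_period": math.inf if prob <= 0.0 else 1.0 / prob,
        }
    return report


if __name__ == "__main__":
    drift, vol = pooled_normal(REGIMES)
    print(f"pooled model: drift {drift:.3f}, volatility {vol:.3f}")
    for name, row in compare(REGIMES).items():
        print(f"{name:<38} own 1-in-100 return {row['regime_tail']:+.3f}; "
              f"pooled 1-in-100 return {row['pooled_tail']:+.3f} is really "
              f"1-in-{row['true_return_period']:.3g}")
```

With these constructed numbers the pooled model has slightly higher volatility and slightly lower drift than the moderate regime, and its "1-in-100" outcome is closer to a 1-in-12 event in the high-volatility regime while being far rarer than 1-in-100 in the other three.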

Changing Your Attitude

September 23, 2010

Discipline has been touted as one of the most important things that is needed for risk management to be effective.

But in fact the world keeps changing.  The definition of Discipline needs to change with the world.  Otherwise, you will find your risk management discipline  insufficient or too restrictive.

On a recent PRMIA web seminar, I asked the approximately 100 listeners…

How many times has your firm’s risk attitude changed between 2006 and now?

And got these answers:

    • 0 - 20%
    • 1 - 31%
    • 2 - 34%
    • 3 or more - 16%

So 80% of the firms changed their view of the level of riskiness in the world.

Hopefully for the career success of the CROs of those firms, they did not maintain a steady discipline during those years.

It is not poor discipline, it is good realism to change your risk management program as times change.

Risk Managers do not know the Future any Better than Anyone Else

September 17, 2010

Criticisms of risk managers for not anticipating some emerging future are overdone.  When a major unexpected loss happens, everyone missed it.

Risk managers do not have any special magic ball.  The future is just as dim to us as to everyone else.

Sometimes we forget that.  Our methods seem to be peering into the future.

But that is not really correct.  We are not looking into the future.  Not only do we not know the future, we do not even know the likelihood of various future possibilities, the probability distribution of the future.

That does not make our work a waste of time.  However.

What we should be doing with our models is to write down clearly that view of the future that we use to base our decisions upon.

You see, everyone who makes a decision must have a picture of the future possibilities that they are using to weigh the possibilities and make that decision.  Most people cannot necessarily articulate that picture with any specificity.  Management teams try to make sure that they are all working with similar visions of the future so that the sum of all their decisions makes sense together.

But one of the innovations of the new risk management discipline is to provide a very detailed exposition of that picture of the future.

Unfortunately, many risk managers are caught up in the mechanics of creating the model and they fail to recognize the extreme importance of this aspect of their work.  Risk Managers need to make sure that the future that is in their model IS the future that management wants to use to base their decisions upon.  The Risk Manager needs to understand whether he/she is the leader or the follower in the process of identifying that future vision.

If the leader, then there needs to be an explicit discussion where the other top managers affirm that they agree with the future suggested by the Risk Manager.

If the follower, then the risk manager will first need to say back to the rest of management what they are hearing to make sure that they are all on the same page.  They might still want to present alternate futures, but they need to be prepared to have those visions heavily discounted in decision making.

The Risk Managers who do not understand this process go forward developing their models based upon their best vision of the future and are frustrated when management does not find their models to be very helpful.  Sometimes, the risk manager presents their models as if they DO have some special insight into the future.

My vision of the future is that that path will not succeed.

On The Top of My List

August 28, 2010

I finished a two hour presentation on how to get started with ERM and was asked what were my top 3 things to keep in mind and top 3 things to avoid.

Here’s what I wish I had said:

Top three things to keep in mind when starting an ERM Program:

  1. ERM must have a clear objective to be successful.  That objective should reflect both the view of management and the board about the amount of risk in the current environment as well as the direction that the company is headed in terms of the future target of risk as compared to capacity.  And finally, the objective for ERM must be compatible with the other objectives of the firm.  It must be reasonably possible to accomplish both the ERM objective and the growth and profit objectives of the firm at the same time.
  2. ERM must have someone who is committed to accomplishing the objective of ERM for the firm.  That person also must have the authority within the firm to resolve most conflicts between the ERM development process and the other objectives of the firm. And they must have access to the CEO to be able to resolve any conflicts that they do not have the authority to resolve personally.
  3. Exactly what you do first is much less important than the fact that you start doing something to develop an ERM program.   Doing something that involves actually managing risk and reporting the activity is a better choice than a long term developmental project.  It is not optimal for the firm to commit to ERM, to identify resources for that process and then to have those people and ERM disappear from  sight for a year or more to develop the ERM system.  Much better to start giving everyone in management of the firm some ideas of what ERM looks and feels like.  Recognize that one product that you are building is confidence in ERM.

Things to Avoid:

  1. Valuing ERM retrospectively taking into account only experienced gains and losses.  (see ERM Value)  A good ERM program changes the likelihood of losses, but in any short period of time actual losses are a matter of chance.  On the other hand, if your ERM program works to a limit for losses from an individual transaction, then it IS a failure if the firm has losses above that amount for individual transactions.
  2. Starting out on ERM development with the idea that ERM is only correct if it validates existing company decisions.  New risk evaluation systems will almost always find one or more major decisions that expose the company to too much risk in some way. At least they will if the evaluation system is Comprehensive.
  3. Letting ERM routines substitute for critical judgment.  Some of the economic carnage of the Global Financial Crisis was perpetuated by firms where their actions were supported by risk management systems that told them that everything was ok.  But Risk managers need to be humble.

But in fact, I did get some of these out. So next time, I will be prepared.

Changing Risk Tolerance

August 22, 2010

One of the reasons that many firms have not yet set a risk tolerance seems to be that management is afraid that the Risk Tolerance will then take over the company and they will no longer be able to make major decisions because of the risk tolerance.

I imagine the picture of a large sumo wrestler with the name “risk tolerance” sitting in the  corner of the executive conference room.  It would be really smart to avoid making risk tolerance unhappy.

But that is not really the case.  Risk Tolerance is not going to sit on you if you make the wrong decision.  Risk Tolerance is not going to actively insist that you make a decision that you know is wrong.

Risk Tolerance is more like the little brother that tags along behind you.  You know that if you do anything little brother will tell Mom.

Risk Tolerance is a commitment to acting as your own little brother.  Telling on yourself if you take on risk that goes beyond a certain pre-agreed upon point.

Then it is up to you to convince the higher authority that your risk taking was appropriate for whatever reason that you have.

In addition, Risk Tolerance should not be carved in stone.  Risk Tolerance should be written on the white board in Erasable marker.  You should not expect to clean that board every week.  But the option will always be there to walk up to the board and wipe it clean.

That does not mean that every time that it is inconvenient that the Risk Tolerance should be changed.  But it does mean that as the world changes, you should be sure that your Risk Tolerance still means what you intended it to mean when it was set.

Otherwise, you are in danger of having it turn into a Sumo Wrestler in the corner.

