What you really need is a good Risk Bucket system.

To manage your risks, you then need to know

• which bucket each risk goes into;
• How much is already in each bucket;
• How much you want to have in each bucket.

Each bucket will have different rules for how it is monitored and managed.  About who must pay attention to the new risks going into the bucket.  And who makes sure that what was put in the buckets still belongs in that bucket.

One way to define the five buckets would be to say that

Bucket 5 – these risks must be approved by the Board.  The Board must monitor all of the risks in this bucket very regularly.  Strategic Risks belong in this bucket.  Especially large concentrations of risks should go into this bucket.  Risks that are of a size that an adverse experience might endanger the company’s survival must go into this bucket.  Once the Board has agreed on what it wants in this bucket, then they should require management to assert that they are getting regular reports on all of the exposures that the companies has or are considering that should go into this bucket.
Bucket 4 – there risks must be approved and are monitored by the CEO and top management.
Bucket 3 – these risks must be approved and are monitored by a business unit head.
Bucket 2 – these are risks that must be approved and are monitored by supervisors or middle managers.
Bucket 1 – these are risks that do not need approvals.

The criteria for assigning risks to buckets will vary from company to company.  One criteria may be size, another familiarity with the risk.  Volatility or extreme losses per unit of activity that is mugh higher than normal for the company should mean a higher number bucket.

The funny thing about this system is that absolutely everyone already uses the bucket system.  But few have written down the definitions of what goes into each bucket.  Few monitor the risks systematically.

To go from an unconscious five bucket risk management system to a Five Bucket ERM System all that is needed is to formalize the assignments, monitor that risks in each bucket regularly, produce reports that show how much risk that is in all of the buckets at regular intervals.

The final step in shifting to an a Five Bucket ERM System  is to shift from using the buckets to monitor risk to using them to manage risk.  That means shifting from activity metrics to risk metrics.  It also means identifying the profits that are coming from each bucket.   It leads to conscious decisions of how muck risk that can be accepted in each bucket.

The first step in this transition for everyone is to start to notice the buckets that are already right there in your office.

As I deal with a variety of industries, professionals, investors and even risk managers, it has become obvious that the first issue that needs to be addressed from a risk management context is to define the term “risk”. I generally get pushback on this, but what I find is that everyone has a strong definition in their own mind that varies from person to person. How you define risk drives both risk appetite and risk culture. One of the keys in many of the management classes I have attended over the years has been to recognize that others tend to not think like I do. This is important here too. Before reading further, how do you define risk? Let me know if you don’t see your personal high level definition below.

Knightian Risk

Probably the most interesting risk definition I have seen, and the one I had never considered in its extreme, was put forth by Frank Knight in his 1921 book Risk, Uncertainty and Profit. Risk is defined as uncertainty. It is best explained by an example. If you were to launch yourself into space with no protection against the cold and lack of oxygen that defines space, you know you would die. By this definition there is no risk. If there is no uncertainty, in any direction, there is no risk. Sure to fail, no risk. Sure to win, no risk. Most people consider this definition in moderation when managing risk, although most would override it with one of the definitions we will consider next.

Downside Risk

When managing a business or portfolio, many managers consider risk only with respect to something bad that could happen. Outcomes can be defined numerically as more of something is either good or bad, and less of something is the opposite. An additional nuance is needed, and it has been mentioned by others. I like to look at “good” outcomes and “bad” outcomes. To follow an example earlier in this thread, higher sales might initially be called a good outcome, but often it eventually becomes a bad outcome as it outstrips capital availability or flags a pricing issue. Keep in mind that what is important is the overall impact on the entity, so a good overall outcome should be encouraged even if some lines of business would call it a bad outcome for their silo. High mortality is an example of this, with a life insurance line saying it is a bad outcome and a payout annuity considering it a good outcome. This is an example of a natural hedge, provided by two lines with offsetting risks in their portfolio.

Most companies today are looking at risk from a one sided perspective to meet their regulatory compliance needs. Risk management is viewed as a fixed cost under this paradigm. This approach is useful and helps the company avoid bankruptcy. It also provides a base from which you can leverage your ERM efforts.

Volatility Risk

I often think of traders when considering a volatility driven definition of risk. Opportunities abound if prices move, no matter which direction. Those who look at risk from a two sided perspective, and are good at it, can provide an organization with a competitive advantage as enterprise risk management becomes a major part of the strategic planning process. Everything is on the table. This helps an organization grow and prosper, in addition to lowering the probability of ruin. Incorporating risk into decision making provides a competitive advantage in all environments. The downside of this approach is that many who think of volatility as risk also believe that risk can be modeled accurately. They are more prone to model risk.

Not everyone is capable of the two sided risk approach. Risk culture can get in the way, but you also need the right people in place to drive risk management opportunities to senior team members. A risk manager should try to nudge their firm in this direction, but trying to leap there all at once is not likely to work.

Which risk definition is the best one?

It will depend on firm culture and risk appetite to know which definition is most consistent within an entity, and employing people with each definition can help a firm avoid overfocusing on one of the definitions. This will allow the firm to make better decisions. Risk is Opportunity!

©2011 Rudolph Financial Consulting, LLC

Warning: The information provided in this post is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an  integrated approach to  assessing and controlling  risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our  liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
·      Understanding which risks the company is able to underwrite;
·      Assessing the risk-return trade-off associated with these risks;
·      Establishing limits for the level of exposure to a particular risk or combination of risks; and Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

All you need in this life is ignorance and confidence then success is sure.  Mark Twain

Overconfidence is one of the favorite biases of Behavioral Finance folks.  It goes a long way to help support their Irrational Market paradigm.

“People are overconfident. Psychologists have determined that overconfidence causes people to overestimate their knowledge, underestimate risks, and exaggerate their ability to control events. Does overconfidence occur in investment decision making? Security selection is a difficult task. It is precisely this type of task at which people exhibit the greatest overconfidence.”
Nofsinger (2001)

Overconfidence means that we generally tend to view the future prospects to be more favorable than they turn out to be and it also means that we tend to overestimate the likelihood of our predictions about the future being accurate.

Overconfidence is one of the most powerful forces that works against appropriate risk management.  The most overconfident feel that risk management is a total waste of time and money.  Why waste time and resources preparing for failure when you can spend that time and resources assuring success? they ask.

One way to reduce the power of overconfidence is Practice.  What you need to practice is estimating likelihoods.  And then tabulating the  results.  Regularly perform what actuaries call an actual to expected analysis.

The Practice Effect is what psychologists want to avoid when they are doing experiments.  They usually do not want folks getting better and better with repeated trials.  So they are always looking to introduce fresh folks.

But in business and especially risk management we need the Practice Effect.

Risk Management works with estimated distributions of likelihood of adverse events.  One simple way to practice is to look at each period’s experience in terms of the prior year’s estimated distribution.  Was last year a 99th percentile year or a 78th percentile year?  Each you everyone should be informed of that and everyone can form an opinion about how good that prior estimate of likelihood was.

Of course, the firms that look at each risk as a single frequency severity pair cannot do that.  One more reason why the single pair approach to risk assessment falls short of real usability.

The Risk Management quotes were still by far the favorite feature of the blog, with about 800 hits per month.  That has been steady for over 3 years now.  What changed was the hits to the other content.  The home page saw over 6000 hits in 2011, or about 500 per month.  Some posts from prior years continue to be very popular.

Here are the most popular new posts from 2011:

Integrating ERM and Value Based Management

Avoiding Risk Management 

Risk Appetite and Risk Attitude

The Difference Between Risk and Loss

Risk Capacity Measurement

Integrating Risk Capacity and Business Management

Assessing Risk Capacity Utilization

Risk Management Success

COSO & ISO31000 & ERM for Insurers

Liquidity Risk Management for a Bank

Five of these posts were written by Riskviews, four by Jean-Pierre Berliet and one by Jawwad Farid.

“Every person takes the limits of their own field of vision for the limits of the world.”  Arthur Schopenhauer

Life is a series of failures punctuated by brief successes. James Altucher

Managing risk is not just about assessing and monitoring all the things that could go wrong. Rather it is about understanding all the things that need to go right for an organization to achieve its mission and objectives.  UN Joint Staff Pension Fund ERM Policy Statement

Across the grand sweep of history, the relationship between risk and return has been loose and variable.
Warren Hatch

“Call on God, but row away from the rocks.” Hunter S Thompson

“It don’t matter how hard you hit if you cannot take a punch” from the song Lend a Hand by Jakob Dylan

Don’t forget that people sometimes make very silly mistakes, especially when dealing with derivatives. Kevin Dowd

Frankly, I’m suspicious of anyone who has a strong opinion on a complicated issue.  Scott Adams

People are disposed to get angry and punish those who violate the models that they themselves are using, but the targets of such sanctions often do not acknowledge that that particular model applies, or that their acts were transgressions, so they perceive the intended sanctions as illegitimate aggression.   Alan Fiske

“everyone has a plan ’till they get punched in the mouth”  Mike Tyson

When there is financial failure, it comes as a result of illiquidity.  Now, truly, these parties are insolvent, because they took the risk of not being able to pay cash when it was due.  Illiquidity and insolvency are really the same thing, though many obfuscate.

If you can’t pay cash, it doesn’t matter what your assets are worth in “normal” times.  Banks should have planned in advance to make sure liquidity was always adequate, rather than doing the usual borrow short, lend long, that they usually do.

But after reading through the Fed ‘s proposal on bank solvency, I conclude that they may not get the picture.  They spend time on liquidity and other issues.  With liquidity, it is uncertain how they will view repo markets.  To me, those should be view as short-term finance of long dated assets.

During times of crisis, repo markets seize up, with rising repo haircuts.  Maybe I’ve read the Fed’s proposal wrong, but it seems that it neglects repo funding, which had a large effect on the recent crisis.

If banks had to be able to size their activity to survive a rise in repo haircuts equal to half of the highest that we have seen, it would probably be enough to make the issue go away, because the haircuts would be less likely to rise as a result of that restraint.

Now, I appreciate the perspective of this article from Dealbreaker on the topic.  All of the assets of the bank support all of the liabilities. In one sense, there are no assets that are tagged “equity” and others tagged “liability.”

P&C Insurance works a little different.  In that, premium reserves are invested in high quality short-term debt.  Claim reserves are invested in high quality debt similar to the period that claims are expected to be paid out over.  The remainder (the equity) can be invested in risk assets in order to earn a decent return for shareholders.  The idea is this: match liabilities with high quality assets of the same length, and take risk with the remainder of assets, realizing that they might might needed for liquidity in the worst case scenarios.

But really, banks should not be viewed differently.  They should invest like P&C or life insurers.  Invest in high quality assets equal to the terms of their liabilities — deposits (estimate stickiness), savings accounts (same), CDs (the term is known).  After that, take risks with the remaining assets in ways that reflect their comparative advantage, realizing that they might might needed for liquidity in the worst case scenarios.  Illiquid investments (e.g. private equity)  should not be allowed for a majority of of those investments.

If banks don’t engage in asset/liability mismatches aka maturity transformation, most of the risks of bank runs will go away.  And that is what I propose.  Note that if that happens, average people will have to pay some fee each year to have a checking account.  Banks would be liquidity utilities.

This fits under my rubric that the insurance industry is much better regulated than the banking industry.  Were it in my power to do so, I would turn banking regulation over to the states, and leave to the Fed control of monetary policy only.  You would soon see intolerant banking regulation, much like we see in insurance, and defaults would decline.

What could be better?

The odds of Earth being hit by the asteroid Apophis in 2039 was determined to be 1 in 200.

The odds a person is 80 years old are 1 in 250.4 (US, 5/2009).

If 200 insurance companies are meeting Solvency II capital requirements should we expect that one of them will fail each year?

Do we really have any idea of the answer to that question?

Or can we admit that calculating a 1/200 capital requirement is not really the same as knowing how much capital it takes to prevent failures at that rate?

Calculating a 1/200 capital requirement is about creating capital requirements that are related to the level of risk of the insurer.  Calculating a 1/200 capital requirement is about trying to make the relationship of the capital level to the risk level consistent for different insurers with all different types of risk.  Calculating a 1/200 capital requirement is about having a regulatory requirement that is reasonably close to the actual level of capital held by insurers presently.

It actually cannot be about knowing the actual likelihood of very large losses.  Because it is unlikely that we will ever actually know with any degree of certainty what the actual size of the 1/200 losses might be.

We agree on methods for extrapolating losses from observed frequency levels.  So perhaps, we might know what a 1/20 loss might be and we use “scientific” methods to extrapolate to a 1/200 value.  These scientific assumptions are about the relationship between the 1/20 loss that we might know with some confidence and the 1/200 loss.  Instead of just making an assumption about the relationship between the 1/20 and the 1/200 loss, we make an intermediate assumption and let that assumption drive the ultimate answer.  That intermediate assumption is usually an assumption of the statistical relationship between frequency and severity.  By making that complicated assumption and letting it drive the ultimate values, we are able to obscure our lack of real knowledge about the likelihood of extreme values.  By making complicated assumptions about something that we do not know, we make sure that we can keep the discussion out of the hands of folks who might not fully understand the mathematics.

For the simplest such assumption, i.e. that of a Gaussian or Normal Distribution, the relationships are something like this:

• For a risk with a coefficient of variance of 100% (i.e. the mean = standard deviation), the 1/200 loss is approximately 250% of the 1/20 loss
• For a risk with a coefficient of variance of 150% (1.e. the mean = 2/3 the standard deviation) the 1/200 loss is approximately 200% of the 1/20 loss
• For a risk with a coefficient of variance of 200% (i.e. the mean = 1/2 the standard deviation) the 1/200 loss is approximately 180% of the 1/20 loss
• For a risk with a coefficient of variance of 70%, the 1/200 loss is 530% of the 1/20 loss

The graph above is the standard deviation/mean looking backwards at the S&P 500 annual returns for each of the previous 21 twenty-year periods.  So based upon that data, we see that the 1/200 loss might be somewhere between 530% and 180% of the worst result in the 20 year period.

And in this case, we base this upon the assumption that the returns are normally distributed. We simply varied the parameters as we made observations.

What this suggests is that the distribution is not at all stable based upon 20 observations.  So using this approach to extrapolating losses at more remote frequency looks like it will have some severe issues with parameter risk.

You can look at every single sub model and find that there is huge parameter risk.

So the conclusion should be that the 1/200 standard is a convention, rather than a claim that such a calculation might be reliable.

Risk management is a fantastic career opportunity as it gives people a very broad and deep perspective on the business through strategic and operational involvement, dealing with people at all levels in an organisation.

Reed Elsevier chief risk officer Arnout van der veer

Risk management now is a career option – it wasn’t when I first started down this route. Certainly the world today is a riskier place and there is a demand for professional, competent people. You need to be qualified in a relevant discipline (business studies, economics, and so on – financial and economic literacy is key) and consider one of the excellent MBAs now available.

DLA Piper chief risk officer Julia Graham

My philosophy over the years has been to take new opportunities as they arise. The job is what you make it, using your skills and competencies.

Morgan Crucible director of risk assurance Paul Taylor

To be an enterprise risk manager, you need to get a solid grounding in business and management at different levels. It’s not an entry-level job.

Ferma vice-president and GDF Suez deputy chief risk officer Michel Dennery

There are uncertainties in everything we do, and hence a career in risk management provides the opportunity to explicitly do what everyone intellectually knows must be done. Further, the concept of uncertainty provides an intriguing angle from which a company can be addressed.

LEGO senior director, strategic risk management Hans Laessøe

You have to care – about jobs, the health of the employees, the health of the factories and the health of the business.

Ferma president and director of risk management for Pirelli Worldwide Jorge luzzi

If you are able to communicate to your colleagues the concept that a risk manager can help the company’s business, protecting profit margins and business continuity, and they understand this, risk management is a really enjoyable job.

Prysmian group risk manager  Alessandro de Felice

My motivation is to create value to my organisation by ensuring that we can deliver what we promise to our customers and shareholders through a well-functioning risk management process.

Assa Abloy group risk and insurance manager Fredrik Finnman

Risk managers should built professional skills over the following pillars: knowledge of risk measurement techniques; knowledge of the company’s processes; skills in spreading the risk culture inside the company; knowledge of the insurance business and risk underwriting: skills in leading internal working groups and designing procedures and control processes.

Telecom Italia corporate risk manager Paolo Rubini

Risk management is about managing risks inherent to the business, so it is critical to understand your business. Moving the company towards a different way of thinking about risk is all about change management and leadership. It’s important to share thoughts and experiences with other colleagues in the field. Attending professional and international events, such as the Ferma Forum, specific seminars and courses to meet other practising risk professionals is a good way to do this.

Campfrio Food Group director of corporate risk management and Ferma board member Christina Martinez

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk that there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood migh happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk that either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CROs job is not to stand in judgment of both the CEO and the Board.  The CROs job is to work within the risk appetite of the board.