
A Risk Register is the Siren Song of Risk Management

May 20, 2013

Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.

But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years.  That is why the Risk Register is the siren song of Risk Management.  No, not the siren that makes a loud noise for the Fire Department.  The Sirens of Homer’s Odyssey.

The siren’s song attracted sailors who, as they got closer to listen, crashed upon the rocks and died.

So with risk managers and risk registers.  Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment.  However, the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register.  The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company.  They try to find ways to entice others into the world of the risk register.

But real risk management requires only a simple list of risks, risk owners and risk mitigation activities.  This should never be maintained on spreadsheets in formats that can only be printed with 8 point type or never seen in total because there are just too many columns of important details.  Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.

Managing the process of

Adding cash or profits now while adding risk

-or-

reducing cash or profits now while decreasing risk

is real risk management.  

Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register.  Real risk management involves making difficult decisions and taking actions based upon those decisions.  Those decisions always involve a trade-off between cash or profits now and risk later.  Adding cash or profits now while adding risk later or reducing cash or profits now while decreasing risk later.  That is real risk management.

Learnings from the Superstorm

April 29, 2013

From the FSOC 2013 Annual Report with minor paraphrasing…

• Planning and testing: It is important that your company and all of your important counterparties, vendors, and sub contractees, fully understand the functionality of contingency systems, and that key operations and business personnel communicate efficiently to assure enterprise-wide clarity. Expanded testing exercises would enhance assurance of failover reliability. Such testing should involve all parties inside and outside your firm that you depend upon to continue functioning, and should also involve providers of essential services such as power, water, and telecommunications.

• Incident management: Protocols for assuring a timely decision on whether and when to close or open the company would benefit from review and streamlining by the responsible parties. Likewise, protocols for assuring timely decisions within the firm on whether and when to leverage back-up sites would benefit from continued regular testing. Furthermore, operational interdependencies need to be fully incorporated in the decision-making process.

• Personnel: The resilience of critical components of the company requires geographic dispersal of both electronic systems and personnel sufficient to enable an organization to operate despite the occurrence of a wide-scale disruption affecting the metropolitan or geographic area of the organization’s primary operations, including communities economically integrated with, adjacent to, or within normal commuting distance of the primary operations area. Organizations, including major firms, need to continuously and rigorously analyze their routine positioning and emergency repositioning of key management and staff. This is an ongoing requirement as technology, market structure, and institutions evolve rapidly. Developed business continuity plans should be implemented, and key staff should be sent to disaster recovery sites when there is advance notice of events.

• Dependencies: Cross-industry interdependencies require constant review, reassessment, and improvement by organizations to mitigate the impact of energy, power, transport, and communications failures during severe incidents, and to help ensure reliable redundancy.

FROM THE ERM SYMPOSIUM IN CHICAGO

April 28, 2013

Post to Financial Training

Posts to WillisWire:

Tweets:

  1. Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk

  2. What happened to last year’s discussion of a country CRO at the #ermsymposium?

  3. Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!


  4. Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium

  5. Systemic risk decreases with transparency. #ermsymposium

  6. So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium

  7. Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

    1. Dave Ingram@dingramerm 23 Apr Must look at risk measures in the context of your business model. C Lawrence #ermsymposium

    2. Need to invest in the future of risk profession. Mark Abbott #ermsymposium

    3. I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D

    4. Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 

    5. What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk


    6. What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM


    7. Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 

    8. CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

  1. CRO needs to have a 360 degree view of risk. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram @dingramerm 24 Apr
  7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram @dingramerm 23 Apr
  8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram @dingramerm 23 Apr
  9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram @dingramerm 23 Apr
  10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram @dingramerm 23 Apr
  13. Biggest risks are when we choose not to know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  15. The ERM program needs to show success on the opportunity side of risk. J Kollar #ermsymposium Dave Ingram @dingramerm 23 Apr
  16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram @dingramerm 23 Apr
  18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram @dingramerm 23 Apr
  20. Get board involved asking the risk questions. This creates engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories.

Provisioning – Packing for your trip into the future

April 26, 2013

There are two levels of provisioning for an insurer: Reserves and Risk Capital.  The two are intimately related.  In fact, in some cases, insurers will spend more time and care in determining the correct number for the sum of the two, called Total Asset Requirement (TAR) by some.

Insurers need a realistic picture of future obligations long before the future is completely clear. This is a key part of the feedback mechanism.  The results of the first year of business are the most important indication of business success for non-life insurance.  That view of results depends largely upon the integrity of the reserve value.  This feedback information affects performance evaluation, pricing for the next year, risk analysis and capital adequacy analysis and capital allocation.

The other part of provisioning is risk capital.  Insurers also need to hold capital for less likely swings in potential losses.  This risk capital is the buffer that provides for the payment of policyholder claims in a very high proportion of imagined circumstances.  The insurance marketplace, the rating agencies and insurance regulatory bodies all insist that the insurer holds a high buffer for this purpose.

In addition, many valuable insights into the insurance business can be gained from careful analysis of the data that is input to the provisioning process for both levels of provisioning.

However, reserves are most often set to be consistent with considerations.  Swings of adequate and inadequate pricing are tightly linked to swings in reserves.  When reserves are optimistically set, capital levels may reflect the same bias. This means that inadequate prices can ripple through to cause deferred recognition of actual claims costs as well as under provisioning at both levels.  This is more evidence that consideration is key to risk management.

There is often pressure for small and smooth changes to reserves and risk capital but information flows and analysis provide jumps in insights both as to expectations for emerging losses as well as in terms of methodologies for estimation of reserves and capital.  The business pressures may threaten to overwhelm the best analysis efforts here.  The analytical team that prepares the reserves and capital estimates needs to be aware of and be prepared for this eventuality.  One good way to prepare for this is to make sure that management and the board are fully aware of the weaknesses of the modeling approach and so are more prepared for the inevitable model corrections.

Insurers need to have a validation process to make sure that the sum of reserves and capital is an amount that provides the degree of security that is sought.  Modelers must allow for variations in risk environment as well as the impact of risk profile, financial security and risk management systems of the insurer in considering the risk capital amount.  Changes in any of those elements may cause abrupt shifts in the amount of capital needed.

The Total Asset Requirement should be determined without regard to where the reserves have been set so that risk capital level does not double up on redundancy or implicitly affirm inadequacy of reserves.

The capital determined through the Provisioning process will usually be the key element to the Risk Portfolio process.  That means that accuracy in the sub totals within the models is just as important as the overall total.  The common practice of tolerating offsetting inadequacies in the models may totally distort company strategic decision making.

This is one of the seven ERM Principles for Insurers.

Does Anyone Care about Risk Appetite?

April 24, 2013

RISKVIEWS got a private comment on the Risk Portfolio post. The comment can be summed up by the title above.

And if you think about the insights about ERM from the Plural Rationality discussion, you might echo that question.

FOUR STRATEGIES

If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find.

If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that are very similar to what you write already, to what you are comfortable with.  You might fear that setting an appetite would improperly encourage folks to take more risk even if it does not really fit those very stringent criteria.

If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance.  How would you know what the opportunities will be in the future?  You might easily want to accept much more or much less.  You would think that it is a waste of time to worry about such an unknowable issue.

Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea.  They would say that you must have a risk appetite for your ERM program to have any meaning.  Many regulators have the same MANAGER risk attitude.  They agree with the fundamental idea of ERM, with the idea that risk managers are needed to assist insurance company managers, to assess risks and to make sure that the insurer does not take too much risk.  The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company.

And MANAGERS will do the best for the company when they manage the risks of the firm during times of moderate volatility.  Then their choices of risks will likely perform just as their models will predict.  However, in times when opportunities are best, the MANAGERS will doubtless hold the company back from the sort of gains in profitable business that the MAXIMIZERS will achieve in the companies that they run.  And in times when the red ink is running all over, the MANAGERS will urge insufficient caution and will see larger losses than their models would indicate.

In the sort of uncertain times that we have lived with for 5 years now, the MANAGER’s models will not be able to adequately point the way either.  Results will languish or bounce unexpectedly.

But it is just not true that nobody cares about Risk Appetite.

Future Uncertainty

April 16, 2013

Often called emerging risks. Going back to Knight’s definitions of Risk and Uncertainty, there is very little risk contained in these potential situations.  Emerging risks are often pure uncertainty.  Humans are good at finding patterns.  Emerging risks are breaks in patterns.

What to Do about Emerging Risks…

Emerging risks are defined by AM Best as “new or evolving risks that are difficult to manage because their identification, likelihood of occurrence, potential impacts, timing of occurrence or impact, or correlation with other risks, are highly uncertain.” An example from the past is asbestos; other current examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. Lloyd’s, a major sufferer from the former emerging risk of asbestos, takes emerging risks very seriously. They think of emerging risks as “an issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting”.

What do the rating agencies expect?

AM Best says that insurers need “sound risk management practices relative to its risk profile and considering the risks inherent in the liabilities it writes, the assets it acquires and the market(s) in which it operates, and takes into consideration new and emerging risks.” In 2013, Best has added a question asking insurers to identify emerging risks to the ERM section of the SRQ. Emerging Risks Management has been one of the five major pillars of the Standard & Poor’s Insurance ERM ratings criteria since 2006.

How do you identify emerging risks?

A recent report from the World Economic Forum, the Global Risks 2012 report, is based on a survey of 469 experts from industry, government, academia and civil society that examines 50 global risks. Those experts identified 8 of those 50 risks as having the most significance over the next 10 years:

  •   Chronic fiscal imbalances
  •   Cyber attacks
  •   Extreme volatility in energy and agriculture prices
  •   Food shortage crises
  •   Major systemic financial failure
  •   Rising greenhouse gas emissions
  •   Severe income disparity
  •   Water supply crises

This survey method for identifying or prioritizing risks is called the Delphi method and can be used by any insurer. Another popular method is called environmental scanning, which includes simply reading and paying attention for unusual information about situations that could evolve into future major risks.

What can go wrong?

Many companies do not have any process to consider emerging risks.  At those firms, managers usually dismiss many possible emerging risks as impossible.  It may be the company culture to scoff at the sci fi thinking of the emerging risks process.  The process Taleb describes of finding ex post explanation for emerging Black Swan risks is often the undoing of careful plans to manage emerging risk.  In addition, lack of imagination causes some managers to conclude that the past worst case is the outer limit for future losses.

What can you do about emerging risks?

The objectives for emerging risks management are just the same as for other more well-known risks: to reduce the frequency and severity of future losses. The uncertain nature of emerging risks makes that much more difficult to do cost effectively. Insurers can use scenario testing to examine potential impact of emerging risks and to see what actions taken in advance of their emergence might lessen exposures to losses. This scenario testing can also help to identify what actions might lessen the impact of an unexpected loss event that comes from a very rapidly emerging risk. Finally, insurers seek to identify and track leading indicators of impending new risk emergence.

Reinsurance is one of the most effective ways to protect against emerging risks, second only to careful drafting of insurance contract terms and conditions.

Many of the largest insurers and reinsurers have developed very robust practices to identify and to prepare for emerging risks.  Other companies can learn from the insurers who practice emerging risk management and adapt the same processes to their emerging risks.

Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment. Emerging risks may appear abruptly or slowly and gradually, are difficult to identify, and may for some time represent an ill-formed idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is fully known in advance. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on the insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.

Identifying emerging risks

Emerging risks have not yet materialized or are not yet clearly defined and can appear abruptly or very slowly. Therefore, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit growth of exposure as the evidence becomes more and more certain.  However, insurers practicing this discipline will need to be aware of the cost of false alarms.

Assessing their significance

Assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment— which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm. For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important. On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.

A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions. In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.

Define appropriate responses

Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through reinsurance (or retrocession) in case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging. When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity.  Planning access to liquidity is a basic part of emerging risk management.  Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.

Advance Warning Process

For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advance warning process.  To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk.

Learn

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company will identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.  In addition, expect to get better at each step of the emerging risk process with time and experience.

But emerging risk management costs money.  And the costs that are most difficult to defend are the emerging risks that never emerge.  A good emerging risk process will have many more misses than hits.  Real emerged risks are rare.  A company that is really taking emerging risks seriously will be taking actions on occasion that cost money to perform and possibly include a reduction in the risks accepted and the attendant profits.  Management needs to have a tolerance for these costs.  But not too much tolerance.

 

This is one of the seven ERM Principles for Insurers.

Getting Paid for Risk Taking

April 15, 2013

Consideration for accepting a risk needs to be at a level that will sustain the business and produce a return that is satisfactory to investors.

Investors usually want additional return for extra risk.  This is one of the most misunderstood ideas in investing.

“In an efficient market, investors realize above-average returns only by taking above-average risks.  Risky stocks have high returns, on average, and safe stocks do not.”

Baker, M. Bradley, B. Wurgler, J.  Benchmarks as Limits to Arbitrage: Understanding the Low-Volatility Anomaly

But their study found that stocks in the top quintile of trailing volatility had a real return of -90% vs. a real return of 1000% for the stocks in the bottom quintile.

But the thinking is wrong.  Excess risk does not produce excess return.  The cause and effect are wrong in the conventional wisdom.  The original statement of this principle may have been

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
Alfred Marshall 1890 Principles of Economics

Marshall has it right.  There are only “hopes” of great gains.  There is no invisible hand that forces higher risks to return higher gains.  Some of the higher risk investment choices are simply bad choices.

Insurers’ opportunity to make “great gains” out of “risks of great losses” is when they are determining what consideration, or price, that they will require to accept a risk.  Most insurers operate in competitive markets that are not completely efficient.  Individual insurers do not usually set the price in the market, but there is a range of prices at which insurance is purchased in any time period.  Certainly the process that an insurer uses to determine the price that makes a risk acceptable to accept is a primary determinant in the profits of the insurer.  If that price contains a sufficient load for the extreme risks that might threaten the existence of the insurer, then over time, the insurer has the ability to hold and maintain sufficient resources to survive some large loss situations.

One common goal conflict that leads to problems with pricing is the conflict between sales and profits.  In insurance as in many businesses, it is quite easy to increase sales by lowering prices.  In most businesses, it is very difficult to keep up that strategy for very long as the realization of lower profits or losses from inadequate prices is quickly realized.  In insurance, the premiums are paid in advance, sometimes many years in advance of when the insurer must provide the promised insurance benefits.  If provisioning is tilted towards the point of view that supports the consideration, the pricing deficiencies will not be apparent for years.  So insurance is particularly susceptible to the tension between volume of business and margins for risk and profits, and since sales is a more fundamental need than profits, the margins often suffer.

As just mentioned, insurers simply do not know for certain what the actual cost of providing an insurance benefit will be.  Not with the degree of certainty that businesses in other sectors can know their cost of goods sold.  The appropriateness of pricing will often be validated in the market.  Follow-the-leader pricing can lead a herd of insurers over the cliff.  The whole sector can get pricing wrong for a time.  Until, sometimes years later, the benefits are collected and their true cost is known.

“A decade of short sighted price slashing led to industry losses of nearly $3 billion last year.”  Wall Street Journal June 24, 2002

Pricing can also go wrong on an individual case level.  The “Winner’s Curse” sends business to the insurer who most underimagines riskiness of a particular risk.

There are two steps to reflecting risk in pricing.  The first step is to capture the expected loss properly.  Most of the discussion above relates to this step and the major part of pricing risk comes from the possibility of missing that step as has already been discussed.  But the second step is to appropriately reflect all aspects of the risk that the actual losses will be different from expected.  There are many ways that such deviations can manifest.

The following is a partial listing of the risks that might be examined:

• Type A Risk—Short-Term Volatility of cash flows in 1 year
• Type B Risk—Short-Term Tail Risk of cash flows in 1 year
• Type C Risk—Uncertainty Risk (also known as parameter risk)
• Type D Risk—Inexperience Risk relative to full multiple market cycles
• Type E Risk—Correlation to a top 10
• Type F Risk—Market value volatility in 1 year
• Type G Risk—Execution Risk regarding difficulty of controlling operational losses
• Type H Risk—Long-Term Volatility of cash flows over 5 or more years
• Type J Risk—Long-Term Tail Risk of cash flows over 5 years or more
• Type K Risk—Pricing Risk (cycle risk)
• Type L Risk—Market Liquidity Risk
• Type M Risk—Instability Risk regarding the degree that the risk parameters are stable

See “Risk and Light” or “The Law of Risk and Light”.

There are also many different ways that risk loads are specifically applied to insurance pricing.  Three examples are:

  • Capital Allocation – Capital is allocated to a product (based upon the provisioning) and the pricing then needs to reflect the cost of holding the capital.  The cost of holding capital may be calculated as the difference between the risk free rate (after tax) and the hurdle rate for the insurer.  Some firms alternately use the difference between the investment return on the assets backing surplus (after tax) and the hurdle rate.  This process assures that the pricing will support achieving the hurdle rate on the capital that the insurer needs to hold for the risks of the business.  It does not reflect any margin for the volatility in earnings that the risks assumed might create, nor does it necessarily include any recognition of parameter risk or general uncertainty.
  • Provision for Adverse Deviation – Each assumption is adjusted to provide for worse experience than the mean or median loss.  The amount of stress may be at a predetermined confidence interval (such as 65%, 80% or 90%).  Higher confidence intervals would be used for assumptions with a higher degree of parameter risk.  Similarly, some companies use a multiple (or fraction) of the standard deviation of the loss distribution as the provision.  More commonly, the degree of adversity is set based upon historical provisions or upon the judgement of the person setting the price.  Provision for Adverse Deviation usually does not reflect anything specific for extra risk of insolvency.
  • Risk Adjusted Profit Target – Using either or both of the above techniques, a profit target is determined and then that target is translated into a percentage of premium or assets to make for a simple risk charge when constructing a price indication.

The consequences of failing to recognize an aspect of risk in pricing will likely be that the firm will accumulate larger than expected concentrations of business with higher amounts of that risk aspect.  See “Risk and Light” or “The Law of Risk and Light”.

To get Consideration right you need to (1) regularly get a second opinion on price adequacy either from the market or from a reliable experienced person; (2) constantly update your view of your risks in the light of emerging experience and market feedback; and (3) recognize that high sales is a possible market signal of underpricing.

This is one of the seven ERM Principles for Insurers

Underwriting of risks is a key part of risk management for insurers

April 9, 2013

Underwriting is the process of reviewing and selecting risks that an insurer might accept, under what terms, and assigning those an expected cost and level of riskiness.

  • Some underwriting processes are driven by statistics.  A few insurers who developed a highly statistical approach to underwriting personal auto coverages have experienced a high degree of success.  With a careful mining of the data from their own claims experience, these insurers have been able to carefully subdivide rating classes into many finer classes with reliable claims expectations at different levels.  This allows them to concentrate their business on the better risks in each of the larger classes of their competitors while the competitors end up with a concentration of below average drivers in each larger class.  This statistical underwriting process is becoming a required tool to survive in personal auto and is being copied in other insurance lines.
  • Many underwriting processes are highly reliant on the judgment of an experienced underwriter, especially for commercial business or other types of coverage where there is very little close commonality between one case and another.  Many insurers consider underwriting expertise to be their key corporate competency.
  • Usually the underwriting process concludes with a decision on whether to make an offer to accept a risk under certain terms and at a determined price.

How underwriting can go wrong:

  • Insurers are often asked to “give away the pen” and allow third parties to underwrite risks on their paper.  Sometimes this has a very sad ending.
  • Statistical underwriting can spin out of control due to antiselection if not overseen by experienced people.  The bubble of US home mortgage securities can be seen as an extreme example of statistical underwriting gone bad.  Statistics from prior periods suggested that sub prime mortgages would default at a certain low rate.  Over time, the US mortgage market went from one with a high degree of underwriting of applicants by skilled and experienced reviewers to a process dictated by scores on credit reports and eventually the collection of data to perform underwriting stopped entirely with the no doc loans.  The theory was that the interest rate charged for the mortgages could be adjusted upwards to the point where extra interest collected could pay for the excess default claims from low credit borrowers.
  • Volume incentives can work against the primary goals of underwriting.
  • Insurance can be easily undone by underwriting decisions that are good risks, but much too large for the pool of other risks held by the insurer.

To get Underwriting right you need to:

  • Have a clear idea of the risks that you are willing to accept, your risk preferences.  And be clear that you are going to be saying NO to risks that are outside of those preferences.
  • Not let the pen get entirely out of the hand of an experienced underwriter that is trustable to make decisions in the interest of the firm, either to a computer or to a third party.
  • Oversight of underwriting decisions needs to be an expectation at all levels.  The primary objective of this oversight should be to continually perfect the underwriting process and knowledge base.
  • Underwriters need to be fully aware of the results of their prior decisions by regular communication with claims and reserving people.

This is one of the seven ERM Principles for Insurers

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.

By Julian Voss-Andreae (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are many possible reasons for poor results.  Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped.  Correlation is the most misunderstood statistic.  Risk managers would do well to study and understand what valuable and reliable uses there are for correlation calculations.  They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

Risk and Return – A Balancing Act

April 5, 2013

From Max Rudolph

There are similarities between value investing and enterprise risk management (ERM) methods. For some, especially portfolio managers, this may be obvious. These investors come to the table with experience using risk as a constraint while trying to optimize returns. Years of experience have taught this group that risk balances return, and that return balances risk. Value is added by creating favorable imbalances. The investor with high returns and average risk has succeeded, as has the investor reporting average returns and low risk.
Many concepts are shared between ERM and value investing. When defining risk, which is generally unique to the individual, an analyst considers uncertainty, downside risk, and optimization. Value investors look at concepts like conservative assumptions, margin of safety, and asset allocation. These concepts are comparable, and this paper uses the International Actuarial Association’s Note on enterprise risk management (ERM) for capital and solvency purposes in the insurance industry to take the reader through general ERM topics. This is followed by a comparable value investing discussion and a comparison of the two practice areas.

In some firms, a risk manager is placed in a position with little authority, limiting the benefits of ERM. A process driven ERM function can identify risks and risk owners, create a common language, and send useful reports to the Board. A stronger risk officer adds value by using transparency to understand risk interactions, scanning for emerging risks and generally keeping a focus on how an entity’s risk profile is evolving.

Continued in Value Investing and Enterprise Risk Management: Two Sides of the Same Coin

Controlling with a Cycle

April 3, 2013

[Image: Helsinki city bikes]

No, not that kind of cycle… This kind:

[Image: Cycle]

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced. Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible. Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process. Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions. Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation. Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. 
Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

Marking Risks to Market

February 19, 2013

If financial statements are set to mark to market, why aren’t they marking uninsured risks to market?
Under all accounting systems, a business that buys no fire insurance will show a better result than a similar company that is buying insurance. Except in the year when they have a claim. The market price for their risk is an insurance premium.  But for some reason, risk has never been treated in this way.

If risk was marked to market, then a firm that buys no insurance, or does not hedge a risk would not report a gain, they would need to put aside an amount at least equal to the insurance premium. That amount could be put into a fund and released when they have an event that would have generated an insurance claim.

Of course, to be mathematically correct, they would need to make adjustments to the insurance premiums. One to remove the profit margin/risk charge in the premium and another to reflect the fact that they are in effect creating an insurance pool with one participant which appropriately replaces the risk charge.
An insurance pool with one participant? That doesn’t make any sense. But that is what a business that is not buying insurance is doing. What then would be the correct premium, not loaded for profits, for an insurance pool of one? The pool would have to bear the cost of holding capital (or a contingent capital facility) for the entire maximum claim amount to the extent that amount exceeds the reserves (or the amount in the pool).
So if the cost of capital is 3%, and the claims rate is 1%, then the mark to market cost would be about 400% of expected claims at first, declining as the fund builds up.
Pretty expensive. But that would make the financial statement make sense on a mark to market basis for risk.
This approach could be applied to unhedged risks as well. The mark to market accounting is actually much too lenient on hedgable risks that are unhedged. The MTM accounting in effect allows those companies to reflect the cost of hedging even if they are not hedging. In fact, when they do not hedge, they are self insuring and need to reflect a much higher cost as described above.

Not managing risk is expensive, particularly to investors.  Investors deserve appropriate information on risk.  The longstanding accounting paradigm that ignores risk gives investors the exact wrong information and needs to be immediately corrected.

One of the main reasons that risk management is not already completely embedded in all firms is that they can get away with this scam on their investors, supported by their accounting statement.

Risk needs to be accounted for properly, especially when it is not managed.

Spreadsheets are not the problem

February 18, 2013

The media have latched on to a story.

Microsoft’s Excel Might Be The Most Dangerous Software On The Planet

The culprit in the 2012 JP Morgan trading loss has been exposed.  Spreadsheets are to blame!

The only problem with this answer is that it is simply incorrect.  It is blaming the bad result on the last step in the process.  Like the announcers for a football game who blame the last play of the game for the outcome.  It really wasn’t missing that one last ditch scoring effort that made the difference.  It was how the two teams played the whole game.

And for situations like the JP Morgan trading loss, the spreadsheet was one of the last steps in the process.

But the fundamental problem was that they were allowing someone in the bank to take very large risks that no one could understand directly.  These were risks for which no one had a rule of thumb to tell them that they were nearing a situation where, on any bad day, they could lose billions.

That is pretty fundamental to a risk taking business.  To understand your risks.  And if you have no idea whatsoever of how much risk that you are taking without running that position through a model, then you are in big trouble.

That does not mean that models shouldn’t be used to evaluate risk.  The problem is the need to use a model in the heat of battle, when there is no time to check for the kinds of mistakes that tripped up JP Morgan.  The models should be used in advance of going to market and rules of thumb, or heuristics for those who like the academic labels, need to be developed.

The model should be a tool for building understanding of the business, not as a substitute for understanding the business.

Humans have developed very powerful skills to work with heuristics over tens of thousands of years.  Models should feed into that capability, not be used to totally override it.

Chances are that the traders at JP Morgan did have heuristics for the risk and knew that they were arbitraging their own risk management process.  They may not have known why their gut told them that there was more risk than the model, but they are likely to have known that there was more risk there.

The risk managers are the ones who most need to have those heuristics.  And management needs to set down clear rules about the situations where the risk models are later found to be in error that protect the bank, rather than the traders’ bonuses.

No, spreadsheets are not the problem.

The problem is the idea that you can be in a business that neither top management nor risk management has any “feel” for.

Real Resilience is not what you think it is

January 30, 2013

There is confusion about the term Resilience.  To many people, it means the ability to withstand stress. To some people, the ultimate resilience comes from thick walls (or huge capital requirements).  The picture above is one of many thousands like it that shows the ultimate result of seeking resilience in a static manner.

The dictionary has something slightly different:

the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity.

But Holling, a prominent ecologist, suggests something much more robust.  He suggests that a resilient species will survive all of the stressors that attack it from its environment and thrive when conditions become benign.

“a major strategy selected is not one maximizing either efficiency or a particular reward, but one which allows persistence by maintaining flexibility above all else. A population responds to any environmental change by the initiation of a series of physiological, behavioral, ecological, and genetic changes that restore its ability to respond to subsequent unpredictable environmental changes. Variability over space and time results in variability in numbers, and with this variability the population can simultaneously retain genetic and behavioral types that can maintain their existence in low populations together with others that can capitalize on opportunities for dramatic increase. The more homogeneous the environment in space and time, the more likely is the system to have low fluctuations and low resilience.”  CS Holling, Resilience and Stability of Ecological Systems

Real resilience is ADAPTABILITY.  The ability to change your approach.  To find the way to survive the extreme adverse scenario without devoting so many resources to safety that you miss the chance to “capitalize on opportunities for dramatic increase” as Holling says.

Does your ERM program build walls, thicker and thicker, or does it build adaptability?

How many people in your organization do you think would know what to do in the event of an adverse situation that has never happened before?

But what is this adaptability?  In two studies in the late 1990s, researchers studied thousands of crisis situations and identified 8 dimensions of adaptability for individuals.  See study here.

Handling emergencies or crisis situations

Reacting with appropriate and proper urgency in life threatening, dangerous, or emergency situations; quickly analyzing options for dealing with danger or crises and their implications; making split-second decisions based on clear and focused thinking; maintaining emotional control and objectivity while keeping focused on the situation at hand; stepping up to take action and handle danger or emergencies as necessary and appropriate.

Handling work stress

Remaining composed and cool when faced with difficult circumstances or a highly demanding workload or schedule; not overreacting to unexpected news or situations; managing frustration well by directing effort to constructive solutions rather than blaming others; demonstrating resilience and the highest levels of professionalism in stressful circumstances; acting as a calming and settling influence to whom others look for guidance.

Solving problems creatively

Employing unique types of analyses and generating new, innovative ideas in complex areas; turning problems upside-down and inside-out to find fresh, new approaches; integrating seemingly unrelated information and developing creative solutions; entertaining wide-ranging possibilities others may miss, thinking outside the given parameters to see if there is a more effective approach; developing innovative methods of obtaining or using resources when insufficient resources are available to do the job.

Dealing with uncertain and unpredictable work situations

Taking effective action when necessary without having to know the total picture or have all the facts at hand; readily and easily changing gears in response to unpredictable or unexpected events and circumstances; effectively adjusting plans, goals, actions, or priorities to deal with changing situations; imposing structure for self and others that provide as much focus as possible in dynamic situations; not needing things to be black and white; refusing to be paralyzed by uncertainty or ambiguity.

Learning work tasks, technologies, and procedures

Demonstrating enthusiasm for learning new approaches and technologies for conducting work; doing what is necessary to keep knowledge and skills current; quickly and proficiently learning new methods or how to perform previously unlearned tasks; adjusting to new work processes and procedures; anticipating changes in the work demands and searching for and participating in assignments or training that will prepare self for these changes; taking action to improve work performance deficiencies.

Demonstrating interpersonal adaptability

Being flexible and open-minded when dealing with others; listening to and considering others’ viewpoints and opinions and altering own opinion when it is appropriate to do so; being open and accepting of negative or developmental feedback regarding work; working well and developing effective relationships with highly diverse personalities; demonstrating keen insight of others’ behavior and tailoring own behavior to persuade, influence, or work more effectively with them.

Demonstrating cultural adaptability

Taking action to learn about and understand the climate, orientation, needs, and values of other groups, organizations, or cultures; integrating well into and being comfortable with different values, customs, and cultures; willingly adjusting behavior or appearance as necessary to comply with or show respect for others’ values and customs; understanding the implications of one’s actions and adjusting approach to maintain positive relationships with other groups, organizations, or cultures.

Demonstrating physically oriented adaptability

Adjusting to challenging environmental states such as extreme heat, humidity, cold, or dirtiness; frequently pushing self physically to complete strenuous or demanding tasks; adjusting weight and muscular strength or becoming proficient in performing physical tasks as necessary for the job.

The questions that remain are:

Is adaptability of a company anything different from adaptability of the people in the company?

How does a company get adaptable people?  Are people born that way or can they be trained?

2012 Survey for Japanese Risk Managers

January 25, 2013

The following is an excerpt from the Executive Summary of the report:

Defining Risk Management within an Organization:

Results of the 2012 Survey for Japanese Risk Managers

by Kenji Fujii and Yuji Morimoto

This survey was conducted early this year by the Tokyo Risk Managers Association (TRMA) as a follow-up to the TRMA financial crisis questionnaire in 2009. 

Following is the summary of what we learned from the survey result.

  • First of all, the involvement of senior management in risk management has increased.
  • On the other hand, there were many responses stating that effective discussions at Risk Management Committee meetings had not progressed very much; that the status and authority of Chief Risk Officers (CRO) had not been strengthened very much; and that sufficient resources are still not being allocated to Risk Management Divisions. These responses suggest that although senior management are expressing an increased interest in risk management, this interest does not necessarily tie into concrete reinforcements.
  • Regarding the risk appetite, more than half of respondents were of the opinion that risk should be used as a standard when creating business plans, but at the same time, it became clear that this approach has not penetrated or become entrenched as part of actual operations.
  • Regarding capital management, two opinions were at odds; the opinion that regulatory capital and economic capital are approaching one another, and the opinion that they are drifting apart. Responses also indicated continued struggles with regard to the structure of approaches and frameworks regarding capital management, and a greater number of respondents expressed the opinion that there is meaning in creating recovery and resolution plans.
  • Regarding stress tests, there were indications that integrated stress tests are being employed more broadly, and it appears that reports to management on test results have already become commonplace. The issue raised most frequently with regard to stress tests was “establishing appropriate scenarios.”
  • Although many respondents indicated that liquidity risk management has improved, these opinions were not yet in the majority. There were also conflicting opinions regarding whether or not the strengthening of liquidity risk regulations reduced liquidity risks.
  • Regarding risk data, although many respondents said that there have been improvements, it became clear that many members are concerned about the fact that this data continues to be stored in various systems in a scattered fashion.

The entire paper is available here.

Five components of resilience – robustness, redundancy, resourcefulness, response and recovery

January 24, 2013

Adapted from the WEF Global Risks 2013 Report  (Minimal editing to focus discussion on “an organization” rather than “a country”)

Resilience Characteristics (Robustness, Redundancy and Resourcefulness)

The following three components of resilience are used to describe an organization’s state of resilience. These components should be designed into a system and, as such, will enable assessments of an organization’s inherent resilience capabilities.  

A. Robustness

Robustness incorporates the concept of reliability and refers to the ability to absorb and withstand disturbances and crises. The assumptions underlying this component of resilience are that: 1) if fail-safes and firewalls are designed into an organization’s critical networks, and 2) if that organization’s decision-making chains of command become more modular in response to changing circumstances, then potential damage to one part of an organization is less likely to spread far and wide.

Example of Attributes

– Monitoring system health: Regularly monitoring and assessing the quality of the subsystem ensures its reliability.

– Modularity: Mechanisms designed to prevent unexpected shocks in one part of a system from spreading to other parts of a system can localize their impact, as happened with the contagion from investment banking to retail banking during the 2007-2008 financial crisis.

– Adaptive decision-making models: Networked managerial structures can allow an organization to become more or less centralized depending on circumstances, such as when branch offices of the Japanese retailer Lawson’s continued operating through the serious disruptions of the Great East Japan Earthquake in 2011.  These measures can include having in place the right investment and incentive structures to overcome competing interests.

B. Redundancy

Redundancy involves having excess capacity and back-up systems, which enable the maintenance of core functionality in the event of disturbances.  This component assumes that an organization will be less likely to experience a collapse in the wake of stresses or failures of some of its infrastructure, if the design of that organization’s critical infrastructure and institutions incorporates a diversity of overlapping methods, policies, strategies or services to accomplish objects and fulfill purposes.

Examples of Attributes

– Redundancy of critical infrastructure: Designing replication of modules which are not strictly necessary to maintaining core function day to day, but are necessary to maintaining core function in the event of crises.

– Diversity of solutions and strategy: Promoting diversity of mechanisms for a given function. Balancing diversity with efficiency and redundancy will enable organizations to cope and adapt better than those that have none.

C. Resourcefulness

Resourcefulness means the ability to adapt to crises, respond flexibly and – when possible – transform a negative impact into a positive.  For a system to be adaptive means that it has inherent flexibility, which is crucial to enabling the ability to influence of resilience.  The assumption underlying this component of resilience is that if organizations can build trust within their networks of suppliers, employees and customers and are able to self-organize, then they are more likely to spontaneously react and discover solutions to resolve unanticipated challenges when larger industry and community institutions and governance systems are challenged or fail.

Example of Attributes

– Capacity for self-organization: This includes factors such as the extent of social and human capital, the relationship between social networks and organizational structures, and the existence of institutions that enable face-to-face networking. These factors are critical in circumstances such as failures of government institutions when organizations need to self-organize and continue to obtain essential services.

– Creativity and innovation: The ability to innovate is linked to the availability of spare resources and the rigidity of boundaries between disciplines, departments and social groups within the organization.

Resilience Performance (Response and Recovery)

These two components of resilience describe how a system performs in the event of crises. They provide evidence of resilience when actual crises occur.  Response and recovery are dependent on risk, event and time. These components will provide the ability to compare systems and feed the measurements and results to calibrate the resilience characteristics.

D. Response

Response means the ability to mobilize quickly in the face of crises. This component of resilience assesses whether an organization has good methods for gathering relevant information from all parts of society and communicating the relevant data and information to others, as well as the ability for decision makers to recognize emerging issues quickly.

Example of Attributes

– Communication: Effective communication and trust in the information conveyed increase the likelihood that, in the event of a crisis, stakeholders are able to disseminate and share information quickly, and to ensure cooperation and quick response from the audience.

– Inclusive participation: Inclusive participation among all stakeholders can build a shared understanding of the issues underpinning crises and acute risks to the organization, reduce the possibility of important interdependencies being overlooked, and strengthen trust among participants.

E. Recovery

Recovery means the ability to regain a degree of normality after a crisis or event, including the ability of a system to be flexible and adaptable and to evolve to deal with the new or changed circumstances after the manifestation of a risk.  This component of resilience assesses the organization’s capacities and strategies for feeding information throughout the organization, and the ability for decision-makers to take action to adapt to changing circumstances and incorporate new situations into business strategies.

Example of Attributes

– Active “horizon scanning”: Critical to this attribute are multi-stakeholder processes tasked with uncovering gaps in existing knowledge and commissioning research to fill those gaps.

– Responsive feedback mechanisms: Systems to translate new information from horizon-scanning activities into action – for example, defining “automatic policy adjustments triggers” – can clarify circumstances in which policies must be reassessed.

As an example of the overlapping and complementary nature of these attributes, inclusive participation is listed as a key attribute of response, but it is also vital in other areas such as recovery and resourcefulness. Also inherent in all resilience characteristics, though referenced above only in the attribute of adaptive decision-making models, are investment and incentive structures and design requirements to overcome collective action problems and competing interests. There are many individual stakeholders who would benefit from greater shared resilience but currently lack either the incentive or feel too pressed for time and resources to take the necessary actions.

Diversification of Risks

January 22, 2013

There are records showing that the power of diversification of risks was known to the ancients.  Investors who financed trading ships clearly favored taking fractions of a number of ships to owning all of a single ship.

The benefits of diversification are clear.  The math is highly compelling.  A portfolio of n risks of the same size A that are truly independent has a volatility that is a fraction of the volatility of totally dependent risks.

Here is a simple example.  There is a 1 in 200 chance that a house will be totally destroyed by fire.  Company A writes an insurance policy on one $500,000 house that would pay for replacement in the event of a total loss.  That means that company A has a 1 in 200 chance of paying a $500,000 claim.  Company B decides to write insurance that pays a maximum of $50,000 in the event of a total loss.  How many policies do you think that Company B needs to write to have a 1 in 200 chance of paying $500,000 of claims if the risks are all totally independent and exactly as prone to claims as the $500k house?

The answer is an amazing 900 policies or 90 times as much insurance!

When an insurer is able to write insurance on independent risks, then with each additional risk, the relative volatility of the book of insurance decreases.  Optimal diversification occurs when the independent risks are all of the same size.  For insurers, the market is competitive enough that the company writing the 900 policies is not able to get a profit margin that is proportionate to the individual risks.  The laws of microeconomics work in insurance to drive the profit margins down to a level that is at or below the level that makes sense for the actual risk retained.  This provides the most compelling argument for the price of insurance for consumers: they are getting most of the benefit of diversification through the competitive mechanism described above.  Because of this, things are even worse for the first insurer with the one policy.  To the extent that there is a competitive market for insurance for that one $500k house, that insurer will only be able to get a profit margin that is commensurate with the risk of a diversified portfolio of risks.

It is curious to note that in many situations, both insurers and individuals do not diversify.  RISKVIEWS would suggest that may be explained by imagining that they either forget about diversification when making single decisions (they are acting irrationally), or that they are acting rationally and believe that the returns for the concentrated risk that they undertake are sufficiently large to justify the added risk.

The table below shows the degree to which individuals in various large companies are acting against the principle of diversification.

[Table: concentration]

From a diversification point of view, the P&G folks above are mostly like the insurer above that writes the one $500k policy.  They may believe that P&G is less risky than a diversified portfolio of stocks.  Unlike the insurer, where the constraint on the amount of business that they can write is the 1/200 loss potential, the investor in this case is constrained by the amount of funds to be invested.  So if a $500k 401k account with P&G stock has a likelihood of losing 100% of value of 1/200, then a portfolio of 20 $25k positions in similarly risky companies would have a likelihood of losing 15% of value of 1/1000.  Larger losses would have much lower likelihood.

With that kind of math in its favor, it is hard to imagine that the holdings in employer stock in the 401ks represent a rational estimation of higher returns, especially not on a risk adjusted basis.

People must just not be at all aware of how diversification benefits them.

Or, there is another explanation, in the case of stock investments.  It can be most easily framed in terms of the Capital Asset Pricing Model (CAPM).  CAPM suggests that stock market returns can be represented by a market or systematic component (beta) and company specific component (alpha).  Most stocks have a significantly positive beta.  In work that RISKVIEWS has done replicating mutual fund portfolios with market index portfolios, it is not uncommon for a mutual fund’s returns to be 90% explained by total market returns.  People may be of the opinion that since the index represents the fund, everything is highly correlated to the index and therefore not really independent.

The simplest way to refute that thought is to show the variety of returns that can be found in the returns of the stocks in the major sectors:

[Chart: Sectors]

The S&P 500 return for 2012 was 16%.  Clearly, all sectors do not have returns that are closely related to the index, either in 2012 or for any other period shown here.

Both insurance companies and investors can have a large number of different risks but not be as well diversified as they would think.  That is because of the statement above that optimal diversification results when all risks are equal.  Investors like the 401k participants with half or more of their portfolio in one stock may have the other half of their money in a diversified mutual fund.  But the large size of the single position is difficult to overcome.  The same thing happens to insurers who are tempted to write just one, or a few risks that are much larger than their usual business.  The diversification benefit of their large portfolio of smaller risks disappears quickly when they add just a few much larger risks.
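The arithmetic behind the house-insurance example and the concentration point above, worked through as an added illustration that is not part of the original post. It assumes independent total-loss risks and a normal approximation for the 1-in-200 level (the post does not say how its figure was derived); the three $5M risks are constructed sample values.

```python
import math
from statistics import NormalDist

P_LOSS = 1 / 200  # the post's chance that any one risk is a total loss


def relative_volatility(sizes, p=P_LOSS):
    """Std dev of total losses divided by total exposure.

    Each risk is an independent all-or-nothing loss of its full size,
    so variances add: Var = p(1-p) * sum(size^2).
    """
    variance = p * (1 - p) * sum(s * s for s in sizes)
    return math.sqrt(variance) / sum(sizes)


def effective_count(sizes):
    """How many equal-size independent risks would give the same
    relative volatility as this (possibly lopsided) book."""
    return sum(sizes) ** 2 / sum(s * s for s in sizes)


def policies_needed(limit, target, p=P_LOSS, tail=1 / 200):
    """Smallest number of policies with payout `limit` whose
    (1 - tail) claims quantile reaches `target`.

    Assumption: total claims are treated as normally distributed.
    """
    z = NormalDist().inv_cdf(1 - tail)
    n = 1
    while True:
        mean = n * p * limit
        sd = limit * math.sqrt(n * p * (1 - p))
        if mean + z * sd >= target:
            return n
        n += 1


if __name__ == "__main__":
    # Company A: one $500k house.  Company B: many $50k policies.
    n = policies_needed(limit=50_000, target=500_000)
    print("Company B policies for a 1-in-200 $500k year:", n)
    print("Exposure multiple vs Company A:", n * 50_000 / 500_000)

    one_house = relative_volatility([500_000])
    many_small = relative_volatility([50_000] * n)
    print("Relative volatility, one house:   %.4f" % one_house)
    print("Relative volatility, small book:  %.4f" % many_small)
    print("Ratio equals sqrt(n):             %.1f" % (one_house / many_small))

    # Constructed sample: a diversified book plus a few much larger risks.
    book = [50_000] * 900
    concentrated = book + [5_000_000] * 3
    print("Effective risks, even book:       %.0f" % effective_count(book))
    print("Effective risks, with 3 large:    %.1f" % effective_count(concentrated))
    print("Relative volatility multiple:     %.1f" % (
        relative_volatility(concentrated) / relative_volatility(book)))
```

Under these assumptions the solver lands close to the post's round figure of 900 policies, and adding three large risks to a 900-policy book leaves it behaving like a book of fewer than 50 equal-size risks.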

Diversification is the universal power tool of risk management.  But like any other tool, it must be used properly to be effective.

This is one of the seven ERM Principles for Insurers

Should we be concentrating regulatory attention on Systemic Risk?

January 1, 2013

Think of it somewhat like the town that just suffered a very bad winter season with huge snowfalls that they were unprepared for clogging up everything for weeks on end. They spend the spring fixing up and deciding what to do. Their conclusion is to have all town employees carry snowshovels at all times and to keep snow plow trucks patrolling the streets all day and all night through the entire summer. Sometime in early fall, they decide that was a waste of time and sell all the shovels and trucks by the end of the fall.

RISKVIEWS does not think that our situation will include any systemic risks that we will anticipate. We will not repeat the exact same mistakes. Systemic risk oversight will in the end be a fixed Maginot Line defense.

What we need is

  1. to figure out how to distinguish between creation of wealth by new innovation and by extraction from past innovation so that we can encourage the former and discourage the latter. The former widely distributes increases in wealth while the latter concentrates it.  The former creates growth while the latter captures the benefits of future growth now – which means that we will not have them later.
  2. to understand leverage better. Look at the Minsky Financial Instability Model myself. Often, we are not honest with ourselves on the extent of debt. RISKVIEWS favors full disclosure over regulations. For example, firms should disclose the amount of debt that is implicit in derivative positions. And disclose the counterparties for that debt.
  3. to figure out how we are going to find the next big thing that will employ all of the people who are now permanently, structurally unemployed. We can keep hoping for something that increases wealth, something that merely decreases wealth less than the current situation or something that decreases wealth but employs people.
  4. to orient research into how to operate an economy in the long term with much less or no growth. Most of our economic expectations are built off of a constantly growing economy. With population about to start falling, we will necessarily experience much less growth. We don’t collectively even have any idea of what the shift to large retired populations will do to our economies.

The regulators need to focus on whatever is within their purview that gets in the way of accomplishing those things.

For the town above, that means storing the snow shovels until the winter and looking at the problems of the summer heat. They still need to keep an eye out for the next winter. But that does not mean it needs to be a primary focus NOW.

An ERM Carol

December 22, 2012

You awake with a start.  There is an eerie presence in your bedroom.  A voice says “Come with me!”

You see yourself, many years ago, starting out in your career.  With an interest in risk, you feel lucky that you were able to land a position in an insurance company.  You are encouraged when you hear your boss say “it’s all about risk and reward”.  But it didn’t take you too long to find out that while there were daily, weekly, monthly, quarterly, annual and special reports about the rewards that the company was experiencing, there was not one single report about risk.  You confront your manager about this and he tells you that “risk isn’t something that you measure, it is in your gut.  You just know when something is risky.”  He advised that once you were more experienced, you too would be able to tell when something was risky or not.

You drift back to sleep when a second voice calls you to “Behold!”.  You see yourself a manager in an insurance company:

You are being told that risk is very important. Your company takes risk management very seriously. Several years ago, the company spent millions to build a state of the art Economic Capital Model.  Now, all plans and all performance are viewed in terms of the amount of risk associated with each and every activity.  And you hate the whole thing!

To you, this has become a technocratic nightmare.  Your performance is judged by a computer using an algorithm that seems to be spewing forth somewhat random values.  It seems like your promotions and bonuses are being determined by a slot machine, but a slot machine with no window to see what is happening inside.

The high priests of risk operate the model.  But they are too busy to actually explain what is going on in a manner that could help the business.

So if somehow, you are lucky enough to get to the top, that will be the last day for that complex risk model.

And you pull the covers up over your head.  This is too much like a workday.  You need your sleep.  But before long, a third voice wakes you again.   “This way…”

You are on the hot seat.  The board wants to know how the company was able to get into such a problem.  Didn’t you see that there were such enormous build ups of exposures to that risky indoor snow experience sector?  The frostbite claims were double what they were last year.  Dividends will have to be eliminated.  And we probably need to turn down the corporate air conditioners.  No longer could the offices be kept at a tolerable 31 degrees.  Next summer would be unbearable.  Your only defense is that your gut told you that there was little risk and big rewards in the indoor snow business.  But that is not how it went.  They end the meeting by letting you go.  The inglorious end to your career as a risk manager. 

You wake up shouting that it was not your fault.  And you see the light coming in the window.  You turn on the TV to find that all this happened in one night.  You get dressed and go back into the office.  You are finishing up your staff meeting and you direct your attention to your risk management staff.

Starting today, I want you to spend more of your time making your models more transparent and the findings more actionable.  I am tired of risk being something that comes at us after the fact to tell us that something was wrong.  We need to focus on leading indicators that all of the managers can use in real time to manage the business.  You can still use that fancy model that you all so love, but I only want to hear about the model when it actually explains something about the business that I can use next quarter to do a better job of managing my risk and reward.

And with that, we ended the meeting and all went to our holiday party.  Next year will be interesting…..

Does your Risk Management Program have a Personality?

December 19, 2012

Many people are familiar with the Myers-Briggs Personality Type Indicator.  It is widely used by businesses.  What a shocker to read in the Washington Post last week that psychologists are not particularly fond of it.

The Myers-Briggs Personality types were developed directly from the work of Carl Jung, who is not highly regarded by modern psychologists according to the Washington Post story.

Psychologists have their own personality types.  The chart below is from The Personal Growth Library, and is called the Five Factor Model.

[Chart: Personality]

You may be able to find options here that would align with your ERM program.

Stability – You may seek Resilience, and settle for Responsiveness. 

Originality – You may want to be an Explorer, but much more likely, your ERM program is a Preserver.

Accommodation – Your goal is to be a Challenger, you end up a Negotiator. 

Consolidation – You should be able to achieve a Focused ERM program, but pressures of business and the never ending crises force you to be Flexible much too often. 

That seems to provide some valuable introspection. 

Next you need to look at the overall enterprise personality.  Many successful companies will have a personality that is very different from the choices that you want to steer towards as the risk manager for your program.  You should check it out and see.

If there is an actual alignment between your overall organization’s personality and the personality that you aspire to for your ERM program, then you will be running downhill to get that development accomplished.

What does that mean when the personality that you want for your ERM program is almost totally different from the personality of your organization?  It means that you will be pulled constantly towards the corporate personality and away from what you believe to be the most effective ERM personality.  You then have to choose whether to run your ERM program as a bunch of outsiders.  You then will need to form a tight knit support group for your outsiders.  And make sure that you watch the movie Seven Samurai or The Magnificent Seven.

Or you can rethink the idea you have of ERM.  Think of a version of ERM that will fit with the personality of your company.  Take a look at The Fabric of ERM for some ideas.  Along with the rest of the Plural Rationality materials.

During a Crisis – A Lesson from Fire Fighters

December 10, 2012


The fire cycle: “The action-cycle of a fire from birth to death follows a certain pattern.  The fire itself may vary in proportion from insignificance to conflagration, but regardless of its proportions, origin, propagation or rate of progression, the cycle or pattern of controlling it includes these phases:

1. the period between discovery and the transmittal of the alarm or alerting of the fire forces;

2. the period between receipt of alarm by the fire service and arrival of firemen at the scene of the fire; and, finally,

3. the period between arrival on the fire ground and final extinguishment of the fire itself.

It is important to fire fighting to make sure that the right things happen during each phase and that each step takes as little time as possible.  For the first phase, that means having fire detection equipment in place and working properly that produces a signal that will be noticed and conveyed to the fire forces.  In the second phase, the fire fighters need to be organized to respond appropriately to the alarm.  And the third phase includes the process of diagnosing the situation and taking the necessary steps to put out the fire.

That is a good process model for risk managers to contemplate.  Ask yourself and your staff:

  1. This is about the attitude and preparedness of company staff to accept that there may be a problem.  How long will it be before we know when an actual crisis hits the company?  How do our alarms work?  Are they all in functioning order?  Or will those closest to the problems delay notifying you of a potential problem?  Sometimes with fires and company crises, an alarm sounds and it is immediately turned off.  The presumption is that everything is normal and the alarm must be malfunctioning.  Or perhaps that the alarm is correct, but that it is calibrated to be too sensitive and there is not a significant problem.  As risk manager, you should urge everyone to err on the side of reporting every possible situation.  Better to have some extra responses than to have events, like fires, rage completely out of control before calling for help.
  2. This is about the preparedness of risk management staff to begin to respond to a crisis.  One problem that many risk management programs face is that their main task seems to be measuring and reporting risk positions.  If that is what people believe is their primary function, then the risk management function will not attract any action oriented people.  If that is the case in your firm, then you as risk manager need to determine who are the best people to recruit as responders and build a rapport with them in advance of the next crisis so that when it happens, you can mobilize their help.  If the risk staff is all people who excel at measuring, then you also need to define their roles in an emergency – and have them practice those roles.  No matter what, you do not want to find out who will freeze in a crisis during the first major crisis of your tenure.  And freezing (rather than panic) is by far the most common reaction.  You need to find those few people whose reaction to a crisis is to go into a totally focused active survival mode.
  3. This is about being able to properly diagnose a crisis and to execute the needed actions.  Fire Fighters need to determine the source of the blaze, wind conditions, evacuation status and many other things to make their plan for fighting the fire.  They usually need to form that plan quickly, mobilize and execute the plan effectively, making both the planned actions and the unplanned modifications happen as well as can be done.  Risk managers need to perform similar steps.  They need to understand the source of the problem, the conditions around the problem that are outside of the firm and the continuing involvement of company employees, customers and others.  While risk managers usually do not have to form their plan in minutes as fire fighters must, they do have to do so quickly.  Especially when there are reputational issues involved, swift and sure initial actions can make the world of difference.  And execution is key.  Getting this right means that the risk manager needs to know in advance of a crisis, what sorts of actions can be taken in a crisis and that the company staff has the ability to execute.  There is no sense planning to take actions that require the physical prowess of Navy Seals if your staff are a bunch of ordinary office workers.  And recognizing the limitations of the rest of the world is important also.  If your crisis affects many others, they may not be able to provide the help from outside that you may have planned on.  If the crisis is unique to you, you need to recognize that some will question getting involved in something that they do not understand but that may create large risks for their organizations.

 

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like.  When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered.  But when the threat actually happens, there are four possible responses:  cooperation with disaster plan, becoming immobilized and ignoring the disaster, panic and anti-social advantage taking.  Disaster planning sometimes goes no further than developing a path for people with the first response.  A full disaster plan would need to take into account all four reactions.  Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social.  In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon.  For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation.  Or else a new source of large losses emerges from an existing area of coverage.  Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980s when money market funds threatened to suck all of the money out of insurers, or in the 1990s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process.  There may be different teams doing risk assessment, risk mitigation and assurance, for each separate threat.  This can only make sense when the rewards for taking these risks are large because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  But taking up new activities with other unique threats is less of a problem under this mode.  Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions.  At the extreme of low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

Tug of War Between Intertwined Roles

December 3, 2012


A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and/or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

Knowing and Thinking must be linked to Doing

November 26, 2012

“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”

Too few risk managers are actually empowered to DO anything.  Human nature steps in, leading these disempowered risk managers to elevate the importance of the things that they are empowered to do.  Knowing and Thinking are two of those things.

It is of course important to KNOW your risks and the possible paths to loss that go with each risk as well as the current status of your exposures.  Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about their risks, they can necessarily be counted on to react.  But that is often an unstated and unrequired assumption.  Perhaps regulators shy away from going any further in their prescriptions because of lack of authority.

Risk Management systems, such as ISO31000, build up a massive infrastructure of steps that are required to support the KNOWing objective.  A risk manager applying ISO31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.

Nason is right to suggest that THINKing is a step further.  But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.

The risk manager who wants to be effective must start with the end in mind (see Covey).  DOing must be the purpose of a risk management system.  A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.

Is this just MATH that you do to make yourself feel better?

November 19, 2012

Megyn Kelly asked that of Karl Rove on Fox TV on election night about his prediction of Ohio voting.

But does most risk analysis fall into this category as well?

How many companies funded the development of economic capital models with the expressed interest in achieving lower capital requirements?  How many of those companies encouraged the use of “MATH that you do to make yourself feel better” (MTYDTMYFB)?

Model validation is now one of the hot topics in Risk model land.  Why? Is it because modelers stopped checking when they got the answer that was wanted, rather than working at it until they got it right?  If the latter was the answer, then there would be zero additional work to do to validate a model.  That validation work would already be done.  MTYDTMYFB

The Use Test is quite a challenge for many.  First part of the challenge is to produce an example of a situation where they did modeling of a major risk decision before that decision was finalized.  Or are the models only brought into play after all of the decisions are made?  MTYDTMYFB

There are many other examples of MTYDTMYFB.   Many years ago when computers were relatively new and dot matrix printers were the sign of high tech, it was possible to write a program to print out a table of numbers that had been developed somewhere else.  The fact that they appeared on 11 x 14 computer paper from a dot matrix printer gave those numbers a sheen of credibility.  Some managers were willing to believe then that computers were infallible.

But in fact, computers, and math, are about as infallible as gravity and about as selective.  Gravity will be a big help if you need to get something from a higher place to a lower place.  But it will be quite a hindrance if you need to do the opposite.  Math and computers are quite good at some things, like analyzing large amounts of data and finding patterns that may or may not really exist.

Math and computers need to be used with judgement, skepticism and experience.  Especially when approaching the topic of risk.

Statistics works like gravity helping you take things downhill when you are seeking to estimate the most likely value of some uncertain event.  That is because each additional piece of data helps you to home in on the average of the distribution of possibilities.  Your confidence in your prediction of the most likely value should improve.

But when you are looking at risk, you are usually looking for an estimate for extremely unlikely adverse results.  The principles of statistics are just like the effect of gravity on moving heavy things uphill.  They work against you.

Take correlation, for example.  The chart above can be easily reproduced by anyone with a spreadsheet program.  RISKVIEWS simply created two columns of random numbers that each contained 1000 numbers.  The correlation of these two series for all 1000 numbers is zero to several decimal places.  This chart is created by measuring the correlation of subsets of that 1000 that contained 10 values.

What this shows is how easy it is to get any answer that you want.  MTYDTMYFB
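The experiment described above can be rerun outside a spreadsheet. The following is an added example, not RISKVIEWS' own worksheet: the normal draws, the seed, the use of consecutive non-overlapping blocks of 10 rows, and the projection step that forces the full-sample correlation to zero are all assumptions, since the post does not say how its columns or subsets were built.

```python
import math
import random
import statistics


def pearson(xs, ys):
    """Sample Pearson correlation of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0  # a constant series has no defined correlation; report none
    return sxy / math.sqrt(sxx * syy)


def make_columns(n=1000, seed=2012):
    """Two columns of n random numbers whose full-sample correlation is zero.

    Assumption: draws are standard normal, and the second column has its
    least-squares projection on the first removed, so the overall correlation
    is zero to floating-point precision.
    """
    rng = random.Random(seed)
    xs = [rng.gauss(0.0, 1.0) for _ in range(n)]
    raw = [rng.gauss(0.0, 1.0) for _ in range(n)]
    mx, mr = statistics.fmean(xs), statistics.fmean(raw)
    beta = (sum((x - mx) * (r - mr) for x, r in zip(xs, raw))
            / sum((x - mx) ** 2 for x in xs))
    ys = [r - beta * (x - mx) for x, r in zip(xs, raw)]
    return xs, ys


def subset_correlations(xs, ys, size=10):
    """Correlation of each consecutive, non-overlapping block of `size` rows."""
    return [pearson(xs[i:i + size], ys[i:i + size])
            for i in range(0, len(xs) - size + 1, size)]


def summarize(seed=2012, n=1000, size=10):
    """Full-sample correlation next to the spread of the subset correlations."""
    xs, ys = make_columns(n, seed)
    subs = subset_correlations(xs, ys, size)
    return {
        "full": pearson(xs, ys),
        "subsets": len(subs),
        "min": min(subs),
        "max": max(subs),
        # Share of 10-row subsets that would "show" a correlation beyond +/-0.5
        "share_abs_over_0_5": sum(abs(r) > 0.5 for r in subs) / len(subs),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        shown = f"{value:.4f}" if isinstance(value, float) else str(value)
        print(f"{key:>20}: {shown}")
```

Changing the seed or the block size shows the same pattern: the smaller the subset, the wider the range of correlations that can be picked out of data that has none.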

Getting Started in a Risk Management Career

November 10, 2012

RISKVIEWS got an email request…

I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you choose the consulting risk management side over more of a singular corporation risk management position?”  My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go.   Daniel Gable

Daniel, some Risk Management career paths are very new.  New enough that there are not yet any people who entered the field out of college and who are now in retirement.  Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs.  But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership.  Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management.  So their senior staff positions will have some people who also did not start out in a risk management career.

RISKVIEWS’ perspective is that risk management will be best served by a balance of highly trained risk management specialists and a significant number of people with broader business perspectives, especially experience working in the areas where the risk is taken on.

The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.

WARNING: SPORTS ANALOGY AHEAD

The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions.  There are an extremely small number of players who can excel at either offense or defense.  Most players in most sports are much better at one or the other.  Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.

But only some risk management work can be accomplished by highly technically competent trained risk managers.  Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong.   To get this experience, one needs to have lived in the business, understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in.  This is all experience that is very difficult to get working from within the risk management program.

At the top of the risk management system is a Chief Risk Officer.  Like most senior executives, this person will need a high degree of leadership/managerial/political skills.  Perhaps much more so than most of the people who work in the risk management program.  In the last year or so, there has been a steady stream of bank CROs moving to CEO positions.  So in many places, it is a position with a serious future.

Finally, Daniel asked about consulting vs. working inside a company.  First of all, many consulting firms hire few if any entry level people.  They usually look to find people with at least a few years of experience inside of the firms that they are likely to consult for.  Once you have enough experience to have a choice, the option is for breadth vs. depth.  RISKVIEWS has over ten years of experience in both situations.  Inside of a company, a person may get the chance to develop a deep understanding of one or several aspects of the company operations.  Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well.  Many corporate jobs are also in a fixed location, so that people who have strong reasons to want to be home most nights would prefer that.  While there is some uncertainty about continuation of corporate jobs, many jobs are secure for a decade or more at a time.  Consulting positions, on the other hand, give the person the chance to get a very broad perspective on the many different ways that things are being done in the industry.  Consulting often offers the possibility of doing different work without it having a significant impact on career path.  Consultants often travel, some a little and most quite a bit.  That is an advantage for some and a big disadvantage for others.  Consulting work is insecure; often it is unknown what work a consultant will be doing in six months.  Some people are very excited by the variety and uncertainty of consulting work.  Consultants need to have excellent communications skills, especially the “client facing” consultants.

In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar.  A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.

Daniel is studying Finance as well as Risk Management.  RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.

 

Embedded Assumptions are Blind Spots

October 28, 2012

Embedded assumptions are dangerous. That is because we are usually unaware and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumptions that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  They hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.  In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after… the last time that there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything.  Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want.  But if you really want ERM, then something else is needed.  Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm.  This is a favorite topic of RISKVIEWS as well.  See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive.  That reacts to the environment.  Most ERM systems do not have this Reflexive element.  Risk limits are set and risk positions are monitored most often assuming a static environment.  The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently.  In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use.  That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment.  Plural Rationality theory suggests that there are four different risk environments.  If a company adopts this idea, then they need to look for signs that the environment is shifting and when it seems to be likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment.  The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment.  With that RISKVIEWS can heartily agree.

Unintended Consequences – Distortion of Decisions

October 7, 2012

Central bankers have tools to help the economy, but for the most part, those tools all have the effect of lowering interest rates.

But there are consequences of overriding the market to change the price of something.  The consequences are that every decision that uses the information from the affected market prices will be distorted.

Interest rates are a price for deferral of receiving cash.  Low interest rates signal that there is very little risk to deferral of receiving cash.  So one only has to pay a little extra to pay later rather than now.

This is helpful in stimulating consumption.  People without the money right now can promise to pay later with low penalty for the deferral.

But is the risk from the deferral really lower?  The interest rates are very low because the central bank is overwhelming the market demand.  Not because anyone really believes that deferral of receipt of cash is low risk.

But anyone who simply uses the market interest rates is having their decision distorted.  They are open to taking deferral risk without expecting to be reasonably compensated for that risk.

To purists who believe that the only usable value is the market price, this is the only real information.

But if you want to make good decisions about transactions that stretch out over a long time, you might want to consider making your own adjustment for the risk of deferral.

Performance Pressure

September 22, 2012

It has become a pretty standard part of business management practice. Every year, the demand is for MORE with the same or fewer resources and in the same or less time.  The latest requirement to be a senior manager is the ability to stare a subordinate straight in the eye and demand that they significantly enhance productivity again when you have absolutely no idea how they will pull that rabbit out of their hat.

One very common way to work this magic is to spend less resources on things like risk management.  Risk Management is rarely one of those places where more productivity is being required.  In fact, during this productivity discussion, risk management is almost never mentioned.  That is the hint that risk management is one of the areas where adjustments can be made to pick up some slack.

In a firm without a clear risk management culture, risk management will often just be skipped altogether.  End of story.

But in a firm with a strong risk management culture, that would never be an acceptable course of action.  What instead will happen is that substitutions will be made.  Less time spent on risk management, less frequent checking of the need for mitigation.  Less, Less, Less.

And if this happens in “normal” times, then there will be no feedback from the environment that there is any problem with Less Risk Management.  If the original intention of the Risk Management was to protect against all but 1 in 100 year losses and there is a drift, an easing into Less Risk Management, then what was thought to be a 1/100 loss might become a 1/10 loss.  There is still a 90% chance that the extreme loss will not happen.

That is the “Drift into Failure” of the Safety Engineers.  In the book of that title, Dekker tells of an airplane maintenance schedule that drifts over time from the manufacturer’s recommended 350 hours of flight time to 2500 hours of flight time.  Then one maintenance cycle was skipped and a plane crashed.  The drift from 350 hours to 2500 hours was not one big decision.  It was many little decisions, each moving things up only 10% to 20%.  Skipping just one maintenance was not a big decision either.  Things were tight one month and they needed the plane.

So Risk Management procedures need to allow for natural drift caused by Performance Pressure.  And for a normal degree of mistakes, like skipping a scheduled maintenance.

At JP Morgan, the Corporate Investment Office did not start out making gigantic trades for profit.  They were doubtless like lots of other hedging operations.  One quarter, they saw an odd situation where a profit could be made with a fairly high degree of certainty.  So they asked permission and took a small gain.  They were then told to look for other similar opportunities.  After a while, they started to get a profit goal along with all the other business units.  Like LTCM, they must have hit a period where such profit making opportunities stopped falling into their laps.  So they started to go very big on something with small reward.  One decision at a time.  And probably risk management oversight that was one or two stages of their evolution behind.

It may well not have been one big bad wrong decision, it may well have been a series of small seemingly easy, sensible decisions that together spelled disaster.

But no one looked at them all together.

Rounding Up to Reduce Drift into Failure and Maintain Risk Karma

July 31, 2012

So what to do about Drift into Failure?

Think of DIF in simple math terms.  At every turn in the calculation, you are rounding down or truncating the values that you calculate.  With that process, your result will always be low.  Not always noticeably low but with a bias to be below the value that you would have calculated with carrying forward the value with all of the decimal points.

With a Risk Management or Safety system, it is the same thing.  If checking ten times will give a .9999 guaranty of safety, then nine times should be good enough.  If lubricating weekly produces no failures, how about lubricating every 9 days.  And so on.  If a hedge that is 98% effective works out fine most days, how about a hedge that is 96% effective.  A $5 million retention works, why not move it to $5.5 million.

In every case, the company rounds down.

So the practice that is needed to reduce DIF is to occasionally round up.  One year, try rounding up on half the risk systems.  Make the standards just a tiny bit tighter a few times.  Balance things that way.  Think of your firm as accumulating bad karma by allowing the shortcuts, the rounding down on the risk management and safety systems.  Protect the karma, by going the other way in the same sort of imperceptible small steps that are the evidence of the DIF.

Stop Drifting.   Join the Fight Against Bad Risk Karma Today.

The Risk of Paying too much Attention to your Experience

July 30, 2012

The Drift into Failure idea from the Safety Engineers is quite valuable.

One way that DIF occurs is when an organization listens too well to the feedback that they get from their safety system.

That is right, too much attention.  In the case of a remote risk, the feedback that you will get most days, most weeks, most months is NOTHING HAPPENS.

That is the feedback you are likely to get if you have a good loss prevention system or if you have none.

This ties to the DIF idea because organizations are always under pressure to do more with less.  To streamline and reduce costs.

So what happens?  In Safety and Risk Management, someone studies the risks of a situation and designs a risk mitigation system that reduces the frequency or severity of problem situations to an acceptable level.

Then, at some future time, the company management looks to reduce costs and/or staff.  This particular risk mitigation system looks like a prime candidate.  The company is spending time and money and there has never been a problem.  Doubtless, the same “nothing” could be achieved with less.  So the budget is cut, a position is eliminated and they get by with less mitigation.

Then time passes and they collect the feedback, the experience with the reduced risk mitigation process.  And the experience tells them that they still have no problems.  The budget cutters are vindicated.  Things seem to be just fine with a less costly program.

If the risk here is highly remote, then this process might happen several times.

Which may eventually result in a very bad situation if the remote adverse event finally happens.  The company will be inadequately prepared.  And no one made a clear decision to dilute the defense to an ineffective level.  They just kept making small decisions and eventually they drifted into failure.

And each step was validated by their experience.

A Learning Break

July 16, 2012

Riskviews has been taking a learning break.

Sometimes we are refreshed and invigorated by getting away from anything relating to our primary occupation.

But other times the most refreshing thing that you can do is to learn about how people faced with seemingly different, but fundamentally similar problems approach their work.

Riskviews has been learning small bits about Resilience.  That topic is usually associated with physical systems failures.  We are fooled into thinking that physical systems failures are all about engineering questions about the failures of metals or breakdown of lubricants.

But just as most failures in financial firms are directly related to human systems issues, so are most physical systems failures.  Studies about resilience are mostly studies of the human systems that are tightly linked to the physical systems that fail.

Here is a definition of resilience:

Resilience is the intrinsic ability of a system
to adjust its functioning prior to, during, or
following changes and disturbances, so that
it can sustain required operations under both
expected and unexpected conditions.

Already, Riskviews is learning something.  In much risk management literature, it is assumed that the system is determined via rules and that there is not necessarily ANY adjusting happening.  But from experience, we know that in almost all cases, systems will adjust to most significant changes and certainly will adjust to “disturbances”.

At the highest level, banks found out that a capital regime under which they held capital for a 1 in x event worked for absorbing the large loss, but it did not work for providing needed capital after the large loss.  They had a plan that worked up until the day after the event.

What both banks and insurers also found in the crisis was that their systems did adjust as things got insanely adverse.  But what they found was that in some cases, their systems adjusted so that they reduced the impact of the crisis and in other cases, made things worse.

One of the concepts that Resilience Engineers have developed is what they call “Drift into Failure.”  What they mean by that is that in many cases, complex systems fail, not because of some single part or person’s failure, but because of a series of small problems that in the end cause an avalanche type failure.

Here are four ideas that were discussed at a Resilience Engineering conference in 2004 from the notes of C Nemeth:

  • Get smarter at reporting the next [adverse] event, helping organizations to better manage the processes by which they decide to control risk
  • Detect drift into failure before breakdown occurs. Large system accidents have revealed that what is considered to be normal is highly negotiable. There is no operational model of drift.
  • Chart the momentary distance between operations as they are, versus as they are imagined, to lessen the gap between operations and management that leads to brittleness.
  • Constantly test whether ideas about risk still match reality. Keeping discussions of risk alive even when everything looks safe can serve as a broader indicator of resilience than tracking the number of accidents that have occurred.

Resilience is a big topic and Riskviews will continue to share further learnings.

When You Find Yourself in a Hole, Stop Digging

July 2, 2012

Attributed to Will Rogers

Who knew that Will Rogers was a closet Risk Manager?  He must have been because that is great risk management advice.

If you have too much of something – the first thing that you should do is to STOP ADDING to your position.

We do not yet have the full story, but it is pretty safe to guess that neither MF Global nor JP Morgan followed that idea.  It seems fairly obvious that at some point in time, they each had smaller positions that were already too big and then they ADDED to their positions.

The bank/hedge fund trading mentality suggests that the traders who really tener cojones will be able to keep raising the size of their position until the market breaks.

Insurance companies harbor the same mentality, except that they are never on the big win side of the bet.  Insurers win small on any one bet.  They win if there is no claim.  But even that lopsided situation does not stop insurers from loading up on bets where they already have too much.

So the answer is to invite Will Rogers into your Limit protocol.  When you are setting or reviewing your limits for the next period, set a new WILL ROGERS LIMIT.  The new WILL ROGERS LIMIT (WRL) is the point where you automatically stop adding to your position if there has not been a discussion and an exception to the WRL.

And that is what risk management is all about.  Just thinking ahead.  It is not magic.  Just listening to the great risk managers of the past.

CEO is still the Real CRO

June 23, 2012

It was just a couple of weeks ago Riskviews posted…

It’s the job of a CEO to be the Chief Risk Officer

A week later, Reuters ran a story about JP Morgan…

Analysis: JPMorgan repeats basic mistakes managing traders

In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.

What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO.  If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.

It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.

CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company.  In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.

Why isn’t Strategic Risk included in ERM?

June 22, 2012

Many ERM systems exclude Strategic Risk.   The ERM systems usually include Market, Credit, Insurance and Operational Risk.  But not Strategic Risk.

Perhaps the assumption is that the ERM systems are about managing capital for the fluctuations and extreme losses of the business.

More likely, strategic risk is left out for two reasons.  First of all, the CEO and senior officers probably do not want to delegate this work.  Concerns about strategic risk are quite high in the priorities of a senior management team.  It is also a major concern of boards.

The second reason is that ERM has been highly focused on “measurable” risks and few feel that they can measure things like reputation risk and strategic risk.  So it may well be that risk managers are not asking to be given responsibility for helping with strategic risk.

But CROs need to remember that strategic risk is real, is very large and is not on their list of risks.  Because when they go to the board and top management with their “holistic” risk presentations, they will have a difficult time if they fail to ever even mention strategic risks.

In the average company, the risk of failure averages between 2% for the largest and most secure firms and 5% for all other firms.  (Based upon studies of corporate longevity.  Fortune 500 firms have an average lifespan of about 40 years and an average firm only 14.5 years.)

When other studies look at the cause of major problems for firms, strategic risks make up about 70% of the events that result in a stock drop of 20% or more, operational risks 20% and financial risks only 10%.

While those statistics are not widely known, it seems likely that a risk presentation that totally ignores strategic risk will cause board members, who are generally aware of what causes problems for firms, to wrinkle their brows with disbelief.

Now insurers, for example, have a different risk profile.  Their Financial and insurance risks are thought to be about 4 times as large as their operational risk.  Making a rough justice adjustment to the figures above, one might estimate that Insurance and Financial Risks are perhaps 55% of the total risk profile, Operational risk about 12% and Strategic risk about 33%.

So there is a range for thinking about strategic risk for insurers – between 33% and 70% of total risk.

Think about that before the next time you talk to your board about the firm’s risk profile.

Where is the Metric for Diversity?

June 18, 2012

“What gets measured, gets managed.” – Peter Drucker


It seems that while diversification is widely touted as the fundamental principle behind insurance and behind risk management in general, there is no general measure of diversity. So based upon Drucker’s rule of thumb RISKVIEWS would say that we all fail to manage diversity.

A measure of diversity would tell us when we take more similar risks and when we are taking more distinct risks.  But we do not even look.

This may well be another part of good financial management that has been stolen by the presumptions of financial economics.  Financial economics PRESUMES that we all have full diversification.  It tells us that we cannot get paid for our lack of diversification.

But those presumptions are untested and untestable, at least as long as we fail to even measure diversity.

Correlation is the best measure that we have and it is barely used.  For the most part, correlation is used mainly to look at macro portfolio effects on Economic Capital Models.  And it is not a particularly good measure of diversity anyway.  It actually only measures a certain type of statistical comovement of data.  For example, below is a chart that shows that equity market comovement is increasing.

But have the activities of the largest companies in those markets been converging?  Or is this picture just an artifact of the continuing Euro crisis? In either case, if we were looking at a measure of diversity, rather than just comovement, we might have an idea whether this chart makes any sense or not.

Many believe that they are protected by indexing.  That an index is automatically diverse.  But there is little guarantee of that.  Particularly for a market-value weighted index.  In fact, a market-value weighted index is almost guaranteed to have less diversity just when it is needed most.

For a clear indication of that, look at the TSX index during the internet bubble: Nortel represented 35% of the index!  Concentration increases risk.  In this case, the results were disastrous for any indexers. While Nortel stock rose in the Dot Com mania, buyers of the TSX index were holding a larger and larger fraction of their investment in a single stock.

We badly need a metric for diversity.

 

One Banker’s Frank Commentary on the Financial Crisis and the Way Forward

June 15, 2012

Excerpted from the 2011 annual report of M&T Bank, written by the CEO, Robert Wilmers:

Indeed, it is difficult, for one who has spent more than a generation in the field, to recall a time when banking as a profession has been publicly held in such persistently low esteem. A 2011 Gallup survey found that only a quarter of the American public expressed confidence in the integrity of bankers. We have reached a point at which not only do public demonstrations specifically target the financial industry but when a leading national newspaper would opine that regulation which might lower bank profits would be “a boon to the broader economy.” What’s worse is that such a view is far from entirely illogical, even if it fails to distinguish between Wall Street banks who, in my view, were central to the financial crisis and continue to distort our economy, and Main Street banks who were often victims of the crisis and are eager, under the right conditions, to extend credit to businesses that need it.

It is no consolation, moreover, to observe that banks and the financial services industry generally were far from alone in sparking the crisis. Nonetheless, it is true, and very much worth keeping in mind, that major institutions in other sectors of the American system – public and private – must be considered complicit, some in ways we are only beginning to learn fully about. As understandable as a search for particular causes, or villains, might be, the truth is that the economic crisis that began in the fall of 2007 implicated a wide range of institutions – not only bankers but their regulators, not only investors but those paid to advise them, not only private finance but its government-sponsored kin. The wide spectrum of the culpable has left the U.S. and the world with a problem which, although related to the financial crisis, transcends it and must be confronted: the decimation of public trust in once-respected institutions and their leaders. This has created a fear among those responsible for forming the rules and standards that shape the American financial services industry. And the outcome of this fear-driven rulemaking is likely to burden the efficiency of the American financial system for years to come and will potentially have broader implications for the overall economy.

Nor can one say with any confidence that we have seen a fundamental change in the big bank business approach which helped lead us into crisis and scandal. The Wall Street banks continue to fight against regulation that would limit their capacity to trade for their own accounts – while enjoying the backing of deposit insurance – and thus seek to keep in place a system which puts taxpayers at high risk. In 2011, the six largest banks spent $31.5 million on lobbying activities. All told, the six firms employed 234 registered lobbyists. Because the Wall Street juggernaut has tarnished the reputation of banking as a whole, it is difficult if not impossible for bankers – who once were viewed as thoughtful stewards of the overall economy – to plausibly play a leadership role today. Inevitably, their ideas and proposals to help right our financial system will be viewed as self-interested, not high-minded.

As noted before, however, the major banks were not the only ones implicated in and tainted by the financial crisis. One can, sadly, go on in this vein to discuss a great many other institutions which have disappointed the American public in similar ways, in the process compromising their own leadership status. They have in common a relationship to the crisis associated with the nation’s housing policies, which were themselves shaped over the course of several generations by many parts of the government and both political parties. Those policies marshaled some of the leading government agencies and enterprises, as well as private financial institutions, in the quest to broaden home ownership. Even apart from the collateral damage this pursuit has caused the financial system, it is worth keeping in mind that it was not remarkably successful on its own terms – particularly when today one finds a higher rate of home ownership in countries such as Hungary, Poland and Portugal, where the per capita GDP on average is 56% lower than that of the United States.

So it is that the crisis was orchestrated by so many who should have, instead, been sounding the alarm – not only bankers but also regulators, rating firms, government agencies, private enterprises and investors. That a former U.S. Senator, Governor and CEO of a big six financial institution was at the helm of MF Global on the eve of its demise due to trading losses, or that the largest-ever Ponzi scheme  was run by the former chairman of a major stock exchange will long be remembered by the public. The repercussions have stretched beyond banking, creating an atmosphere of fear affecting and inhibiting those who should be leading us toward a better post-crisis economy.

Fear-Driven Rulemaking and Its Burden:
In this vacuum of credible leadership, not just in the banking industry but all around it, it is entirely understandable that regulators believe they must proceed with an abundance –perhaps over-abundance – of caution. Inevitably, they feel pressure to eliminate, in its entirety, risk that had been rising for far too long. This tension – based in their understanding that steps aimed at ensuring the safety and soundness of the financial system can stifle its vitality and dynamism – naturally weighs on rulemakers and slows the pace of promulgation. They know too, that, in designing regulations, the sort of informal conversations with private institutions and individuals, which were once routine, might now be viewed as suspect, leaving regulators to operate in isolation, without thoughtful guidance as to the overall impact of their actions. When all are suspect, no conversation can be viewed as benign. Ultimately, however, this is neither a recipe to improve public confidence nor a situation likely to facilitate the expeditious design of a regulatory structure which will not hobble the extension of credit. One must be concerned that a lack of leadership and trust, and an overreliance, instead, on the development of policies, procedures and protocols, has created a level of complexity that will decrease the efficiency of the U.S. financial system for years to come – and hamper the flow of trade and commerce for the foreseeable future.

Nor is there any apparent end in sight to the imposition of new directives and rules. The Dodd-Frank Act contains, by one estimate, 400 new rulemaking requirements, only 86 of which were finalized by the start of 2012. It is impossible, of course, to assess our full cost to comply with these rules until they are promulgated. By virtue of having more than $50 billion in assets, a measure of size, with no consideration given to the activities in which we engage nor the merits of our actions, M&T has been deemed to be a “systemically important” financial institution and will be subject to higher capital standards as well as costly new liquidity requirements.

A common feature of many of these new directives is a higher order of complexity than had heretofore been typical, particularly for Main Street banks like M&T which do not engage in excessive risk-taking and rely on fundamental banking services as their primary source of income. Utilization of these opaque and intricate methods as a means to prevent a crisis is at best questionable.

It is no small irony – it is, dare I say, a bitter one – that these costly requirements have been visited on a company such as ours and hundreds, if not thousands, like us who did little or nothing to cause the financial crisis – and were, in fact, in many ways victims of it. And, of course, the higher costs along with higher capital and liquidity requirements will inevitably diminish the availability and increase the cost of credit to business owners, entrepreneurs and innovators of our community. Indeed, one has the sense that little or no thought has been given to the cumulative effect of new directives, both on costs and operations. One wishes, thus far in vain, for a clear, complete, simple and straightforward regulatory regime in which both consumers and banks know what to expect and could proceed accordingly, at reasonable expense.

Broader Impacts and Unintended Consequences:
In this context, one has to be concerned about the accumulated effects of new mandates beyond the narrow terms of how they affect banks. More broadly, there is reason to believe that regulation may provide incentives that distort the allocation of capital in ways that could be harmful to economic recovery. Specifically, there are incentives for commercial banks to divert from their traditional roles – the same sort of activities which helped spark the housing bubble. The proposed Basel III liquidity rules, for instance, call for banks to significantly increase their investments in government securities, leaving less capital for community-based loans which hold the most promise for potential economic progress.

New formulae from the FDIC are likely to have similar inadvertent consequences for the economy. Last spring, the FDIC began assessing insurance premiums based on assets rather than deposits, which it had done since its inception in 1933. As a result, a loan to finance the construction of a company’s new building, an activity that produces jobs, carries insurance premiums that are three to four times as high as for commercial loans extended for unspecified purposes with no need for employment creation – arguably the greatest necessity of the current economy. Even more troubling is the fact that, under this formula, the mere association with real estate deems construction lending more risky regardless of how sturdy one’s underwriting or how much “skin in the game” the entrepreneur is willing to commit.

Nor is the damage from new mandates and regulation merely projected or prospective. Many are already proving to be counterproductive for businesses and consumers alike. The Durbin Amendment, for instance, was supposed to reduce costs for merchants. Instead it has resulted in higher transaction processing fees for some small business owners. According to The Wall Street Journal, many business owners who sell low priced goods like coffee and candy bars are now paying higher rates, when customers use their debit card for transactions that are less than $10. These small merchants now are left with some hard choices, such as raising prices, encouraging customers to pay in cash or dropping card payments altogether.

The breathtakingly rapid pace of changing regulations makes it challenging for banks and regulators alike to understand the changes, let alone react to them in an efficient manner. The fact that there are so many masters to whom banks today report makes it difficult for one hand to know what the other is doing, whether it relates to coordination among the various regulatory bodies or even among the various divisions within a single agency.

Finding a New Way
So it is that the effects of crisis, combined with a void of leadership, weigh on banks such as ours – and encumber the economy. We find ourselves at a point at which, we face not only the question of what approaches are right but how, in light of a leadership vacuum, can we restore our capacity to work together constructively and productively. It is no small task, given the number of agencies involved and the decibel level of politicians and the public at large. We will not, in my own view, be able to make progress absent two key ingredients: trust and leadership. We must again have the sense that leaders, both public and private, will do their best to propose and consider ideas that will serve the general interest, not their own agendas.

To help recognize and preempt emerging new threats, it is crucial that there be an ongoing, at times informal, dialogue among bankers and regulators. Such exchanges would plausibly put focus on rising issues like cyber-crime that has already cost the American banking industry some $15 billion over the last five years. More importantly, these discussions should be premised not on confrontation nor framed by fear but, rather, based on the understanding that a safe and secure financial services system is a prerequisite for a healthy economy –arguably our most important, shared national goal. I know that we would be eager to share our own collective learning with the Federal Reserve and other regulators in order to allow them to understand the extent to which regulatory changes are likely to affect the general well-being of our economy. I am sure other Main Street banks would be eager to do the same. Our goal is not to seek favors or special dispensation – but rather to have the chance to do our part in helping to craft a regulatory regime that does not impede, but rather enables sustainable economic growth.

In reflecting on my years in banking and the situation we confront today, I am mindful of the fact that banks have traditionally played a clear, if limited, role in the economy: to gather savings and to finance industry and commerce. Trading and speculation were nowhere included – nor should they be. Historically, bankers, moreover, were viewed as among the more responsible and ethical members of their communities. In my view, the vast majority still are and have been ill-served by those whose non-traditional approach have caused banks to be the targets of public opprobrium. Such is the case of the British banker who was recently stripped of his knighthood in the wake of his role in the financial crisis. It is time for regulators and, yes, protestors, to understand that all banks have not been equally culpable for the problems we face today. In other words, give us back our good name – and we will do our best to deserve it.

Works if Small, Fails if Large

June 13, 2012

by David Merkel, The Aleph Blog

The Wall Street Journal had an article on risk control that had the attitude of “here are some silver bullets.” Ugh. When will journalists learn that there are no simple solutions to portfolio management?

“Risk-allocation turns 50 years of portfolio theory on its head.”

Ain’t true. Modern Portfolio Theory is garbage, but so is this. So volatility is more stable than returns. Volatility can be up or down, and you want to buy volatile asset classes that have gotten trashed. You won’t do it because you are scared, but that is part of why you aren’t a good investor. Good investors make the “pain trades.”

Here’s the question to ask: What would happen if everybody did this? Unlike share-weighted indexing, not all strategies can be applied by everyone at the same time. I have written about risk parity before:

Against Risk Parity
Against Risk Parity, Redux

So long as there are few using the strategy, it may work well, but it will not scale because volatility does not match the proportion of assets available to be purchased. The same is true of “risk control” and “risk budgeting” strategies. They will be “flashes in the pan;” there is no necessary reason why they will work. There is no such thing as risk, but there are risks.

Avoid faddish ideas as described in the WSJ article. Far better to focus on what risks you face in the investment markets, and choose assets that will not be affected by those risks, or might even benefit from them.

Using volatility as a guide to investing will fail if it gets large enough, and during bull markets, it will be forgotten. Non-scalable strategies work if there is a barrier to entry, and there is no barrier here. Thus I see no long term value in the strategies proposed.

Quantity, Quality and Variety

June 12, 2012

Another way to think of ERM is to focus on just three things:

  • Quantity of Risk – is the usual focus on what can be measured.
  • Quality of Risk – is something that is often left out – it relates to how well you are making sure that what you have is what you think that you have.  Lowest quality risk might well be anything.
  • Variety of Risk – is what you need for resilience.  No matter how well you control the quantity and quality of risk, if you are not making sure that you have variety, then you have a monoculture.  Monocultures look great – until they die out all at the same time.

What’s Your Risk Attitude?

June 11, 2012

The HBR Blog has picked up a piece by Ingram and Thompson on the dynamics of Risk Attitudes and Risk Environment.

Check it out HERE.

 RISKVIEWS has featured these ideas many times. 

See http://riskviews.wordpress.com/plural-rationalities/

Align Risk Management with Strategic Goals

June 7, 2012

The Project Management Institute says that projects are 20% more successful if they seek to support company strategic goals rather than project specific goals as their primary focus.

That sounds like something that may be an extremely important idea to bring into risk management.

Risk Management should focus primarily upon company strategic goals rather than specific risk goals.

How does that sound to you?  Riskviews imagines that at least some readers are immediately reacting that this idea will not work because the company does not have a strategic goal that would support their function.

And that sounds like a major insight about organizational engagement in and support for risk management.  If risk management does not directly support one or more of the strategic goals of the firm, that speaks volumes about what will happen when there is a conflict between something that IS aligned with the strategic goals and risk management.

The story of MF Global is an extreme example of this conflict.  The management (read CEO) actions of MF Global were totally outside of the agreed upon risk appetite.  The CRO brought that to the board’s attention and the board decided that those actions supported the goals of the organization, while adherence to the risk appetite was of lesser importance.  The CRO left and the actions eventually led to the destruction of the firm.

Here is an example of the Mission and Vision Statements of an insurer:

Mission Statement

Providing financial security by keeping our promises.

Vision Statement

To build a thriving financial services organization that stands the test of time.

Risk management definitely has plenty of room in that firm to align with the mission and vision of the firm.  “keeping our promises” and “standing the test of time” are both clearly statements about how the organization intends to handle risk.  The mission and vision of that firm cannot be met without risk management.

Here are the mission and vision statements of JP Morgan Chase:

“At JPMorgan Chase, we want to be the best financial services company in the world. Because of our great heritage and excellent platform, we believe this is within our reach.”
“To provide unparalleled service to our clients by empowering them with strong analytical insights that enable them to more effectively manage their human assets.”

It is not clear to Riskviews whether or not risk management activities are called for at all with that mission and vision statement.

So if you are wondering what might happen when there is a conflict between risk management and a business activity look to your firm’s mission, vision and strategic objectives.  If you do not see risk management there, you have your answer well in advance of any future conflict.

One Page ERM

May 30, 2012

The International Association of Insurance Supervisors adopted the following in late 2011 as a part of ICP 8.

CRO is not the Moral Compass

May 29, 2012

The American Banker has a new column on risk management.  The first article is here.  Clifford Rossi makes some good points about the JP Morgan story.  But Riskviews takes issue with one point that he makes…

The paradigm of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same, losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Stearns and Lehman, folks who were involved all say that it was just a liquidity issue. If they just had a little more funds, they would have made the trades that would have brought the firm back.

The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.

Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand and are fully aware and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require to be notified about others.

In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.

However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager.  The loss that resulted would be a decision that did not work out as intended, not even necessarily a bad decision.  All decisions do not work out well.  And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.

If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.

What do risk officers worry about?

May 19, 2012

Read Max Rudolph’s comments on the Reuters Blog.

“Truth be told, risk management is an ever-evolving discipline. The Great Recession pointed out both the shortcomings of implementation at many companies, as well as the potential for a strong risk culture driving the risk management process. As time passes from this crisis to the next (as there is always another one around the bend), recurring trends are becoming apparent and companies across the world are getting smarter about the essential need to move risk management from the back room to a position influencing strategic decisions.”

Risk and Reward

May 19, 2012

Successful Businesses pay attention to risk.

- How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position.  They have a basket.  Each basket is different.  It can easily hold so much.  Sometimes, you decide to put a little more in the basket, sometimes a little less.  They should know when they have stacked their risk far over the top of the basket.
- What kinds of risk to take.  They have a plan for how much of each major class of risk they will pick up to use up the capacity of their basket.
- Then when they actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.
- And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace.  Some business managers do it backwards.  If they are not being paid much for risk, they fill up the basket higher and higher.  That is what many did just prior to the financial crisis.  In insurance terms, they grew rapidly at the peak of the soft market.  Just prior to the crisis, risk margins for most financial market risks were at cyclical lows.  What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest.  Few do that.  However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage.  This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins.  But it also needs to be informed by diversification principles.  Short term thinking suggests that risk taking shift entirely to the particular risk with the immediate best risk adjusted margin.  Long term thinking suggests something very different.  Long term thinking realizes that the business needs to have alternatives.  For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad.  Risk and reward needs to develop a balance between short term and long term, to allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple-minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) or it may well be lower.  The risk reward system needs to be sensitive to all three of these possibilities and ready to react accordingly.

Black Swan Survival Kit for Investors

May 16, 2012

From Black: Swans and Crude by Liz Ann Sonders, her tips for investing in a sideways market:

  • Be diversified, especially now that asset-class correlations have begun to recede toward normal levels.
  • If you like to be opportunistic, keep some powder dry in highly liquid investments for both cash needs and some flexibility to take advantage of volatility.
  • Consider more frequent rebalancing if volatility reasserts itself, allowing you to sell into strength and buy into weakness.
  • Focus on your long-term goals and not short-term market dips so you’re less likely to fall prey to panic selling (or buying).
  • Review your portfolio and asset allocation to confirm your risk tolerance matches your financial goals.

These suggestions line up well with the Pragmatist risk attitude of Plural Rationalities.  That is good because the Pragmatists expect an Uncertain Environment, which is what we hear over and over that we are experiencing.

A Pragmatist will seek to diversify.  Not only will they want to diversify their risks, as Ms. Sonders recommends in her very first suggestion, but they will also be diversifying their approach to risks.  Pragmatists will sometimes look to limit their losses with a Conservator style risk management approach, sometimes to aggressively pursue profits with a Maximizer style approach, and even sometimes to look at risk vs reward in a Manager style approach.

Notice the interesting twist in her first point, “now that asset-class correlations have begun to recede”.  You see that she is not a card-carrying Pragmatist either.  She fundamentally believes that the world should return to an orderly state where correlations and volatilities are more stable.

Mathematically, that is how you can define the uncertain market of the times – variable volatility and variable correlations, variable drift.  A market model that cannot support trading.

The models for the other three environments might be:

  • Boom – positive drift, low and stable volatility, low and steady correlations.
  • Bust – negative drift, low volatility, high correlations.
  • Moderate – near zero drift, moderate but stable volatility, moderate but stable correlations.

In her second point, she tells how to be ready for when the environment goes back to Boom or Moderate – by taking the classical Pragmatist position of being underinvested.

But the Pragmatist approach to risk is not really a Black Swan survival approach.  If you really believe that a Black Swan event is coming, you would have the Conservator view of risk.  That would lead you to move to a much lower expected upside and also a much lower likelihood of failure of your portfolio.  In its purest form, the Conservator would accept almost no chance of total ruin.  In actual practice, most Conservator leaning firms will accept risks that might cause a failure of the firm, but only if they have long experience with those risks and feel that they have them totally under their control.

Must have more than one View of Risk

May 14, 2012

Riskviews finds the headline “Value-at-Risk model masked JP Morgan $2 bln loss” to be totally appalling. JP Morgan is of course famous for having been one of the first large banks to use VaR for daily risk assessment.

During the late 1980’s, JP Morgan developed a firm-wide VaR system. This modeled several hundred risk factors. A covariance matrix was updated quarterly from historical data. Each day, trading units would report by e-mail their positions’ deltas with respect to each of the risk factors. These were aggregated to express the combined portfolio’s value as a linear polynomial of the risk factors. From this, the standard deviation of portfolio value was calculated. Various VaR metrics were employed. One of these was one-day 95% USD VaR, which was calculated using an assumption that the portfolio’s value was normally distributed.
With this VaR measure, JP Morgan replaced a cumbersome system of notional market risk limits with a simple system of VaR limits. Starting in 1990, VaR numbers were combined with P&L’s in a report for each day’s 4:15 PM Treasury meeting in New York. Those reports, with comments from the Treasury group, were forwarded to Chairman Weatherstone.

From History of Value-at-Risk: 1922-1998 by Glyn Holton

JP Morgan went on to spin off a group, RiskMetrics, which sold the capability to do VaR calculations to all comers.

Riskviews had always assumed that JP Morgan had felt safe selling the VaR technology because they had moved on to something better.

But the story given about the $2 billion loss suggests that they were flubbing the measurement of their exposure because of a new risk measurement system.

Riskviews would suggest two ideas to JP Morgan:

  1. A firm that makes its money taking risks should never rely upon a single measure of risk.  See Risk and Light and the CARE Report for further information.
  2. The folks responsible for risk evaluation need to apply some serious standards for their work.  Take a look at the first attempt of the actuarial profession of standards for professionals performing risk evaluation in ERM programs.  This proposed standard suggests many things, but the most important idea is that a professional who is evaluating risk should look at three things: the risk taking capacity of the firm, the risk environment and the risk management program of the firm.

These are fundamental principles of risk management.  Not the only ones, but principles that speak to the problem that JP Morgan claims to have.

Very High cost for Asset Allocation Advice

May 10, 2012

Most investors in hedge funds must be looking at them totally marginally.  Certainly that is the way that hedge fund managers would suggest.

What that means is that the investor should not look at the details of what the hedge fund is doing; they should look only at the returns.  Those returns should be looked upon as a unit.

Certainly that is the only way to think of it that matches up with the compensation for hedge fund managers.  They get paid their 2 and 20 based solely upon their performance.

But think for a moment about how an investor probably looks at the rest of their portfolio.  They look at the portfolio as a whole, across all asset classes.  The investor will often make their first investment decision regarding their asset allocation.

While hedge fund managers have argued for treating their funds as one or even several asset classes, they are almost always made up of investments, long and short, in other asset classes.  So if you are an investor who already has positions in many asset classes, the hedge fund is merely a series of moves to modify the investor’s asset mix.

So for example, if the hedge fund is a simple leveraged stock fund, the hedge fund manager is lowering the investor’s bond holdings and increasing the stock holdings.

So if an investor with a 70%/30% stock/bond mix changes their portfolio to 65%, 25%, 10%, giving 10% to a hedge fund manager who runs a leveraged stock fund that varies from all cash to a 4/3 leveraged position in stocks, then they have totally turned their asset mix over to the hedge fund manager.

When the hedge fund is fully levered in stocks then their portfolio is 65% long Stocks, 25% long bonds, plus 40% long stocks and 30% short bonds.  Their net position is 105% stocks with  5% short bonds.  But that is not quite right.  If you only get 80% of your performance, your position is 97% stocks and 1% bonds.  That is right, it is less than 100%.  Only it is really worse than that.  That is the allocation when performance is good.  When the stock market goes really poorly, you get the performance of the 105%/(5%) fund. 

Other funds go long and short large and small stocks.  The same sort of simple arithmetic applies there. 

It is really hard to imagine that anyone who thinks that there is any merit whatsoever to asset allocation would participate in this game.  Because they will no longer have any say in their asset allocation.  What you have done is to switch to being a market timer.  In the levered stock example, you now have a portfolio that is 65% long stocks and 35% market timing.  

So in most cases, what is really happening is that by investing in a hedge fund, the investor is largely abandoning most basic investment principles and shifting a major part of their portfolio asset allocation to a market timer. 

At a very large fee.

It’s the job of a CEO to be the Chief Risk Officer

May 8, 2012

At his annual shareholders’ meeting Warren Buffett repeated his belief that there is no substitute for CEO attention to risk.

Anyone who has tried to do the CRO job without the full, unwavering support of the CEO would doubtless agree.  The CRO job, just like the jobs of the COO, CMO and other C-suite officers, is a delegated responsibility of the CEO.  It is not independent of the CEO.  Boards who try to set up a CRO function that reports directly to them and is intended to act as a check on the CEO are at best wasting their own and the CRO’s time.  At worst they are creating a very unhealthy dynamic in the firm.

If a CRO is given the job of defense against killer losses and the rest of the firm is given the job of winning customers and making a profit, guess who will lose whenever there is a conflict.  An adversarial risk function is not a healthy way to manage a company.  By refusing to delegate the risk role, Buffett is sending a message to all of his companies that risk is important to him, the CEO of the firm that owns their company.

Now Buffett (or any other CEO that goes this route) needs to do more than refuse to appoint a CRO.  A CEO who does not want any risk management to slow down his firm can quote Buffett and not appoint a CRO and then totally ignore risk.

The CEO/CRO needs to make it constantly known that they are concerned about risk by their words AND deeds.  They need to talk the talk and walk the walk of risk management. 

As Buffett knows, that does not necessarily mean that he needs a risk register of hundreds of risks.  Berkshire Hathaway is in dozens of businesses and is actually exposed to hundreds of risks.  But BH is also very large and diversified.  There are actually only a few risks that need to be on Buffett’s plate as the CEO/CRO.

And what Buffett and other CEO/CROs need to do is to make sure that they are totally aware of what their firm is doing with the handful of truly killer risks.  They need to make sure that:

  • Everyone who could make a decision to increase the firm’s exposure to these killer risks knows that the CEO/CRO must be involved in that decision.
  • The firm is being properly compensated for the killer risks that they are taking.
  • The Risk Treatment programs for these risks are being properly maintained and operated. 
  • The firm has alternatives to the current risk treatment programs in case the existing programs become less effective or unavailable.
  • The firm is carefully monitoring the risk environment that impacts those risks and any change or even strong hint of future change is brought to the attention of the CEO/CRO.
  • The board is kept informed about all of the above. 

Interestingly, this list does not change at all if the CEO decides to appoint a CRO.  The list above can be a major part of the agenda when the CEO and CRO have their daily meetings.

