Financial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neo Classical Economics clash with the recommended risk practices and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neo Classical Economics beliefs.
Posted tagged ‘Enterprise Risk Management’
Afternoon of September 29 – at the ERM Symposium #ERMSYM
Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management.
This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process.
The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago
David Ingram, CERA, PRM, EVP, Willis Re
Please find a new permanent page on RISKVIEWS – The History of Risk Management. It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today. This list was compiled with the help of INARM.
Risk Management development has not followed a particularly straight line. Practices have been adopted, ignored, misused. Blow up have happened. Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.
But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings.
The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest. No amount of good talks or fancy charts will take the place of roll up your sleeves and do it risk management. Promoting that sort of Risk Management is the objective of this Blog.
For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…
- Transition from Evolved Risk Management to planned ERM
- Comprehensive – includes ALL risks
- Measurement – on a consistent basis allows ranking and…
- Aggregation – adding up the risks to know total
- Capital – comparing sum of risks to capital – can apply security standard to judge
- Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available
Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.
Many activities that seek to be called ERM do not really satisfy ALL Key Ideas. The most common “fail” is item 2, Comprehensive. When risks are left out of consideration, that is the same as a measurement of zero. So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.
But it is quite possible to “fail” on any of the other Key Ideas.
The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.
Measurement “fails” when the tails of the risk model are not of the correct “fatness“. Risks are significantly undervalued.
Aggregation “fails” when too much independence of risks is assumed. Most often ignored is interdependence caused by common counter parties.
Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.
Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM. The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.
In fact Hierarchy Failure is the other most common reason for ERM to fail.
What kind of future were you thinking of when you constructed your stress tests? Here are six different visions of the stressed future that have been the basis for stress tests.
- Historical Worst Case – Worst experience in the past 20 – 25 years
- Normal Variability – Stress falls within expected range for a normal five year period
- Adverse Environment Variability – Stress falls within expected range for a five year period that includes general deterioration such as recession or major weather/climate deviation
- Future Realistic Disaster – Worst experience that is reasonably expected in the future (even if it has never happened)
- Adverse Environment Disaster – Worst experience that is reasonably expected in the future if the future is significantly worse than the past
- Future Worst Case – Maximum plausible loss that could occur even if you believe that likelihood is extremely remote
Here are a long list of stress scenarios that comes from the exposure draft of the NAIC document for ORSA reviewers:
• Counterparty exposure (loss of specified amount to reinsurer, derivatives party, supplier)
• Equity securities (40%/50% drop, no growth in stocks in 3 years)
• General widening of credit spreads (increase in defaults)
• Other risk assets
• 300 basis point pop up in interest rates
• Prolonged low interest rates (10 year treasury of 1%)
• Material drop in GDP & related impacts
• Stock market crash or specific extreme condition (Great Depression)
• Eurozone collapse
• U.S. Treasury collapse
• Foreign currency shocks (e.g. percentages)
• Municipal bond market collapse
• Prolonged multiple market downturn (e.g. 2008/2009 crisis/or 1987 stock market drop-or 50% drop in equities, 150bp of realized credit losses)
• Significant drop in sales/premiums due to varying reasons
• Impact of 20% reduction in mortality rates on annuities
• Material product demonstrates specific losses (e.g. 1 in 20 year events)
• Severe pandemic (e.g. Avian bird flu based upon World Health Organization mortality assumption)
• California and New Madrid earthquakes, biological, chemical or nuclear terrorist attacks in locations of heaviest coverage (consider a specified level of industry losses)
• Atlantic hurricane (consider a specified level of industry losses previously unseen/may consider specified levels per different lines of coverage) in different areas (far northeast, northeast, southeast, etc.)
• U.S. tornado over major metropolitan area with largest exposure
• Japanese typhoon/earthquake (consider a specified level of industry losses previously unseen)
• Major aviation/marine collision
• Dirty bomb attack
• Drop in rating to BB
• Specified level of adverse development (e.g. 30%)
• Regulatory policy change requires additional reserves (e.g. 30%)
5. Liquidity • Catastrophe results in material immediate claims of 3X normalized amounts
• Call on any existing debt
• Material spike in lapses (e.g. 3X normal rates)
• Drop in rating to BB
• Loss of systems for 30 days
• Terrorist act
• Loss of key personnel
• Specified level of fraud within claims
• Material adverse finding on pending claim
• Worst historical 10 year loss is multiplied at varying levels
• Product distribution breakup
• PR crisis
• Drop in rating to BB
These seem to RISKVIEWS to fall into all six of the categories. Many of these scenarios would fall into the “Normal Volatility” category for some companies and into the worst historical for others. A few are in the area of “Future Worst Case” – such as the Treasury Collapse.
RISKVIEWS suggests that when doing Stress Testing, you should decide what sort of Stress you are intending. You may not agree with RISKVIEWS categories, but you should have your own categories. It might be a big help to the reader of your Stress Test report to know which sort of stress you think that you are testing. They may or may not agree with you on which category that your Stress Scenario falls into, and that would be a valuable revealing discussion.
Risk models can be used primarily to answer two very important questions for an enterprise whose primary activity is the risk business.
- How did we do?
- What should we do?
The “how did we do” question looks backwards on the past, usually for 90 days or a full year. For answering that question properly for a firm in the risk business it is absolutely necessary to have information about the amount of risk that the firm is exposed to during that period.
The “what should we do” question looks forward on the future. The proper time period for looking forward is the same as the length of the shadow into the future of the decision. Most decisions that are important enough to be brought to the attention of top management or the board of a company in the risk business have a shadow that extends past one year.
That means that the standard capital model with its one year time frame should NOT be the basis for making WHAT SHOULD WE DO? decisions. That is, unless you plan on selling the company at the end of the year.
Let’s think about it just a little bit.
Suppose the decision is to buy a laptop computer for the business use of one of the employees of an insurer. You can use two streams of analysis for that decision. You can assume that the only use of that computer is what utility that can be had from the computer during the calendar year of purchase and then you plan to sell the computer, along with the rest of the company, at the end of the calendar year. The computer is valued at the end of the year at a fair market value. Or you can project forward, the utility that you will get from that employee having a computer over its useful life, perhaps three years.
The first calculation is useful. It tells us “HOW DID WE DO?” at the end of the calendar year. But it not a sensible basis to make the decision about whether to buy the computer or not. The reason for that is not because there is anything wrong with the calendar year calculation. In theory, you could even run your company by deciding at the end of each calendar year, whether you wanted to continue running the company or not. And then if you decide to continue, you then must decide whether to sell every laptop or not, and similarly to sell every part of your business or not.
Most companies will automatically make the decision to continue, will not consider selling every part of their company, even if they have gone through the trouble of doing a “for sale” valuation of everything. That approach fits better with Herbert Simon’s “Satisficing” idea than with the theory of maximizing value of the enterprise.
But from a less theoretical point of view, putting absolutely everything on the table for a decision could be very time consuming. So what most companies is to imagine a set of conditions for the future when a decision is made and then as the future unfolds, it it does not deviate significantly from those assumptions, decisions are not reopened. But unfortunately, at many companies, this process is not an explicit conscious process. It is more vague and ad hoc.
Moving away from laptops to risk. For a risk decision, first notice that almost all risk decisions made by insurers will have an effect for multiple years. But decision makers will often look forward one year at financial statement impact. They look forward one year at a projection of the answer to the “How DID WE DO? question. This will only produce a full indication of the merit of a proposal if the forward looking parts of the statement are set to reflect the full future of the activity.
The idea of using fair value for liabilities is one attempt to put the liability values on a basis that can be used for both the “How did we do?” and the “What should we do?” decisions.
But it is unclear whether there is an equivalent adjustment that can be made to the risk capital. To answer “How did we do?” the risk capital needed has been defined to be the capital needed right now. But to determine “What should we do?”, the capital effect that is needed is the effect over the entire future. There is a current year cost of capital effect that is easily calculated.
But there is also the effect of the future capital that will be tied up because of the actions taken today.
The argument is made that by using the right current year values, the decisions can really be looked at as a series of one year decisions. But that fails to be accurate for at least two reasons:
- Friction in selling or closing out of a long term position. The values posted, even though they are called fair value rarely reflect the true value less transaction costs that could be received or would need to be paid to close out of a position. It is another one of those theoretical fictions like a frictionless surface. Such values might be a good starting point for negotiating a sale, but anyone who has ever been involved in an actual transaction knows that the actual closing price is usually different. Even the values recorded for liquid assets like common equity are not really the amounts that can be achieved at sale tomorrow for anyone’s actual holdings. If the risk that you want to shed is traded like stocks AND your position is not material to the amounts normally traded, then you might get more or less than the recorded fair value. However, most risk positions that are of concern are not traded in a liquid market and in fact are usually totally one of a kind risks that are expensive to evaluate. A potential counterparty will seek through a hearty negotiation process to find your walk away price and try to get just a litle bit more than that.
- Capital Availability – the series of one year decisions idea also depends on the assumption that capital will always be available in the future at the same cost as it is currently. That is not always the case. In late 2008 and 2009, capital was scarce or not available. Companies who made commitments that required future capital funding were really scrambling. Many ended up needing to change their commitments and others who could not had to enter into unfavorable deals to raise the capital that they needed, sometimes needing to take on new partners on terms that were tilted against their existing owners. In other time, cheap capital suddenly becomes dear. That happened when letters of credit that had been used to fulfill offshore reinsurer collateral requirements suddenly counted when determining bank capital which resulted in a 300% increase in cost.
RISKVIEWS says that the one year decision model is also just a bad idea because it makes no sense for a business that does only multi year transactions to pretend that they are in a one year business. It is a part of the general thrust in financial reporting and risk management to try to treat everything like a bank trading desk. And also part of a movement led by CFOs of the largest international insurers to seek to only have one set of numbers used for all financial decision-making. The trading desk approach gave a theoretical basis for a one set of numbers financial statement. However, like much of financial economics, the theory ignores a number of major practicalities. That is, it doesn’t work in the real world at all times.
So RISKVIEWS proposes that the solution is to acknowledge that the two decisions require different information.
Yes, that is right. Just buying a treadmill has absolutely no health benefits.
And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attenion to the signals that it sends.
And you can count on the risk management system being disruptive. In fact, if it is not disruptive, then you should shut it down.
The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it. But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.
Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes.
Risk management is a control system that focuses on three things:
- Riskiness of accepted risks
- Volume of accepted risks
- Return from accepted risks
The disruptions caused by an actual active risk management system fall into those three categories:
- Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky. Rejection of business or mitigation of the excess risk is now required.
- Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive. Rejection of business or mitigation of the excess risk is now required.
- Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved. Business emphasis is now shifted to alternatives with a better return for risk.
Some firms will find the disruptions less than others, but there will almost always be disruptions.
The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted. That is worst case because those major disruptive situations are actually where the risk management system pays for itself. If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.