Posted tagged ‘Enterprise Risk Management’

Deciding “What Should We Do?” in the Risk Business

January 8, 2014

Risk models can be used primarily to answer two very important questions for an enterprise whose primary activity is the risk business.

  1. How did we do?
  2. What should we do?

The “how did we do” question looks backwards on the past, usually for 90 days or a full year.  For answering that question properly for a firm in the risk business it is absolutely necessary to have information about the amount of risk that the firm is exposed to during that period.

The “what should we do” question looks forward on the future.  The proper time period for looking forward is the same as the length of the shadow into the future of the decision.  Most decisions that are important enough to be brought to the attention of top management or the board of a company in the risk business have a shadow that extends past one year.

That means that the standard capital model with its one year time frame should NOT be the basis for making WHAT SHOULD WE DO? decisions.  That is, unless you plan on selling the company at the end of the year.

Let’s think about it just a little bit.

Suppose the decision is to buy a laptop computer for the business use of one of the employees of an insurer.  You can use two streams of analysis for that decision.  You can assume that the only use of that computer is the utility that can be had from it during the calendar year of purchase, and that you then plan to sell the computer, along with the rest of the company, at the end of the calendar year.  The computer is valued at the end of the year at a fair market value.  Or you can project forward the utility that you will get from that employee having a computer over its useful life, perhaps three years.

The first calculation is useful.  It tells us “HOW DID WE DO?” at the end of the calendar year.  But it is not a sensible basis to make the decision about whether to buy the computer or not.  The reason for that is not because there is anything wrong with the calendar year calculation.  In theory, you could even run your company by deciding at the end of each calendar year, whether you wanted to continue running the company or not.  And then if you decide to continue, you then must decide whether to sell every laptop or not, and similarly to sell every part of your business or not.

Most companies will automatically make the decision to continue, and will not consider selling every part of their company, even if they have gone through the trouble of doing a “for sale” valuation of everything.  That approach fits better with Herbert Simon’s “Satisficing” idea than with the theory of maximizing value of the enterprise.

But from a less theoretical point of view, putting absolutely everything on the table for a decision could be very time consuming.  So what most companies do is to imagine a set of conditions for the future when a decision is made and then as the future unfolds, if it does not deviate significantly from those assumptions, decisions are not reopened.  But unfortunately, at many companies, this process is not an explicit conscious process.  It is more vague and ad hoc.

Moving away from laptops to risk.  For a risk decision, first notice that almost all risk decisions made by insurers will have an effect for multiple years.  But decision makers will often look forward one year at financial statement impact.  They look forward one year at a projection of the answer to the “HOW DID WE DO?” question.  This will only produce a full indication of the merit of a proposal if the forward looking parts of the statement are set to reflect the full future of the activity.

The idea of using fair value for liabilities is one attempt to put the liability values on a basis that can be used for both the “How did we do?” and the “What should we do?” decisions.

But it is unclear whether there is an equivalent adjustment that can be made to the risk capital.  To answer “How did we do?” the risk capital needed has been defined to be the capital needed right now.  But to determine “What should we do?”, the capital effect that is needed is the effect over the entire future.  There is a current year cost of capital effect that is easily calculated.

But there is also the effect of the future capital that will be tied up because of the actions taken today.

The argument is made that by using the right current year values, the decisions can really be looked at as a series of one year decisions.  But that fails to be accurate for at least two reasons:

  • Friction in selling or closing out of a long term position.  The values posted, even though they are called fair value, rarely reflect the true value less transaction costs that could be received or would need to be paid to close out of a position.  It is another one of those theoretical fictions like a frictionless surface.  Such values might be a good starting point for negotiating a sale, but anyone who has ever been involved in an actual transaction knows that the actual closing price is usually different.  Even the values recorded for liquid assets like common equity are not really the amounts that can be achieved at sale tomorrow for anyone’s actual holdings.  If the risk that you want to shed is traded like stocks AND your position is not material to the amounts normally traded, then you might get more or less than the recorded fair value.  However, most risk positions that are of concern are not traded in a liquid market and in fact are usually totally one of a kind risks that are expensive to evaluate.  A potential counterparty will seek through a hearty negotiation process to find your walk away price and try to get just a little bit more than that.
  • Capital Availability – the series of one year decisions idea also depends on the assumption that capital will always be available in the future at the same cost as it is currently.  That is not always the case.  In late 2008 and 2009, capital was scarce or not available.  Companies who made commitments that required future capital funding were really scrambling.  Many ended up needing to change their commitments and others who could not had to enter into unfavorable deals to raise the capital that they needed, sometimes needing to take on new partners on terms that were tilted against their existing owners.  At other times, cheap capital suddenly becomes dear.  That happened when letters of credit that had been used to fulfill offshore reinsurer collateral requirements suddenly counted when determining bank capital, which resulted in a 300% increase in cost.

RISKVIEWS says that the one year decision model is also just a bad idea because it makes no sense for a business that does only multi year transactions to pretend that they are in a one year business.  It is a part of the general thrust in financial reporting and risk management to try to treat everything like a bank trading desk.  And also part of a movement led by CFOs of the largest international insurers to seek to only have one set of numbers used for all financial decision-making.  The trading desk approach gave a theoretical basis for a one set of numbers financial statement.  However, like much of financial economics, the theory ignores a number of major practicalities.  That is, it doesn’t work in the real world at all times.

So RISKVIEWS proposes that the solution is to acknowledge that the two decisions require different information.

You actually have to run on the treadmill . . .

December 19, 2013

Yes, that is right. Just buying a treadmill has absolutely no health benefits.

And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attention to the signals that it sends.

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

  • Riskiness of accepted risks
  • Volume of accepted risks
  • Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

  • Business that would have been accepted prior to the risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required.
  • Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
  • Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Ingram Looks into ERM – Eight short articles.

December 17, 2013

The magazine of the Society of Actuaries published eight short essays on a variety of ERM topics.

Making Risk Models Collaborative   With our risk models, we make the contribution of managers to the risk management of the company disappear into the mist of probabilities. And then we wonder why so many managers are opposed to “letting a model run the company.”

We Must Legitimize Uncertainty   In a post to the Harvard Business Review blog, “American CEO’s should Stop Complaining about Uncertainty,” Jonathan Berman points out that while African companies are able to cope with their uncertain environment, American CEOs mostly just complain.  Americans must legitimize the Uncertain environment and study how best to cope.

Finding a Safe Place New ERM and Old School goals for risk management all seek to keep the company safe.

ERM and the Hierarchy of Corporate Needs  The reason that ERM is not given the degree of priority that its proponents desire is that it is at best third in the hierarchy of corporate needs.

Help Wanted: Risk Tolerance  It is a rare company that can create a risk appetite statement if they do not already have years of experience with the measure of risk that will be used.

What should you do at a Yellow Light?  Companies need to plan in advance what should be happening when their risk reports indicate that they are entering into risky territory.

Are you Sure about that?  Frequently, we ignore the fact that our risk models do NOT produce information about our risks that is all consistently reliable.  Yet we still add those numbers together as if they were on the exact same basis.

Creating a Risk Management Culture – Risk Management needs to be embedded into the corporate culture, just as expense management was embedded thirty years ago. 

 

Reviewing Risk Culture

November 4, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Culture is the combination of the behaviours of people in the company  – often described as “the way we do things around here”.  All organisations have a risk management culture.  Risk culture is the shared attitudes, values and practices that characterize how a company considers risk in its day-to-day activities. For some companies, the risk culture flows from an explicit risk philosophy and risk appetite.  The risk culture should support the goals, activities and desired outcomes of the company while mitigating the risks of not achieving desired outcomes.  Appropriate risk management behaviours may vary according to the organisation, the industry context, the location of operations both within and across national boundaries together with the resultant jurisdictional requirements. However behaviours that allow , that inspire a culture of fear or retribution, that allow “shooting the messenger” or that help “bad news to travel slowly” are not likely to be conducive to good risk management.

Desired actions/features of risk management by category:

Ad Hoc

1.  Each part of the company has their own risk language.

2.  There is very little cross discipline communications and discussion of risk and risk management issues.

3.  Risk decisions are almost always made individually, without reference to any corporate goals or objectives for risk.

4.  Responsibility for dealing with risks is unclear.

5.  There is an expectation of negative consequences for those associated with any activity that makes unexpected losses.

6.  There is a possibility of negative consequences for those who report bad news.

7.  There is little discussion of past problems or losses either at the time or subsequently.

8.  Senior Management and Board at best pay lip service to an idea that a company has a culture.

Basic

1.  Company has a formal risk management program that follows an outside standard or requirement.

2.  Company has not adapted that program to the specific culture of the firm in any significant way.

3.  Risk management responsibility and discussion are concentrated with a small number of “risk management staff”.

4.  Risk culture is acknowledged as important by senior management and Board.

Standard

1.  There is a common specific risk language at the company.

2.  Company has communication tools,  cross-functional discussions about management of risks, reporting tools and risks matrices.

3.  There are common techniques for risk assessment and risk treatment methodologies.

4.  There is a consistent point of view from the enterprise and business levels with regard to risk management.

5.  There are common understandings of the corporate goals and objectives for risk management.

6.  Company usually carefully reviews unexpected losses seeking to learn from experiences.

7.  Incentive compensation schemes support the achievement of risk management objectives.

8.  Risk culture is actively promoted by senior management and the Board.

Advanced  – in addition to the Standard Practices:

1.  Culture is reinforced by frequent communications and training programs, and by senior management and Board being seen to act in line with corporate risk culture.

2.  The degree of employee knowledge and application of the corporate risk culture is periodically monitored.

3.  The communications and training programs are updated in reaction to the monitoring inputs.

4.  ERM thinking is automatically incorporated into all management decision making.

Hit Me!

October 23, 2013

RISKVIEWS just noticed that this blog had exactly 150,000 hits as of today!

In the scheme of things on the web that is an extremely small number.  But this is a blog about risk management that has no particular marketing scheme, nor any idea of making anyone any money.   RISKVIEWS also writes for the WillisWire blog and a post there will get 25,000 hits in a week.

But from RISKVIEWS’ point of view, 150,000 is an amazing number of hits.  It is really hard to imagine.

WordPress has a statistical package that tells me that RISKVIEWS has had 107 hits today and 242 on the day with the most hits. 

Over half the hits to RISKVIEWS are folks looking at the collection of Risk Management Quotes.

But there is a surprising degree to which visitors are looking at many of the old posts on the blog.  That is gratifying.  Only a few posts are in any way time sensitive.  It is good to know that old posts are still seen as potentially worthwhile by visitors.

So if you ended up on this page and were expecting some wise words about risk and risk management, feel free to browse the categories listed on the right.  I would recommend that you try Uncertainty.  RISKVIEWS always likes writing about that.

And by the time RISKVIEWS was done typing this, the count was up to 150,005. 

Many Thanks!

FROM THE ERM SYMPOSIUM IN CHICAGO

April 28, 2013

Post to Financial Training

Posts to WillisWire:

Tweets:

  1. Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk

  2. What happened to last year’s discussion of a country CRO at the #ermsymposium?

  3. Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!

  4. Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium

  5. Systemic risk decreases with transparency. #ermsymposium

  6. So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium

  7. Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

    1. Dave Ingram@dingramerm 23 Apr Must look at risk measures in the context of your business model. C Lawrence #ermsymposium

    2. Need to invest in the future of risk profession. Mark Abbott #ermsymposium

    3. I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D

    4. Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 

    5. What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk

    6. What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM

    7. Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 

    8. CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

  1. CRO needs to have a 360 degree view of risk. #ermsymposium
    from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium
    from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram ‏@dingramerm 24 Apr
  7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram ‏@dingramerm 23 Apr
  9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
  11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium
    from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
  12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  13. Biggest risks are when we choose not to know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  15. The ERM program needs to show success on the opportunity side of risk. J Kollar #ermsymposium Dave Ingram @dingramerm 23 Apr
  16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
  17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  20. Get board involved asking the risk questions. This creates engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories.

ERM Control Cycle

April 20, 2013

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next come the steps of setting Considerations and Underwriting the risks.  These steps are sometimes operated together and sometimes separately, usually depending upon the degree to which the risks are small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurers, policyholders, stockholders, bondholders, management, employees and communities to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that the choice of which principles to emphasize is tightly linked with their view of the risk environment.

This is a part of the discussion of the seven ERM Principles for Insurers.

Has the risk profession become a spectator sport?

April 3, 2013

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.   April 23 and 24th.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

  • Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
  • For the most significant headlines during the past year, how was the risk management function involved?
  • Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
  • What are the lessons that have been learned and how are they shaping risk management today? If not, why?
  • Does risk management have a seat at the table, at the correct table?
  • Are risk managers as empowered as they should be?
  • Is risk management asking the right questions?
  • Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

  • Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understood the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
    • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
    • Unintended consequences may be lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
    • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
    • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
    • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
  • Actuarial Professional Risk Management  -  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
  • Enterprise Risk Management in Financial Intermediation  -  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

Diversification of Risks

January 22, 2013

There are records showing that the power of diversification of risks was known to the ancients.  Investors who financed trading ships clearly favored taking fractions of a number of ships to owning all of a single ship.

The benefits of diversification are clear.  The math is highly compelling.  A portfolio of n risks of the same size A that are truly independent has a volatility that is a fraction of the volatility of totally dependent risks.

Here is a simple example.  There is a 1 in 200 chance that a house will be totally destroyed by fire.  Company A writes an insurance policy on one $500,000 house that would pay for replacement in the event of a total loss.  That means that company A has a 1 in 200 chance of paying a $500,000 claim.  Company B decides to write insurance that pays a maximum of $50,000 in the event of a total loss.  How many policies do you think that Company B needs to write to have a 1 in 200 chance of paying $500,000 of claims if the risks are all totally independent and exactly as prone to claims as the $500k house?

The answer is an amazing 900 policies or 90 times as much insurance!

When an insurer is able to write insurance on independent risks, then with each additional risk, the relative volatility of the book of insurance decreases.  Optimal diversification occurs when the independent risks are all of the same size.  For insurers, the market is competitive enough that the company writing the 900 policies is not able to get a profit margin that is proportionate to the individual risks.  The laws of micro economics work in insurance to drive the profit margins down to a level that is at or below the level that makes sense for the actual risk retained.  This provides the most compelling argument for the price for insurance for consumers, they are getting most of the benefit of diversification through the competitive mechanism described above.  Because of this, things are even worse for the first insurer with the one policy.  To the extent that there is a competitive market for insurance for that one $500k house, that insurer will only be able to get a profit margin that is commensurate with the risk of a diversified portfolio of risks. 

It is curious to note that in many situations, both insurers and individuals do not diversify.  RISKVIEWS would suggest that may be explained by imagining that they either forget about diversification when making single decisions (they are acting irrationally), or that they are acting rationally and believe that the returns for the concentrated risk that they undertake are sufficiently large to justify the added risk.

The table below shows the degree to which individuals in various large companies are acting against the principle of diversification.

[Table image: concentration]

From a diversification point of view, the P&G folks above are mostly like the insurer above that writes the one $500k policy.  They may believe that P&G is less risky than a diversified portfolio of stocks.  Unlike the insurer, where the constraint on the amount of business that they can write is the 1/200 loss potential, the investor in this case is constrained by the amount of funds to be invested.  So if a $500k 401k account with P&G stock has a likelihood of losing 100% of value of 1/200, then a portfolio of 20 $25k positions in similarly risky companies would have a likelihood of losing 15% of value of 1/1000.  Larger losses would have much lower likelihood.

With that kind of math in its favor, it is hard to imagine that the holdings in employer stock in the 401ks represent a rational estimation of higher returns, especially not on a risk adjusted basis.

People must just not be at all aware of how diversification benefits them.

Or, there is another explanation, in the case of stock investments.  It can be most easily framed in terms of the Capital Asset Pricing Theory (CAPM).  CAPM suggests that stock market returns can be represented by a market or systematic component (beta) and company specific component (alpha).  Most stocks have a significantly positive beta.  In work that RISKVIEWS has done replicating mutual fund portfolios with market index portfolios, it is not uncommon for a mutual fund's returns to be 90% explained by total market returns.  People may be of the opinion that since the index represents the fund, that everything is highly correlated to the index and therefore not really independent.

The simplest way to refute that thought is to show the variety of returns that can be found in the returns of the stocks in the major sectors:

[Image: Sectors]

The S&P 500 return for 2012 was 16%.  Clearly, all sectors do not have returns that are closely related to the index, either in 2012 or for any other period shown here.

Both insurance companies and investors can have a large number of different risks but not be as well diversified as they would think.  That is because of the statement above that optimal diversification results when all risks are equal.  Investors like the 401k participants with half or more of their portfolio in one stock may have the other half of their money in a diversified mutual fund.  But the large size of the single position is difficult to overcome.  The same thing happens to insurers who are tempted to write just one, or a few risks that are much larger than their usual business.  The diversification benefit of their large portfolio of smaller risks disappears quickly when they add just a few much larger risks.

Diversification is the universal power tool of risk management.  But like any other tool, it must be used properly to be effective.

This is one of the seven ERM Principles for Insurers

Does your Risk Management Program have a Personality?

December 19, 2012

Many people are familiar with the Myers-Briggs Personality Type Indicator.  It is widely used by businesses.  What a shocker to read in the Washington Post last week that psychologists are not particularly fond of it.

The Myers-Briggs Personality types were developed directly from the work of Carl Jung, who is not highly regarded by modern psychologists according to the Washington Post story.

Psychologists have their own personality types.  The chart below is from The Personal Growth Library, and is called the Five Factor Model.

[Chart image: Personality]

You may be able to find options here that would align with your ERM program.

Stability – You may seek Resilience, and settle for Responsiveness. 

Originality – You may want to be an Explorer, but much more likely, your ERM program is a Preserver.

Accommodation – Your goal is to be a Challenger, you end up a Negotiator. 

Consolidation – You should be able to achieve a Focused ERM program, but pressures of business and the never ending crises force you to be Flexible much too often. 

That seems to provide some valuable introspection. 

Next you need to look at the overall enterprise personality.  Many successful companies will have a personality that is very different from the choices that you want to steer towards as the risk manager for your program.  You should check it out and see.

If there is an actual alignment between your overall organization’s personality and the personality that you aspire to for your ERM program, then you will be running downhill to get that development accomplished.

What does that mean when the personality that you want for your ERM program is almost totally different from the personality of your organization?  It means that you will be pulled constantly towards the corporate personality and away from what you believe to be the most effective ERM personality.  You then have to choose whether to run your ERM program as a bunch of outsiders.  You then will need to form a tight knit support group for your outsiders.  And make sure that you watch the movie Seven Samurai or The Magnificent Seven.

Or you can rethink the idea you have of ERM.  Think of a version of ERM that will fit with the personality of your company.  Take a look at The Fabric of ERM for some ideas.  Along with the rest of the Plural Rationality materials.

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  Firms need to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

Embedded Assumptions are Blind Spots

October 28, 2012

Embedded assumptions are dangerous. That is because we are usually unaware and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumptions that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  They hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.  In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after… the last time there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

Emerging Risk Survey

October 24, 2012

TAKE PART IN THE ANNUAL EMERGING RISKS SURVEY

Posted by Max Rudolph

The Joint Risk Management Section, sponsored by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries, is interested in better understanding how risk managers deal with emerging risks. The objective of this effort is to examine and ultimately give guidance to risk managers on how to deal with these unknown and developing risks.

To achieve this, we have designed an online survey to gather information about emerging risks and related issues. This survey is a follow-up to earlier surveys on emerging risks and will help to provide insight to changes and trends in this evolving field.

We would greatly appreciate you taking the time to complete the survey by October 26. It should take less than 10 minutes to complete the basic survey, but we hope you will share your thoughts in comment boxes, as well. Please share this survey link with other risk managers (internal and external) who might be interested in sharing their thoughts. We hope to gather a wide variety of perspectives from the survey.

It is our hope that the results of this survey will help risk managers deal with information that exists outside historical data sets. We assure you that results will be reported anonymously and that your specific responses will be held under the strictest confidence.

If you have questions about the survey, please contact Barbara Scott.

Thanks very much for your consideration! We expect to report results in December.

Follow this link to the Survey:
Take the Survey

Or copy and paste the URL below into your internet browser:

http://soa.qualtrics.com/WRQualtricsSurveyEngine/?SID=SV_5upsMMiVNJE1pBj&RID=MLRP_6zJ0LSMyi4Qysux&_=1

***** REMINDER ***** DEADLINE IS FRIDAY, OCTOBER 26 ***** REMINDER *****

Many thanks to those of you who have already participated in this survey!

Risk Evaluation by Actuaries

October 22, 2012

The US Actuarial Standards Board has promulgated a new Actuarial Standard of Practice, number 46, Risk Evaluation in Enterprise Risk Management.

ASB Adopts New ASOP No. 46

At its September meeting, the ASB adopted ASOP No. 46, Risk Evaluation in Enterprise Risk Management. The ASOP provides guidance to actuaries when performing professional services with respect to risk evaluation systems used for the purposes of enterprise risk management, including designing, developing, implementing, using, maintaining, and reviewing those systems. An ASOP providing guidance for activities related to risk treatment is being addressed in a proposed ASOP titled, Risk Treatment in Enterprise Risk Management, which will be released in late 2012. The topics of these two standards were chosen because they cover the most common actuarial services performed within risk management systems of organizations. ASOP No. 46 will be effective May 1, 2013 and can be viewed under the tab, “Current Actuarial Standards of Practice.”

 

CEO is still the Real CRO

June 23, 2012

It was just a couple of weeks ago Riskviews posted…

It’s the job of a CEO to be the Chief Risk Officer

A week later, Reuters ran a story about JP Morgan…

Analysis: JPMorgan repeats basic mistakes managing traders

In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.

What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO.  If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.

It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.

CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company.  In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.

One Page ERM

May 30, 2012

The International Association of Insurance Supervisors adopted the following in late 2011 as a part of ICP 8.

Risk and Reward

May 19, 2012

Successful Businesses pay attention to risk.

- How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position.  They have a basket.  Each basket is different.  It can easily hold so much.  Sometimes, you decide to put a little more in the basket, sometimes a little less.  They should know when they have stacked their risk far over the top of the basket.
- What kinds of risk to take.  They have a plan for how much of each major class of risk they will pick up to use up the capacity of their basket.
- Then when they actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.
- And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace.  Some business managers do it backwards.  If they are not being paid much for risk, they fill up the basket higher and higher.  That is what many did just prior to the financial crisis.  In insurance terms, they grew rapidly at the peak of the soft market.  Just prior to the crisis, risk margins for most financial market risks were at cyclical lows.  What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest.  Few do that.  However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage.  This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins.  But it also needs to be informed by diversification principles.  Short term thinking suggests that risk taking shift all to the particular risk with the immediate best risk adjusted margin.  Long term thinking suggests something very different.  Long term thinking realizes that the business needs to have alternatives.  For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad.  Risk and reward needs to develop a balance between short term and long term.  To allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) and it may well be lower.  The risk reward system needs to be sensitive to all of these three possibilities and ready to react accordingly.

Conflicts about Risk

December 14, 2011

The headline reads:

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood might happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm-ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk than either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CRO’s job is not to stand in judgment of both the CEO and the Board.  The CRO’s job is to work within the risk appetite of the board.

All Risks are not Enterprise Risks

December 12, 2011

Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.

This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission.  No serious undertaking has 75 classes of events that could stop them in their tracks.

A serious undertaking might have 5 such risks.  Usually less.  Things that in spite of the best efforts of management could stop them in their tracks.  There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks.  To make sure that a new potential trouble is not creeping into that top 10.  To make sure that  they are not accidentally taking on much more of those risks.  To find ways to mitigate that first group of top risks.  To make sure that the controls on that second group of top risks are still sufficient.  And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

  • Risks that threaten the earnings of the firm
  • Risks that threaten the capital of the firm
  • Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm.  They should be the concern of the top executives of the firm.  Those risks should be the concern of the directors of the firm.

10 Things We Didn’t Learn from Enron

December 6, 2011

A great piece from ABC News lists 10 things that we should have but didn’t learn from Enron, on the 10th anniversary…

1. Conflicts of interest continue to occur
2. If it’s too good to be true, it probably isn’t
3. Regulators and the regulated continue their dance
4. Transparency is vital
5. More capital is better
6. Excessive leverage is as dangerous as a bad bet
7. Corporate leadership makes all the difference in the world–for good and for bad
8. Preferred stockholders get preferred treatment
9. Still building fragile financial structures
10. Important names make mistakes too

Riskviews comments:

1.  Conflicts – The risk manager should be aware of who benefits from each major program of the firm and who stands to lose if a program runs into trouble.  If those two parties are different, then there are strong incentives for abuse of the program.  Suggestions from a party that could benefit but not be at risk to change the program should be viewed very carefully.

2.  Too Good to be True – But this time is different!!!  The four most dangerous words.

3.  Regulators – someone needs to be able to identify and change situations where the regulators are too cozy with the regulated.  The myth that firms will self regulate was exposed to be a total falsehood in the 2008 Financial crisis.  Real regulation is needed in the financial services business where firms are primarily selling promises.  Whether you are Madoff or Lehman Brothers, the most lucrative approach for managers of a financial services firm is to make promises and not make sufficient provision for satisfying those promises.  Regulators need to assure the customers that a clear standard is maintained for security of those promises.

4.  Transparency – in RISKVIEWS’ opinion, real transparency is much better than supervision.  Market discipline is much more sure than regulatory discipline.  Because market counterparties have skin in the game.  Regulators actually have multiple agendas.  To date, transparency has never been tried, however.  But there are rumours that current depressed bank valuations are in part a market reaction to the fundamental lack of transparency of the banks.  RISKVIEWS hopes that one of the banks tries to be transparent and shows the rest of the sector what happens to their valuation.  US insurers have operated with extremely high transparency for some risks but total lack of transparency for others.  RISKVIEWS hopes that the insurance regulators will stop being agreeable to that situation.

5.  More Capital &

6.  Excessive Leverage  -  these two points are the same.  More capital is less risky, more leverage is more risky.

7.  Leadership – In most companies, leadership is more aggressive than the rank and file of the firm.  And the risk reward equation for top management and the rank and file is totally different as well.  See #1, above.

8.  Preferred Treatment – Why doesn’t the SEC simply mandate disclosure of who gets paid what under different scenarios.  And mandate that be disclosed to new purchasers of a security?  At least to those who intend to hold the security for more than 15 minutes.

9.  Fragile structures – Insurers and banks are being asked to present “stress to failure” tests to show regulators what degree of stress would cause them to fail.  Perhaps that would be a good disclosure for investors as well.  What sort of stress causes a structure to fail?

10.  Mistakes – This is a good reason for diversification.  Into totally different sorts of investments in totally different sectors.  Mistakes can be made from entire sectors, as we saw in the financial crisis.

But read the ABC comments.  They are all good as well.

On Thin Ice

November 30, 2011

Most people who know that they are walking on thin ice will proceed very slowly and carefully.

That is also the effect that we get when we fail to recognize losses. Everyone HOPES that things will turn out ok and either the losses will eventually emerge at a lower value (i.e. less loss) than expected or that while we defer recognition, other earnings will make up for the losses.

Loss recognition is an important step in getting off of the thin ice.  Firms need to have a disciplined loss recognition process so that they can avoid getting into the thin ice situation. 

One important concept in risk management was stated by Nassim Taleb in his “Black Swan Free World” piece – that failures should be frequent and small.  That principle applies to losses as well.  A good risk management program should encourage small and frequent losses.

A firm that rarely recognizes losses is either (a) not taking any real amount of risk or (b) failing to recognize the losses that it has.

The Danger of Optimization

November 21, 2011

RISKVIEWS was recently asked “How do insurers Optimize Risk and Reward?”

The response was “That is dangerous. Why do you want to know that?” You see, a guru must always answer a question with a question. And in this case, RISKVIEWS was being treated as a guru.

Optimizing risk and reward is dangerous because it is done with a model.  Not all things that use a model are dangerous.  But Optimizing is definitely dangerous.

One definition of optimizing is

“to make as perfect as possible.”

Most often, optimization means taking maximum possible advantage of the diversification effect.  You will often hear someone talking about the ability to add risk without adding capital.  Getting a free ride on risk.

There are two reasons that optimizing ends up being dangerous…

  1. The idea of adding risk without adding capital is a misunderstanding.  Adding risk always adds risk.  It may well not add to a specific measure of risk because of either size or correlation or both, but the risk is there.  The idea that adding a risk that is low correlation with the firm’s predominant risk is a free ride will sooner or later seep into the minds of the people who ultimately set the prices.  They will start to think that it is just fine to give away some or all of the risk premium and eventually to give up most of the risk margin because there is thought to be no added risk.  This free risk idea will also lead to possibly taking on too much of that uncorrelated risk.  More than one insurer has looked at an acquisition of a large amount of the uncorrelated risk where the price for the acquisition only makes sense with a diminished risk charge.  But with the acquisition, the risk becomes a major concentration of loss potential and suddenly, the risk charge is substantial.
  2. In almost all cases, the best looking opportunities, based on the information that you are getting out of the model are the places where the model is in error, where the model is missing one or more of the real risks.  Those opportunities will look to have unusually fat risk premiums. To the insurer with the incorrect model, those look like extra margin.  This is exactly what happened with the super senior tranches of sub prime mortgage securities.  If you believed the standard assumption that house prices would never go down, there was no risk in the super senior, but they paid 5 – 10 bps more than a risk free bond.

The reliance on a model for optimization is dangerous.

That does not mean that the model is always dangerous.  The model only becomes dangerous when undue reliance is placed upon the exact accuracy of the model, without regard for model error and/or parameter uncertainty.

The proper use of the model is Risk Steering.  The model helps to determine which risks should be held steady, which risks would be good to grow (as long as the environment stays the same as what the model assumes) and which risks to reduce.

Let’s get Real

November 7, 2011

Talk to CROs and all the nice theories about risk management get put in their place.  In real companies, the loudest and most influential voice usually belongs to the people who want to add risks.

A real CRO is not often struggling with issues of risk theory.  They are totally immersed in the reality of corporate power politics.

  • In some firms, the CEO will set up the CRO in a position where risk concerns will trump all else.  The CRO will have authority to stop or curtail any activity that s/he feels is excessively risky.
  • In other firms, the CEO will set up the CRO to be one of many voices that are clamoring for attention and for their point of view to be heard.
  • And a third set of firms has the CRO as purely a reporting function, not directly involved in the actual decision making of the firm.

The first case sounds ideal, until the CRO and the CEO go head to head on a major decision.  The battle is not usually long.  The CEO’s view will win.  In these firms, it is usually true that the CRO and the CEO see eye to eye on most things.  The CEO in these firms has the opinion that the business units would take enough risk to imperil the firm if left alone.  But the CEO is still responsible to make sure that the firm is able to grow profitably.  And a CRO who gets used to power over risk decisions sometimes forgets that power comes solely from the CEO.  But for the most part, the CRO in this firm gets to implement the risk management system that works the way that they think is best.

The second case sounds much more common.  The CEO is not saying exactly how much s/he supports ERM.  The CEO will decide in each situation whether to support the CRO or a business unit head on any risk related major decision.  The risk management system in this firm exists in a grey area.  It might look like the risk management system of the first firm, but it does not always have the same amount of authority.  Managers will find out quickly enough that it is usually better to ask for forgiveness rather than follow the rules in the times when they see an important opportunity.  The CRO in this firm will be seeking to make a difference but has to define their goals as all relative.  Are they able to make a noticeable shift in the way that the firm takes risk?  That shift may not go all the way to an optimal risk taking approach, but it will be a shift towards that situation.  Over time they can hope to educate the business unit management to the risk aware point of view with the expectation that they will gradually shift to more and more comfort with the risk management system.

In some of these firms, the risk management system will look more like the system of the third case below – a Risk Information system.  The approach is to keep all of the negotiation and confrontation that is involved with managing risk limits and standards to be verbal rather than on paper.

In the third case, the risk management system exists to placate some outside audience.  The CEO has no intention of letting this process dictate or even change any of the decisions that s/he intends to make.  The most evident part of an ERM system is the reports, so the risk management system in these firms will consist almost entirely of reporting.  These firms will be deliberately creating an ERM Entertainment system.  The best hope in these firms is that eventually, the information itself will lead management to better decisions.

What is working against the CRO in the second and third cases are the risk attitudes of the different members of management.  If the CRO is targeting the ERM system and/or reports to the Manager risk attitude then it might be a long time before the executives with other risk attitudes see any value in ERM.

How Real Risks are Managed

October 31, 2011

The real risk that your $10 million machine that is at the heart of your production line will fail needs to be managed. There are several ways that real companies manage this sort of real risk:

  1. Wait until it breaks and then fix it.
  2. Replace the machine when it is old enough that there is an x% probability that it has reached the end of its useful life, based upon statistics for all users of the same machine and the passage of time.
  3. Replace the machine when it has been used so much that it has reached an x% probability of failure, based upon statistics for all users of the same machine and the actual usage you make of the machine.
  4. Repair the machine when one of dozens of sensors placed within the machine indicates that some part of the machine is starting to operate outside of desired specs.  Replace the machine when such repairs are not cost effective.

This list seems to have a clear analogy for financial firms and their risk management programs:

  1. No risk management program – let the losses happen and mop up afterward.
  2. Manage to some broad industry standard, like premium to surplus ratio or assets to surplus ratio.
  3. Manage to some risk adjusted industry standard like BCAR or RBC.
  4. Manage to a detailed and carefully updated comprehensive risk model.

Of course, 4 is the most expensive course, for both the “real” companies and the financial firms.  Which course you pick depends upon how devastating an event it is for your machine to break down unexpectedly.  If your business can stand a few days/weeks/months without the machine, then maybe the very low cost path 1 is fine for you.

For financial firms, the question is the cost of an unexpected and large excess loss.  How disruptive will it be to have to either curtail business activity until you are able to build back capital or to raise the capital to replace what you lost with new capital?  Can you keep doing business while you settle that question?  What is the opportunity cost of not being able to write business right after a big loss?

The analogy is a pretty good fit.  Feel free to use it when you have to argue for more risk management spend.

Winners and Losers

October 24, 2011

European leaders are in conference as this is being written. Their sole concern is to determine the shares of the Losers from the lending boom.  Candidates for Loser shares include:

  1. The Greek citizens  -  this has been the first place that they wanted to go.  But so far the Greeks have shrugged off attempts to get them to even stop running up additional debt, let alone repaying any old debt.  Realists are now struggling with trying to determine who else they can find to take the Loser shares.  The efforts of the Greek government have all been to slow the rate of new borrowing, and those have fallen short of goals.
  2. The non-Greek Europeans  -  this approach is accomplished through a government to government or government to ECB to government transfer of money.  This has been the central approach to date.  This approach is limited because of the reluctance of the German people (and therefore their politicians) to take a larger Loser share.  Their concern is that the Greek citizens have been the winners (through excessive government spending and salaries) so the Germans who have been frugal and prudent should not be providing a larger share than the Winners.
  3. The banks  -  who all somehow managed to own greater or lesser amounts of Greek debt.  Unfortunately, these banks are mostly European.  And if forced to bear the bulk of the losses might find themselves in need of government bailouts.  Back to the non-Greek Europeans.  But it is worthwhile to think for a minute what making the banks take a large Loser share would involve.  If the banks take a large Loser share, they have to decide who among six parties will they then spread the share to.  Those parties are:  bondholders, stockholders, management, employees, customers and other counterparties.
  4. Non-Europeans  -  enter the IMF which has made smaller contributions to this situation than the Europeans, but not insignificant contributions.  The involvement of the IMF creates interesting precedents for future situations.  The Greeks are proving that there is no reason whatsoever to ever comply with international financial covenants.  The IMF was famous for imposing draconian requirements on those to whom it lends.  But that story is being rewritten by the Europeans.  To some it appears that there are two sets of rules when it comes to loans from the IMF.  And where you live determines which set of rules applies.

So back to the negotiating table.  History of the past 10 years has shown that the Greek government will agree to any terms, but will have trouble delivering on anything.  Countries have not recently tried living without banks.  But most assume that would be fairly difficult.  So in the end, the European people will pick up the tab.  It seems to make sense to settle this sooner rather than later so that it will be possible to put a stop to further Greek overspending.  But that sensible concern does not seem to be moving the leaders to doing the difficult work of assigning the Loser shares.

Clearly, there was not any realistic discussion of this possible situation BEFORE the crisis.  The Greeks promised repeatedly not to ever get close to this sort of mess.  The banks have rules against lending to entities who are not likely to repay and they have regulators whose job it is to make sure that they do not get in over their head.  Governments presumed, perhaps without any basis in reality, that those three lines of defense would be more than enough.

The response ultimately needs to be something other than adding two more nevers to the promise to never, never, never, never let this happen again. 

An actuary from one insurer often tells the story that his firm will always want to understand how a new product might fail before they agree to start selling that product.

Perhaps that is what is needed for countries and their banking systems.  They need to think through how things might break and say in advance who will bear the Loser shares.  In really having that discussion, perhaps it will become clear that it is much easier to distribute losses when they are smaller and that their main task needs to be to identify and deal with Loser shares when they are smaller rather than the recent strategy of hoping that they would go away.

Some might suggest that there is a set of rules in place for that.  But the evidence is clear that those rules are insufficient.  We all need to get realistic about these situations and develop a new set of rules that might carry us for another 50+ years.  Rather than solutions that work for a few months.

Does Your Firm Know What To Do At a Yellow Light?

October 17, 2011

An Audi advertisement says:

The Yellow light was invented in 1920.  Almost 100 years later, 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time.  Everyone anywhere in a hurricane zone knows the annual season for those storms.  They make sure that they are prepared during that season and don’t worry so much in the off season.  Most risks do not have clear regular seasons, like hurricanes.  (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks.  And it needs to have plans for what needs to be done in each part of the firm so that they “Proceed with Caution”.  And the managers of the affected areas need to know those plans and their own roles.  And there needs to be a Yellow (or Amber) light that flashes somewhere. And then the managers need to act, they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD; either Red Lights, Cement Barriers or Brick Walls.  A Red Light risk limit means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed.  A cement barrier risk limit means that you are prohibited from proceeding when you hit a limit.  A brick wall risk limit means that if you hit the limit, you are likely to be terminated.  In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals.  RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans of how to proceed when the Yellow Light goes on.

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is

“watch out for the other two groups.”

400 Posts – 70,000 Hits and Still Blogging

October 8, 2011

In April 2009, someone said to RISKVIEWS, why don’t you try blogging.

From April to August, the RISKVIEWS website consistently drew at least 600 hits per month to the Risk Management Quotes.  Then the blogging started.

Someone recently asked “How does this fit into your career plan?”  Interesting question.

Posting is now just a habit.  It happens in bursts.  Some weeks there are no good ideas, others there are many.  At least many ideas.  Over time there are even a few really good posts.

Here are a few that you may not have noticed:

You may not be able to Grow out of it

Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.

Who wins with leverage?

Leverage increases apparent returns in the best of times but increases risk considerably in the worst of times.

How about a Risk Diet?

Why do you need an aggregate risk limit?  For the same reason that a dieter needs a calorie limit.

Adaptability is the Key Survival Trait

To survive such situations, it seems that the ability to quickly assess new situations, especially ones that look like old tried and true but that are seriously more dangerous, and to change what the organization is doing in response to these risks is key.

Your Mother Should Know

Something as massive as the current financial crisis is much too large to have one or two or even three simple drivers.  There were many, many mistakes made by many different people.  My mother, who was never employed in the financial world,  would have cautioned against many of those mistakes.

According to the site stats that I get, these posts have been read a total of less than 30 times.

So on a day like today, check one of them out.  Chances are you did not see it already.

Global ERM Webinar

October 4, 2011


How to do Risk Management in Lean Times

September 30, 2011

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

  1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
  2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transferred to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
  3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can be a very time consuming part of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
  4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
  5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
  6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
  7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.

These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

Ten Commandments for a Crash

September 26, 2011

Joshua Brown wrote “Ten Commandments for a Crash”  – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that it’s a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down! 

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists.

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things where you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  The bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Climbing the Risk Management Mountain

September 24, 2011

The pursuit of risk management is in some respects like climbing a mountain.

Your choice of the risks that you will plan to manage (rather than avoiding or eliminating) is like your choice of mountain. Some mountains will be more difficult to climb than others. Some have well worn paths to the top. And sometimes there is a shift in the weather that makes even the most traveled path unusually dangerous.

Some folks have been living on the side of their mountain for generations. They consider that they are the experts of that particular mountain. But then one day, a band of outlanders shows up with new equipment and takes a new route that takes them higher up the mountain than any of the locals have ever gone.  Sometimes, however, those outsiders only look like they are going straight to the top.  Sometimes they are stopped short by perils that the locals knew well.  With risk management, there have been firms managing some risks for a long time who have been brushed aside by competitors with rocket scientists.  Some of those rockets took the firms right to the top, others flamed out along the way.

There are many ways to approach climbing a mountain.  Some choose the southern route, others the northern.  And many different places to stop the climb and declare success.  For some risk managers, the climb may stop when the largest one or two risks of the firm are separately under control.  Others will seek to reach the spot on the mountain where the capital model can be found.  They undertook climbing risk management mountain to get a handle on managing their capital.  A third group will stay unswervingly on the path that is laid out with the railings and signs put there by the regulators.  They seek only to achieve the point on the mountain of regulatory compliance.  They do not seem to care that standing for too long on that spot may not be safe in all weather either.  The final group is looking to get to the top of the mountain, to stand on the highest pinnacle.  They feel that mastering risk management can only be done if they are standing on top of all of their risks at once.  They feel that any other spot on the risk management mountain is not for them.

Having spotted the place where they want to end up, many people stand transfixed by the immense task ahead of them and fail to start.  They do not see any way that they can get from where they are to that remote point up the mountain that is partially obscured by the clouds.  They see some others already at those points and cannot figure out how to jump right up to join them.

They sometimes do not realize that those who are already far up the path got there most often by focusing instead on the next step, rather than on the endpoint.  Some of those who are far up the mountain may in fact have started out to reach a different point and made corrections to their ascent path as they realized the conditions as well as their own capabilities.

Others who already live part way up the mountain are confused.  They are looking at the instruction manual for climbing this mountain.  The book always starts at the bottom of the mountain.  And it assumes that you are someone who does not already own some (possibly most) of the equipment needed for climbing.   The whole thing seems impossible to make sense out of for you.  You are not even going to consider going to the bottom of the mountain and leaving all of your equipment and expertise behind.

Most insurers are in the position of the villagers living on the side of the mountain.  They are getting instructions to start at the bottom of the south side of Risk Management Mountain, while they live on the north.  What they need is not generic instructions.  What they need is instructions that start with what they know and with the equipment and experience that they have.  They need to know the best path to get to the place where they want to go from where they are.

You need to know how much risk you’ve been taking first

September 15, 2011

Everyone struggles with choosing a risk appetite.  But that is the first mistake.  Risk appetite will not be singular.  Risk Appetite is plural.  It refers to any aspect of risk that goes beyond what you will comfortably accept.

The paper Risk and Light mentions a number of aspects of risk:

  • Type A Risk – Short Term Volatility of cash flows in 1 year
  • Type B Risk – Short Term Tail Risk of cash flows in 1 year
  • Type C Risk – Uncertainty Risk (also known as parameter risk)
  • Type D Risk – Inexperience Risk relative to full multiple market cycles
  • Type E Risk – Correlation to a top 10
  • Type F Risk – Market value volatility in 1 year
  • Type G Risk – Execution Risk regarding difficulty of controlling operational losses
  • Type H Risk – Long Term Volatility of cash flows over 5 or more years
  • Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
  • Type K Risk – Pricing Risk (cycle risk)
  • Type L Risk – Market Liquidity Risk
  • Type M Risk – Instability Risk regarding the degree that the risk parameters are stable

It is quite possible that a full risk appetite would address each of these aspects of risk and more.

But a more difficult hurdle is the fact that in many cases risk exposure is not consciously known.  In some cases, that is because of a confusion between RISK and LOSS.  Some of that is because of the overuse of the word risk.  In many situations, risk is used to mean an expected loss.

But for risk appetite, it is never the expected loss or even the actual losses that are of concern.  The risk that matters is the potential for future loss.

But to have any idea of how much risk a person or a firm might be comfortable with, they need to have experience with risk.  To have an articulate risk appetite, that experience must have been quantified.

How much was the risk exposure last year?  How much was it the previous year?

And when we try to think of how much risk, we need to recognize that risk has many aspects that may need to be quantified.  Risk is complicated.  It does not reside in a single number.

Why would we think that it did?  Try to name anything important that can be represented with a single number.  Can you represent your car with a single number?  Can you represent your brother with a single number?  Can you represent a book with a single number?  Risk is a potential for future loss, and that potential has many more possibilities than an existing physical object.  The object needs to be represented by many different numbers.

But not all of the aspects of risk are ultimately important in most situations.

But before anyone or any business can form a risk appetite, they need to identify the characteristics of risk that are most important to them and then they need to build an experience base.  They need to know how much risk that they have taken in the past.  They need to know how much they can get paid for taking the risk.  They need to know when they were at risk of having their lights put out.

Better to have this experience in real time.  But second best is to work backwards into the past.

Faced with real information, matched up to real experience, the stories of how to create a risk attitude will then start to make sense.

But up til then, it just won’t mean anything.

The World is not the Same – After

September 12, 2011

In reality, there is no accurate way to calibrate a risk model right after a major loss event. That is because there is always a good chance that the world will change as a result of the experiences of the event.

In Japan, the rebuilding after the losses from the earthquake/tsunami will not replace what was there. The buyers of the products that were manufactured in Japan who were disrupted by the event have all found alternatives. And they have learned from the event to diversify their suppliers or at least deal with a supplier who has diversified exposure to risk. The Japan after the event will not be the same Japan as before.

A market or an industry, a company or a people rarely go back to doing things exactly the same way after a major crisis.

They may become much more conservative about the risk that caused the crisis.  They may just move on, like New Orleans which is now less than one third its pre-Katrina size.  They may adopt many new rules and regulations like Sarbanes-Oxley or Dodd-Frank.  Or they may finally start listening to their risk managers or even hire new CROs.

If you want to have a model that includes the year after a crisis, then you will need to study past crises and the reactions to those events.  What that may mean is that there are ripple effects of the crisis in the model. Not just another random year.  Because regardless of what the theories say, the world displays multi year effects.  Events are not over simply because the model turns to another time slot.

During the Crisis

September 11, 2011

There are three Phases to Risk Management,

  • Preparation,
  • Crisis Management and
  • Picking up the pieces

During the Crisis, the most important thing is that you are able to assess the situation, choose the appropriate action and finally and most importantly ACT.

Many people are prone to freeze during a crisis.  They go into a daze because some main steady thing in their life is no longer there and working.

On the anniversary of 911, it is interesting to notice that an article A Survival Guide to Catastrophe from 2008 is the most popular article today at Time.com.

It tells the story of how several people escaped several famous catastrophes.  In each case, some of the people who died in those situations were frozen.

The human brain goes through three stages during a crisis: disbelief, deliberation and action.  The frozen people are stuck in the disbelief or deliberation stages.

That is where the Preparation phase is important.  With proper preparation, people can be taught to quickly identify the reality of the crisis and to know in advance their best options.  The purpose of the preparation is then to shorten the time to get to the third stage.  ACTION.  And to make sure that when you get there, you take the right action.

During the World Trade Center crisis, some people did act quickly, and climbed the stairs right up to the roof.  Others made the right choice and went down the stairs.

This Crisis Management thinking does not just refer to physical crises.  Financial firms are faced with financial crises.  In those situations, managers of the firm go through the exact same stages:  disbelief, deliberation and action.  They can get stuck in either of the first two stages until it is too late.  They can also choose the wrong action.

Much of risk management literature seems to be about the risk management things that are needed during the moderately risky, normal times.  But risk management is also needed in the midst of the crisis.  The risk mitigation tactics that work best in moderately risky, normal times may not even be available in a crisis.  There needs to be preparation for a possible crisis so that managers will promptly identify the crisis and know in advance the types of options that they may have and also know how to go about choosing the best options.

Firms that provide property insurance to disaster prone areas have learned that it is much more than good customer service to have claims people on the ground to start writing checks as soon as possible after the disaster.  Firms that trade in financial markets have learned, if they did not know already, that trading is not always continuous.

Whatever your firm does, the risk manager should be developing and training managers about crisis plans.

Where Do You Hide?

September 9, 2011

US Hurricane Risk

The lines on the graph represent the paths of the 50 most deadly US hurricanes on record.  The numbers on the lines are the number of deaths.

One important thing to notice is that there is nowhere on the eastern or southern coasts of the US that has not experienced deadly hurricanes.

That suggests two strategies for dealing with hurricane risk for an individual.

  1. Avoiding it by moving well inside the lines.
  2. Building up a residential system that is resilient to the forces of hurricanes.

The first strategy is suspect until you study the risks of those areas.  The area just outside the lines includes the New Madrid fault and an area that has experienced major inland windstorms, hailstorms and floods in the recent past.   So there is no guarantee of safety by risk avoidance.

That leaves resilience as the best bet.  Resilience will involve learning about safety measures, setting a risk tolerance and finding out how strong of a storm fits within the risk tolerance.

In Japan, they set their risk tolerance to be that they would not accept a risk of a storm that is within the range of all past experience.  They thought of that as a zero risk tolerance.  They learned on 311 that their actual risk tolerance (storms within the historical observations) and their notional risk tolerance (zero) were not the same thing.

For an insurer or a business, there are very different options.  Diversification and insurance/reinsurance may be chosen instead of resiliency.

Society and the Default Put

September 7, 2011

The idea of the Limited Liability Corporation is one of the innovations that is credited with making capitalism work. The structure allows a person or group to form a business without risking their entire fortune. That is the way that economics textbooks say it. It sounds like all upside.

But wait a minute. Think about it like a risk manager. A real risk manager, not the hucksters who sold the “risk goes away if you split it fine enough” or the “no increase in total risk because of diversification benefits” stories.

A real risk manager knows that a loss is a loss. A dollar (or euro, or pound) is a dollar. Losses do not disappear EVER. Unless you do the work to prevent them.

And limited liability is NOT a loss prevention program. It prevents losses from transmitting to a certain party. The owner of the company. But someone always gets those losses.

Think about it for just a fraction of a second. If a company has obligations that it cannot pay, who has a loss? You figured it out; their counterparties take the loss. It might be customers, suppliers, subcontractors, their bank, or bondholders. The limited liability idea protects only one group – the owners/shareholders. Everyone else has unlimited liability!

What we saw in the crisis: if you owe the bank $100,000, they own you. If you owe the bank $10,000,000, then you own the bank.

This limited liability idea is totally embedded now. Everyone believes that they have the RIGHT to create problems for everyone else that deals with them and JUST WALK AWAY.

In ancient times, the ultimate collateral was the debtor’s personal freedom. A person who defaulted on a debt became an indentured servant of the lender. This idea persisted in one form or another until the 1800s when debtors’ prisons fell out of favor. The US was one country that led the way on this movement. The US has always had a much easier attitude to bankruptcy. There has always been much less stigma attached to bankruptcy along with the easier legal climate.

So the system works this way – people and businesses can go bankrupt easily and put their excess losses onto their counterparties. And in reaction to this, counterparties must be careful who they do business with.

That means that Credit Risk Management is a fundamental aspect of the business environment.

However, when you recognize the underlying fundamental reason for that statement, you may question whether the new statistical based Credit Risk Management that has developed over the past 25 years actually satisfies the fundamental need of the system.

Under the statistical approach to CRM, diversification is the key risk management tool. This has replaced the time consuming and labor intensive credit underwriting process.

But it is the underwriting process that works to counter balance the default put that is implicit in the bankruptcy rules.

Without the underwriting, the statistical process will simply not work. It will give totally wrong information. That is because statistics does not work on any old bunch of numbers. Statistics only works on homogeneous sets of numbers.

Let’s review. The default put creates a situation where a person or a firm can take on obligations that they cannot repay AND they will not be held responsible to repay. When people or businesses operate AS IF they were going to pay obligations, then they can receive value from counterparties that is in excess of the value that they will repay. So their counterparties need to police this imbalance.

Statistical CRM means that the lender will make many loans with the expectation that only a few will fail to repay and there will be limited losses from those failures. But once borrowers notice this (or intermediaries who have a better chance to notice) their best outcome is to borrow as much as they can, to leverage up as much as possible. Their upside in the event that everything turns out well is then enormous and they suffer none of the downside.

So statistical CRM leads directly to deterioration in credit quality through excess leverage. No one is actually watching to make sure that the credit risk per loan is staying constant.

And the main risk management tool of diversification fails when the loans themselves become the major source of risk. The correlation between excessive lending and defaults is very high. It is different from the correlation between loans that can be repaid easily.

All this results directly from that default put.  You need to understand the true dynamics of the system if you want to get your risk management right.

Don’t Forget to Breathe

September 5, 2011

Air breathing organisms do not need any special process to avoid the risk of simply forgetting to breathe. Mostly, they just do it automatically. And if for some strange reason, they stop breathing, their body very quickly develops a violent response to the lack of new air.

Drinking and eating are not quite so automatic, but it is also unnecessary to remind people not to starve to death, when they have a choice to do otherwise.

Animals, including humans, can be observed to also have many, many automatic risk management behaviors. Fear of heights, startle reactions, fight or flight adrenalin releases, and so on. In fact, if you are at a loss of how to deal with any business risk, just go down the list of human natural defenses against risk and you will get lots and lots of different ideas. The natural environment in which the human species evolved was and remains very dangerous. Risks come at us from every direction. Some are constant (like falling from a great height) and some change all the time (like predators and competitors for resources).

Many business managers will contend that their company has developed automatic systems that are embedded in the DNA of the firm to handle risk. The continued existence of the firm is put in evidence as the primary proof of that contention.

The problem with believing that sort of argument is that while a failure to breathe will send an animal into fits of gasping, and dancing on the edge of a cliff will make most animals’ heads spin with a natural fear reflex, there are no noticeable consequences of a business stopping their risk management activities.

There are natural, automatic and almost fool proof mechanisms in animals to prevent them from taking some of the most immediately dangerous risks. There are absolutely none of those in a business setting.

So even if there has been a long history of ingrained risk management actions in a firm, a sudden change in personnel can send all that right out the window.

One way of looking at a risk management system is as the replacement for the natural fail safe mechanisms.

Nature saw fit to add a violent automatic natural reaction to a lack of air to the automatic breathing mechanism that can be consciously overridden. The business risk management traditions can be easily and painlessly overridden, unless there is a good risk management system to make the company gasp for breath.

You might find yourself swimming underwater. You override your natural urge to breathe. There are interesting things to see underwater. But you will find it very difficult to stay under too long. Your body has failsafe mechanisms that mean you have to work at it very hard to stay under long enough to really hurt yourself. In fact, the mechanism seems to have such a margin of error that you start to want to come back up when you still have the capacity to get back to the surface.

Companies have no similar automatic mechanism.  When someone fails to do the risk management that they should, usually the reaction is that things look and seem better.  Most often, risk management depresses profits, and reduces choices.  The feedback that is experienced leads in exactly the wrong direction.

A risk management system is the answer to the problem.  The risk management system needs to have mechanisms to keep reminding employees that they need to follow the system rules.

Risk management is not at all like breathing.  In fact quite the opposite.  A firm that wants to have risk management for the long term will need to have a formal process to remind employees that it is important.  In addition, the importance of risk management needs to be periodically reinforced by statements of support from top management.

Risk management is more like a medicine that a person who feels perfectly fine is asked to take regularly.  Every day, they get up and take this medicine, but there is no obvious indication that the medicine is needed.  Many will simply start to forget to take the medicine.  Stop wasting the time it takes to buy and take the medicine.  Avoid even minor side effects.

On the other hand, things that are bad for your health give quite positive short term feedback.

The trick is to make risk management become more and more like breathing.  To make it a reflex and to build up the mechanisms that will send out danger signals if someone tries to override those automatic mechanisms.

Decision Fatigue and Crisis Risk Management

August 31, 2011

In a recent New York Times Magazine article, the problem of decision making fatigue is described.  The article says that people will generally tire of making decisions.  It cites studies of judges’ rulings on parole hearings.  One example cited was that parolees who have the bad luck to have their case heard later in the day have much less chance of success.

Another interesting aspect of decision fatigue was that once fatigued of decisions, people tended to narrow their decision making criteria.  Tired decision makers would eventually get down to a single factor driving their decisions.

The idea given of how to avoid decision fatigue is generally to avoid making too many decisions.

There are interesting implications for risk management.  RISKVIEWS has said many times that risk management means that sometimes the company will do something different than before they had risk management.  But since the company is not doing something different all of the time, each different situation requires a decision.  But all decisions are not of the same economic impact.

So a strategy for getting it right – or at least avoiding decision fatigue for the most important decisions – is to make sure that a fresh decision maker is involved in the decisions of higher importance.

This idea may not mean making any change in the procedures of many companies.  It is not uncommon for decisions that involve larger amounts of money to require approval by a more senior person than the person who makes the lesser decisions.  It appears that is a good idea from a decision fatigue point of view.  Firms who seek to empower their employees by avoiding that sort of system may be playing Russian roulette with their most important risk management decisions.

In a crisis, many decisions are needed in a short time.  That is perhaps one way of defining a crisis.  Things must be done differently.  The likelihood of decision fatigue in a crisis seems to be immense.

A solution to this is to reduce the number of decisions.  This can be accomplished by anticipating the decisions that may be needed and making the most likely decisions in advance.  It may well be that an advance decision made with an approximation of the situation may be better than a fatigued decision.  There still remains the decision of whether the advance decision is still applicable.  But if done right, the stress of decisions can be greatly reduced.

In addition, the narrowing of decision making criteria for fatigued decision makers is an interesting finding.  Many management information people report that they need to refine the information that they provide to single indicators, in some cases to red light/green light on/off indicators.

This seems to be a clear indication of decision fatigue of senior managers.  While MI professionals will not usually be empowered to have an opinion on this, it seems that what is in order is for the top managers to make fewer decisions until they get to the point where they are no longer too fatigued to recognize the actual complexity of the decisions that they are making.

The Risk Managers Desk Reference

August 23, 2011

If you are a risk manager, you probably already have this book on your desk.  Ready for the next time that someone says that some disaster you are asking them to prepare for will never happen.  You then can pull out this resource and show them that something much worse has happened several times before.  This invaluable resource is

The Pessimist’s Guide to History 3e: An Irresistible Compendium of Catastrophes, Barbarities, Massacres, and Mayhem – from 14 Billion Years Ago to 2007 by Flexner and Flexner.

With this book, the alert risk manager can perform a comprehensive study of disasters that occurred in the 1500s, for example.  The PGTH (as fans affectionately call it) tells of the following:

  • 1502 – 30 Spanish treasure ships destroyed by hurricane
  • 1514 – Hungarian Peasants Revolt
  • 1520 – Sad Night at Tenochtitlan
  • 1521 – Smallpox and Spanish conquer Aztecs
  • 1524 – Peasants revolt in Germany
  • 1527 – Sack of Rome
  • 1528 – Spanish explorers’ ships wrecked by hurricane near Florida
  • 1531 – Earthquake hits Lisbon
  • 1545 – Sinking of Mary Rose
  • 1546 – Massacre of Waldenses
  • 1556 – Chinese earthquake kills over 800,000
  • 1559 – Spanish ships sink in hurricane near Tampa
  • 1562 – Massacre near Vassy, France
  • 1570 – Massacre at Novgorod
  • 1572 – Massacre of St. Bartholomew
  • 1574 – Floods in Netherlands kill 20,000 Spanish soldiers
  • 1587 – English colonists at Roanoke disappear
  • 1588 – Spanish Armada defeated
  • 1589 – Assassination of Henry III
  • 1591 – Philippines volcano erupts
  • 1591 – Storms destroy 29 Spanish ships near Florida

Other events include the extinction of the dinosaurs 65 million years ago.  If you are using that piece of data to help to calibrate your loss models, you can think of that as a total loss once in the past 65 million years.

So the next question from your management may be whether if the total loss scenario is a one in 65 million year event and it has not happened in 65 million years, are we due?

And from this data, it looks like hurricanes happen near Florida.  Especially dangerous to Spanish ships.  Tell that to your underwriters.

But they probably have their own copy of the book.

And one very sure sign of a dangerous situation for your company is if you find one of your underwriters with a different book by the Flexners, The Optimists Guide to History.

Something important to check for.

ERM Disclosure (2)

August 22, 2011

In a post last week, it was noted that US insurers are starting to admit to managing their risks in their public disclosures.  The 671 word discussion of the ERM process of Travelers was reproduced.  (Notice that over 100 of those words talk about the unreliability of the ERM system.)

But disclosure of ERM processes has been much more widespread and much more extensive in other parts of the world for more than 5 years.

For example, Munich Re’s 2010 annual report has a 20 page section titled Risk Report.  That section has sub headings such as:

  • Risk governance and risk management system
  • Risk management organisation, roles and responsibilities
  • Control and monitoring systems
  • Risk reporting
  • Significant risks
  • Underwriting risk: Property-casualty insurance
  • Underwriting risk: Life and health insurance
  • Market risk
  • Credit Risk
  • Operational risk
  • Liquidity risk
  • Strategic risk
  • Reputation Risk
  • Economic Capital
  • Available Financial Resources
  • Selected Risk Complexes

It is not just Munich Re.  Manulife’s Risk Management disclosure is 22 pages of their annual report.  Below is the introduction to that section:

Manulife Financial is a financial institution offering insurance, wealth and asset management products and services, which subjects the Company to a broad range of risks. We manage these risks within an enterprise-wide risk management framework. Our goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue, earnings and capital growth.
We seek to achieve this by capitalizing on business opportunities that are aligned with the Company’s risk taking philosophy, risk appetite and return expectations; by identifying, measuring and monitoring key risks taken; and by executing risk control and mitigation programs.
We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management (“ERM”) framework sets out policies and standards of practice related to risk governance, risk identification, risk measurement, risk monitoring, and risk control and mitigation. With an overall goal of effectively executing risk management activities, we continuously invest to attract and retain qualified risk professionals, and to build, acquire and maintain the necessary processes, tools and systems.
We manage risk taking activities against an overall risk appetite, which defines the amount and type of risks we are willing to assume. Our risk appetite reflects the Company’s financial condition, risk tolerance and business strategies. The quantitative component of our risk appetite establishes total Company targets defined in relation to economic capital, regulatory capital required, and earnings sensitivity.
We have further established targets for each of our principal risks to assist us in maintaining appropriate levels of exposures and a risk profile that is well diversified across risk categories. In 2010, we cascaded the targets for the majority of our principal risks down to the business level, to facilitate the alignment of business strategies and plans with the Company’s overall risk management objectives.
Individual risk management programs are in place for each of our broad risk categories: strategic, market, liquidity, credit, insurance and operational. To ensure consistency, these programs incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework, covering:

■ Assignment of risk management accountabilities across the organization;
■ Delegation of authorities related to risk taking activities;
■ Philosophy and appetite related to assuming risks;
■ Establishment of specific risk targets or limits;
■ Identification, measurement, assessment, monitoring, and reporting of risks; and
■ Activities related to risk control and mitigation.

Such frank discussion of risk and risk management may be seen by some US insurers’ management to be dangerous.  In the rest of the world, it is moving towards a situation where NOT discussing risk and risk management frankly and openly is a risk to management.

Which would you prefer?

ERM Disclosure

August 18, 2011

Here is a tip from the IRMI about how to get started with a new ERM program:

✓ If you are a public company, begin by asking the person or group that identifies risks for SEC reports to also identify the top three corrective actions for the next quarter. Update the list quarterly.

That sounds like a great suggestion.  RISKVIEWS has always been amazed that the standard for disclosure in the US has been to disclose risks but not to say anything about what the firm is doing about those risks.  Based upon the standard disclosures, it is almost impossible to tell the difference between a firm with state of the art risk management and a firm with almost none.

But recently, companies, even in the US, are increasingly including a mention of their risk management activities along with the required laundry list of risks.

Just picking a public firm at random, here is an excerpt from Allstate’s risk disclosure:

As a property and casualty insurer, we may face significant losses from catastrophes and severe weather events

Because of the exposure of our property and casualty business to catastrophic events, our operating results and financial condition may vary significantly from one period to the next. Catastrophes can be caused by various natural and man-made disasters, including earthquakes, volcanoes, wildfires, tornadoes, hurricanes, tropical storms and certain types of terrorism. We may incur catastrophe losses in our auto and property business in excess of: (1) those experienced in prior years, (2) those that we project would be incurred based on hurricane and earthquake losses which have a one percent probability of occurring on an annual aggregate countrywide basis, (3) those that external modeling firms estimate would be incurred based on other levels of probability, (4) the average expected level used in pricing or (5) our current reinsurance coverage limits. Despite our catastrophe management programs, we are exposed to catastrophes that could have a material adverse effect on operating results and financial condition. For example, our historical catastrophe experience includes losses relating to Hurricane Katrina in 2005 totaling $3.6 billion, the Northridge earthquake of 1994 totaling $2.1 billion and Hurricane Andrew in 1992 totaling $2.3 billion. We are also exposed to assessments from the California Earthquake Authority and various state-created catastrophe insurance facilities, and to losses that could surpass the capitalization of these facilities. Our liquidity could be constrained by a catastrophe, or multiple catastrophes, which result in extraordinary losses or a downgrade of our debt or financial strength ratings.

In addition, we are subject to claims arising from weather events such as winter storms, rain, hail and high winds. The incidence and severity of weather conditions are largely unpredictable. There is generally an increase in the frequency and severity of auto and property claims when severe weather conditions occur.

Green text coloring added by RISKVIEWS to highlight mention of risk management activities.

Another example from Travelers:

Catastrophe losses could materially and adversely affect our results of operations, our financial position and/or liquidity, and could adversely impact our ratings, our ability to raise capital and the availability and cost of reinsurance. Our property and casualty insurance operations expose us to claims arising out of catastrophes. Catastrophes can be caused by various natural events, including, among others, hurricanes and other windstorms, earthquakes, hail, wildfires, severe winter weather, floods and volcanic eruptions. Catastrophes can also be man-made, such as a terrorist attack (including those involving nuclear, biological, chemical or radiological events), explosions, infrastructure failures or a consequence of political instability. The geographic distribution of our business subjects us to catastrophe exposures in the United States, which include, but are not limited to: hurricanes from Maine through Texas; tornadoes throughout the Central and Southeast United States; earthquakes in California, the New Madrid region and the Pacific Northwest region of the United States; wildfires, particularly in the Southwest; and terrorism in major cities in the United States. In addition, our international operations subject us to catastrophe exposures in the United Kingdom, Canada and the Republic of Ireland, as well as to a variety of world-wide catastrophe exposures through our Lloyd’s operations. The incidence and severity of catastrophes are inherently unpredictable, and it is possible that both the frequency and severity of natural and man-made catastrophic events could increase. Some scientists believe that in recent years changing climate conditions have added to the unpredictability and frequency of natural disasters (including, but not limited to, hurricanes, tornadoes, other storms and fires) in certain parts of the world and created additional uncertainty as to future trends and exposures. 
For example, in recent years hurricane activity has impacted areas further inland than previously experienced, thus expanding our overall hurricane exposure. The catastrophe modeling tools that we use, or that we rely on from outside parties, to help manage certain of our catastrophe exposures are based on assumptions and judgments that are subject to error and mis-estimation and may produce estimates that are materially different than actual results. In addition, our increased presence in certain geographic areas, such as in the Midwest and Western regions of the United States, and any changes in climate conditions could cause our data to be more limited and our catastrophe models to be even less predictive, thus limiting our ability to effectively evaluate and manage such exposures. See ‘‘Item 7— Management’s Discussion and Analysis of Financial Condition and Results of Operations—Catastrophe Modeling’’ and ‘‘—Changing Climate Conditions.’’ The extent of losses from a catastrophe is a function of both the total amount of insured exposure in the area affected by the event and the severity of the event. Increases in the value and geographic concentration of insured property and the effects of inflation could increase the severity of claims from catastrophic events in the future. In addition, states have from time to time passed legislation, and regulators have taken action, that has the effect of limiting the ability of insurers to manage catastrophe risk, such as legislation prohibiting insurers from reducing exposures or withdrawing from catastrophe-prone areas or mandating that insurers participate in residual markets. Participation in residual market mechanisms has resulted in, and may continue to result in, significant losses or assessments to insurers, including us, and, in certain states, those losses or assessments may not be commensurate with our direct catastrophe exposure in those states. 
If our competitors leave those states having residual market mechanisms, remaining insurers, including us, may be subject to significant increases in losses or assessments following a catastrophe. In addition, following catastrophes, there are sometimes legislative initiatives and court decisions which seek to expand insurance coverage for catastrophe claims beyond the original intent of the policies. Also, our ability to increase pricing to the extent necessary to offset rising costs of catastrophes, particularly in the Personal Insurance segment, requires approval of regulatory authorities of certain states. Our ability or our willingness to manage our catastrophe exposure by raising prices, modifying underwriting terms or reducing exposure to certain geographies may be limited due to considerations of public policy, the evolving political environment, changes in the general economic climate and/or social responsibilities. We also may choose to write business in catastrophe-prone areas that we might not otherwise write for strategic purposes, such as improving our access to other underwriting activities. There are also risks that impact the estimation of ultimate costs for catastrophes. For example, the estimation of reserves related to hurricanes can be affected by the inability to access portions of the impacted areas, the complexity of factors contributing to the losses, the legal and regulatory uncertainties and the nature of the information available to establish the reserves. Complex factors include, but are not limited to: determining whether damage was caused by flooding versus wind; evaluating general liability and pollution exposures; estimating additional living expenses; the impact of demand surge; infrastructure disruption; fraud; the effect of mold damage; business interruption costs; and reinsurance collectability. 
The timing of a catastrophe’s occurrence, such as at or near the end of a reporting period, can also affect the information available to us in estimating reserves for that reporting period. The estimates related to catastrophes are adjusted as actual claims emerge and additional information becomes available. Exposure to catastrophe losses or actual losses following a catastrophe could adversely affect our financial strength and claims-paying ratings and could impair our ability to raise capital on acceptable terms or at all. Also, as a result of our exposure to catastrophe losses or actual losses following a catastrophe, rating agencies may further increase capital requirements, which may require us to raise capital to maintain our ratings or adversely affect our ratings. A ratings downgrade could hurt our ability to compete effectively or attract new business. In addition, catastrophic events could cause us to exhaust our available reinsurance limits and could adversely impact the cost and availability of reinsurance. Such events can also impact the credit of our reinsurers. For a discussion of our catastrophe reinsurance coverage, see ‘‘Item 1—Business—Reinsurance—Catastrophe Reinsurance.’’ Catastrophic events could also adversely impact the credit of the issuers of securities, such as states or municipalities, in whom we have invested. In addition, coverage in our reinsurance program for terrorism is limited. Although the Terrorism Risk Insurance Program Reauthorization Act of 2007 (the Act) provides benefits in the event of certain acts of terrorism, those benefits are subject to a deductible and other limitations. Under this law, once our losses exceed 20% of our commercial property and casualty insurance premium for the preceding calendar year, the federal government will reimburse us for 85% of our losses attributable to certain acts of terrorism which exceed this deductible up to a total industry program cap of $100 billion. 
Our estimated deductible under the program is $2.08 billion for 2011. In addition, because the interpretation of this law is untested, there is substantial uncertainty as to how it will be applied to specific circumstances. It is also possible that future legislative action could change the Act. Because of the risks set forth above, catastrophes such as those caused by various natural events or man-made events such as a terrorist attack, including ‘‘unconventional’’ acts of terrorism involving nuclear, biological, chemical or radiological events, could materially and adversely affect our results of operations, financial position and/or liquidity. Further, while we seek to manage our exposure to man-made catastrophic events involving conventional means, there can be no assurance that we would have sufficient resources to respond to claims arising out of one or more man-made catastrophic events involving so-called weapons of mass destruction, including nuclear, biological, chemical or radiological means.

Travelers actually has a section of the 10k devoted to Catastrophe modeling:

CATASTROPHE MODELING

The Company uses various analyses and methods, including computer modeling techniques, to analyze catastrophic events and the risks associated with them. The Company uses these analyses and methods to make underwriting and reinsurance decisions designed to manage its exposure to catastrophic events. In making underwriting and reinsurance decisions for hurricane and earthquake exposures, the Company uses third-party proprietary computer modeling in an attempt to estimate the likelihood that the loss from a single event occurring in a one-year timeframe will equal or exceed a particular amount. The tables below set forth the estimated probabilities that losses from a single event occurring in a one-year timeframe will equal or exceed the indicated loss amounts (expressed in dollars and as a percentage of the Company’s common equity). For example, on the basis described below the tables, the Company estimates that there is a one percent chance that the Company’s loss from a single U.S. hurricane occurring in a one-year timeframe would equal or exceed $1.1 billion, or 5% of the Company’s common equity at December 31, 2010.

The last disclosure does provide good context for their risk level.  And their ability to even disclose this information suggests a likelihood that they may be actually using this information to manage the risk.

Travelers goes on to take the unusual step for a US insurer of actually directly addressing their ERM program in their 10k:

ENTERPRISE RISK MANAGEMENT

As a large property and casualty insurance enterprise, the Company is exposed to many risks. These risks are a function of the environments within which the Company operates. Since certain risks can be correlated with other risks, an event or a series of events can impact multiple areas of the Company simultaneously and have a material effect on the Company’s results of operations, financial position and/or liquidity. These exposures require an entity-wide view of risk and an understanding of the potential impact on all aspects of the Company. It also requires the Company to manage its risk-taking to be within its risk appetite in a prudent and balanced effort to create and preserve value for all of the Company’s stakeholders. This approach to Company-wide risk evaluation and management is commonly called Enterprise Risk Management (ERM). ERM activities involve both the identification and assessment of a broad range of risks and the execution of synchronized strategies to effectively manage such risks. Effective ERM also includes the determination of the Company’s risk capital needs, which takes into account regulatory requirements and credit rating considerations, in addition to economic and other factors. ERM at the Company is an integral part of business operations. All risk owners across all functions, all corporate leaders and the board of directors are engaged in ERM. ERM involves risk-based analytics, as well as reporting and feedback throughout the enterprise in support of the Company’s long-term financial strategies and objectives. The Company uses various methods, including sophisticated computer modeling techniques, to analyze catastrophic events and the risks associated with them. These analyses and methods are used in making underwriting and reinsurance decisions as part of managing the Company’s exposure to catastrophic events. In addition to catastrophe modeling and analysis, the Company also models and analyzes its exposure to other extreme events. 
These analytical techniques are an integral component of the Company’s ERM process and further support the Company’s long-term financial strategies and objectives. In addition to the day-to-day ERM activities within the Company’s business units, other key internal risk management functions include the Management Committee (comprised of the Company’s Chief Executive Officer and the other most senior members of management), the Enterprise and Underwriting Risk Committees of management, the Credit Committee, the Chief Compliance Officer, the Business Conduct Officer, the Corporate Actuarial group, the Corporate Audit group, the Accounting Policy group, the Enterprise Underwriting group and many others. A senior executive oversees the ERM process. The mission of this executive is to facilitate risk assessment and to collaborate in implementing effective risk management strategies throughout the Company. Another strategic ERM objective of this executive includes working across the Company to enhance effective and realistic risk modeling capabilities as part of the Company’s overall effort to understand and manage its portfolio of risks to be within its risk appetite. Board oversight of ERM is provided by the Risk Committee of the board of directors, which reviews the strategies, processes and controls pertaining to the Company’s insurance operations and oversees the implementation, execution and performance of the Company’s ERM program. The Company’s ERM efforts build upon the foundation of an effective internal control environment. ERM expands the internal control objectives of effective and efficient operations, reliable financial reporting and compliance with applicable laws and regulations, to fostering, leading and supporting an integrated, risk-based culture within the Company that focuses on value creation and preservation. However, the Company can provide only reasonable, not absolute, assurance that these objectives will be met. 
Further, the design of any risk management or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains in spite of the Company’s significant ERM efforts. An investor should carefully consider the risks and all of the other information set forth in this annual report, including the discussions included in ‘‘Item 1A—Risk Factors,’’ ‘‘Item 7A—Quantitative and Qualitative Disclosures About Market Risk,’’ and ‘‘Item 8—Financial Statements and Supplementary Data.’’

And finally, Travelers does disclose in the list of management that there are two senior executives, out of about 50 listed, with the words “Enterprise Risk Management” as a part of their title.

Reporting on an ERM Program

August 15, 2011

In a recent post, RISKVIEWS stated six key parts to ERM.  These six ideas can act as the outline for describing an ERM Program.  Here is how they could be used:

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

REPORT: Display the risk profile of the firm.  Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past.  Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions. 

2.  Firm needs to be sure of the quality of the risks that they take.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

REPORT:  Display the risk quality of the firm.  Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes.  Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

REPORT:  The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached.  A record of breaches should also be shown.  (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.)  Emerging risks should have their own control cycle and be reported as well.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

REPORT:  For General Insurance, this means reporting combined ratio.  In addition, it is important to show how risk margins are similar to market risk margins.  Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest.  This is accomplished by mark-to-market accounting for investment risks.  Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins.  This should be clearly reported, as well as the reasons for that activity.  

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

REPORT:  Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks.  This process has its own control cycle.  The reporting for this control cycle should be similar to the process described above.  This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.  

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.

REPORT:  Losses can be shown in four layers, expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital and losses that exceed capital.  The likelihood of losses in each of those four layers should be described as well as the reasons for material changes.  Some firms will choose to report their potential losses in two layers, expected losses, losses that reach a certain likelihood (usually 99.5% in a year or similar likelihood).  However, regulators should have a high interest in the nature and potential size of those losses in excess of capital.  The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.  

Reading about ERM

August 14, 2011

Have you read any good books or papers about ERM?

Looking for a good book or paper about an ERM related topic?

Try  http://ermbooks.wordpress.com/

That blog has about 50 comments about specific books or articles about ERM as well as lists from various places that give dozens more possible readings.

Suggestions of additional books and articles to add to the blog would be highly appreciated.

 

Keeping up with Old ERM Programs – 10 Investor Questions (7)

August 8, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

One of the most difficult things to accomplish in any organization is continuing to do well the things that were well developed in the past but that are no longer on the “front burner”.

Top management needs to limit attention to the most pressing problems.  So an existing program that is working well is just not likely to get much, if any, top management attention.  Continuing to get it right for the old tried and true parts of the organization is however of vital importance to the success of the organization.

Therefore Middle Management needs to be the keeper of these programs.  In some organizations, this actually puts them at odds with top management priorities. Some Middle Managers, the lifers who are more loyal to the organization than to the current top management, will manage to do this under almost all circumstances, risking even their own positions to keep these vital programs going.  Other Middle Managers will feel that they are more loyal to the current management who put them in their positions.  They will reduce resources and even Middle Management attention to these old programs.

So far, this discussion could be about anything.  It does apply to risk management along with many other programs.  Old risk management programs are the base that new Enterprise Risk Management programs are built upon.  The old risk management programs are usually what creates the actual risk level of the firm that ERM then tries to manipulate.  However, if the firm brings in too many new risk managers who do not understand the importance of the old risk management programs, then they are likely to let them wither.

This is a major factor that causes the presumptions of the ERM program to be untrue or unstable.

The trick to this question is that the answer will tell you whether the CEO is aware of any of this dynamic.  CEOs can be temporarily very successful by shifting all management attention to new products, or markets or programs, such as ERM.  For some period of time, the old risk management programs will continue to operate without any management attention, giving the firm a short free ride.  Eventually, those programs will wither away and the company will start to be hurt because of the failure of these old programs that had an unrecognized, but very real benefit.

A clear example of this is the area of Credit Risk underwriting.  Ten to fifteen years ago, every major financial institution had large credit underwriting staffs and a very carefully administered system for reviewing and coming to an agreement on credit quality of each opportunity for a loan or other extension of credit.  But with the development of trading desks, credit underwriting lost the attention of management.  Eventually, it simply stopped happening in many institutions.  Credit shifted to the trading paradigm.  However, the credit underwriting had a purpose and when it stopped happening, the presumption that credit positions had certain characteristics slowly had less and less meaning.  Until at the height of the credit crisis, a large number of institutions all believed, and acted on that belief, that very low credit quality positions in sub prime mortgages were actually of the very highest quality.  A small amount of work by an experienced credit underwriting team would have shown that presumption to be totally untrue.  (One firm who didn’t do credit underwriting, but did believe in reality checks sent their traders to spend some time each quarter applying for mortgages in the hottest markets.  Those traders wouldn’t touch any mortgage related exposure.)

So the best answer to this question would be for the CEO to understand the old risk management programs that create the presumptions that their visions for the future are based upon.  And to hear that the CEO values those programs.  As to how the firm keeps those programs going, the fact that the CEO can say the above two statements is probably enough in most firms.  As long as they do not undermine their words by cutting off funding to those old programs.

For extra credit, see if the CEO can actually list these old programs.

You Must Abandon All Presumptions

August 5, 2011

If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things needed to successfully manage risks are being done, and done now, not sometime in the distant past.

A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks.  The pilot will review:

  • the route of flight
  • weather at the origin, destination, and en route.
  • the mechanical status of the airplane
  • mechanical issues that may have been improperly logged.
  • the items that may have been fixed just prior to the flight to make certain that system works
  • the flight computer
  • the outside of the airplane for obvious defects that may have been overlooked
  • the paperwork
  • the fuel load
  • the takeoff and landing weights to make sure that they are within limits for the flight

Most of us do not do anything like this when we get into our cars to drive.  Is this overkill?  You decide.

When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.

Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process.  One that RISKVIEWS would recommend to be used by risk managers.

THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT

Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

2.  Firm needs to be sure of the quality of the risks that they take.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.

A firm ultimately needs all six of these things.  Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.

The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things.  Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.

Another Point of View

August 1, 2011
Good Risk Management requires people who can see things from another point of view.

The various tasks that are required for good risk management actually require different people with different points of view.

  • Loss Controlling requires people who are going to be willing to painstakingly review everything that the firm does to make sure that there are not any unintended accumulations of risk (or any risk accumulations that are being deliberately hidden).  These people need to have a point of view that focuses on the details.
  • Risk Steering requires people with almost the opposite point of view, the big picture people.  To do good risk steering one must look past all of the details of risk and concentrate on the broad themes of risk that the firm is taking.
  • Risk Trading requires people who are very outward focused, who are able to pay attention to the subtle and not so subtle changes in attitudes towards different risks in the marketplace.  They also need to be able to discern when changes in the company’s offerings or changes in the risk of the environment.  Their task is to make sure that the price that the company is getting for the risks it assumes is sufficient to pay for both the expected losses as well as appropriate compensation for the possibility of excess losses.
  • Emerging Risks management requires people who are able to think outside the box, sometimes totally outside of the box to notice the faint signals that something is changing or something totally new is starting to happen and to imagine what might be needed to cope in the new situation.

Those are just not the same people.  So a smaller firm that has assigned their risk management to one person will be disappointed if that one person is not able to tap the skills of others who actually are readily able to think in these totally different ways.

That is one of the ways that risk management disappoints top management and frustrates the people asked to do it.  Even when an assigned risk manager is allowed or even encouraged to tap into these various other skills and points of view, it is very difficult for one person to even recognize the value of each of these different approaches.  More often the assigned risk manager will plow ahead building the risk management program that fits with their own point of view.

So no matter who you are and how good you are at risk management, remember to look for those people with the point of view that is very different from yours.  And pay attention to what they say about risk.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

July 25, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  But it is quite possible that the CEO might not know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It either means that their staff never takes any significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

So a firm with a good ERM program might be telling any of those stories in answer to the question.

High Risk Adjusted Returns and Risk Management – 10 Key ERM Questions from an Investor – The Answer Key (5)

July 20, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

5.  In the sub prime market prior to the crisis, investors were buying AAA securities but getting a little more yield.  Since they were AAA rated, the capital required was minimal.  So the return on equity could be attractive.  Unless you held that story up to the light and freely admitted that your bank profits were bolstered by exploiting the fact that the market and the regulators had different opinions of the creditworthiness of the sub prime securities.

So, if the banks had answered honestly, they would have been saying that their profits were coming from regulatory arbitrage.  There are only three possible outcomes from this situation.  First, the market could wise up and the excess profits would disappear.  Second, the regulators could wise up and suddenly the banks would find themselves needing lots more capital, and third, the market persists in its opinion of higher risk and it turns out the market is correct.  But since under this third option, the bank is playing the regulators for the fools, as the risks stay the same or grow ever larger, the banks take more and more advantage of the stupid regulators.  They pretend to their board that the bank is safe because they are holding the capital that the regulators require.  The banks take more and more risk – the compulsion to grow and grow earnings in the face of the shrinking spreads for everything with “normal” risk is an immutable imperative that requires banks to multiply their risk.

So one of the possible reasons that Risk Adjusted Return is high is that the risk adjustment is based upon regulatory requirements – not on an actual assessment of risk.  And there are three possible outcomes of playing the regulatory arb game that are unfavorable.

Another reason for higher risk adjusted returns is a competitive advantage.  Investors should be happy to hear about a competitive advantage.  They should also do their own assessment about how permanent that advantage might be.

From the point of view of assessing an ERM system, the answer to this question should reveal how seriously management takes the idea of risk management.  High and unexpected returns are as good a signal as any of higher risk.  In fact, in the financial markets, high returns are almost always a symptom of higher risk.

You may say he’s a dreamer, but he was really a CRO

July 9, 2011

You have probably heard this story before.  The head guy has a dream, some lowly schmuck tells him what the dream means and gets a big promotion.  You might have seen it in the theater, or read it in the Torah or in Genesis.

Well, that story is really about risk management.  It just got twisted in retelling and they lost the point.

That Joseph fella, he was the Chief Risk Officer for Egypt.  It was a pretty lowly position.  Then he suggested to Pharaoh that there was some famine risk.  He suggested a counter cyclical grain reserve policy.  His suggestion was that each good year, Egypt should put aside 20% of the harvest as economic capital.

Joseph knew that no one would do this on just his say so, so he concocted this story of the dream of Pharaoh’s.  If it was Pharaoh’s dream then people would listen to the poor CRO.

It was a tough go.  After three years of good harvests people were screaming about the 20% cost of capital charge.  They said that there was no need for a reserve.  Then the fourth and fifth year of the good weather, they were going to Pharaoh with their complaints.

But Joseph pulled out his clay tablets of the rise and fall of the Nile over 2000 years and showed the Pharaoh how this was no more than a 1 in 200 reserve.  They had 10 such periods on record and the data told a pretty clear story.  They really needed such a reserve.  And Joseph could also bring in the court historian who could tell about what happened to the Pharaohs who were the rulers when those 1 in 200 year droughts occurred.  Most of them had to flee to Switzerland and Switzerland had not at that time invented indoor plumbing.  Not so good in the winter in the mountains.

Then Joseph brought in 10,000 slaves who each had a different clay tablet.  They were told to run around the room for a minute then to fall in line.  Joseph called this a Monte Carlo simulation, and indeed, they did run around like that in Monte Carlo in those days.

So somehow, Joseph held on to his job and his counter cyclical economic capital formula on the condition that he never did any Monte Carlo modeling in the palace again.  But after seven years, even the Pharaoh was running out of patience with Joseph.

Then it happened.  Joseph had never actually predicted a famine on the seventh year, but that is how the story got twisted afterwards.  But he did get credit for saving the day and the Pharaoh when the famine kept going for seven more years.

That is because Joseph pulled out more clay tablets and more historians and pointed out the likelihood of a long, long famine.  He was just about to prove his point with a “modeling” exercise when Pharaoh relented and allowed him to release the economic capital slowly.  Joseph wanted to base the release on a 99 cte calculation, but Pharaoh told him that the high priest would never understand that so just use PaR (Pyramid at Risk).

Joseph was named a hero and given a promotion to chief of staff or something, like the other CROs who survived the Great Famine Crisis (GFC).  Since the Pharaoh’s chief publicist could not understand a word Joseph said when he interviewed him about the economic capital, he remembered that old story about the dream.

So Joseph, the first risk manager on record, went down as a dream interpreter instead.

And Risk Managers have had trouble getting their stories across ever since.

Inspired by The Economics of Good and Evil, by Tomas Sedlacek

10 ERM Questions from an Investor – The Answer Key (3)

July 8, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

3.  The answer to this question requires several parts of risk management to be right.  First of all, the answerer needs to know which risk position grew the most.  Second of all, in a good risk management program, the position that grew the most should have had by far the most scrutiny.  High growth does not always spark big blow ups, but big blow ups are always preceded by high growth.  A firm that is not paying lots and lots of attention to its fastest growing risk is not going to end up with good results.  The highest growth positions require a disproportionately large amount of attention, but most often they get a disproportionately smaller share of attention.  Risk management budgets are determined based upon the business at the start of the year.  Finally, to answer the question, the firm needs to have someone who they can immediately identify who is responsible for that risk.  Best practice is to have a senior person responsible for each major risk.  That should be a business person, not the CRO or CFO.  If it is not the same person who is responsible for sales and profits, then management has set up a fight.  On one side is the person responsible for bringing in the business and for achieving profits.  On the other side is the person responsible for preventing losses.  Not a fair fight in most firms.

In the end, the best practice firms recognize that in situations of great change, there needs to be a special ERM process that exceeds the regular ERM process.
