Posts tagged ‘Enterprise Risk Management’

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management. It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today. This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line. Practices have been adopted, ignored, misused. Blow ups have happened. Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest. No amount of good talks or fancy charts will take the place of roll-up-your-sleeves-and-do-it risk management. Promoting that sort of Risk Management is the objective of this Blog.



Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness”.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counter parties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

What kind of Stress Test?

June 25, 2014

What kind of future were you thinking of when you constructed your stress tests?  Here are six different visions of the stressed future that have been the basis for stress tests.

  • Historical Worst Case – Worst experience in the past 20 – 25 years
  • Normal Variability – Stress falls within expected range for a normal five year period
  • Adverse Environment Variability – Stress falls within expected range for a five year period that includes general deterioration such as recession or major weather/climate deviation
  • Future Realistic Disaster – Worst experience that is reasonably expected in the future (even if it has never happened)
  • Adverse Environment Disaster – Worst experience that is reasonably expected in the future if the future is significantly worse than the past
  • Future Worst Case – Maximum plausible loss that could occur even if you believe that likelihood is extremely remote

Here is a long list of stress scenarios that comes from the exposure draft of the NAIC document for ORSA reviewers:

1. Credit

• Counterparty exposure (loss of specified amount to reinsurer, derivatives party, supplier)
• Equity securities (40%/50% drop, no growth in stocks in 3 years)
• General widening of credit spreads (increase in defaults)
• Other risk assets

2. Market

• 300 basis point pop up in interest rates
• Prolonged low interest rates (10 year treasury of 1%)
• Material drop in GDP & related impacts
• Stock market crash or specific extreme condition (Great Depression)
• Eurozone collapse
• U.S. Treasury collapse
• Foreign currency shocks (e.g. percentages)
• Municipal bond market collapse
• Prolonged multiple market downturn (e.g. 2008/2009 crisis/or 1987 stock market drop-or 50% drop in equities, 150bp of realized credit losses)

3. Pricing/Underwriting

• Significant drop in sales/premiums due to varying reasons
• Impact of 20% reduction in mortality rates on annuities
• Material product demonstrates specific losses (e.g. 1 in 20 year events)
• Severe pandemic (e.g. Avian bird flu based upon World Health Organization mortality assumption)
• California and New Madrid earthquakes, biological, chemical or nuclear terrorist attacks in locations of heaviest coverage (consider a specified level of industry losses)
• Atlantic hurricane (consider a specified level of industry losses previously unseen/may consider specified levels per different lines of coverage) in different areas (far northeast, northeast, southeast, etc.)
• U.S. tornado over major metropolitan area with largest exposure
• Japanese typhoon/earthquake (consider a specified level of industry losses previously unseen)
• Major aviation/marine collision
• Dirty bomb attack
• Drop in rating to BB

4. Reserving

• Specified level of adverse development (e.g. 30%)
• Regulatory policy change requires additional reserves (e.g. 30%)

5. Liquidity

• Catastrophe results in material immediate claims of 3X normalized amounts
• Call on any existing debt
• Material spike in lapses (e.g. 3X normal rates)
• Drop in rating to BB

6. Operational

• Loss of systems for 30 days
• Terrorist act
• Cybercrime
• Loss of key personnel
• Specified level of fraud within claims

7. Legal

• Material adverse finding on pending claim
• Worst historical 10 year loss is multiplied at varying levels

8. Strategic

• Product distribution breakup

9. Reputational

• PR crisis
• Drop in rating to BB

These seem to RISKVIEWS to fall into all six of the categories.  Many of these scenarios would fall into the “Normal Volatility” category for some companies and into the worst historical for others.  A few are in the area of “Future Worst Case” – such as the Treasury Collapse.

RISKVIEWS suggests that when doing Stress Testing, you should decide what sort of Stress you are intending.  You may not agree with RISKVIEWS categories, but you should have your own categories.  It might be a big help to the reader of your Stress Test report to know which sort of stress you think that you are testing.  They may or may not agree with you on which category that your Stress Scenario falls into, and that would be a valuable revealing discussion.

Deciding “What Should We Do?” in the Risk Business

January 8, 2014

Risk models can be used primarily to answer two very important questions for an enterprise whose primary activity is the risk business.

  1. How did we do?
  2. What should we do?

The “how did we do” question looks backwards on the past, usually for 90 days or a full year.  For answering that question properly for a firm in the risk business it is absolutely necessary to have information about the amount of risk that the firm is exposed to during that period.

The “what should we do” question looks forward on the future.  The proper time period for looking forward is the same as the length of the shadow into the future of the decision.  Most decisions that are important enough to be brought to the attention of top management or the board of a company in the risk business have a shadow that extends past one year.

That means that the standard capital model with its one year time frame should NOT be the basis for making WHAT SHOULD WE DO? decisions.  That is, unless you plan on selling the company at the end of the year.

Let’s think about it just a little bit.

Suppose the decision is to buy a laptop computer for the business use of one of the employees of an insurer.  You can use two streams of analysis for that decision.  You can assume that the only use of that computer is what utility that can be had from the computer during the calendar year of purchase and then you plan to sell the computer, along with the rest of the company, at the end of the calendar year.  The computer is valued at the end of the year at a fair market value.  Or you can project forward, the utility that you will get from that employee having a computer over its useful life, perhaps three years.

The first calculation is useful.  It tells us “HOW DID WE DO?” at the end of the calendar year.  But it is not a sensible basis to make the decision about whether to buy the computer or not.  The reason for that is not because there is anything wrong with the calendar year calculation.  In theory, you could even run your company by deciding at the end of each calendar year, whether you wanted to continue running the company or not.  And then if you decide to continue, you then must decide whether to sell every laptop or not, and similarly to sell every part of your business or not.

Most companies will automatically make the decision to continue, will not consider selling every part of their company, even if they have gone through the trouble of doing a “for sale” valuation of everything.  That approach fits better with Herbert Simon’s “Satisficing” idea than with the theory of maximizing value of the enterprise.

But from a less theoretical point of view, putting absolutely everything on the table for a decision could be very time consuming.  So what most companies do is to imagine a set of conditions for the future when a decision is made and then as the future unfolds, if it does not deviate significantly from those assumptions, decisions are not reopened.  But unfortunately, at many companies, this process is not an explicit conscious process.  It is more vague and ad hoc.

Moving away from laptops to risk.  For a risk decision, first notice that almost all risk decisions made by insurers will have an effect for multiple years.  But decision makers will often look forward one year at financial statement impact.  They look forward one year at a projection of the answer to the “HOW DID WE DO?” question.  This will only produce a full indication of the merit of a proposal if the forward looking parts of the statement are set to reflect the full future of the activity.

The idea of using fair value for liabilities is one attempt to put the liability values on a basis that can be used for both the “How did we do?” and the “What should we do?” decisions.

But it is unclear whether there is an equivalent adjustment that can be made to the risk capital.  To answer “How did we do?” the risk capital needed has been defined to be the capital needed right now.  But to determine “What should we do?”, the capital effect that is needed is the effect over the entire future.  There is a current year cost of capital effect that is easily calculated.

But there is also the effect of the future capital that will be tied up because of the actions taken today.

The argument is made that by using the right current year values, the decisions can really be looked at as a series of one year decisions.  But that fails to be accurate for at least two reasons:

  • Friction in selling or closing out of a long term position.  The values posted, even though they are called fair value, rarely reflect the true value less transaction costs that could be received or would need to be paid to close out of a position.  It is another one of those theoretical fictions like a frictionless surface.  Such values might be a good starting point for negotiating a sale, but anyone who has ever been involved in an actual transaction knows that the actual closing price is usually different.  Even the values recorded for liquid assets like common equity are not really the amounts that can be achieved at sale tomorrow for anyone’s actual holdings.  If the risk that you want to shed is traded like stocks AND your position is not material to the amounts normally traded, then you might get more or less than the recorded fair value.  However, most risk positions that are of concern are not traded in a liquid market and in fact are usually totally one of a kind risks that are expensive to evaluate.  A potential counterparty will seek through a hearty negotiation process to find your walk away price and try to get just a little bit more than that.
  • Capital Availability – the series of one year decisions idea also depends on the assumption that capital will always be available in the future at the same cost as it is currently.  That is not always the case.  In late 2008 and 2009, capital was scarce or not available.  Companies who made commitments that required future capital funding were really scrambling.  Many ended up needing to change their commitments and others who could not had to enter into unfavorable deals to raise the capital that they needed, sometimes needing to take on new partners on terms that were tilted against their existing owners.  At other times, cheap capital suddenly becomes dear.  That happened when letters of credit that had been used to fulfill offshore reinsurer collateral requirements suddenly counted when determining bank capital, which resulted in a 300% increase in cost.

RISKVIEWS says that the one year decision model is also just a bad idea because it makes no sense for a business that does only multi year transactions to pretend that they are in a one year business.  It is a part of the general thrust in financial reporting and risk management to try to treat everything like a bank trading desk.  And also part of a movement led by CFOs of the largest international insurers to seek to only have one set of numbers used for all financial decision-making.  The trading desk approach gave a theoretical basis for a one set of numbers financial statement.  However, like much of financial economics, the theory ignores a number of major practicalities.  That is, it doesn’t work in the real world at all times.

So RISKVIEWS proposes that the solution is to acknowledge that the two decisions require different information.

You actually have to run on the treadmill . . .

December 19, 2013

Yes, that is right. Just buying a treadmill has absolutely no health benefits.


And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attention to the signals that it sends.

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

  • Riskiness of accepted risks
  • Volume of accepted risks
  • Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

  • Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required. 
  • Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
  • Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Ingram Looks into ERM – Eight short articles.

December 17, 2013

The magazine of the Society of Actuaries published eight short essays on a variety of ERM topics.

Making Risk Models Collaborative   With our risk models, we make the contribution of managers to the risk management of the company disappear into the mist of probabilities. And then we wonder why so many managers are opposed to “letting a model run the company.”

We Must Legitimize Uncertainty   In a post to the Harvard Business Review blog, “American CEO’s should Stop Complaining about Uncertainty,” Jonathan Berman points out that while African companies are able to cope with their uncertain environment, American CEOs mostly just complain.  Americans must legitimize the Uncertain environment and study how best to cope.

Finding a Safe Place New ERM and Old School goals for risk management all seek to keep the company safe.

ERM and the Hierarchy of Corporate Needs  The reason that ERM is not given the degree of priority that its proponents desire is that it is at best third in the hierarchy of corporate needs.

Help Wanted: Risk Tolerance  It is a rare company that can create a risk appetite statement if they do not already have years of experience with the measure of risk that will be used.

What should you do at a Yellow Light?  Companies need to plan in advance what should be happening when their risk reports indicate that they are entering into risky territory.

Are you Sure about that?  Frequently, we ignore the fact that our risk models do NOT produce information about our risks that is all consistently reliable.  Yet we still add those numbers together as if they were on the exact same basis.

Creating a Risk Management Culture – Risk Management needs to be embedded into the corporate culture, just as expense management was embedded thirty years ago. 


Reviewing Risk Culture

November 4, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Culture is the combination of the behaviours of people in the company  – often described as “the way we do things around here”.  All organisations have a risk management culture.  Risk culture is the shared attitudes, values and practices that characterize how a company considers risk in its day-to-day activities. For some companies, the risk culture flows from an explicit risk philosophy and risk appetite.  The risk culture should support the goals, activities and desired outcomes of the company while mitigating the risks of not achieving desired outcomes.  Appropriate risk management behaviours may vary according to the organisation, the industry context, the location of operations both within and across national boundaries together with the resultant jurisdictional requirements. However behaviours that allow , that inspire a culture of fear or retribution, that allow “shooting the messenger” or that help “bad news to travel slowly” are not likely to be conducive to good risk management.

Desired actions/features of risk management by category:

Ad Hoc

1.  Each part of the company has their own risk language.

2.  There is very little cross discipline communications and discussion of risk and risk management issues.

3.  Risk decisions are almost always made individually, without reference to any corporate goals or objectives for risk.

4.  Responsibility for dealing with risks is unclear.

5.  There is an expectation of negative consequences for those associated with any activity that makes unexpected losses.

6.  There is a possibility of negative consequences for those who report bad news.

7.  There is little discussion of past problems or losses either at the time or subsequently.

8.  Senior Management and Board at best pay lip service to an idea that a company has a culture.


1.  Company has a formal risk management program that follows an outside standard or requirement.

2.  Company has not adapted that program to the specific culture of the firm in any significant way.

3.  Risk management responsibility and discussion are concentrated with a small number of “risk management staff”.

4.  Risk culture is acknowledged as important by senior management and Board.


1.  There is a common specific risk language at the company.

2.  Company has communication tools,  cross-functional discussions about management of risks, reporting tools and risks matrices.

3.  There are common techniques for risk assessment and risk treatment methodologies.

4.  There is a consistent point of view from the enterprise and business levels with regard to risk management.

5.  There are common understandings of the corporate goals and objectives for risk management.

6.  Company usually carefully reviews unexpected losses seeking to learn from experiences.

7.  Incentive compensation schemes support the achievement of risk management objectives.

8.  Risk culture is actively promoted by senior management and the Board.

Advanced  – in addition to the Standard Practices:

1.  Culture is reinforced by frequent communications and training programs, and by senior management and Board being seen to act in line with corporate risk culture.

2.  The degree of employee knowledge application of the corporate risk culture is periodically monitored.

3.  The communications and training programs are updated in reaction to the monitoring inputs.

4.  ERM thinking is automatically incorporated into all management decision making.

