FROM THE ERM SYMPOSIUM IN CHICAGO

Post to Financial Training

• ERM Symposium Take aways

Posts to WillisWire:

• Has Risk Management become a Spectator Sport
• Actuarial Professional Risk Management
• ERM For Financial Intermediaries

Tweets:

1. Neil Cantle ‏@NJCantle 24 Apr

   Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk
2. Max Rudolph ‏@maxrudolph 24 Apr

   What happened to last year’s discussion of a country CRO at the #ermsymposium?
3. Max Rudolph ‏@maxrudolph 24 Apr

   Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!

   Retweeted by SocietyofActuaries

4. Neil Cantle ‏@NJCantle 23 Apr

   Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium
5. Max Rudolph ‏@maxrudolph 23 Apr

   Systemic risk decreases with transparency. #ermsymposium
6. Neil Cantle ‏@NJCantle 23 Apr

   So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium
7. Neil Cantle ‏@NJCantle 23 Apr

   Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

   1. Dave Ingram ‏@dingramerm 23 Apr Must look at risk measures in the context of your business model. C Lawrence #ermsymposium
   2. Dave Ingram ‏@dingramerm 23 Apr

      Need to invest in the future of risk profession. Mark Abbott #ermsymposium
   3. K Andemichael ‏@that_art_guy 21 Mar

      I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D
   4. Milliman, Inc. ‏@millimaninsight 20 Apr 12

      Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 
   5. Risk Institute ‏@riskinstitute 20 Apr 12

      What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk

      Retweeted by Milliman, Inc.

   6. Risk Institute ‏@riskinstitute 18 Apr 12

      What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM

      Retweeted by Neil Cantle and 1 other

   7. Max Rudolph ‏@maxrudolph 18 Apr 12

      Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 
   8. Max Rudolph ‏@maxrudolph 18 Apr 12

      CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

1. CRO needs to have a 360 degree view of risk. #ermsymposium
   from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium
   from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram ‏@dingramerm 24 Apr
7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram ‏@dingramerm 23 Apr
9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium
    from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
13. Biggest risks are when we choose not know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
15. The ERM program needs to show success on the opportunity side ot risk. J Kollar #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
20. Get board involved asking the risk questions. This create engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories

ERM Control Cycle

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next to the steps of setting Considerations and Underwriting the risks.  These steps are sometimes operated together and sometimes separate, usually depending upon the degree to which the risks are  small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurers, policyholders, stockholders, bondholders, management, employees and communities to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that the choice of which principles to emphasize are tightly linked with their view of the risk environment.

This a part of the discussion of the seven ERM Principles for Insurers

Has the risk profession become a spectator sport?

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.   April 23 and 24th.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

• Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
• For the most significant headlines during the past year, how was the risk management function involved?
• Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
• What are the lessons that have been learned and how are they shaping risk management today? If not, why?
• Does risk management have a seat at the table, at the correct table?
• Are risk managers as empowered as they should be?
• Is risk management asking the right questions?
• Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24 Former FDIC Chairman Sheila Bair will be the featured luncheon speaker

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk management International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

• Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understand the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
  • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
  • Unintended consequences maybe lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
  • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
  • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
  • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.

• Actuarial Professional Risk Management  -  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
• Enterprise Risk Management in Financial Intermediation  -  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

Diversification of Risks

There are records showing that the power of diversification of risks was known to the ancients.  Investors who financed trading ships clearly favored taking fractions of a number of ships to owning all of a single ship.

The benefits of diversification are clear.  The math is highly compelling.  A portfolio of n risks of the same size A that truly independent have a volatility that is a fraction of the volatility of totally dependent risks.

Here is a simple example.  There is a 1 in 200 chance that a house will be totally destroyed by fire.  Company A writes an insurance policy on one $500,000 house that would pay for replacement in the event of a total loss.  That means that company A has a 1 in 200 chance of paying a $500,000 claim.  Company B decides to write insurance that pays a maximum of $50,000 in the event of a total loss.  How many policies do you think that Company B needs to write to have a 1 in 200 chance of paying $500,000 of claims if the risks are all totally independent and exactly as prone to claims as the $500k house?

The answer is an amazing 900 policies or 90 times as much insurance!

When an insurer is able to write insurance on independent risks, then with each additional risk, the relative volatility of the book of insurance decreases.  Optimal diversification occurs when the independent risks are all of the same size.  For insurers, the market is competitive enough that the company writing the 900 policies is not able to get a profit margin that is proportionate to the individual risks.  The laws of micro economics work in insurance to drive the profit margins down to a level that is at or below the level that makes sense for the actual risk retained.  This provides the most compelling argument for the price for insurance for consumers, they are getting most of the benefit of diversification through the competitive mechanism described above.  Because of this, things are even worse for the first insurer with the one policy.  To the extent that there is a competitive market for insurance for that one $500k house, that insurer will only be able to get a profit margin that is commensurate with the risk of a diversified portfolio of risks. 

It is curious to note than in many situations, both insurers and individuals do not diversify.  RISKVIEWS would suggest that may be explained by imagining that they either forget about diversification when making single decisions (they are acting irrationally), or that they are acting rationally and believe that the returns for the concentrated risk that they undertake are sufficiently large to justify the added risk.

The table below shows the degree to which individuals in various large companies are acting against the principle of diversification.

From a diversification point of view, the P&G folks above are mostly like the insurer above that writes the one $500k policy.  They may believe that P&G is less risky than a diversified portfolio of stocks.  Unlike the insurer, where the constraint on the amount of business that they can write is the 1/200 loss potential, the investor in this case is constrained by the amount of funds to be invested.  So if a $500k 401k account with P&G stock has a likelihood of losing 100% of value of 1/200, then a portfolio of 20 $25k positions in similarly risky companies would have a likelihood of losing 15% of value of 1/1000.  Larger losses would have much lower likelihood.

With that kind of math in its favor, it is hard to imagine that the holdings in employer stock in the 401ks represents a rational estimation of higher returns, especially not on a risk adjusted basis.

People must just not be at all aware of how diversification benefits them.

Or, there is another explanation, in the case of stock investments.  It can be most easily framed in terms of the Capital Asset Pricing Theory(CAPM) terms.  CAPM suggests that stock market returns can be represented by a market or systematic component (beta) and company specific component (alpha).  Most stocks have a significantly positive beta.  In work that RISKVIEWS has done replicating mutual find portfolios with market index portfolios, it is not uncommon for a mutual fund returns to be 90% explained by total market returns.  People may be of the opinion that since the index represents the fund, that everything is highly correlated to the index and therefore not really independent.

The simplest way to refute that thought is to show the variety of returns that can be found in the returns of the stocks in the major sectors:

The S&P 500 return for 2012 was 16%.  Clearly, all sectors do not have returns that are closely related to the index, either in 2012 or for any other period shown here.

Both insurance companies and investors can have a large number of different risks but not be as well diversified as they would think.  That is because of the statement above that optimal diversification results when all risks are equal.  Investors like the 401k participants with half or more of their portfolio in one stock may have the other half of their money in a diversified mutual fund.  But the large size of the single position is difficult to overcome.  The same thing happens to insurers who are tempted to write just one, or a few risks that are much larger than their usual business.  The diversification benefit of their large portfolio of smaller risks disappears quickly when they add just a few much larger risks.

Diversification is the universal power tool of risk management.  But like any other tool, it must be used properly to be effective.

This is one of the seven ERM Principles for Insurers

Does your Risk Management Program have a Personality?

Many people are familiar with the Myers-Briggs Personality Type Indicator.  It is widely used by businesses.  What a shocker to read in the Washington Post last week that psychologists are not particularly fond of it.

The Myers-Briggs Personality types were developed directly from the work of Carl Jung, who is not highly regarded by modern psychologists according to the Washington Post story.

Psychologists have their own personality types.  The chart below is from The Personal Growth Library, and is called the Five Factor Model.

You may be able to find options here that would allign with your ERM program. 

Stability – You may seek Resilience, and settle for Responsiveness. 

Originality – You may want to be an Explorer, but much more likely, your ERM program is a Preserver.

Accommodation – Your goal is to be a Challenger, you end up a Negotiator. 

Consolidation – You should be able to achieve a Focused ERM program, but pressures of business and the never ending crises force you to be Flexible much too often. 

That seems to provide some valuable introspection. 

Next you need to look at the overall enterprise personality.  Many successful companies will have a personality that is very different from the choices that you want to steer towards as the risk manager for your program.  You should check it out and see.

If there is an actual allignment between your overall organization’s personality and the personality that you aspire to for your ERM program, then you will be running downhill to get that development accomplished. 

What does that mean when the personality that you want for your ERM program is almost totally different from the personality of your organization?  It means that you will be pulled constantly towards the corporate personallity and away from what you believe to be the most effective ERM personality.  You then have to choose whether to run your ERM program as a bunch of outsiders.  You then will need to form a tight knit support group for your outsiders.  And make sure that you watch the movie Seven Samuri or The Magnificant Seven. 

Or you can rethink the idea you have of ERM.  Think of a version of ERM that will fit with the personality of your company.  Take a look at The Fabric of ERM for some ideas.  Along with the rest of the Plural Rationality materials.

Principles of ERM for Insurance Organizations

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
2. UNDERWRITING: These must be a process for risk acceptance that includes an assessment of risk quality.  Firm needs to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback
4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

Embedded Assumptions are Blind Spots

Embedded assumptions are dangerous. That is because we are usually unaware and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumptions that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  The hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.   In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after…… The last time when there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

Emerging Risk Survey

TAKE PART IN THE ANNUAL EMERGING RISKS SURVEY

Posted by Max Rudolph

The Joint Risk Management Section, sponsored by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries, is interested in better understanding how risk managers deal with emerging risks. The objective of this effort is to examine and ultimately give guidance to risk managers on how to deal with these unknown and developing risks.

To achieve this, we have designed an online survey to gather information about emerging risks and related issues. This survey is a follow-up to earlier surveys on emerging risks and will help to provide insight to changes and trends in this evolving field.

We would greatly appreciate you taking the time to complete the survey by October 26. It should take less than 10 minutes to complete the basic survey, but we hope you will share your thoughts in comment boxes, as well. Please share this survey link with other risk managers (internal and external) who might be interested in sharing their thoughts. We hope to gather a wide variety of perspectives from the survey.

It is our hope that the results of this survey will help risk managers deal with information that exists outside historical data sets. We assure you that results will be reported anonymously and that your specific responses will be held under the strictest confidence.

If you have questions about the survey, please contact Barbara Scott.

Thanks very much for your consideration! We expect to report results in December.

Follow this link to the Survey:
Take the Survey

Or copy and paste the URL below into your internet browser:

http://soa.qualtrics.com/WRQualtricsSurveyEngine/?SID=SV_5upsMMiVNJE1pBj&RID=MLRP_6zJ0LSMyi4Qysux&_=1

***** REMINDER ***** DEADLINE IS FRIDAY, OCTOBER 26 ***** REMINDER *****

Many thanks to those of you who have already participated in this survey!

Risk Evaluation by Actuaries

The US Actuarial Standards Board has promulgated a new Actuarial Standard of Practice number 46 Risk Evaluation in Enterprise Risk Management.

ASB Adopts New ASOP No. 46

At its September meeting, the ASB adopted ASOP No. 46, Risk Evaluation in Enterprise Risk Management. The ASOP provides guidance to actuaries when performing professional services with respect to risk evaluation systems used for the purposes of enterprise risk management, including designing, developing, implementing, using, maintaining, and reviewing those systems. An ASOP providing guidance for activities related to risk treatment is being addressed in a proposed ASOP titled, Risk Treatment in Enterprise Risk Management, which will be released in late 2012. The topics of these two standards were chosen because they cover the most common actuarial services performed within risk management systems of organizations. ASOP No. 46 will be effective May 1, 2013 and can be viewed under the tab, “Current Actuarial Standards of Practice.”

 

CEO is still the Real CRO

It was just a couple of weeks ago Riskviews posted…

It’s the job of a CEO to be the Chief Risk Officer

A week later, Reuters ran a story about JP Morgan…

Analysis: JPMorgan repeats basic mistakes managing traders

In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.

What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO.  If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.

It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.

CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company.  In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.

One Page ERM

The International Association of Insurance Supervisors adopted the following in late 2011 as a part of ICP 8.

Risk and Reward

Successful Businesses pay attention to risk.

- How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position.  They have a basket.  Each basket is different.  It can easily hold so much.  Sometimes, you decide to put a little more in the basket, sometimes a little less.  They should know when they have stacked their risk far over the top of the basket.
- What kinds of risk to take.  They have a plan for how much of each major class of risk they they will pick up to use up the capacity of their basket.

- Then when the actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.

-  And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace.  Some business managers do it backwards.  If they are not being paid much for risk, they fill up the basket higher and higher.  That is what many did just prior to the financial crisis.  In insurance terms, they grew rapidly at the peak of the soft market.  Just prior to the cirsis, risk margins for most financial market risks were at cyclical lows.  What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest.  Few do that.  However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage.  This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins.  But it also needs to be informed by diversification principles.  Short term thinking suggests that risk taking shift all to the particular risk with the immediate best risk adjusted margin.  Long term thinking suggests something very different.  Long term thinking realizes that the business needs to have alternatives.  For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad.  Risk and reward needs to develop a balance between short term and long term.  To allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) and it may well be lower.  The risk reward system needs to be sensitive to all of these three possibilities and ready to react accordingly.

Conflicts about Risk

The headline reads:

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk that there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood migh happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk that either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CROs job is not to stand in judgment of both the CEO and the Board.  The CROs job is to work within the risk appetite of the board.

All Risks are not Enterprise Risks

Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.

This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission.  No serious undertaking has 75 classes of events that could stop them in their tracks.

A serious undertaking might have 5 such risks.  Usually less.  Things that in spite of the best efforts of management could stop them in their tracks.  There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks.  To make sure that a new potential trouble is not creeping into that top 10.  To make sure that  they are not accidentally taking on much more of those risks.  To find ways to mitigate that first group of top risks.  To make sure that the controls on that second group of top risks are still sufficient.  And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

• Risks that threaten the earnings of the firm
• Risks that threaten the capital of the firm
• Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm.  They should be the concern of the top executives of the firm.  Those risks should be the concern of the directors of the firm.

10 Things We Didn’t Learn from Enron

A great piece from ABC News lists 10 things that we should have but didn’t learn from Enron, on the 10th anniversary…

1. Conflicts of interest continue to occur
2. If it’s too good to be true, it probably isn’t
3. Regulators and the regulated continue their dance
4. Transparency is vital
5. More capital is better
6. Excessive leverage is as dangerous as a bad bet
7. Corporate leadership makes all the difference in the world–for good and for bad

8. Preferred stockholders get preferred treatment

9. Still building fragile financial structures

10. Important names make mistakes too

Riskviews comments:

1.  Conflicts – The risk manager should be aware of who benefits from each major program of the firm and who stands to lose if a program runs into trouble.  If those two parties are different, then there are strong incentives for abuse of the program.  Suggestions from a party that could benefit but not be at risk to change the program should be viewed very carefully.

2.  Too Good to be True – But this time is different!!!  The four most dangerous words.

3.  Regulators – someone needs to be able to identify and change situations where the regulators are too cozy with the regulated.  The myth that firms will self regulate was exposed to be a total falsehood in the 2008 Financial crisis.  Real regulation is needed in the financial services business where firms are primarily selling promises.  Whether you are Madoff or Lehman Brothers, the most lucrative approach for managers of a financial services firm is to make promises and not make sufficient provision for satisfying those promises.  Regulators need to assure the customers that a clear standard is maintained for security of those promises.

4.  Transparency – in RISKVIEWS opinion, real transparency is much better than supervision.  Market discipline is much more sure than regulatory discipline.  Because market counterparties have skin in the game.  Regulators actually have multiple agendas.  To date, transparency has never been tried, however.  But there are rumours that current depressed bank valuations are in part a market reaction to the fundamental lack of transparency of the banks.  RISKVIEWS hopes that one of the banks tries to be transparent and shows the rest of the sector what happens to their valuation.  US insurers have operated with extremely high transparency for some risks but total lack of transparency for others.  RISKVIEWS hopes that the insurance regulators will stop being agreeable to that situation.

5.  More Capital &

6.  Excessive Leverage  -  these two points are the same.  More capital is less risky, More leverare is more risky.

7.  Leadership – In most companies, leadership is more aggressive than the rank and file of the firm.  And the risk reward equation for top management and the rank and file is totally different as well.  See #1, above.

8.  Preferred Treatment – Why doesn’t the SEC simply mandate disclosure of who gets paid what under different scenarios.  And mandate that be disclosed to new purchasers of a security?  At least to those who intend to hold the security for more than 15 minutes.

9.  Fragile structures – Insurers and banks are being asked to present “stress to failure” tests to show regulators what degree of stress would cause them to fail.  Perhaps that would be a good disclosure for investors as well.  What sort of stress causes a structure to fail?

10.  Mistakes – This is a good reason for diversification.  Into totally different sorts of investments in totally different sectors.  Mistakes can be made from entire secotrs, as we saw in the financial crisis.

But read the ABC comments.  They are all good as well.

On Thin Ice

Most people who know that they are walking on thin ice will proceed very slowly and carefully.

That is also the effect that we get when we fail to recognize losses. Everyone HOPES that things will turn out ok and either the losses will eventually emerge at a lower value (i.e. less loss) than expected or that while we defer recognition, other earnings will make up for the losses.

Loss recognition is an important step in getting off of the thin ice.  Firms need to have a disciplined loss recognition process so that they can avoid getting into the thin ice situation. 

One important concept in risk management was stated by Nassim Taleb in his “Black Swan Free World” piece – that failures should be frequent and small.  That principles applies to losses as well.  A good risk management program should encourage small and frequent losses. 

A firm that rarely recognizes losses is either (a) not taking any real amount of risk or (b) failing to recognize the losses that it has.

The Danger of Optimization

RISKVIEWS was recently asked “How do insurers Optimize Risk and Reward?”

The response was “That is dangerous. Why do you want to know that?” You see, a guru must always answer a question with a question. And in this case, RISKVIEWS was being treated as a guru.

Optimizing risk and reward is dangerous because it is done with a model.  Not all things that use a model are dangerous.  But Optimizing is definitely dangerous.

One definition of optimizing is

“to make as perfect as possible.”

Most often, optimization means taking maximum possible advantage of the diversification effect.  You will often hear someone talking about the ability to add risk without adding capital.  Getting a free ride on risk.

There are two reasons that optimizing ends up being dangerous…

1. The idea of adding risk without adding capital is a misunderstanding.  Adding risk always adds risk.  It may well not add to a specific measure of risk because of either size or correlation or both, but the risk is there.  The idea that adding a risk that is low correlation with the firm’s predominant risk is a free ride will sooner or later seep into the minds of the people who ultimately set the prices.  They will start to think that it is just fine to give away some or all of the risk premium and eventually to give up most of the risk margin because there is thought to be no added risk.  This free risk idea will also lead to possibly taking on too much of that uncorrelated risk.  More than one insurer has looked at an acquisition of a large amount of the uncorrelated risk where the price for the acquisition only makes sense with a diminished risk charge.  But with the acquisition, the risk becomes a major concentration of loss potential and suddenly, the risk charge is substantial.
2. In almost all cases, the best looking opportunities, based on the information that you are getting out of the model are the places where the model is in error, where the model is missing one or more of the real risks.  Those opportunities will look to have unusually fat risk premiums. To the insurer with the incorrect model, those look like extra margin.  This is exactly what happened with the super senior tranches of sub prime mortgage securities.  If you believed the standard assumption that house prices would never go down, there was no risk in the super senior, but they paid 5 – 10 bps more than a risk free bond.

The reliance on a model for optimization is dangerous.

That does not mean that the model is always dangerous.  The model only becomes dangerous when there is undue reliance is placed upon the exact accuracy of the model, without regard for model error and/or parameter uncertainty.

The proper use of the model is Risk Steering.  The model helps to determine the risks that should be held steady, which risks would be good to grow (as long as the environment stays the same as what the model assumes) and which risk to reduce.

Let’s get Real

Talk to CROs and all the nice theories about risk management get put in their place.  In real companies, the loudest and most influential voice is usually the people who want to add risks.

A real CRO is not often struggling with issues of risk theory.  They are totally immersed in the reality of corporate power politics.

• In some firms, the CEO will set up the CRO in a position where risk concerns will trump all else.  The CRO will have authority to stop or curtail any activity that s/he feels is excessively risky.
• In other firms, the CEO will set up the CRO to be one of many voices that are clamoring for attention and for their point of view to be heard.
• And a third set of firms has the CRO as purely a reporting function, not directly involved in the actual decision making of the firm.

The first case sounds ideal, until the CRO and the CEO go head to head on a major decision.  The battle is not usually long.  The CEO’s view will will.  In these firms, it is usually true that the CRO and the CEO see eye to eye on most things.  The CEO in these firms has the opinion that the business units would take enough risk to imperil the firm if left alone.  But the CEO is still responsible to make sure that the firm is able to grow profitably.  And a CRO who gets used to power over risk decisions, sometimes forgets that power comes solely from the CEO.  But for the most part, the CRO in this firm gets to implement the risk management system that works the way that they thinks is best.

The second case sounds much more common.  The CEO is not saying exactly how much s/he supports ERM.  The CEO will decide in each situation whether to support the CRO or a business unit head on any risk related major decision.  The risk management system in this firm exists in a grey area.  It might look like the risk management system of the first firm, but it does not always have the same amount of authority.  Managers will find out quickly enough that it is usually better to ask for forgiveness rather than follow the rules in the times when they see an important opportunity.  The CRO in this firm will be seeking to make a difference but has to define their goals as all relative.  Are they able to make a noticeable shift in the way that the firm takes risk.  That shift may not go all the way to an optimal risk taking approach, but it will be a shift towards that situation.  Over time they can hope to educate the business unit management to the risk aware point of view with the expectation that they will gradually shift to more and more comfort with the risk management system.

In some of these firms, the risk management system will look more like the system of the third case below – a Risk Information system.  The approach is to keep all of the negotiation and confrontation that is involved with managing risk limits and standards to be verbal rather than on paper.

In third case, the risk management system exists to placate some outside audience.  The CEO has no intention of letting this process dictate or even change any of the decisions that s/he intends to make.  The most evident part of an ERM system is the reports, so the risk management system in these firms will consist almost entirely of reporting.  These firms will be deliberately creating an ERM Entertainment system.  The best hope in these firms is that eventually, the information itself will lead management to better decisions.

What is working against the CRO in the second and third cases are the risk attitudes of the different members of management.   If the CRO is targeting the ERM system and/or reports to the Manager risk attitude then it might be a long time before the executives with other risk attitudes see any value in ERM.

How Real Risks are Managed

The real risk that your $10 million machine that is at the heart of your production line will fail needs to be managed. There are several ways that real companies manage this sort of real risk:

1. Wait til it breaks and then fix it,
2. Replace the machine when it is old enough that there is an x% probability that it has reached the end of its useful life, based upon statistics for all users of the same machine and the passage of time.
3. Replace the machine when it has been used so much that it has reached an x% probability of failure, based upon statistics for all users of the same machine and the actual usage you make of the machine.
4. Repair the machine when one of dozens of sensors placed within the machine indicates that some part of the machine is starting to operate outside of desired specs.  Replace the machine when such repairs are not cost effective.

This list seems to have a clear analogy for financial firms and their risk management programs:

1. No risk management program – let the losses happen and mop up afterward.
2. Manage to some broad industry standard, like premium to surplus ratio or assets to surplus ratio.
3. Manage to some risk adjusted industry standard like BCAR or RBC.
4. Manage to a detailed and carefully updated comprehensive risk model.

Of course, 4 is the most expensive course, for both the “real” companies and the financial firms.  Which course you pick depends upon how devastating an event it is for your machine to break down unexpectedly.  If your business can stand a few days/weeks/months without the machine, then maybe the very low cost path 1 is fine for you.

For financial firms, the question is the cost of an unexpected and large excess loss.  How disruptive will it be to have to either curtail business activity until you are able to build back capital or to raise the capital to replace what you lost with new capital?  Can you keep doing business while you settle that question?  What is the opportunity cost of not being able to write business right after a big loss?

The analogy is a pretty good fit.  Feel free to use it when you have to argue for more risk management spend.

Winners and Losers

European leaders are in conference as this is being written. Their sole concern is to determine the shares of the Losers from the lending boom.  Candidates for Loser shares include:

1. The Greek citizens  -  this has been the first place that they wanted to go.  But so far the Greeks have shrugged off attempts to get them to even stop running up additional debt, let alone repaying any old debt.  Realists are now struggling with trying to determine who else they can find to take the Loser shares.  The efforts of the Greek government have all been to slow the rate of new borrowing, and those have fallen short of goals.
2. The non-Greek Europeans  -  this approach is accomplished through a government to government or government to ECB to government transfer of money.  This has been the central approach to date.  This approach is limited because of the reluctance of the German people (and therefore their politicians) to take a larger Loser share.  Their concern is that the Greek citizens have been the winners (through excessive government spending and salaries) so the Germans who have been frugal and prudent should not be providing a larger share than the Winners.
3. The banks  -  who all somehow managed to own greater or lesser amounts of Greek debt.  Unfortunately, these banks are mostly European.  And if forced to bare the bulk of the losses might find themselves in need of government bailouts.  Back to the non-Greek Europeans.   But it is worthwhile to think for a minute what making the banks taking a large Loser share would involve.  If the banks take a large Loser share, they have to decide who among six parties will they then spread the share to.  Those parties are:  bondholders, stockholders, management, employees, customers and other counterparties.
4. Non- Europeans  -  enter the IMF which has made smaller contributions to this situation than the Europenas, but not insignificant contributions.  The involvement of the IMF creates interesting precedents for future situations.  The Greeks are proving that there is no reason whatsoever to ever comply with international financial covenants.  The IMF was famous for imposing draconian requirements on those to whom it lends.  But that story is being rewritten by the Europeans.  To some it appears that there are two sets of rules when it comes to loans from the IMF.  And where you live determines which set of rules apply.

So back to the negotiating table.  History of the past 10 years has shown that the Greek government will agree to any terms, but will have trouble delivering on anything.  Countries have not recently tried living without banks.  But most assume that would be fairly difficult.  So in the end, the European people will pick up the tab.  It seems makes sense to settle this sooner rather than later so that it will be possible to put a stop to further Greek overspending.  But that sensible concern does not seem to be moving the leaders to doing the difficult work of assigning the Loser shares.

Clearly, there was not any realistic discussion of this possible situation BEFORE the crisis.  The Greeks promised repeatedly not to ever get close to this sort of mess.  The banks have rules against lending to entities who are not likely to repay and they have regulators whose job it is to make sure that they do not get in over their head.   Governments presumed, perhaps without any basis in reality, to believe that those three lines of defense would be more than enough.

The response ultimately needs to be something other than adding two more nevers to the promise to never, never, never, never let this happen again. 

An actuary from one insurer often tells the story that his firm will always want to understand how a new product might fail before they agree to start selling that product.

Perhaps that is what is needed for countries and their banking systems.  They need to think through how things might break and say in advance who will bare the Loser shares.  In really having that discussion, perhaps it will become clear that it is much easier to distribute losses when they are smaller and that their main task needs to be to identify and deal with Loser shares when they are smaller rather than the recent strategy of hoping that they would go away.

Some might suggest that there are a set of rules in place for that.  But the evidence is clear that those rules are insufficient.  We all need to get realistic about these situations and develop a new set of rules that might carry us for another 50+ years.  Rather than solutions that work for a few months.

Does Your Firm Know What To Do At a Yellow Light?

An Audi advertizement says:

The Yellow light was invented in 1920.  Almost 100 years later. 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time.  Everyone anywhere a hurricane zone knows the annual season for those storms.  They make sure that they are prepared during that season and don’t worry so much in the off season.  Most risks do not have clear regular seasons, like hurricanes.  (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks.  And it needs to have plans for what needs to to done in each part of the firm so that they “Proceed with Caution”.  And the managers of the affected areas need to know those plans and their own roles.  And there needs to be a Yellow (or Amber) light that flashes somewhere. And then the managers need to act, they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD; either Red Lights, Cement Barriers or Brick Walls.  A red Light risk limit, means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed.  A cement barrier risk limit means that you are prohibited from proceeding when you hit a limit.  A brick wall risk limits means that if you hit the limit, you are likely to be terminated.  In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals.  RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans of how to proceed when the Yellow Light goes on.

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is

“watch out for the other two groups“.

400 Posts – 70,000 Hits and Still Blogging

In April 2009, someone said to RISKVIEWS, why don’t you try blogging.

From April to August, the RISKVIEWS website consistently drew at least 600 hits per month to the Risk Management Quotes.  Then the blogging started.

Someone recently asked “How does this fit into your career plan?”  Interesting question.

Posting is now just a habit.  It happens in bursts.  Some weeks there are no good ideas, others there are many.  At least many ideas.  Over time there are even a few really good posts.

Here are a few that you may not have noticed:

You may not be able to Grow out if it

Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.

Who wins with leverage?

Leverage increases apparent returns in best of times but Increases risk considerably in worst of times.

How about a Risk Diet?

Why do you need an aggregate risk limit?  For the same reason that a dieter needs a calorie limit.

Adaptability is the Key Survival Trait

To survive such situations, it seems that the ability to quickly assess new situations, especially ones that look like old tried and true but that are seriously more dangerous, and to change what the organization is doing in response to these risks is key.

Your Mother Should Know

Something as massive as the current financial crisis is much too large to have one or two or even three simple drivers.  There were many, many mistakes made by many different people.  My mother, who was never employed in the financial world,  would have cautioned against many of those mistakes.

According to the site stats that I get, these posts have been read a total of less than 30 times.

So on a day like today, check one of them out.  Chances are you did not see it already.

Global ERM Webinar

How to do Risk Management in Lean Times

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transfered to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can be a very time consuming part of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.

These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

Ten Commandments for a Crash

Joshua Brown wrote “Ten Commandments for a Crash“  – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that its a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down! 

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists,

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things where you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  THe bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Climbing the Risk Management Mountain

The pursuit of risk management is in some respects like climbing a mountain.

Your choice of the risks that you will plan to manage (rather than avoiding or eliminating) is like your choice of mountain. Some mountains will be more difficult to climb than others. Some have well worn paths to the top. And sometimes there is a shift in the weather than makes even the most traveled path unusually dangerous.

Some folks have been living on the side of their mountain for generations. They considered that they are the experts of that particular mountain. But then one day, a band of outlanders shows up with new equipment and takes a new route that takes them higher up the mountain than any of the locals have ever gone.  Sometimes, however, those outsiders only look like they are going straight to the top.  Sometimes they are stopped short by perils that the locals knew well.  With risk management, there have been firms managing some risks for a long time who have been brushed aside by competitors with rocket scientists.  Some of those rockets took the firms right to the top, others flamed out along the way.

There are many ways to approach climbing a mountain.  Some choose the southern route, others the northern.  And many different places to stop the climb and declare success.  For some risk managers, the climb may stop when the largest one or two risks of the firm are separately under control.  Others will seek to reach the spot on the mountain where the capital model can be found.  They undertook climbing risk management mountain to get a handle on managing their capital.  A third group will stay unswervingly on the path that is laid out with the railings and signs put there by the regulators.  They seek only to achieve the point on the mountain of regulatory compliance.  They do not seem to care that standing for too long on that spot may not be safe in all weather either.  The final group is looking to get to the top of the mountain, to stand on the highest pinnacle.  They feel that mastering risk management can only be done if they are standing on top of all of their risks at once.  They feel that any other spot on the risk management mountain is not for them.

Having spotted the place where they want to end up, many people stand transfixed by the immense task ahead of them and fail to start.  They do not see any way that they can get from where they are to that remote point up the mountain that is partially obscured by the clouds.  They see some others already at those points and cannot figure out how to jump right up to join them.

They sometimes do not realize that those who are already far up the path got there most often by focusing instead on the next step, rather than on the endpoint.  Some of those who are far up the mountain may in fact have started out to reach a different point and made corrections to their ascent path as the realized the conditions as well as their own capabilities.

Others who already live part way up the mountain are confused.  They are looking at the instruction manual for climbing this mountain.  The book always starts at the bottom of the mountain.  And it assumes that you are someone who does not already own some (possibly most) of the equipment needed for climbing.   The whole thing seems impossible to make sense out of for you.  You are not even going to consider going to the bottom of the mountain and leaving all of your equipment and expertise behind.

Most insurers are in the position of the villagers living on the side of the mountain.  They are getting instructions to start at the bottom of the south side of Risk Management Mountain, while they live on the north.  What they need is not generic instructions.  What they need is instructions that start with what they know and with the equipment and experience that they have.  They need to know the best path to get to the place where they want to go from where they are.

You need to know how much risk you’ve been taking first

Everyone struggles with choosing a risk appetite.  But that is the first mistake.  Risk appetite will not be singular.  Risk Appetite is plural.  It refers to any aspect of risk that goes beyond what you will comfortably accept.

In the paper Risk and Light, it mentions a number of aspects of risk:

• Type A Risk – Short Term Volatility of cash flows in 1 year
• Type B Risk – Short Term Tail Risk of cash flows in 1 year
• Type C Risk – Uncertainty Risk (also known as parameter risk)
• Type D Risk – Inexperience Risk relative to full multiple market cycles
• Type E Risk – Correlation to a top 10
• Type F Risk – Market value volatility in 1 year
• Type G Risk – Execution Risk regarding difficulty of controlling operational losses
• Type H Risk – Long Term Volatility of cash flows over 5 or more years
• Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
• Type K Risk – Pricing Risk (cycle risk)
• Type L Risk – Market Liquidity Risk
• Type M Risk – Instability Risk regarding the degree that the risk parameters are stable

It is quite possible that a full risk appetite would could address each of these aspects of risk and more.

But a more difficult hurdle is the fact that in many cases risk exposure is not consciously known.  In some cases, that is because of a confusion between RISK and LOSS.  Some of that is because of the overuse of the word risk.  In many situations, risk is used to mean an expected loss.

But for risk appetite, it is never the expected loss or even the actual losses that is of concern for a risk appetite.  The risk that matters is the potential for future loss.

But to have any idea of how much risk that a person or a firm might be comfortable with, they need to have experience with risk.  To have an  articulate risk appetite, that experience must have been quantified.

How much was the risk exposure last year?  How much was it the previous year?

And when we try to think of how much risk, we need to recognize that risk has many aspects that may need to be quantified.  Risk is complicated.  It does not reside in a single number.

Why would we think that it did?  Try to name anything important that can be represented with a single number.  Can you represent your car with a single number?  Can you represent your brother with a single number?  Can you represent a book with a single number?  Risk is a potential for future loss, that potential has many more possibilities than an existing physical object.  The object needs to represented by many different numbers.

But not all of the aspects of risk are ultimately important in most situations.

But before anyone or any business can form a risk appetite, they need to identify the characteristics of risk that are most important to them and then they need to build an experience base.  They need to know how much risk that they have taken in the past.  They need to know how much they can get paid for taking the risk.  They need to know when they were at risk of having their lights put out.

Better to have this experience in real time.  But second best is to work backwards into the past.

Faced with real information, matched up to real experience, then the stories of how to create a risk attitude will then start to make sense.

But up til then, it just won’t mean anything.

The World is not the Same – After

In reality, there is no accurate way to calibrate a risk model right after a major loss event. That is because there is always a good chance that the world will change as a result of the experiences of the event.

In Japan, the rebuilding after the losses from the earthquake/tsunami will not replace what was there. The buyers of the products that were manufactured in Japan who were disrupted by the event have all found alternatives. And they have learned from the even to diversify their suppliers or at least deal with a supplier who has diversified exposure to risk. The Japan after the event will not be the same Japan as before.

A market or an industry, a company or a people rarely go back to doing things exactly the same way after a major crisis.

They may become much more conservative about the risk that caused the crisis.  They may just move on, like New Orleans which is now less than one third its pre-Katrina size.  They may adopt many new rules and regulations like Sarbanes-Oxley or Dodd-Frank.  Or they may finally start listening to their risk managers or even hire new CROs.

If you want to have a model that includes the year after a crisis, then you will need to study past crises and the reactions to those events.  What that may mean is that there are ripple effects of the crisis in the model. Not just another random year.  Because regardless of what the theories say, the world displays multi year effects.  Events are not over simply because the model turns to another time slot.

 

 

During the Crisis

There are three Phases to Risk Management,

• Preparation,
• Crisis Management and
• Picking up the pieces

During the Crisis, the most important thing is that you are able to assess the situation, choose the appropriate action and finally and most importantly ACT.

Many people are prone to freeze during a crisis.  They go into a daze because some main steady thing in their life is no longer there and working.

On the anniversary of 911, it is interesting to notice that an article A Survival Guide to Catastrophe from 2008 is the most popular article today at Time.com.

It tells the story of how several people escaped several famous catastrophes.  In each case, some of the people who died in those situations were frozen.

The human brain goes through three stages during a crisis: disbelief, deliberation and action.  The frozen people have stuck on the disbelief or deliberation stages.

That is where the Preparation phase is important.  With proper preparation, people can be taught to quickly identify the reality of the crisis and to know in advance their best options.  The purpose of the preparation is then to shorten the time to get to the third stage.  ACTION.  And to make sure that when you get there, you take the right action.

During the World Trade Center crisis, some people did act quickly, and climbed the stairs right up to the roof.  Others made the right choice and went down the stairs.

This Crisis Management thinking does not just refer to physical crises.  Financial firms are faced with financial crises.  In those situations, managers of the firm go through the exact same stages:  disbelief, deliberation and action.  They can get stuck in either of the first two stages until it is too late.  They can also choose the wrong action.

Much of risk management literature seems to be about the risk management things that are needed during the moderately risky, normal times.  But risk management is also needed in the midst of the crisis.  The risk mitigation tactics that work best in moderately risky, normal times may not even be available in a crisis.  There needs to be preparation for a possible crisis so that managers will promptly identify the crisis and know in advance the types of options that they may have and also know how to go about choosing the best options.

Firms that provide property insurance to disaster prone areas have learned that it is much more than good customer service to have claims people on the ground to start writing checks as soon as possible after the disaster.  Firms that trade in financial markets have learned, if they did not know already, that trading is not always continuous.

Whatever your firm does, the risk manager should be developing and training managers about crisis plans.

Where Do You Hide?

US Hurricane Risk

The lines on the graph represent the paths of the 50 most deadly US hurricanes on record.  The numbers on the lines are the number of deaths.

One important thing to notice is that there is nowhere on the eastern or southern coasts of the US coast that has not experienced deadly hurricanes.

That suggests two strategies for dealing with hurricane risk for an individual.

1. Avoiding it by moving well inside the lines.
2. Building up a residential system that is resilient to the forces of hurricanes.

The first strategy is suspect until you study the risks of those areas.  The area just outside the lines includes the New Madrid fault and an area that has experienced major inland windstorms, hailstorms and floods in the recent past.   So there is no guarantee of safety by risk avoidance.

That leaves resilience as the best bet.  Resilience will involve learning about safety measures, setting a risk tolerance and finding out how strong of a storm fits within the risk tolerance.

In Japan, they set their risk tolerance to be that they would not accept a risk of a storm that is within the range of all past experience.  They thought of that as a zero risk tolerance.  They learned on 311 that their actual risk tolerance (storms within the historical observations) and their notional risk tolerance (zero) were not the same thing.

For an insurer or a business, there are very different options.  Diversification and insurance/reinsurance may be chosen instead of resiliency.

Society and the Default Put

The idea of the Limited Liability Corporation is one of the innovations that is credited with making capitalism work. The structure allows a person or group to form a business without risking their entire fortune. That is the way that economics textbooks say it. It sounds like all upside.

But wait a minute. Think about it like a risk manager. A real risk manager, not the hucksters who sold the “risk goes away if you split it fine enough” or the “no increase in total risk because of diversification benefits” stories.

A real risk manager knows that a loss is a loss. A dollar (or euro, or pound) is a dollar. Losses do not disappear EVER. Unless you do the work to prevent them.

And limited liability is NOT a loss prevention program. It prevents losses from transmitting to a certain party. The owner of the company. But someone always gets those losses.

Think about it for just a fraction of a second. If a company has obligations that it cannot pay, who has a loss? You figured it out; their counterparties take the loss. It might be customers, suppliers, subcontractors, their bank, or bondholders. The limited liability idea protects only one group – the owners/shareholders. Everyone else has unlimited liability!

What we saw in the crisis, if you owe the bank $100,000 they own you. If you owe the bank $10,000,000 then you own the bank.

This limited liability idea is totally embedded now. Everyone believes that they have the RIGHT to create problems for everyone else that deals with them and JUST WALK AWAY.

In ancient times, the ultimate collateral was the debtor’s personal freedom. A person who defaulted on a debt became an indentured servant of the lender in the case of default. This idea persisted in one form or another until the 1800s when debtors prisons became out of favor. The US was one country that led the way on this movement. The US has always had a much easier attitude to bankruptcy. There has always been much less stigma attached to bankruptcy along with the easier legal climate.

So the system works this way – people and businesses can go bankrupt easily and put their excess losses onto their counterparties. And in reaction to this, counterparties must be careful who they do business with.

That means that Credit Risk Management is a fundamental aspect of the business environment.

However, when you recognize the underlying fundamental reason for that statement, you may question whether the new statistical based Credit Risk Management that has developed over the past 25 years actually satisfies the fundamental need of the system.

Under the statistical approach to CRM, diversification is the key risk management tool. This has replaced the time consuming and labor intensive credit underwriting process.

But it is the underwriting process that works to counter balance the default put that is implicit in the bankruptcy rules.

Without the underwriting, the statistical process will simply not work. It will give totally wrong information. That is because statistics does not work on any old bunch of numbers. Statistics only works on homogeneous sets of numbers.

Let’s review. The default put creates a situation where a person or a firm can take on obligations that they cannot repay AND they will not be held responsible to repay. When people or businesses operate AS IF they were going to pay obligations, then they can receive value from counterparties that is in excess of the value that they will repay. So their counterparties need to police this imbalance.

Statistical CRM means that the lender will make many loans with the expectation that only a few will fail to repay and there will be limited losses from those failures. But once borrowers notice this (or intermediaries who have a better chance to notice) their best outcome is to borrow as much as they can, to leverage up as much as possible. Their upside in the event that everything turns out well is then enormous and they suffer none of the downside.

So statistical CRM leads directly to deterioration in credit quality through excess leverage. No one is actually watching to make sure that the credit risk per loan is staying constant.

And the main risk management tool of diversification fails when the loans themselves become the major source of risk. The correlation between excessive lending and defaults is very high. It is different from the correlation between loans that can be repaid easily.

All this results directly from that default put.  You need to understand the true dynamics of the system if you want to get your risk management right.

Don’t Forget to Breathe

All air breathing organisms do not need any special process to avoid the risk of simply forgetting to breathe. Mostly, they just do it automatically. And if for some strange reason, they stop breathing, their body very quickly develops a violent response to the lack of new air.

Drinking and eating are not quite so automatic, but it is also unnecessary to remind people not to starve to death, when they have a choice to do otherwise.

Animals, including humans, can be observed to also have many, many automatic risk management behaviors. Fear of heights, startle reactions, fight or flight adrenalin releases, and so on. In fact, if you are at a loss of how to deal with any business risk, just go down the list of human natural defenses against risk and you will get lots and lots of different ideas. The natural environment in which the human species evolved was and remains very dangerous. Risks come at us from every direction. Some are constant (like falling from a great height) and some change all the time (like predators and competitors for resources).

Many business managers will contend that their company has developed automatic systems that are embedded in the DNA of the firm to handle risk. The continued existence of the firm is put in evidence as the primary proof of that contention.

The problem with believing that sort of argument is that while a failure to breathe will send an animal into fits of gasping, and dancing on the edge of a cliff will make most animal’s head spin with a natural fear reflex, there is no noticeable consequences of a business stopping their risk management activities.

There are natural, automatic and almost fool proof mechanisms in animals to prevent them from taking some of the most immediately dangerous risks. There are absolutely none of those in a business setting.

So even if there has been a long history of ingrained risk management actions in a firm, a sudden change in personnel can send all that right out the window.

One way of looking at a risk management system is as the replacement for the natural fail safe mechanisms.

Nature saw fit to add a violent automatic natural reaction to a lack of air to the automatic breathing mechanism that can be consciously overridden. The business risk management traditions can be easily and painlessly overridden, unless there is a good risk management system to make the company gasp for breath.

You might find yourself swimming underwater. You override your natural urge to breathe. There are interesting things to see underwater. But you will find it very difficult to stay under too long. Your body has failsafe mechanisms that means you have to work at it very hard to stay under long enough to really hurt yourself. In fact, the mechanism seems to have such a margin of error that you start to want to come back up when you still have the capacity to get back to the surface.

Companies have no similar automatic mechanism.  When someone fails to do the risk management that they should, usually the reaction is that things look and seem better.  Most often, risk management depresses profits, and reduces choices.  The feedback that is experienced leads the exact wrong direction.

A risk management system is the answer to the problem.  The risk management system needs to have mechanisms to keep reminding employees that they need to follow the system rules.

Risk management is not at all like breathing.  In fact quite the opposite.  A firm that wants to have risk management for the long term will need to have a formal process to remind employees that it is important.  In addition, the importance of risk management needs to be periodically reinforced by statements of support from top management.

Risk management is more like a medicine that a person who feels perfectly fine is asked to take regularly.  Every day, they get up and take this medicine, but there is no obvious indication that the medicine is needed.  Many will simply start to forget to take the medicine.  Stop wasting the time it takes to buy and take the medicine.  Avoid even minor side effects.

On the other hand, things that are bad for your health are give quite positive short term feedback.

The trick is to make risk management become more and more like breathing.  To make it a reflex and to build up the mechanisms that will send out danger signals if someone tries to override those automatic mechanism.

Decision Fatigue and Crisis Risk Management

In a recent New York TImes Magazine article, the problem of decision making fatigue is described.  The article says that people will generally tire of making decisions.  It sites studies of judges rulings on parole hearings.  Parolees who have the bad luck to have their case heard later in the day have much less chance of success was one example cited.

Another interesting aspect of decision fatigue was that once fatigued of decisions, people tended to narrow their decision making criteria.  Tired decision makers would eventually get down to a single factor driving their decisions.

The idea given of how to avoid decision fatigue is generally to avoid making too many decisions.

There are interesting implications for risk management.  RISKVIEWS has said many times that risk management means that sometimes the company will do something different then before they had risk management.  But since the company is not doing something different all of the time, each different situation requires a decision.  But all decisions are not of the same economic impact.

So a strategy for getting it right – or at least avoiding decision fatigue for the most important decisions is to make sure that a fresh decision maker is involved in the decisions of higher importance.

This idea may not mean making any change in the procedures of many companies.  It is not uncommon for decisions that involve larger amounts of money to require approval by a more senior person than the person who makes the lesser decisions.  It appears that is a good idea from a decision fatigue point of view.  Firms who seek to empower their employees by avoiding that sort of system may be playing russian roulette with their most important risk management decisions.

In a crisis, many decisions are needed in a short time.  That is perhaps one way of defining a crisis.  Things must be done differently.  The likelihood of decision fatigue in a crisis seems to be immense.

A solution to this is to reduce the number of decisions.  This can be accomplished by anticipating the decisions that may be needed and making the most likely decisions in advance.  It may well be that an advance decision made with an approximation of the situation may be better than a fatigued decision.  There still remains the decision of whether the advance decision is still applicable.  But if done right, the stress of decisions can be greatly reduced.

In addition, the narrowing of decision making criteria for fatigued decision makers is an interesting finding.  Many management information people report that they need to refine the information that they provide to single indicators, in some cases to red light/green light on/off indicators.

This seems to be clear indication of decision fatigue of senior managers.  While MI professionals will not usually be empowered to have an opinion on this, it seems that what is in order is for the top managers to make fewer decisions until they get to the point where they are no longer too fatigued to recognize the actual complexity of the decisions that they are making.

The Risk Managers Desk Reference

If you are a risk manager, you probably already have this book on your desk.  Ready for the next time that someone say that some disaster your are asking them to prepare for will never happen.  You then can pull out this resource and show them that something much worse has happened several times before.  This invaluable resource is

The Pessimist’s Guide to History 3e: An Irresistible Compendium of Catastrophes, Barbarities, Massacres, and Mayhem – from 14 Billion Years Ago to 2007 by Flexner and Flexner.

With this book, the alert risk manager can perform a comprehensive study of disasters that occured in the 1500′s, for example.  The PGTH (as fans affectionately call it) tells of the following:

• 1502 – 30 Spanish treasure ships destroyed by hurricane
• 1514 – Hungarian Peasants Revolt
• 1520 – Sad Night at Tenochtitlan
• 1521 – Smallpox and Spanish conquer Aztecs
• 1524 – Peasants revolt in Germany
• 1527 – Sack of Rome
• 1528 – Spanish explorers ships wrecked by hurricane near Florida
• 1531 – Earthquake hits Lisbon
• 1545 – Sinking of Mary Rose
• 1546 – Massacre of Waldenses
• 1556 – Chinese earthquake kills over 800,000
• 1559 – Spanish ships sink in hurricane near Tampa
• 1562 – Massacre near Vassy, France
• 1570 – Massacre at Novogorod
• 1572 – Massacre of St. Bartholomew
• 1574 – Floods in Netherlands kill 20,000 Spanish soldiers
• 1587 – English colonists at Roanoke disappear
• 1588 – Spanish Armada defeated
• 1589 – Assassination of Henry III
• 1591 – Philippines volcano erupts
• 1591 – Storms destroy 29 Spanish ships near Florida

Other events include the extinction of the dinosaurs 65 million years ago.  If you are using that piece of data to help to calibrate your loss models, you can think of that as a total loss once in the past 65 million years.

So the next question from your management may be whether if the total loss scenario is a one in 65 million year event and it has not happened in 65 million years, are we due?

And from this data, it looks like hurricanes happen near Florida.  Especially dangerous to Spanish ships.  Tell that to your underwriters.

But they probably have their own copy of the book.

And one very sure sign of a dangerous situation for your company is if you find one of your underwriters with an different book by the Flexner’s, The Optimists Guide to History.

Something important to check for.

ERM Disclosure (2)

In a post last week, it was noted that US insurers are starting to admit to managing their risks in their public disclosures.  The 671 word discussion of the ERM process of Travelers was reproduced.  (Notice that over 100 of those words talk about the unreliability of the ERM system. )

But disclosure of ERM processes has been much more widespread and much more extensive in other parts of the world for more than 5 years.

For Example, Munich Re’s 2010 annual report has a 20 page section titled Risk Report.  That section has sub headings such as:

Risk governance and risk management system

Risk management organisation, roles and responsibilities

Control and monitoring systems

Risk reporting

Significant risks

Underwriting risk: Property-casualty insurance

Underwriting risk: Life and health insurance

Market risk

Credit Risk

Operational risk

Liquidity risk

Strategic risk

Reputation Risk

Economic Capital

Available Financial Resources

Selected Risk Complexes

It is not just Munich Re.  Manulife’s Risk Management disclosure is 22 pages of their annual report.  Below is the introduction to that section:

Manulife Financial is a financial institution offering insurance, wealth and asset management products and services, which subjects the Company to a broad range of risks. We manage these risks within an enterprise-wide risk management framework. Our goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue, earnings and capital growth.
We seek to achieve this by capitalizing on business opportunities that are aligned with the Company’s risk taking philosophy, risk appetite and return expectations; by identifying, measuring and monitoring key risks taken; and by executing risk control and mitigation programs.
We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management (“ERM”) framework sets out policies and standards of practice related to risk governance, risk identification, risk measurement, risk monitoring, and risk control and mitigation. With an overall goal of effectively executing risk management activities, we continuously invest to attract and retain qualified risk professionals, and to build, acquire and maintain the necessary processes, tools and systems.
We manage risk taking activities against an overall risk appetite, which defines the amount and type of risks we are willing to assume. Our risk appetite reflects the Company’s financial condition, risk tolerance and business strategies. The quantitative component of our risk appetite establishes total Company targets defined in relation to economic capital, regulatory capital required, and earnings sensitivity.
We have further established targets for each of our principal risks to assist us in maintaining appropriate levels of exposures and a risk profile that is well diversified across risk categories. In 2010, we cascaded the targets for the majority of our principal risks down to the business level, to facilitate the alignment of business strategies and plans with the Company’s overall risk management objectives.
Individual risk management programs are in place for each of our broad risk categories: strategic, market, liquidity, credit, insurance and operational. To ensure consistency, these programs incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework, covering:

■ Assignment of risk management accountabilities across the organization;
■ Delegation of authorities related to risk taking activities;
■ Philosophy and appetite related to assuming risks;
■ Establishment of specific risk targets or limits;
■ Identification, measurement, assessment, monitoring, and reporting of risks; and
■ Activities related to risk control and mitigation.

Such frank discussion of risk and risk management may be seen by some US insurers’ management to be dangerous.  In the rest of the world, it is moving towards a situation where NOT discussing risk and risk management frankly and openly is a risk to management.

Which would you prefer?

ERM Discosure

Here is a tip from the IRMI about how to get started with a new ERM program:

✓ If  you  are  a  public  company,  begin  by asking  the  person  or  group  that  identifies  risks  for  SEC  reports  to  also  identify
the top three corrective actions for the next quarter. Update the list quarterly.

That sounds like a great suggestion.  RISKVIEWS has always been amazed that the standard for disclosure in the US has been to disclose risks but not to say anything about what the firm is doing about those risks.  Based upon the standard disclosures, it is almost impossible to tell the difference between a firm with state of the art risk management and a firm with almost none.

But recently, companies, even in the US, are increasingly including a mention of their risk management activities along with the required laundry list of risks.

Just picking a public firm at random, here is an excerpt from Allstate’s risk disclosure:

As a property and casualty insurer, we may face significant losses from catastrophes and severe weather events

Because of the exposure of our property and casualty business to catastrophic events, our operating results and financial condition may vary significantly from one period to the next. Catastrophes can be caused by various natural and man-made disasters, including earthquakes, volcanoes, wildfires, tornadoes, hurricanes, tropical storms and certain types of terrorism. We may incur catastrophe losses in our auto and property business in excess of: (1) those experienced in prior years, (2) those that we project would be incurred based on hurricane and earthquake losses which have a one percent probability of occurring on an annual aggregate countrywide basis, (3) those that external modeling firms estimate would be incurred based on other levels of probability, (4) the average expected level used in pricing or (5) our current reinsurance coverage limits.Despite our catastrophe management programs, we are exposed to catastrophes that could have a material adverse effect on operating results and financial condition. For example, our historical catastrophe experience includes losses relating to Hurricane Katrina in 2005 totaling $3.6 billion, the Northridge earthquake of 1994 totaling $2.1 billion and Hurricane Andrew in 1992 totaling $2.3 billion. We are also exposed to assessments from the California Earthquake Authority and various state-created catastrophe insurance facilities, and to losses that could surpass the capitalization of these facilities. Our liquidity could be constrained by a catastrophe, or multiple catastrophes, which result in extraordinary losses or a downgrade of our debt or financial strength ratings.

In addition, we are subject to claims arising from weather events such as winter storms, rain, hail and high winds. The incidence and severity of weather conditions are largely unpredictable. There is generally an increase in the frequency and severity of auto and property claims when severe weather conditions occur.

Green text coloring added by RISKVIEWS to highlight mention of risk management activities.

Another example from Travelers:

Catastrophe losses could materially and adversely affect our results of operations, our financial position and/or liquidity, and could adversely impact our ratings, our ability to raise capital and the availability and cost of reinsurance. Our property and casualty insurance operations expose us to claims arising out of catastrophes. Catastrophes can be caused by various natural events, including, among others, hurricanes and other windstorms, earthquakes, hail, wildfires, severe winter weather, floods and volcanic eruptions. Catastrophes can also be man-made, such as a terrorist attack (including those involving nuclear, biological, chemical or radiological events), explosions, infrastructure failures or a consequence of political instability. The geographic distribution of our business subjects us to catastrophe exposures in the United States, which include, but are not limited to: hurricanes from Maine through Texas; tornadoes throughout the Central and Southeast United States; earthquakes in California, the New Madrid region and the Pacific Northwest region of the United States; wildfires, particularly in the Southwest; and terrorism in major cities in the United States. In addition, our international operations subject us to catastrophe exposures in the United Kingdom, Canada and the Republic of Ireland, as well as to a variety of world-wide catastrophe exposures through our Lloyd’s operations. The incidence and severity of catastrophes are inherently unpredictable, and it is possible that both the frequency and severity of natural and man-made catastrophic events could increase. Some scientists believe that in recent years changing climate conditions have added to the unpredictability and frequency of natural disasters (including, but not limited to, hurricanes, tornadoes, other storms and fires) in certain parts of the world and created additional uncertainty as to future trends and exposures. For example, in recent years hurricane activity has impacted areas further inland than previously experienced, thus expanding our overall hurricane exposure. The catastrophe modeling tools that we use, or that we rely on from outside parties, to help manage certain of our catastrophe exposures are based on assumptions and judgments that are subject to error and mis-estimation and may produce estimates that are materially different than actual results. In addition, our increased presence in certain geographic areas, such as in the Midwest and Western regions of the United States, and any changes in climate conditions could cause our data to be more limited and our catastrophe models to be even less predictive, thus limiting our ability to effectively evaluate and manage such exposures. See ‘‘Item 7— Management’s Discussion and Analysis of Financial Condition and Results of Operations—Catastrophe Modeling’’ and ‘‘—Changing Climate Conditions.’’ The extent of losses from a catastrophe is a function of both the total amount of insured exposure in the area affected by the event and the severity of the event. Increases in the value and geographic concentration of insured property and the effects of inflation could increase the severity of claims from catastrophic events in the future. In addition, states have from time to time passed legislation, and regulators have taken action, that has the effect of limiting the ability of insurers to manage catastrophe risk, such as legislation prohibiting insurers from reducing exposures or withdrawing from catastrophe-prone areas or mandating that insurers participate in residual markets. Participation in residual market mechanisms has resulted in, and may continue to result in, significant losses or assessments to insurers, including us, and, in certain states, those losses or assessments may not be commensurate with our direct catastrophe exposure in those states. If our competitors leave those states having residual market mechanisms, remaining insurers, including us, may be subject to significant increases in losses or assessments following a catastrophe. In addition, following catastrophes, there are sometimes legislative initiatives and court decisions which seek to expand insurance coverage for catastrophe claims beyond the original intent of the policies. Also, our ability to increase pricing to the extent necessary to offset rising costs of catastrophes, particularly in the Personal Insurance segment, requires approval of regulatory authorities of certain states. Our ability or our willingness to manage our catastrophe exposure by raising prices, modifying underwriting terms or reducing exposure to certain geographies may be limited due to considerations of public policy, the evolving political environment, changes in the general economic climate and/or social responsibilities. We also may choose to write business in catastrophe-prone areas that we might not otherwise write for strategic purposes, such as improving our access to other underwriting activities. There are also risks that impact the estimation of ultimate costs for catastrophes. For example, the estimation of reserves related to hurricanes can be affected by the inability to access portions of the impacted areas, the complexity of factors contributing to the losses, the legal and regulatory uncertainties and the nature of the information available to establish the reserves. Complex factors include, but are not limited to: determining whether damage was caused by flooding versus wind; evaluating general liability and pollution exposures; estimating additional living expenses; the impact of demand surge; infrastructure disruption; fraud; the effect of mold damage; business interruption costs; and reinsurance collectability. The timing of a catastrophe’s occurrence, such as at or near the end of a reporting period, can also affect the information available to us in estimating reserves for that reporting period. The estimates related to catastrophes are adjusted as actual claims emerge and additional information becomes available. Exposure to catastrophe losses or actual losses following a catastrophe could adversely affect our financial strength and claims-paying ratings and could impair our ability to raise capital on acceptable terms or at all. Also, as a result of our exposure to catastrophe losses or actual losses following a catastrophe, rating agencies may further increase capital requirements, which may require us to raise capital to maintain our ratings or adversely affect our ratings. A ratings downgrade could hurt our ability to compete effectively or attract new business. In addition, catastrophic events could cause us to exhaust our available reinsurance limits and could adversely impact the cost and availability of reinsurance. Such events can also impact the credit of our reinsurers. For a discussion of our catastrophe reinsurance coverage, see ‘‘Item 1—Business—Reinsurance—Catastrophe Reinsurance.’’ Catastrophic events could also adversely impact the credit of the issuers of securities, such as states or municipalities, in whom we have invested. In addition, coverage in our reinsurance program for terrorism is limited. Although the Terrorism Risk Insurance Program Reauthorization Act of 2007 (the Act) provides benefits in the event of certain acts of terrorism, those benefits are subject to a deductible and other limitations. Under this law, once our losses exceed 20% of our commercial property and casualty insurance premium for the preceding calendar year, the federal government will reimburse us for 85% of our losses attributable to certain acts of terrorism which exceed this deductible up to a total industry program cap of $100 billion. Our estimated deductible under the program is $2.08 billion for 2011. In addition, because the interpretation of this law is untested, there is substantial uncertainty as to how it will be applied to specific circumstances. It is also possible that future legislative action could change the Act. Because of the risks set forth above, catastrophes such as those caused by various natural events or man-made events such as a terrorist attack, including ‘‘unconventional’’ acts of terrorism involving nuclear, biological, chemical or radiological events, could materially and adversely affect our results of operations, financial position and/or liquidity. Further, while we seek to manage our exposure to man-made catastrophic events involving conventional means, there can be no assurance that we would have sufficient resources to respond to claims arising out of one or more man-made catastrophic events involving so-called weapons of mass destruction, including nuclear, biological, chemical or radiological means.

Travelers actually has a section of the 10k devoted to Catastrophe modeling:

CATASTROPHE MODELING

The Company uses various analyses and methods, including computer modeling techniques, to analyze catastrophic events and the risks associated with them. The Company uses these analyses and methods to make underwriting and reinsurance decisions designed to manage its exposure to catastrophic events. In making underwriting and reinsurance decisions for hurricane and earthquake exposures, the Company uses third-party proprietary computer modeling in an attempt to estimate the likelihood that the loss from a single event occurring in a one-year timeframe will equal or exceed a particular amount. The tables below set forth the estimated probabilities that losses from a single event occurring in a one-year timeframe will equal or exceed the indicated loss amounts (expressed in dollars and as a percentage of the Company’s common equity). For example, on the basis described below the tables, the Company estimates that there is a one percent chance that the Company’s loss from a single U.S. hurricane occurring in a one-year timeframe would equal or exceed $1.1 billion, or 5% of the Company’s common equity at December 31, 2010. Dollars (in billions) Single U.S.

The last disclosure does provide good context for their risk level.  And their ability to even disclose this information suggests a likelihood that they may be actually using this information to manage the risk.

Travelers goes on to take the unusual step for a US insurer of actually directly addressing their ERM program in their 10k:

ENTERPRISE RISK MANAGEMENT

As a large property and casualty insurance enterprise, the Company is exposed to many risks. These risks are a function of the environments within which the Company operates. Since certain risks can be correlated with other risks, an event or a series of events can impact multiple areas of the Company simultaneously and have a material effect on the Company’s results of operations, financial position and/or liquidity. These exposures require an entity-wide view of risk and an understanding of the potential impact on all aspects of the Company. It also requires the Company to manage its risk-taking to be within its risk appetite in a prudent and balanced effort to create and preserve value for all of the Company’s stakeholders. This approach to Company-wide risk evaluation and management is commonly called Enterprise Risk Management (ERM). ERM activities involve both the identification and assessment of a broad range of risks and the execution of synchronized strategies to effectively manage such risks. Effective ERM also includes the determination of the Company’s risk capital needs, which takes into account regulatory requirements and credit rating considerations, in addition to economic and other factors. ERM at the Company is an integral part of business operations. All risk owners across all functions, all corporate leaders and the board of directors are engaged in ERM. ERM involves risk-based analytics, as well as reporting and feedback throughout the enterprise in support of the Company’s long-term financial strategies and objectives. The Company uses various methods, including sophisticated computer modeling techniques, to analyze catastrophic events and the risks associated with them. These analyses and methods are used in making underwriting and reinsurance decisions as part of managing the Company’s exposure to catastrophic events. In addition to catastrophe modeling and analysis, the Company also models and analyzes its exposure to other extreme events. These analytical techniques are an integral component of the Company’s ERM process and further support the Company’s long-term financial strategies and objectives. In addition to the day-to-day ERM activities within the Company’s business units, other key internal risk management functions include the Management Committee (comprised of the Company’s Chief Executive Officer and the other most senior members of management), the Enterprise and Underwriting Risk Committees of management, the Credit Committee, the Chief Compliance Officer, the Business Conduct Officer, the Corporate Actuarial group, the Corporate Audit group, the Accounting Policy group, the Enterprise Underwriting group and many others. A senior executive oversees the ERM process. The mission of this executive is to facilitate risk assessment and to collaborate in implementing effective risk management strategies throughout the Company. Another strategic ERM objective of this executive includes working across the Company to enhance effective and realistic risk modeling capabilities as part of the Company’s overall effort to understand and manage its portfolio of risks to be within its risk appetite. Board oversight of ERM is provided by the Risk Committee of the board of directors, which reviews the strategies, processes and controls pertaining to the Company’s insurance operations and oversees the implementation, execution and performance of the Company’s ERM program. The Company’s ERM efforts build upon the foundation of an effective internal control environment. ERM expands the internal control objectives of effective and efficient operations, reliable financial reporting and compliance with applicable laws and regulations, to fostering, leading and supporting an integrated, risk-based culture within the Company that focuses on value creation and preservation. However, the Company can provide only reasonable, not absolute, assurance that these objectives will be met. Further, the design of any risk management or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains in spite of the Company’s significant ERM efforts. An investor should carefully consider the risks and all of the other information set forth in this annual report, including the discussions included in ‘‘Item 1A—Risk Factors,’’ ‘‘Item 7A—Quantitative and Qualitative Disclosures About Market Risk,’’ and ‘‘Item 8—Financial Statements and Supplementary Data.’’

And finally, Travelers does disclose in the list of management that there are two senior executives, out of about 50 listed, with the words “Enterprise Risk Management” as a part of their title.

Reporting on an ERM Program

In a recent post, RISKVIEWS stated six key parts to ERM.  These six ideas can act as the outline for describing an ERM Program.  Here is how they could be used:

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

REPORT: Display the risk profile of the firm.  Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past.  Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions. 

2.  Firm needs to be sure of the quality of the risks that they take.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

REPORT:  Display the risk quality of the firm.  Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes.  Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

REPORT:  The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached.  A record of breaches should also be shown.  (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.)  Emerging risks should have their own control cycle and be reported as well.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

REPORT:  For General Insurance, this means reporting combined ratio.  In addition, it is important to show how risk margins are similar to market risk margins.  Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest.  This is accomplished by mark-to-market accounting for investment risks.  Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins.  This should be clearly reported, as well as the reasons for that activity.  

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

REPORT:  Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks.  This process has its own control cycle.  The reporting for this control cycle should be similar to the process described above.  This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.  

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.

REPORT:  Losses can be shown in four layers, expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital and losses that exceed capital.  The likelihood of losses in each of those four layers should be described as well as the reasons for material changes.  Some firms will choose to report their potential losses in two layers, expected losses, losses that reach a certain likelihood (usually 99.5% in a year or similar likelihood).  However, regulators should have a high interest in the nature and potential size of those losses in excess of capital.  The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.  

Reading about ERM

Have you read any good books or papers about ERM?

Looking for a good book or paper about an ERM related topic?

Try  http://ermbooks.wordpress.com/

That blog has about 50 comments about specific books or articles about ERM as well as lists from various places that give dozens more possible readings.

Suggestions of additional books and articles to add to the blog would be highly appreciated.

 

Keeping up with Old ERM Programs – 10 Investor Questions (7)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

One of the most difficult things to accomplish in any organization is continuing to do well the things that were well developed in the past but that are not longer on the “front burner”.

Top management needs to limit attention to the most pressing problems.  So an existing program that is working well is just not likely to get much, if any, top management attention.  Continuing to get it right for the old tried and true parts of the organization is however of vital importance to the success of the organization.

Therefore Middle Management needs to be the keeper of these programs.  In some organization, this actually puts them at odds with top management priorities. Some Middle Managers, the lifers who are more loyal to the organization than to the current top management, will manage to do this under almost all circumstances, risking even their own positions to keep these vital programs going.  Other Middle Managers will feel that they are more loyal to the current management who put them in their positions.  They will reduce resources and even Middle Management attention to these old programs.

So far, this discussion could be about anything.  It does apply to risk management along with many other programs.  Old risk management programs are the base that new Enterprise Risk Management programs are built upon.  The old risk management programs are usually what creates the actual risk level of the firm that ERM then tries to manipulate.  However, if the firm brings in too many new risk managers who do not understand the importance of the old risk management programs, then they are likely to let them wither.

This is a major factor that causes the presumptions of the ERM program to be untrue or unstable.

The trick to this question is that the answer will tell you whether the CEO  is aware of any of this dynamic.  CEOs can be temporarily very successful by shifting all management attention to new products, or markets or programs, such as ERM.  For some period of time, the old risk management programs will continue to operate without any management attention, giving the firm a short free ride.  Eventually, those programs will wither away and the company will start to be hurt because the failure of these old programs that had an unrecognized, but bery real benefit.

A clear example of this is the area of Credit Risk underwriting.  Ten to fifteen years ago, every major financial institution had large credit underwriting staffs and a very carefully administered system for reviewing and coming to an agreement on credit quality of each opportunity for a loan or other extension of credit.  But with the development of trading desks, credit underwriting lost the attention of management.  Eventually, it simply stopped happening in many institutions,  Credit shifted to the trading paradigm.  However, the credit underwriting had a purpose and when it stopped happening, the presumption that credit positions had certain characteristics slowly had less and less meaning.  Until at the height of the credit crisis, a large number of institutions all believed and acted on that belief that very low credit quality positions in sub prime mortgages were actually of the very highest quality.  A small amount of work by an experienced credit underwriting team would have shown that presumption to be totally untrue.  (One firm who didn’t do credit underwriting, but did believe in reality checks sent their traders to spend some time each quarter applying for mortgages in the hottest markets.  Those traders wouldn’t touch any mortgage related exposure.)

So the best answer to this question would be for the CEO to understand the old risk management programs that create the presumptions that their visions for the future are based upon.  And to hear that the CEO values those programs.  As to how the firm keeps those programs going, the fact that the CEO can say the above two statements is probably enough in most firms.  As long as they do not undermine their words by cutting off funding to those old programs.

For extra credit, see if the CEO can actually list these old programs.

You Must Abandon All Presumptions

If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things to successfully manage risks are being done, and done now, not sometime in the distant past.

A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks.  The pilot will review:

• the route of flight
• weather at the origin, destination, and enroute.
• the mechanical status of the airplane
• mechanical issues that may have been improperly logged.
• the items that may have been fixed just prior to the flight to make certain that system works
• the flight computer
• the outside of the airplane for obvious defects that may have been overlooked
• the paperwork
• the fuel load
• the takeoff and landing weights to make sure that they are within limits for the flight

Most of us do not do anything like this when we get into our cars to drive.  Is this overkill?  You decide.

When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.

Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process.  One that RISKVIEWS would recommend to be used by risk managers.

THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT

Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

2.  Firm needs to be sure of the quality of the risks that they take.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.

A firm ultimately needs all six of these things.  Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.

The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things.  Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.

Another Point of View

Good Risk Management requires people who can see things from another point of view.

The various tasks that are required for good risk management actually require different people with different points of view.

• Loss Controlling requires people who are going to be willing to painstakingly review everything that the firm does to make sure that there are not any unintended accumulations of risk (or any risk accumulations that are being deliberately hidden).  These people need to have a point of view that focuses on the details.
• Risk Steering requires people with almost the opposite point of view, the big picture people.  To do good risk steering one must look past all of the details of risk and concentrate on the broad themes of risk that the firm is taking.
• Risk Trading requires people who are very outward focused, who are able to pay attention in the subtle and not so subtle changes in attitudes towards towards different risks in the marketplace.  They also need to be able to discern when changes in the company’s offerings or changes in the risk of the environment.  Their task is to make sure that the price that the company is getting for the risks it assumes is sufficient to pay for both the expected losses as well as appropriate compensation for the possibility of excess losses.
• Emerging Risks management requires people who are able to think outside the box, sometimes totally outside of the box to notice the faint signals that something is changing or something totally new is starting to happen and to imagine what might be needed to cope in the new situation.

Those are just not the same people.  So a smaller firm that has assigned their risk management to one person will be disappointed if that one person is not able to tap the skills of others who actually are readily able to think in these totally different ways.

That is one of the ways that risk management disappoints top management and frustrates the people asked to do it.  Even when an assigned risk manager is allowed or even encouraged to tap into these various other skills and points of view, it is very difficult for one person to even recognize the value of each of these different approaches.  More often the assigned risk manager will plow ahead building the risk management program that fits with their own point of view.

So no matter who you are and how good you are at risk management, remember to look for those people with the point of view that is very different from yours.  And pay attention to that they say about risk.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  But it is quite possible that the CEO might know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It either means that their staff never takes and significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

SO a firm with a good ERM program might be telling any of those stories in answer to the question.

High Risk Adjusted Returns and Risk Management – 10 Key ERM Questions from an Investor – The Answer Key (5)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

5.  In the sub prime market prior to the crisis, investors were buying AAA securities but getting a little more yield.  Since they were AAA rated, the capital required was minimal.  So the return on equity could be attractive.  Unless you held that story up to the light and freely admitted that your bank profits were bolstered by exploiting the fact that the market and the regulators had different opinions of the creditworthiness of the sub prime securities.

So, if the banks had answered honestly, they would have been saying that their profits were coming from regulatory arbitrage.  There are only three possible outcomes from this situation.  First, the market could wise up and the excess profits would disappear.  Second, the regulators could wise up and suddenly the banks would find themselves needing lots more capital, and third, the market persists in its opinion of higher risk and it turns out the market is correct.  But since under this third option, the bank is playing the regulators for the fools, as the risks stay the same or grow ever larger, the banks take more and more advantage of the stupid regulators.  They pretend to their board that the bank is safe because they are holding the capital that the regulators require.  The banks takes more and more risk – the compulsion to grow and grow earnings in the face of the shrinking spreads for everything with “normal” risk is an immutable imperative that requires banks to multiply their risk.

So one of the possible reasons that Risk Adjusted Return is high is that the risk adjustment is based upon regulatory requirements – not on an actual assessment of risk.  And there are three possible outcomes of playing the regulatory arb game that are unfavorable.

Another reason for higher risk adjusted returns is a competitive advantage.  Investors should be happy to hear about a competitive advantage.  They should also do their own assessment about how permanent that advantage might be.

From the point of view of assessing an ERM system, the answer to this question should reveal how seriously that management takes the idea of risk management.  High and unexpected returns are as good a signal as any of higher risk.  In fact, in the financial markets, high returns are almost always a symptom of higher risk.

You may say he’s a dreamer, but he was really a CRO

You have probably heard this story before.  The head guy as a dream, some lowly schmuck tells him what the dream means and gets a big promotion.  You might have seen it in the theater, or read it in the Torah or in Genesis.

Well, that story is really about risk management.  It just got twisted in retelling and they lost the point.

That Joseph fella, he was the Chief Risk Officer for Egypt.  It was a pretty lowly position.  Then he suggested to Pharaoh that there was some famine risk.  He suggested a counter cyclical grain reserve policy.  His suggestion was that each good year, Egypt should put aside 20% of the harvest as economic capital.

Joseph knew that no one would do this on just his say so, so he concocted this story of the dream of Pharaoh’s.  If it was Pharaoh’s dream then people would listen to the poor CRO.

It was a tough go.  After three years of good harvests people were screaming about the 20% cost of capital charge.  They said that there was no need for a reserve.  Then the fourth and fifth year of the good weather, they were going to Pharaoh with their complaints.

But Joseph pulled out his clay tablets of the rise and fall of the Nile over 2000 years and showed the Pharaoh how this was no more than a 1 in 200 reserve.  They had 10 such periods on record and the data told a pretty clear story.  They really needed such a reserve.  And Joseph could also bring in the court historian who could tell about what happened to the Pharaoh’s who were the rulers when those 1 in 200 year droughts occurred.  Most of them had to flee to Switzerland and Switzerland had not at that time invented indoor plumbing.  Not so good in the winter in the mountains.

Then Joseph brought in 10,000 slaves who each had a different clay tablet.  They were told to run around the room for a minute then to fall in line.  Joseph called this a Monte Carlo simulation, and indeed, they did run around like that in Monte Carlo in those days.

So somehow, Joseph held on to his job and his counter cyclical economic capital formula on the condition that he never did any monte carlo modeling in the palace again.  But after seven years, even the Pharaoh was running out of patience with Joseph.

Then it happened.  Joseph had never actually predicted a famine on the seventh year, but that is how the story got twisted afterwards.  But he did get credit for saving the day and the Pharaoh when the famine kept going for seven more years.

That is because Joseph pulled out more clay tablets and more historians and pointed out the likelihood of a long, long famine.  He was just about to prove his point with a “modeling” exercise when Pharaoh relented and allowed him to release the economic capital slowly.  Joseph wanted to base the release on a 99 cte calculation, but Pharaoh told him that the high priest would never understand that so just use PaR (Pyramid at Risk).

Joseph was named a hero and given a promotion to chief of staff or something, like the other CROs who survived the Great Famine Crisis (GFC).  Since the Pharaoh’s chief publicist could not understand a word Joseph said when he interviewed him about the economic capital so he remembered that old story about the dream.

So Joseph, the first risk manager on record went down as a dream interpreter instead.

And Risk Managers have had trouble getting their stories across ever since.

Inspired by The Ecoomics of Good and Evil, by Thomas Sedlecek

10 ERM Questions from an Investor – The Answer Key (3)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

3.  The answer to this question requires several parts of risk management to be right.  First of all, the answerer needs to know which risk position grew the most.  Second of all, in a good risk management program, the position that grew the most should have had by far the most scruitny.  High growth does not always spark big blow ups, but big blow ups are always preceded by high growth.  A firm that is not paying lots and lots of attention to its fastest growing risk is not going to end up with good results.  The highest growth positions require a disproportionate large amount of attention, but most often they get a disproportionately smaller share of attention.  Risk management budgets are determined based upon the business at the start of the year.  Finally, to answer the question, the firm needs to have someone who they can immediately identify who is responsible for that risk.  Best practice is to have a senior person responsible for each major risk.  That should be a business person, not the CRO or CFO.  If it is not the same person who is responsible for sales and profits, then management has set up a fight.  On one side is the person responsible for bringing in the business and for achieving profits.  On the other side is the person responsible for preventing losses.  Not a fair fight in most firms.

In the end, the best practice firms recognize that in situations of great change, there needs to be a special ERM process that exceeds the regular ERM process.

Learning from Disaster – The Honshu Earthquake

Steve Covey called it Sharpening the Saw.  A good risk management program will be continually learning.  The school of hard knocks is an extremely expensive teacher.  It is much better to audit the course by observing the experiences of others and learning from them.  The effective risk management program will be actively working to audit the courses of others experiences.

With that in mind, Risk Management magazine has devoted the May 2011 issue to learning from the Honshu earthquake.  There are four articles that review some key aspects of the Japanese experience as it appears right now.

• Nuclear Safety – the problems at the Fukushima Daiichi reactor came from the multiple events that struck.  The safety provisions were sufficient for the earthquake, but not for the tsunami.  There are specific questions raised in the article here about the specific design of the reactor cooling system.  But a greater question is the approach to providing for extreme events.  The tsunami was greater than any on the historical record.  Should it be necessary to prepare for adverse events that are significantly worse than the worst that has ever happened?  If so, how much worse is enough?  Do we even have a way to talk about this important question?
• Building Codes – the conclusion here is that Japanese building codes worked fairly well.  Many larger buildings were still standing after both the quake and the tsunami.  Christchurch did not fare as well.  But New Zealand codes were thought to be very strict.  However, the fault that was responsible for the earthquake there was only discovered recently.  So Christchurch was not thought to be in a particularly quake prone area.  As they overhaul the building codes in NZ, they do not expect to get much argument from strengthening the codes significantly in the Canterbury region.  The question is whether any other places will learn from Christchurch’s example and update their codes?
• Supply Chain - the movement over the past 10 years or more has been to “just-in-time” supply chain management.  What is obvious now is that the tighter that the supply chain is strung, the more that it is susceptible to disruption – the riskier that it is.   What we are learning is that great efficiency can bring great risk.  We need to look at all of our processes to see whether we have created risks without realizing through our efforts to improve efficiency.
• Preparedness – ultimately, our learnings need to be turned into actions.  Preparedness is one set of actions that we should consider.  The Risk Magazine focuses on making a point about the interconnectedness of all society now.  They say “Even a simple sole proprietorship operating a company in rural South Dakota can be negatively affected by political and social unrest in Egypt.”  We risk managers need to be aware of what preparedness means for each of our vulnerabilities and the degree to which we have reached a targeted stage of readiness.

Whenever there is a major crisis anywhere in the world, risk managers should review the experience to see what they can learn.  They can look for parallels to their business.  Can systems at their firm  withstand similar stresses?  What preparedness would create enough resilience?  What did they learn from their adversity?

Kellog Corporate Governance Conference II

Notes from comments by ERM session panelists:

Walter Havenstein, CEO, SAIC

Succession planning and leadership development seen as the most important ERM process at SIAC.  (Firm had been led by founder for 35 years up to 2003.)

Business of SIAC is 90% to government.  Large fraction of that business is Top Secret.  Needed to form special board committee to handle Classified Business oversight.  Board members with security clearances (Former DOD and Military officials).   This committee reports quarterly to board – saying what it can about classified work.

Work is highly technical and operationally sensitive – very high risk.  Risk decisions usually were about which people could work on which projects.

James McNerney, CEO, Boeing

There was much too much risk in the company when he became CEO.  ERM has made a big difference.  Risk management is integrated top to bottom and horizontally (covariance risk)

“you have to absorb some risk to make progress”

Boeing was the merger of four large companies.  There were not common views of anything, not any top to bottom or horizontal integration.  Operations are centered upon local plants.  There were compliance issues – Finance, Legal and HR did not collaborate.  Had to strengthen internal controls to deal with compliance issues.

Boeing made an acquisition that brought in much more tail risk than they knew.  And they had added a huge amount of risk with the BIG NEW PRODUCT (787).

Have used the COSO framework for ERM.  That has served Boeing well. It was easy to work hard at ERM because the risks were very visible.  Risk management does not slow Boeing down, it speeds us up.  The annual rhythms of ERM work well.  They are asking the same questions every year and 80% of the answers come back the same as the prior year, but each year 20% come back different – and those different answers are important to know.

At Boeing, risk of every one of 16 major projects is so large that any one could bring down the firm.  This makes risk management extremely important.

Jim Kackley – Herman Miller board member

ERM process was urged on CEO by the Audit committee of board.  They wanted a more rigorous look at risks and they insisted that ERM be a value added process – not just a cost drag.

Started ERM process at Senior Management level – not bottom up (COSO) process.  Identified 40 risks.  Afraid that if they got the whole company involved it would lead to too risk averse of a culture.  Supplemented senior management views with interviews of next level managers.  10 critical risks were then chosen for risk management focus.

Risks are not discreet.  In 2008, pension plan went from fully funded to underfunded causing problems with cash, balance sheet, income and debt covenants.  There was a cascading risk effect.

Another major risk comes from subcontractors.

High focus on likelihood of risks vs. Risk Gap (residual risk).  Created mitigation framework for each major risk.  Senior managers were given specific risk oversight assignments and reported to board about status of each major risk.  Risk management was seen as primarily a board responsibility.

CEO had to present strategic plans with a discussion of how each major strategy related to the top risks.

Each spring, the board reviews Global Risks; such things as sovereign default risk, Japan sourcing risk, Arab Spring.  Ends with a roundtable discussion where each board member gets 5 minutes to say what their major concern might be.

High degree of concern that company might become too risk averse.

================================================================================

RISKVIEWS OBSERVATION: There was at least one attendee who was worried that ANY attention to risk might be bad for a businesses entrepreneurial spirit! In his mind, the ONLY defense is a good offense.

Other comments during Q&A:

There is a trend towards more board awareness of risk.  Each director brings in different past experiences with risk so listening to their guidance on risk may be very helpful in a wide range of situations.

Sometimes risk management focuses on trivial things and wastes the board’s time.

Boards do not necessarily need to get involved in crisis management.

Most important way to manage M&A risk is to really do due diligence.

Kellog Corporate Governance Conference I

Remarks by David Ingram

I have been asked to start off the program by describing to you what I think that Enterprise Risk Management means.

ERM is a term that is used by many people to mean many very different things.  In my experience, some would say that ERM is an extension of Sarbanes Oxley.  Some would say that it is the process that got banks into trouble by forcing them to make decisions with faulty models.  Others would say that ERM is just a compliance exercise or the latest management consultant buzz word.

All that is a shame.  Because ERM has the potential to be so much more useful than any of that.  ERM can be the systematic process that a business uses to ensure that the it has the resilience to survive.  You see I believe that a business has three overarching goals:  Sales, Profits and Survival.  Businesses have long had organized processes to achieve those first two goals.  ERM is just the process that a business uses to achieve that third overarching goal – Survival.

In business, with all the adversity both from competitors and from the all the other adverse possibilities in the rest of the world,  you need to be either lucky or careful to survive.

People commonly confuse the two.  Lucky Lindbergh was extremely careful.  The popular story was that he dashed off with two sandwiches in a sack.  But he readily admitted that he also had five days of army rations that he thought he could survive on for much longer.  Lindbergh was careful.

Careful does not mean that you do not take risks.  It means that you take them with your eyes open and with preparation.

So, I want to explain what I think ERM is by telling you about five important things about a risk management program that are needed to make it work.

1. It is about the future.
2. Know what you want.
3. Pay attention and communicate.
4. Empower someone to take actions in response to risk situations.
5. Best results from ERM if you can align your risk attitude and risk strategy with the risk environment

ERM is about the Future

ERM is about the future and it is about making sure that there is a future.  Studies tell us that in an average 5 years period, about 80% of firms in the S&P 500 will continue on the S&P 500, about 7% will fail or be acquired and about 13% will drop off the S&P 500.

Risk management is about your future and the possibility that your firm could be one of the 400 S&P 500 firms continue in the S&P 500.  Not the 100 x S&P 500.

One of the disconcerting things about the future is that you do not know what is going to happen.  That means that one of the key management tricks that you have learned for management, the trick of boiling everything down to just the one most important number will not work.  If you have heard discussions of how VaR was the problem – the problem was the one number approach, not the one number that was used.  When you are talking about success, you may well be able to represent that with just one number.  But failure can come from any direction.   So because risk management is about the future, a very different management approach is needed.

In fact, I wrote a paper entitled Risk and Light that explains how using a one number approach to risk is likely to lead to unexpected accumulations of risks that you are not paying attention to.

So risk management is about looking out for ALL of the future things that could put your firm into the 100 x S&P list.  And making plans to deal with those things.  It is not primarily about preventing the reoccurrence of the last problem.

Know what you want

Now studies show that about 50% of the firms that are trying to do risk management do not have an objective for their risk management.  That objective is called a risk appetite.  Risk Appetite is the amount of risk that a firm is willing to take consciously.  From my personal experience at S&P listening to about 200  firms, I would say that the correct number is more like 75%.

I just said that on the average, S&P 500 firms have a 7% chance of failing or being merged out of existence and a 13% chance of falling off the S&P 500.  I would call those statistics the average effective risk appetite of the S&P 500 firms.  That effective risk appetite is the degree of riskiness of the firm in actuality.

When I was an analyst at S&P, they had an estimate for effective risk appetite of all of the rated firms.   Those estimates varied by credit quality.  There is a 1% to 14% chance of defaulting and a 10% to 15% chance of downgrade.

Many people say that they do not have a risk appetite because it is too difficult to come up with some top of the house combined estimate of risk.  I am not suggesting that you use S&P’s estimate, just pointing out that is can be done and perhaps you can do a better job yourself.

Knowing what you want means that you know what risk you are taking and what risk you want to be taking.

Pay Attention and Communicate

To get to the point where you can choose a risk appetite you need to be well aware of your effective risk appetite over several years and the sensitivity of the ERA to your management decisions and the variability of your risk environment.

And you will need to continue to pay attention and communicate about your risk position and potential changes.  That will likely require assigning some resources.

Empower someone to act

When I was at S&P, I saw quite a number of insurers who had developed great risk monitoring systems, they had appointed a Chief Risk Officer.  They had established risk committees and risk charters.  But when I asked what they did when confronted with an indicated risk problem, they talked about doing studies and holding emergency meetings and presenting findings.

I called those the Risk Management Entertainment Systems.  Because they never spoke of actually DOING anything as a result of their risk management program.

It is only really risk management if someone is empowered to do something.

But maybe that never happens because those actions will often fall into the category of “taking away the punchbowl just when the party gets going” as William Martin former Federal Reserve chairman said (and Greenspan famously never, ever did.)

Best results from ERM if you can align your risk attitude and risk strategy with the risk environment

Well, I have been told that you are all well aware of all of what I have just said.  You have an ERM program that looks ahead to the future, you have set your risk appetite, you pay attention and communicate your changing risk positions and you have empowered someone to act.

But I suspect, that even if you are doing those four things, you still may not be happy with your ERM system.  That may be because you did not know that you have to choose the risk management strategy that fits your situation.

The choices for risk strategy are:

–      Loss Controlling – Prevent Defense

–      Risk Trading – Cost Benefit Approach to Risk on a risk by risk basis

–      Risk Steering – Risk Selection based upon risk and reward

–      Diversification – Spread your risk exposures

If someone built you a risk management system they may not have even asked you what approach you wanted.  They may have believed that the approach that they favored was the “right” way to do ERM and therefore that is the way that you should do ERM.

You will be unhappy with your ERM system if it does not fit your risk attitude.  Your risk attitude is your belief about the risk environment.

You may believe that the risk environment is

–      Bust – high risk/loss

–      Boom – Low risk/high gains

–      Moderate – Some risk / manageable gains & losses

–      Uncertain – unpredictable risk and reward

So your best chance of Success is if there is alignment

Between…

–      your belief about risk environment – your Risk Attitude

–      your approach to risk management – your Risk Strategy

Fits with the

–      Actual Risk Environment

We have been calling this idea of alignment Rational Adaptability.  It means working to understand the risk environment, and to tailor your risk management strategy to the environment.  Sounds simple minded.  But it is actually fairly difficult and rarely achieved for a variety of reasons.

• The risk environment may be different for different risks that you are exposed to and your strategy can be varied for each different risk.
• Often a shift in the risk environment that management does not pick up and adjust to quickly enough is a reason for change of management.
• A risk management system that follows a risk strategy that is not aligned with the risk environment will be ignored.
• A risk attitude that is not aligned with the risk environment will lead to sub optimal risk decisions.

So in a nutshell, that is my explanation.

ERM means being careful, looking at the future, knowing what risk you want, paying attention, communicating but all in the context of a risk strategy – your risk strategy – not one out of the ERM box.

Is Your Company HQ located in Denial?

Denial is a popular location for companies to locate.  That is because Denial is a much more economical location than living in reality.

Companies who are headquartered in Denial do not have to think consciously about risk management.  It is inherent in their everyday business practices.  They do not need to appoint anyone to be their risk officer.  They do not need to schedule sessions with their board to ever talk about risk.  They always talk about risk with their boards.

True ERM has a very difficult time getting started in a firm headquartered there.  That is because of the cost structure in Denial.  Those firms are used to paying exactly zero for risk management.  They get to realize ALL of the profits of their choices, without deduction for risk management drag.

If you propose ERM to a firm that is located in Denial, you will have them ask for you to:

Show me how ERM adds to value.

Usually, with a smirk on their face, because they are sure that you cannot.

But for those who live outside Denial, they might ask the opposite question:

Show me how ignoring risk adds to value.

To them it is pretty obvious that a firm that has gone out of business has zero value.  So any strategy that reduces the chance of going out of business has the potential to have a positive impact on firm value.

Some prefer to live all the time in Denial, some just visit occasionally.

Football is about more than just Shoes

Of course it is. The equipment never wins the game. It never runs the game.  But a team that shows up without proper equipment has only a slim chance of prevailing.

And ERM is about more than just models.  Some people have mistakenly equated ERM with Economic Capital or VAR models.  That makes no more sense than the idea that football is all about the shoes.

Football is about having the right team, assigning the the right roles, setting the strategy and finally mostly about execution.  If you asked 1000 experts about football, few if any of them would even list the shoes.

But for ERM, you do need to also find the right people, assign the the right roles, set the risk strategy and execute.

So why have models found their way into the debate about ERM in financial affairs?

Models in general and Economic Capital in specific has become central to the ERM process because insurers and banks have traditionally used very crude and very different approaches to measuring risks, when they actually did try to measure them.  It is difficult to believe that an industry that exists by taking on risks from others like insurance would not have a clear tradition of measuring how much risk it was taking on in any clear and consistent way.

The methods that tended to be employed by insurers worked when the risks that they were taking stayed the same over time.  When the risks could be adequately tracked by reference to something that indirectly tracked with the level of the risk.  But when businesses and people and markets are changing the nature and level of risk constantly, those old relationships completely broke down.

The promise of economic capital and VaR models is to replace the old rules of thumb with timely and consistent scientific assessments of risk.

But even if that promise is achieved, the insurer or bank has only then got to the point of buying shoes for their football team.  Now they need to start training and coaching the team and watching to see how the team performs, providing feedback and constantly making adjustments as the other teams adjust their teams and strategies.

So the model is a start but it is the start of the football season, not even the start of the playoffs.

You have the shoes now play the game.