Risk managers have a difficult job, anticipating risk events and interpreting how they interact and aggregate with internal exposures. Emerging risks play a key role in this analysis. One such emerging risk, Solar Storms, is much more than just pretty northern lights. An impactful solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we do in this podcast.
A deep dive into the risk selected as the Most Dangerous of 2023. We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses. In addition, we also invert the question and consider what would cause future inflation to be very low. By Dave Ingram and Max Rudolph
Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.
This podcast refers to an article “Risk Intelligence” in the magazine Contingencies. You can read that article here.
Central bankers are doing all that they can to get inflation back to NORMAL, where in their minds, NORMAL is 2% inflation.
But what if, as many of us seem to be experiencing, the world is still going through some pretty extensive upheavals. And as those upheavals play out, the “natural” result would be for some major adjustments in the prices of a variety of things, especially the price of an employee’s time, that when measured by our inflation metrics result in a rebalancing which looks like 4% inflation. And what if that rebalancing is a force, like the forces that cause earthquakes, that will happen sooner or later whether we wish them to or not.
Let’s look at the wage thing in this context.
What happened in the US over the past several years to employment is very different from our experience over the history of the country. First of all, the retirement wave of the Baby Boomers had started. During the Pandemic, those retirements started to accelerate, in some situations, retirements doubled over a short time period. Increases in retirements often happen during a recession when unemployment rises as older folks at or near retirement age lose their jobs and decide that they might as well just retire. But the Pandemic was not a normal recession. The shutdowns were very temporary and were followed by rapid reopenings in many sectors. So employers needed to scramble to fill in for the retiring seniors. Meanwhile, many people (as well as businesses, government entities and other organizations) received cash assistance during the pandemic. Which made some less likely to take undesirable positions that they otherwise might have felt compelled to take.
With the openings due to retirements occurring at all levels, unemployed folks would have “moved up” the employment ladder to take as high paying of a job as they could qualify for. And some businesses have shifted to actually hiring people who may have the potential to fill a position, after training. That is an almost totally forgotten way of hiring – most employers have been doing decades of just in time = perfect fit – hit the ground running hiring.
A discussion of Risk and Risk Management from the perspective of an Insurance company risk manager. Insurers provide products that help everyone to manage their risks. Here you will hear Dave Ingram and Max Rudolph, actuaries from the global consultancy Actuarial Risk Management talk about the sorts of things that keep those insurance company risk managers up at night. Or at least they should.
The current real life scenario combines a pandemic, weather events, supply chain issues, inflation and a regional war all at the same time. Multi risk scenarios can provide major insights about a firm’s resilience that do not necessarily happen with single risk scenarios or even with stochastic models. You may not agree with all of them. They are meant to encourage you to think rather than to be predictive.
When you encounter vastly different risk-taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.
We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.
A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions.
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.
Over 200 respondents in the 6th annual Dangerous Risks to Insurers Survey reordered the top risks of 2023, with Inflation swapping with Cybersecurity and cybercrime for the top spot, and Global/National recession moving into the top 5 at #3.
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph
Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.
A deep dive into the risk selected as the Most Dangerous of 2023. We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses. In addition, we also invert the question and consider what would cause future inflation to be very low. By Dave Ingram and Max Rudolph
Don’t miss out. Make sure that you subscribe – new podcasts will be published twice a month.
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph
Over 200 respondents in the Dangerous Risks to Insurers Survey reordered the top risks, with Inflation swapping with Cybersecurity and cybercrime, and Global/National recession moving into the top 5 at #3.
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.
A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions.
We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.
When you encounter vastly different risk taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.
Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.
Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.
Here are abstracts and links to the existing documents:
Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
An Adaptor Strategy for Enterprise Risk Management(Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
Adaptor Exceptionalism:Structural Change & Systems Thinking, March 2022, RISKVIEWS, Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!
Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).
Do you notice anything unusual in the graph above that occurred in the first quarter of 2022? This graph says that in January about 6% of Americans were sick. That is about 25% of all of the COVID infections over the past 26 months. Other than January 2022, COVID infections averaged 2.4 million per month.
First quarter GDP fell by 1.4% in 2022.
I would bet that some of the GDP drop was due to the absolutely extraordinary level of illness in the first quarter.
I hadn’t noticed any commentary that agrees with this point. But I am guessing that since we are all feeling that we have turned the corner on COVID, we are deliberately putting it out of our minds. Which may cause us to draw erroneous conclusions about what is happening with the economy and take actions to fix something that may have been driven to some extant by the pandemic, not some other type of weakness in the economy.
Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).
With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.
Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.
To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.
Types of Risk Models
There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.
Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.
Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.
Some methods may fit a particular situation, company, or philosophy of risk better than others.
Factor-Based Models
Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.
The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.
Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.
The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as is A.M. Best’s BCAR score and S&P’s Insurance Capital Model.
Stress Test Models
Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:
Worst company results experienced in last 20 years Worst results observed across peer group in last 20 years Worst results across peer group in last 50 years (or, 20% worse than stage 2) Magnitude of stress-to-failure
Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.
High-Level Stochastic Models
Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.
Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.
A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.
Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.
Detailed Stochastic Models
Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.
Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.
Multi-Year Strategic Models with Active Management
In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.
And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.
For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.
Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.
Key Questions and Decisions
Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:
What are the issues to be aware of when creating or refining our model?
What software offers the most appropriate platform?
What data will we need to collect?
What design choices must we make, and which selections are most appropriate for us?
How best can we aggregate risk from different sources and deal with interdependency?
There are so many risk metrics that can be used to determine risk capital – Value at Risk, Tail Value at Risk, Probability of Ruin, etc. – what are their implications, and how can we choose among them?
How should this coordinate with catastrophe modeling?
Will our model actually help us to answer the questions most important to our firm?
What are best practices for validating our model?
How should we allocate risk capital to business units, lines of business, and/or insurance policies?
How should we think about the results produced by our model in the context of rating agency capital benchmarks?
Introducing a risk capital model may create management issues – how can we anticipate and deal with these?
In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?
Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?
Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?
The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.
In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.
It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.
In 2005, Standard & Poor’s called the process “Strategic Risk Management”.
“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.“
The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.
At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.
Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.
There are several common activities that may support the macro- level risk exploitation.
Economic Capital Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.
Risk-adjusted product pricing Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.
Capital budgeting The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.
Risk-adjusted performance measurement (RAPM) Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk- adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.
For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.
Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.
Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.
Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.
Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.
The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.
Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.
This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.
Pitfalls of Risk Reward Management
In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find it self quickly in major trouble.
Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.
Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries will oversee an online survey to help understand individual risk managers’ perspectives on emerging risks. We value insights from all levels of experience and background and invite you to participate in this annual survey. Please complete this survey by Nov. 22nd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at the SOA Research Institute, jschuh@soa.org.
Many of the most serious problems that have beset firms have not been repeats of past issues but very new situations. Emerging risks is one description that is used to refer to these “unknown unknowns.” It is simply not sufficient for an ERM program to fully master the control of potential losses from the risks that are known to exist right now. Many would consider the current financial crisis to be the result of emerging risks that were not sufficiently anticipated. Emerging risks may be unknown, but their consequences are real and insurers need to actively prepare for them.
Management should be monitoring and controlling the known risks. Emerging risks management is concerned with the impact of completely new or extremely rare adverse events. These risks cannot be managed via a control process. Monitoring systems would not show any results. But there are ways that the best- practice firms address emerging risks.
Emerging risks may appear suddenly or slowly, are difficult to identify, and often represent a new idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. An example from the past is asbestos or silicone liabilities. Other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. The recent problems experienced by banks and other financial firms resulting from mortgage losses could be classified as emerging risks.
For these risks, normal risk identification and monitoring will not work because the frequency is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on businesses and therefore cannot be excluded from a solid risk management program. Specific strategies and approaches must be implemented to cope with them properly.
Emerging risks can be unknown to the corporate body or merely unknown to the main decision takers. The O-ring problem was known about before disaster hit the US space shuttle Challenger in 1986 – just not known in a way that helped. When considering emerging risks, we need to consider communication to, and within, the corporate body. A good ERM approach should be able to handle both these aspects.
Emerging risks management will include a process of early warnings that will allow company management to anticipate disasters, however short the period of notice. Such a firm will have an inclusive approach to identifying and evaluating risk. This inclusiveness will encourage employees to express concerns openly, it will lead to the ability to learn from others’ experiences and it will allow a constructive approach to intelligence-gathering of both hard and soft information. A firm with good emerging risks management would expect to perform thorough post-mortem analyses of problem situations and would feed the results of that analysis back into its on-going disaster-planning process.
While the best ERM programs will often have a comprehensive emerging risks process, that process is not well served by a routine checklist. A company with excellent extreme-event management practices will instill and sustain a decidedly non-routine, imaginative flavor into its process.
Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability, are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment.
Emerging risks may appear abruptly or gradually, are difficult to identify, and may for some time represent a hypothetical idea more than factual circumstances. They often result from changes in the political, legal, market or physical environment. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown.
Nevertheless, past experience shows that when they materialize, they can have a significant impact on insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.
Identifying Emerging Risks
Developing an early warning system for emerging risks that methodically identifies potential new risk factors either through internal or external sources is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit the growth of exposure as the evidence becomes more and more certain. However, insurers practicing this discipline will need to be aware of the cost of false alarms.
Assessing Their Significance
Parties should assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment— which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm.
For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important.
On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.
A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions.
In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.
Define Appropriate Responses
Responses to emerging risks might be part of the normal risk control process, i.e. risk mitigation or transfer, either through reinsurance (or retrocession) in the case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging.
When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity. Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways for insurers to manage a liquidity crisis.
Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.
Advance Warning Process
For emerging risks the response plans developed as described above would often not be implemented immediately. Their implementation would often be deferred until a later date when the immanence of the emerging risk is more certain. For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advanced warning process.
To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk. These key risk indicators are tracked and compared to a trigger point that has been identified in advance. The trigger point might be set at the point when it is thought that action is needed, but more likely it triggers a new round of investigation of both potential impact and responses.
Learn
Finally, sound practices for managing emerging risks include establishing procedures for learning from past events is important. The company should identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.
All of these steps can be applied by any firm in any sector with some adaptation.
For an insurer who has just completed the initial stages of ERM development, the risk management framework is a statement of what was decided for each of those steps:
Identification of risks
Development of risk measures and reports
Identifying risk mitigations and setting risk limits
Appointing individuals to be responsible for the ownership of the identified risks as part of a defined risk organization structure.
This structure should provide the board with an on- going view of corporate risk profile. As the insurer develops its ERM process further into additional ERM practices, the risk management framework is also extended to include statements about the objectives of those practices within the insurer’s program. An insurer who is preparing for an Own Risk and Solvency Assessment (ORSA) should strongly consider having an additional set of associated policies.
Insurance Risk Policy This policy sets out the identification, measurement, mitigation and reporting stages associated specifically with insurance risk. It is a statement of the types and amounts of insurance coverage that the insurer will write as well as the methods that the insurer will use to select the specific risks. Processes should be defined for measuring these risks such as monitoring and reporting aggregate claims experience. Mitigation practices should be set to keep the insurance risk within the boundaries that management has set in the form of appetites, tolerances and limits. The insurance policy statement will also likely set out the approval and exception authority structure used by the company as well as the notification requirements for breaches of the policy. This breach process establishes expectations for actions to be taken in the event of significant deviations between actual and expected claims. The insurance rate setting process will also be described, as well as who has the responsibility of determining initial and final rates.
Investment Risk Policy The investment risk policy is a fraternal twin to the insurance policy. It defines the approval process for accepting types and amounts of investment risk. It also sets mitigation practices to be used and authorities for approvals and exceptions. These should all be consistent with the risk appetite, tolerance and limit statements of the insurer. The investment policy should set forth communications requirements on investment risk exposures and emerging experience in terms of timing and audience for that communication. Expectations for actions in the event of deviations from the policy and/or from investment losses or under-performance are also set out here.
ALM Policy
An asset/liability management—or ALM—policy is an expectation of regulators, but such a policy is primarily a concern for life insurers whose products are often inherently linked to investment performance. For non-life insurers, the ALM policy can usually be expressed as a short paragraph in the investment risk policy. This paragraph should set forth the targets for investment cashflows and should also address tolerance for liquidity risk.
Risk Appetite, Tolerance and Limit Statements Regulators and rating agencies all expect that insurers will have an articulated statement about their objectives with regard to risk taking. This includes both quantitative restrictions on the aggregate amount of risk that is retained and not fully mitigated and qualitative restrictions on the risks that will be taken. In most cases, the quantitative risk appetite statements is likely to be qualified by both amount and likelihood. For example, a company may seek to take risks to maintain a maximum net 1 in 10 year underwriting value at risk (Var) of £10m. This target defines limits for the gross underwriting risk which can be written at business unit level. Importantly, it also defines an important input into the reinsurance decision-making process.
Own Risk and Solvency Assessment (ORSA)
In the U.S. insurers that must file an ORSA are asked to include the following elements of an ERM Framework:
• Risk Culture and Governance – Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.
• Risk Identification and Prioritization – Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.
• Risk Appetite, Tolerances and Limits – A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.
• Risk Management and Controls – Managing risk is an ongoing ERM activity, operating at many levels within the organization.
• Risk Reporting and Communication – Provides key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.
Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles. Smaller organizations tend to need an ERM operation with all part-timers. We will call the former “Group ERM” programs and the latter “Company ERM”.
The organizing process always begins with two roles – the senior sponsor and the risk officer. During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1]. The Executive Sponsor initiates a project and gets appropriate resources and budget for the project. The Project Manager runs the project on a day-to-day basis. During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks. When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team.
Chief Risk Officer
The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO).
The CRO differs from organization to organization, but generally have some or all of these responsibilities:
Head the Risk Management Function
Chair the Risk Committee
Report to the Board on ERM
Report to shareholders on risk and capital management
Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators
Each of these will be discussed in following sections of this chapter.
The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer. Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary.
The CRO has a wide variety of roles. First and foremost, the CRO provides leadership and vision for the organization’s ERM program. They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision. The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system. This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture. The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization. The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary.
The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance. This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital. This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital.
The CRO is the leader of value added risk management. That means using the information from the ERM system to help the growth of the firm’s risk adjusted value. That requires some version of risk-adjusted financial results for various business units, territories and/or products. The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.
The CRO is the champion for the Value Added ERM, a major part of the implementation, as well as in explaining the idea and the results to stakeholders. A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation. The CRO may be responsible to perform analysis of risk-adjusted plan proposals and act as a resource to business units for developing risk-adjusted proposals. As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.
The CRO’s wide range of responsibilities means that there is no single route to the position. A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting.
Management Risk Committee
Most organizations form one or more risk management committees with a major role in the ERM framework. There are three main reasons: To provide support and assistance for the CRO, to help keep the ERM process realistic (i.e. Intelligent ERM above); and, to direct the application of resources for ERM activities that are outside of the risk management department.
Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report. The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee.
The exact responsibilities of the Risk Committee will vary by organization. The four most common and most important responsibilities are:
Setting Risk Appetite and Tolerance
Approving Risk framework and policies
Allocating Risk Appetite & Setting Risk Limits
Setting standards for risk assessment and economic capital
The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization. This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization. Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises.
The Risk committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board. These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department. The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO. The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions. The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions. The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.
In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee. For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners. The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite.
Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented. As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required. In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered. These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable. And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic.
Other topics that may be of concern to the Risk Committee include:
Monitoring compliance with limits and policies
Reviewing risk decisions
Monitoring risk profile
Proposing risk mitigation actions
Coordinate the risk control processes
Identify emerging risks
Discussing the above with the Board of Directors as agreed
Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies. In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program.
Risk Owners
Many organizations assign a single person the responsibility for each major risk. Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].
Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most of ten should the most effective way to manage a risk.
The Risk Owner’s role varies considerably depending upon the characteristics of the risk.
Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management. That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment officers are often the owners of Investment risks. However, risk structuring, in the form of setting the terms and conditions of the insurance contract is a key risk mitigation effort, and may not be part of the Chief Underwriter role. On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area. Other risk mitigations, through reinsurance and hedging could also be within or outside of these areas. Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks are collaborative among several company officers. In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks. The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.
Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated. Often the risk owners for Operational risks are managers in various parts of the organization.
Strategic risks are usually accepted through a firm’s planning process. Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm.
The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board. This report may include:
Plans for Exposure to risk and Risk Strategy
Plans to exploit and mitigate
Changes to Exposures taken and Remaining after mitigation
Adequacy of resources to achieve plans
Risk Management Department
In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person. The CRO will gain an assistant and eventually an entire department. The risk management department serves primarily as support staff for the CRO and Risk Committee. In addition, they may also be subject matter experts on risk management to assist Risk Owners. Usually, the risk management department also compiles the risk reports for the risk committees and Board. They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.
Internal Audit
Internal Audit often has an assurance role in ERM. They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches.
If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between compliance role and advisory role of the risk management department. Compliance is the natural role of Internal Audit and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.
In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”
This approach is often coupled with a compliance role for the board audit committee.
When internal audit is involved in this manner, there is sometimes a question about the role’s scope. That question is: whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role reviewing the ERM Framework itself? To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].
CEO Role in ERM
It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board,CRO, and front line management, but not to mention any specific part for the CEO.
“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)
Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual. While his position is an extreme that is not accepted by most CEO’s of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.
For the CRO and the ERM program to be effective, the organization needs clarity on the aspects of risk management which the CEO is directly delegating his or her authority to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners. Leading up to the financial crisis of 2008, the authority for some risk decisions were not clearly delegated to either the CRO or the Risk Owners in some banks, and CEO’s remained aloof from resolving the issue[5].
[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,
[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001
[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)
[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)
[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)
Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applied to risk as well as it does to other more commonly measured things like sales, profits and expens es .
Regulators take a similar view; what gets measured should get managed. ORSA f rameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.
This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.
From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.
The Need to Measure Up
Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identif ied.
Almost every CEO can cite the company’s latest f igures f or sales, expenses and profits, but very few know what the company’s risk position might be.
Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.
Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses:profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.
Risk, on the other hand, is all about things that might happen in the f uture: specif ically, bad things that might happen in the f uture.
Arisk measure reflects an opinion about the size of the exposure to f uture losses. All risk measures are opinions; there are no f acts about the f uture. At least not yet.
Rationalizing Risk
There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.
That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.
To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes .
Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.
Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.
For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking act ivit ies .
With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.
Value at Risk
The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000.
Contingent Tail Expectation
This value might represent the insurer’s risk capital target.Asimilar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).
The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.
Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.
In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.
Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.
Key Risk Indicators
Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.
For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be dif f icult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic f orecasts as risk indicators.
Of course,simplymeasuringriskisinsufficient.Theresultsof themeasurementmustbecommunicatedto people who can and will use the risk information to appropriately steer the future activity of the company.
Risk Dashboard
Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.
With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.
The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.
Enterprise Risk Management practice is different at different insurers. Partly that is driven by the different cultures and missions of insurers. For the most part, those differences can be seen to be driven by the choices that management makes of whether to emphasize one, two or all three of the following three parts of insurer ERM.
1. Individual risk management
Insurers practiced risk management long before they adopted enterprise risk management. With individual risk management (IRM), the insurer enables the organization to raise the risk management activities relating to all of the key risks of the organization up to a high and effective level of practice.
IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.
The result of an IRM function will be a transparent and disciplined approach to all of an organization’s key risks. This is often called a bottom-up risk management process as well. ERM standards such as COSO and ISO31000 promote an individual enterprise risk management process.
2. Aggregate risk management
Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.
ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or a series of risk models to evaluate the amount of aggregate capital needed to provide security for the risk exposure and an aggregate risk appetite and tolerance to help articulate the company’s expectations for capital levels in aggregate control processes.
Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks that are retained by the insurer with the capital it holds.
3. Risk reward management
One of the primary requirements of the model(s) used to evaluate aggregate risk is that they need to be as consistent as possible in their assessments. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: First regarding which are responsible for the largest parts of its risk profile, and, second, to look at the differences in reward for the risk taken.
With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.
Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms – primarily banks and insurers – tend to have risk profiles where the majority of their risks have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods, such as insurance, market and credit risks. Those risks frequently make up 75% or more of an insurer’s risk profile.
Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms’ risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main drivers of the limited focus of some ERM literature that often may not even mention aggregate risk management nor risk reward management.
Regulatory requirements for insurer ERM usually include aggregate risk management and some rating agencies (Standard & Poor’s – but not A.M. Best) are expecting insurers to have risk reward management as well. We have also noted some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.
At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.
Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.
There are seven distinct steps in the typical risk control cycle:
Identify Risks – Choose which risks are the key controllable risks of the company
Assess – Examine what are the elements of the risks that need (or can be) controlled
Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
Take Risks – Conduct the primary function of an insurance company
Mitigate – Take actions to keep the risks within limits
Monitor – Determine how risk positions compare to limits and report
Respond – Decide what actions to take if risk levels are significantly different from plan
Risk Control Cycle
The Complete Risk Control Process
A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.
Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
Assess risks: And the cycle starts again
The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.
Gaining the Greatest Benefit from the Risk Control Cycle
Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.
But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.
Risk Identification is widely acknowledged at the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!
Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.
This is an iterative process that refines managements’ understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk:
For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little or less credibility to an ORSA report if this ownership of ERM isn’t in place.
A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.
This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.
By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.
Risk Control Cycle
Step 1: Identify All Significant Risks
Risks must be identified in order to:
>Ensure that the full range of significant risks is encompassed within the risk management process >Develop processes to measure exposure to those risks >Begin to develop a common language for risk management with the company
Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:
Relevance to the insurer’s activities
Impact on the insurers financial condition
Ability to manage separately from other risks
The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.
The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.
For example:
Underwriting Risk
Market Risk
Operational Risk
Credit/Default Risk
Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.
The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.
Step 2: Understand Each Risk Exposure
It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.
In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.
Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.
The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.
Step 3: Evaluate
The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:
>Estimating the frequency of loss events, e.g., low, medium, and high >Estimating potential severity of loss events, e.g., low, medium, and high >Considering offsetting factors to limit frequency or severity of losses and understand potential control processes
Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation
Step 4: Prioritize
The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.
The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.
From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.
This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks:
The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
Regulatory Emphasis
Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.
Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.
ORSA Guidance Manual
This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.
That document provides a definition for risk identification and prioritization:
[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels
For the EU, the Solvency II ORSA requires that solo undertakings provide:
[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.
In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.
Insurance Core Principles (ICP)
The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.
Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.
It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.
The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.
The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries is overseeing an online survey to help understand individual risk managers’ perspectives on emerging risks. We value your insights and invite you to participate in this annual survey. Please complete this survey by Nov. 23rd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at jschuh@soa.org.
Many discussions of COVID-19 mitigation revolve around the requirements and recommendations that are made by the government.
The CDC suggests answering this question:
To what extent do individuals and organizations practice community mitigation strategies?
We will seek to answer that question via a questionnaire. Right now, we have piloted that questionnaire twice with about 30 people providing observations.
We have observations from people in the above states, which provide diverse situations regarding their COVID situation. (Here Level refers to the number of new cases per 100k from the past 14 days and Rate refers to the New Infection Rate which is the new infections from the current day as a percentage of the infections for the prior 14 days.)
Pilot Project Findings – not credible amount of data
The above reflects the average compliance over 36 mitigation strategies. This is a Pilot, so we are not concerning ourselves about numbers of observations but we recognize that these are not sufficient to draw any conclusions about the actual level of compliance. Of those 36 strategies, the top 10 are:
Pilot Project Findings – not credible amount of data
We welcome additional observers. We will be continuing the Pilot Project and working on getting funding to turn this into a full scale research project.
To contribute your observations follow this LINK. We welcome both additional observers for the states above as well as observers from states where we have not yet received any observations.
We have been hearing news reports for a week or more now that say that it is likely that COVID-19 actual infections are multiples of reported cases. THis is likely true. But probably not by as much as some reports.
That is because of the expected level of false positives from the antibody tests that are being used. Let’s break this down…
Let’s focus on the New York state figures reported above. They represent that the antibody testing of 7500 people in NY State showed antibodies for 14.9% of the sample, while reported cases run about 1.5% of the population of NY State. But, as is often the case, the most important information is in the footnote. It said that these figures are not corrected for test accuracy.
Now, accuracy for the antibody tests is reported to be about 90%. So many people would read that to mean that the result is good +/- 10%.
But that is not the case at all. In fact, a news report that I heard on the local news program yesterday said that it is quite possible that more than 2/3 of the people who got an indication of antibodies present do not in fact have any antibodies! How can that be you ask?
This result falls out of a little Baysian thinking. Like this…
Let’s assume that we have a population of 1 million people where 5% of those people or 50,000 have been infected and 950,000 have never been infected.
And that we have tested them all with an antibody test that is 90% accurate.
So when we test the 50,000 who were infected, the test will tell us that 90% or 45,000 have antibodies (which is correct) and that 5,000 do not (which is incorrect – the 10% error rate). So far so good.
But when we come to testing the 950,000 people who have not been infected, the test will find that 85.5% or 855,000 people are antibody free (correct for 90% of tests) and that 9.5% or 95,000 people have antibodies (the 10% error).
So in total, the testing told us that 45,000 + 95,000 = 140,000 people (14%) have antibodies. And that 5000 + 855,000 = 860,000 people do not. So the error rate for Positives is 95,000 / 140,000 = 67% of the positives are WRONG. Error rate for negatives is 5000/860,000 = 0.6% wrong. Not bad on the negatives.
So in this example, a test that told us that the rate of positives is 14%, when it is actually 5%.
So that 14.9% reported for New York State is likely to be closer to 5% if the test was 90% accurate. This is the adjustment for Test Accuracy that the footnote says was not made.
If you make a correction based on this example (which seems to almost fit the data), you get a corrected result of 5% (33% of the 14.9% reported). The 5% is still more than 3 times the reported 1.5% infection rate.
The Smell Test
This result is more consistent with reported statistics from China, where they report that about 50% of the cases are asymptotic or common cold like symptoms. People like that are unlikely to have been tested in New York when tests were in short supply. Of the other 50% who showed symptoms, China reported that about a third (15%) required treatment and a tenth (5% Included in the 15%) required treatment in an ICU. So if NY State was capturing all of the 15% who needed hospital care and three quarters of the other people with symptoms with testing, then 30% of the cases would be reported, as the 5%/1.5% ratio would indicate.
The 15% rate indicated by the test results without correction would suggest that either the disease is much milder in the US than in China or that NY State was not capturing more than 2/3 of 15% of the infections needing hospitalizations and none of the people with clear symptoms who did not go to the hospital. That just doesn’t seem likely to me.
So, to me the idea that 15% is more likely 5% passes my smell test.
It has been about a month since the US started Stay at Home (S@H) policies. Some people are wondering whether it has been worth it.
Here is a little thought exercise. At the end, you tell me if you think that it is worth it.
So if you think about it that way, it S@H worth it?
And if you can follow that story, then we can take it into May. Since we are looking at exponential curves, these numbers will keep diverging sharply. In another 20 days, if we can keep actual COVID-19 case growth at 3.5% or lower, we will go from about 40 to 80 cases per 100,000. And the 10% projection will double 3 times from about 90 to 650 per 100,000. That would be a 44 MILLION difference in infections and a 3 MILLION difference in deaths. By 15 May!
As far as I can tell, risk management as a business practice is pretty well embedded now, more than a decade after the Great Recession. But it appears to be more of a cost of doing business that is required by boards, regulators and rating agencies rather than as a boon to management of businesses. It is usually focused almost entirely on negative outcomes and insists on using its own language that is not even slightly close to the language used by top management in discussions of strategy for the firm.
When we overestimate our overall capacity, tangible and intangible, in relation to risk, we endanger our performance and even survival.
At the same time, there are continual examples of strategic
failures, failures that you could imagine could be avoided with some risk
management thinking. (Stories like
Kodak’s failure to develop a realistic vision of the coming impact of digital
photography to its film business or Blockbuster’s failure to understand the
threat from Netflix’s internet based business model.)
A new book, Agility, by Leo Tillman and General Charles Jacoby (ret.) suggests that we can enjoy the benefits of linking risk management to strategy by becoming . . . Agile. The book provides stories, both from businessman Tillman and military man Jacoby to illustrate the pitfalls of operating without Agility and the benefits of operating with.
Vital to an effective process for achieving agility is that it is not defined or operationalized in a rigid, one-size-fits-all way.
I think of their ideas as eminating from the realization
that because we usually operate in a competitive environment, even the simplest
of plans can be wrecked by unexpected reactions of those competitors.
My sense of Agility, after reading this book, is that it is a sort of continual restlessness, of never being satisfied that everything is running as well as it could and of not feeling completely safe from harm either. Always ready to change course to gain more advantage or to steer away from danger that was recently not even in sight. Tillman and Jacoby give the example of the football running back who might change course at any time to find daylight or to avoid a tackler.
Few plans survive contact with reality because our assumptions turn out to be incorrect, our adversaries act in unforeseen ways, or because our actions set in motion a multitude of forces that change the operating landscape itself.
They say that Agility has three components: risk intelligence, bias towards action and flexibility. Risk intelligence involves a forward-looking unbiased assessment of risks and opportunities associated with the risks. Tillman has written previously about risk intelligence. Bias towards action seems to be clearest in the military context. It is easy to imagine that a military unit that experienced analysis paralysis would not be long for the world. Flexibility is the ability not just to change plans but to execute the new plans well. That last item is probably the most difficult item here. It is one thing to assemble a team who can do a good job executing a pre-planned task, but another much more difficult task to create a group who are willing and able to change their goals and objectives significantly and who will proceed to deliver on those plans. But while difficult, Tillman and Jacoby point out that it is almost essential ability for an organization that expects to persist in the long run.
Adopting the agility mindset fundamentally transforms this perspective, turning a nice-to-have “luxury” into a mission-critical priority.
The agility mindset does not view risk as either inherently positive or negative. Instead, as alluded to earlier, it considers risks indispensable arrows in the quivers of decision makers. If we detect and assess environmental changes adroitly, these arrows enable us to both dynamically manage our portfolios of risks and alter our adversaries’ risk equations.
We fly blind when we do not fully understand our portfolio of risks, its role in our business model or its connection to our operating landscape.
While the premise of this book is well founded and well
explained, the thing that really makes the book stand out is the inclusion of
the military examples to show how each of the points that they make are supportable
not only by Tillman’s business examples but also in the military sphere. Examples include Napoleon at the Battle of
Borodino with the concept of risk intelligence, the invasion of Afghanistan and
Iraq illustrating execution and the Normandy invasion to illustrate the entire concept
of a combination of strategic and operational agility.
Risk Intelligence Definition: A general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience in matters involving risk and uncertainty. It is not merely book learning, nor is it primarily about a gut feel for risk. Rather, it reflects a broader and deeper capability for comprehending risk and uncertainty in our surroundings—”catching on,” “making sense” of things, or “figuring out” what to do in the face of both presenting and emerging risks.*
In an earlier post, RISKVIEWS told of the capabilities of the Risk Intelligent. To acquire capabilities, one must start with beliefs that (a) there is a need for such capabilities and (b) that such capabilities can be effective in satisfying the need. Common Beliefs of the Risk Intelligent that led them to acquire their capabilities:
The world is dangerous enough that we are motivated to control risks, and also predictable enough that systematic management and exploitation of risk can be worthwhile.
The characteristics of risks will drift over time (and occasionally jump unexpectedly) requiring constant vigilance to adapt risk exploitation and management processes.
Preferences for risk and reward are asymmetrical: the aversion to a large potential loss is always higher than the preference for the same sized potential gain
Opportunities for profit via risk-taking exist because firms can find opportunities to exploit risks that the market has miss-priced, and/or opportunities to exploit diversification effects
It is bad for organizations to fail, so risk management objectives should be a part of all company strategies and should involve the company’s CEO and board of directors
Risks can and should be measured; this measurement is a technical exercise that requires expertise
Management of risk requires diligent attention to any choices to accept risks and actions to mitigate or transfer risk; more significant risk decisions should be approved at more senior levels of the company hierarchy
These beliefs differ from standard economics beliefs.
As RISKVIEWS said in another post, the capabilities are gained via Education, Experience and Analysis. The next several posts on this topic will explore each of those paths separately. After that, RISKVIEWS will come back to the beliefs and discuss how they come about.
*It turns out that there are almost as many definitions of intelligence as there are psychologists. But on one day in 1994, almost 50 agreed with this definition, put forward by Linda Gottfredson:
Intelligence: A very general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience. It is not merely book learning, a narrow academic skill, or test-taking smarts. Rather, it reflects a broader and deeper capability for comprehending our surroundings—”catching on,” “making sense” of things, or “figuring out” what to do.
As you can see, RISKVIEWS based our definition of Risk Intelligence on this wording.
In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases. Here are some specifics…
Anchoring – too much reliance on first experience
Availability – overestimate likelihood of events that readily come to mind
Confirmation Bias – look for information that confirms bias
Endowment effect – overvalue what you already have
Framing effect – conclusion depends on how the question is phrased
Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
Hindsight bias – things seem to be predictable after they happen
Illusion of control – overestimate degree of control over events
Overconfidence – believe own answers are more correct
Status Quo bias – Expect things to stay the same
Survivorship bias – only look at the people who finished a process, not all who started
Ostrich Effect – Ignore negative information
Each of Education, Experience and Analysis should reduce all of these.
Experience should provide the feedback that most of these ideas are simply wrong. The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time. So learning to identify and avoid these biases through experience has had limited testing.
Education for a risk manager should simply mention all of these biases directly and their adverse consequences. Many risk managers receiving that education will ever after seek to avoid making those mistakes.
But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.
Analysis may provide the information to convince some of these remaining holdouts. Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.
So there may still be some people who even in the face of:
Experience of less than optimal outcomes
Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
Analysis that provides numerical back-up for unbiased decision making
Will still want to trust their own gut to make decisions regarding risk.
Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.
They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.
But I think that you could do the same thing with long division. Certainly with calculus. Compare answers of rubes on the sidewalk to math PhD s on a bunch of math questions and how well do you think the rubes would do?
Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.
I am sure that no-one with any Risk Intelligence would have bet against that finding.
Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.
But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.
Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.
And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.
Their conclusion could have been that many of us need basic financial and risk education, better understanding of how to accumulate helpful experiences and some basic analytical skills. Not as much fun as a long list of cutely names biases, but much more helpful.
Risk Intelligence is what you need to make astute decisions about risks that confront you.
With Risk Intelligence you will be able to:
know when something is risky
know how to systematically determine parameters of risk
Assess Danger from a Risk – and not be unduly swayed by Fear of that Risk
understand that those parameters do not fully define a risk. They identify a point on a gain and loss continuum
identify the handful of risks that make up 90% of the risk profile (key risks)
understand the mechanisms that the company uses to maintain a consistent rate of risk for each key risk and Help to make sure that those mechanisms are maintained and only expect that there will be deliberately agreed changes to the rate of risk for any key risk.
understand risk/reward analysis and cost/benefit analysis where the trade-offs are often a certain reduction in earnings vs. an uncertain reduction in future losses
discern when to trade short term certain gains for longer term uncertain but larger gains under conditions that could be repeated indefinitely for a tangible long term gain.
be aware of which risks the company is exploiting because they have the expertise and opportunity to make a good profit for the amount of risk take and are able to notice when the opportunity to exploit has passed.
be aware of which risks the company is accepting and carefully managing to achieve a reasonable profit while avoiding unacceptable losses.
be aware of the risks that are unavoidable but the create little or no profits and that should be minimized at an acceptable cost.
Understand that people are generally optimistic and need to test plans against alternate future scenarios
The short story “The Most Dangerous Game” has always fascinated. Wikipedia lists dozens of adaptations for Radio, Movies and TV. The story is about the most dangerous quarry for a hunter.
Insurers are not hunters, they do not exactly seek out risk. Well, maybe they do seek risks. But insurers should be aware that some risks are more dangerous than others.
In late 2017, RISKVIEWS polled 200 insurance executives and they provided their opinion of how to rank a long list of risks that threaten insurers. The polling software, found at allourideas.com, asks participants to rank pairs of items and uses a complex algorithm to create a ranking of the entire list. These 200 executives, on the average, chose to rank about 80 pairs making a total of over 16,000 rankings performed.
The results were published on the web here. The Top 10 risks were:
1 Cybersecurity & Cybercrime
2 IT/Systems & Tech Gap
3 Strategic Direction & Opportunities Missed
4 Pricing & Product Line Profit
5 Runaway frequency or severity of claims
6 Disruptive Technology
7 Customer needs not served by traditional approaches
8 Emerging Risks
9 Competition
10 Underwriting
And in mid 2018, RISKVIEWS looked around to find out what news there had been regarding each of the top risks and published the findings here.
Behavioral Finance / Behavioral Economics (BF for short) says that in general folks do a poor job of decision-making related to risk and finance. There is quite a lot of analysis of systematic errors that their experimental subjects have been found to make.
In general, people are found to make IRRATIONAL choices. RATIONAL choices are defined to be the choices that economists have found to be the best. (The best in the world specified by the economists – not necessarily in the world that people actually live in. But that is the subject for a different and long essay.)
This work is highly regarded and widely studied and quoted. Kahneman and Smith received a Nobel Prize for the original development of BF in 2002 and Thaler received a Nobel prize for his advancements in the field in 2017.
But does it actually make sense? As they pose the issue, it seems to. But take a step back. They are comparing economic decisions made by an economist to decisions made by folks with no training in economics. If they follow the general protocols of psychology, they would have looked for subjects with the least amount of knowledge of finance and risk.
So should it be a surprise that the studied population did not do well in their study? That they made systematic errors?
Imagine if you had a group of adults who had never been exposed to multiplication. And you gave them a simple multiplication test. Their answers would be compared to a group of math PhDs. So for the most part, they would have been guessing at the answers to the questions. If asked, they might well have felt good about their answers to some or all of the questions. But it is highly likely that they would be wrong.
From this experiment, it would be concluded that people cannot answer multiplication problems. The study might progress further and start to look at word problems, including word problems that represent everyday situations where multiplication is vital to getting by. Oh no, people are found to be poor at this as well.
But the solution is not some grand theory about how people are flawed regarding multiplication. The solution is math education!!!
On risk and finance, our society takes the position that in general we will not instruct people. That the best way to learn risk is via experience. And the best way to learn about finance is from a payday lender or a credit card past due debt collector.
Economists generally have PhDs. And their course of study includes both risk and finance. One topic, for example, is the math of finance. Taught within that topic are many of the approaches to financial decision making that BF has found that people make IRRATIONALLY. Another course that is generally required of economics PhDs is statistics. One of the ideas usually covered in statistics is risk. Even an introductory statistics course provides much more knowledge of risk than is needed to answer the BF questions. So economists have had systematic instruction that allows them to give the RATIONAL answers to the BF questions.
A side note – the idea of RATIONAL used in BF is consistent with Utility Maximization – an economics theory that was first fully developed in 1947. So even some economists might have failed the BF questions prior to that.
So instead of the conclusions reached by BF, RISKVIEWS would suggest a very simple alternative:
Or did they just have a different view of the degree of risk in their environment?
By Alex Proimos from Sydney, Australia – Three Little Pigs
Think about it? Is there any evidence that the first pig, whose house was made off straw, was fine with the idea of losing his house? Not really. More likely, he thought that the world was totally benign. He thought that there was no way that his straw house wouldn’t be there tomorrow and the next day. He was not tolerant of the risk of losing his house. He just didn’t think it would happen. But he was wrong. It could and did happen.
The second pig used sticks instead of straw. Did that mean that the second pig had less tolerance for risk than the first pig? Probably not. The second pig probably thought that a house of sticks was sturdy enough to withstand whatever the world would send against it. This pig thought that the world was more dangerous than the first pig. He needed sticks, rather than straw to make the house sturdy enough to last. He also was wrong. Sticks were not enough either.
That third pig has a house of bricks. That probably cost much more than sticks or straw and took longer to build as well. The third pig thought that the world was pretty dangerous for houses. And he was right. Bricks were sturdy enough to survive. At least on the day that the wolf came by.
The problem here was not risk tolerance, but inappropriate parameters for the risk models of the first two pigs. When they parameterized their models, the first pig probably put down zero for the number of wolves in the area. After all, the first pig had never ever seen a wolf. The second pig, may have put down 1 wolf, but when he went to enter the parameter for how hard could the wolf blow, he put down “not very hard”. He had not seen a wolf either. But he had heard of wolves. He didn’t know about the wind speed of a full on wolf huff and puff. His model told him that sticks could withstand whatever a wolf could do to his house. When the third pig built his risk model, he answered that there were “many” wolves around. And when he filled in the parameter for how hard the wolf could blow, he put “very”. When he was a wee tiny pig, he had seen a wolf blow down a house built of sticks that had a straw roof. He was afraid of wolves for a reason.
Someone recently told RISKVIEWS that before a company could start a project to revitalize their risk governance structures they MUST update their Risk Appetite and Tolerance. Because everything in an ERM program flows from Risk Appetite and Tolerance. That suggestion is likely to be too much logic to succeed.
What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:
The update project will never be completed.
The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.
An organization will make a change when the pain of continuing on the existing course exceeds the pain of change. (paraphrased from Edgar Shein)
So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.
So you can think of the ERM program as the combination of several subsystems:
Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
Measurement – the models and other methods used to measure risk
Selection, Mitigation and Control – the processes that make up the every day activities of ERM
Capital Management – the processes that control aggregate risk including the ORSA.
Risk Reward Management – the processes that relate risk to prices and profits
When management of an organization is dissatisfied enough with any one of these sub systems, then they should undertake to revise/replace/improve those sub systems.
These sub systems are highly interconnected, so an improvement to one sub system is likely to increase dissatisfaction with another sub system.
For example, if the Governance sub system is not working. People are not fulfilling their ERM related responsibilities which they may not really understand. When this subsystem is set right, people are aware of their ERM responsibilities and then they find out that some of the other sub systems do not provide sufficient support for them. They get dissatisfied and urge an upgrade to another sub system. And so on.
This might well result in a very different order for updating an ERM program than the logical order.
However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.
Go figure. The Institute and Faculty of Actuaries seems to have just discovered that humans are involved in risk modeling. Upon noticing that, they immediately issued the following warning:
RISK ALERT
MODEL MANIPULATION
KEY MESSAGE
There are a number of risks associated with the use of models:
members must exercise care when using models to ensure that the rationale for selection of a particular model is sound and, in applying that model, it is not inappropriately used solely to provide evidence to support predetermined or preferred outcomes.
They warn particularly about the deliberate manipulation of models to get the desired answer.
There are two broad reasons why a human might select a model. In both cases, they select the model to get the answer that they want.
The human might have an opinion about the correct outcome from the model. An outcome that does not concur with their opinion is considered to be WRONG and must be corrected. See RISKVIEWS discussion of Plural Rationality for the range of different opinions that are likely. Humans actually do believe quite a wide range of different things. And if we restrict the management of insurance organizations to people with a narrow range of beliefs, that will have similar results to restricting planting to a single strain of wheat. Cheap bread most years and none in some!
The human doesn’t care what the right answer might be. They want a particular range of result to support other business objectives. Usually these folks believe that the concern of the model – a very remote loss – is not important to the management of the business. Note that most people work in the insurance business for 45 years or less. So the idea that they should be concerned with a 1 in 200 year loss seems absurd to many. If they apply a little statistics knowledge, they might say that there is an 80% chance that there will not be a 1 in 200 year loss during their career. Their Borel point is probably closer to a 1 in 20 level, where there is a 90% chance that such a loss will happen at least once in their career.
They also suggest that there needs to be “evidence to support outcomes”. RISKVIEWS has always wondered what evidence might support prediction of remote outcomes in the future. For the most part, there is insufficient evidence to support a determination of past actual frequency of the same sort of remote events. And over time things change, so past frequency isn’t always indicative of future likelihood, even if the past frequency were known.
One insurer. where management was skeptical of the whole idea of “principles based” assessment of remote losses, decided to use a two pronged approach. For their risk management, they focused on 95th percentile, 1 in 20 year losses. There was some hope that they could validate these values through observed data. For their capital management, they used the rating agency standard for their desired rating level.
Banks, with their VaR approach have gone to an extreme in this regard. Their loss horizon is in days and their calibration period is less than 2 years. Validation is easy. But this misses the possibility of extremes. Banks only managed risks that had recently happened and ignored the possibility that things could get much worse, even though most risks that they were measuring went through multi year cycles of boom and bust.
At one time, banks usually used the normal distribution to extrapolate to determine the potential extreme losses. The problem is Fat Tails. Many, possibly all, real world risks have remote losses that are larger than what is predicted by the normal distribution. Perhaps we should generalize and say that the normal distribution might be ok for predicting things that happen with high frequency and that are near the mean in value, but some degree of Fat Tails must be recognized to come closer to the potential for extreme losses.
What is needed to make risk measurement effective is standards for results, not moralizing about process. The standards for results need to be stated in terms of some Tail Fatness metric such as Coefficient of Risk. Then modelers can be challenged to either follow the standards or justify their deviations. Can they come up with a reasonable argument of why their company’s risk has thinner tails than the standard?
Many observers will claim that complex systems are inherently fragile. Some argue for simplifying things instead. But one of the main reasons why many man-made complex systems are fragile is that we often ignore Ashby’s Law.
Ashby’s Law is also known as the Law of Requisite Variety. It is so powerful that it is sometimes called the first law of cybernetics.
Basically, Ashby’s Law states that to be fully effective, a control system must has as much variety as the system being controlled. The control system must be as complex as the system being controlled.
So man-made complex systems often evolve when people decide to add more and more functionality – more variety – to existing systems. Sometimes this includes linking up multiple complex systems.
But humans are really clever and they tend to save time and money by not bothering to even figure out what additional controls are needed to make a newly enhanced system secure. There is often not any appreciation of how much more control is needed when two complex systems are combined.
But look at the literature regarding company mergers and acquisitions. The literature keeps saying that the majority of this activity destroys value. Sometimes that is because the two organizations have incompatible cultures. Executives are becoming aware of that and activities to create a single new culture are sometimes included in post merger activity lists.
But there is an aversion to recognize that there needs to be much more spending on control systems. Most often in a merger, there is a reduction in the amount of people assigned to internal controls, either directly or within a line function. This is usually expected to be one of the synergies or redundancies than can be eliminated to justify the purchase price.
But in reality, if the new merged entity is more complex than the two original firms, the need for control, as expressed under Ashby’s Law, is greater than the sum of the two entities.
Merging without recognizing this means that there is an out of the money put being embedded in the merged entity. The merged entity has lower control expenses than it should for a time. And maybe, just maybe, it will experience major problems because of the inadequate controls.
A recent report on risk management mentions near the top that risk and reward have a fundamental relationship. But experience tells us that just is not at all true in most situations.
The first person (that RISKVIEWS can find) to comment on that relationship was the great economist Alfred Marshall:
“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
1890 Principles of Economics
That seems to be a very realistic characterization of the relationship – one of hope. But his statement has been heavily distorted through the years. Many have come to believe that if you increase risk then you also, automatically, increase reward. Or that if you want increased reward that you must increase risk.
Perhaps the risk reward relationship is a simple arithmetic statement. Made by those who believe that all economic actors are rational. And by rational, they mean that they make choices to maximize expected value.
So if all of the choices that you actively consider have a positive expected value, then those with higher risk will have to have higher rewards to keep the sum positive. (Alternately, risks would have much lower likelihood than gains – but this hardly seems to fit in with the concept of higher risks.)
So perhaps the “relationship” between risk and reward is this:
For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.
But isn’t that the rub? Can we reliably determine risk, reward and their likelihood for most opportunities?
But then there is another issue. For a single opportunity, the outcome will either be a loss or a gain. If there is higher risk, the likelihood or amount of loss is higher. So if there is higher risk, there is a higher chance of a loss or a higher chance of a larger loss.
So by definition, an opportunity with higher risk may just produce a loss. And either the likelihood or amount of that loss will, by definition, be higher. No reward – LOSS.
Now, you can reduce the likelihood of that loss by creating a diversified portfolio of such opportunities. And by diversified, read unrelated.
So the rule above needs to be amended…
For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward. To reliably achieve a higher reward, rather than more losses, it is necessary to choose a number of these opportunities that are unrelated.
Realize here that we are talking about Knightian risk here. Risk where the likelihood is knowable. For Knightian Uncertainty – where the likelihood is not knowable – this is much more difficult to achieve. Investors and business people who realize that they are faced by Uncertainty will usually Hope for even greater gains. They require higher potential returns. And/or set higher prices.
The issue is that in many cases, humans will make mistakes when assessing likelihood of uncertainty, risk and reward (see Restaurant failure rate). There are quite a number of reasons for that. One of my favorites is survivor bias in our data of comparables (They just don’t make them like they used to). We also overestimate our chances of success because we overrate our own capabilities. (see Lake Wobegone, above average children). And to achieve that portfolio diversification effect, we need to be able to also reliably assess interdependence (see mortgage interdependence, 2008).
The real world problem is that aside from lottery tickets, there are very few opportunities where the likelihood of losses is actually knowable. So risk and reward are not necessarily related. Except perhaps in the way that all humans are related . . . through Adam (or Lucy if you prefer).
The biologist Holling saw that natural systems went through phases. One view of those four phases is:
Rapid Growth
Controlled Growth
Collapse
Reorganization
The phase will usually coincide with an environment that encourages that sort of activity. The fourth phase, Reorganization, coincides with an Uncertain environment.
Since the financial crisis of 2008, many aspects of our economies and our societies have drifted in and out of the Uncertain environment. We have been living in an historical inflection point. The post WWII world, both politically and economically may be coming to an end. But no new regime has emerged to take its place. Difficult times for making long term plans and long term commitments.
And that describes the best approach to risk management in Uncertain times. Avoid long term and large commitments. Keep short term, stay diversified. Returns will not be great that way, but losses will be small and the change of a devastating loss smaller.
Sooner or later things will clarify and we will move out of uncertainty. But one of the things that keeps us in an uncertain stage is the way that people act as if somehow, they have a right to something more certain. Most often they are hoping for a return to a controlled growth phase. When the careful are rewarded modestly. Some long for the return to the boom phase when a few are rewarded greatly.
But right now, it makes the most sense to not count on that and to accept that we will uncertainty for some time to come.
Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”. While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.
ERM is focused on Enterprise Risks. Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute its plans. Enterprise Risks need to be a major consideration in setting plans. Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a path for alignment of the risk management with the strategic objectives of the firm.
It is quite easy for an ERM program to become irrelevant. All it takes is for it to stay the same for several years. After just a few years, you will find that you risk management processes are focused upon the issues of several years ago. You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.
That is because the risk environment is constantly changing. Some risks are become more dangerous while for others the danger is receding. No firm anywhere has an unlimited budget for risk management. So to remain effective, you need to constantly reshuffle priorities.
One place where that reshuffling is very much needed is in the risk register. That is a hard message to sell. Risk Identification is seen by most as the first baby step in initiating and ERM program. How could a well developed, sophisticated ERM program need to go back to the first baby step.
But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register. That is because risk management is fundamentally a cycle rather than a a one way development process. We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise. For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.
One way to freshen up the process of reviewing the risk register is to bring in outside information. The link below provides some good outside information that you can use to stimulate your own review.
Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks. Then over 100 insurer executives and risk management staff helped to rank those 50 risks.
We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”
Take a look. How does the resulting ranking look compared to your risk register? Do any of the top 10 risks show up as middling priority in your program? Are any of the bottom ten risks near the top of your priority ranking? So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.
There are four keys to ERM – The second is Discipline
Discipline is tightly linked with Transparency, another Key to ERM. Transparency helps to encourage and enforce Discipline.
There are three ways that Discipline is Key to ERM.
Enterprise risk management brings discipline to the mitigation of individual risks, to aggregate risk management and ERM also promotes a disciplined commitment to a comprehensive approach to risk management.
Enterprise risk management brings the discipline to risk management by making explicit plans for managing risk and then following up, checking on the execution of those plans, and reporting the results of those checks. To some, this seems like lots and lots of needless redundancy, but they miss the point. Discipline makes risk management reliable instead of being another wild card in an uncertain world.
ERM encourages insurers to clearly state their approach to risk as well as the amount and types of risks that they will accept. Clear and coherent communication is an often-underappreciated discipline that is much more difficult than it appears. ERM provides a script and outline that makes it easier to speak clearly about risk and risk management.
ERM always starts with a risk identification and prioritization step, so that while all risks are considered, time and resources are used wisely by focusing only on the most significant risks.
Discipline is unlikely to be maintained in secret. Because of Transparency, is is easily and widely known when Discipline falters. Insurers that want to have an effective and Disciplined ERM program will have both Discipline ANDTransparency.
There are four keys to ERM. The first is Transparency.
In traditional risk management situations, the degree to which risk is tightly controlled or loosely allowed is often a personal decision made by the middle manager who “inherited” the responsibility for a particular risk. That person may make the best decision based on full knowledge of the nature of the risk and the availability and cost of mitigation of the risk, or they might just choose an approach based on poor or even inaccurate information because that is the best that they can find with the time they can spare.
Enterprise risk management (ERM) is a commitment to executive and board attention to the important risks of the firm. In a fully realized ERM, the risk profile of the firm and the plans to change or maintain that profile from one year to the next—while exploiting, managing, limiting or avoiding various risks in ways that are tied to the firm’s strategy—are shared among the management team and with the board.
In the best programs, the risk profile and risk plans are not only shared, they are a topic of debate and challenge. These firms realize that a dollar of profit usually has the exact same value as a dollar of loss, so they conclude that risk management, well-chosen and executed, can be as important to success as marketing.
A clever math student may be able to just write down the answer, but teachers often insist that students show their work to get credit.
Take-Away:
“Show your work” is the idea of ERM
Show steps of and thinking behind risk management process.
Helps others understand intent and determine whether objectives are being met.
More about Transparency about risk and risk management and how it is important to executive management, to the board and to middle managers onWillis Towers Watson Wire.
The map above is from Google Trends. It shows the frequency of Google searches for the term ERM over the past year. Darker blue means more searches. No blue means no searches.
You can interpret the 12 states with no seaches two ways:
Folks in these states already know enough about ERM and have no need to search for more.
Are you expecting your risk to grow faster than your capacity to bare risk?
Are you expecting your risk capacity to grow faster than your risk?
Or are you planning to keep growth of your risk and your capacity in balance?
If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.
RISKVIEWS calls this the Risk Trajectory. Risk Trajectory is not a permanent aspect of a businesses risk strategy. Trajectory will change unpredictably and usually not each year.
There are four factors that have the most influence on Risk Trajectory:
Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
Your capacity to bear risk – often stated in terms of capital
Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
The likely rewards for accepting the risks in your Risk Profile
If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.
Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.
All four of the factors that influence Risk Trajectory are constantly moving. Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory. In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.
For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.
For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.
For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.
RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.
By Alex Proimos from Sydney, Australia – Three Little Pigs
By Malene Thyssen – Own work, CC BY-SA 3.0,
Riskviews 