Variety of Decision Making

Posted July 20, 2022 by riskviews
Categories: Assumptions, Change Risk, Complexity, Cultural Theory of Risk, Decision Making, Enterprise Risk Management, ERM, Execution Risk, Risk, Risk Environment, Risk Management System, Uncertainty


Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.

Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.

Here are abstracts and links to the existing documents:

  1. Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
  2. Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
  3. The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
  4. An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
  5. An Adaptor Strategy for Enterprise Risk Management (Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
  6. Adaptor Exceptionalism: Structural Change & Systems Thinking, March 2022, RISKVIEWS. Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
  7. Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!

Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).

First Quarter GDP

Posted April 30, 2022 by riskviews
Categories: Black Swan, Decision Making, Pandemic Risk


Do you notice anything unusual in the graph above that occurred in the first quarter of 2022? This graph says that in January about 6% of Americans were sick. That is about 25% of all of the COVID infections over the past 26 months. Other than January 2022, COVID infections averaged 2.4 million per month.

First quarter GDP fell by 1.4% in 2022.

I would bet that some of the GDP drop was due to the absolutely extraordinary level of illness in the first quarter.

I hadn’t noticed any commentary that agrees with this point. But I am guessing that since we are all feeling that we have turned the corner on COVID, we are deliberately putting it out of our minds. This may cause us to draw erroneous conclusions about what is happening with the economy and take actions to fix something that may have been driven to some extent by the pandemic, not some other type of weakness in the economy.

Determining Risk Capital

Posted February 5, 2022 by riskviews
Categories: Economic Capital, Enterprise Risk Management, ERM, Modeling, ORSA, risk assessment, Risk Management, Value at Risk, VaR


Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).

With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.

Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.

To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.

Types of Risk Models

There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.

Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.

Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.

Some methods may fit a particular situation, company, or philosophy of risk better than others.

Factor-Based Models

Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.

The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.

Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.

The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as is A.M. Best’s BCAR score and S&P’s Insurance Capital Model.

Stress Test Models

Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:

  1. Worst company results experienced in last 20 years
  2. Worst results observed across peer group in last 20 years
  3. Worst results across peer group in last 50 years (or, 20% worse than stage 2)
  4. Magnitude of stress-to-failure

Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.

High-Level Stochastic Models

Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.

Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.

A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.

Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.
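A minimal high-level stochastic model of the kind described above, added here as an illustration and not taken from the original post. The loss distributions (lognormal), the means and coefficients of variation, the Gaussian-copula dependence and the 99.5% level are all constructed assumptions.

```python
import math
import random

# Constructed inputs: the four risk sources named in the text, each with an
# assumed lognormal annual loss given as (mean, coefficient of variation).
RISKS = {
    "underwriting": (100.0, 0.30),
    "reserve": (80.0, 0.25),
    "asset": (60.0, 0.40),
    "credit": (20.0, 0.60),
}


def lognormal_params(mean, cv):
    """Convert a mean and coefficient of variation to lognormal (mu, sigma)."""
    sigma2 = math.log(1.0 + cv * cv)
    return math.log(mean) - 0.5 * sigma2, math.sqrt(sigma2)


def uniform_corr(n, rho):
    """Correlation matrix with the same off-diagonal value rho everywhere."""
    return [[1.0 if i == j else rho for j in range(n)] for i in range(n)]


def cholesky(matrix):
    """Lower-triangular factor L with L * L^T == matrix (positive definite)."""
    n = len(matrix)
    lower = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sum(lower[i][k] * lower[j][k] for k in range(j))
            if i == j:
                lower[i][j] = math.sqrt(matrix[i][i] - s)
            else:
                lower[i][j] = (matrix[i][j] - s) / lower[j][j]
    return lower


def simulate_total_losses(corr, n_sims=20000, seed=2022):
    """Simulate total annual loss across all risk sources.

    Interdependency is modeled by correlating the underlying normal drivers
    (a Gaussian copula); corr applies to those drivers, not to the losses.
    """
    rng = random.Random(seed)
    params = [lognormal_params(mean, cv) for mean, cv in RISKS.values()]
    lower = cholesky(corr)
    n = len(params)
    totals = []
    for _ in range(n_sims):
        z = [rng.gauss(0.0, 1.0) for _ in range(n)]
        total = 0.0
        for i, (mu, sigma) in enumerate(params):
            driver = sum(lower[i][k] * z[k] for k in range(i + 1))
            total += math.exp(mu + sigma * driver)
        totals.append(total)
    return totals


def var_and_tvar(losses, level=0.995):
    """Empirical Value at Risk and Tail Value at Risk at the given level."""
    ordered = sorted(losses)
    idx = min(int(math.ceil(level * len(ordered))) - 1, len(ordered) - 1)
    tail = ordered[idx:]
    return ordered[idx], sum(tail) / len(tail)


def capital_summary(rho, level=0.995):
    """Expected loss, VaR, TVaR and capital (metric minus expected loss)."""
    totals = simulate_total_losses(uniform_corr(len(RISKS), rho))
    expected = sum(totals) / len(totals)
    var, tvar = var_and_tvar(totals, level)
    return {
        "expected": expected,
        "var": var,
        "tvar": tvar,
        "capital_var": var - expected,
        "capital_tvar": tvar - expected,
    }


if __name__ == "__main__":
    for rho in (0.0, 0.5, 0.9):
        summary = capital_summary(rho)
        print(rho, {k: round(v, 1) for k, v in summary.items()})
```

The same simulated losses give different capital figures depending on the metric chosen and on the dependence assumed, which is why both appear in the key questions later in the post.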

Detailed Stochastic Models

Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.

Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.

Multi-Year Strategic Models with Active Management

In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.

And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.

For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.

Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.

Key Questions and Decisions

Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:

  • What are the issues to be aware of when creating or refining our model?
  • What software offers the most appropriate platform?
  • What data will we need to collect?
  • What design choices must we make, and which selections are most appropriate for us?
  • How best can we aggregate risk from different sources and deal with interdependency?
  • There are so many risk metrics that can be used to determine risk capital – Value at Risk, Tail Value at Risk, Probability of Ruin, etc. – what are their implications, and how can we choose among them?
  • How should this coordinate with catastrophe modeling?
  • Will our model actually help us to answer the questions most important to our firm?
  • What are best practices for validating our model?
  • How should we allocate risk capital to business units, lines of business, and/or insurance policies?
  • How should we think about the results produced by our model in the context of rating agency capital benchmarks?
  • Introducing a risk capital model may create management issues – how can we anticipate and deal with these?

In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?

Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?

Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?

The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.

Risk Reward Management

Posted January 25, 2022 by riskviews
Categories: Economic Capital, Enterprise Risk Management, ERM, Risk Management System


In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

In 2005, Standard & Poor’s called the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand-alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

This multi-year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.

Pitfalls of Risk Reward Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
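The effect of the correlation assumption on a risk/reward decision can be shown with a small factor-based calculation; this is an added example, not from the original post. All exposures, factors, profits and correlations are constructed, and the square-root-of-correlated-sum aggregation is an assumed method for combining stand-alone capital.

```python
import math

# Constructed factor-based inputs: (exposure, riskiness factor) per category.
EXISTING = {
    "underwriting": (400.0, 0.25),
    "reserve": (600.0, 0.10),
    "asset": (1000.0, 0.08),
    "credit": (200.0, 0.05),
}
BASE_RHO = 0.25  # assumed correlation between every pair of existing risks

# Two hypothetical new risks with the same stand-alone capital. A earns more
# per unit of stand-alone capital but is more correlated with the portfolio.
CANDIDATES = {
    "A_high_return_high_corr": {"capital": 40.0, "profit": 6.0, "rho": 0.50},
    "B_low_return_low_corr": {"capital": 40.0, "profit": 5.0, "rho": 0.00},
}


def standalone_capital(categories):
    """Factor-based capital: exposure x riskiness for each category."""
    return {name: exp * factor for name, (exp, factor) in categories.items()}


def build_corr(n_existing, base_rho, candidate_rho):
    """Correlation matrix for the existing risks plus one candidate (last).

    The inputs must yield a valid (positive semi-definite) matrix; the
    constructed values above do.
    """
    n = n_existing + 1
    corr = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i != j:
                corr[i][j] = candidate_rho if n - 1 in (i, j) else base_rho
    return corr


def stress_corr(corr, t):
    """Move every correlation a fraction t of the way to one (t=1: all ones)."""
    return [[c + t * (1.0 - c) for c in row] for row in corr]


def aggregate(capitals, corr):
    """Diversified capital: sqrt(sum_ij corr_ij * C_i * C_j)."""
    n = len(capitals)
    total = sum(
        corr[i][j] * capitals[i] * capitals[j]
        for i in range(n)
        for j in range(n)
    )
    return math.sqrt(total)


def marginal_return(candidate, t=0.0):
    """Return (profit / marginal capital, marginal capital) for a candidate.

    Marginal capital is the increase in diversified capital from adding the
    candidate, with all correlations stressed a fraction t toward one.
    """
    base = list(standalone_capital(EXISTING).values())
    n = len(base)
    corr = stress_corr(build_corr(n, BASE_RHO, candidate["rho"]), t)
    without = aggregate(base, [row[:n] for row in corr[:n]])
    with_candidate = aggregate(base + [candidate["capital"]], corr)
    marginal = with_candidate - without
    return candidate["profit"] / marginal, marginal


def rank(t):
    """Candidate names ordered by return on marginal capital, best first."""
    return sorted(
        CANDIDATES,
        key=lambda name: marginal_return(CANDIDATES[name], t)[0],
        reverse=True,
    )


if __name__ == "__main__":
    for t in (0.0, 0.5, 1.0):
        print("stress", t, "ranking", rank(t))
        for name, cand in CANDIDATES.items():
            ret, marginal = marginal_return(cand, t)
            print("   ", name, round(marginal, 2), round(ret, 3))
```

With the base correlations the low-correlation candidate looks far better on marginal capital; with every correlation at one the diversification credit disappears and the ranking reverts to stand-alone return.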

Take Part in the 15th Survey of Emerging Risks

Posted November 4, 2021 by riskviews
Categories: Emerging Risks, Enterprise Risk Management, Risk, Risk Identification, Unknown Risks

The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries will oversee an online survey to help understand individual risk managers’ perspectives on emerging risks. We value insights from all levels of experience and background and invite you to participate in this annual survey.
Please complete this survey by Nov. 22nd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. 
If you have questions about the survey, please contact Jan Schuh at the SOA Research Institute, jschuh@soa.org


You can see last year’s Emerging Risks Report HERE.

What to Do About Emerging Risks…

Posted November 2, 2021 by riskviews
Categories: Black Swan, Emerging Risks, Enterprise Risk Management, Unknown Risks


Many of the most serious problems that have beset firms have not been repeats of past issues but very new situations. Emerging risks is one description that is used to refer to these “unknown unknowns.” It is simply not sufficient for an ERM program to fully master the control of potential losses from the risks that are known to exist right now. Many would consider the current financial crisis to be the result of emerging risks that were not sufficiently anticipated. Emerging risks may be unknown, but their consequences are real and insurers need to actively prepare for them.

Management should be monitoring and controlling the known risks. Emerging risks management is concerned with the impact of completely new or extremely rare adverse events. These risks cannot be managed via a control process. Monitoring systems would not show any results. But there are ways that the best-practice firms address emerging risks.


Emerging risks may appear suddenly or slowly, are difficult to identify, and often represent a new idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. An example from the past is asbestos or silicone liabilities. Other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. The recent problems experienced by banks and other financial firms resulting from mortgage losses could be classified as emerging risks.


For these risks, normal risk identification and monitoring will not work because the frequency is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on businesses and therefore cannot be excluded from a solid risk management program. Specific strategies and approaches must be implemented to cope with them properly.


Emerging risks can be unknown to the corporate body or merely unknown to the main decision takers. The O-ring problem was known about before disaster hit the US space shuttle Challenger in 1986 – just not known in a way that helped. When considering emerging risks, we need to consider communication to, and within, the corporate body. A good ERM approach should be able to handle both these aspects.


Emerging risks management will include a process of early warnings that will allow company management to anticipate disasters, however short the period of notice. Such a firm will have an inclusive approach to identifying and evaluating risk. This inclusiveness will encourage employees to express concerns openly, it will lead to the ability to learn from others’ experiences and it will allow a constructive approach to intelligence-gathering of both hard and soft information. A firm with good emerging risks management would expect to perform thorough post-mortem analyses of problem situations and would feed the results of that analysis back into its on-going disaster-planning process.


While the best ERM programs will often have a comprehensive emerging risks process, that process is not well served by a routine checklist. A company with excellent extreme-event management practices will instill and sustain a decidedly non-routine, imaginative flavor into its process.

Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment.

Emerging risks may appear abruptly or gradually, are difficult to identify, and may for some time represent a hypothetical idea more than factual circumstances. They often result from changes in the political, legal, market or physical environment. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown.

Nevertheless, past experience shows that when they materialize, they can have a significant impact on insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.

Identifying Emerging Risks

Developing an early warning system for emerging risks that methodically identifies potential new risk factors either through internal or external sources is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit the growth of exposure as the evidence becomes more and more certain. However, insurers practicing this discipline will need to be aware of the cost of false alarms.

Assessing Their Significance

Parties should assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment—which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm.

For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important.

On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.

A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions.

In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.

Define Appropriate Responses

Responses to emerging risks might be part of the normal risk control process, i.e. risk mitigation or transfer, either through reinsurance (or retrocession) in the case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging.

When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity. Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways for insurers to manage a liquidity crisis.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.

Advance Warning Process

For emerging risks, the response plans developed as described above would often not be implemented immediately. Their implementation would often be deferred until a later date when the imminence of the emerging risk is more certain. For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advance warning process.

To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk. These key risk indicators are tracked and compared to a trigger point that has been identified in advance. The trigger point might be set at the point when it is thought that action is needed, but more likely it triggers a new round of investigation of both potential impact and responses.

Learn

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company should identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.

All of these steps can be applied by any firm in any sector with some adaptation.

Risk Management Framework

Posted October 21, 2021 by riskviews
Categories: Enterprise Risk Management

For an insurer who has just completed the initial stages of ERM development, the risk management framework is a statement of what was decided for each of those steps:

  • Identification of risks
  • Development of risk measures and reports
  • Identifying risk mitigations and setting risk limits
  • Appointing individuals to be responsible for the ownership of the identified risks as part of a defined risk organization structure.

This structure should provide the board with an ongoing view of corporate risk profile.
As the insurer develops its ERM process further into additional ERM practices, the risk management framework is also extended to include statements about the objectives of those practices within the insurer’s program.
An insurer who is preparing for an Own Risk and Solvency Assessment (ORSA) should strongly consider having an additional set of associated policies.


Insurance Risk Policy
This policy sets out the identification, measurement, mitigation and reporting stages associated specifically with insurance risk. It is a statement of the types and amounts of insurance coverage that the insurer will write as well as the methods that the insurer will use to select the specific risks.
Processes should be defined for measuring these risks such as monitoring and reporting aggregate claims experience. Mitigation practices should be set to keep the insurance risk within the boundaries that management has set in the form of appetites, tolerances and limits.
The insurance policy statement will also likely set out the approval and exception authority structure used by the company as well as the notification requirements for breaches of the policy.
This breach process establishes expectations for actions to be taken in the event of significant deviations between actual and expected claims.
The insurance rate setting process will also be described, as well as who has the responsibility of determining initial and final rates.

Investment Risk Policy
The investment risk policy is a fraternal twin to the insurance policy. It defines the approval process for accepting types and amounts of investment risk. It also sets mitigation practices to be used and authorities for approvals and exceptions.
These should all be consistent with the risk appetite, tolerance and limit statements of the insurer.
The investment policy should set forth communications requirements on investment risk exposures and emerging experience in terms of timing and audience for that communication.
Expectations for actions in the event of deviations from the policy and/or from investment losses or under-performance are also set out here.

ALM Policy

An asset/liability management—or ALM—policy is an expectation of regulators, but such a policy is primarily a concern for life insurers whose products are often inherently linked to investment performance.
For non-life insurers, the ALM policy can usually be expressed as a short paragraph in the investment risk policy.
This paragraph should set forth the targets for investment cashflows and should also address tolerance for liquidity risk.

Risk Appetite, Tolerance and Limit Statements
Regulators and rating agencies all expect that insurers will have an articulated statement about their objectives with regard to risk taking. This includes both quantitative restrictions on the aggregate amount of risk that is retained and not fully mitigated and qualitative restrictions on the risks that will be taken.
In most cases, the quantitative risk appetite statement is likely to be qualified by both amount and likelihood.
For example, a company may seek to take risks to maintain a maximum net 1 in 10 year underwriting value at risk (VaR) of £10m.
This target defines limits for the gross underwriting risk which can be written at business unit level. Importantly, it also defines an important input into the reinsurance decision-making process.

Own Risk and Solvency Assessment (ORSA)

In the U.S., insurers that must file an ORSA are asked to include the following elements of an ERM Framework:

• Risk Culture and Governance – Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.

• Risk Identification and Prioritization – Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.

• Risk Appetite, Tolerances and Limits – A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.

• Risk Management and Controls – Managing risk is an ongoing ERM activity, operating at many levels within the organization.

• Risk Reporting and Communication – Provides key constituents with transparency into the risk-management processes and facilitates active, informal decisions on risk-taking and management.

Risk Management Roles

Posted October 18, 2021 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Risk Management, Risk Management System

Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles.  Smaller organizations tend to need an ERM operation with all part-timers.  We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO role differs from organization to organization, but CROs generally have some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer.  Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary. 

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for Value Added ERM, playing a major part in its implementation as well as in explaining the idea and the results to stakeholders.  A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation.  The CRO may be responsible for performing analysis of risk-adjusted plan proposals and for acting as a resource to business units for developing risk-adjusted proposals.  As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance. 

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework.  There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. Intelligent ERM above); and to direct the application of resources for ERM activities that are outside of the risk management department. 

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises. 

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board.  These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department.  The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO.  The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions.  The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions.  The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants. 

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk. 

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management.  That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks.  However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role.  On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area.  Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas.  Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers.  In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks.  The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments. 

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board.  This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between compliance role and advisory role of the risk management department.  Compliance is the natural role of Internal Audit and giving this role to Internal Audit allows risk management to have more of a consultative and management information role. 

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role’s scope.  That question is whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or whether it should also have a role reviewing the ERM Framework itself.  To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO. 

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual.  While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea. 

For the CRO and the ERM program to be effective, the organization needs clarity on which aspects of risk management the CEO is directly delegating to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners.  Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].


[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,

[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001

[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)

Risk Measurement & Reporting

Posted October 18, 2021 by riskviews
Categories: risk assessment, Stress Test, Value at Risk

Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applies to risk as well as it does to other more commonly measured things like sales, profits and expenses.

Regulators take a similar view; what gets measured should get managed. ORSA frameworks aim to support prospective solvency by giving management a clear view of their ongoing corporate risk positions.

This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.

From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.

The Need to Measure Up

Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identified.

Almost every CEO can cite the company’s latest figures for sales, expenses and profits, but very few know what the company’s risk position might be.

Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.

Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses: profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.

Risk, on the other hand, is all about things that might happen in the future: specifically, bad things that might happen in the future.

A risk measure reflects an opinion about the size of the exposure to future losses. All risk measures are opinions; there are no facts about the future. At least not yet.

Rationalizing Risk

There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.

That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.

To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes.

Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.

Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.

For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking activities.

With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.

Value at Risk

The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000. This value might represent the insurer’s risk capital target.

Contingent Tail Expectation

A similar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).

The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
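The ranking described above can be carried out directly on the output of a stochastic model. The following is an added example, not part of the original post: it computes the 99% VaR and CTE by rank, plus the CTE minus VaR shortfall. The toy loss model, its parameters and all function names are assumptions made for illustration.

```python
import math
import random
from statistics import mean


def _rank(level, n):
    """Rank k (1-based, best to worst) of the VaR outcome: k = ceil(level * n)."""
    if not 0.0 < level < 1.0:
        raise ValueError("level must be strictly between 0 and 1")
    if n < 1:
        raise ValueError("need at least one simulated outcome")
    # The small tolerance guards against float rounding such as 7.000000000000001.
    return max(1, math.ceil(level * n - 1e-9))


def value_at_risk(losses, level=0.99):
    """Loss at rank ceil(level * n): the 99th of 100 outcomes, the 990th of 1000."""
    ranked = sorted(losses)
    return ranked[_rank(level, len(ranked)) - 1]


def contingent_tail_expectation(losses, level=0.99):
    """Average of the outcomes ranked beyond the VaR outcome (CTE / TVaR).

    Outcomes are selected by rank, so ties with the VaR value that fall
    after the VaR position are counted as part of the tail.
    """
    ranked = sorted(losses)
    tail = ranked[_rank(level, len(ranked)):]
    if not tail:
        # Failure mode: too few scenarios to observe anything beyond the VaR.
        raise ValueError("no outcomes beyond the VaR rank; run more scenarios")
    return mean(tail)


def risk_summary(losses, level=0.99):
    """VaR, CTE and their difference.

    If capital is held at the VaR, the difference is the average loss in
    excess of capital across the scenarios where capital is exhausted.
    """
    var = value_at_risk(losses, level)
    cte = contingent_tail_expectation(losses, level)
    return {"var": var, "cte": cte, "avg_shortfall": cte - var}


def simulate_annual_losses(n_runs, seed):
    """Constructed toy stochastic model (assumption, not a calibrated one).

    Each run is one year: 200 policies, each with a 5% chance of a claim,
    and lognormal claim sizes. Returns one aggregate loss per run.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_runs):
        n_claims = sum(1 for _ in range(200) if rng.random() < 0.05)
        losses.append(sum(rng.lognormvariate(0.0, 1.2) for _ in range(n_claims)))
    return losses


if __name__ == "__main__":
    for runs in (100, 1000, 10000):
        s = risk_summary(simulate_annual_losses(runs, seed=2021))
        print(f"{runs:>6} runs  VaR99={s['var']:.1f}  CTE99={s['cte']:.1f}  "
              f"avg shortfall={s['avg_shortfall']:.1f}")
```

With only 100 runs the 99% CTE rests on a single outcome, so the tail estimate is far less stable than the VaR until the number of runs grows.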

Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.

Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.

In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.

Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.

Key Risk Indicators

Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.

For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be difficult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic forecasts as risk indicators.

Of course, simply measuring risk is insufficient. The results of the measurement must be communicated to people who can and will use the risk information to appropriately steer the future activity of the company.

Risk Dashboard

Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.

With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.

The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.

Dashboard Example

Three Parts to Insurer ERM programs

Posted September 15, 2021 by riskviews
Categories: Enterprise Risk Management, Risk Management, Risk Management System

Enterprise Risk Management practice is different at different insurers. Partly that is driven by the different cultures and missions of insurers. For the most part, those differences can be seen to be driven by the choices that management makes of whether to emphasize one, two or all three of the following three parts of insurer ERM.

1. Individual risk management

Insurers practiced risk management long before they adopted enterprise risk management. With individual risk management (IRM), the insurer enables the organization to raise the risk management activities relating to all of the key risks of the organization up to a high and effective level of practice.

IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.

The result of an IRM function will be a transparent and disciplined approach to all of an organization’s key risks. This is often called a bottom-up risk management process as well. ERM standards such as COSO and ISO31000 promote an individual enterprise risk management process.

2. Aggregate risk management

Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.

ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or a series of risk models to evaluate the amount of aggregate capital needed to provide security for the risk exposure and an aggregate risk appetite and tolerance to help articulate the company’s expectations for capital levels in aggregate control processes.

Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks that are retained by the insurer with the capital it holds.

3. Risk reward management

One of the primary requirements of the model(s) used to evaluate aggregate risk is that they need to be as consistent as possible in their assessments. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: First regarding which are responsible for the largest parts of its risk profile, and, second, to look at the differences in reward for the risk taken.

With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.

Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms – primarily banks and insurers – tend to have risk profiles where the majority of their risks have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods, such as insurance, market and credit risks. Those risks frequently make up 75% or more of an insurer’s risk profile.

Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms’ risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main drivers of the limited focus of some ERM literature that often may not even mention aggregate risk management nor risk reward management.

Regulatory requirements for insurer ERM usually include aggregate risk management and some rating agencies (Standard & Poor’s – but not A.M. Best) are expecting insurers to have risk reward management as well. We have also noted some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.

Guide to ERM: Risk Limits and Controls

Posted August 16, 2021 by riskviews
Categories: Compliance, Control Cycle, Enterprise Risk Management, ERM, Insurance Risk, Risk, Risk Limits, Risk Management System

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.


The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

  1. Identify Risks – Choose which risks are the key controllable risks of the company
  2. Assess – Examine what are the elements of the risks that need (or can be) controlled
  3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
  4. Take Risks – Conduct the primary function of an insurance company
  5. Mitigate – Take actions to keep the risks within limits
  6. Monitor – Determine how risk positions compare to limits and report
  7. Respond – Decide what actions to take if risk levels are significantly different from plan
Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

  • Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
  • Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
  • Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
  • Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
  • Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints. The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
  • Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances. Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
  • Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while others have become more expensive and/or riskier and limits need to be lowered
  • Assess risks: And the cycle starts again

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits that are at a level that matters and that are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Guide to ERM: Risk Identification

Posted August 14, 2021 by riskviews
Categories: Enterprise Risk Management, ERM, Risk Identification, Risk Management System

Risk Identification is widely acknowledged as the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!


Risk Identification Process Adds Value

Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.

This is an iterative process that refines management’s understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk:

For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little or less credibility to an ORSA report if this ownership of ERM isn’t in place.

A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.

This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.

By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.

Risk Control Cycle

Step 1: Identify All Significant Risks

Risks must be identified in order to:

  • Ensure that the full range of significant risks is encompassed within the risk management process
  • Develop processes to measure exposure to those risks
  • Begin to develop a common language for risk management within the company

Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:

  • Relevance to the insurer’s activities
  • Impact on the insurer’s financial condition
  • Ability to manage separately from other risks

The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.

The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.

For example:

  • Underwriting Risk
  • Market Risk
  • Operational Risk
  • Credit/Default Risk

Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.

The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.

Step 2: Understand Each Risk Exposure

It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.

In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.

Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.

The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.

Step 3: Evaluate

The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:

  • Estimating the frequency of loss events, e.g., low, medium, and high
  • Estimating potential severity of loss events, e.g., low, medium, and high
  • Considering offsetting factors to limit frequency or severity of losses and understand potential control processes

Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation.

Step 4: Prioritize

The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.

The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.

From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.

This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks:

The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.

Regulatory Emphasis

Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.

Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.

ORSA Guidance Manual

This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.

That document provides a definition for risk identification and prioritization:

[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels

For the EU, the Solvency II ORSA requires that solo undertakings provide:

[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.

In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.

Insurance Core Principles (ICP)

The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.

Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.

It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.

The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.

Take Part in the 14th Survey of Emerging Risks

Posted November 5, 2020 by riskviews
Categories: Emerging Risks, Enterprise Risk Management, ERM

The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries is overseeing an online survey to help understand individual risk managers’ perspectives on emerging risks. We value your insights and invite you to participate in this annual survey. Please complete this survey by Nov. 23rd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at jschuh@soa.org

Volunteer Observers Wanted

Posted October 17, 2020 by riskviews
Categories: Black Swan, Pandemic Risk


The COVID Mitigation Monitoring Project needs your eyes!

Please share what you are seeing at the

COVID OBSERVATION COLLECTOR

Here is an example of what we are learning from the Observations that we have collected.

See more at the COVID Mitigation Monitoring Project website.

Monitoring COVID Mitigation Compliance

Posted July 28, 2020 by riskviews
Categories: Black Swan, Emerging Risks, Enterprise Risk Management, Pandemic Risk, Risk Management, Swine Flu, Tail Risk


Many discussions of COVID-19 mitigation revolve around the requirements and recommendations that are made by the government.

The CDC suggests answering this question:

  • To what extent do individuals and organizations practice community mitigation strategies?

We will seek to answer that question via a questionnaire.  Right now, we have piloted that questionnaire twice with about 30 people providing observations.

[Figure: grid of states with observations, by Level and Rate]

We have observations from people in the above states, which provide diverse situations regarding their COVID situation. (Here Level refers to the number of new cases per 100k from the past 14 days and Rate refers to the New Infection Rate which is the new infections from the current day as a percentage of the infections for the prior 14 days.)

Pilot Project Findings – not credible amount of data

[Figure: average compliance by state]

The above reflects the average compliance over 36 mitigation strategies.  This is a Pilot, so we are not concerning ourselves about numbers of observations but we recognize that these are not sufficient to draw any conclusions about the actual level of compliance.  Of those 36 strategies, the top 10 are:

Pilot Project Findings – not credible amount of data

[Figure: top 10 mitigation strategies]

We welcome additional observers.  We will be continuing the Pilot Project and working on getting funding to turn this into a full scale research project.

To contribute your observations follow this LINK.  We welcome both additional observers for the states above as well as observers from states where we have not yet received any observations.

Why 15% is more likely 5%

Posted May 14, 2020 by riskviews
Categories: Enterprise Risk Management

We have been hearing news reports for a week or more now that say that it is likely that COVID-19 actual infections are multiples of reported cases. This is likely true. But probably not by as much as some reports.

That is because of the expected level of false positives from the antibody tests that are being used. Let’s break this down…

Let’s focus on the New York state figures reported above. They represent that the antibody testing of 7500 people in NY State showed antibodies for 14.9% of the sample, while reported cases run about 1.5% of the population of NY State. But, as is often the case, the most important information is in the footnote. It said that these figures are not corrected for test accuracy.

Now, accuracy for the antibody tests is reported to be about 90%. So many people would read that to mean that the result is good +/- 10%.

But that is not the case at all. In fact, a news report that I heard on the local news program yesterday said that it is quite possible that more than 2/3 of the people who got an indication of antibodies present do not in fact have any antibodies! How can that be you ask?

This result falls out of a little Bayesian thinking. Like this…

  1. Let’s assume that we have a population of 1 million people where 5% of those people or 50,000 have been infected and 950,000 have never been infected.
  2. And that we have tested them all with an antibody test that is 90% accurate.
  3. So when we test the 50,000 who were infected, the test will tell us that 90% or 45,000 have antibodies (which is correct) and that 5,000 do not (which is incorrect – the 10% error rate). So far so good.
  4. But when we come to testing the 950,000 people who have not been infected, the test will find that 85.5% or 855,000 people are antibody free (correct for 90% of tests) and that 9.5% or 95,000 people have antibodies (the 10% error).
  5. So in total, the testing told us that 45,000 + 95,000 = 140,000 people (14%) have antibodies. And that 5000 + 855,000 = 860,000 people do not. So the error rate for Positives is 95,000 / 140,000 = 67% of the positives are WRONG. Error rate for negatives is 5000/860,000 = 0.6% wrong. Not bad on the negatives.
  6. So in this example, the test told us that the rate of positives is 14%, when it is actually 5%.

So that 14.9% reported for New York State is likely to be closer to 5% if the test was 90% accurate. This is the adjustment for Test Accuracy that the footnote says was not made.

If you make a correction based on this example (which seems to almost fit the data), you get a corrected result of 5% (33% of the 14.9% reported). The 5% is still more than 3 times the reported 1.5% infection rate.
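The six steps above, written as functions, plus the reverse calculation that turns a reported positive rate back into an estimated infection rate (the Rogan-Gladen correction, a standard adjustment that the post does not name). This is an added example, not part of the original post; it assumes, as the post does, that the 90% accuracy applies equally to infected and uninfected people, and the function names are hypothetical.

```python
def confusion_counts(population, prevalence, sensitivity, specificity):
    """Split a fully tested population into the four test outcomes.

    sensitivity: share of infected people the test correctly flags.
    specificity: share of uninfected people the test correctly clears.
    """
    infected = population * prevalence
    uninfected = population - infected
    true_pos = infected * sensitivity
    false_neg = infected - true_pos
    true_neg = uninfected * specificity
    false_pos = uninfected - true_neg
    return {
        "true_pos": true_pos,
        "false_neg": false_neg,
        "true_neg": true_neg,
        "false_pos": false_pos,
    }


def observed_positive_rate(prevalence, sensitivity, specificity):
    """Share of all tests that come back positive, right or wrong."""
    return prevalence * sensitivity + (1.0 - prevalence) * (1.0 - specificity)


def share_of_positives_wrong(counts):
    """Of the people told they have antibodies, the share who do not."""
    positives = counts["true_pos"] + counts["false_pos"]
    return counts["false_pos"] / positives if positives else 0.0


def share_of_negatives_wrong(counts):
    """Of the people told they have no antibodies, the share who do."""
    negatives = counts["true_neg"] + counts["false_neg"]
    return counts["false_neg"] / negatives if negatives else 0.0


def corrected_prevalence(observed_rate, sensitivity, specificity):
    """Invert observed_positive_rate() to estimate the true infection rate."""
    discriminating_power = sensitivity + specificity - 1.0
    if discriminating_power <= 0:
        raise ValueError("test is no better than a coin flip; rate cannot be corrected")
    estimate = (observed_rate + specificity - 1.0) / discriminating_power
    # A reported rate below the false-positive rate is consistent with no
    # infections at all, so the estimate is clamped to the range 0..1.
    return min(1.0, max(0.0, estimate))


if __name__ == "__main__":
    # The post's example: 1 million people, 5% infected, 90% accurate test.
    counts = confusion_counts(1_000_000, 0.05, 0.90, 0.90)
    print({name: round(value) for name, value in counts.items()})
    print("observed positive rate:", round(observed_positive_rate(0.05, 0.90, 0.90), 4))
    print("positives that are wrong:", round(share_of_positives_wrong(counts), 4))
    print("negatives that are wrong:", round(share_of_negatives_wrong(counts), 4))
    # The reported New York State figure, corrected for test accuracy.
    print("corrected 14.9%:", round(corrected_prevalence(0.149, 0.90, 0.90), 4))
```

With 90% accuracy on both sides, the 14.9% reported for New York State corrects to about 6.1%, and any reported rate at or below 10% corrects to zero.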

The Smell Test

This result is more consistent with reported statistics from China, where they report that about 50% of the cases are asymptomatic or have common-cold-like symptoms. People like that are unlikely to have been tested in New York when tests were in short supply. Of the other 50% who showed symptoms, China reported that about a third (15%) required treatment and a tenth (5% included in the 15%) required treatment in an ICU. So if NY State was capturing all of the 15% who needed hospital care and three quarters of the other people with symptoms with testing, then 30% of the cases would be reported, as the 5%/1.5% ratio would indicate.

The 15% rate indicated by the test results without correction would suggest that either the disease is much milder in the US than in China or that NY State was not capturing more than 2/3 of 15% of the infections needing hospitalizations and none of the people with clear symptoms who did not go to the hospital. That just doesn’t seem likely to me.

So, to me the idea that 15% is more likely 5% passes my smell test.

What do you think?

Is S@H Worth It?

Posted April 26, 2020 by riskviews
Categories: Enterprise Risk Management


It has been about a month since the US started Stay at Home (S@H) policies. Some people are wondering whether it has been worth it.

Here is a little thought exercise. At the end, you tell me if you think that it is worth it.

So if you think about it that way, is S@H worth it?

And if you can follow that story, then we can take it into May. Since we are looking at exponential curves, these numbers will keep diverging sharply. In another 20 days, if we can keep actual COVID-19 case growth at 3.5% or lower, we will go from about 40 to 80 cases per 100,000. And the 10% projection will double 3 times from about 90 to 650 per 100,000. That would be a 44 MILLION difference in infections and a 3 MILLION difference in deaths. By 15 May!

Agility: How to Navigate the Unknown and Seize Opportunity in a World of Disruption

Posted October 16, 2019 by riskviews
Categories: Enterprise Risk Management

As far as I can tell, risk management as a business practice is pretty well embedded now, more than a decade after the Great Recession. But it appears to be more of a cost of doing business that is required by boards, regulators and rating agencies rather than as a boon to management of businesses.  It is usually focused almost entirely on negative outcomes and insists on using its own language that is not even slightly close to the language used by top management in discussions of strategy for the firm.

When we overestimate our overall capacity, tangible and intangible, in relation to risk, we endanger our performance and even survival.

At the same time, there are continual examples of strategic failures, failures that you could imagine could be avoided with some risk management thinking.  (Stories like Kodak’s failure to develop a realistic vision of the coming impact of digital photography to its film business or Blockbuster’s failure to understand the threat from Netflix’s internet based business model.)

A new book, Agility, by Leo Tillman and General Charles Jacoby (ret.) suggests that we can enjoy the benefits of linking risk management to strategy by becoming . . . Agile.  The book provides stories, both from businessman Tillman and military man Jacoby to illustrate the pitfalls of operating without Agility and the benefits of operating with. 

Vital to an effective process for achieving agility is that it is not defined or operationalized in a rigid, one-size-fits-all way.

I think of their ideas as emanating from the realization that because we usually operate in a competitive environment, even the simplest of plans can be wrecked by unexpected reactions of those competitors.

My sense of Agility, after reading this book, is that it is a sort of continual restlessness, of never being satisfied that everything is running as well as it could and of not feeling completely safe from harm either. Always ready to change course to gain more advantage or to steer away from danger that was recently not even in sight.  Tillman and Jacoby give the example of the football running back who might change course at any time to find daylight or to avoid a tackler. 

Few plans survive contact with reality because our assumptions turn out to be incorrect, our adversaries act in unforeseen ways, or because our actions set in motion a multitude of forces that change the operating landscape itself.

They say that Agility has three components: risk intelligence, bias towards action and flexibility.  Risk intelligence involves a forward-looking unbiased assessment of risks and opportunities associated with the risks.  Tillman has written previously about risk intelligence. Bias towards action seems to be clearest in the military context. It is easy to imagine that a military unit that experienced analysis paralysis would not be long for the world. Flexibility is the ability not just to change plans but to execute the new plans well. That last item is probably the most difficult item here. It is one thing to assemble a team who can do a good job executing a pre-planned task, but another much more difficult task to create a group who are willing and able to change their goals and objectives significantly and who will proceed to deliver on those plans.  But while difficult, Tillman and Jacoby point out that it is an almost essential ability for an organization that expects to persist in the long run.

Adopting the agility mindset fundamentally transforms this perspective, turning a nice-to-have “luxury” into a mission-critical priority.

The agility mindset does not view risk as either inherently positive or negative. Instead, as alluded to earlier, it considers risks indispensable arrows in the quivers of decision makers. If we detect and assess environmental changes adroitly, these arrows enable us to both dynamically manage our portfolios of risks and alter our adversaries’ risk equations.

We fly blind when we do not fully understand our portfolio of risks, its role in our business model or its connection to our operating landscape.

While the premise of this book is well founded and well explained, the thing that really makes the book stand out is the inclusion of the military examples to show how each of the points that they make is supportable not only by Tillman’s business examples but also in the military sphere. Examples include Napoleon at the Battle of Borodino with the concept of risk intelligence, the invasion of Afghanistan and Iraq illustrating execution and the Normandy invasion to illustrate the entire concept of a combination of strategic and operational agility.

Risk Intelligence III

Posted March 21, 2019 by riskviews
Categories: Enterprise Risk Management

Risk Intelligence Definition: A general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience in matters involving risk and uncertainty. It is not merely book learning, nor is it primarily about a gut feel for risk. Rather, it reflects a broader and deeper capability for comprehending risk and uncertainty in our surroundings—“catching on,” “making sense” of things, or “figuring out” what to do in the face of both presenting and emerging risks.*

In an earlier post, RISKVIEWS told of the capabilities of the Risk Intelligent.  To acquire capabilities, one must start with beliefs that (a) there is a need for such capabilities and (b) that such capabilities can be effective in satisfying the need. Common Beliefs of the Risk Intelligent that led them to acquire their capabilities:

  • The world is dangerous enough that we are motivated to control risks, and also predictable enough that systematic management and exploitation of risk can be worthwhile.
  • The characteristics of risks will drift over time (and occasionally jump unexpectedly) requiring constant vigilance to adapt risk exploitation and management processes.
  • Preferences for risk and reward are asymmetrical: the aversion to a large potential loss is always higher than the preference for the same sized potential gain.
  • Opportunities for profit via risk-taking exist because firms can find opportunities to exploit risks that the market has mispriced, and/or opportunities to exploit diversification effects
  • It is bad for organizations to fail, so risk management objectives should be a part of all company strategies and should involve the company’s CEO and board of directors
  • Risks can and should be measured; this measurement is a technical exercise that requires expertise
  • Management of risk requires diligent attention to any choices to accept risks and actions to mitigate or transfer risk; more significant risk decisions should be approved at more senior levels of the company hierarchy
These beliefs differ from standard economics beliefs.
As RISKVIEWS said in another post, the capabilities are gained via Education, Experience and Analysis.  The next several posts on this topic will explore each of those paths separately.  After that, RISKVIEWS will come back to the beliefs and discuss how they come about.

*It turns out that there are almost as many definitions of intelligence as there are psychologists.  But on one day in 1994, almost 50 agreed with this definition, put forward by Linda Gottfredson:

Intelligence: A very general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience. It is not merely book learning, a narrow academic skill, or test-taking smarts. Rather, it reflects a broader and deeper capability for comprehending our surroundings—“catching on,” “making sense” of things, or “figuring out” what to do.

As you can see, RISKVIEWS based our definition of Risk Intelligence on this wording.

Risk Intelligence IV

Posted March 20, 2019 by riskviews
Categories: Decision Makng, Enterprise Risk Management, Execution Risk, Risk Culture, Risk Learning


Overcoming Biases

In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases.  Here are some specifics…

Biases

  • Anchoring – too much reliance on first experience
  • Availability – overestimate likelihood of events that readily come to mind
  • Confirmation Bias – look for information that confirms bias
  • Endowment effect – overvalue what you already have
  • Framing effect – conclusion depends on how the question is phrased
  • Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
  • Hindsight bias – things seem to be predictable after they happen
  • Illusion of control – overestimate degree of control over events
  • Overconfidence – believe own answers are more correct
  • Status Quo bias – Expect things to stay the same
  • Survivorship bias – only look at the people who finished a process, not all who started
  • Ostrich Effect – Ignore negative information

Each of Education, Experience and Analysis should reduce all of these.

Experience should provide the feedback that most of these ideas are simply wrong.  The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time.  So learning to identify and avoid these biases through experience has had limited testing.

Education for a risk manager should simply mention all of these biases directly and their adverse consequences.  Many risk managers receiving that education will ever after seek to avoid making those mistakes.

But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.

Analysis may provide the information to convince some of these remaining holdouts. Analysis, if done correctly, will follow the logic of economic rationality, which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.

So there may still be some people who even in the face of:

  • Experience of less than optimal outcomes
  • Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
  • Analysis that provides numerical back-up for unbiased decision making

will still want to trust their own gut to make decisions regarding risk.

You can probably weed out those folks in hiring.

2019 Most Dangerous Risks

Posted March 1, 2019 by riskviews
Categories: Enterprise Risk Management, Risk


For 2019, a new poll of 180 insurance executives ranks four out of five of last year’s top risks again in the top 5.

See more details at https://blog.willis.com/2019/02/2019-most-dangerous-risks-to-insurers/ 

 

Risk Intelligence II

Posted February 28, 2019 by riskviews
Categories: Enterprise Risk Management


Somehow it worked.

Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.

They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.

But I think that you could do the same thing with long division. Certainly with calculus. Compare answers of rubes on the sidewalk to math PhDs on a bunch of math questions and how well do you think the rubes would do?

Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.

I am sure that no-one with any Risk Intelligence would have bet against that finding.

Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.

But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.

Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.

And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.

Their conclusion could have been that many of us need basic financial and risk education, better understanding of how to accumulate helpful experiences and some basic analytical skills. Not as much fun as a long list of cutely named biases, but much more helpful.

Risk Intelligence I

Posted February 24, 2019 by riskviews
Categories: Enterprise Risk Management

Risk Intelligence is what you need to make astute decisions about risks that confront you.

With Risk Intelligence you will be able to:

  • know when something is risky
  • know how to systematically determine parameters of risk
  • Assess Danger from a Risk – and not be unduly swayed by Fear of that Risk
  • understand that those parameters do not fully define a risk. They identify a point on a gain and loss continuum
  • identify the handful of risks that make up 90% of the risk profile (key risks)
  • understand the mechanisms that the company uses to maintain a consistent rate of risk for each key risk, help to make sure that those mechanisms are maintained, and only expect that there will be deliberately agreed changes to the rate of risk for any key risk.
  • understand risk/reward analysis and cost/benefit analysis where the trade-offs are often a certain reduction in earnings vs. an uncertain reduction in future losses
  • discern when to trade short term certain gains for longer term uncertain but larger gains under conditions that could be repeated indefinitely for a tangible long term gain.
  • be aware of which risks the company is exploiting because they have the expertise and opportunity to make a good profit for the amount of risk taken and are able to notice when the opportunity to exploit has passed.
  • be aware of which risks the company is accepting and carefully managing to achieve a reasonable profit while avoiding unacceptable losses.
  • be aware of the risks that are unavoidable but that create little or no profits and that should be minimized at an acceptable cost.
  • Understand that people are generally optimistic and need to test plans against alternate future scenarios

Most Dangerous Risks

Posted July 31, 2018 by riskviews
Categories: Enterprise Risk Management, Risk Identification

The short story “The Most Dangerous Game” has always fascinated. Wikipedia lists dozens of adaptations for Radio, Movies and TV.  The story is about the most dangerous quarry for a hunter.

Insurers are not hunters, they do not exactly seek out risk.  Well, maybe they do seek risks. But insurers should be aware that some risks are more dangerous than others.

In late 2017, RISKVIEWS polled 200 insurance executives and they provided their opinion of how to rank a long list of risks that threaten insurers.  The polling software, found at allourideas.com, asks participants to rank pairs of items and uses a complex algorithm to create a ranking of the entire list.  These 200 executives, on the average, chose to rank about 80 pairs making a total of over 16,000 rankings performed.

The results were published on the web here.  The Top 10 risks were:

1 Cybersecurity & Cybercrime
2 IT/Systems & Tech Gap
3 Strategic Direction & Opportunities Missed
4 Pricing & Product Line Profit
5 Runaway frequency or severity of claims
6 Disruptive Technology
7 Customer needs not served by traditional approaches
8 Emerging Risks
9 Competition
10 Underwriting

And in mid 2018, RISKVIEWS looked around to find out what news there had been regarding each of the top risks and published the findings here.

A race between a motorcycle and a wheelbarrow

Posted May 2, 2018 by riskviews
Categories: Risk


Behavioral Finance / Behavioral Economics (BF for short) says that in general folks do a poor job of decision-making related to risk and finance.  There is quite a lot of analysis of systematic errors that their experimental subjects have been found to make.

In general, people are found to make IRRATIONAL choices.  RATIONAL choices are defined to be the choices that economists have found to be the best.  (The best in the world specified by the economists – not necessarily in the world that people actually live in.  But that is the subject for a different and long essay.)

This work is highly regarded and widely studied and quoted.  Kahneman and Smith received a Nobel Prize for the original development of BF in 2002 and Thaler received a Nobel prize for his advancements in the field in 2017.

But does it actually make sense?  As they pose the issue, it seems to.  But take a step back.  They are comparing economic decisions made by an economist to decisions made by folks with no training in economics.  If they follow the general protocols of psychology, they would have looked for subjects with the least amount of knowledge of finance and risk.

So should it be a surprise that the studied population did not do well in their study?  That they made systematic errors?

Imagine if you had a group of adults who had never been exposed to multiplication.  And you gave them a simple multiplication test.  Their answers would be compared to a group of math PhDs.  So for the most part, they would have been guessing at the answers to the questions.  If asked, they might well have felt good about their answers to some or all of the questions.  But it is highly likely that they would be wrong.

From this experiment, it would be concluded that people cannot answer multiplication problems.  The study might progress further and start to look at word problems, including word problems that represent everyday situations where multiplication is vital to getting by.  Oh no, people are found to be poor at this as well.

But the solution is not some grand theory about how people are flawed regarding multiplication.  The solution is math education!!!

On risk and finance, our society takes the position that in general we will not instruct people.  That the best way to learn risk is via experience.  And the best way to learn about finance is from a payday lender or a credit card past due debt collector.


Economists generally have PhDs.  And their course of study includes both risk and finance.  One topic, for example, is the math of finance.  Taught within that topic are many of the approaches to financial decision making that BF has found that people make IRRATIONALLY.  Another course that is generally required of economics PhDs is statistics.  One of the ideas usually covered in statistics is risk.  Even an introductory statistics course provides much more knowledge of risk than is needed to answer the BF questions.  So economists have had systematic instruction that allows them to give the RATIONAL answers to the BF questions.

A side note – the idea of RATIONAL used in BF is consistent with Utility Maximization – an economics theory that was first fully developed in 1947.  So even some economists might have failed the BF questions prior to that.

So instead of the conclusions reached by BF, RISKVIEWS would suggest a very simple alternative:

Teach people about Risk and Finance!

Did the Three Pigs have different Risk Tolerances?

Posted March 21, 2018 by riskviews
Categories: Enterprise Risk Management, Risk Appetite


Or did they just have a different view of the degree of risk in their environment?

3 Pigs. By Alex Proimos from Sydney, Australia – Three Little Pigs

Think about it. Is there any evidence that the first pig, whose house was made of straw, was fine with the idea of losing his house? Not really. More likely, he thought that the world was totally benign. He thought that there was no way that his straw house wouldn’t be there tomorrow and the next day. He was not tolerant of the risk of losing his house. He just didn’t think it would happen. But he was wrong. It could and did happen.

The second pig used sticks instead of straw.  Did that mean that the second pig had less tolerance for risk than the first pig?  Probably not.  The second pig probably thought that a house of sticks was sturdy enough to withstand whatever the world would send against it.  This pig thought that the world was more dangerous than the first pig.  He needed sticks, rather than straw to make the house sturdy enough to last.  He also was wrong.  Sticks were not enough either.

That third pig has a house of bricks.  That probably cost much more than sticks or straw and took longer to build as well.  The third pig thought that the world was pretty dangerous for houses.  And he was right.  Bricks were sturdy enough to survive.  At least on the day that the wolf came by.

The problem here was not risk tolerance, but inappropriate parameters for the risk models of the first two pigs. When they parameterized their models, the first pig probably put down zero for the number of wolves in the area. After all, the first pig had never ever seen a wolf. The second pig may have put down 1 wolf, but when he went to enter the parameter for how hard the wolf could blow, he put down “not very hard”. He had not seen a wolf either. But he had heard of wolves. He didn’t know about the wind speed of a full on wolf huff and puff. His model told him that sticks could withstand whatever a wolf could do to his house. When the third pig built his risk model, he answered that there were “many” wolves around. And when he filled in the parameter for how hard the wolf could blow, he put “very”. When he was a wee tiny pig, he had seen a wolf blow down a house built of sticks that had a straw roof. He was afraid of wolves for a reason.

Too Much Logic

Posted March 13, 2018 by riskviews
Categories: Change Risk, Enterprise Risk Management, Risk Appetite


Someone recently told RISKVIEWS that before a company could start a project to revitalize their risk governance structures they MUST update their Risk Appetite and Tolerance.  Because everything in an ERM program flows from Risk Appetite and Tolerance.  That suggestion is likely to be too much logic to succeed.

What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:

  1. The update project will never be completed.
  2. The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.

An organization will make a change when the pain of continuing on the existing course exceeds the pain of change. (paraphrased from Edgar Schein)

So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.

So you can think of the ERM program as the combination of several subsystems:

  • Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
  • Measurement – the models and other methods used to measure risk
  • Selection, Mitigation and Control – the processes that make up the every day activities of ERM
  • Capital Management – the processes that control aggregate risk including the ORSA.
  • Risk Reward Management – the processes that relate risk to prices and profits

When management of an organization is dissatisfied enough with any one of these sub systems, then they should undertake to revise/replace/improve those sub systems.

These sub systems are highly interconnected, so an improvement to one sub system is likely to increase dissatisfaction with another sub system.

For example, suppose the Governance sub system is not working: people are not fulfilling their ERM related responsibilities, which they may not really understand. When this sub system is set right, people are aware of their ERM responsibilities and then they find out that some of the other sub systems do not provide sufficient support for them. They get dissatisfied and urge an upgrade to another sub system. And so on.

This might well result in a very different order for updating an ERM program than the logical order.

However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.

Wave. By Malene Thyssen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=651071

There is insufficient evidence to support a determination of past actual frequency of remote events!

Posted November 28, 2017 by riskviews
Categories: Enterprise Risk Management

Go figure.  The Institute and Faculty of Actuaries seems to have just discovered that humans are involved in risk modeling.  Upon noticing that, they immediately issued the following warning:

RISK ALERT
MODEL MANIPULATION

KEY MESSAGE
There are a number of risks associated with the use of models:
members must exercise care when using models to ensure that the rationale for selection of a particular model is sound and, in applying that model, it is not inappropriately used solely to provide evidence to support predetermined or preferred outcomes.

They warn particularly about the deliberate manipulation of models to get the desired answer.

There are two broad reasons why a human might select a model.  In both cases, they select the model to get the answer that they want.

  1. The human might have an opinion about the correct outcome from the model.  An outcome that does not concur with their opinion is considered to be WRONG and must be corrected.  See RISKVIEWS discussion of Plural Rationality for the range of different opinions that are likely.  Humans actually do believe quite a wide range of different things.  And if we restrict the management of insurance organizations to people with a narrow range of beliefs, that will have similar results to restricting planting to a single strain of wheat.  Cheap bread most years and none in some!
  2. The human doesn’t care what the right answer might be. They want a particular range of results to support other business objectives. Usually these folks believe that the concern of the model – a very remote loss – is not important to the management of the business. Note that most people work in the insurance business for 45 years or less. So the idea that they should be concerned with a 1 in 200 year loss seems absurd to many. If they apply a little statistics knowledge, they might say that there is an 80% chance that there will not be a 1 in 200 year loss during their career. Their Borel point is probably closer to a 1 in 20 level, where there is a 90% chance that such a loss will happen at least once in their career.

They also suggest that there needs to be “evidence to support outcomes”.  RISKVIEWS has always wondered what evidence might support prediction of remote outcomes in the future.  For the most part, there is insufficient evidence to support a determination of past actual frequency of the same sort of remote events.  And over time things change, so past frequency isn’t always indicative of future likelihood, even if the past frequency were known.

One insurer, where management was skeptical of the whole idea of “principles based” assessment of remote losses, decided to use a two pronged approach. For their risk management, they focused on 95th percentile, 1 in 20 year losses. There was some hope that they could validate these values through observed data. For their capital management, they used the rating agency standard for their desired rating level.

Banks, with their VaR approach, have gone to an extreme in this regard. Their loss horizon is in days and their calibration period is less than 2 years. Validation is easy. But this misses the possibility of extremes. Banks only managed risks that had recently happened and ignored the possibility that things could get much worse, even though most risks that they were measuring went through multi year cycles of boom and bust.

At one time, banks usually used the normal distribution to extrapolate to determine the potential extreme losses.  The problem is Fat Tails.  Many, possibly all, real world risks have remote losses that are larger than what is predicted by the normal distribution.  Perhaps we should generalize and say that the normal distribution might be ok for predicting things that happen with high frequency and that are near the mean in value, but some degree of Fat Tails must be recognized to come closer to the potential for extreme losses.
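The career-horizon percentages quoted above and the Fat Tails point can be checked together in a short calculation. This is an added example, not from the original post: the lognormal stand-in for a fat-tailed model, the sample loss figures and all function names are assumptions chosen for illustration.

```python
from math import exp, log
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal, used for z-scores


def prob_at_least_once(return_period_years, horizon_years):
    """Chance that a 1-in-N-year loss happens at least once in the horizon.

    Assumes independent years, each with annual probability 1/N.
    """
    return 1.0 - (1.0 - 1.0 / return_period_years) ** horizon_years


def normal_quantile(median, loss_1_in_20, q):
    """Loss at percentile q for a normal model fitted to two observable
    points: the median and the 95th percentile (1-in-20) loss."""
    sd = (loss_1_in_20 - median) / STD_NORMAL.inv_cdf(0.95)
    return median + sd * STD_NORMAL.inv_cdf(q)


def lognormal_quantile(median, loss_1_in_20, q):
    """Same two calibration points, but a lognormal (heavier right tail).

    The lognormal is only one possible fat-tailed choice (assumption).
    """
    sigma = log(loss_1_in_20 / median) / STD_NORMAL.inv_cdf(0.95)
    return median * exp(sigma * STD_NORMAL.inv_cdf(q))


def tail_comparison(median, loss_1_in_20, return_periods=(20, 200, 1000)):
    """Rows of (return period, normal loss, lognormal loss, ratio)."""
    rows = []
    for n in return_periods:
        q = 1.0 - 1.0 / n
        thin = normal_quantile(median, loss_1_in_20, q)
        fat = lognormal_quantile(median, loss_1_in_20, q)
        rows.append((n, thin, fat, fat / thin))
    return rows


if __name__ == "__main__":
    career = 45  # working lifetime in years, as in the post
    for n in (200, 20):
        p = prob_at_least_once(n, career)
        print(f"1-in-{n} loss at least once in {career} years: {p:.1%}")

    # Constructed sample figures: median annual loss 100, 1-in-20 loss 300.
    print("return period | normal | lognormal | ratio")
    for n, thin, fat, ratio in tail_comparison(100.0, 300.0):
        print(f"1-in-{n:<5} | {thin:7.1f} | {fat:9.1f} | {ratio:.2f}")
```

Both models agree exactly at the 1-in-20 point, which is the only point that observed data could plausibly validate, yet they diverge further with each step into the tail.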

For a discussion of Fat Tails and a metric for assessing them (Coefficient of Risk) try this:  Fatness of Tails in Risk Models .

What is needed to make risk measurement effective is standards for results, not moralizing about process.  The standards for results need to be stated in terms of some Tail Fatness metric such as Coefficient of Risk.  Then modelers can be challenged to either follow the standards or justify their deviations.  Can they come up with a reasonable argument of why their company’s risk has thinner tails than the standard?

 

 

Don’t Ignore Ashby’s Law

Posted August 16, 2017 by riskviews
Categories: Enterprise Risk Management

Many observers will claim that complex systems are inherently fragile.  Some argue for simplifying things instead.  But one of the main reasons why many man-made complex systems are fragile is that we often ignore Ashby’s Law.

Ashby’s Law is also known as the Law of Requisite Variety.  It is so powerful that it is sometimes called the first law of cybernetics.

Basically, Ashby’s Law states that to be fully effective, a control system must have as much variety as the system being controlled. The control system must be as complex as the system being controlled.

So man-made complex systems often evolve when people decide to add more and more functionality – more variety – to existing systems.  Sometimes this includes linking up multiple complex systems.

But humans are really clever and they tend to save time and money by not bothering to even figure out what additional controls are needed to make a newly enhanced system secure.  There is often not any appreciation of how much more control is needed when two complex systems are combined.

But look at the literature regarding company mergers and acquisitions.  The literature keeps saying that the majority of this activity destroys value.  Sometimes that is because the two organizations have incompatible cultures.  Executives are becoming aware of that and activities to create a single new culture are sometimes included in post merger activity lists.

But there is an aversion to recognizing that there needs to be much more spending on control systems. Most often in a merger, there is a reduction in the number of people assigned to internal controls, either directly or within a line function. This is usually expected to be one of the synergies or redundancies that can be eliminated to justify the purchase price.

But in reality, if the new merged entity is more complex than the two original firms, the need for control, as expressed under Ashby’s Law, is greater than the sum of the two entities.

Merging without recognizing this means that there is an out of the money put being embedded in the merged entity.  The merged entity has lower control expenses than it should for a time.  And maybe, just maybe, it will experience major problems because of the inadequate controls.

 

Risk and Reward are not relatives

Posted July 1, 2017 by riskviews
Categories: Enterprise Risk Management

A recent report on risk management mentions near the top that risk and reward have a fundamental relationship. But experience tells us that is just not at all true in most situations.

The first person (that RISKVIEWS can find) to comment on that relationship was the great economist Alfred Marshall:

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
1890 Principles of Economics

That seems to be a very realistic characterization of the relationship – one of hope.  But his statement has been heavily distorted through the years.  Many have come to believe that if you increase risk then you also, automatically, increase reward.  Or that if you want increased reward that you must increase risk.

Perhaps the risk reward relationship is a simple arithmetic statement.  Made by those who believe that all economic actors are rational.  And by rational, they mean that they make choices to maximize expected value.

So if all of the choices that you actively consider have a positive expected value, then those with higher risk will have to have higher rewards to keep the sum positive.  (Alternately, risks would have much lower likelihood than gains – but this hardly seems to fit in with the concept of higher risks.)

So perhaps the “relationship” between risk and reward is this:

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.

But isn’t that the rub?  Can we reliably determine risk, reward and their likelihood for most opportunities?

But then there is another issue.  For a single opportunity, the outcome will either be a loss or a gain.  If there is higher risk, the likelihood or amount of loss is higher.  So if there is higher risk, there is a higher chance of a loss or a higher chance of a larger loss.

So by definition, an opportunity with higher risk may just produce a loss. And either the likelihood or amount of that loss will, by definition, be higher.  No reward – LOSS.

Now, you can reduce the likelihood of that loss by creating a diversified portfolio of such opportunities.  And by diversified, read unrelated.

So the rule above needs to be amended…

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.  To reliably achieve a higher reward, rather than more losses, it is necessary to choose a number of these opportunities that are unrelated.  
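The amended rule can be made concrete with an exact calculation. This is an added example, not from the original post: the opportunity parameters (60% chance of gaining 100, 40% chance of losing 100) are constructed, and the function names are illustrative assumptions.

```python
from math import comb


def expected_value(p_gain, gain, loss):
    """Expected value of one opportunity: win `gain` or lose `loss`."""
    return p_gain * gain - (1.0 - p_gain) * loss


def prob_net_loss_independent(n, p_gain, gain, loss):
    """Exact chance that n unrelated, identical opportunities together
    end in a net loss (binomial sum over the number of winners)."""
    total = 0.0
    for wins in range(n + 1):
        net = wins * gain - (n - wins) * loss
        if net < 0:
            total += comb(n, wins) * p_gain ** wins * (1.0 - p_gain) ** (n - wins)
    return total


def prob_net_loss_related(p_gain):
    """Fully related opportunities all win or all lose together, so
    holding more of them does not change the chance of a net loss."""
    return 1.0 - p_gain


if __name__ == "__main__":
    # Constructed opportunity with a positive expected value.
    p_gain, gain, loss = 0.6, 100, 100
    print(f"expected value per opportunity: {expected_value(p_gain, gain, loss):.0f}")
    print("   n | P(net loss), unrelated | P(net loss), fully related")
    for n in (1, 5, 25, 100):
        unrelated = prob_net_loss_independent(n, p_gain, gain, loss)
        related = prob_net_loss_related(p_gain)
        print(f"{n:4d} | {unrelated:22.4f} | {related:.4f}")
```

A single opportunity ends in a loss 40% of the time despite its positive expected value; only the unrelated portfolio drives that chance down as it grows.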

Realize that we are talking about Knightian risk here. Risk where the likelihood is knowable. For Knightian Uncertainty – where the likelihood is not knowable – this is much more difficult to achieve. Investors and business people who realize that they are faced by Uncertainty will usually Hope for even greater gains. They require higher potential returns. And/or set higher prices.

The issue is that in many cases, humans will make mistakes when assessing likelihood of uncertainty, risk and reward (see Restaurant failure rate). There are quite a number of reasons for that. One of my favorites is survivor bias in our data of comparables (They just don’t make them like they used to). We also overestimate our chances of success because we overrate our own capabilities (see Lake Wobegon, above average children). And to achieve that portfolio diversification effect, we need to be able to also reliably assess interdependence (see mortgage interdependence, 2008).

The real world problem is that aside from lottery tickets, there are very few opportunities where the likelihood of losses is actually knowable.  So risk and reward are not necessarily related.  Except perhaps in the way that all humans are related . . . through Adam (or Lucy if you prefer).

How to manage Risk in Uncertain Times

Posted June 8, 2017 by riskviews
Categories: Enterprise Risk Management

The biologist Holling saw that natural systems went through phases.  One view of those four phases is:

  1. Rapid Growth
  2.  Controlled Growth
  3. Collapse
  4. Reorganization

The phase will usually coincide with an environment that encourages that sort of activity.  The fourth phase, Reorganization, coincides with an Uncertain environment.

Since the financial crisis of 2008, many aspects of our economies and our societies have drifted in and out of the Uncertain environment.  We have been living in an historical inflection point.  The post WWII world, both politically and economically, may be coming to an end.  But no new regime has emerged to take its place.  Difficult times for making long term plans and long term commitments.

And that describes the best approach to risk management in Uncertain times.  Avoid long term and large commitments.  Keep short term, stay diversified.  Returns will not be great that way, but losses will be small and the chance of a devastating loss smaller.

Sooner or later things will clarify and we will move out of uncertainty.  But one of the things that keeps us in an uncertain stage is the way that people act as if somehow, they have a right to something more certain.  Most often they are hoping for a return to a controlled growth phase.  When the careful are rewarded modestly.  Some long for the return to the boom phase when a few are rewarded greatly.

But right now, it makes the most sense to not count on that and to accept that we will have uncertainty for some time to come.

For more on Uncertainty see these posts

Keys to ERM – Adaptability

Posted April 3, 2017 by riskviews
Categories: Black Swan, Change Risk, Enterprise Risk Management, Resilience, Risk Management System


Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Keys to ERM – Alignment

Posted February 15, 2017 by riskviews
Categories: Enterprise Risk Management

ERM is focused on Enterprise Risks. Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute its plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a path for alignment of the risk management with the strategic objectives of the firm.

Read More about ERM Tools for Alignment at WillisTowersWatsonWire Blog.

And on RISKVIEWS with

Linking Strategy and ERM – The Final Frontier

Risk Appetite is the Boundary

Updating your Risk Register

Posted January 26, 2017 by riskviews
Categories: Enterprise Risk Management, Risk Identification


It is quite easy for an ERM program to become irrelevant.  All it takes is for it to stay the same for several years.  After just a few years, you will find that your risk management processes are focused upon the issues of several years ago.  You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing.  Some risks are becoming more dangerous while for others the danger is receding.  No firm anywhere has an unlimited budget for risk management.  So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register.  That is a hard message to sell.  Risk Identification is seen by most as the first baby step in initiating an ERM program.  How could a well developed, sophisticated ERM program need to go back to the first baby step?

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register.  That is because risk management is fundamentally a cycle rather than a one-way development process.  We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise.  For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.


2017’s most dangerous risks for insurers

We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”


Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.

Keys to ERM – Discipline

Posted January 11, 2017 by riskviews
Categories: Enterprise Risk Management


There are four keys to ERM – The second is Discipline

Discipline is tightly linked with Transparency, another Key to ERM.  Transparency helps to encourage and enforce Discipline.

There are three ways that Discipline is Key to ERM.

Enterprise risk management brings discipline to the mitigation of individual risks and to aggregate risk management, and it also promotes a disciplined commitment to a comprehensive approach to risk management.

Enterprise risk management brings the discipline to risk management by making explicit plans for managing risk and then following up, checking on the execution of those plans, and reporting the results of those checks. To some, this seems like lots and lots of needless redundancy, but they miss the point. Discipline makes risk management reliable instead of being another wild card in an uncertain world.

ERM encourages insurers to clearly state their approach to risk as well as the amount and types of risks that they will accept. Clear and coherent communication is an often-underappreciated discipline that is much more difficult than it appears. ERM provides a script and outline that makes it easier to speak clearly about risk and risk management.

ERM always starts with a risk identification and prioritization step, so that while all risks are considered, time and resources are used wisely by focusing only on the most significant risks.

Discipline is unlikely to be maintained in secret. Because of Transparency, it is easily and widely known when Discipline falters.   Insurers that want to have an effective and Disciplined ERM program will have both Discipline AND Transparency.

This is an excerpt from Discipline is key to ERM on the WTW Wire Blog.

Keys to ERM – Transparency

Posted November 16, 2016 by riskviews
Categories: Enterprise Risk Management


There are four keys to ERM.  The first is Transparency.

In traditional risk management situations, the degree to which risk is tightly controlled or loosely allowed is often a personal decision made by the middle manager who “inherited” the responsibility for a particular risk. That person may make the best decision based on full knowledge of the nature of the risk and the availability and cost of mitigation of the risk, or they might just choose an approach based on poor or even inaccurate information because that is the best that they can find with the time they can spare.

Enterprise risk management (ERM) is a commitment to executive and board attention to the important risks of the firm. In a fully realized ERM, the risk profile of the firm and the plans to change or maintain that profile from one year to the next—while exploiting, managing, limiting or avoiding various risks in ways that are tied to the firm’s  strategy—are shared among the management team and with the board.

In the best programs, the risk profile and risk plans are not only shared, they are a topic of debate and challenge. These firms realize that a dollar of profit usually has the exact same value as a dollar of loss, so they conclude that risk management, well-chosen and executed, can be as important to success as marketing.

A clever math student may be able to just write down the answer, but teachers often insist that students show their work to get credit.

Take-Away:
“Show your work” is the idea of ERM
Show steps of and thinking behind risk management process.
Helps others understand intent and determine whether objectives are being met.

More about Transparency about risk and risk management and how it is important to executive management, to the board and to middle managers on Willis Towers Watson Wire.

Who is interested in ERM?

Posted October 20, 2016 by riskviews
Categories: Enterprise Risk Management

[Image: enterprise-rm-map]

The map above is from Google Trends.  It shows the frequency of Google searches for the term ERM over the past year.  Darker blue means more searches.  No blue means no searches.

You can interpret the 12 states with no searches two ways:

  • Folks in these states already know enough about ERM and have no need to search for more.
  • Folks in these states have no interest in ERM.

Either way, an interesting map.

Risk Trajectory – Do you know which way your risk is headed?

Posted July 25, 2016 by riskviews
Categories: Enterprise Risk Management, Risk Appetite, Risk Environment, Risk Management System


Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bear risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a business's risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
  2. Your capacity to bear risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

Linking Strategy and ERM – The Final Frontier

Posted July 19, 2016 by riskviews
Categories: Enterprise Risk Management

4 steps to linking strategy and ERM

Many organizations have used the concepts and practices of Enterprise Risk Management to improve the control of their major risks. If applied properly, ERM will improve the transparency and discipline of risk management.  With a risk management regime that is transparent and disciplined, management should begin to notice whether it is aligned with company objectives…whether it is linked with strategy.  When linked with strategy, ERM can act like the crew on a catamaran who lean against the tilt of the boat in heavy wind.  Or to use another nautical analogy, can be the keel of the boat that helps to keep it upright.  The aligned ERM program will not be heavy cargo stacked on the deck, nor will it act like the passengers who run to the low side of the boat.

And better still, ERM can help the boat to get where it is going by helping to choose a path between or around the rocks.  But insurer strategies vary widely, so it seems logical that the linkage of ERM with strategy will vary.  And that may be the reason that there is so much difficulty with the process of aligning strategy and ERM.  Too much advice that focuses on just one way to accomplish that – one way that will work best with just one of the dozens of existing insurer strategies.

4 steps to linking strategy and ERM continues this discussion on the Willis Towers Watson blog.

You have to show up

Posted June 20, 2016 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, ERM, Insurance Risk

Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.

When risk management is successful, there is no bell that rings.  There are no fireworks.  Usually, a successful risk management moment is evidenced by a lack of big surprises.

But most days, big surprises do not happen anyway.

So if risk managers want to be appreciated for their work, they have to do much more than just show up.  They need to build up the story around what a very good day looks like.

  • One such story would be that a very good day might happen when the world experiences a major catastrophe.  A catastrophe that is in the wheelhouse of the firm.  And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
  • In 2011, there were major earthquakes in New Zealand, Japan and Chile.  One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year.  They credited that result to a risk management process that had them limiting their exposure to any one zone.  A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.

With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!

But to do that, they need to be sure to show up.

Management by Onside Kick

Posted June 6, 2016 by riskviews
Categories: Credit Risk, Data, Decision Makng, Enterprise Risk Management, Hedging, Uncategorized


Many American football fans can recall a game when their team drove the ball 80 or more yards in the waning moments of the game to pull within a touchdown of the team that had been dominating them. Then they call for the onside kick – recover the ball and charge to a win within a few more plays.

But according to NFL stats, that onside kick succeeds only 20% of the time in the waning minutes of the game.

Mid game onside kicks – that are surprises – work 60% of the time.

But mostly it is the successful onside kicks that make the highlights reel. RISKVIEWS guesses that on the highlights those kicks are 80% or more successful.

And if you look back on the games of the teams that make it to the Super Bowl, they probably were successful the few times that they called that play.

What does that mean for risk managers?

Be careful where you get your statistics. Big data is now very popular. Winners use Big Data. So many conclude that it will give better indications. But make sure that your data inputs are not from highlight reels or from the records of the best year for a company.

Many firms use default data collected by rating agencies for example to parameterize their credit models. But the rating agencies would point out that the data is from rated companies only. This makes little difference for rated Bonds. There the bonds are rated from issue to maturity or default. But if you want to build a default model of insurers or reinsurers then you need to know that many insurers and some reinsurers will drop their rating if it falls below a level where it hurts their business. So ratings transition statistics for insurers are more like the highlight reels below a certain level.

Some models of dynamic hedging strategies were in effect taking the mid game success rates and assuming that they would apply in bad times. But like the onside kick, things worked very differently.

So realize that a business strategy and especially a risk mitigation strategy may work differently when things have gone all a mess.

And an onside kick is nothing more than putting the ball in play and praying that something good will happen.
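The rating-withdrawal effect described in this post can be illustrated with a small cohort calculation. This is an added example, not part of the original post: the grades, transition probabilities and withdrawal share are constructed, and it assumes that firms which drop their rating keep the same true default risk and never regain a rating.

```python
# True one-year transition probabilities (constructed, not real agency data).
# "BB" stands for any grade below the level where a rating hurts the business.
GRADES = ("A", "BBB", "BB")
TRUE_MATRIX = {
    "A":   {"A": 0.900, "BBB": 0.080, "BB": 0.015, "D": 0.005},
    "BBB": {"A": 0.050, "BBB": 0.850, "BB": 0.080, "D": 0.020},
    "BB":  {"A": 0.000, "BBB": 0.050, "BB": 0.800, "D": 0.150},
}


def _step(mass):
    """Move one year forward; return (new mass by grade, mass that defaulted)."""
    new = {g: 0.0 for g in GRADES}
    defaulted = 0.0
    for grade, m in mass.items():
        for target, p in TRUE_MATRIX[grade].items():
            if target == "D":
                defaulted += m * p
            else:
                new[target] += m * p
    return new, defaulted


def cumulative_default(start_grade, years, withdraw_share):
    """Return (true, recorded) cumulative default fractions for a cohort.

    withdraw_share is the share of rated firms sitting in "BB" at each year
    end that drop their rating. Their later defaults still happen, but they
    never reach the rating agency's statistics.
    """
    rated = {g: 1.0 if g == start_grade else 0.0 for g in GRADES}
    unrated = {g: 0.0 for g in GRADES}
    recorded = hidden = 0.0
    for _ in range(years):
        rated, d_seen = _step(rated)
        unrated, d_unseen = _step(unrated)
        recorded += d_seen
        hidden += d_unseen
        leaving = rated["BB"] * withdraw_share
        rated["BB"] -= leaving
        unrated["BB"] += leaving
    return recorded + hidden, recorded


if __name__ == "__main__":
    for share in (0.0, 0.3, 0.6):
        true_rate, recorded_rate = cumulative_default("BBB", 10, share)
        print(f"withdraw {share:.0%}: true 10y default {true_rate:.1%}, "
              f"recorded {recorded_rate:.1%}")
```

A credit model parameterized on the recorded figure inherits the gap between the two columns, and that gap widens as more weak firms leave the rated population.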

Have you become “Nose Blind” to deficiencies in your ERM program?

Posted May 16, 2016 by riskviews
Categories: Enterprise Risk Management

You may have seen the commercial for the room freshener about becoming “Nose Blind” to odors.

Well, the same thing happens all the time, even in good ERM programs.

In the early days of ERM, the smart CRO is willing to take the victories that they can get and not let the “perfect be the enemy of the good”. And if they do it right, they will end up with an ERM program much faster than the perfectionist CRO and his two or three successors.

But, that CRO will eventually become “nose blind” to the weak spots in ERM. Just as a long term homeowner who goes to sell a house and has a hard time believing that new buyers cannot just step over that bad spot on the floor just as they have been doing for 10 years.

That is the reason that an outside audit of an ERM program is needed every so often.  The outside audit brings in a fresh nose.  But you need to be careful in charging the auditor.

There are two aspects of the ERM program that the auditor needs to look for:

  1. Poor execution of the ERM Framework
  2. Incomplete ERM Framework

And the nose blindness might apply in either aspect.  The CRO may have become nose blind to the places where someone is doing a weak job of execution.  Again, this may have been the area that was least supportive of ERM when the program was new.  So due to steady opposition, the CRO eventually just learns to live with whatever the managers in that area are willing to do, however minimal and ineffective.  And the CRO could be responsible for choosing to not attempt some normal parts of an ERM program when they are first making up the ERM Framework of the company.  Or, the standard that was initially used as the template for the ERM Framework might not have been very good for the types of risks that are taken by the company.  For example, the COSO ERM standard is intended to be applicable to all sorts of firms.  Its advice is fairly generic.  An insurer is a firm whose business it is to accept financial responsibility for other people’s risks.  There are a number of ERM standards developed specifically for insurers.  But an insurer that uses the COSO ERM standard as its sole guide will have difficulty achieving the level of ERM program maturity of those who followed insurance specific standards.

For those without the budget to hire an outside auditor, two techniques can help you to clear the air and smell things with a fresh nose:

  1. For execution issues, ask your folks to do peer audits of each other.  When people from your weakest area see the level of practice in another area, they will get some sense of what they are missing.  And when the people from the strongest execution area do an audit of another area, their best practices can be spread more widely.
  2. Review your ERM Framework against a different standard than the one that you used to create it.  Do not pull punches, if that different standard says to do something in a certain manner, mark your framework as potentially deficient if you are not operating in that manner.  Then work to honestly resolve these issues.  These alternate standards may have their own area of nose blindness, but they would never have risen to standard status unless they had some serious benefits for the users.

Frequency and Severity

Posted April 19, 2016 by riskviews
Categories: Enterprise Risk Management

There are not any statistics available, but some form of guessing frequency and severity for each risk is most likely the most popular approach to risk assessment.

Which is a problem, since that approach is fatally flawed.

There are at least three fatal flaws:

  1. Guessing is a weak approach to assessing anything.
  2. The Frequency/Severity idea only actually applies to a few rare situations.
  3. Frequency/Severity pairs are not actually comparable.

But there is a simple fix for this.  That fix would be to pick two levels of frequency and then determine the loss that is likely at both levels of frequency.  Most useful would be to look at worse losses that might occur under “Normal Volatility” and also look at the losses for each risk that would be considered a “Realistic Disaster”.  Losses from different risks CAN be compared on each of those two levels.

For more information about the Frequency Severity approach and this alternate approach, see:

For ERM, a Better Solution to Guessing Frequency and Severity Pairs for Risks on the Willis Towers Watson Wire

Real World Risks

Posted December 16, 2015 by riskviews
Categories: Black Swan, Enterprise Risk Management, Risk


There are many flavors of Risk Management.  Each flavor of risk manager believes that they are addressing the Real World.

  • Bank risk managers believe that the world consists of exactly three sorts of risk:  Market, Credit and Operational.  They believe that because that is the way that banks are organized.  At one time, if you hired a person who was a banking risk manager to manage your risks, their first step would be to organize the risk register into those three buckets.
  • Insurance Risk Managers believe that a company’s insurable risks – liability, E&O, D&O, Workers Comp, Property, Auto Liability – are the real risks of a firm.  As insurance risk managers have expanded into ERM, they have adapted their approach, but not in a way that could, for instance, help at all with the Credit and Market risk of a bank.
  • Auditor Risk Managers believe that there are hundreds of risks worth attention in any significant organization. Their approach to risk is often to start at the bottom and ask the lowest level supervisors.  Their risk management is an extension of their audit work.  Consistent with the famous Giuliani broken windows approach to crime.  However, this approach to risk often leads to confusion about priorities and they sometimes find it difficult to take their massive risk registers to top management and the board.
  • Insurer Risk Managers are focused on statistical models of risk and have a hard time imagining dealing with risks that are not easily modeled such as operational and strategic risks.  The new statistical risk managers often clash with the traditional risk managers (aka the underwriters) whose risk management takes the form of judgment based selection and pricing processes.
  • Trading Desk Risk Managers are focused on the degree to which any traders exceed their limits.  These risk managers have evolved into the ultimate risk takers of their organizations because they are called upon to sometimes approve breaches when they can be talked into agreeing with the trader about the likelihood of a risk paying off.  Their effectiveness is viewed by comparing the number of days that the firm’s losses exceed the frequency predicted by the risk models.

So what is Real World Risk?

Start with this…

Top Causes of death

  • Heart disease
  • stroke
  • lower respiratory infections
  • chronic obstructive lung disease
  • HIV
  • Diarrhea
  • Lung cancers
  • diabetes

Earthquakes, floods and Hurricanes are featured as the largest insured losses. (Source III)

[Image: Cat Losses]

Note that these are the insured portion of the losses.  The total loss from the Fukushima disaster is estimated to be around $105B.  Katrina total loss $81B. (Source Wikipedia)

Financial Market risk seems much smaller.  When viewed in terms of losses from trading, the largest trading loss is significantly smaller than the 10th largest natural disaster. (Source Wikipedia)

[Image: Trading Losses]

But the financial markets sometimes create large losses for everyone who is exposed at the same time.

The largest financial market loss is the Global Financial Crisis of 2008 – 2009.  One observer estimates the total losses to be in the range of $750B to $2000B.  During the Great Depression, the stock market dropped by 89% over several years, far outstripping the 50% drop in 2009.  But some argue that every large drop in the stock market is preceded by an unrealistic run up in the value of stocks, so that some of the “value” lost was actually not value at all.

If your neighbor offers you $100M for your house but withdraws the offer before you can sell it to him and then you subsequently sell the house for $250k, did you lose $99.75M?  Of course not.  But if you are the stock market and for one day you trade at 25 times earnings and six months later you trade at 12 times earnings, was that a real loss for any investors who neither bought nor sold at those two instants?

So what are Real World Risks?

Comments welcomed…

Real World Risk Institute

Posted November 28, 2015 by riskviews
Categories: Enterprise Risk Management

They work first to develop

the principles and methodology for what we call real-world rigor in decision making and codify a clear-cut way to approach risk.

Then they offer to teach those principles and methods to a small group of students.

They are

  • 2 risk takers, former full-time traders (with combined experience of more than half a century)
  • 2 persons known to have an attitude problem
  • 6 PhDs (quant/math), 4 businessmen/quants/advisors to hedge funds, 2 owners of analytics firms (competing with one another)
  • 2 UHNWI (Ultra High Net Worth Individuals)
  • 4 persons who specialize in tail events in both theory and real-life practice
  • More than 25 books, and around 500 scholarly publications
  • 4 are probabilists with deep enough a knowledge of probability to respect practice and explain things with concepts and pictures

Their leader is Nassim Taleb, author of The Black Swan and other books.

They are offering a MINI-CERTIFICATE IN REAL WORLD RISK MANAGEMENT* Feb 22-26 2016, New York City, 9 AM-5 PM.

Find them at Real World Risk Institute

Inequality and Lotteries

Posted October 21, 2015 by riskviews
Categories: Compensation


There has been much talk about how unacceptable the degree of financial inequality in the US is.  And it seems to be getting worse and worse.

But what we have seems to be exactly what most people want in general.  Probably the only part of it that most people would change is the part where they personally are not one of the fortunate wealthy few.

The lottery is the perfect example of a mechanism to achieve an unequal society.

Everyone buys a ticket for a small amount of money.  The jackpot grows until it reaches $301 million.  The winner is drawn.  The result is one rich person with $301M and everyone else goes back to their regular life and stops dreaming about becoming that one rich person – for a week at least.

If that happens several times a year and everyone is either a winner or has a low to moderate job, then a vastly unequal society develops.

After one year, there will be 3 – 4 multi-millionaires and the entire rest of the population will have wealth that is a tiny fraction of those ultra rich.  After a decade, the ranks of the ultra rich will have grown to 30 or 40.  At that point, the top .000001% of the population will have .03% of the total wealth.

Each year, the country will grow more and more unequal, with a tiny fraction of the population commanding an ever growing proportion of the total wealth.

But that is why there is no uprising against the super rich.  Everyone else believes that they might one day hit the lottery and win their position in that group.  And when that happens, they do not want a tax regime, for instance, that will just take their riches away.

No Reward without Risk

Posted September 29, 2015 by riskviews
Categories: Business, Enterprise Risk Management


Is that so? Well, only if you live in a textbook. And RISKVIEWS has not actually checked whether there really are text books that are that far divorced from reality.

Actually, in the world that RISKVIEWS has inhabited for many years, there are many real possibilities, for example:

  • Risk without reward
  • Reward without risk
  • Risk with too little Reward
  • Risk with too much Reward
  • Risk with just the right amount of reward

The reason why it is necessary to engage nearly everyone in the risk management process is that it is very difficult to distinguish among those and other possibilities.

Risk without reward describes many operational risks.

Reward without risk is the clear objective of every capitalist business.  Modern authors call it a persistent competitive advantage, old school name was monopoly.  Reward without risk is usually called rent by economists.

Risk with too little reward is what happens to those who come late to the party or who come without sufficient knowledge of how things work.  Think of the poker saying “look around the table and if you cannot tell who is the chump, it is you.”  If you really are the chump, then you are very lucky if your reward is positive.

Risk with too much reward happens to some first comers to a new opportunity.  They are getting some monopoly effects.  Perhaps they were able to be price setters rather than price takers, so they chose a price higher than what they eventually learned was needed to allow for their ignorance.  Think of Apple in the businesses that they created themselves.  Their margins were huge at first, and eventually came down to …

Risk with just the right amount of reward happens sometimes, but only when there is a high degree of flexibility in a market – especially no penalty for entry and exit.  Sort of the opposite of the airline industry.

No Reward Without Risk

Comparing Eagles and Clocks

Posted August 11, 2015 by riskviews
Categories: Enterprise Risk Management


Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify an HML (high/medium/low) rating for Frequency and Severity for each risk. But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk. Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor. However, this process is frankly meaningless. It is like multiplying the number of carrots by the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk. They can each be compared across all of the risks. That is, you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a realistic disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters. You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at them consistently with other risks.

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:

[Image: Helsinki city bikes]

Or two birds:

[Image: ISU mute swans]

But you cannot compare a bird and a Clock:

[Image: Adalberti 1]

[Image: Bahnsteiguhr]

And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons – https://commons.wikimedia.org/wiki/File:Adalberti_1.jpg#/media/File:Adalberti_1.jpg

Separation of Risk Taking and Reporting

Posted July 23, 2015 by riskviews
Categories: Enterprise Risk Management

The separation of Risk Reporting from risk taking is a key tenet of ERM and especially of bank risk culture. The idea is that someone other than the person who is judged for the P&L of risks must be the one who reports on risk positions.

If looked at from a logical perspective, this must be because business unit people, such as risk traders, are not to be trusted. When faced with the opportunity, they will lie about their risk positions.

This might be because the people who might be doing the false reporting believe that what they are doing is ok because there is something different between risk and profit. Risk is about the future. A measure of risk is ephemeral. It exists in a moment and is never proven by experience. In most cases, risk either becomes a loss or it evaporates to nothingness. It is that latter sense that tempts the traders and other risk misreporters. In their reckoning, “no harm, no foul”. If the risk didn’t become a loss, it really doesn’t matter what number we wrote down for it. And if there is a loss, what is important is the amount of the loss, not the potential loss that we call the risk measure. They may consider themselves to be realists.

Profits are different, aren’t they? They are about the past. So when they are recorded, profits are facts, aren’t they? Well, no, not really. Profits usually depend upon several estimates of provisions for future contingencies. Sarbanes-Oxley, in the US, has set up a massive system that leads to a statement by the CEO that the financial reports, the reports of profits, are correct. So for profits, the CEO can be the ultimate arbiter if the company spends enough time following auditing procedures. The CEO can be trusted to report on his or her own profits, usually a key determinant in compensation. But for Risk, many call for a CRO who is independent of the CEO, who reports directly to the board, so that this independence of risk reporting and risk taking can be maintained at every level. The presumption is that the CEO does not believe in ERM, so will be tempted to apply the “no harm, no foul” principle from time to time.

This is evidence of a broken risk culture, not a part of an effective risk culture.

That line of thinking means that in general, management and especially the traders do not believe in the risk management program of the organization. It means that no one actually believes that it is important whether the bank stays within its risk tolerance. That if a risk trader were to lie about their risk position and make a profit because the risk did not become a loss, that the organization would not fire or censure or probably even sincerely reprimand the trader as a matter of policy. And the manager who gave the “reprimand with a wink” would be considered the real carrier of the company culture rather than the risk management person who pointed out the misrepresentation. That risk management person would be considered in league with the regulators, not the bank. A member of the Business Prevention Squad.

That is not the reaction of a bank to most dishonest actions. For example, if someone in a bank were caught walking out of work one day with their pockets stuffed with cash, that person would doubtless be sacked immediately and turned over to the police. But if a risk trader misstates their risk position, and because of that misstatement is able to maintain a risk position that they otherwise would have had to sell or offset, and that leads to them walking out of the bank with a large (sometimes extremely large) check, then that dishonesty is ok. It is ok because “no harm, no foul”. Which is the same as saying that the bank does not really believe in one of the central tenets of risk management. That is the idea that your risk evaluation is a good indicator of your expected losses over time. Which leads to the belief that limiting the potential loss indicated from risk evaluation will, over the long haul, limit the losses.

That is what is totally wrong about the Risk Culture discussion from the regulators as epitomized in the FSB paper on Risk Culture. In that document, regulators are urged to perform evaluation of the risk culture of the bank. But the evaluation is all about assessing whether banks are going through the motions of a good risk culture. It includes the separation of risk reporting and risk taking as one of the key components of a strong risk culture. By this approach, the regulators are acknowledging that the banks will never actually reform their cultures to the extent that they will actually expect their employees not to lie about their activities. They are, in effect, saying that the key financial services of the advanced economies of the world should be expected to always operate in such a manner.

The most important aspect of risk management culture is whether the board and management believe in the importance of ERM. If they believe in ERM, they will execute as competently as they execute most other important functions. If they do not believe in ERM, telling them in detail how to execute ERM is of little impact.  And the aspect of risk culture called “Tone at the Top” will be delivered without a wink.

Knowing the results from Stress Tests in Advance

Posted July 13, 2015 by riskviews
Categories: Enterprise Risk Management, Stress Test


Insurers and regulators need to adopt the idea of characterizing stress test scenario frequency as:

  • Normal Volatility
  • Realistic Disaster
  • Worst Case

Or something equivalent.

The idea is that it is reasonable for an insurer to prepare for a Realistic Disaster Scenario, but not practical to be prepared for all Worst Case scenarios. Not practical because the insurance would cost too much and less insurance would be sold.

With such a common language about frequency relating to stress tests, the results of the stress testing and the response to those results can make much more sense.

The outcomes of stress testing then fall into a pattern as well.

  • An insurer should be able to withstand normal volatility without any lasting reduction to capital.
  • An insurer should be able to withstand a Realistic Disaster for most of their risks without a game-changing impairment of capital, i.e. it would be realistic for them to plan to earn their way back to their desired level of capital. For the most significant one or two risks, a Realistic Disaster may result in Capital impairment that requires special actions to repair. Special actions may include a major change to company strategy.
  • An insurer can usually withstand a Worst Case scenario for most of their risks with the likelihood that for some, there will be an impairment to capital that requires special actions to repair. For the largest one or two risks, the insurer is unlikely to be able to withstand the Worst Case scenario.

Those three statements are in fact a requirement for an insurer to be said to be effectively managing their risks.

So the ORSA and any other stress testing process should result in the development of the story of what sorts of stresses require special management actions and what types result in failure of the insurer. And for an insurer with a risk management program that is working well, those answers should be known for all but one or two of their risks. Those would be the second and third largest risks. An insurer with a perfect risk management program will not have very much daylight between their first, second and third largest risks and therefore may well be able to survive some worst case scenarios for even their largest risks.

