Risk Reporting Conflict of Interest

Posted March 2, 2015 by riskviews
Categories: Compensation, Enterprise Risk Management, Swine Flu


We give much too little consideration to the potential for conflict of interest in risk reporting.

Take for instance weather risk reporting.


"Sneeuwschuiver". Licensed under CC BY-SA 2.5 via Wikimedia Commons

Many of the people who report on Weather Risk have a financial interest in bad weather.  Not that they own snow plowing services or something.  But take TV stations for example.  Local TV station revenue is largely proportional to their number of viewers.  Local news and weather are often the sole part of their schedule that they produce themselves and therefore get all or almost all of the revenue.  And viewership for local news programs may double with an impending snowstorm.  So they have a financial interest in predicting more snow.  The Weather Channel has the same dynamic, but a wider area from which to draw to find extreme weather situations.  But if there is any hint of a possible extreme weather situation in a major metropolitan area with millions of possible viewers, they have a strong incentive to report the worst case possibility.

This past January, there were some terrible snow forecasts for New York and Philadelphia:

For the Big Apple, the great Blizzard of 2015 was forecast to rival the paralyzing 1888 storm, dubbed the White Hurricane. Up to three feet of snow was predicted. Reality: About 10 inches fell.

The forecast in Philadelphia wasn’t any better – and arguably worse. Up to 14 inches of snow were forecast. The City of Brotherly Love tallied roughly 2 inches, about the same as Washington, D.C.

Washington Post,  January 27, 2015

In other cases, we go to the experts to get information about possible disasters from diseases.  But their funding depends very much on how important their specialty is seen to be to the politicians who approve their funding.

In 2005, the Bird Flu was the scare topic of the year.

“I’m not, at the moment, at liberty to give you a prediction on numbers, but I just want to stress, that, let’s say, the range of deaths could be anything from 5 to 150 million.”

David Nabarro, Senior United Nations system coordinator for avian and human influenza

Needless to say, the funding for health systems can be strongly impacted by the fear of such a pandemic.  At the time that statement was made, worldwide Bird Flu deaths were slightly over 100.  Not 100 thousand, 100 – the number right after 99.

But the purpose of this post is not to disparage weather reporters or epidemiologists.  It is to caution risk managers.

Sometimes risk managers get the idea that they would be better off if everyone had more concern for risk.  They take on the role of Dr. Doom, pointing out the worst case potential in every situation.

This course of action is usually not successful. Instead of building respect for risk, the result is more often to create a steady distrust of statements from the risk manager.  The Chicken Little effect results.

Instead, the risk manager needs to focus on being painstakingly realistic in reporting about risk.  Risk is about the future, so it is impossible to get it right all of the time.  That is not the goal.  The goal should be to make reports on risk that consistently use all of the information available at the time the report is made.

And finally, a suggestion on communicating risk: risk managers need to develop a consistent language to talk about the likelihood and severity of a risk.  RISKVIEWS suggests that risk managers use three levels of likelihood:

  • Normal Volatility (as in within).  Each risk should have a range of favorable and unfavorable outcomes within the range of normal volatility.  This could mean within one standard deviation, or with a 1 in 10 likelihood. So normal volatility for the road that you drive to work might be for there to be one accident per month.
  • Realistic Disaster Scenario.  This might be the worst situation for the risk that has happened in recent memory, or it might be a believable bad scenario that hasn’t happened for risks where recent experience has been fairly benign.  For that road, two accidents in a week might be a realistic disaster.  It actually happened 5 years ago.  For the similar road that your spouse takes to work, there haven’t been any two accident weeks, but the volume of traffic is similar, so the realistic disaster scenario for that road is also two accidents in a week.
  • Worst case scenario.  This is usually not a particularly realistic scenario.  It does not mean worst case, like the sun blowing up and the end of the solar system.  It does mean something significantly worse than what you expect can happen. For the risk of car accidents on your morning commute, the worst case might be a month with 8 accidents.

So the 150 million number above for flu deaths is a worst case scenario.  As were the Great Blizzard predictions.  What actually happened was in line with normal volatility for a winter storm in those two cities.

If you, the risk manager, learn to always use language like the above, first of all, it will slow you down and make you think about what you are saying.  Eventually, your audience will get to learn what your terminology means and will be able to form their own opinion about your reliability.

And you will find that credibility for your risk reporting has a very favorable impact on your longevity and compensation as a risk manager.

 

Out of Sight can lead to Out of Mind

Posted February 12, 2015 by riskviews
Categories: Enterprise Risk Management


Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there are only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

Posted February 2, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Hedging, Reinsurance, Risk Management System


“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing too much down.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.


But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may be changed only every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document may list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

The ERM Pioneers and the Settlers – Let’s not have another range war!

Posted January 24, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Risk Management System


Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is that the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successors.

How to Show the Benefits of Risk Management

Posted January 2, 2015 by riskviews
Categories: risk assessment


From Harry Hall at www.pmsouth.com

Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?

Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.

The “before picture” and “after picture” are also a powerful way to make known the value of risk management.

We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”

Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.

Say Cheese

The first step to turning risk assessments into pictures is to assign risk levels.

Assume that a Project Manager is using a qualitative rating scale of 1 to 10, 10 being the highest, to rate Probability and Impact. The Risk Score is calculated by multiplying Probability x Impact. Here is an example of a risk table with a level of risk and the corresponding risk score range.

Level of Risk    Risk Score
Very Low         < 20
Low              21 – 39
Medium           40 – 59
High             60 – 79
Very High        > 80

Figure 1: Qualitative Risk Table

Looking Good

Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.

Figure 2: Number of Risks before Execution of Risk Response Strategies

We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.

Figure 3: Number of Risks after Execution of Risk Response Strategies

After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.

How to Illustrate Programs, Portfolios, or Enterprises

Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.

Figure 4: Number of Program risks before and after the execution of risk response strategies

Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).

Tip of the Day

When you ask team members to rate risks, it is important we specify whether the team members are assessing the “before picture” (i.e., inherent risks) or the “after picture” (i.e., residual risks) or both. Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk. Residual risks are risks remaining after strategies/actions have been taken.

Question: What types of charts or graphics do you use to illustrate the value of risk management?

New Year’s ERM Resolution – A Risk Diet Plan

Posted December 31, 2014 by riskviews
Categories: Change Risk, Control Cycle, Enterprise Risk Management


Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottage cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desperately needed to make a diet work: a common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how many calories the new food has.

The aggregate risk limit serves the exact same role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses, using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person/company to achieve optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

Posted December 29, 2014 by riskviews
Categories: Assumptions, Decision Makng, Economic Capital, Emerging Risks, Enterprise Risk Management, ERM, Modeling, ORSA, Risk, Risk Appetite, risk assessment, Risk Culture, Risk Limits, Risk Management, Stress Test, Tail Risk, Uncertainty


RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process - Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet - This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register - A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS - You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management - There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management - A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM makes it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk - A discussion of three different aspects of decision-making as practiced by top management of companies, and of how the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty - Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.
