There is insufficient evidence to support a determination of past actual frequency of remote events!

Posted November 28, 2017 by riskviews
Categories: Enterprise Risk Management

Go figure.  The Institute and Faculty of Actuaries seems to have just discovered that humans are involved in risk modeling.  Upon noticing that, they immediately issued the following warning:

RISK ALERT
MODEL MANIPULATION

KEY MESSAGE
There are a number of risks associated with the use of models:
members must exercise care when using models to ensure that the rationale for selection of a particular model is sound and, in applying that model, it is not inappropriately used solely to provide evidence to support predetermined or preferred outcomes.

They warn particularly about the deliberate manipulation of models to get the desired answer.

There are two broad reasons why a human might select a model.  In both cases, they select the model to get the answer that they want.

  1. The human might have an opinion about the correct outcome from the model.  An outcome that does not concur with their opinion is considered to be WRONG and must be corrected.  See RISKVIEWS discussion of Plural Rationality for the range of different opinions that are likely.  Humans actually do believe quite a wide range of different things.  And if we restrict the management of insurance organizations to people with a narrow range of beliefs, that will have similar results to restricting planting to a single strain of wheat.  Cheap bread most years and none in some!
  2. The human doesn’t care what the right answer might be.  They want a particular range of result to support other business objectives.  Usually these folks believe that the concern of the model – a very remote loss – is not important to the management of the business.  Note that most people work in the insurance business for 45 years or less.  So the idea that they should be concerned with a 1 in 200 year loss seems absurd to many.  If they apply a little statistics knowledge, they might say that there is an 80% chance that there will not be a 1 in 200 year loss during their career.  Their Borel point is probably closer to a 1 in 20 level, where there is a 90% chance that such a loss will happen at least once in their career.

They also suggest that there needs to be “evidence to support outcomes”.  RISKVIEWS has always wondered what evidence might support prediction of remote outcomes in the future.  For the most part, there is insufficient evidence to support a determination of past actual frequency of the same sort of remote events.  And over time things change, so past frequency isn’t always indicative of future likelihood, even if the past frequency were known.

One insurer. where management was skeptical of the whole idea of “principles based” assessment of remote losses, decided to use a two pronged approach.  For their risk management, they focused on 95th percentile, 1 in 20 year losses.  There was some hope that they could validate these values through observed data.  For their capital management, they used the rating agency standard for their desired rating level.

Banks, with their VaR approach have gone to an extreme in this regard.  Their loss horizon is in days and their calibration period is less than 2 years.  Validation is easy.  But this misses the possibility of extremes.  Banks only managed risks that had recently happened and ignored the possibility that things could get much worse, even though most risks that they were measuring went through multi year cycles of boom and bust.

At one time, banks usually used the normal distribution to extrapolate to determine the potential extreme losses.  The problem is Fat Tails.  Many, possibly all, real world risks have remote losses that are larger than what is predicted by the normal distribution.  Perhaps we should generalize and say that the normal distribution might be ok for predicting things that happen with high frequency and that are near the mean in value, but some degree of Fat Tails must be recognized to come closer to the potential for extreme losses.

For a discussion of Fat Tails and a metric for assessing them (Coefficient of Risk) try this:  Fatness of Tails in Risk Models .

What is needed to make risk measurement effective is standards for results, not moralizing about process.  The standards for results need to be stated in terms of some Tail Fatness metric such as Coefficient of Risk.  Then modelers can be challenged to either follow the standards or justify their deviations.  Can they come up with a reasonable argument of why their company’s risk has thinner tails than the standard?

 

 

Advertisements

Don’t Ignore Ashby’s Law

Posted August 16, 2017 by riskviews
Categories: Enterprise Risk Management

Many observers will claim that complex systems are inherently fragile.  Some argue for simplifying things instead.  But one of the main reasons why many man-made complex systems are fragile is that we often ignore Ashby’s Law.

Ashby’s Law is also known as the Law of Requisite Variety.  It is so powerful that it is sometimes called the first law of cybernetics.

Basically, Ashby’s Law states that to be fully effective, a control system must has as much variety as the system being controlled.  The control system must be as complex as the system being controlled.

So man-made complex systems often evolve when people decide to add more and more functionality – more variety – to existing systems.  Sometimes this includes linking up multiple complex systems.

But humans are really clever and they tend to save time and money by not bothering to even figure out what additional controls are needed to make a newly enhanced system secure.  There is often not any appreciation of how much more control is needed when two complex systems are combined.

But look at the literature regarding company mergers and acquisitions.  The literature keeps saying that the majority of this activity destroys value.  Sometimes that is because the two organizations have incompatible cultures.  Executives are becoming aware of that and activities to create a single new culture are sometimes included in post merger activity lists.

But there is an aversion to recognize that there needs to be much more spending on control systems.  Most often in a merger, there is a reduction in the amount of people assigned to internal controls, either directly or within a line function.  This is usually expected to be one of the synergies or redundancies than can be eliminated to justify the purchase price.

But in reality, if the new merged entity is more complex than the two original firms, the need for control, as expressed under Ashby’s Law, is greater than the sum of the two entities.

Merging without recognizing this means that there is an out of the money put being embedded in the merged entity.  The merged entity has lower control expenses than it should for a time.  And maybe, just maybe, it will experience major problems because of the inadequate controls.

 

Risk and Reward are not relatives

Posted July 1, 2017 by riskviews
Categories: Enterprise Risk Management

A recent report on risk management mentions near the top that risk and reward have a fundamental relationship.  But experience tells us that just is not at all true in most situations.

The first person (that RISKVIEWS can find) to comment on that relationship was the great economist Alfred Marshall:

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
1890 Principles of Economics

That seems to be a very realistic characterization of the relationship – one of hope.  But his statement has been heavily distorted through the years.  Many have come to believe that if you increase risk then you also, automatically, increase reward.  Or that if you want increased reward that you must increase risk.

Perhaps the risk reward relationship is a simple arithmetic statement.  Made by those who believe that all economic actors are rational.  And by rational, they mean that they make choices to maximize expected value.

So if all of the choices that you actively consider have a positive expected value, then those with higher risk will have to have higher rewards to keep the sum positive.  (Alternately, risks would have much lower likelihood than gains – but this hardly seems to fit in with the concept of higher risks.)

So perhaps the “relationship” between risk and reward is this:

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.

But isn’t that the rub?  Can we reliably determine risk, reward and their likelihood for most opportunities?

But then there is another issue.  For a single opportunity, the outcome will either be a loss or a gain.  If there is higher risk, the likelihood or amount of loss is higher.  So if there is higher risk, there is a higher chance of a loss or a higher chance of a larger loss.

So by definition, an opportunity with higher risk may just produce a loss. And either the likelihood or amount of that loss will, by definition, be higher.  No reward – LOSS.

Now, you can reduce the likelihood of that loss by creating a diversified portfolio of such opportunities.  And by diversified, read unrelated.

So the rule above needs to be amended…

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.  To reliably achieve a higher reward, rather than more losses, it is necessary to choose a number of these opportunities that are unrelated.  

Realize here that we are talking about Knightian risk here.  Risk where the likelihood is knowable.  For Knightian Uncertainty – where the likelihood is not knowable – this is much more difficult to achieve.  Investors and business people who realize that they are faced by Uncertainty will usually Hope for even greater gains.  They require higher potential returns.  And/or set higher prices.

The issue is that in many cases, humans will make mistakes when assessing likelihood of uncertainty, risk and reward (see Restaurant failure rate).  There are quite a number of reasons for that.  One of my favorites is survivor bias in our data of comparables (They just don’t make them like they used to).  We also overestimate our chances of success because we overrate our own capabilities.  (see Lake Wobegone, above average children).  And to achieve that portfolio diversification effect, we need to be able to also reliably assess interdependence (see mortgage interdependence, 2008).

The real world problem is that aside from lottery tickets, there are very few opportunities where the likelihood of losses is actually knowable.  So risk and reward are not necessarily related.  Except perhaps in the way that all humans are related . . . through Adam (or Lucy if you prefer).

How to manage Risk in Uncertain Times

Posted June 8, 2017 by riskviews
Categories: Enterprise Risk Management

The biologist Holling saw that natural systems went through phases.  One view of those four phases is:

  1. Rapid Growth
  2.  Controlled Growth
  3. Collapse
  4. Reorganization

The phase will usually coincide with an environment that encourages that sort of activity.  The fourth phase, Reorganization, coincides with an Uncertain environment.

Since the financial crisis of 2008, many aspects of our economies and our societies have drifted in and out of the Uncertain environment.  We have been living in an historical inflection point.  The post WWII world, both politically and economically may be coming to an end.  But no new regime has emerged to take its place.  Difficult times for making long term plans and long term commitments.

And that describes the best approach to risk management in Uncertain times.  Avoid long term  and large commitments.  Keep short term, stay diversified.  Returns will not be great that way, but losses will be small and the change of a devastating loss smaller.

Sooner or later things will clarify and we will move out of uncertainty.  But one of the things that keeps us in an uncertain stage is the way that people act as if somehow, they have a right to something more certain.  Most often they are hoping for a return to a controlled growth phase.  When the careful are rewarded modestly.  Some long for the return to the boom phase when a few are rewarded greatly.

But right now, it makes the most sense to not count on that and to accept that we will uncertainty for some time to come.

For more on Uncertainty see these posts

Keys to ERM – Adaptability

Posted April 3, 2017 by riskviews
Categories: Black Swan, Change Risk, Enterprise Risk Management, Resilience, Risk Management System

Tags: ,

keys

Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Keys to ERM – Alignment

Posted February 15, 2017 by riskviews
Categories: Enterprise Risk Management

ERM is focused on Enterprise Risks. Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute its plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a path for alignment of the risk management with the strategic objectives of the firm.

Read More about ERM Tools for Alignment at WillisTowersWatsonWire Blog.

And on RISKVIEWS with

Linking Strategy and ERM – The Final Frontier

Risk Appetite is the Boundary

Updating your Risk Register

Posted January 26, 2017 by riskviews
Categories: Enterprise Risk Management, Risk Identification

Tags: , ,

It is quite easy for an ERM program to become irrelevant.  All it takes is for it to stay the same for several years.  After just a few years, you will find that you risk management processes are focused upon the issues of several years ago.  You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing.  Some risks are become more dangerous while for others the danger is receding.  No firm anywhere has an unlimited budget for risk management.  So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register.  That is a hard message to sell.  Risk Identification is seen by most as the first baby step in initiating and ERM program.  How could a well developed, sophisticated ERM program need to go back to the first baby step.

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register.  That is because risk management is fundamentally a cycle rather than a a one way development process.  We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise.  For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.


2017’s most dangerous risks for insurers

We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”


Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.


%d bloggers like this: