Volunteer Observers Wanted

Posted October 17, 2020 by riskviews
Categories: Black Swan, Pandemic Risk


The COVID Mitigation Monitoring Project needs your eyes!

Please share what you are seeing at the

COVID OBSERVATION COLLECTOR

Here is an example of what we are learning from the Observations that we have collected.

See more at the COVID Mitigation Monitoring Project website.

Monitoring COVID Mitigation Compliance

Posted July 28, 2020 by riskviews
Categories: Black Swan, Emerging Risks, Enterprise Risk Management, Pandemic Risk, Risk Management, Swine Flu, Tail Risk


Many discussions of COVID-19 mitigation revolve around the requirements and recommendations that are made by the government.

The CDC suggests answering this question:

  • To what extent do individuals and organizations practice community mitigation strategies?

We will seek to answer that question via a questionnaire.  Right now, we have piloted that questionnaire twice with about 30 people providing observations.

[Image: grid22]

We have observations from people in the above states, which provide diverse situations regarding their COVID situation. (Here Level refers to the number of new cases per 100k from the past 14 days and Rate refers to the New Infection Rate which is the new infections from the current day as a percentage of the infections for the prior 14 days.)

Pilot Project Findings – not credible amount of data

[Image: bystate]

The above reflects the average compliance over 36 mitigation strategies.  This is a Pilot, so we are not concerning ourselves about numbers of observations but we recognize that these are not sufficient to draw any conclusions about the actual level of compliance.  Of those 36 strategies, the top 10 are:

Pilot Project Findings – not credible amount of data

[Image: Top10s]

We welcome additional observers.  We will be continuing the Pilot Project and working on getting funding to turn this into a full scale research project.

To contribute your observations follow this LINK.  We welcome both additional observers for the states above as well as observers from states where we have not yet received any observations.

Why 15% is more likely 5%

Posted May 14, 2020 by riskviews
Categories: Enterprise Risk Management

We have been hearing news reports for a week or more now that say that it is likely that COVID-19 actual infections are multiples of reported cases. This is likely true. But probably not by as much as some reports.

That is because of the expected level of false positives from the antibody tests that are being used. Let’s break this down…

Let’s focus on the New York state figures reported above. They represent that the antibody testing of 7500 people in NY State showed antibodies for 14.9% of the sample, while reported cases run about 1.5% of the population of NY State. But, as is often the case, the most important information is in the footnote. It said that these figures are not corrected for test accuracy.

Now, accuracy for the antibody tests is reported to be about 90%. So many people would read that to mean that the result is good +/- 10%.

But that is not the case at all. In fact, a news report that I heard on the local news program yesterday said that it is quite possible that more than 2/3 of the people who got an indication of antibodies present do not in fact have any antibodies! How can that be, you ask?

This result falls out of a little Bayesian thinking. Like this…

  1. Let’s assume that we have a population of 1 million people where 5% of those people or 50,000 have been infected and 950,000 have never been infected.
  2. And that we have tested them all with an antibody test that is 90% accurate.
  3. So when we test the 50,000 who were infected, the test will tell us that 90% or 45,000 have antibodies (which is correct) and that 5,000 do not (which is incorrect – the 10% error rate). So far so good.
  4. But when we come to testing the 950,000 people who have not been infected, the test will find that 85.5% or 855,000 people are antibody free (correct for 90% of tests) and that 9.5% or 95,000 people have antibodies (the 10% error).
  5. So in total, the testing told us that 45,000 + 95,000 = 140,000 people (14%) have antibodies. And that 5000 + 855,000 = 860,000 people do not. So the error rate for Positives is 95,000 / 140,000 = 67% of the positives are WRONG. Error rate for negatives is 5000/860,000 = 0.6% wrong. Not bad on the negatives.
  6. So in this example, the test told us that the rate of positives is 14%, when it is actually 5%.

So that 14.9% reported for New York State is likely to be closer to 5% if the test was 90% accurate. This is the adjustment for Test Accuracy that the footnote says was not made.

If you make a correction based on this example (which seems to almost fit the data), you get a corrected result of 5% (33% of the 14.9% reported). The 5% is still more than 3 times the reported 1.5% infection rate.
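The arithmetic in steps 1 to 6, as an added example that is not part of the original post. It reads "90% accurate" as 90% sensitivity and 90% specificity (an assumption), and goes one step beyond the post by inverting the calculation with the Rogan-Gladen estimator to recover a true rate from an observed positive rate; the function names are illustrative.

```python
"""Added example: false-positive arithmetic for a screening test.

Assumption: "90% accurate" means sensitivity = specificity = 0.90.
"""


def screen(population, prevalence, sensitivity, specificity):
    """Forward calculation: test everyone and count each outcome.

    Returns the counts plus the share of positives that are wrong
    (false discovery rate) and the share of negatives that are wrong
    (false omission rate).
    """
    infected = population * prevalence
    never_infected = population - infected

    true_pos = infected * sensitivity           # infected, test says yes
    false_neg = infected - true_pos             # infected, test says no
    true_neg = never_infected * specificity     # clean, test says no
    false_pos = never_infected - true_neg       # clean, test says yes

    positives = true_pos + false_pos
    negatives = true_neg + false_neg
    return {
        "true_pos": true_pos,
        "false_pos": false_pos,
        "true_neg": true_neg,
        "false_neg": false_neg,
        "positives": positives,
        "negatives": negatives,
        "apparent_prevalence": positives / population,
        "false_discovery_rate": false_pos / positives,
        "false_omission_rate": false_neg / negatives,
    }


def corrected_prevalence(apparent, sensitivity, specificity):
    """Inverse calculation (Rogan-Gladen estimator).

    apparent = p * sens + (1 - p) * (1 - spec), solved for p.
    The estimate is clamped to [0, 1]: an observed rate below the
    test's own false-positive rate carries no evidence of infection.
    """
    informative = sensitivity + specificity - 1.0
    if informative <= 0:
        raise ValueError("test is no better than a coin flip")
    estimate = (apparent + specificity - 1.0) / informative
    return min(1.0, max(0.0, estimate))


if __name__ == "__main__":
    # The post's worked population: 1 million people, 5% infected.
    r = screen(1_000_000, 0.05, 0.90, 0.90)
    print(f"positives reported : {r['positives']:,.0f} "
          f"({r['apparent_prevalence']:.1%})")
    print(f"positives WRONG    : {r['false_discovery_rate']:.1%}")
    print(f"negatives wrong    : {r['false_omission_rate']:.1%}")

    # Inverting the New York figure under different accuracy assumptions
    # shows how strongly the correction depends on specificity.
    for spec in (0.90, 0.95, 0.99):
        p = corrected_prevalence(0.149, 0.90, spec)
        print(f"observed 14.9%, specificity {spec:.0%} -> corrected {p:.1%}")
```

With 90%/90% the exact inversion of 14.9% is about 6.1%; the correction shrinks quickly as specificity improves, which is why the footnote about test accuracy matters so much.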

The Smell Test

This result is more consistent with reported statistics from China, where they report that about 50% of the cases are asymptomatic or have common-cold-like symptoms. People like that are unlikely to have been tested in New York when tests were in short supply. Of the other 50% who showed symptoms, China reported that about a third (15%) required treatment and a tenth (5%, included in the 15%) required treatment in an ICU. So if NY State was capturing all of the 15% who needed hospital care and three quarters of the other people with symptoms with testing, then 30% of the cases would be reported, as the 5%/1.5% ratio would indicate.

The 15% rate indicated by the test results without correction would suggest that either the disease is much milder in the US than in China or that NY State was not capturing more than 2/3 of 15% of the infections needing hospitalizations and none of the people with clear symptoms who did not go to the hospital. That just doesn’t seem likely to me.

So, to me the idea that 15% is more likely 5% passes my smell test.

What do you think?

Is S@H Worth It?

Posted April 26, 2020 by riskviews
Categories: Enterprise Risk Management

Colin Van Dervort / CC BY (https://creativecommons.org/licenses/by/2.0)

It has been about a month since the US started Stay at Home (S@H) policies. Some people are wondering whether it has been worth it.

Here is a little thought exercise. At the end, you tell me if you think that it is worth it.

So if you think about it that way, is S@H worth it?

And if you can follow that story, then we can take it into May. Since we are looking at exponential curves, these numbers will keep diverging sharply. In another 20 days, if we can keep actual COVID-19 case growth at 3.5% or lower, we will go from about 40 to 80 cases per 100,000. And the 10% projection will double 3 times from about 90 to 650 per 100,000. That would be a 44 MILLION difference in infections and a 3 MILLION difference in deaths. By 15 May!

Agility: How to Navigate the Unknown and Seize Opportunity in a World of Disruption

Posted October 16, 2019 by riskviews
Categories: Enterprise Risk Management

As far as I can tell, risk management as a business practice is pretty well embedded now, more than a decade after the Great Recession. But it appears to be more of a cost of doing business that is required by boards, regulators and rating agencies rather than as a boon to management of businesses.  It is usually focused almost entirely on negative outcomes and insists on using its own language that is not even slightly close to the language used by top management in discussions of strategy for the firm.

When we overestimate our overall capacity, tangible and intangible, in relation to risk, we endanger our performance and even survival.

At the same time, there are continual examples of strategic failures, failures that you could imagine could be avoided with some risk management thinking.  (Stories like Kodak’s failure to develop a realistic vision of the coming impact of digital photography to its film business or Blockbuster’s failure to understand the threat from Netflix’s internet based business model.)

A new book, Agility, by Leo Tillman and General Charles Jacoby (ret.) suggests that we can enjoy the benefits of linking risk management to strategy by becoming . . . Agile.  The book provides stories, both from businessman Tillman and military man Jacoby to illustrate the pitfalls of operating without Agility and the benefits of operating with. 

Vital to an effective process for achieving agility is that it is not defined or operationalized in a rigid, one-size-fits-all way.

I think of their ideas as emanating from the realization that because we usually operate in a competitive environment, even the simplest of plans can be wrecked by unexpected reactions of those competitors.

My sense of Agility, after reading this book, is that it is a sort of continual restlessness, of never being satisfied that everything is running as well as it could and of not feeling completely safe from harm either. Always ready to change course to gain more advantage or to steer away from danger that was recently not even in sight.  Tillman and Jacoby give the example of the football running back who might change course at any time to find daylight or to avoid a tackler. 

Few plans survive contact with reality because our assumptions turn out to be incorrect, our adversaries act in unforeseen ways, or because our actions set in motion a multitude of forces that change the operating landscape itself.

They say that Agility has three components: risk intelligence, bias towards action and flexibility.  Risk intelligence involves a forward-looking unbiased assessment of risks and opportunities associated with the risks.  Tillman has written previously about risk intelligence. Bias towards action seems to be clearest in the military context. It is easy to imagine that a military unit that experienced analysis paralysis would not be long for the world. Flexibility is the ability not just to change plans but to execute the new plans well. That last item is probably the most difficult item here. It is one thing to assemble a team who can do a good job executing a pre-planned task, but another much more difficult task to create a group who are willing and able to change their goals and objectives significantly and who will proceed to deliver on those plans.  But while difficult, Tillman and Jacoby point out that it is an almost essential ability for an organization that expects to persist in the long run.

Adopting the agility mindset fundamentally transforms this perspective, turning a nice-to-have “luxury” into a mission-critical priority.

The agility mindset does not view risk as either inherently positive or negative. Instead, as alluded to earlier, it considers risks indispensable arrows in the quivers of decision makers. If we detect and assess environmental changes adroitly, these arrows enable us to both dynamically manage our portfolios of risks and alter our adversaries’ risk equations.

We fly blind when we do not fully understand our portfolio of risks, its role in our business model or its connection to our operating landscape.

While the premise of this book is well founded and well explained, the thing that really makes the book stand out is the inclusion of the military examples to show how each of the points that they make are supportable not only by Tillman’s business examples but also in the military sphere.  Examples include Napoleon at the Battle of Borodino with the concept of risk intelligence, the invasion of Afghanistan and Iraq illustrating execution and the Normandy invasion to illustrate the entire concept of a combination of strategic and operational agility.

Risk Intelligence III

Posted March 21, 2019 by riskviews
Categories: Enterprise Risk Management

Risk Intelligence Definition: A general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience in matters involving risk and uncertainty. It is not merely book learning, nor is it primarily about a gut feel for risk. Rather, it reflects a broader and deeper capability for comprehending risk and uncertainty in our surroundings—”catching on,” “making sense” of things, or “figuring out” what to do in the face of both presenting and emerging risks.*

In an earlier post, RISKVIEWS told of the capabilities of the Risk Intelligent.  To acquire capabilities, one must start with beliefs that (a) there is a need for such capabilities and (b) that such capabilities can be effective in satisfying the need. Common Beliefs of the Risk Intelligent that led them to acquire their capabilities:

  • The world is dangerous enough that we are motivated to control risks, and also predictable enough that systematic management and exploitation of risk can be worthwhile.
  • The characteristics of risks will drift over time (and occasionally jump unexpectedly) requiring constant vigilance to adapt risk exploitation and management processes.
  • Preferences for risk and reward are asymmetrical: the aversion to a large potential loss is always higher than the preference for the same sized potential gain
  • Opportunities for profit via risk-taking exist because firms can find opportunities to exploit risks that the market has mispriced, and/or opportunities to exploit diversification effects
  • It is bad for organizations to fail, so risk management objectives should be a part of all company strategies and should involve the company’s CEO and board of directors
  • Risks can and should be measured; this measurement is a technical exercise that requires expertise
  • Management of risk requires diligent attention to any choices to accept risks and actions to mitigate or transfer risk; more significant risk decisions should be approved at more senior levels of the company hierarchy
These beliefs differ from standard economics beliefs.
As RISKVIEWS said in another post, the capabilities are gained via Education, Experience and Analysis.  The next several posts on this topic will explore each of those paths separately.  After that, RISKVIEWS will come back to the beliefs and discuss how they come about.

*It turns out that there are almost as many definitions of intelligence as there are psychologists.  But on one day in 1994, almost 50 agreed with this definition, put forward by Linda Gottfredson:

Intelligence: A very general mental capability that, among other things, involves the ability to reason, plan, solve problems, think abstractly, comprehend complex ideas, learn quickly and learn from experience. It is not merely book learning, a narrow academic skill, or test-taking smarts. Rather, it reflects a broader and deeper capability for comprehending our surroundings—”catching on,” “making sense” of things, or “figuring out” what to do.

As you can see, RISKVIEWS based our definition of Risk Intelligence on this wording.

Risk Intelligence IV

Posted March 20, 2019 by riskviews
Categories: Decision Makng, Enterprise Risk Management, Execution Risk, Risk Culture, Risk Learning


Overcoming Biases

In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases.  Here are some specifics…

Biases

  • Anchoring – too much reliance on first experience
  • Availability – overestimate likelihood of events that readily come to mind
  • Confirmation Bias – look for information that confirms bias
  • Endowment effect – overvalue what you already have
  • Framing effect – conclusion depends on how the question is phrased
  • Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
  • Hindsight bias – things seem to be predictable after they happen
  • Illusion of control – overestimate degree of control over events
  • Overconfidence – believe own answers are more correct
  • Status Quo bias – Expect things to stay the same
  • Survivorship bias – only look at the people who finished a process, not all who started
  • Ostrich Effect – Ignore negative information

Each of Education, Experience and Analysis should reduce all of these.

Experience should provide the feedback that most of these ideas are simply wrong.  The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time.  So learning to identify and avoid these biases through experience has had limited testing.

Education for a risk manager should simply mention all of these biases directly and their adverse consequences.  Many risk managers receiving that education will ever after seek to avoid making those mistakes.

But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.

Analysis may provide the information to convince  some of these remaining holdouts.  Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.

So there may still be some people who even in the face of:

  • Experience of less than optimal outcomes
  • Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
  • Analysis that provides numerical back-up for unbiased decision making

will still want to trust their own gut to make decisions regarding risk.

You can probably weed out those folks in hiring.

2019 Most Dangerous Risks

Posted March 1, 2019 by riskviews
Categories: Enterprise Risk Management, Risk


For 2019, a new poll of 180 insurance executives ranks four out of five of last year’s top risks again in the top 5.

See more details at https://blog.willis.com/2019/02/2019-most-dangerous-risks-to-insurers/ 

 

Risk Intelligence II

Posted February 28, 2019 by riskviews
Categories: Enterprise Risk Management


Somehow it worked.

Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.

They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.

But I think that you could do the same thing with long division. Certainly with calculus. Compare answers of rubes on the sidewalk to math PhDs on a bunch of math questions and how well do you think the rubes would do?

Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.

I am sure that no-one with any Risk Intelligence would have bet against that finding.

Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.

But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.

Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.

And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.

Their conclusion could have been that many of us need basic financial and risk education, better understanding of how to accumulate helpful experiences and some basic analytical skills. Not as much fun as a long list of cutely named biases, but much more helpful.

Risk Intelligence I

Posted February 24, 2019 by riskviews
Categories: Enterprise Risk Management

Risk Intelligence is what you need to make astute decisions about risks that confront you.

With Risk Intelligence you will be able to:

  • know when something is risky
  • know how to systematically determine parameters of risk
  • Assess Danger from a Risk – and not be unduly swayed by Fear of that Risk
  • understand that those parameters do not fully define a risk. They identify a point on a gain and loss continuum
  • identify the handful of risks that make up 90% of the risk profile (key risks)
  • understand the mechanisms that the company uses to maintain a consistent rate of risk for each key risk, help to make sure that those mechanisms are maintained, and only expect that there will be deliberately agreed changes to the rate of risk for any key risk.
  • understand risk/reward analysis and cost/benefit analysis where the trade-offs are often a certain reduction in earnings vs. an uncertain reduction in future losses
  • discern when to trade short term certain gains for longer term uncertain but larger gains under conditions that could be repeated indefinitely for a tangible long term gain.
  • be aware of which risks the company is exploiting because they have the expertise and opportunity to make a good profit for the amount of risk taken and are able to notice when the opportunity to exploit has passed.
  • be aware of which risks the company is accepting and carefully managing to achieve a reasonable profit while avoiding unacceptable losses.
  • be aware of the risks that are unavoidable but that create little or no profits and that should be minimized at an acceptable cost.
  • Understand that people are generally optimistic and need to test plans against alternate future scenarios

Most Dangerous Risks

Posted July 31, 2018 by riskviews
Categories: Enterprise Risk Management, Risk Identification

The short story “The Most Dangerous Game” has always fascinated. Wikipedia lists dozens of adaptations for Radio, Movies and TV.  The story is about the most dangerous quarry for a hunter.

Insurers are not hunters, they do not exactly seek out risk.  Well, maybe they do seek risks. But insurers should be aware that some risks are more dangerous than others.

In late 2017, RISKVIEWS polled 200 insurance executives and they provided their opinion of how to rank a long list of risks that threaten insurers.  The polling software, found at allourideas.com, asks participants to rank pairs of items and uses a complex algorithm to create a ranking of the entire list.  These 200 executives, on the average, chose to rank about 80 pairs making a total of over 16,000 rankings performed.

The results were published on the web here.  The Top 10 risks were:

1 Cybersecurity & Cybercrime
2 IT/Systems & Tech Gap
3 Strategic Direction & Opportunities Missed
4 Pricing & Product Line Profit
5 Runaway frequency or severity of claims
6 Disruptive Technology
7 Customer needs not served by traditional approaches
8 Emerging Risks
9 Competition
10 Underwriting

And in mid 2018, RISKVIEWS looked around to find out what news there had been regarding each of the top risks and published the findings here.

A race between a motorcycle and a wheelbarrow

Posted May 2, 2018 by riskviews
Categories: Risk


Behavioral Finance / Behavioral Economics (BF for short) says that in general folks do a poor job of decision-making related to risk and finance.  There is quite a lot of analysis of systematic errors that their experimental subjects have been found to make.

In general, people are found to make IRRATIONAL choices.  RATIONAL choices are defined to be the choices that economists have found to be the best.  (The best in the world specified by the economists – not necessarily in the world that people actually live in.  But that is the subject for a different and long essay.)

This work is highly regarded and widely studied and quoted.  Kahneman and Smith received a Nobel Prize for the original development of BF in 2002 and Thaler received a Nobel prize for his advancements in the field in 2017.

But does it actually make sense?  As they pose the issue, it seems to.  But take a step back.  They are comparing economic decisions made by an economist to decisions made by folks with no training in economics.  If they follow the general protocols of psychology, they would have looked for subjects with the least amount of knowledge of finance and risk.

So should it be a surprise that the studied population did not do well in their study?  That they made systematic errors?

Imagine if you had a group of adults who had never been exposed to multiplication.  And you gave them a simple multiplication test.  Their answers would be compared to a group of math PhDs.  So for the most part, they would have been guessing at the answers to the questions.  If asked, they might well have felt good about their answers to some or all of the questions.  But it is highly likely that they would be wrong.

From this experiment, it would be concluded that people cannot answer multiplication problems.  The study might progress further and start to look at word problems, including word problems that represent everyday situations where multiplication is vital to getting by.  Oh no, people are found to be poor at this as well.

But the solution is not some grand theory about how people are flawed regarding multiplication.  The solution is math education!!!

On risk and finance, our society takes the position that in general we will not instruct people.  That the best way to learn risk is via experience.  And the best way to learn about finance is from a payday lender or a credit card past due debt collector.


Economists generally have PhDs.  And their course of study includes both risk and finance.  One topic, for example, is the math of finance.  Taught within that topic are many of the approaches to financial decision making that BF has found that people make IRRATIONALLY.  Another course that is generally required of economics PhDs is statistics.  One of the ideas usually covered in statistics is risk.  Even an introductory statistics course provides much more knowledge of risk than is needed to answer the BF questions.  So economists have had systematic instruction that allows them to give the RATIONAL answers to the BF questions.

A side note – the idea of RATIONAL used in BF is consistent with Utility Maximization – an economics theory that was first fully developed in 1947.  So even some economists might have failed the BF questions prior to that.

So instead of the conclusions reached by BF, RISKVIEWS would suggest a very simple alternative:

Teach people about Risk and Finance!

Did the Three Pigs have different Risk Tolerances?

Posted March 21, 2018 by riskviews
Categories: Enterprise Risk Management, Risk Appetite


Or did they just have a different view of the degree of risk in their environment?

Image: 3 Pigs, by Alex Proimos from Sydney, Australia – Three Little Pigs

Think about it.  Is there any evidence that the first pig, whose house was made of straw, was fine with the idea of losing his house?  Not really.  More likely, he thought that the world was totally benign.  He thought that there was no way that his straw house wouldn’t be there tomorrow and the next day.  He was not tolerant of the risk of losing his house.  He just didn’t think it would happen.  But he was wrong.  It could and did happen.

The second pig used sticks instead of straw.  Did that mean that the second pig had less tolerance for risk than the first pig?  Probably not.  The second pig probably thought that a house of sticks was sturdy enough to withstand whatever the world would send against it.  This pig thought that the world was more dangerous than the first pig.  He needed sticks, rather than straw to make the house sturdy enough to last.  He also was wrong.  Sticks were not enough either.

That third pig has a house of bricks.  That probably cost much more than sticks or straw and took longer to build as well.  The third pig thought that the world was pretty dangerous for houses.  And he was right.  Bricks were sturdy enough to survive.  At least on the day that the wolf came by.

The problem here was not risk tolerance, but inappropriate parameters for the risk models of the first two pigs.  When they parameterized their models, the first pig probably put down zero for the number of wolves in the area.  After all, the first pig had never ever seen a wolf.  The second pig, may have put down 1 wolf, but when he went to enter the parameter for how hard could the wolf blow, he put down “not very hard”.  He had not seen a wolf either.  But he had heard of wolves.  He didn’t know about the wind speed of a full on wolf huff and puff.  His model told him that sticks could withstand whatever a wolf could do to his house.  When the third pig built his risk model, he answered that there were “many” wolves around.  And when he filled in the parameter for how hard the wolf could blow, he put “very”.  When he was a wee tiny pig, he had seen a wolf blow down a house built of sticks that had a straw roof.  He was afraid of wolves for a reason.

 

 

Too Much Logic

Posted March 13, 2018 by riskviews
Categories: Change Risk, Enterprise Risk Management, Risk Appetite


Someone recently told RISKVIEWS that before a company could start a project to revitalize their risk governance structures they MUST update their Risk Appetite and Tolerance.  Because everything in an ERM program flows from Risk Appetite and Tolerance.  That suggestion is likely to be too much logic to succeed.

What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:

  1. The update project will never be completed.
  2. The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.

An organization will make a change when the pain of continuing on the existing course exceeds the pain of change.  (paraphrased from Edgar Schein)

So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.

So you can think of the ERM program as the combination of several subsystems:

  • Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
  • Measurement – the models and other methods used to measure risk
  • Selection, Mitigation and Control – the processes that make up the every day activities of ERM
  • Capital Management – the processes that control aggregate risk including the ORSA.
  • Risk Reward Management – the processes that relate risk to prices and profits

When management of an organization is dissatisfied enough with any one of these sub systems, then they should undertake to revise/replace/improve those sub systems.

These sub systems are highly interconnected, so an improvement to one sub system is likely to increase dissatisfaction with another sub system.

For example, suppose the Governance sub system is not working: people are not fulfilling their ERM related responsibilities, which they may not really understand.  When this sub system is set right, people are aware of their ERM responsibilities and then they find out that some of the other sub systems do not provide sufficient support for them.  They get dissatisfied and urge an upgrade to another sub system.  And so on.

This might well result in a very different order for updating an ERM program than the logical order.

However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.

Wave. By Malene Thyssen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=651071

There is insufficient evidence to support a determination of past actual frequency of remote events!

Posted November 28, 2017 by riskviews
Categories: Enterprise Risk Management

Go figure.  The Institute and Faculty of Actuaries seems to have just discovered that humans are involved in risk modeling.  Upon noticing that, they immediately issued the following warning:

RISK ALERT
MODEL MANIPULATION

KEY MESSAGE
There are a number of risks associated with the use of models:
members must exercise care when using models to ensure that the rationale for selection of a particular model is sound and, in applying that model, it is not inappropriately used solely to provide evidence to support predetermined or preferred outcomes.

They warn particularly about the deliberate manipulation of models to get the desired answer.

There are two broad reasons why a human might select a model.  In both cases, they select the model to get the answer that they want.

  1. The human might have an opinion about the correct outcome from the model.  An outcome that does not concur with their opinion is considered to be WRONG and must be corrected.  See RISKVIEWS discussion of Plural Rationality for the range of different opinions that are likely.  Humans actually do believe quite a wide range of different things.  And if we restrict the management of insurance organizations to people with a narrow range of beliefs, that will have similar results to restricting planting to a single strain of wheat.  Cheap bread most years and none in some!
  2. The human doesn’t care what the right answer might be.  They want a particular range of result to support other business objectives.  Usually these folks believe that the concern of the model – a very remote loss – is not important to the management of the business.  Note that most people work in the insurance business for 45 years or less.  So the idea that they should be concerned with a 1 in 200 year loss seems absurd to many.  If they apply a little statistics knowledge, they might say that there is an 80% chance that there will not be a 1 in 200 year loss during their career.  Their Borel point is probably closer to a 1 in 20 level, where there is a 90% chance that such a loss will happen at least once in their career.

They also suggest that there needs to be “evidence to support outcomes”.  RISKVIEWS has always wondered what evidence might support prediction of remote outcomes in the future.  For the most part, there is insufficient evidence to support a determination of past actual frequency of the same sort of remote events.  And over time things change, so past frequency isn’t always indicative of future likelihood, even if the past frequency were known.

One insurer, where management was skeptical of the whole idea of “principles based” assessment of remote losses, decided to use a two pronged approach.  For their risk management, they focused on 95th percentile, 1 in 20 year losses.  There was some hope that they could validate these values through observed data.  For their capital management, they used the rating agency standard for their desired rating level.

Banks, with their VaR approach, have gone to an extreme in this regard.  Their loss horizon is in days and their calibration period is less than 2 years.  Validation is easy.  But this misses the possibility of extremes.  Banks only managed risks that had recently happened and ignored the possibility that things could get much worse, even though most risks that they were measuring went through multi year cycles of boom and bust.

At one time, banks usually used the normal distribution to extrapolate to determine the potential extreme losses.  The problem is Fat Tails.  Many, possibly all, real world risks have remote losses that are larger than what is predicted by the normal distribution.  Perhaps we should generalize and say that the normal distribution might be ok for predicting things that happen with high frequency and that are near the mean in value, but some degree of Fat Tails must be recognized to come closer to the potential for extreme losses.
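The career-horizon figures and the normal-versus-fat-tail extrapolation discussed above, worked through as an added example (not code from RISKVIEWS). The mean loss of 100, the 1-in-20 loss of 150, the Pareto tail with its index `alpha`, and all function names are constructed assumptions for illustration.

```python
from statistics import NormalDist

CAREER_YEARS = 45   # career length used in the post
ANCHOR_PERIOD = 20  # the 1-in-20 level that can plausibly be validated


def prob_at_least_one(return_period_years, horizon_years=CAREER_YEARS):
    """Chance that a 1-in-N-year loss occurs at least once in the horizon,
    assuming independent years with annual probability 1/N."""
    annual = 1.0 / return_period_years
    return 1.0 - (1.0 - annual) ** horizon_years


def normal_loss(mean, loss_1_in_20, return_period_years):
    """Fit a normal distribution to the mean and the 1-in-20 loss, then
    extrapolate to the loss at a longer return period."""
    z_anchor = NormalDist().inv_cdf(1.0 - 1.0 / ANCHOR_PERIOD)
    sigma = (loss_1_in_20 - mean) / z_anchor
    z_target = NormalDist().inv_cdf(1.0 - 1.0 / return_period_years)
    return mean + sigma * z_target


def pareto_tail_loss(loss_1_in_20, return_period_years, alpha):
    """Same 1-in-20 anchor, but with a power-law tail beyond it:
    P(L > x) = (1/20) * (x / loss_1_in_20) ** -alpha.
    Smaller alpha means a fatter tail."""
    if return_period_years < ANCHOR_PERIOD:
        raise ValueError("tail model is only defined beyond the 1-in-20 anchor")
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    ratio = return_period_years / ANCHOR_PERIOD
    return loss_1_in_20 * ratio ** (1.0 / alpha)


def compare_tails(mean=100.0, loss_1_in_20=150.0, return_period_years=200,
                  alphas=(2.0, 3.0, 4.0)):
    """1-in-200 loss under each tail assumption, all sharing one 1-in-20 loss."""
    rows = {"normal": normal_loss(mean, loss_1_in_20, return_period_years)}
    for alpha in alphas:
        rows[f"pareto alpha={alpha:g}"] = pareto_tail_loss(
            loss_1_in_20, return_period_years, alpha)
    return rows


if __name__ == "__main__":
    for period in (200, 20):
        p = prob_at_least_one(period)
        print(f"1-in-{period} loss, at least once in {CAREER_YEARS} years: {p:.1%}")
    for label, loss in compare_tails().items():
        print(f"1-in-200 loss, {label}: {loss:.0f}")
```

Every model here agrees on the 1-in-20 loss, so validating at that level cannot tell them apart; they only separate at the remote return period.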

For a discussion of Fat Tails and a metric for assessing them (Coefficient of Risk) try this: Fatness of Tails in Risk Models.

What is needed to make risk measurement effective is standards for results, not moralizing about process.  The standards for results need to be stated in terms of some Tail Fatness metric such as Coefficient of Risk.  Then modelers can be challenged to either follow the standards or justify their deviations.  Can they come up with a reasonable argument of why their company’s risk has thinner tails than the standard?

 

 

Don’t Ignore Ashby’s Law

Posted August 16, 2017 by riskviews
Categories: Enterprise Risk Management

Many observers will claim that complex systems are inherently fragile.  Some argue for simplifying things instead.  But one of the main reasons why many man-made complex systems are fragile is that we often ignore Ashby’s Law.

Ashby’s Law is also known as the Law of Requisite Variety.  It is so powerful that it is sometimes called the first law of cybernetics.

Basically, Ashby’s Law states that to be fully effective, a control system must have as much variety as the system being controlled.  The control system must be as complex as the system being controlled.

So man-made complex systems often evolve when people decide to add more and more functionality – more variety – to existing systems.  Sometimes this includes linking up multiple complex systems.

But humans are really clever and they tend to save time and money by not bothering to even figure out what additional controls are needed to make a newly enhanced system secure.  There is often not any appreciation of how much more control is needed when two complex systems are combined.

But look at the literature regarding company mergers and acquisitions.  The literature keeps saying that the majority of this activity destroys value.  Sometimes that is because the two organizations have incompatible cultures.  Executives are becoming aware of that and activities to create a single new culture are sometimes included in post merger activity lists.

But there is an aversion to recognize that there needs to be much more spending on control systems.  Most often in a merger, there is a reduction in the number of people assigned to internal controls, either directly or within a line function.  This is usually expected to be one of the synergies or redundancies that can be eliminated to justify the purchase price.

But in reality, if the new merged entity is more complex than the two original firms, the need for control, as expressed under Ashby’s Law, is greater than the sum of the two entities.

Merging without recognizing this means that there is an out of the money put being embedded in the merged entity.  The merged entity has lower control expenses than it should for a time.  And maybe, just maybe, it will experience major problems because of the inadequate controls.

 

Risk and Reward are not relatives

Posted July 1, 2017 by riskviews
Categories: Enterprise Risk Management

A recent report on risk management mentions near the top that risk and reward have a fundamental relationship.  But experience tells us that just is not at all true in most situations.

The first person (that RISKVIEWS can find) to comment on that relationship was the great economist Alfred Marshall:

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
1890 Principles of Economics

That seems to be a very realistic characterization of the relationship – one of hope.  But his statement has been heavily distorted through the years.  Many have come to believe that if you increase risk then you also, automatically, increase reward.  Or that if you want increased reward that you must increase risk.

Perhaps the risk reward relationship is a simple arithmetic statement.  Made by those who believe that all economic actors are rational.  And by rational, they mean that they make choices to maximize expected value.

So if all of the choices that you actively consider have a positive expected value, then those with higher risk will have to have higher rewards to keep the sum positive.  (Alternately, risks would have much lower likelihood than gains – but this hardly seems to fit in with the concept of higher risks.)

So perhaps the “relationship” between risk and reward is this:

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.

But isn’t that the rub?  Can we reliably determine risk, reward and their likelihood for most opportunities?

But then there is another issue.  For a single opportunity, the outcome will either be a loss or a gain.  If there is higher risk, the likelihood or amount of loss is higher.  So if there is higher risk, there is a higher chance of a loss or a higher chance of a larger loss.

So by definition, an opportunity with higher risk may just produce a loss. And either the likelihood or amount of that loss will, by definition, be higher.  No reward – LOSS.

Now, you can reduce the likelihood of that loss by creating a diversified portfolio of such opportunities.  And by diversified, read unrelated.

So the rule above needs to be amended…

For opportunities where the risk and reward can be reliably determined in both amount and likelihood, then among those opportunities with a positive expected value, those with higher risk will have higher reward.  To reliably achieve a higher reward, rather than more losses, it is necessary to choose a number of these opportunities that are unrelated.  

Realize that we are talking about Knightian risk here.  Risk where the likelihood is knowable.  For Knightian Uncertainty – where the likelihood is not knowable – this is much more difficult to achieve.  Investors and business people who realize that they are faced by Uncertainty will usually Hope for even greater gains.  They require higher potential returns.  And/or set higher prices.

The issue is that in many cases, humans will make mistakes when assessing likelihood of uncertainty, risk and reward (see Restaurant failure rate).  There are quite a number of reasons for that.  One of my favorites is survivor bias in our data of comparables (They just don’t make them like they used to).  We also overestimate our chances of success because we overrate our own capabilities (see Lake Wobegon, above average children).  And to achieve that portfolio diversification effect, we need to be able to also reliably assess interdependence (see mortgage interdependence, 2008).

The real world problem is that aside from lottery tickets, there are very few opportunities where the likelihood of losses is actually knowable.  So risk and reward are not necessarily related.  Except perhaps in the way that all humans are related . . . through Adam (or Lucy if you prefer).

How to manage Risk in Uncertain Times

Posted June 8, 2017 by riskviews
Categories: Enterprise Risk Management

The biologist Holling saw that natural systems went through phases.  One view of those four phases is:

  1. Rapid Growth
  2. Controlled Growth
  3. Collapse
  4. Reorganization

The phase will usually coincide with an environment that encourages that sort of activity.  The fourth phase, Reorganization, coincides with an Uncertain environment.

Since the financial crisis of 2008, many aspects of our economies and our societies have drifted in and out of the Uncertain environment.  We have been living in an historical inflection point.  The post WWII world, both politically and economically may be coming to an end.  But no new regime has emerged to take its place.  Difficult times for making long term plans and long term commitments.

And that describes the best approach to risk management in Uncertain times.  Avoid long term and large commitments.  Keep short term, stay diversified.  Returns will not be great that way, but losses will be small and the chance of a devastating loss smaller.

Sooner or later things will clarify and we will move out of uncertainty.  But one of the things that keeps us in an uncertain stage is the way that people act as if somehow, they have a right to something more certain.  Most often they are hoping for a return to a controlled growth phase.  When the careful are rewarded modestly.  Some long for the return to the boom phase when a few are rewarded greatly.

But right now, it makes the most sense to not count on that and to accept that we will have uncertainty for some time to come.

For more on Uncertainty see these posts

Keys to ERM – Adaptability

Posted April 3, 2017 by riskviews
Categories: Black Swan, Change Risk, Enterprise Risk Management, Resilience, Risk Management System


Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Keys to ERM – Alignment

Posted February 15, 2017 by riskviews
Categories: Enterprise Risk Management

ERM is focused on Enterprise Risks. Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute its plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a path for alignment of the risk management with the strategic objectives of the firm.

Read More about ERM Tools for Alignment at WillisTowersWatsonWire Blog.

And on RISKVIEWS with

Linking Strategy and ERM – The Final Frontier

Risk Appetite is the Boundary

Updating your Risk Register

Posted January 26, 2017 by riskviews
Categories: Enterprise Risk Management, Risk Identification


It is quite easy for an ERM program to become irrelevant.  All it takes is for it to stay the same for several years.  After just a few years, you will find that your risk management processes are focused upon the issues of several years ago.  You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing.  Some risks are becoming more dangerous while for others the danger is receding.  No firm anywhere has an unlimited budget for risk management.  So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register.  That is a hard message to sell.  Risk Identification is seen by most as the first baby step in initiating an ERM program.  How could a well developed, sophisticated ERM program need to go back to the first baby step?

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register.  That is because risk management is fundamentally a cycle rather than a one way development process.  We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise.  For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.


2017’s most dangerous risks for insurers

We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”


Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.

Keys to ERM – Discipline

Posted January 11, 2017 by riskviews
Categories: Enterprise Risk Management


There are four keys to ERM – The second is Discipline

Discipline is tightly linked with Transparency, another Key to ERM.  Transparency helps to encourage and enforce Discipline.

There are three ways that Discipline is Key to ERM.

Enterprise risk management brings discipline to the mitigation of individual risks and to aggregate risk management, and it also promotes a disciplined commitment to a comprehensive approach to risk management.

Enterprise risk management brings the discipline to risk management by making explicit plans for managing risk and then following up, checking on the execution of those plans, and reporting the results of those checks. To some, this seems like lots and lots of needless redundancy, but they miss the point. Discipline makes risk management reliable instead of being another wild card in an uncertain world.

ERM encourages insurers to clearly state their approach to risk as well as the amount and types of risks that they will accept. Clear and coherent communication is an often-underappreciated discipline that is much more difficult than it appears. ERM provides a script and outline that makes it easier to speak clearly about risk and risk management.

ERM always starts with a risk identification and prioritization step, so that while all risks are considered, time and resources are used wisely by focusing only on the most significant risks.

Discipline is unlikely to be maintained in secret. Because of Transparency, it is easily and widely known when Discipline falters.  Insurers that want to have an effective and Disciplined ERM program will have both Discipline AND Transparency.

This is an excerpt from Discipline is key to ERM on the WTW Wire Blog.

Keys to ERM – Transparency

Posted November 16, 2016 by riskviews
Categories: Enterprise Risk Management


There are four keys to ERM.  The first is Transparency.

In traditional risk management situations, the degree to which risk is tightly controlled or loosely allowed is often a personal decision made by the middle manager who “inherited” the responsibility for a particular risk. That person may make the best decision based on full knowledge of the nature of the risk and the availability and cost of mitigation of the risk, or they might just choose an approach based on poor or even inaccurate information because that is the best that they can find with the time they can spare.

Enterprise risk management (ERM) is a commitment to executive and board attention to the important risks of the firm. In a fully realized ERM, the risk profile of the firm and the plans to change or maintain that profile from one year to the next—while exploiting, managing, limiting or avoiding various risks in ways that are tied to the firm’s  strategy—are shared among the management team and with the board.

In the best programs, the risk profile and risk plans are not only shared, they are a topic of debate and challenge. These firms realize that a dollar of profit usually has the exact same value as a dollar of loss, so they conclude that risk management, well-chosen and executed, can be as important to success as marketing.

A clever math student may be able to just write down the answer, but teachers often insist that students show their work to get credit.

Take-Away:
“Show your work” is the idea of ERM
Show steps of and thinking behind risk management process.
Helps others understand intent and determine whether objectives are being met.

More about Transparency about risk and risk management and how it is important to executive management, to the board and to middle managers on Willis Towers Watson Wire.

Who is interested in ERM?

Posted October 20, 2016 by riskviews
Categories: Enterprise Risk Management

[Image: enterprise-rm-map]

The map above is from Google Trends.  It shows the frequency of Google searches for the term ERM over the past year.  Darker blue means more searches.  No blue means no searches.

 

You can interpret the 12 states with no searches two ways:

  • Folks in these states already know enough about ERM and have no need to search for more.
  • Folks in these states have no interest in ERM.

Either way, an interesting map.

Risk Trajectory – Do you know which way your risk is headed?

Posted July 25, 2016 by riskviews
Categories: Enterprise Risk Management, Risk Appetite, Risk Environment, Risk Management System


[Image: Arrows]

Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bear risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a business's risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (e.g. 1 in 200 years)
  2. Your capacity to bear risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

 

Linking Strategy and ERM – The Final Frontier

Posted July 19, 2016 by riskviews
Categories: Enterprise Risk Management

4 steps to linking strategy and ERM

Many organizations have used the concepts and practices of Enterprise Risk Management to improve the control of their major risks. If applied properly, ERM will improve the transparency and discipline of risk management.  With a risk management regime that is transparent and disciplined, management should begin to notice whether it is aligned with company objectives…whether it is linked with strategy.  When linked with strategy, ERM can act like the crew on a catamaran who lean against the tilt of the boat in heavy wind.  Or to use another nautical analogy, can be the keel of the boat that helps to keep it upright.  The aligned ERM program will not be heavy cargo stacked on the deck, nor will it act like the passengers who run to the low side of the boat.

And better still, ERM can help the boat to get where it is going by helping to choose a path between or around the rocks.  But insurer strategies vary widely, so it seems logical that the linkage of ERM with strategy will vary.  And that may be the reason that there is so much difficulty with the process of aligning strategy and ERM.  Too much advice that focuses on just one way to accomplish that – one way that will work best with just one of the dozens of existing insurer strategies.

4 steps to linking strategy and ERM continues this discussion on the Willis Towers Watson blog.

You have to show up

Posted June 20, 2016 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, ERM, Insurance Risk

Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.

When risk management is successful, there is no bell that rings.  There are no fireworks.  Usually, a successful risk management moment is evidenced by a lack of big surprises.

But most days, big surprises do not happen anyway.

So if risk managers want to be appreciated for their work, they have to do much more than just show up.  They need to build up the story around what a very good day looks like.

  • One such story would be that a very good day might happen when the world experiences a major catastrophe.  A catastrophe that is in the wheelhouse of the firm.  And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
  • In 2011, there were major earthquakes in New Zealand, Japan and Chile.  One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year.  They credited that result to a risk management process that had them limiting their exposure to any one zone.  A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.

With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!

But to do that, they need to be sure to show up.

 

Management by Onside Kick

Posted June 6, 2016 by riskviews
Categories: Credit Risk, Data, Decision Makng, Enterprise Risk Management, Hedging, Uncategorized


Many American football fans can recall a game when their team drove the ball 80 or more yards in the waning moments of the game to pull within a touchdown of the team that had been dominating them. Then they call for the onside kick – recover the ball and charge to a win within a few more plays.

But according to NFL stats, that onside kick succeeds only 20% of the time in the waning minutes of the game.

Mid game onside kicks – that are surprises – work 60% of the time.

But mostly it is the successful onside kicks that make the highlights reel. RISKVIEWS guesses that on the highlights those kicks are 80% or more successful.

And if you look back on the games of the teams that make it to the Super Bowl, they probably were successful the few times that they called that play.

What does that mean for risk managers?

Be careful where you get your statistics. Big data is now very popular. Winners use Big Data. So many conclude that it will give better indications. But make sure that your data inputs are not from highlight reels or from the records of the best year for a company.

Many firms use default data collected by rating agencies, for example, to parameterize their credit models. But the rating agencies would point out that the data is from rated companies only. This makes little difference for rated Bonds. There the bonds are rated from issue to maturity or default. But if you want to build a default model of insurers or reinsurers then you need to know that many insurers and some reinsurers will drop their rating if it falls below a level where it hurts their business. So ratings transition statistics for insurers are more like the highlight reels below a certain level.
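How rating withdrawals turn default statistics into a highlight reel, as an added example (not from RISKVIEWS or any rating agency). The two rating buckets, the transition probabilities, the withdrawal rule, the estimator and the function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed one-year transition probabilities (illustrative, not agency data).
# "A" = rated comfortably above the level that matters commercially,
# "B" = rated below that level, "D" = default.
TRANSITIONS = {
    "A": {"A": 0.93, "B": 0.06, "D": 0.01},
    "B": {"A": 0.10, "B": 0.75, "D": 0.15},
}


@dataclass
class CohortResult:
    true_default_rate: float      # every insurer in the cohort, rated or not
    observed_default_rate: float  # what the still-rated population shows
    unrated_at_end: float         # share of the cohort that withdrew and survived


def step(population):
    """Advance a {'A': mass, 'B': mass} population by one year.
    Returns the surviving population and the mass that defaulted."""
    survivors = {"A": 0.0, "B": 0.0}
    defaults = 0.0
    for state, mass in population.items():
        for target, prob in TRANSITIONS[state].items():
            if target == "D":
                defaults += mass * prob
            else:
                survivors[target] += mass * prob
    return survivors, defaults


def follow_cohort(years, withdraw_share):
    """Follow a cohort that starts fully rated 'A'.

    At each year end, `withdraw_share` of the insurers rated 'B' drop their
    rating. They keep the same true default risk but leave the data set
    (assumption: they never return to rated status).
    The observed rate compounds each year's default frequency among the
    insurers that were still rated at the start of that year.
    """
    if not 0.0 <= withdraw_share <= 1.0:
        raise ValueError("withdraw_share must be between 0 and 1")
    rated = {"A": 1.0, "B": 0.0}
    unrated = {"A": 0.0, "B": 0.0}
    true_defaults = 0.0
    observed_survival = 1.0
    for _ in range(years):
        rated_at_start = rated["A"] + rated["B"]
        rated, seen = step(rated)
        unrated, unseen = step(unrated)
        true_defaults += seen + unseen
        observed_survival *= 1.0 - seen / rated_at_start
        leaving = withdraw_share * rated["B"]
        rated["B"] -= leaving
        unrated["B"] += leaving
    return CohortResult(true_defaults, 1.0 - observed_survival,
                        unrated["A"] + unrated["B"])


if __name__ == "__main__":
    for share in (0.0, 0.5, 0.9):
        r = follow_cohort(years=5, withdraw_share=share)
        print(f"withdraw {share:.0%}: true 5y default {r.true_default_rate:.2%}, "
              f"observed {r.observed_default_rate:.2%}, "
              f"unrated at end {r.unrated_at_end:.2%}")
```

The true default rate never changes across the runs; only the share of weak insurers that remain visible does, and the observed rate falls with it.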

Some models of dynamic hedging strategies were in effect taking the mid game success rates and assuming that they would apply in bad times. But like the onside kick, things worked very differently.

So realize that a business strategy and especially a risk mitigation strategy may work differently when things have gone all a mess.

And an onside kick is nothing more than putting the ball in play and praying that something good will happen.

Have you become “Nose Blind” to deficiencies in your ERM program?

Posted May 16, 2016 by riskviews
Categories: Enterprise Risk Management

You may have seen the commercial for the room freshener about becoming “Nose Blind” to odors.

Well, the same thing happens all the time, even in good ERM programs.

In the early days of ERM, the smart CRO is willing to take the victories that they can get and not let the “perfect be the enemy of the good”. And if they do it right, they will end up with an ERM program much faster than the perfectionist CRO and his two or three successors.

But that CRO will eventually become “nose blind” to the weak spots in ERM, just like a long term homeowner who goes to sell a house and has a hard time believing that new buyers cannot just step over that bad spot on the floor as they have been doing for 10 years.

That is the reason that an outside audit of an ERM program is needed every so often.  The outside audit brings in a fresh nose.  But you need to be careful in charging the auditor.

There are two aspects of the ERM program that the auditor needs to look for:

  1. Poor execution of the ERM Framework
  2. Incomplete ERM Framework

And the nose blindness might apply in either aspect.  The CRO may have become nose blind to the places where someone is doing a weak job of execution.  Again, this may have been the area that was least supportive of ERM when the program was new.  So due to steady opposition, the CRO eventually just learns to live with whatever the managers in that area are willing to do, however minimal and ineffective.  And the CRO could be responsible for choosing to not attempt some normal parts of an ERM program when they are first making up the ERM Framework of the company.  Or, the standard that was initially used as the template for the ERM Framework might not have been very good for the types of risks that are taken by the company.  For example, the COSO ERM standard is intended to be applicable to all sorts of firms.  Its advice is fairly generic.  An insurer is a firm whose business it is to accept financial responsibility for other people’s risks.  There are a number of ERM standards developed specifically for insurers.  But an insurer that uses the COSO ERM standard as its sole guide will have difficulty achieving the level of ERM program maturity of those who followed insurance specific standards.

Those without the budget to hire an outside auditor can use two techniques to clear the air and smell things with a fresh nose:

  1. For execution issues, ask your folks to do peer audits of each other.  When people from your weakest area see the level of practice in another area, they will get some sense of what they are missing.  And when the people from the strongest execution area do an audit of another area, their best practices can be spread more widely.
  2. Review your ERM Framework against a different standard than the one that you used to create it.  Do not pull punches, if that different standard says to do something in a certain manner, mark your framework as potentially deficient if you are not operating in that manner.  Then work to honestly resolve these issues.  These alternate standards may have their own area of nose blindness, but they would never have risen to standard status unless they had some serious benefits for the users.

Frequency and Severity

Posted April 19, 2016 by riskviews
Categories: Enterprise Risk Management

There are not any statistics available, but some form of guessing frequency and severity for each risk is most likely the most popular approach to risk assessment.

Which is a problem, since that approach is fatally flawed.

There are at least three fatal flaws:

  1. Guessing is a weak approach to assessing anything.
  2. The Frequency/Severity idea only actually applies to a few rare situations.
  3. Frequency/Severity pairs are not actually comparable.

But there is a simple fix for this. That fix would be to pick two levels of frequency and then determine the loss that is likely at both levels of frequency. Most useful would be to look at the worst losses that might occur under “Normal Volatility” and also look at the losses for each risk that would be considered a “Realistic Disaster”. Losses from different risks CAN be compared on each of those two levels.

For more information about the Frequency Severity approach and this alternate approach, see:

For ERM, a Better Solution to Guessing Frequency and Severity Pairs for Risks on the Willis Towers Watson Wire

 

Real World Risks

Posted December 16, 2015 by riskviews
Categories: Black Swan, Enterprise Risk Management, Risk


There are many flavors of Risk Management.  Each flavor of risk manager believes that they are addressing the Real World.

  • Bank risk managers believe that the world consists of exactly three sorts of risk:  Market, Credit and Operational.  They believe that because that is the way that banks are organized.  At one time, if you hired a person who was a banking risk manager to manage your risks, their first step would be to organize them into those three buckets.
  • Insurance Risk Managers believe that a company’s insurable risks – liability, E&O, D&O, Workers Comp, Property, Auto Liability – are the real risks of a firm.  As insurance risk managers have expanded into ERM, they have adapted their approach, but not in a way that could, for instance, help at all with the Credit and Market risk of a bank.
  • Auditor Risk Managers believe that there are hundreds of risks worth attention in any significant organization. Their approach to risk is often to start at the bottom and ask the lowest level supervisors.  Their risk management is an extension of their audit work.  This is consistent with the famous Giuliani broken windows approach to crime.  However, this approach to risk often leads to confusion about priorities and they sometimes find it difficult to take their massive risk registers to top management and the board.
  • Insurer Risk Managers are focused on statistical models of risk and have a hard time imagining dealing with risks that are not easily modeled such as operational and strategic risks.  The new statistical risk managers often clash with the traditional risk managers (aka the underwriters) whose risk management takes the form of judgment based selection and pricing processes.
  • Trading Desk Risk Managers are focused on the degree to which any traders exceed their limits.  These risk managers have evolved into the ultimate risk takers of their organizations because they are called upon to sometimes approve breaches when they can be talked into agreeing with the trader about the likelihood of a risk paying off.  Their effectiveness is viewed by comparing the number of days that the firm’s losses exceed the frequency predicted by the risk models.

So what is Real World Risk?

Start with this…

Top Causes of death

  • Heart disease
  • Stroke
  • Lower respiratory infections
  • Chronic obstructive lung disease
  • HIV
  • Diarrhea
  • Lung cancers
  • Diabetes

Earthquakes, floods and Hurricanes are featured as the largest insured losses. (Source III)

Cat Losses

Note that these are the insured portion of the losses. The total loss from the Fukushima disaster is estimated to be around $105B. Katrina total loss $81B. (Source Wikipedia)

Financial Market risk seems much smaller.  When viewed in terms of losses from trading, the largest trading loss is significantly smaller than the 10th largest natural disaster. (Source Wikipedia)

Trading Losses

But the financial markets sometimes create large losses for everyone who is exposed at the same time.

The largest financial market loss is the Global Financial Crisis of 2008 – 2009.  One observer estimates the total losses to be in the range of $750B to $2000B.  During the Great Depression, the stock market dropped by 89% over several years, far outstripping the 50% drop in 2009.  But some argue that every large drop in the stock market is preceded by an unrealistic run up in the value of stocks, so that some of the “value” lost was actually not value at all.

If your neighbor offers you $100M for your house but withdraws the offer before you can sell it to him and then you subsequently sell the house for $250k, did you lose $99.75M?  Of course not.  But if you are the stock market and for one day you trade at 25 times earnings and six months later you trade at 12 times earnings, was that a real loss for any investors who neither bought nor sold at those two instants?

So what are Real World Risks?

Comments welcomed…

Real World Risk Institute

Posted November 28, 2015 by riskviews
Categories: Enterprise Risk Management

They work first to develop

the principles and methodology for what we call real-world rigor in decision making and codify a clear-cut way to approach risk.

Then they offer to teach those principles and methods to a small group of students.

They are

  • 2 risk takers, former full-time traders (with combined experience of more than half a century)
  • 2 persons known to have an attitude problem
  • 6 PhDs (quant/math), 4 businessmen/quants/advisors to hedge funds, 2 owners of analytics firms (competing with one another)
  • 2 UHNWI (Ultra High Net Worth Individuals)
  • 4 persons who specialize in tail events in both theory and real-life practice
  • More than 25 books, and around 500 scholarly publications
  • 4 are probabilists with deep enough a knowledge of probability to respect practice and explain things with concepts and pictures

Their leader is Nassim Taleb, author of The Black Swan and other books.

They are offering a MINI-CERTIFICATE IN REAL WORLD RISK MANAGEMENT* Feb 22-26 2016, New York City, 9 AM-5 PM.

Find them at Real World Risk Institute

Inequality and Lotteries

Posted October 21, 2015 by riskviews
Categories: Compensation


There has been much talk about how unacceptable the degree of financial inequality in the US is.  And it seems to be getting worse and worse.

But what we have seems to be exactly what most people want in general.  Probably the only part of it that most people would change is the part where they personally are not one of the fortunate wealthy few.

The lottery is the perfect example of a mechanism to achieve an unequal society.

Everyone buys a ticket for a small amount of money.  The jackpot grows until it reaches $301 million.  The winner is drawn.  The result is one rich person with $301M and everyone else goes back to their regular life and stops dreaming about becoming that one rich person – for a week at least.

If that happens several times a year and everyone is either a winner or has a low to moderate job, then a vastly unequal society develops.

After one year, there will be 3 – 4 multi-millionaires and the entire rest of the population will have wealth that is a tiny fraction of those ultra rich.  After a decade, the ranks of the ultra rich will have grown to 30 or 40.  At that point, the top .000001% of the population will have .03% of the total wealth.

Each year, the country will grow more and more unequal, with a tiny fraction of the population commanding an ever growing proportion of the total wealth.

But that is why there is no uprising against the super rich.  Everyone else believes that they might one day hit the lottery and win their position in that group.  And when that happens, they do not want a tax regime, for instance, that will just take their riches away.

 

No Reward without Risk

Posted September 29, 2015 by riskviews
Categories: Business, Enterprise Risk Management


Is that so? Well, only if you live in a textbook. And RISKVIEWS has not actually checked whether there really are text books that are that far divorced from reality.

Actually, in the world that RISKVIEWS has inhabited for many years, there are many real possibilities, for example:

  • Risk without reward
  • Reward without risk
  • Risk with too little Reward
  • Risk with too much Reward
  • Risk with just the right amount of reward

The reason why it is necessary to engage nearly everyone in the risk management process is that it is very difficult to distinguish among those and other possibilities.

Risk without reward describes many operational risks.

Reward without risk is the clear objective of every capitalist business.  Modern authors call it a persistent competitive advantage; the old school name was monopoly.  Reward without risk is usually called rent by economists.

Risk with too little reward is what happens to those who come late to the party or who come without sufficient knowledge of how things work.  Think of the poker saying “look around the table and if you cannot tell who is the chump, it is you.”  If you really are the chump, then you are very lucky if your reward is positive.

Risk with too much reward happens to some first comers to a new opportunity.  They are getting some monopoly effects.  Perhaps they were able to be price setters rather than price takers, so they chose a price higher than what they eventually learned was needed to allow for their ignorance.  Think of Apple in the businesses that they created themselves.  Their margins were huge at first, and eventually came down to …

Risk with just the right amount of reward happens sometimes, but only when there is a high degree of flexibility in a market – especially no penalty for entry and exit.  Sort of the opposite of the airline industry.

No Reward Without Risk

Comparing Eagles and Clocks

Posted August 11, 2015 by riskviews
Categories: Enterprise Risk Management


Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify a HML for Frequency and Severity for each risk.  But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk.  Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor.  However, this process is frankly meaningless.  Like multiplying the number of carrots times the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk.  They can each be compared across all of the risks.  That is you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a realistic disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters.  You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at them consistently with other risks.
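The comparison described above, as an added example that is not part of the original post: three constructed risks are scored the H/M/L way and then measured by the loss at two fixed frequency levels. The risk parameters, the Poisson/lognormal loss model and the choice of 1-in-5 and 1-in-200 years for Normal Volatility and Realistic Disaster are all assumptions made for illustration.

```python
from math import exp, log
from statistics import NormalDist

# Constructed sample risk register (illustrative values, losses in $M).
# freq/sev are the H/M/L guesses a frequency-severity register would hold;
# events_per_year, median_loss and sigma describe an assumed model:
# Poisson event arrivals with a lognormal loss per event.
RISKS = {
    "frequent-small": {"freq": "H", "sev": "L",
                       "events_per_year": 2.0, "median_loss": 0.5, "sigma": 0.5},
    "medium-medium": {"freq": "M", "sev": "M",
                      "events_per_year": 0.5, "median_loss": 5.0, "sigma": 0.8},
    "rare-large": {"freq": "L", "sev": "H",
                   "events_per_year": 0.02, "median_loss": 50.0, "sigma": 1.0},
}
SCORE = {"L": 1, "M": 2, "H": 3}

# Assumed frequency levels for the two views (the post does not fix them).
NORMAL_VOLATILITY_YEARS = 5      # loss exceeded about once in 5 years
REALISTIC_DISASTER_YEARS = 200   # loss exceeded about once in 200 years


def loss_at_return_period(risk, years):
    """Single-event loss exceeded with annual probability 1/years (years > 1)."""
    annual_prob = 1.0 / years
    # With Poisson arrivals, P(some event > x in a year) = 1 - exp(-rate * S(x)),
    # where S(x) is the chance that one event exceeds x. Solve for S(x).
    survival = -log(1.0 - annual_prob) / risk["events_per_year"]
    if survival >= 1.0:
        # Events are rarer than the chosen frequency: no loss at this level.
        return 0.0
    z = NormalDist().inv_cdf(1.0 - survival)
    return risk["median_loss"] * exp(risk["sigma"] * z)


def rank(values):
    """Risk names ordered from largest value to smallest."""
    return sorted(values, key=values.get, reverse=True)


def compare(risks=RISKS):
    """Return (score products, normal-volatility losses, disaster losses)."""
    scores = {n: SCORE[r["freq"]] * SCORE[r["sev"]] for n, r in risks.items()}
    normal = {n: loss_at_return_period(r, NORMAL_VOLATILITY_YEARS)
              for n, r in risks.items()}
    disaster = {n: loss_at_return_period(r, REALISTIC_DISASTER_YEARS)
                for n, r in risks.items()}
    return scores, normal, disaster


if __name__ == "__main__":
    scores, normal, disaster = compare()
    print(f"{'risk':<16}{'F x S':>6}{'normal':>10}{'disaster':>10}")
    for name in RISKS:
        print(f"{name:<16}{scores[name]:>6}"
              f"{normal[name]:>10.2f}{disaster[name]:>10.2f}")
    print("ranked by normal volatility: ", rank(normal))
    print("ranked by realistic disaster:", rank(disaster))
```

The score product ties the frequent-small and rare-large risks, while the two fixed-frequency views separate them and order the three risks differently at each level.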

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:

Helsinki_city_bikes

Or two birds:

ISU_mute_swans

But you cannot compare a bird and a Clock:

Adalberti_1

Bahnsteiguhr[1]

And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons – https://commons.wikimedia.org/wiki/File:Adalberti_1.jpg#/media/File:Adalberti_1.jpg

Separation of Risk Taking and Reporting

Posted July 23, 2015 by riskviews
Categories: Enterprise Risk Management

The separation of Risk Reporting from risk taking is a key tenet of ERM and especially of bank risk culture. The idea is that someone other than the person who is judged for the P&L of risks must be the one who reports on risk positions.

If looked at from a logical perspective, this must be because business unit people, such as risk traders, are not to be trusted. When faced with the opportunity, they will lie about their risk positions.

This might be because the people who might be doing the false reporting believe that what they are doing is ok because there is something different between risk and profit. Risk is about the future. A measure of risk is ephemeral. It exists in a moment and is never proven by experience. In most cases, risk either becomes a loss or it evaporates to nothingness. It is that latter sense that tempts the traders and other risk misreporters. In their reckoning, “no harm, no foul”. If the risk didn’t become a loss, it really doesn’t matter what number we wrote down for it. And if there is a loss, what is important is the amount of the loss, not the potential loss that we call the risk measure. They may consider themselves to be realists.

Profits are different, aren’t they? They are about the past. So when they are recorded, profits are facts, aren’t they? Well, no, not really. Profits usually depend upon several estimates of provisions for future contingencies.  Sarbanes-Oxley in the US has set up a massive system that leads to a statement by the CEO that the financial reports, the reports of profits are correct. So for profits, the CEO can be the ultimate arbiter if the company spends enough time following auditing procedures. The CEO can be trusted to report on his or her own profits, usually a key determinant in compensation. But for Risk, many call for a CRO who is independent of the CEO, who reports directly to the board, so that this independence of risk reporting and risk taking can be maintained at every level. The presumption is that the CEO does not believe in ERM, so will be tempted to apply the “no harm, no foul” principle from time to time.

This is evidence of a broken risk culture, not a part of an effective risk culture.

That line of thinking means that in general, management and especially the traders do not believe in the risk management program of the organization. It means that no one actually believes that it is important whether the bank stays within its risk tolerance. That if a risk trader were to lie about their risk position and make a profit because the risk did not become a loss, that the organization would not fire or censure or probably even sincerely reprimand the trader as a matter of policy. And the manager who gave the “reprimand with a wink” would be considered the real carrier of the company culture rather than the risk management person who pointed out the misrepresentation. That risk management person would be considered in league with the regulators, not the bank. A member of the Business Prevention Squad.

That is not the reaction of a bank to most dishonest actions. For example, if someone in a bank were caught walking out of work one day with their pockets stuffed with cash, that person would doubtless be sacked immediately and turned over to the police. But if a risk trader misstates their risk position and because of that misstatement is able to maintain a risk position that they otherwise would have had to sell or offset that leads to them walking out of the bank with a large (sometimes extremely large) check, then that dishonesty is ok. It is ok because “no harm, no foul”. Which is the same as saying that the bank does not really believe in one of the central tenets of risk management. That is the idea that your risk evaluation is a good indicator of your expected losses over time. Which leads to the belief that limiting the potential loss indicated from risk evaluation, over the long haul will limit the losses.

That is what is totally wrong about the Risk Culture discussion from the regulators as epitomized in the FSB paper on Risk Culture. In that document, regulators are urged to perform evaluation of the risk culture of the bank. But the evaluation is all about assessing whether banks are going through the motions of a good risk culture. It includes the separation of risk reporting and risk taking as one of the key components of a strong risk culture. By this approach, the regulators are acknowledging that the banks will never actually reform their cultures to the extent that they will actually expect their employees not to lie about their activities. They are, in effect, saying that the key financial services of the advanced economies of the world should be expected to always operate in such a manner.

The most important aspect of risk management culture is whether the board and management believe in the importance of ERM. If they believe in ERM, they will execute as competently as they execute most other important functions. If they do not believe in ERM, telling them in detail how to execute ERM is of little impact.  And the aspect of risk culture called “Tone at the Top” will be delivered without a wink.

Knowing the results from Stress Tests in Advance

Posted July 13, 2015 by riskviews
Categories: Enterprise Risk Management, Stress Test


Insurers and regulators need to adopt the idea of characterizing stress tests scenario frequency as:

  • Normal Volatility
  • Realistic Disaster
  • Worst Case

Or something equivalent.

With the idea that it is reasonable for an insurer to prepare for a Realistic Disaster Scenario, but not practical to be prepared for all Worst Case scenarios. Not practical because the insurance would cost too much and less insurance would be sold.

With such a common language about frequency relating to stress tests, the results of the stress testing and the response to those results can make much more sense.

The outcomes of stress testing then fall into a pattern as well.

  • An insurer should be able to withstand normal volatility without any lasting reduction to capital.
  • An insurer should be able to withstand a Realistic Disaster for most of their risks without a game changing impairment of capital, i.e. it would be realistic for them to plan to earn their way back to their desired level of capital. For the most significant one or two risks, a Realistic Disaster may result in Capital impairment that requires special actions to repair. Special actions may include a major change to company strategy.
  • An insurer can usually withstand a Worst Case scenario for most of their risks with the likelihood that for some, there will be an impairment to capital that requires special actions to repair. For the largest one or two risks, the insurer is unlikely to be able to withstand the Worst Case scenario.

Those three statements are in fact a requirement for an insurer to be said to be effectively managing their risks.

So the ORSA and any other stress testing process should result in the development of the story of what sorts of stresses require special management actions and what types result in failure of the insurer.  And for an insurer with a risk management program that is working well, those answers should be known for all but one or two of their risks.  Those would be the second and third largest risks.  An insurer with a perfect risk management program will not have very much daylight between their first, second and third largest risks and therefore may well be able to survive some worst case scenarios for even their largest risks.

ERM is not the End, It is the Means

Posted June 9, 2015 by riskviews
Categories: Enterprise Risk Management


As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management.  Probably because they are the survivors.  Perhaps there was much less Risk Management in the failed insurers.

So if they already have Risk Management, why do they need ERM? 

There are four possible reasons:

  1. Discipline – the sports teams with the most discipline win most championships.  The coach can count on the players to execute the same way every time.  In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time.  ERM expects that discipline, but ERM operates on a trust but verify approach.  Perhaps leaning more on the verify than the trust.  So when an Insurer adds ERM to its already pretty full Risk Management processes, they are opting for Risk Management that is totally reliable because it has discipline.
  2. Transparency – much of the existing Risk Management in an insurer is a fairly private affair.  It is done by the folks who need to be doing it but they rarely talk about it.  When ERM comes along, it seems that the number of reports goes up.  Some of those reports are of absolutely no help to the folks who are doing Risk Management.  Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected.  In one sense, Risk Management is all about making sure that some things rarely or never happen.  This Transparency about the actions that result in nothing happening provides the records that need to be kept for the defense of the Risk Manager as well.
  3. Alignment – most of existing Risk Management grew up as the insurer grew up.  That is a good thing because the Risk Management can be totally incorporated into all practices.  But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company.  The key element to that process is a Risk Tolerance.  With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
  4. Resiliency – system resilience is not a usual part of traditional Risk Management.  Traditional Risk Management is most often about defending the status quo.  Resilience is all about figuring out how best to adapt.  Within ERM is a process called Emerging Risks Management.  Emerging Risks Management is all about preparing for the risks that are definitely not yet banging on the door.  They may be far down the road or around the bend.  Emerging Risks Management is an exercise process that builds Resilience Muscles.

Those are the Ends.  ERM is the means to get to those ends.

Three Levels of Security

Posted April 15, 2015 by riskviews
Categories: Enterprise Risk Management

A Japanese judge is holding up plans to restart nuclear reactors in Japan.

“There is little rational basis for saying that an earthquake with a magnitude that exceeds the safety standard will not occur,” said Judge Higuchi, 62. “It is an optimistic view.”

RISKVIEWS does not know what the plans are for the safety of those plants.  But it seems that for many risk and safety related issues, we need to be thinking of three levels of security.

  1. At the first level of security, the impact of potential volatility will be managed to within tolerances with normal risk mitigation methods.  Processes will be maintained so that there is constant assurance that the normal risk mitigation methods are kept in operation.
  2. At the second level of security, the actual volatility will be too much for normal risk mitigation methods to contain.  But, this level of security involves extraordinary actions that need to be employed to keep an out of tolerance situation from getting worse and sometimes, if brought into action early enough, to prevent the out of tolerance situation from developing.  These extraordinary actions will often conflict with other goals of the organization – for example for a business, they may endanger profit or growth goals.
  3. At the third level of security, the actual volatility will be too much for either normal mitigation or extraordinary actions to manage the impact to within tolerances.  The security plans need to be made in terms of containing the out of tolerance situation to limit the spread of damages – especially to prevent a situation of cascading failures.

With risk management plans for these three levels of security, there are no situations where the responsible party simply throws up their hands and walks away.

In the case of the Japanese Nuclear power, the impression from the press about the Fukushima disaster was that the nuclear power operators only had a first level plan, but with a fairly high threshold.  If the new plans for restarting the nuclear power plants are mainly a new first level security plan with a somewhat higher threshold, then the judge is right in delaying the restart.

But, on the other hand, if Judge Higuchi is looking for a first level security plan with a threshold that is higher than the worst possible earthquake, he is being unrealistic.

The Big C is behind every great Risk

Posted March 30, 2015 by riskviews
Categories: Diversification, Enterprise Risk Management


Concentration, defined broadly, is the source of all risk.

An unconcentrated pool of activities, all with potential for positive and negative outcomes, provides the Big D – Diversification.

So it seems simple to avoid C – just do D.

But we have so many ways to concentrate.  And concentration is particularly tempting.

  • When things are going well, it makes sense to do more of whatever it is that is working best.  That increases concentration. 
  • Once we learn how to do something right, it makes sense to do more.  That increases concentration.
  • One supplier is almost always the cheapest, fastest and best quality.  So we give them more business.  That increases concentration. 
  • That one product has better margins than the rest and it sells better too.  So we plan to increase our capacity to make that product.  That increases concentration. 
  • Our best distributor runs rings around the rest.  We are working on giving her a larger territory.  That increases concentration. 

The alternative, the diversifying alternative just doesn’t sound so smart.

  • Hold back when things are going well.
  • Do more of the things that you haven’t quite mastered.
  • Buy from the second and third best suppliers.
  • Keep up capacity for the lower margin lower selling products.
  • Restrict your best distributor from selling too much.

Remember Blockbuster?  There were Blockbuster stores everywhere fifteen years ago.  They did that one thing, rent physical videos through physical stores and did it so well that they drove out most of their competition.  But they were totally Concentrated.  When they were faced with a new competitor, Netflix, the CEO proposed changes to their business practices, including diversifying into online rentals.  Their board decided against going into a new lower margin product and fired the CEO.  Five years later, Blockbuster was toast.

Concentration risk is often strategic.

In the financial crisis, we found a new sort of concentration risk.  It was a network risk.  The banks were all highly concentrated in the financial sector – in exposure to other banks.  This network risk is now often called systemic risk.  But this risk is necessary because of the strategic choices of business models of the banks.  They all choose to do business in such a way to take up each other’s slack on a daily basis.  They all think that is much more efficient than operating with an irregular amount of slack resources.  In times running up to the financial crisis, the interdependency changed from just taking up each other’s overnight slack to some banks using that overnight facility from other banks to fund a major fraction of their business activity.  (And woe is all that much of that business activity was fundamentally a loser. But that lack of underwriting by the banks of each other is a different story.)

Why is concentration risk so deadly?  The answer to that is pretty simple arithmetic.  If your conglomerate amounts to four similar sized separate divisions that do not interact so much, it is quite possible that if one of those businesses fails, that the conglomerate will be able to continue operating – wounded but fully able to operate the other three divisions.  But if your cousin’s venture has just one highly profitable, highly successful business, then his venture will either live or die with that one business.

In insurance, we see this concentration risk all of the time.  Suppose you are an insurer that only writes business throughout the Pacific islands in the 1700’s, but you find that your best salesperson is on Easter Island and your highest margin product is business interruption insurance for the businesses that do the carving of the massive Moai statues.  So you do more and more business with your best salesperson selling your best product, until you are essentially a one product, one location insurer.  And then the last tree is used (or rats eat the roots).  All of your customers make claims at once.  You thought that you were diversified because you had 300 separate customers.  But those 300 customers all acted like just one when the trees were gone.

So diversification is not just about counting.  It is about understanding the differences or similarities of your risks.  And failure to understand those drivers will often lead to dangerous concentration.  Just ask those banks or that Easter Island insurer.
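The arithmetic behind the 300-customer story, as an added example that is not part of the original post: two books with the same customer count and the same claim probability per customer, one with independent claims and one where a shared driver can make everyone claim at once. The probabilities and the 1-in-200 tolerance are assumed values chosen for illustration.

```python
from math import comb

N_CUSTOMERS = 300     # customer count from the Easter Island example
CLAIM_PROB = 0.02     # assumed annual chance that any one customer claims
DRIVER_PROB = 0.015   # assumed annual chance that the shared driver fails
TOLERANCE = 0.005     # assumed: funding may fall short at most 1 year in 200


def tail_independent(n, p, k):
    """P(more than k of n customers claim) when claims are independent."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j)
               for j in range(k + 1, n + 1))


def tail_common_driver(n, p, k, q):
    """Same tail when, with probability q, one shared driver makes all n claim.

    Each customer's overall claim probability is still p, so a count of
    customers and their individual odds looks identical in both books.
    """
    if k >= n:
        return 0.0
    p_other = (p - q) / (1 - q)   # claim chance in years when the driver holds
    return q + (1 - q) * tail_independent(n, p_other, k)


def claims_to_fund(tail, n, tolerance):
    """Smallest number of claims k such that P(claims > k) <= tolerance."""
    return next(k for k in range(n + 1) if tail(k) <= tolerance)


def compare_books():
    """Return claims to fund for (independent book, concentrated book)."""
    independent = claims_to_fund(
        lambda k: tail_independent(N_CUSTOMERS, CLAIM_PROB, k),
        N_CUSTOMERS, TOLERANCE)
    concentrated = claims_to_fund(
        lambda k: tail_common_driver(N_CUSTOMERS, CLAIM_PROB, k, DRIVER_PROB),
        N_CUSTOMERS, TOLERANCE)
    return independent, concentrated


if __name__ == "__main__":
    independent, concentrated = compare_books()
    print("expected claims per year, either book:", N_CUSTOMERS * CLAIM_PROB)
    print("claims to fund, independent customers:", independent)
    print("claims to fund, shared driver:        ", concentrated)
    print("P(more than 30 claims), independent:  ",
          tail_independent(N_CUSTOMERS, CLAIM_PROB, 30))
    print("P(more than 30 claims), shared driver:",
          tail_common_driver(N_CUSTOMERS, CLAIM_PROB, 30, DRIVER_PROB))
```

Both books expect six claims a year, yet the book with the shared driver has to be able to pay all 300 customers to stay within the same tolerance.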

Berkshire Hathaway Risk Appetite

Posted March 20, 2015 by riskviews
Categories: Disclosure, Enterprise Risk Management, Risk Appetite

“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”

Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014

So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.

What are Berkshire’s competitors prepared for?

Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

Partner Re

They have a number and here it is.  But look at how much more Buffett has disclosed.  He told us that for Berkshire, in an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposite assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that they are likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re)insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re)insurer is to pay its claims and remain in business in an extreme situation.

Risk Reporting Conflict of Interest

Posted March 2, 2015 by riskviews
Categories: Compensation, Enterprise Risk Management, Swine Flu


We give much too little consideration to potential for conflict of interest in risk reporting.

Take for instance weather risk reporting.


"Sneeuwschuiver". Licensed under CC BY-SA 2.5 via Wikimedia Commons

Many of the people who report on Weather Risk have a financial interest in bad weather.  Not that they own snow plowing services or something.  But take TV stations for example.  Local TV station revenue is largely proportional to their number of viewers.  Local news and weather are often the sole part of their schedule that they produce themselves and therefore get all or almost all of the revenue.  And viewership for local news programs may double with an impending snowstorm.  So they have a financial interest in predicting more snow.  The Weather Channel has the same dynamic, but a wider area from which to draw to find extreme weather situations.  But if there is any hint of a possible extreme weather situation in a major metropolitan area with millions of possible viewers, they have a strong incentive to report the worst case possibility.

This past January, there were some terrible snow forecasts for New York and Philadelphia:

For the Big Apple, the great Blizzard of 2015 was forecast to rival the paralyzing 1888 storm, dubbed the White Hurricane. Up to three feet of snow was predicted. Reality: About 10 inches fell.

The forecast in Philadelphia wasn’t any better – and arguably worse. Up to 14 inches of snow were forecast. The City of Brotherly Love tallied roughly 2 inches, about the same as Washington, D.C.

Washington Post,  January 27, 2015

In other cases, we go to the experts to get information about possible disasters from diseases.  But their funding depends very much on how important their specialty is seen to be to the politicians who approve their funding.

In 2005, the Bird Flu was the scare topic of the year.

“I’m not, at the moment, at liberty to give you a prediction on numbers, but I just want to stress, that, let’s say, the range of deaths could be anything from 5 to 150 million.”

David Nabarro, Senior United Nations system coordinator for avian and human influenza

Needless to say, the funding for health systems can be strongly impacted by the fear of such a pandemic.  At the time that statement was made, worldwide Bird Flu deaths were slightly over 100.  Not 100 thousand, 100 – the number right after 99.

But the purpose of this post is not to disparage weather reporters or epidemiologists.  It is to caution risk managers.

Sometimes risk managers get the idea that they would be better off if everyone had more concern for risk.  They take on the role of Dr. Doom, pointing out the worst case potential in every situation.

This course of action is usually not successful. Instead of building respect for risk, the result is more often to create a steady distrust of statements from the risk manager.  The Chicken Little effect results.

Instead, the risk manager needs to focus on being painstakingly realistic in reporting about risk.  Risk is about the future, so it is impossible to get it right all of the time.  That is not the goal.  The goal should be to make reports on risk that consistently use all of the information available at the time the report is made.

And finally, a suggestion on communicating risk.  That is that risk managers need to develop a consistent language to talk about the likelihood and severity of a risk.  RISKVIEWS suggests that risk managers use three levels of likelihood:

  • Normal Volatility (as in within).  Each risk should have a range of favorable and unfavorable outcomes within the range of normal volatility.  This could mean within one standard deviation, or with a 1 in 10 likelihood. So normal volatility for the road that you drive to work might be for there to be one accident per month.
  • Realistic Disaster Scenario.  This might be the worst situation for the risk that has happened in recent memory, or it might be a believable bad scenario that hasn’t happened for risks where recent experience has been fairly benign.  For that road, two accidents in a week might be a realistic disaster.  It actually happened 5 years ago.  For the similar road that your spouse takes to work, there haven’t been any two accident weeks, but the volume of traffic is similar, so the realistic disaster scenario for that road is also two accidents in a week.
  • Worst case scenario.  This is usually not a particularly realistic scenario.  It does not mean worst case, like the sun blowing up and the end of the solar system.  It does mean something significantly worse than what you expect can happen. For the risk of car accidents on your morning commute, the worst case might be a month with 8 accidents.

So the 150 million number above for flu deaths is a worst case scenario.  As were the Great Blizzard predictions.  What actually happened was in line with normal volatility for a winter storm in those two cities.

If you, the risk manager, learn to always use language like the above, first of all, it will slow you down and make you think about what you are saying.  Eventually, your audience will get to learn what your terminology means and will be able to form their own opinion about your reliability.

And you will find that credibility for your risk reporting has a very favorable impact on your longevity and compensation as a risk manager.

Out of Sight can lead to Out of Mind

Posted February 12, 2015 by riskviews
Categories: Enterprise Risk Management


Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there are only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

Posted February 2, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Hedging, Reinsurance, Risk Management System


“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing things down too much.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.


But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may be changed only every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document may list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

The ERM Pioneers and the Settlers – Let’s not have another range war!

Posted January 24, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Risk Management System


Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is that the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successors.

How to Show the Benefits of Risk Management

Posted January 2, 2015 by riskviews
Categories: risk assessment


From Harry Hall at www.pmsouth.com

Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?

Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.

The “before picture” and “after picture” are also a powerful way to make known the value of risk management.

We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”

Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.

Say Cheese

The first step to turning risk assessments into pictures is to assign risk levels.

Assume that a Project Manager is using a qualitative rating scale of 1 to 10, 10 being the highest, to rate Probability and Impact. The Risk Score is calculated by multiplying Probability x Impact. Here is an example of a risk table with a level of risk and the corresponding risk score range.

| Level of Risk | Risk Score |
|---|---|
| Very Low | < 20 |
| Low | 21 – 39 |
| Medium | 40 – 59 |
| High | 60 – 79 |
| Very High | > 80 |

Figure 1: Qualitative Risk Table

Looking Good

Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.

Figure 2: Number of Risks before Execution of Risk Response Strategies

We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.

Figure 3: Number of Risks after Execution of Risk Response Strategies

After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.

How to Illustrate Programs, Portfolios, or Enterprises

Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.

Figure 4: Number of Program risks before and after the execution of risk response strategies

Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).

Tip of the Day

When you ask team members to rate risks, it is important that we specify whether the team members are assessing the “before picture” (i.e., inherent risks) or the “after picture” (i.e., residual risks) or both. Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk. Residual risks are risks remaining after strategies/actions have been taken.

Question: What types of charts or graphics do you use to illustrate the value of risk management?

New Year’s ERM Resolution – A Risk Diet Plan

Posted December 31, 2014 by riskviews
Categories: Change Risk, Control Cycle, Enterprise Risk Management


Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottage cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desperately needed to make a diet work.  Common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how many calories the new food has.

The aggregate risk limit serves the exact same role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses, using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person/company to achieve optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

Posted December 29, 2014 by riskviews
Categories: Assumptions, Decision Making, Economic Capital, Emerging Risks, Enterprise Risk Management, ERM, Modeling, ORSA, Risk, Risk Appetite, risk assessment, Risk Culture, Risk Limits, Risk Management, Stress Test, Tail Risk, Uncertainty


RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of how the differences between three aspects of decision-making as practiced by top management of companies and the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Economic Capital for Banking Industry

Posted December 22, 2014 by riskviews
Categories: Enterprise Risk Management, Modeling, risk assessment


Everything you ever wanted to know but were afraid to ask.

For the last seventeen years I have hated conversations with board members around economic capital. It is perfectly acceptable to discuss Market risk, Credit risk or interest rates mismatch in isolation but the minute you start talking about the Enterprise, you enter a minefield.

The biggest hole in that ground is produced by correlations. The smartest board members know exactly which buttons to press to shoot your model down. They don’t do it out of malice but they won’t buy anything they can’t accept, reproduce or believe.

Attempt to explain Copulas or the stability of historical correlations in the future and your board presentation will head south. Don’t take my word for it. Try it next time.  It is not a reflection on the board, it is a simple manifestation of the disconnect that exists today between the real world of Enterprise risk and applied statistical modeling. And when it comes to banking regulation and economic capital for banking industry, the disconnect is only growing larger.

Frustrated with our ineptitude with the state of modeling in this space, three years ago we started working on an alternate model for economic capital.  The key trigger was the shift to shortfall and probability of ruin models in bank regulation as well as Taleb’s assertions in the area of how risk results should be presented to ensure informed decision making.   While the proposed model was a simple extension of the same principles on which value at risk is based, we felt that some of our tweaks and hacks delivered on our end objective – meaningful, credible conversations with the board around economic capital estimates.

Enterprise models for estimating economic capital simply extend the regulatory value at risk (VaR) model. The theory focuses on anchoring expectations.  If institutional risk expectations max out at 97.5% then 99.9% can represent unexpected risk. The appealing part of these logistics is that the anchors can shift as more points become visible in the underlying risk distribution. In the simplest and crudest of forms, here is what economic capital models suggest:

“While regulatory capital models compensate for expected risk, economic capital should account for unexpected risk. The difference between the two estimates is the amount you need to put aside for economic capital modeling.”

The plus point with this approach is that it ensures that Economic Capital requirements will always exceed regulatory capital requirements. It removes the possibility of arbitrage that occurs when this condition doesn’t hold. The downside is the estimation of dependence between business lines.  The variations that we proposed short circuited the correlation debate. They also recommended using accounting data, data that the board had already reconciled and signed off on.


Without further ado, here is the series that presents our alternate model for estimating economic capital for banking industry. Discuss, dissect, modify, suggest. We would love to hear your feedback.

Economic Capital – An alternate Model

Can we use the accounting data series and skip copulas and correlation modeling for business lines altogether? Take a look to find the answer.


Economic Capital Case Study – setting the context

We use publicly available data from Goldman Sachs, JP Morgan Chase, Citibank, Wells Fargo & Barclays Bank from the years 2002 to 2014 to calculate economic capital buffers in place at these 5 banks. Three different approaches are used. Two centered around Capital Adequacy. One using the regulatory Tier 1 leverage ratio.


Economic Capital Models – The appeal of using accounting data

Why does accounting data work? What is the business case for using accounting data for economic capital estimation? How does the modeling work?


Calculating Economic Capital – Using worst case losses

Our first model uses worst case loss. If you are comfortable with value at risk terminology, this is the historical simulation approach for economic capital estimation.  We label it model one.


Calculating Economic Capital – Using volatility

Welcome to the variance covariance model for economic capital estimation. The results will surprise you.  Presenting model two.


Calculating Economic Capital – Using Leverage ratio

We figured it was time that we moved from capital adequacy to leverage ratios.  Introducing model three.


How to Build and Use a Risk Register

Posted December 18, 2014 by riskviews
Categories: Enterprise Risk Management, Risk Identification, Risk Management System


From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. For example, if the risk owner's response reduces a risk by 70%, the remaining 30% is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

