Inequality and Lotteries

Posted October 21, 2015 by riskviews
Categories: Compensation


There has been much talk about how unacceptable the degree of financial inequality in the US is.  And it seems to be getting worse and worse.

But what we have seems to be exactly what most people want in general.  Probably the only part of it that most people would change is the part where they personally are not one of the fortunate wealthy few.

The lottery is the perfect example of a mechanism to achieve an unequal society.

Everyone buys a ticket for a small amount of money.  The jackpot grows until it reaches $301 million.  The winner is drawn.  The result is one rich person with $301M and everyone else goes back to their regular life and stops dreaming about becoming that one rich person – for a week at least.

If that happens several times a year and everyone is either a winner or has a low to moderate job, then a vastly unequal society develops.

After one year, there will be 3 – 4 multi-millionaires and the entire rest of the population will have wealth that is a tiny fraction of those ultra rich.  After a decade, the ranks of the ultra rich will have grown to 30 or 40.  At that point, the top .000001% of the population will have .03% of the total wealth.

Each year, the country will grow more and more unequal, with a tiny fraction of the population commanding an ever growing proportion of the total wealth.

But that is why there is no uprising against the super rich.  Everyone else believes that they might one day hit the lottery and win their position in that group.  And when that happens, they do not want a tax regime, for instance, that will just take their riches away.


No Reward without Risk

Posted September 29, 2015 by riskviews
Categories: Business, Enterprise Risk Management

Is that so? Well, only if you live in a textbook. And RISKVIEWS has not actually checked whether there really are text books that are that far divorced from reality.

Actually, in the world that RISKVIEWS has inhabited for many years, there are many real possibilities, for example:

  • Risk without reward
  • Reward without risk
  • Risk with too little Reward
  • Risk with too much Reward
  • Risk with just the right amount of reward

The reason why it is necessary to engage nearly everyone in the risk management process is that it is very difficult to distinguish among those and other possibilities.

Risk without reward describes many operational risks.

Reward without risk is the clear objective of every capitalist business.  Modern authors call it a persistent competitive advantage; the old school name was monopoly.  Reward without risk is usually called rent by economists.

Risk with too little reward is what happens to those who come late to the party or who come without sufficient knowledge of how things work.  Think of the poker saying “look around the table and if you cannot tell who is the chump, it is you.”  If you really are the chump, then you are very lucky if your reward is positive.

Risk with too much reward happens to some first comers to a new opportunity.  They are getting some monopoly effects.  Perhaps they were able to be price setters rather than price takers, so they chose a price higher than what they eventually learned was needed to allow for their ignorance.  Think of Apple in the businesses that they created themselves.  Their margins were huge at first, and eventually came down to …

Risk with just the right amount of reward happens sometimes, but only when there is a high degree of flexibility in a market – especially no penalty for entry and exit.  Sort of the opposite of the airline industry.

Comparing Eagles and Clocks

Posted August 11, 2015 by riskviews
Categories: Enterprise Risk Management

Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify a High/Medium/Low (HML) rating for Frequency and Severity for each risk.  But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk.  Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor.  However, this process is frankly meaningless.  Like multiplying the number of carrots times the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk.  They can each be compared across all of the risks.  That is, you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a Realistic Disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters.  You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at them consistently with other risks.

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:


Or two birds:


But you cannot compare a bird and a Clock:



And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons –

Separation of Risk Taking and Reporting

Posted July 23, 2015 by riskviews
Categories: Enterprise Risk Management

The separation of Risk Reporting from risk taking is a key tenet of ERM and especially of bank risk culture. The idea is that someone other than the person who is judged for the P&L of risks must be the one who reports on risk positions.

If looked at from a logical perspective, this must be because business unit people, such as risk traders, are not to be trusted. When faced with the opportunity, they will lie about their risk positions.

This might be because the people who might be doing the false reporting believe that what they are doing is ok because there is something different between risk and profit. Risk is about the future. A measure of risk is ephemeral. It exists in a moment and is never proven by experience. In most cases, risk either becomes a loss or it evaporates to nothingness. It is that latter sense that tempts the traders and other risk misreporters. In their reckoning, “no harm, no foul”. If the risk didn’t become a loss, it really doesn’t matter what number we wrote down for it. And if there is a loss, what is important is the amount of the loss, not the potential loss that we call the risk measure. They may consider themselves to be realists.

Profits are different, aren’t they? They are about the past. So when they are recorded, profits are facts, aren’t they? Well, no, not really. Profits usually depend upon several estimates of provisions for future contingencies.  Sarbanes-Oxley in the US has set up a massive system that leads to a statement by the CEO that the financial reports, the reports of profits, are correct. So for profits, the CEO can be the ultimate arbiter if the company spends enough time following auditing procedures. The CEO can be trusted to report on his or her own profits, usually a key determinant in compensation. But for Risk, many call for a CRO who is independent of the CEO, who reports directly to the board, so that this independence of risk reporting and risk taking can be maintained at every level. The presumption is that the CEO does not believe in ERM, so will be tempted to apply the “no harm, no foul” principle from time to time.

This is evidence of a broken risk culture, not a part of an effective risk culture.

That line of thinking means that in general, management and especially the traders do not believe in the risk management program of the organization. It means that no one actually believes that it is important whether the bank stays within its risk tolerance. That if a risk trader were to lie about their risk position and make a profit because the risk did not become a loss, that the organization would not fire or censure or probably even sincerely reprimand the trader as a matter of policy. And the manager who gave the “reprimand with a wink” would be considered the real carrier of the company culture rather than the risk management person who pointed out the misrepresentation. That risk management person would be considered in league with the regulators, not the bank. A member of the Business Prevention Squad.

That is not the reaction of a bank to most dishonest actions. For example, if someone in a bank were caught walking out of work one day with their pockets stuffed with cash, that person would doubtless be sacked immediately and turned over to the police. But if a risk trader misstates their risk position and because of that misstatement is able to maintain a risk position that they otherwise would have had to sell or offset, and that leads to them walking out of the bank with a large (sometimes extremely large) check, then that dishonesty is ok. It is ok because “no harm, no foul”. Which is the same as saying that the bank does not really believe in one of the central tenets of risk management. That is the idea that your risk evaluation is a good indicator of your expected losses over time. Which leads to the belief that limiting the potential loss indicated from risk evaluation will, over the long haul, limit the losses.

That is what is totally wrong about the Risk Culture discussion from the regulators as epitomized in the FSB paper on Risk Culture. In that document, regulators are urged to perform an evaluation of the risk culture of the bank. But the evaluation is all about assessing whether banks are going through the motions of a good risk culture. It includes the separation of risk reporting and risk taking as one of the key components of a strong risk culture. By this approach, the regulators are acknowledging that the banks will never actually reform their cultures to the extent that they will actually expect their employees not to lie about their activities. They are, in effect, saying that the key financial services of the advanced economies of the world should be expected to always operate in such a manner.

The most important aspect of risk management culture is whether the board and management believe in the importance of ERM. If they believe in ERM, they will execute as competently as they execute most other important functions. If they do not believe in ERM, telling them in detail how to execute ERM is of little impact.  And the aspect of risk culture called “Tone at the Top” will be delivered without a wink.

Knowing the results from Stress Tests in Advance

Posted July 13, 2015 by riskviews
Categories: Enterprise Risk Management, Stress Test


Insurers and regulators need to adopt the idea of characterizing stress test scenario frequency as:


  • Normal Volatility
  • Realistic Disaster
  • Worst Case

Or something equivalent.


With the idea that it is reasonable for an insurer to prepare for a Realistic Disaster Scenario, but not practical to be prepared for all Worst Case scenarios. Not practical because the insurance would cost too much and less insurance would be sold.


With such a common language about frequency relating to stress tests, the results of the stress testing and the response to those results can make much more sense.


The outcomes of stress testing then fall into a pattern as well.


  • An insurer should be able to withstand normal volatility without any lasting reduction to capital.


  • An insurer should be able to withstand a Realistic Disaster for most of their risks without a game changing impairment of capital, i.e. it would be realistic for them to plan to earn their way back to their desired level of capital. For the most significant one or two risks, a Realistic Disaster may result in Capital impairment that requires special actions to repair. Special actions may include a major change to company strategy.


  • An insurer can usually withstand a Worst Case scenario for most of their risks with the likelihood that for some, there will be an impairment to capital that requires special actions to repair. For the largest one or two risks, the insurer is unlikely to be able to withstand the Worst Case scenario.


Those three statements are in fact a requirement for an insurer to be said to be effectively managing their risks.

So the ORSA and any other stress testing process should result in the development of the story of what sorts of stresses require special management actions and what types result in failure of the insurer.  And for an insurer with a risk management program that is working well, those answers should be known for all but one or two of their risks.  Those would be the second and third largest risks.  An insurer with a perfect risk management program will not have very much daylight between their first, second and third largest risks and therefore may well be able to survive some worst case scenarios for even their largest risks.

ERM is not the End, It is the Means

Posted June 9, 2015 by riskviews
Categories: Enterprise Risk Management

As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management.  Probably because they are the survivors.  Perhaps there was much less Risk Management in the failed insurers.

So if they already have Risk Management, why do they need ERM? 

There are four possible reasons:

  1. Discipline – the sports teams with the most discipline win most championships.  The coach can count on the players to execute the same way every time.  In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time.  ERM expects that discipline, but ERM operates on a trust but verify approach.  Perhaps leaning more on the verify than the trust.  So when an Insurer adds ERM to its already pretty full Risk Management processes, they are opting for Risk Management that is totally reliable because it has discipline.
  2. Transparency – much of the existing Risk Management in an insurer is a fairly private affair.  It is done by the folks who need to be doing it but they rarely talk about it.  When ERM comes along, it seems that the number of reports goes up.  Some of those reports are of absolutely no help to the folks who are doing Risk Management.  Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected.  In one sense, Risk Management is all about making sure that some things rarely or never happen.  The Transparency about the actions that result in nothing happening provides the records that need to be kept for the defense of the Risk Manager as well.
  3. Alignment – most of existing Risk Management grew up as the insurer grew up.  That is a good thing because the Risk Management can be totally incorporated into all practices.  But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company.  The key element to that process is a Risk Tolerance.  With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
  4. Resiliency – system resilience is not a usual part of traditional Risk Management.  Traditional Risk Management is most often about defending the status quo.  Resilience is all about figuring out how best to adapt.  Within ERM is a process called Emerging Risks Management.  Emerging Risks Management is all about preparing for the risks that are definitely not yet banging on the door.  They may be far down the road or around the bend.  Emerging Risks Management is an exercise process that builds Resilience Muscles.

Those are the Ends.  ERM is the means to get to those ends.

Three Levels of Security

Posted April 15, 2015 by riskviews
Categories: Enterprise Risk Management

A Japanese judge is holding up plans to restart nuclear reactors in Japan.

“There is little rational basis for saying that an earthquake with a magnitude that exceeds the safety standard will not occur,” said Judge Higuchi, 62. “It is an optimistic view.”

RISKVIEWS does not know what the plans are for the safety of those plants.  But it seems that for many risk and safety related issues, we need to be thinking of three levels of security.

  1. At the first level of security, the impact of potential volatility will be managed to within tolerances with normal risk mitigation methods.  Processes will be maintained so that there is constant assurance that the normal risk mitigation methods are kept in operation.
  2. At the second level of security, the actual volatility will be too much for normal risk mitigation methods to contain.  But this level of security involves extraordinary actions that need to be employed to keep an out of tolerance situation from getting worse and sometimes, if brought into action early enough, to prevent the out of tolerance situation from developing.  These extraordinary actions will often conflict with other goals of the organization – for example, for a business, they may endanger profit or growth goals.
  3. At the third level of security, the actual volatility will be too much for both normal mitigation and extraordinary actions to manage the impact to within tolerances.  The security plans need to be made in terms of containing the out of tolerance situation to limit the spread of damages – especially to prevent a situation of cascading failures.

With risk management plans for these three levels of security, there are no situations where the responsible party simply throws up their hands and walks away.

In the case of Japanese nuclear power, the impression from the press about the Fukushima disaster was that the nuclear power operators only had a first level plan, but with a fairly high threshold.  If the new plans for restarting the nuclear power plants are mainly a new first level security plan with a somewhat higher threshold, then the judge is right in delaying the restart.

But, on the other hand, if Judge Higuchi is looking for a first level security plan with a threshold that is higher than the worst possible earthquake, he is being unrealistic.
