ERM is not the End, It is the Means

Posted June 9, 2015 by riskviews
Categories: Enterprise Risk Management

As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management.  Probably because they are the survivors.  Perhaps there was much less Risk Management in the failed insurers.

So if they already have Risk Management, why do they need ERM? 

There are four possible reasons:

  1. Discipline – the sports teams with the most discipline win most championships.  The coach can count on the players to execute the same way every time.  In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time.  ERM expects that discipline, but ERM operates on a trust but verify approach.  Perhaps leaning more on the verify than the trust.  So when an Insurer adds ERM to its already pretty full Risk Management processes, they are opting for Risk Management that is totally reliable because it has discipline.
  2. Transparency – much of the existing Risk Management in an insurer is a fairly private affair.  It is done by the folks who need to be doing it but they rarely talk about it.  When ERM comes along, it seems that the number of reports goes up.  Some of those reports are of absolutely no help to the folks who are doing Risk Management.  Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected.  In one sense, Risk Management is all about making sure that some things rarely or never happen.  This Transparency about the actions that result in nothing happening also provides the records that need to be kept for the defense of the Risk Manager.
  3. Alignment – most of the existing Risk Management grew up as the insurer grew up.  That is a good thing because the Risk Management can be totally incorporated into all practices.  But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company.  The key element to that process is a Risk Tolerance.  With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
  4. Resiliency – system resilience is not a usual part of traditional Risk Management.  Traditional Risk Management is most often about defending the status quo.  Resilience is all about figuring out how best to adapt.  Within ERM is a process called Emerging Risks Management.  Emerging Risks Management is all about preparing for the risks that are definitely not yet banging on the door.  They may be far down the road or around the bend.  Emerging Risks Management is an exercise process that builds Resilience Muscles.

Those are the Ends.  ERM is the means to get to those ends.

Three Levels of Security

Posted April 15, 2015 by riskviews
Categories: Enterprise Risk Management

A Japanese judge is holding up plans to restart nuclear reactors in Japan.

“There is little rational basis for saying that an earthquake with a magnitude that exceeds the safety standard will not occur,” said Judge Higuchi, 62. “It is an optimistic view.”

RISKVIEWS does not know what the plans are for the safety of those plants.  But it seems that for many risk and safety related issues, we need to be thinking of three levels of security.

  1. At the first level of security, the impact of potential volatility will be managed to within tolerances with normal risk mitigation methods.  Processes will be maintained so that there is constant assurance that the normal risk mitigation methods are kept in operation.
  2. At the second level of security, the actual volatility will be too much for normal risk mitigation methods to contain.  But this level of security involves extraordinary actions that need to be employed to keep an out of tolerance situation from getting worse and sometimes, if brought into action early enough, to prevent the out of tolerance situation from developing.  These extraordinary actions will often conflict with other goals of the organization – for example for a business, they may endanger profit or growth goals.
  3. At the third level of security, the actual volatility will be too much for either normal mitigation or extraordinary actions to manage the impact to within tolerances.  The security plans need to be made in terms of containing the out of tolerance situation to limit the spread of damages – especially to prevent a situation of cascading failures.

With risk management plans for these three levels of security, there are no situations where the responsible party simply throws up their hands and walks away.

In the case of Japanese nuclear power, the impression from the press about the Fukushima disaster was that the nuclear power operators only had a first level plan, but with a fairly high threshold.  If the new plans for restarting the nuclear power plants are mainly a new first level security plan with a somewhat higher threshold, then the judge is right in delaying the restart.

But, on the other hand, if Judge Higuchi is looking for a first level security plan with a threshold that is higher than the worst possible earthquake, he is being unrealistic.

The Big C is behind every great Risk

Posted March 30, 2015 by riskviews
Categories: Diversification, Enterprise Risk Management

Concentration, defined broadly, is the source of all risk.

An unconcentrated pool of activities, all with potential for positive and negative outcomes, provides the Big D – Diversification.

So it seems simple to avoid C – just do D.

But we have so many ways to concentrate.  And concentration is particularly tempting.

  • When things are going well, it makes sense to do more of whatever it is that is working best.  That increases concentration. 
  • Once we learn how to do something right, it makes sense to do more.  That increases concentration.
  • One supplier is almost always the cheapest, fastest and best quality.  So we give them more business.  That increases concentration. 
  • That one product has better margins than the rest and it sells better too.  So we plan to increase our capacity to make that product.  That increases concentration. 
  • Our best distributor runs rings around the rest.  We are working on giving her a larger territory.  That increases concentration. 

The alternative, the diversifying alternative, just doesn’t sound so smart.

  • Hold back when things are going well.
  • Do more of the things that you haven’t quite mastered.
  • Buy from the second and third best suppliers.
  • Keep up capacity for the lower margin lower selling products.
  • Restrict your best distributor from selling too much.

Remember Blockbuster?  There were Blockbuster stores everywhere fifteen years ago.  They did that one thing, rent physical videos through physical stores and did it so well that they drove out most of their competition.  But they were totally Concentrated.  When they were faced with a new competitor, Netflix, the CEO proposed changes to their business practices, including diversifying into online rentals.  Their board decided against going into a new lower margin product and fired the CEO.  Five years later, Blockbuster was toast.

Concentration risk is often strategic.

In the financial crisis, we found a new sort of concentration risk.  It was a network risk.  The banks were all highly concentrated in the financial sector – in exposure to other banks.  This network risk is now often called systemic risk.  But this risk is necessary because of the strategic choices of business models of the banks.  They all choose to do business in such a way as to take up each other’s slack on a daily basis.  They all think that is much more efficient than operating with an irregular amount of slack resources.  In times running up to the financial crisis, the interdependency changed from just taking up each other’s overnight slack to some banks using that overnight facility from other banks to fund a major fraction of their business activity.  (And woe is all that much of that business activity was fundamentally a loser. But that lack of underwriting by the banks of each other is a different story.)

Why is concentration risk so deadly?  The answer to that is pretty simple arithmetic.  If your conglomerate amounts to four similar sized separate divisions that do not interact so much, it is quite possible that if one of those businesses fails, the conglomerate will be able to continue operating – wounded but fully able to operate the other three divisions.  But if your cousin’s venture has just one highly profitable, highly successful business, then his venture will either live or die with that one business.

In insurance, we see this concentration risk all of the time.  Suppose you are an insurer that only writes business throughout the Pacific islands in the 1700s, and you find that your best salesperson is on Easter Island and your highest margin product is business interruption insurance for the businesses that do the carving of the massive Moai statues.  So you do more and more business with your best salesperson selling your best product, until you are essentially a one product, one location insurer.  And then the last tree is used (or rats eat the roots).  All of your customers make claims at once.  You thought that you were diversified because you had 300 separate customers.  But those 300 customers all acted like just one when the trees were gone.

So diversification is not just about counting.  It is about understanding the differences or similarities of your risks.  And failure to understand those drivers will often lead to dangerous concentration.  Just ask those banks or that Easter Island insurer.

Berkshire Hathaway Risk Appetite

Posted March 20, 2015 by riskviews
Categories: Disclosure, Enterprise Risk Management, Risk Appetite

“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”

Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014

So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.

What are Berkshire’s competitors prepared for?

Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

[Image: Risk Limit Framework table from the Partner Re 2013 annual report]

They have a number and here it is.  But look at how much more Buffett has disclosed.  He told us that for Berkshire, in an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposite assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that they are likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re)insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re)insurer is to pay its claims and remain in business in an extreme situation.

Risk Reporting Conflict of Interest

Posted March 2, 2015 by riskviews
Categories: Compensation, Enterprise Risk Management, Swine Flu

We give much too little consideration to potential for conflict of interest in risk reporting.

Take for instance weather risk reporting.

"Sneeuwschuiver". Licensed under CC BY-SA 2.5 via Wikimedia Commons

Many of the people who report on Weather Risk have a financial interest in bad weather.  Not that they own snow plowing services or something.  But take TV stations for example.  Local TV station revenue is largely proportional to their number of viewers.  Local news and weather are often the sole part of their schedule that they produce themselves and therefore get all or almost all of the revenue.  And viewership for local news programs may double with an impending snowstorm.  So they have a financial interest in predicting more snow.  The Weather Channel has the same dynamic, but a wider area from which to draw to find extreme weather situations.  But if there is any hint of a possible extreme weather situation in a major metropolitan area with millions of possible viewers, they have a strong incentive to report the worst case possibility.

This past January, there were some terrible snow forecasts for New York and Philadelphia:

For the Big Apple, the great Blizzard of 2015 was forecast to rival the paralyzing 1888 storm, dubbed the White Hurricane. Up to three feet of snow was predicted. Reality: About 10 inches fell.

The forecast in Philadelphia wasn’t any better – and arguably worse. Up to 14 inches of snow were forecast. The City of Brotherly Love tallied roughly 2 inches, about the same as Washington, D.C.

Washington Post,  January 27, 2015

In other cases, we go to the experts to get information about possible disasters from diseases.  But their funding depends very much on how important their specialty is seen to be to the politicians who approve their funding.

In 2005, the Bird Flu was the scare topic of the year.

“I’m not, at the moment, at liberty to give you a prediction on numbers, but I just want to stress, that, let’s say, the range of deaths could be anything from 5 to 150 million.”

David Nabarro, Senior United Nations system coordinator for avian and human influenza

Needless to say, the funding for health systems can be strongly impacted by the fear of such a pandemic.  At the time that statement was made, worldwide Bird Flu deaths were slightly over 100.  Not 100 thousand, 100 – the number right after 99.

But the purpose of this post is not to disparage weather reporters or epidemiologists.  It is to caution risk managers.

Sometimes risk managers get the idea that they are better off if everyone had more concern for risk.  They take on the role of Dr. Doom, pointing out the worst case potential in every situation.

This course of action is usually not successful. Instead of building respect for risk, the result is more often to create a steady distrust of statements from the risk manager.  The Chicken Little effect results.

Instead, the risk manager needs to focus on being painstakingly realistic in reporting about risk.  Risk is about the future, so it is impossible to get it right all of the time.  That is not the goal.  The goal should be to make reports on risk that consistently use all of the information available at the time the report is made.

And finally, a suggestion on communicating risk: risk managers need to develop a consistent language to talk about the likelihood and severity of a risk.  RISKVIEWS suggests that risk managers use three levels of likelihood:

  • Normal Volatility (as in within).  Each risk should have a range of favorable and unfavorable outcomes within the range of normal volatility.  This could mean within one standard deviation, or with a 1 in 10 likelihood. So normal volatility for the road that you drive to work might be for there to be one accident per month.
  • Realistic Disaster Scenario.  This might be the worst situation for the risk that has happened in recent memory, or it might be a believable bad scenario that hasn’t happened for risks where recent experience has been fairly benign.  For that road, two accidents in a week might be a realistic disaster.  It actually happened 5 years ago.  For the similar road that your spouse takes to work, there haven’t been any two accident weeks, but the volume of traffic is similar, so the realistic disaster scenario for that road is also two accidents in a week.
  • Worst case scenario.  This is usually not a particularly realistic scenario.  It does not mean worst case, like the sun blowing up and the end of the solar system.  It does mean something significantly worse than what you expect can happen. For the risk of car accidents on your morning commute, the worst case might be a month with 8 accidents.

So the 150 million number above for flu deaths is a worst case scenario.  As were the Great Blizzard predictions.  What actually happened was in line with normal volatility for a winter storm in those two cities.

If you, the risk manager, learn to always use language like the above, first of all, it will slow you down and make you think about what you are saying.  Eventually, your audience will get to learn what your terminology means and will be able to form their own opinion about your reliability.

And you will find that credibility for your risk reporting has a very favorable impact on your longevity and compensation as a risk manager.

Out of Sight can lead to Out of Mind

Posted February 12, 2015 by riskviews
Categories: Enterprise Risk Management

Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there are only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

Posted February 2, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Hedging, Reinsurance, Risk Management System

“You never said that you wanted me to do that” is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing things down too much.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.

But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may be changed only every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document may list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

