The Big C is behind every great Risk

Posted March 30, 2015 by riskviews
Categories: Diversification, Enterprise Risk Management


Concentration, defined broadly, is the source of all risk.

An unconcentrated pool of activities, all with potential for positive and negative outcomes, provides the Big D – Diversification.

So it seems simple to avoid C – just do D.

But we have so many ways to concentrate.  And concentration is particularly tempting.

  • When things are going well, it makes sense to do more of whatever it is that is working best.  That increases concentration. 
  • Once we learn how to do something right, it makes sense to do more.  That increases concentration.
  • One supplier is almost always the cheapest, fastest and best quality.  So we give them more business.  That increases concentration. 
  • That one product has better margins than the rest and it sells better too.  So we plan to increase our capacity to make that product.  That increases concentration. 
  • Our best distributor runs rings around the rest.  We are working on giving her a larger territory.  That increases concentration. 

The alternative, the diversifying alternative, just doesn’t sound so smart.

  • Hold back when things are going well.
  • Do more of the things that you haven’t quite mastered.
  • Buy from the second and third best suppliers.
  • Keep up capacity for the lower margin lower selling products.
  • Restrict your best distributor from selling too much.

Remember Blockbuster?  There were Blockbuster stores everywhere fifteen years ago.  They did that one thing, rent physical videos through physical stores and did it so well that they drove out most of their competition.  But they were totally Concentrated.  When they were faced with a new competitor, Netflix, the CEO proposed changes to their business practices, including diversifying into online rentals.  Their board decided against going into a new lower margin product and fired the CEO.  Five years later, Blockbuster was toast.

Concentration risk is often strategic.

In the financial crisis, we found a new sort of concentration risk.  It was a network risk.  The banks were all highly concentrated in the financial sector – in exposure to other banks.  This network risk is now often called systemic risk.  But this risk is necessary because of the strategic choices of business models of the banks.  They all choose to do business in such a way as to take up each other’s slack on a daily basis.  They all think that is much more efficient than operating with an irregular amount of slack resources.  In times running up to the financial crisis, the interdependency changed from just taking up each other’s overnight slack to some banks using that overnight facility from other banks to fund a major fraction of their business activity.  (And woe is all that much of that business activity was fundamentally a loser. But that lack of underwriting by the banks of each other is a different story.)

Why is concentration risk so deadly?  The answer to that is pretty simple arithmetic.  If your conglomerate amounts to four similar sized separate divisions that do not interact so much, it is quite possible that if one of those businesses fails, the conglomerate will be able to continue operating – wounded but fully able to operate the other three divisions.  But if your cousin’s venture has just one highly profitable, highly successful business, then his venture will either live or die with that one business.

In insurance, we see this concentration risk all of the time.  Suppose you are an insurer that only writes business throughout the Pacific islands in the 1700’s, and you find that your best salesperson is on Easter Island and your highest margin product is business interruption insurance for the businesses that do the carving of the massive Moai statues.  So you do more and more business with your best salesperson selling your best product, until you are essentially a one product, one location insurer.  And then the last tree is used (or rats eat the roots).  All of your customers make claims at once.  You thought that you were diversified because you had 300 separate customers.  But those 300 customers all acted like just one when the trees were gone.

So diversification is not just about counting.  It is about understanding the differences or similarities of your risks.  And failure to understand those drivers will often lead to dangerous concentration.  Just ask those banks or that Easter Island insurer.

Berkshire Hathaway Risk Appetite

Posted March 20, 2015 by riskviews
Categories: Disclosure, Enterprise Risk Management, Risk Appetite

“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”

Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014

So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.

What are Berkshire’s competitors prepared for?

Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

[Image: Partner Re Risk Limit Framework]

They have a number and here it is.  But look at how much more Buffett has disclosed.  He told us that for Berkshire, in an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposite assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that they are likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re) insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re) insurer is to pay its claims and remain in business in an extreme situation.

 

 

Risk Reporting Conflict of Interest

Posted March 2, 2015 by riskviews
Categories: Compensation, Enterprise Risk Management, Swine Flu


We give much too little consideration to potential for conflict of interest in risk reporting.

Take for instance weather risk reporting.


"Sneeuwschuiver". Licensed under CC BY-SA 2.5 via Wikimedia Commons

Many of the people who report on Weather Risk have a financial interest in bad weather.  Not that they own snow plowing services or something.  But take TV stations for example.  Local TV station revenue is largely proportional to their number of viewers.  Local news and weather are often the sole part of their schedule that they produce themselves and therefore get all or almost all of the revenue.  And viewership for local news programs may double with an impending snowstorm.  So they have a financial interest in predicting more snow.  The Weather Channel has the same dynamic, but a wider area from which to draw to find extreme weather situations.  But if there is any hint of a possible extreme weather situation in a major metropolitan area with millions of possible viewers, they have a strong incentive to report the worst case possibility.

This past January, there were some terrible snow forecasts for New York and Philadelphia:

For the Big Apple, the great Blizzard of 2015 was forecast to rival the paralyzing 1888 storm, dubbed the White Hurricane. Up to three feet of snow was predicted. Reality: About 10 inches fell.

The forecast in Philadelphia wasn’t any better – and arguably worse. Up to 14 inches of snow were forecast. The City of Brotherly Love tallied roughly 2 inches, about the same as Washington, D.C.

Washington Post,  January 27, 2015

In other cases, we go to the experts to get information about possible disasters from diseases.  But their funding depends very much on how important their specialty is seen to be to the politicians who approve their funding.

In 2005, the Bird Flu was the scare topic of the year.

“I’m not, at the moment, at liberty to give you a prediction on numbers, but I just want to stress, that, let’s say, the range of deaths could be anything from 5 to 150 million.”

David Nabarro, Senior United Nations system coordinator for avian and human influenza

Needless to say, the funding for health systems can be strongly impacted by the fear of such a pandemic.  At the time that statement was made, worldwide Bird Flu deaths were slightly over 100.  Not 100 thousand, 100 – the number right after 99.

But the purpose of this post is not to disparage weather reporters or epidemiologists.  It is to caution risk managers.

Sometimes risk managers get the idea that they would be better off if everyone had more concern for risk.  They take on the role of Dr. Doom, pointing out the worst case potential in every situation.

This course of action is usually not successful. Instead of building respect for risk, the result is more often to create a steady distrust of statements from the risk manager.  The Chicken Little effect results.

Instead, the risk manager needs to focus on being painstakingly realistic in reporting about risk.  Risk is about the future, so it is impossible to get it right all of the time.  That is not the goal.  The goal should be to make reports on risk that consistently use all of the information available at the time the report is made.

And finally, a suggestion on communicating risk: risk managers need to develop a consistent language to talk about the likelihood and severity of a risk.  RISKVIEWS suggests that risk managers use three levels of likelihood:

  • Normal Volatility (as in within).  Each risk should have a range of favorable and unfavorable outcomes within the range of normal volatility.  This could mean within one standard deviation, or with a 1 in 10 likelihood. So normal volatility for the road that you drive to work might be for there to be one accident per month.
  • Realistic Disaster Scenario.  This might be the worst situation for the risk that has happened in recent memory, or it might be a believable bad scenario that hasn’t happened for risks where recent experience has been fairly benign.  For that road, two accidents in a week might be a realistic disaster.  It actually happened 5 years ago.  For the similar road that your spouse takes to work, there haven’t been any two accident weeks, but the volume of traffic is similar, so the realistic disaster scenario for that road is also two accidents in a week.
  • Worst case scenario.  This is usually not a particularly realistic scenario.  It does not mean worst case, like the sun blowing up and the end of the solar system.  It does mean something significantly worse than what you expect can happen. For the risk of car accidents on your morning commute, the worst case might be a month with 8 accidents.

So the 150 million number above for flu deaths is a worst case scenario.  As were the Great Blizzard predictions.  What actually happened was in line with normal volatility for a winter storm in those two cities.

If you, the risk manager, learn to always use language like the above, first of all, it will slow you down and make you think about what you are saying.  Eventually, your audience will get to learn what your terminology means and will be able to form their own opinion about your reliability.

And you will find that credibility for your risk reporting has a very favorable impact on your longevity and compensation as a risk manager.

 

Out of Sight can lead to Out of Mind

Posted February 12, 2015 by riskviews
Categories: Enterprise Risk Management


Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there are only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

Posted February 2, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Hedging, Reinsurance, Risk Management System


“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing things down too much.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.


But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may be changed only every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document may list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

The ERM Pioneers and the Settlers – Let’s not have another range war!

Posted January 24, 2015 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Risk Management System


Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is that the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successors.

How to Show the Benefits of Risk Management

Posted January 2, 2015 by riskviews
Categories: risk assessment


From Harry Hall at www.pmsouth.com

Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?

Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.

The “before picture” and “after picture” are also a powerful way to make known the value of risk management.

We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”

Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.

Say Cheese

The first step to turning risk assessments into pictures is to assign risk levels.

Assume that a Project Manager is using a qualitative rating scale of 1 to 10, 10 being the highest, to rate Probability and Impact. The Risk Score is calculated by multiplying Probability x Impact. Here is an example of a risk table with a level of risk and the corresponding risk score range.

Level of Risk    Risk Score
Very Low         < 20
Low              21 – 39
Medium           40 – 59
High             60 – 79
Very High        > 80

Figure 1: Qualitative Risk Table

Looking Good

Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.

Figure 2: Number of Risks before Execution of Risk Response Strategies

We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.

Figure 3: Number of Risks after Execution of Risk Response Strategies

After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.

How to Illustrate Programs, Portfolios, or Enterprises

Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.

Figure 4: Number of Program risks before and after the execution of risk response strategies

Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).

Tip of the Day

When you ask team members to rate risks, it is important we specify whether the team members are assessing the “before picture” (i.e., inherent risks) or the “after picture” (i.e., residual risks) or both. Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk. Residual risks are risks remaining after strategies/actions have been taken.

Question: What types of charts or graphics do you use to illustrate the value of risk management?

