Archive for February 2010

Burn out, Fade Away …or Adapt

February 27, 2010

When I was a kid in the 1960’s, I was sick and tired of how much time on TV and movies was taken up with stories of WWII.  Didn’t my parent’s generation get it?  WWII was ancient history.  It was done.  Move on.  Join the real world that was happening now.

From that statement, you can tell that I am a Boomer.  But I am already sick and tired of how much ink and TV and movies and Web time is devoted to the passing of the world as the Boomers remember the golden age of our youth.  Gag me.  Am I going to have to hear this the entire rest of my life?  Get over it.  Move on.  Live in the current world.

Risk managers need to carefully convey that message to the folks who run their companies as well.  What ever way the world was in the “Glory Days” of the CEO or Business Unit manager’s career, things are different.  Business is different.  Risks are different.  Strategies and companies must adapt.  Adapt, Burn Out or Fade Away are the choices.  Better to Adapt.

I saw this happen once before in my career.  Interest rates steadily rose from the late 1940’s through the early 1980’s.  A business strategy that emphasized amassing cash, locking in a return promise and investing it in interest bearing instruments could show a steady growth in profits almost every single year without too much difficulty.  Then suddenly in the mid-1980’s that didn’t work anymore.  Interest rates went down more than up for a decade and have since stayed low.  Firms either adapted, burned out or faded away.

We have just concluded a (thankfully) brief period of massive financial destruction and are in an uncertain period.  When we come out of this uncertainty, some of the long held strategies of firms will not work.  Risks will be different.

The risk manager needs to be one of the voices that helps to make sure that this is recognized.

In addition, the risk manager needs to recognize that one or many of the risk models that were used to assess risk in past periods will no longer work well.  The risk manager needs to stand ready to adapt or fade away.

And the models need to be calibrated to the new world, not the old.  Calibrating to include the worst of the recent past might seem like prudent risk management, but it may well not be realistic.  If the world reverts to a reasonable growth pattern, the next such event may well not happen for 75 years.  Does your firm really need to avoid exposures to the sorts of things that lost money in 2008 for 75 years?  Or would that mean forgoing most of the business opportunities of that period?

Getting the correct answers to those questions will mean the different between Growth, burn out or fading away for your firm.

Lessons for Insurers (4)

February 25, 2010

In late 2008,  the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

4. Insurers should establish a robust liquidity management system to ensure that they have ample liquidity under stress scenarios.

The only trouble with this advice it that it is totally unneeded.  That is because almost all cases of insurer problems with liquidity, those problems were preceded by a loss that significantly exceeded management expectations for a worst loss.

So it would not have made a difference whether those insurers planned more for liquidity, those plans would have been inadequate.

Insurers are generally cash flow positive.  Liquidity is only ever a problem if that changes drastically.  Even the “runs on the bank” that have occured on insurers have followed large losses.

So this advice sounds nice, but is actually unnecessary.  If insurers properly anticipate extreme losses, then they will be prepared to pay those losses without triggering problems.

That is because they will:

  1. Price for the losses so that they have sufficient income to pay the losses.

  2. Only accept as much of the risks that might trigger extreme losses as they can afford and spread effectively.

Those are fundamental risk management tasks.  If they are done properly, liquidity management is relatively trivial.  It consists of remembering not to invest the funds you have on hand to pay those extreme claims in instruments that are illiquid or or widely fluctuating value.

Seems like a good rule in general.  One that many insurers forget after many years of positive cashflows.

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

The Use Test – A Simple Suggestion

February 23, 2010

Many are concerned about what the “Use Test” will be. Will it be a pop quiz or will companies be allowed to study?

Well, I have a suggestion for a simple and, I believe, fairly foolproof test. That would be for top management (not risk management or modeling staff) to be able to hold a conversation about their risk profile each year.

Now the first time that they can demonstrate that would not be the “Use Test”. It would be the second or third time that would constitute the test.

The conversation would be simple. It would involve explaining the risk profile of the firm – why the insurer is taking each of the major risks, what do they expect to get out of that risk exposure and how are they making sure that the potential losses that they experience are not worse than represented by their risk model. This discussion should include recognition of gross risk before offsets as well as net retained risk.

After the first time, the discussion would include an explanation of the reasons for the changes in the risk profile – did the profile change because the world shifted or did it change due to a deliberate decision on the part of management to take more or less or to retain more or less of a risk.

Finally a third part of the discussion would be to identify the experience of the past year in terms of its likelihood as predicted by the model and the degree to which that experience caused the firm to recalibrate its view of each risk.

To pass the test, management would merely need to have a complete story that is largely consistent from year to year.

Those who fail the test would be making large changes to their model calibration and their story from year to year – stretching to make it look like the model information was a part of management decisions.

Some firms who might have passed before the crisis who should have failed were firms who in successive years told the same story of good intentions with no actions in reducing outsized risks.

For firms who are really using their models, there will be no preparation time needed for this test. Their story for this test will be the story of their firm’s financial management.

Ideally, I would suggest that the test be held publicly at an investor call.

Chief Risk Scape Goat

February 22, 2010

There are repeated calls from the bank risk management community for more “AUTHORITY” for Chief Risk Officers.  Most recently by the European Bank Supervisors.  In their report of “High Level Principles for Risk Management” they actually call for a CRO that is totally independent of the hierarchy of the bank – reporting directly to the board.

This is a perfect solution – but not to the problem that they are addressing.  It is a solution to the problem of CEO responsibility for risk and risk management.  If a bank follows the EBS suggestion and makes the CRO totally independent of the CEO, then the CEO clearly no longer has any responsibility for risk, risk management or even losses.

So the CEO is responsible for gains and the CRO is responsible for losses.

Seems like a sweet arrangement for the CEO.  Not so sweet for the Bank.

There are several possible outcomes, but only one likely one.  The likely one is that the CRO will get this position and then will be totally ignored until the time comes to find someone responsible for a bad outcome and then the CRO will be toast.  The CEO just bought a free pass for bad results.

The desired outcome is not much better.  The desired outcome is that there will be a constant fight between the CEO and the 99% of the organization that works for him/her and the CRO with his/her 200 strong risk department.  The CEO will not have to listen to the CRO.  The CRO will need to decide how often to take his/her arguments up to the board.  The CRO is given “authority”.

But what is really needed is not to have a more powerful cop.  What is needed is for the entire organization to have a role in keeping the enterprise in business.  That will not be accomplished by making one person solely responsible.  Unless that one person is the CEO.

Any Road Will Do

February 20, 2010

Is what the Cheshire Cat told Alice.  Since she did not know where she was going.

And unfortunately, that is where the European Bank Supervisors seem to be regarding Risk Management.  They just published a short paper entitled “High level principles for risk management”, which despite the lofty title gives very little clear guidance at a high level.   I will instead point you to something along the same lines that WAS well written that DOES represent actual principles of risk management.  I refer you to the BIS report in Interest Rate Risk Management from 1997.  Their 11 top principles are listed below.

A. The role of the board and senior management

Principle 1: In order to carry out its responsibilities, the board of directors in a bank should approve interest rate risk management policies and procedures, and should be informed regularly of the interest rate risk exposure of the bank.

Principle 2: Senior management must ensure that the structure of the bank’s business and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks, and that resources are available for evaluating and controlling interest rate risk.
Principle 3: Banks should have a risk management function with clearly defined duties that reports risk exposures directly to senior management and the board of directors and is sufficiently independent from the business lines of the bank. Larger or more
complex banks should have units responsible for the design and administration of the bank’s interest rate risk management system.

B. Policies and procedures

Principle 4: It is essential that banks’ interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should address the bank’s exposures on a consolidated basis and, as appropriate, also at the level of individual affiliates.

Principle 5: It is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.

C. Measurement and monitoring system

Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways which are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management.
Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies.

Principle 8: Banks should measure their vulnerability to loss under stressful market conditions – including the breakdown of key assumptions – and consider those results when establishing and reviewing their policies and limits for interest rate risk.

Principle 9Banks must have adequate information systems for monitoring and reporting interest rate exposures to senior management and boards of directors on a timely basis.

D. Independent controls

Principle 10: Banks must have adequate internal controls for their interest rate risk management process and should evaluate the adequacy and integrity of those controls periodically. Individuals responsible for evaluating control procedures must be independent of the function they are assigned to review.

Principle 11: Banks should periodically conduct an independent review of the adequacy and integrity of their risk management processes. Such reviews should be available to relevant supervisory authorities.

These principles are so universal that you will find that if you simply substitute the name of any other risk for the words “interest rate” in the sentences above, you will still have an excellent list of risk management principles.  In fact, just substitute the words “Bank”  or even “Insurer” for interest rate above and you now have a complete and coherent set of PRINCIPLES FOR RISK MANAGEMENT.

The most puzzling thing to me is that this BIS report has long been superseded by something with wording much more like the meandering and fuzzy report of the CEBS.  Don’t take my word for it, the newest version of this BIS interest rate risk management paper is available on their website.  Compare the wording of that report to these crystal clear principles and let me know where you see any improvements.

When your Parachute Doesn’t Open

February 16, 2010

Do you have a plan for what to do when your parachute doesn’t open?

Well, if you do not, pay attention.  Here is a 6 step checklist for what to do:

  1. Signal your Buddy.
  2. Get close with your Buddy.
  3. Link your arms through his/her straps.
  4. Open his/her chute.
  5. Let your Buddy steer the chute.
  6. Suggest that he/she look for an extra soft place to land (water).

There now.  Don’t you feel safer?

You say you do not parachute jump?  So what good it this?

Well, you must see that this is really good advice that can be applied to many situations.  Not just parachute jumping.

1.  Signal Your Buddy – this step might just be the most difficult.  That is because it requires two very different things.  First, you must recognize that you have a serious and potentially fatal problem.  You must be able to make that decision before it is too late.  So you probably need to have thought ahead to know how serious of a problem just might be terminal.  Second, you have to have a buddy in sight to be signaled.  If you are an individual working in risk management in a firm, you need to know in advance who is going to be your buddy in case of emergency.  This applies to entire firms as well.  The firm needs to know who they will go to when they might be in terminal trouble.

2.  Get Close with your Buddy – Troubled times are when you find out who your real buddies are.  Your fair weather friends will not be interested in getting close to you when you are in trouble.  This is the real definition of a Buddy.  Someone who is willing to be next you you then.  You need to realize that now and decide whether you have any real buddies.  If you are prarchute jumping, you need to figure that out on the ground, not in the air.  If you are managing risks, perhaps you are at the wrong firm if you look around and you do not know who your buddy is.  A firm with a good risk management program will more than encourage buddies, it will require them.  And it will foster a culture of mutual responsibility, not everyone for themselves. It needs to be a firmwide expectation that you can count on several potential buddies when a real problem crops up.

3.  Link your arms through his/her straps – for parachuting, holding on is not sufficient, the g-force that will hit when the chute opens with two people and one chute will rip you apart.  Also in risk management, the committment to the Buddy needs to be very firm.  All too often risk managers get blamed for inproper risk appetites, even when they had explicitly warned against the exact event that is causing the problem.  Many risk managers will sorely need to have someone who will remind management that the risk manager was not the one at fault. 

4.  Open his/her chute.  This is the key step for both the diver and the risk manager.  And it needs to be said and repeated and rehearshed.  The reason that the risk management might be of value to the organization is that it causes the organization to contemplate doing some things differently.  When there is severe troubles, the risk manager needs to be able to clearly call for action and the organization needs to be prepared to take that action, either by directly empowering the risk manager or through a cultural committment to real action based upon risk information.  The Buddy system described here might be a good way to create the possibility of quick action with some checks and balances in the event of severe threats.  The empowerment to action might require the agreement of the buddy. 

5.  Let your Buddy steer the chute.  This item on the checklist is there to acknowledge that the person who loses the chute might just be a little (or a lot) shook up and therefore might have somewhat impaired judgment.  The same might be true in the event of a disaster to the firm.  The buddy and the firm in general needs to look out for any actions that are of the nature of “doubling down” to recover past losses.  There must be a recognition that the best thing to do now can best be determined by looking at likely futures rather than the past. 

6.  Suggest that he/she look for an extra soft place to land (water).  The parachute will often not work exactly as planned when it carries two.  So the person steering needs to be particularly diligent to look for a softer than usual place to land.  So to with a risk management emergency.  It might be desirable to end up in a slightly more secure position than normal minimum standards after a major problem.  It will make everyone feel better.  The hardest story to tell is when a firm has had a major loss but was not able to really put on the brakes so is not sure if or how much further loss will be happening.  Both need to help with looking for that soft place to land.

Take CARE in evaluating your Risks

February 12, 2010

Risk management is sometimes summarized as a short set of simply stated steps:

  1. Identify Risks
  2. Evaluate Risks
  3. Treat Risks

There are much more complicated expositions of risk management.  For example, the AS/NZ Risk Management Standard makes 8 steps out of that. 

But I would contend that those three steps are the really key steps. 

The middle step “Evaluate Risks” sounds easy.  However, there can be many pitfalls.  A new report [CARE] from a working party of the Enterprise and Financial Risks Committee of the International Actuarial Association gives an extensive discussion of the conceptual pitfalls that might arise from an overly narrow approach to Risk Evaluation.

The heart of that report is a discussion of eight different either or choices that are often made in evaluating risks:


The main point of the report is that for a comprehensive evaluation of risk, these are not choices.  Both paths must be explored.

%d bloggers like this: