Hierarchy of Corporate Needs and ERM

In psychology 101 class you heard about Maslow’s hierarchy of needs, They are:

1. Physiological Needs
2. Safety Needs
3. Belonging
4. Eswteem
5. Self-Actualization

Corporations have needs as well.  The needs of firms is similar to the needs of the people in the firms.

Hierarchy of Corporate Needs

• Sales

• Profits

• Security

• Growth of Value

The ERM process can help companies to satisfy these needs.  In ways that no other business management process will. This is true for all businesses, but it is particularly true for financial services businesses like insurance and banking where every transaction can have a significant element of risk for the firm.

Sales

• For a business to exist, it must have something that it can sell to some market.
• ERM is usually thought of as “the Sales Prevention Department”.  But ERM can be instrumental in planning the sales process.  But let’s come back to that after discussing the other corporate needs.

Profits

• Once a firm has mastered the ability to produce or otherwise provide something that some market will buy, they need to figure out how to deliver that product or service at a cost lower than the price that the market will pay.  This is a combination of managing costs and convincing the market of the price that the product/service is worth.
• In businesses like insurance or banking, the fundamental transactions of the business involve risk taking in a way that is different from most other businesses.  Making a profit ultimately means getting the price right for risk and properly managing the risk so that it rarely gets out of hand.
• That is the prime territory for ERM – evaluating and managing risks.  So to satisfy this second need of corporations, at least for the corporations in the risk business,  ERM is needed.
• Without ERM, profits are hit or miss for firms in the risk business.

Security

• Once a business has a product that they can reliably sell to a market and has figured out a way to reliably deliver that product at a profit, then that business has value.  And the third need becomes important; Security.
• This is the case not just for companies in the risk business,  but for all types of firms.  Once they get used to making money, there is a strong need to keep that happening.
• But there are many, many things that can go wrong and put an end to that profitable business.  As a general class, we call those things RISKS.
• So risk management is applied by firms to deal with those things that might go wrong and end the stream of profits – separately, risk by risk as management becomes aware of those risks.
• Enterprise Risk Management provides a different approach, and one that should appeal to those who are fundamentally interested in the security of the firm.  While risk management seeks to prevent outsized losses from one cause or another, ERM seeks to manage outsized losses from ANY and ALL sources.

Growth of Value

• Once a business has Sales, Profits and Security the focus shifts.  And it shifts to growing the value of the firm.
• Some firms focus on growing their value by making more of the sales that they mastered at the outset of their existence.  Others seek to grow value by increasing their efficiency and increasing the profitability of their business.  A few are able to focus on both at the same time.
• However, the value of the firm, by some reckonings is the present value of future earnings.  Those future earnings can be higher because sales grow or because profits per unit grow.  But that future will be discounted by the market.  Discounted for both risk and for time.
• Since Risk is a major component to value, growing value means managing risk.  SO we are again back to ERM.  ERM helps management to see the trade-offs, the risk reward trade-offs, that will influence value.

Sales

• And so, back to sales.  What you find when you look to manage value with ERM is that it helps you to see the value of sales.  And what you see will be that different sales have a different impact on the value of the firm.
• So ERM can halp to guide the sales planning process, shedding light on which sales to plan to grow the most and which to limit.

So ERM can play a major role in the achievement of all four of the main Corporate Needs.

The World’s Largest Risk

Pension systems around the world are in total crisis. It is not a question whether the systems can fulfill any of their promises. There is not a real possibility that systems that exist can continue to pay the benefits that are now being paid to retirees over the next 40 years.

A loss that you know is coming is not a risk.

The risk is how the governments of the world will respond to this problem. Poor handling of this problem can bankrupt governments and throw an entire economy into a long term decline.

The fundamental issue is to find a way to balance the ability of an economy to pay retirement benefits with the needs of the bulge of retirees that the entire world will experience over the next 40 years. If governments try to pay out more than the economy can afford, then there will be very serious problems for those governments and their economies.

One very large problem is that in many countries, the pension benefits are not even set to be a reasonable self supporting system over time even without the age bulge.

Those issues should be tackled first. Those issues include:

Setting the basic benefit to be approximately 1.5% of wages per year of employment.
Full benefit for no less than 40 years of employment. Results in benefit of 60% of wages.
Full actuarial reduction of benefits for early retirement. Eliminate other subsidies where they exist.
Index pensions to wages, not to prices. Keeps link of benefits to revenues.

To work towards resolution of the age bulge requires benefit changes. Increases to taxes are likely to be counterproductive with the levels of government debt and changes to government spending and taxes that will be required to resolve those imbalances leave little leeway for pensions. The main change that will be needed will be to raise the retirement age. The above basic benefit of 1.5% for 40 years of employment needs to be shifted to a minimum of 45 years of employment. In some countries, the retirement age needs to be higher still. Needs of individuals who are not able to work because of physical problems of age will need to be handled under a disability system. That system will need to be policed to avoid overuse of the disability benefits.

This risk should be of high, though not immediate concern for all firms. How the governments resolve this issue will have massive impact on employment, taxes and the financial markets of each country. All firms should include this issue on their list of emerging risks and should do scenario analysis of the potential impact on their firms business, employees and investments.

This post was inspired by a World Bank presentation.  To learn of their positions on these issues and to get the facts and projections that they present on this topic see worldbank.org.

Identifying Risks

ERM programs all start out with a suggestion that you must identify your risks.

Risks should be identified within several major categories.  Here is a typical list of categories for an insurer:

• Insurance Risks
  • Underwriting
  • Reserving
• Investment RIsks
  • Interest
  • Credit
  • Equity
  • Foreign Exchange
• Other Counterparty Risks
• Operational Risks
  • Legal/Compliance
  • IT
  • Distribution
  • Human Resources
  • Operations
• Strategic Risks
• Group Risks

Sounds simple enough.  But there are two ways to do this that give very different results.

1. Top Down
2. Bottom Up

The bottom up process is urged by COSO and requires volumes of documentation and hours and hours of meetings and discussions.  The result is a list of as many as 100 or more risks for a major sized organization.  This process requires at least a year to accomplish.  However, at the end of that year, the top executives of the firm will find that the product may well not be ready for them to get any use out of it.

That is because risk identification and in fact risk management takes on very different character at different levels of the organization.  There almost needs to be three different risk management programs at any larger organization.  One that is oriented to the top management, one that is oriented to the middle management and one that is oriented to the supervisory levels.

The COSO type risk identification process is designed to serve the  supervisory and middle management.  The initial risk identification process is done at the supervisory level, which at a very large organization can mean hundreds of people.  The findings are eventually summarized and ranked, but the summary is at a level that is appropriate for middle management attention.

The top management is better served by a risk identification process that is more top down.  If top management is unable or unwilling to do the risk identification work themselves, then it can be a middle up process.

Regardless of how the process is started or ended, there will need to be guidelines for for the significance of risks.  A typical bottoms up risk identification can end up with well over 100 risks often as many as 200.

Prioritization is the second half of this basic risk management step.  And the prioritization will depend upon the significance of the risks and significance will be based upon a measurement of the risks.  Which is the second fundamental practice of ERM.

The thresholds should be established for significance of risks that should get board attention, a lower threshold that should get top management attention, then a lower threshold for middle management attention and a lower threshold for risks to get attention from supervisors.

None of the risks identified by the detailed bottoms up process are unimportant, but it is important to determine WHO they should be important to.

Risks can be mapped in a frequency severity matrix.

The third step of this practice is to classify the significant risks between those risks that are known by management to be well controlled and those that are less well controlled.

Immediate attention can then be focused on those risks that were shown to be of high significance and lower control, providing an immediate valuable product out of this very first stage of ERM.

This post is the first in a series to discuss the 8 ERM Fundamental Practices.  There is more material for starting ERM programs at Introduction to ERM.

Risk means Loss Potential

Definition of Risk from Merriam-Webster online dictionary:

Definition of RISK

1: possibility of loss or injury :peril

2: someone or something that creates or suggests a hazard

3: the chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss b: a person or thing that is a specified hazard to an insurer c: an insurance hazard from a specified cause or source <war risk>

4: the chance that an investment (as a stock or commodity) will lose value

These are the only four definitions offered.

So if you build an ERM system and want to use the definition of risk that is popular with ERM folks:

Risk is a deviation from expected.

It is almost certain that among an English speaking non-risk manager management audience, your program will start out with at one count of DOUBLESPEAK against you.

The definition of DOUBLESPEAK, per Wikipedia is:

Doublespeak (sometimes called doubletalk) is language that deliberately disguises, distorts, or reverses the meaning of words. Doublespeak may take the form of euphemisms (e.g., “downsizing” for layoffs), making the truth less unpleasant, without denying its nature. It may also be deployed as intentional ambiguity, or reversal of meaning (for example, naming a state of war “peace”). In such cases, doublespeak disguises the nature of the truth, producing a communication bypass.

You start your discussion of Risk Management by telling everyone that UP is DOWN and HOT is COLD.  That OPPORTUNITIES are RISKS.

There is a common English meaning of the word risk that works very well to support Risk Management activities.

The objective of that other DOUBLESPEAK meaning of the word risk is to convey that risk managers can help to find and support opportunities.

Just say that. Say that you can help to find and support opportunities.

It will come off much better than redefining words that everyone knows the meaning of at the outset of your discussion.

Reliance on Risk Management

Many life insurance firms may not really be aware of the degree to which they are exposed to risk.

When these firms write a life insurance policy, they are immediately exposed to a significant amount of gross risk.  Looking at the entire liability book, the risk is immense.  Many multiples of capital.

I  am not talking about the fact that face amounts of insurance far exceed premiums.  What I am trying to point out is that there is a very large amount of risk created by accepting premiums with the guarantee of certain surrender values.  (There is somewhat more mortality risk there than many insurers may realize, but it is not significant on a gross basis compared to the interest rate risk on the cash values.)

Insurers tend to forget about this because there is a very longstanding practice of offsetting that risk by investing funds (called the assets) of the life insurer.

The folks who are insisting on market value accounting for insurance liabilities are trying to point out this fact of life.

In many markets, the insurer will then take investment risk – credit or market – with the investments and finally they will do something further that deeply offends the market value folks.

They will split some of the money that they are paid in risk premium with their policyholder/customer.

This practice can probably be traced back to the time when the predominant form of life insurance was mutual life insurance.  Under that structure, the policyholder is thought to share the risk of the insurance company, and it therefore makes sense that they would share in the risk premium.

Non-mutual firms found that they could not compete with this because most customers did not understand that they had the choice of one level of return within their insurance policy at a certain level of risk and a lower level of return with a lower amount of risk. The customers usually just saw the net return.  Risk was not communicated well.  Usually risk was communicated very vaguely while return seemed to be really tangibly conveyed.

So what the market value folks are trying to accomplish is to overcome hundreds of years of confusion about the actual level of risk of an insurer.

You see, risk premiums are usually collected in advance of losses.  If an insurer is paying some fraction of its risk premiums to its customers, and it does not have a loss sharing mechanism as is fundamental to a mutual insurance scheme, then it is acting similarly to a leveraged hedge fund.

The resources of the insurer to absorb losses is the capital, but the exposure to losses extends to a much larger pool of insured funds.

So the market valuing of insurance liabilities is really a risk recognition exercize.  It is trying to make a point, that point being that the practices of insurers have evolved to become much riskier than what they had been in the past.  And the mark to market system would force insurers to acknowledge that additional risk at the point at which they decide to tak on the risk.

Now, it appears that IFRS accounting is heading a different direction.  The IASB seems to be backing away from a full mark to market system for assets.  This will wreck havoc on the balance sheets and income statements of the insurers who will be marking their liabilities but not their assets to market.

Sort of like the mess that has existed in the other direction for some time not, were insurers in many situations have been marking assets, but not liabilities to market.

Insurance has a reputation for totally opaque financial reporting.  It seems that this reputation will continue to be well deserved.

Risk Management Learns from Sun Tzu

Usually risk managers do not think of themselves as being at war.  But a risk manager is facing a number of foes.  And failure to succeed against those foes can result in the end of the enterprise.  So maybe the risk manager can learn from The Art of War.

Sun Tzu’s The Art of War has 11 chapters.  Each of these topics can be seen to have a lesson for risk managers.

1. Laying Plans explores the five fundamental factors that define a successful outcome (the Way, seasons, terrain, leadership, and management). By thinking, assessing and comparing these points you can calculate a victory, deviation from them will ensure failure. Remember that war is a very grave matter of state.             The risk manager of course needs plans.  Remember that risk management is a grave matter for the enterprise.
2. Waging War explains how to understand the economy of war and how success requires making the winning play, which in turn, requires limiting the cost of competition and conflict.        Risk management does not run on an unlimited budget.  In some cases risk managers have not completed their preparations because they have gone forward as if they could spend whatever it took to fulfill their vision for risk management.  Of course risk management spending needs to be at a sensible level for the enterprise.  Excessive risk management spending can harm an enterprise just as much as an unexpected loss.

1. Attack by Stratagem defines the source of strength as unity, not size, and the five ingredients that you need to succeed in any war.            The risk manager succeeds best if they are able to get the entire organization to support the risk management efforts, not just a large corporate risk management department.
2. Tactical Dispositions explains the importance of defending existing positions until you can advance them and how you must recognize opportunities, not try to create them.           The risk manager needs to build organizational strength to support risk management opportunistically.  A risk management program that does not wait for the right opportunities will create internal enemies and will then be fighting both the external risks as well as the internal enemies.
3. Energy explains the use of creativity and timing in building your momentum.            The risk manager also needs to be creative and needs to build momentum.  The best risk management program fits well with the culture of the organization.  That fit will need to be developed by creatively combining the ideas of risk management with the written and unwritten parts of the organizational imperatives.
4. Weak Points & Strong explains how your opportunities come from the openings in the environment caused by the relative weakness of your enemy in a given area.             Quite often the risk manager will know the right thing to do but will not be able to execute except at extreme danger to their position in the firm.  The openings for a risk manager to make the moves that will really lake a difference in the future of the firm come infrequently and without warning.  The Risk manager must be looking at these openings and be ready and able to act.
   
5. Maneuvering explains the dangers of direct conflict and how to win those confrontations when they are forced upon you.      Some thing that the risk managers job is the direct conflict with the important people in the firm who would put the firm in an excessively risky position.  This in inadvisable
6. Variation in Tactics focuses on the need for flexibility in your responses. It explains how to respond to shifting circumstances successfully.       Risk Management tactics will be the most successful if they are alligned with the actual risk environment.  See Plural Rationalities and ERM.
7. The Army on the March describes the different situations in which you find yourselves as you move into new enemy territories and how to respond to them. Much of it focuses on evaluating the intentions of others.        Rational Adaptability is the process of assessing the risk environment and selecting the risk management strategy that will work best for the environment.
8. Terrain looks at the three general areas of resistance (distance, dangers, and barriers) and the six types of ground positions that arise from them. Each of these six field positions offer certain advantages and disadvantages.      The risk environment has four main stages, Boom, Bust, Moderate and Uncertain.
9. The Nine Situations describe nine common situations (or stages) in a campaign, from scattering to deadly, and the specific focus you need to successfully navigate each of them.      Companies must determine their risk taking strategy and their risk appetite by looking at the risk environment as well as at their risk taking capacity.
10. The Attack by Fire explains the use of weapons generally and the use of the environment as a weapon specifically. It examines the five targets for attack, the five types of environmental attack, and the appropriate responses to such attack.
11. The Use of Spies focuses on the importance of developing good information sources, specifically the five types of sources and how to manage them.

Rational Adaptability

In any given risk environment, companies holding a risk perspective and following an ERM program aligned with external circumstances will fare best.

In order to thrive under all future risk regimes, a firm ideally would follow a strategy of Rational Adaptability. This involves three key steps: 1. Discernment of changes in risk regime, 2. Willingness to shift risk perspective, and 3. Ability to modify ERM program. The difference between Rational Adaptability and the process of “natural selection” where firm go through a “natural” process of change of risk attitude and risk strategy is conscious recognition of the validity of differing risk perspectives and proactive implementation of changes in strategy. Individuals often find it difficult to change their risk perspective. Therefore, a company that wishes to adopt Rational Adaptability must ensure that its key decision-makers represent a diversity of risk perspectives.

Furthermore, the corporate culture and the managers themselves must value each of the risk perspectives for its contributions to the firm’s continued success. An insurance company is best served by drawing on the respective expertise of underwriters, actuaries, accountants, contract attorneys and claims experts—and members of one discipline should not feel slighted when the expertise of another discipline is called upon. Similarly, any firm that wishes to optimize its success under each of the various risk regimes should have Maximizers, Conservators, Managers and Pragmatists among its senior management; and those who hold any one of these risk perspectives should acknowledge that there are times when another perspective should take the lead. The CEO must exercise judgment and restraint, shifting among strategies as needed and shifting responsibilities among the management team as required.

Rational Adaptability recognizes that during Boom Times, risk really does present significant opportunities—and it is appropriate to empower the Profit Maximizers, focusing ERM efforts on Risk Trading to ensure that risks are correctly priced using a consistent firm-wide metric. When the environment is Moderate, the firm employing Rational Adaptability will give additional authority to its Risk Reward Managers, examining the results of their modeling and using these to reevaluate long-term strategies. And in times of Recession, a firm following Rational Adaptability shifts its focus to Conservation: tightening underwriting standards and placing special emphasis on firm-wide risk identification and risk control. Resisting the pull of his or her own personal risk perspective, the CEO must be willing to listen—and act—when others in the firm warn that the company’s risk management strategy is getting a little too concentrated on one and possibly not the optimal risk attitude and risk strategy.

Yet in each risk regime, there are companies following strategies that are not well aligned with the environment. Some of these firms muddle along with indifferent results and survive until their preferred environment comes back. Others sustain enough damage that they do not survive; some change their risk perspective and ERM program to take advantage of the new environment. Meanwhile, new firms enter the market with risk perspectives and ERM programs that are aligned with the current environment. Since many of the poorly aligned firms shrink, die out or change perspective— and since new firms tend to be well-aligned with the current risk regime—the market as a whole adjusts to greater alignment with the risk environment via a process of “natural selection.”

This an excerpt from the article “The Full Spectrum of RIsk Management”  co-authored by Alice Underwood.

This post is a part of the Plural Rationalities and ERM project.

 

Pick the Targets before You Start Judging

In a Oct. 3 FT article, it says that just 30% of 465 executives surveyed said that “they were able to tap risk management programmes to prepare for and minimize the negative outcomes” of the recession.

But I wonder whether minimizing impact of a recession was among the targeted risks of those risk management programs.

And in addition, I wonder whether the risk managers would have been permitted to even think seriously about the impact of a recession as serious as the one that we have (and continue to) experienced.

Financial firms that would have been very well prepared for this recession would have been doing quite a bit more hedging than their peers and the cost of that hedging would have severely reduced earnings prior to the recession.

Non-Financial firms that would have been well prepared would have been running with very low inventories and with loads of unfilled positions, running tons of expensive  overtime prior to the flop.

The article also said that “only 44 percent said that they had adequately captured the potential problems before the downturn.

Some of that may be risk managers being slammed for being poor fortune tellers.   They did not foresee the size of this recession so they missed it.

I would suggest that these survey results are a case of risk management as scape goat.

Don’t get me wrong.  There are times when risk management gets it wrong.

But if you want risk managers to be focused upon minimizing the impact of a once in 75 year recession, then you ought to tell them that before the recession hits, not after.

And if accurate predictions of the economy are required of risk managers, then you ought to completely change your ideas about how much risk managers should be paid.

By the way, if you know now what sort of result you would have wanted from the recession, then that information should be used to set the firm’s risk tolerance – which should be done in advance, not after the fact.

But in fact, 80% of the firms have never agreed on a risk tolerance.  Quite often the reason for not picking one is a reluctance of management to have their options restricted by such a limit, to allow the board into decisions that they want to make without the help of the board.

Really Different

What if the future is really different from the past? What does that do to the whole approach of quantitative risk management? When do you give up on the models that just do not help?

Here is a scenario of a Really Different Future

Farrell suggests that the economy will go through chaos for 10 years until things get so bad that we decide to actually do something about it.

We talk about stress testing for our companies.  What I am trying to suggest here is stress testing our risk management approach.

How well does your risk management system hold up to the scenario described in that article?

I am not asking for a top of the head answer.  I am suggesting that you walk through 10 years of economic bad times, alternating with uncertain times like the past 18 months.

Does your ERM system give good advice throughout?  Or do your models continually give bad signals as they very slowly incorporate the emerging world mess?  And then when things come back in 10 years, will the models be wrong again on the low side for another 10 years or more as you incorporate better experience?

So is there another choice?  I think so.  The choice is multiple risk models of different regimes.  You need a model of high volatility and low drift, a model of high drift and low volatility, a model of moderate volatility and moderate drift and a model of negative drift and low volatility.

Think about it.  If those four models reflect states of the world, is there any point in using a model that combines all four sets of experience?  It will always be wrong.  A Bayesian model that is constantly updating for experience assumes a stable underlying distribution.  Otherwise it is just wrong all the time.

Think about it.  If the next 10 years will be years of high volatility and low drift interspersed with periods of negative drift with low volatility, what good is a model with moderate volatility and moderate drift?  Or the combined all regime model of slightly higher volatility with slightly lower drift.