Why?

My favorite book of the Bible is Job.  That could have been called the book of WHY.  Everyone throughout the book assumes that there must be an answer and they try out those answers but none seems to fit.

Finally, they get an answer, but it is not the sort of answer that they were looking for.  The answer that they get is something like”you would never understand”.

But the risk manager is always being asked why?  Asked to explain the unexplainable.

David Hackett Fisher advised historians to avoid WHY.  To stick with who, what, when, where  and how.

A why question tends to become a metaphysical question. It is also an imprecise question, for the adverb ‘why’ is slippery and difficult to define. Sometimes it seeks a cause, sometimes a motive, sometimes a reason, sometimes a description, sometimes a process, sometimes a purpose, sometimes a justification.

This list of definitions for the word why is useful to the risk manager however, because often there is no “why” under some definitions, but the other definitions can help to provide a path to an answer that is probably less than satisfactory but better than nothing.

Nothing being the same as the answer “it is still a 1 in 100 event, we were just unlucky”.

If you want the company’s executives to really embrace ERM, then the risk manager needs to have all of these definitions and as many of the answers as humanly possible on hand.  The executive will need the risk manager to provide the words that they can use and feel comfortable lording it over their peers who do not have such a smart risk management department.  They need the words than answer WHY.

The famous quote about risk..

“We were seeing things that were 25-standard deviation moves, several days in a row.”

David Vinar, CFO Goldman Sachs
August 2007

Vinar obviously had someone who did not have the above list of definitions of WHY on hand, he got the S— Happens answer from a math geek.

Executives need to be brought into the Baysian recalibration process.  Each year, the  experience of the year needs to be placed on the scale from the model (as Vinar did above) and the scale then either accepted or rejected.  (Which step Vinar obviously did after making that statement.)

That exercize ought to be a part of every year end wrap up from the risk department.  Their recount of the who, what, when, where, how and WHY of the events of the year.

Advertisement

Risk Language

This is one of the eight Fundamental ERM practices. These practices are the foundations of a new ERM program.

Risk Language is not commonly recognized in most ERM literature as a fundamental practice.  But all you need to do is to talk with a management team that has a common risk language and another who does not and it is difficult to see why it is not.  The management with the common language can much more often articulate a common vision of risk management and especially of risk appetite.  The objectives of the ERM program of a firm without a common risk language are usually not understood similarly by more than a tiny handful of people.

When hearing the story of ERM at a firm it seems to be a much more likely explanation for the firm without the common language that their ERM program exists mostly for the purpose of entertaining outsiders than for impacting the management of the firm.

At the earliest stage of development of an ERM program, the lack of a language should become apparent.  Ask any two managers what they think is meant by an unacceptably large loss and you are likely to get as many different answers as you have answerers.

Ask that same set of people what would be an acceptable level of sales or profits and they will all usually be able to clearly state the company goals for the current year.

So the objective in this area as it is with measurement is to put risk on the same footing as sales and profits, to give it the same clarity and unanimity of understanding and purpose.

There are several steps to gaining a risk language for a firm.

1. Existing Risk Terms – Making a collection of existing risk terminology used commonly in different parts of the company is a good first step.  Notice where different parts of the company have different terms for one idea and other places where people have different meanings for the same term.  Those conflicts need to be resolved so that there is one main set of terms used within the company for those ideas.
2. Standard Risk terms – It is not necessary that each firm adopts an entire vocabulary about risk from outside the firm.  But on the same token, there are a wide variety of standardized terms for risk.  Take a look at Risk Glossary, for example.  A good first step would be to take a short list of terms from a source like that and start to make sure that everyone starts to learn those terms.
3. New Risk Terms – As ERM grows within the company, new terminology will develop for particular ideas.  Some of that terminology will emanate from the risk department and some will come from the executives as they seek to repeat things that they hear at the risk committee meetings.  For some time, everyone needs to be deliberate about the process of coining new terminology.  Conscious that one way of saying something seems to “stick” better than another.  Encourage the formation of this vocabulary.

Besides forming this new vocabulary, it is extremely important that both the risk staff and the other managers who are members of risk committees make sure to use the new risk terminology inn their everyday work.  Language is naturally built by usage, not by dictionaries.

One last thought… ERM practice is a combination of some very expensive things and very simple things.  In general, the largest firms can afford the very expensive things more easily while the simple things are usually executed much more effectively in small firms.  This is one of the simple things.

 

Intrinsic Risk

If you were told that someone had flipped a coin 60 times and had found that heads were the results 2/3 of the time, you might have several reactions.

• You might doubt whether the coin was a real coin or whether it was altered.
• You might suspect that the person who got that result was doing something other than a fair flip.
• You might doubt whether they are able to count or whether they actually counted.
• You doubt whether they are telling the truth.
• You start to calculate the likelihood of that result with a fair coin.

Once you take that last step, you find that the story is highly unlikely, but definitely not impossible.  In fact, my computer tells me that if I lined up 225 people and had them all flip a coin 60 times, there is a fifty-fifty chance  that at least one person will get that many heads.

So how should you evaluate the risk of getting 40 heads out of 60 flips?  Should you do calculations based upon the expected likelihood of heads based upon an examination of the coin?  You look at it and see that there are two sides and a thin edge.  You assess whether it seems to be uniformly balanced.  Then you conclude that you are fairly certain of the inherent risk of the coin flipping process.

Your other choice to assess the risk is to base your evaluation on the observed outcomes of coin flips.  This will mean that the central limit theorem should help us to eventually get the right number.  But if your first observation is that person described above, then it will be quite a few additional observations before you find out what the Central Limit Theorem has to tell you.

The point being that a purely observation based approach will not always give you the best answer.   Good to make sure that you understand something about the intrinsic risk.

If you are still not convinced of this, ask the turkey.  Taleb uses that turkey story to explain a Black Swan.  But if you think about it, many Black Swans are nothing more than ignorance of intrinsic risk.

Measuring Risks

What gets measured gets managed.

Measuring risks is the second of the eight ERM Fundamental Practices.

There are many, many ways to measure risks.  For the most part, they give information about different aspects of the risks.  Some basic types of measures include:

• Transaction Flows, measuring counts or dollar flows of risk transactions
• mean Expected Loss
• Standard deviation of loss
• Expected loss at a particular confidence interval (also known as VaR or Value at Risk)
• Average expected loss beyond a certain confidence interval (also known as TVaR, Expected Shortfall, and other names)

So you needs to think about what you want from a risk measure.  Here are some criteria of a GOOD RISK MEASURE:

1. Timely – if you do not get the information about risk in time, the information is potentially entertaining or educational, but not useful.

2. Accurately distinguishes broad degrees of riskiness within the broad risk class – allowing you to discern whether one choice is riskier than another.

3. Not too expensive or time intensive to produce – the information needs to be more valuable than the cost of the process that produces it, either in dollars or opportunity cost based on the time it uses up.

4. Understood by all who must use – some will spend lots of time making sure that they have a risk measure that is the theoretical BEST.  But the improvements from intellectual purity may come with a large trade-off in the ability of a broad audience to understand.  And if people in power do not understand something, there are few who will really rely on it when their career’s are at stake in an extreme risk situation.

5. Actionable – the risk measure must be able to point to a possible action.   Otherwise, it just presents management with a difficult and unpleasant puzzle that needs to be solved.  And risk is often not a presenting problem, but a possible problem, so it is easier always to defer actions that are unclearly indicated.

If you can set up your risk measurement systems so that you can satisfy all five of those criteria, then you can feel pretty good. Your risk management system is well served.

But some do not stop there.  They look for EXCELLENT RISK MEASURES.  Those are measures that in addition to satisfying the five criteria above:

6. Can help to identify changes to risk quality – this is the Achilles heel of the risk measurement process.  The deterioration of the key riskiness of the individual risks.  Without this ability, it is possible for a tightly managed risk portfolio to fail unexpectedly because the measures gradually drifted away from the actual underlying riskiness of the portfolio of risks.

7. Provides information that is consistent across different Broad Classes of Risk – this would allow a firm to actually do Risk Steering.  And to more quantitatively assess their Diversification.  So this quality is needed to support two of the four key ERM Strategies and is also needed to  apply an enterprise view to Risk Trading and Loss Controlling.

8. For most sensitive risks will pinpoint variations in risk levels – this is the characteristic that brings a risk measure to the ultimate level of actionability.  This is the information that risk managers who are seeking to drive their risk measurement down to the transaction level should be seeking to achieve.  However, it is very important to know the actual accuracy of the risk measure in these situations.  When the standard error is much larger than the differences in risk between similar transaction then process has gone ahead of substance.

 

 

Turkey Risk

On Thanksgiving Day her in the US, let us recall Nassim Taleb’s story about the turkey.  For 364 days the turkey saw no risk whatsoever, just good eats.  Then one day, the turkey became dinner.

For some risks, studying the historical record and making a model from experience just will not give useful results.

And, remembering the experience of the turkey, a purely historical basis for parameterizing risk models could get you cooked.

Happy Thanksgiving.

What is Too Big to Fail?

There seems to be various discussions going around about who needs to be considered Systemically important to qualify for “Special Attention” from regulators. Very large money managers are saying that they are not systemically important.

But it seems to me that there are quite a number of considerations. And everyone seems to be arguing solely from the part of that list that exempts them.

When thinking about money managers, I would think of the following:

1. How is their liquidity managed? Can they really raise funds fast enough to satisfy a run on the bank?
2. If they were to try to liquidate their funds, what would that do to the financial markets?
3. How interconnected are they to other financial firms? Do regulators now have information about that?
4. What about the future? (Isn’t that our concern, not the past or even the current situation?)

• Could they shift their liquidity practices to become much more illiquid?
• Their argument revolves around leverage, how much could they change their leverage under their current regulations? They can quickly leverage through derivatives as well as borrowing.
• Could they become the center of new risky financial behavior that would endanger the financial sector?

That last point is a major concern of regulators regarding the Insurance industry. And they have history on their side. The insurance industry helped the financial sector to blow the mortgage business up to 4 or 5 times the underlying.

All you need to do that is a big balance sheet and a willingness to take one side of a trade without balancing it with the other side. And the money managers as well as the insurance companies both have exactly those characteristics.

Risk Regimes

Lately, economists talk of three phases of the economy, boom, bust and “normal”. These could all be seen as risk regimes. And that these regimes exist for many different risks.

There is actually a fourth regime and for many financial markets we are in that regime now. I would call that regime “Uncertain”. In July, Bernanke said that the outlook for the economy was “unusually uncertain”.

So these regimes would be:

• Boom – high drift, low vol
• Bust – negative drift, low vol
• Normal – moderate drift, moderate vol
• Uncertain – unknown drift and unknown vol (both with a high degree of variability)

So managing risk effectively requires that you must know the current risk regime.

There is no generic ERM that works in all risk regimes.  And there is no risk model that is valid in all risk regimes.

Risk Management is done NOW to impact on your current risk positions and to manage your next period potential losses.

So think about four risk models, not about how to calibrate one model to incorporate experience from all four regimes.  The one model will ALWAYS be fairly wrong, at least with four different models, you have a chance to be approximately right some of the time.

Watch your Own Wallet

Polling the people who work at the New York banks that were at the center of the financial crisis, people were asked which of the following statements that they agreed with the most:

1. We did it and we need to do something differently.
2. They did it and they need to do something differently.
3. Space Aliens did it and we hope that they do not do it again.

The poll results are in and the findings are:

• No one answered that they agreed with 1.
• The innocent all were able to answer that they agreed with 2.
• Those who were directly involved in the problems that led to the crisis all answered 3.

So the conclusion that you should reach from this survey is that nothing will be different in the future.  The financial system will be run mostly the same as it had been run.

Your only protection is to WATCH YOUR OWN WALLET.  That is, pay attention yourselves to things that might turn into the next set of systemic risks.  Those things will all tend to be very large systematic risks.

So you need to use the emerging risks type process on the largest systematic risks.  You need to assess periodically whether your firm’s exposures to these risks might in a crash result in firm ending losses.  (Or you can prepare your application for a bailout – good luck on that).

Then you need to have a heart to heart discussion with your board.  Stories of the firms that did the worst in the crisis tell that their boards urged them to take more and more risk.

Risk managers need to know whether it is their board’s wishes to be dancing up until the band sinks below the water or to stop perhaps a few songs before and leave the ship ahead of the crash.

Is it Better to Be Lucky than Smart?

It certainly is cheaper and easier.  But is it BETTER?

The main difference between lucky and smart is that smart is more likely to be able to repeat than luck.

But I think that there are two different types of smart, and one is much better than the other.

• The first type of smart is able to discern patterns and trends.  This type of smart can do momentum trading.  They figure out what works in this phase of the cycle of the part of the world that they are in and they discern how to take advantage of one aspect of the trend.
• The second type of smart is able to discern not just the trend, but they can see that the trend will not last.  So they can plan for the change in trend.  This type of smart is adaptable.
• The lucky see nor care about trends or changes in trends.  What they choose works.  Some of the lucky are able to convince themselves and those around them that their “gut” can really pick out the right answers.  Those are the dangerous lucky.

If you are led by the lucky, your firm might fail at any time.  The formerly lucky CEO will not have a clue as to why they failed. Over time, they will have relied on their gut more and more and their success will get them more and more authority and autonomy.  People forget that if all business decisions were random coin tosses, someone will guess the right toss 10 times in a row with nothing more than luck behind their string.

If you are led by the Momentum leader, your firm will thrive as long as the wave that they identified keeps going.  In some cases, the leader and the firm come to believe that the trend that you follow IS the way that they world will be forever.  More and more of the company becomes dependent on the assumption that the trend continues.  When the trend fails, the company will falter or fail.  If enough people and enough firms have been following that same trend, the entire economy might falter.  If a trend last long enough, then it is quite likely that more and more people and firms will notice the trend and start to work on the assumption that the trend will continue.

But if you are working in a firm with an adaptable leader, then the firm will not do as well as peers during the peak of the trend.  Your firm will not be putting all of your eggs into the basket of trend immortality.  Your firm will be looking around for things that will work even if the trend changes.  Your firm will have the resilience to weather the change in trend and perhaps some business activity planned that will work even in a new environment.  Your firm will be working smart towards the long term.

So is it better to be lucky than smart?  Not in the long run, not in my mind.

It’s All Relative

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how either of these three scenarios might hit you.

• One company had a loss of 50% of capital during the credit crunch of the early 1990’s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
• Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
• Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

ERM, not just a good idea, Its the Law

IAIS Adopts ICP 16 on ERM

The International Association of Insurance Supervisors (IAIS) has adopted ERM as an Insurance Core Principle (ICP).

ERM is an acknowledged practice and has become an established discipline and separately identified function assuming a much greater role in many insurers’ everyday business practices. Originally, risk management only facilitated the identification of risks, and was not fully developed to provide satisfactory methods for measuring and managing risks, or for determining related capital requirements to cover those risks.
ERM processes being developed today by insurers increasingly use internal models and sophisticated risk metrics to translate risk identification into management actions and capital needs. Internal models are recognised as powerful tools that may be used, where it is proportionate to do so, to enhance company risk management and to better embed risk culture in the company. They can be used to provide a common measurement basis across all risks (e.g. same methodology, time horizon,  risk measure, level of confidence, etc.) and enhance strategic decision-making, for example capital allocation and pricing.

By this time next year, they expect to have revised the full set of ICPs.  All insurance supervisors are expected to reflect the revised ICPs in their legal frameworks and supervisory practices.  All G20 insurance supervisors will be expected to undertake a self-assessment against the new ICPs by early 2012.

Link to ICP 16

Europeans will notice that ICP 16 is very similar to Pillar 2 of Solvency 2.  Folks in the US will notice that this is very similar to documents that the NAIC has exposed for comment in the last year.

Riskviews has visited a number of non-G20 countries in the past six months and insurers there have all said that their regulators are starting to talk about ERM requirements or have already put them in place.