Risk Management Culture

To date Riskviews has featured discussions of issues relating to Risk Culture 27 times.  While we talk about the Eight ERM Fundamentals, Culture is THE ERM FUNDAMENTAL.

While Standard & Poor’s uses this category to include a variety of practices including governance, disclosure and risk appetite, here we mean solely the manner that people outside of the risk management department are brought into the risk management process in a firm.

Decisions need to be made regarding who to get involved in doing and then who else to tell about the objectives and plans and activities of risk management in the firm.

Some companies do this on a need to know basis, involving only those who must get involved to make things work and only telling those who have an active role.

At the opposite extreme are firms who say that risk management is everyone’s job and who therefore work very hard to make sure that everyone understands everything that is going on.

The firms in the first group are focused on efficiency.  Management usually believes that everyone must stay focused upon their own primary responsibilities.  A select few are given responsibility for risk management activities and everyone else is kept out of the way.  Knowledge of the risk management work in these firms is usually restricted to top management and line management only in the situations where the risk management efforts need to be integrated into the operational unit’s activities.

The firms in the second group believe that risk management is everyone’s job because crippling risks can take many forms, both currently known and unknown.  And that these risks can emanate from any part of the firm.  They do not believe that just because there has never been a large problem from one activity, that there never can be.

For the first type of firm, risk management culture means that risk management is one of those things that separates the cognoscenti from the rest of the firm.  Risk management culture means keeping those in the know up to date on everything that is important about risk and risk management.  Each one of the restricted group must take a major responsibility to join in this activity.

For the second type of firm. there will be a totally different type of activity supporting risk management culture.  That will involve training sessions and informational newsletters.  One firm holds an annual conference about risk management and allows anyone at the supervisory level and above in the firm to attend.  Another firm puts an ERM related message on the intranet home page and changes that message at least once per week.

The second type of firm will welcome input from anyone to their ERM processes.

Business Risks

US News and World Report had a recent feature “20 Companies that Cratered in 2010“.

Reading their article, I can only come up with four reasons why the 20 firms went bankrupt:

1. Overconcentration in the mortgage backed securities market.  (Ambac)
2. Failed to adapt to competition with a new approach to the business (Affiliated Media, Mareican Media, Penton Media, Blockbuster, Movie Gallery, Newsweek, Oriental Trading)
3. Insufficient New Products (Hummer, Mercury, Pontiac, MGM)
4. Insufficient resilience to recession due to excess debt (Inkeepers USA, Jennifer Convertibles, Loehmann’s, Mesa Air, Uno Restuarant Holdings, Urban Brands, Swoozies, A&P)

Fully 95%, 19 out of 20 of these bankruptcies are caused by business risks.

Meanwhile, risk managers in the insurance industry are off building risk management systems that assure that there is no more than a 1/200 chance of a loss large enough to cause a bankruptcy.

But Business Risk is not on the list of risks that are being considered in the Solvency II or Basel III regimes.

Fully 95% of US bankruptcies in 2010 were caused by business risks.  Does that mean that we are building a system that assures that we are 99.5% safe from 5% of the risks?

Does this give risk managers a hint as to why top management may only want to devote a small amount of their attention to the management of those 5% risks?

Are top management spending their time paying attention to those pesky risks of Competition, Products and Resilience?

Risk Managers can and should address those risks as well.  But rather than moving away from the risk management discipline, risk managers should be looking to see how the risk management processes can be of help with those risks.

Now, for the folks who think of risk management purely as a modeling exercize, this discussion is largely over.  But if you see your risk management program as a management control system, then there is much for you to bring to help with these risks.

These risks can be handled like any of the Operational risks that are difficult to model.  Key Risk indicators are identified and monitored.  Triggers can be set to initiate actions.  And actions taken to react to increasing indication of risks.

For the three big Business Risks that took down companies in 2010, there are particular concerns:

• Competition – Business managers must move away from sports analogies.  They make companies particularly at risk for this type of competition.  In sports, the opposing team rarely starts playing a totally different game.  The football team will not be opposed by a hockey club.  But in business, there is often not anything to stop a competitor from starting to play a totally different game.  Risk management needs to be built from te premise that there really are very few rules restricting competitors.
• Product Risk – in many cases that largest source of product risk is a successful product.  Especially a highly profitable successful product.  Firms with such often find it extremely difficult to justify the cost and risk and low profitability of new products.  The risk manager needs to consider addressing this risk from the point of view of revenue diversification.  Concentrations are often the most profitable and the most risky in the long term.
• Resilience – This comes closer to regular risk management territory.  But often a major change in business volume either up or down is not a scenario that is factored into the risk model.  Most often, the level of business activity is taken as a constant!  How totally unrealistic is that?  The level of business activity is definitely NOT constant and NOT predictable.  It is at least as uncertain as any of the things that ARE being modeled.  Risk models can be used to evaluate the impact of simultaneous changes in the level of business along with other adverse events.   Perhaps it might make sense to also assume that if volumes are going up beyond a certain range, that selectivity might be going down.  Or that if volumes are decreasing, that margins might be squeezed in addition to the expense squeeze because of competition for the lower amount of business.

Risk managers can bring something to the table for discussions of Business Risk.  But it will take breaking out of their sometimes self imposed bounds.

Best ERM Quotes of 2010

There were 68 new posts to the Risk Management Quotes page on Riskviews in 2010.

Here are my favorite 10.  You may disagree.

‘No institution, including our own, should be too big too fail’.   Jamie Dimon

‘We did eat our own cooking – and we choked on it’.  Brian Moynihan

So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.  If you only know yourself, but not your opponent, you may win or may lose.  If you know neither yourself nor your enemy, you will always endanger yourself.    Sun Tzu

“We focus on risk before we focus on return. The best investors do not target return. They focus first on risk.”  Seth Klarman

Barings was always described as this wake up call that nobody would ever forget, but the fact is, only lip service was ever played to the fact that risk management needed to improve  Nick Leeson (in 2009)

Information about causation, even if imperfect, is powerful. It is ignored in the frequentist approach at a great loss for the risk manager.   Organizing one’s understanding about how the world might work into a coherent and tractable analytical probabilistic framework is not an easy task.  Ricardo Rebonato

Fill your bowl to the brim and it will spill.  Lao Tzu

The essential problem is that our models—both risk models and economic models—as complex as they have become, are still too simple to capture the full array of critical variables that govern global economic reality.  Alan Greenspan

Economies are in greatest peril not when investors willfully take crazy financial risks but when no one seems to perceive risk and the need to insulate the economy from it.  Nicole Gelinas

“What one does see, again and again, in the history of financial crises is that when an accident is waiting to happen, it eventually does.” Reinhart &  Rogoff

Risk Limits and Controlling

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

• Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

What might make sense in that situation, would be for the person being asked to make the decisions on speed limits to be told what speed that they had been going on the long straight-aways, on the gradual curves, the sharp curves and how long it took to stop the vehicle at various speeds.  In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience.  But there are simple exercizes that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercize is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past.  For each of those situations, the backwards looking frequency can be assigned.  This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains losses that were experienced in general.  That frequency is analogous to the weather.  Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercize each year of deciding what frequency to assign to the experience of the year’s gains and losses.

A Wealth of Risk Management Research

The US actuarial profession has produced and/or sponsored quite a number of risk management research projects.  Here are links to the reports:  A Study of International Solvency Regimes

Determinants of Insurers’ Reputational Risk

2010 Emerging Risks Survey

Reflecting Risk in Pricing Survey Report

Potential Impact of Pandemic Influenza on the U.S. Health Insurance Industry

2009 Emerging Risks Survey

Exploration of Reputational Risk from the Perspective of a Variety of Stakeholders

Policyholder Behavior in the Tail Risk Management Section Working Group UL with Secondary Guarantee 2009 Survey Results

Enterprise Risk Management (ERM) Practice as Applied to Health Insurers, Self-Insured Plans, and Health Finance Professionals

A New Approach for Managing Operational Risk: Addressing the Issues Underlying the 2008 Global Financial Crisis

Policyholder Behavior in the Tail Joint Risk Management Section Working Group Variable Annuity Guaranteed Benefits 2009 Survey Results

The Financial Crisis and Lessons for Insurers

Corporate Reputational Risk and ERM: An Analysis from the Perspective of Various Stakeholders

Emerging Risks Survey

Policyholder Behavior in the Tail Risk Management Section Working Group UL with Secondary Guarantee 2008 Survey Results

Copula Phase Transitions Report

Economic Capital: Correlation Matrices and Other Techniques–A Survey and Discussion

Policyholder Behavior in the Tail Risk Management Section Working Group Variable Annuity Guaranteed Benefits 2007 & 2008 Survey Results

Risk Based Capital Covariance Project

Application of Structural Equation Modeling to the Linkage of Risk Management, Capital Management and Financial Management for the Insurance Industry

Risk Management Terminology

Linkage of Risk Management, Capital Management and Financial Management

Policyholder Behavior in the Tail Project–Annuity Lapse Modeling

Enterprise Risk Management for Property–Casualty Insurance Companies

Policyholder Behavior in the Tail Risk Management Section Working Group Variable Annuity Guaranteed Benefits Survey Results

Action and Inaction

Running a successful business requires doing something almost constantly.

But successful risk management may require doing very little for long stretches of time.

“Just because they say “ACTION” doesn’t mean you have to do anything”  Al Pacino

Good risk management means picking your times and picking your actions.

But there is much for the new risk manager to do between the day when they are first given their charge (the call of ACTION) and the day when they must take their first ACTION.

Many new risk managers get completely caught up in the process of creating a risk management system and the idea of ACTION gets moved into some sort of bureaucratic haze.  The risk management systems that are described in many textbooks and articles make it seem like ACTIONs will simply happen on their own if the system is all in place.

But any risk manager who has worked through the financial crisis or through any other major loss making crisis will tell you that the ACTIONs that take care of themselves through the system are only the easiest part of the ACTION that is really needed, that really adds value to the organization.  The really difficult ACTIONs are the ones that are not so clearly indicated, or the ACTIONs that come after a long period of inaction.

Those actions include things like stopping the growth of a profitable risk, stopping writing a particular risk or even shrinking risk positions.

“Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.”
Pearl Buck

There is a time as well when it is too late for the ACTION.  That is because it is usually in the late stages of a boom that the firm takes on the risks that end up making the largest losses.

And when the problem starts to become evident, it is usually much too expensive to lay off the risk positions.  The best you can hope for is to stop growing the positions.

So there are times, during a boom, when the most important but most difficult ACTION for a risk manager to take is to stop the growth of an overheated risk.

But there are many other times when the risk manager can concentrate on inaction.  Just letting the risk control system do its work.

ERM-An Economic Sustainability Proposition Webcast – January 12 & 14

We are pleased to announce the fourth global webinar on enterprise risk management. The programs are a mix of backward and forward looking subjects as our actuarial colleagues across the globe seek to develop the science and understanding of the factors that are likely to influence our business and professional environment in the future. The programs in each of the three regions are a mix of technical and qualitative dissertations dealing with subjects as diverse as regulatory reform, strategic and operational risks, on one hand, and the modeling on tail risks and implied volatility surfaces, on the other. For the first time, and in keeping with our desire to ensure a global exchange of information, each of the regional programs will have presentations from speakers from the other two regions on subjects that have particular relevance to their markets.
For more information and to register:
http://www.soa.org/professional-development/event-calendar/event-detail/erm-economic/2011-01-12/default.aspx

Risk Organization

Some say that in a perfect world, there is no need for a separate Risk Organization.   But that is probably not true.

Think about the Hierarchy of Corporate Needs:

Hierarchy of Corporate Needs

• Sales

• Profits

• Security

• Growth of Value

Most successful larger organizations have a separate Sales department.  There certainly are firms that go around saying that “Sales are everyone’s job”, but they invariably have people who’s only job is Sales.

Move along to Profits and the picture shifts somewhat.  Often there is one department that has responsibility for pricing, another for assisting with managing expenses and the largest component is the folks who are responsible for tracking profits – the accounting department.  Again, many firms also say that “Profits is everyone’s job”, but they do assign many people to jobs that deal primarily with Profits.

So, that brings us to Security, which is the flip side of Risk.  Security needs a parallel structure to what you find for Profits. The system of work assignments for Profits has evolved over many years.

Many firms have set out to create a Risk system on a much, much shorter time frame.  One approach would be to say that since Losses are the opposite of Profits, then assign the responsibility for Security to the same people who have that responsibility for Profits. But what is likely to happen there is that attention to Profits will most often trump attention to Risk.  That is natural, since Profits are higher up the Hierarchy of Corporate Needs than Risk. In addition, measuring Profits is most often done in arrears and Risk can best be managed when measured in advance.  In fact, when responsibility for Risk is given to the folks who are experienced in managing Profits, they often make the mistake of trying to manage Risk by looking backwards.

So certainly to get started, and probably for the foreseeable future, Risk will need its own organization.

Risk Organizations will often include Risk Committees, sometimes more than one.  The committee roles will include High level decision making (Steering), Technical Leadership, and Execution.

One of the most important aspects of a Risk organization is the assignment of responsibility for Risk.   In many firms it is best to assign responsibility to a Line manager that controls the business that creates the risk.  The person with responsibility should be a person who does periodically stand before the board.  They should be asked to say to the board regularly where things stand with respect to managing their Risk.

As with Profits, there is a need for an independent role of Risk measurement.  Usually that role is given responsibility for both prospective measurement of Risk exposures as well as the analysis of losses.

When people talk about independence for Risk, the place where that is really needed is between the responsibility for managing Risk and the responsibility for measuring Risk and assessing losses.  The same way that is done for Profits. No one would consider assigning Profit management to the folks who measure Profits.

Eggs and Baskets

Andrew Carnegie once famously said

“put all your eggs in one basket. and then watch that basket”

It seems impossible on first thought to think of that as a view consistent with risk management.  But Carnegie was phenomenally successful.  Is it possible that he did that flaunting risk management?

Garry Kasparov – World Chess Champ (22 years) put it this way…

“You have to rely on your intuition.  My intuition was wrong very few times.”

George Soros has said that he actually gets an ache in his back when the market is about to turn, indicating that he needs to abruptly change his strategy.

Soros, Kasparov, Carnegie are not your run of the mill punters.  They each had successful runs for many years.

My theory of their success is that the intuition of Kasparov actually does take into account much more than the long hard careful consideration of a middling chess master.  Carnegie and Soros also knew much more about their markets than any other person alive in their time.

While they may not have consciously been following the rules, they were actually incorporating all of the drivers of those rules into their decisions.  Most of those rules are actually “heuristics” or shortcuts that work as long as things are what they have been but are not of much use when things are changing.  In fact, those rules may be what is getting one into trouble during shifts in the world.

Risk models embody an implicit set of rules about how the market work.  Those models fail when the market fails to conform to the rules embedded in the model.  That is when things change, when your thinking needs to transcend the heuristics.

So where does that leave the risk manager?

The insights of the ultra successful types that are cited above can be seen to refute the risk management approach, OR they can be seen as a goal for risk managers.

The basket that Carnegie was putting all of his eggs into was steel.  His insight about steel was correct, but his statement about eggs and baskets is not particularly applicable to situations less transformational than steel.  It is the logic that many applied during the dot com boom, much to their regret in 2001/2002.

The risk manager should look at statements and positions like those above as levels of understanding to strive for.  If the risk managers work starts and remains a gigantic mass of data and risk positions without ever reaching any insights about the underlying nature of the risks that are at play, then something is missing.

Perhaps the business that the risk manager works for is one that by choice and risk tolerance insists on plodding about the middle of the pack in risk.

But the way that the risk manager can add the most value is when they are able to provide the insights about the baskets that can handle more eggs.  And can start to have intuitions about risks that are reliable and perhaps are accompanied by unmistakable physical side effects.