Archive for February 2011

Risk Capacity Measurement

February 28, 2011

By  Jean-Pierre Berliet

In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.

 

The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:

  • Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.
  • Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.

 

Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.

 

A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.

 

To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.

Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.

 

The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.

 

The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.

 

 

 

 

 

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

 

February 14, 2011

 

 

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

 

Dealing with Crisis

February 24, 2011

Risk management has two important phases.  The first phase is Between Crises (BC) and the second phase is During Crises (DC).  The skills and activities needed for these two phases are totally different.  This post will talk about the DC phase.

During the Crisis, the concentration of the risk manager must shift to survival.  Much has been made of the famous saying from Baron Rothchild

“Buy when there’s blood in the streets, even if the blood is your own.

But Rothchild famously made his own luck by arranging that he was the first to know the outcome of the battle of Waterloo.  And when the crisis hits, that is what you will hope that you, or your predecessor did before the crisis – make some of that sort of luck.

One of the things that often happens is that the organization will seem to shift right out from under you.  The norms and objectives that you thought were agreed are no longer in place.  You will be judged by a set of rules that are being written right now.

An old (1938) article by Robert Merton, SOCIAL STRUCTURE AND ANOMIE, suggests that there are five ways that people can react to situations where they are unhappy with how the rules and norms are working:

  1. Conformity
  2. Innovation
  3. Ritualism
  4. Retreat
  5. Rebellion

Conformity means that they simply continue to operate under the old rules and norms as if nothing has happened.  In many cases, risk managers act as if this is the only possibility however.

Innovation means that they try to come up with a new way to solve their problem within the same structure that was in place.  Innovation may or may not work and if it does not work, then one of the other responses will be next. Often the risk manager is trying to innovate the way out of the crisis.

Ritualism means that they start to go through the motions of following the old rules, even though there is a strong sense that those rules no longer work as that had been working.  Things get more rigid and hierarchical.  Stepping on the wrong person’s toes has become a more significant infraction than it had been.

Retreat means that the organization freezes.  In some cases, it is the CEO who retreats, simply disappearing from the scene and lines of authority become blurry.

Rebellion means that the old rules and norms of the company are overthrown and new rules and norms replace the old quite rapidly.  This is most often accompanied by major management personnel changes.  But sometimes not.

The risk manager needs to be aware of these possibilities and make plans accordingly.

COSO & ISO 31000 & ERM for Insurers

February 23, 2011

Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM.  What is most commonly seen is that COSO based ERM system has a few characteristics in common:

  • They usually take at least a year to implement phase 1.  By the end of that year, no actual improvements or changes to actual risk treatment activities take place.  The most common product of that year’s efforts is a risk register.
  • The risk register usually contains at least 100 risks.  Many of these systems have closer to 200 risks identified.
  • Top management is completely baffled about why they need to spend their time paying any attention to such activity.  If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.

The COSO process seems to be totally a Loss Controlling approach to ERM.  This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach.    That is another way of saying that COSO does not fit well with insurance company management approaches.

ISO 31000 is new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years.  The following post gives a discussion of the differences between the two.

Norman Marks quotes Grant Purdy on the ways that ISO 31000 is superior to COSO.

ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach.  It seems to seek to be in the Risk Steering camp.  Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.

Riskviews main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.

ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System.  Sadly, this is not a joke.  Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.

That is a major problem with detailed prescriptive systems like ISO 31000.  While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.

In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and making the right moves so that exposures to those risks are of the size that they would choose.  Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.

And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.

Integrating Risk Capacity and Business Strategy

February 22, 2011

From Jean-Pierre Berliet

To succeed as a “going concern”, an insurance company needs to conduct its business so as to:

• Maintain insurance strength ratings it needs to retain and attract policyholders
• Maintain a capital position deemed adequate by regulators
• Meet shareholders’ expectations for earnings level and stability.

The first two conditions call for a company to demonstrate that it will honor its promises to pay indemnification benefits promptly and fully, i.e. that it is and will remain solvent and have the capital on hand to continue to conduct ‘business as usual’ in the future. They call for a company to determine how much risk capital it needs to ensure its credit worthiness, in relation to risks that it assumes to execute its strategic plan.

The third condition calls for a company to sustain and even enhance its credibility with capital market investors, to support its market valuation, keep its cost of capital and thus also the cost of its risk capacity competitive. If the level and stability of its earnings did not meet the requirements of capital market investors, a company could lose investors’ support. This could cause its valuation multiples to decline and the cost of its capital and risk capacity to increase.

Together, these three conditions require a company to establish a capacity management framework (focused on insuring solvency and the quality of promises made to policyholders) aligned with its business strategy management process (focused on meeting shareholders’ expectations for financial performance). Note, however, that no such alignment can enable a company to create value for its shareholders unless the company is positioned to achieve a competitive advantage in attracting, serving and retaining customers. It thus behooves management always to verify that their company:

• Can achieve a competitive advantage based on superior risk insights, service capabilities, deal flow generation, cost of capital and operating efficiencies

• Provide products that attract, serve and retain customers
• Has the capital required to sustain the ratings it needs to compete and the willingness to assume the resulting performance volatility
• Has the organizational capabilities needed to manage and control underwriting, claim processing, investment and risk management activities
• Has the insights and processes needed to ensure pricing discipline and alignment of management and shareholders’ interests.

Based on such an explicit understanding of its strategic position and capabilities relative to its competitors’, alignment of risk capacity management and business strategy management calls for a company to integrate relevant strategy considerations outlined above in the components of its risk strategy, especially:

• Risk policy, specifying risks that will be assumed to accomplish financial objectives while meeting risk tolerance constraints of external stakeholders
• Risk appetite, defined as the amount of risk capacity that can be deployed/utilized in pursuit of its strategy in light of the company’s total risk capacity
• Risk limits, which reflect its risk policy and appetite for risk and control risk taking in the development and execution of its operating plans and budgets

Based on projections of financial results expected under a particular risk capacity deployment strategy and business strategy, embodied in a set of risk limits, a company can ascertain whether its plan can meet the return objectives and risk tolerances of its stakeholders. As needed, it can also seek to identify and assess alternative strategies that may provide superior trade-offs between risk and return that may call for changes in risk policy, risk appetite, risk limits and business strategy (the iterative process by which such enhancements can be identified and developed is shown on Figure 2).

Figure 1 displays how solvency risk concerns of policyholders and other credit-focused stakeholders and value risk concerns of shareholders, expressed as risk tolerance constraints, at stated confidence levels and over a defined time period, help to frame a company’s risk strategy. The components of the risk strategy (i.e. risk appetite, risk policy and risk limits) reflect boundaries set on the deployment of a company’s risk capacity by i) the amount of the (paid-up) capital available to support risk assumption and accumulation, and ii) the cost of this capital, generally measured by shareholders’ total return requirement (TSR).

Figure 2 demonstrates how a company can align its business strategy, risk capacity and risk strategy management processes to meet the solvency risk concerns of policyholders and the earnings (value) concerns of shareholders. It demonstrates the distinct places of risk capacity, risk appetite, risk policy, risk limits in the business strategy and risk strategy management processes and highlights the centrality of risk limits to the integration and alignment of these processes.

Managing conflicting agendas

Financial risks generated by, or in connection with, the issuance of insurance contracts manifest themselves in the volatilities of a company’s operating cash-flows and reported earnings that are of concern to i) policyholders and other stakeholders with an interest in its credit worthiness and solvency (rating agencies and regulators) and ii) shareholders with a focus on risk to the value of their investment. These two groups of stakeholders have conflicting views about how a company can best address their risk concerns.

Policyholders, as the most senior creditors, view increases in capital as added protection and a natural protection against the risk of default by a company. By contrast, risk to value for shareholders caused by the volatility of financial results cannot be remedied efficiently by addition of capital (i.e. increases in risk capacity). First, other things being equal, an increase in capital would need to be very large to generate enough income to mitigate earnings volatility sufficiently. Second, such increase would so dilute returns that it would undermine rather than support valuation multiples. Consequently, shareholders look to insurance companies to manage and control the volatility of their cash-flows and earnings through development and implementation of appropriate risk policies designed to limit the volatility of their financial results.

In addition, however, shareholders also concern themselves with declines in relative valuation multiples. Such declines result generally from the incidence of strategic risks, i.e. events that reduce a company’s future earnings or revenue growth prospects by causing i) its competitive position to erode or ii) changes in its operating environment that undermine the viability of its business model. Shareholders expect companies to support their valuation multiples and protect them from strategic risks by i) building flexibility and real options in their strategies, ii) transferring or avoiding risks that cannot be mitigated, iii) pursuing strategies that can support their expectations for profitability and growth.

Conclusion

Based on the framework for integration of risk management and business strategy outlined above, an insurance company could develop a road-map to:
• Align its business strategy with the risk tolerances of its stakeholders as well as the amount and cost of its risk capacity
• Develop the decision frameworks and analytical capabilities needed to integrate its risk and business strategy management processes
By following such a road-map, an insurance company could develop and execute business and risk strategies that enhance its financial performance and its relative market valuation.

Jean-Pierre Berliet
(203) 247-6448
jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Regime Change

February 18, 2011

In risk modeling, the idea of regime change is a mathematical expression.  A change from one mathematical rule to another.

But in the world, Regime Change can have a totally different meaning.  Like what is happening in Egypt.

When someone sits atop a government for 30 years, it is easy to assume that next week they will still be on top.

Until that is no longer true.

When there is a regime change, it happens because the forces that were in a stable equilibrium shift in some way so that they can no longer support a continuation of the past equilibrium.  In hindsight, it is possible to see that shift.  But the shift is often not so obvious in advance.

Again, as when the Soviet Union fell apart, the intelligence services were seemingly taken by surprise.

But is there really any difference between the two types of regime change?  Is it any easier to actually notice an impending regime change on a modeled risk than an impending political risk?

Why are we so bad at seeing around corners?

In the area of public health, it is well known that diseases follow a standard path called an S curve.  That is the path of a curve plotting the number of people infected by a disease over time.  The path has a slight upward slope at first then the slope gets much, much steeper and eventually it slows down again.

When a new disease is noticed, some observers who come upon information about the disease during that middle period during the rapid upward slope will extrapolate and predict that the disease incidence will grow to be much higher than it ever gets.

The reason for the slowdown in the rate of growth of the disease is because diseases are most often self limiting because people do not usually get the disease twice.  Diseases are spread by contact between a carrier and an uninfected person.  In the early stages of a disease, the people who make the most contacts with others are the most likely to become infected and themselves become carriers.  Eventually, they all lose the ability to be carriers and become immune and the number of times that infected carriers come into contact with uninfected persons starts to drop.  Eventually, such contacts become rare.

It is relatively easy to build a model of the progression of a disease.  We know what parameters are needed.  We can easily estimate those that we cannot measure exactly and can correct our estimates as we make observations.

We start out with of model of a disease that assumes that the disease is not permanent.

We plan for regime change.

Perhaps that is what we need for the rest of our models.  We should start out by assuming that no pattern that we observe is permanent.  That each regime carries the seeds of its own destruction.

If we start out with that assumption, we will look to build the impermanence of the regime into our models and look for the signs that will show that whatever guesses we had to make initially about the path of the next regime change can be improved.

Because when we build a model that does not include that assumption, we do not even think about what might cause the next regime change.  We do not make any preliminary guesses.  The signs that the next change is coming are totally ignored.

In the temperate zones where four very different seasons are the norm, the signs of the changes of seasons are well known and widely noticed.

The signs of the changes in regimes of risks can be well known and widely noticed as well, but only if we start out with a model that allows for regime changes.

Outsourcing Risk

February 16, 2011

Last week the Seattle Times had an incredible story about the ultimate costs of a failed outsourcing strategy at Boeing.

The story quotes Wall Street sources to say that ultimately the failure of outsourcing partners created $12 Billion of extra costs on a project initially planned to cost $5 Billion.

“We spent a lot more money in trying to recover than we ever would have spent if we’d tried to keep the key technologies closer to home,” said Boeing Commercial Airplanes Chief Jim Albaugh.

The story is probably one extreme of bad outsourcing.  In many cases it works out well.  But it is quite likely that firms often make the mistake of ignoring or downplaying risk and uncertainty and only look at cost savings when they make outsourcing decisions.

One simple way to look at the uncertainty is with the 5 point scale from “Getting a Handle on Uncertainty“.  But perhaps because of the “one off” nature of outsourcing, one point should be added to the uncertainty score.

But doubtless, firms who get “comfortable” with outsourcing, get comfortable with a higher degree of uncertainty.

Integrating ERM and Value Based Management

February 15, 2011

from Jean-Pierre Berliet

The global financial crisis has reduced the market capitalization and price to book ratios of property/casualty insurance companies dramatically. According to a study published by Bank of America Merrill Lynch in August 2009, the S&P P/C index was trading at a 1.0 price/book ratio at that time, sharply down from a 1.4 average over the last three years and a 1.6 over the last 20 years. The updated historical valuations report published in August 2010 indicates that the S&P P/C index was trading at a 1.1 price/book ratio at that time. Excluding Progressive, companies in the Merrill Lynch index were trading then at an average price/book ratio of .89. This data suggests that the industry lost credibility with investors in 2008-2009 and has failed so far to persuade them that it is positioned to resume growing profitably in an uncertain rate environment.

Ironically, the crisis started just a few years after rating agencies began to include an assessment of the effectiveness of enterprise risk management (ERM) in their rating decisions and after they had given most insurers passing grades or above. It is clear now that ERM did not prevent a number of insurance companies from overextending themselves. Investors have concluded that risk management failed broadly and is disconnected from business strategy. They are justified in wondering whether risk management frameworks and processes of insurance companies will be more effective in the present lower volume and lower rate environment. Under such expected market conditions, investors are concerned that companies might lack discipline and write business at inadequate rates in order to achieve their premium volume objectives.

More generally, investors are concerned that strategic planning frameworks of many insurance companies are “expected value” focused, and are thus myopic about risk. In addition, investors are also aware that design weaknesses of ERM frameworks cause many executives i) to distrust “ex-post” decision signals provided by risk adjusted management performance metrics and ii) often to ignore resulting decision signals to redeploy capital or optimize asset allocation and reinsurance strategies. The existence of significant weaknesses in strategic planning and ERM frameworks and management processes explains why establishing tight and credible linkages between ERM and business strategy decisions is problematic and why ex-post measurement of risk adjusted performance is not viewed by investors as helpful. Just like the cleaning up of risks that manifested themselves, such as catastrophes and investment losses, ex-post risk management accomplishes only little, too late, and at great cost.

To respond to concerns of investors, insurance companies need to make their strategic planning and ERM frameworks capable of addressing credibly, and in a mutually consistent manner, the risk management issues raised and business strategy decisions impacted by the asymmetrical distribution of the financial results of insurance businesses. Investors believe, in particular, that risk management would create more value if i) risk insights guided the management and deployment of a company’s risk capacity “ex-ante”, that is before insurance policies were bound or investment decisions were made, and ii) strategy decisions about risk assumption and accumulations always took into consideration the adequacy of insurance rates and changes in market volume

These considerations call for the integration of value and risk governance frameworks and management processes in insurance companies. In the absence of such integration, there will be an enduring disconnect between strategy and risk management, and neither value based management (VBM) nor ERM will be credible or effective.

To be effective, the integration framework must recognize that, in insurance businesses, the cost of risk is known only after contracts have expired and related liabilities have run off. This unique peculiarity of loss costs, the raw material of insurance businesses, makes ex-post risk management a contradiction in terms. It places risk issues at the core of strategy development and execution. To achieve the needed integration of ERM and VBM, insurance companies must be careful to develop and establish distinct but tightly aligned:

  • Governance frameworks for VBM and ERM, that specify the respective roles and responsibilities of the Board of Directors, external advisers, and Senior Management with regard to the development and approval of a company’s business mission and strategic plan, including i) the evaluation of risk return trade-offs, ii) the setting of financial objectives, iii) the oversight of strategy execution, and iv) accountability for results
  • Managerial frameworks and processes capable of ensuring alignment of business strategy and risk management decisions across risk types, operational activities and products or markets.

Risk management must not be an afterthought in insurance businesses. An insurance company needs to establish “ex-ante” risk management as an essential foundation for the effective integration of its VBM and ERM frameworks. Ex-ante risk management is based on the observation that, together, risk assumption and accumulation functions in insurance companies are analogous to production in industrial companies. A properly designed risk management framework that supports “ex-ante” management of risk exposure accumulations should help an insurance company:

  • Achieve loss costs and earnings volatility advantages
  • Reduce both the amount and the cost of the capital they require
  • Support effective development and execution of its business strategy

Such possibilities make “ex-ante” risk management concepts and tools and risk capacity management as important to business strategies of insurance companies as scale, equipment and machinery specialization, flexible automation and outsourcing, i.e. production strategy elements, are to business strategies of industrial companies. Notably, ex-ante risk management requires insurance companies to develop and use insights about risks that can provide a competitive advantage. Unlike cost reduction, product or service enhancements or pricing initiatives, risk insights and the underlying ability to compete on analytics, cannot be easily or rapidly duplicated by competitors. They can thus enable insurance companies to achieve more enduring margin improvements and escape for a while the strategic stalemate conditions under which they operate in many businesses.

To restore their credibility, insurance companies need to persuade investors that “ex-ante” risk management will support effective strategy implementation and drive risk capacity deployment, thereby improving financial performance. To accomplish the required alignment of risk capacity management, risk taking and business strategy management, companies need to establish the following three distinct but tightly integrated frameworks for:

  • Measuring and assessing risk capacity utilization
  • Addressing financial risk concerns of external stakeholders
  • Deploying and leveraging risk capacity.

Integration of these frameworks would be effected through development of risk limits by line of business and business segment. Such risk limits would provide an insurance company a means to i) drive and control the deployment of its risk capacity toward uses that are projected to meet the return expectations and risk tolerances of its external stakeholders, ii) develop performance metrics needed to assess risk and return trade-offs of alternative strategies and align risk capacity management and business strategies and iii) improve risk capacity utilization and enhance financial performance.

To establish and use these frameworks, insurance companies need to integrate risk insights that emerge at the intersection of actuarial analysis, underwriting expertise, strategy analysis and financial simulation.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Avoiding Risk Management

February 14, 2011

In the past two years, many firms and many investors have de-risked their world.

On the other hand, there is no shortage of advice that you should never seek to avoid all risk.  Try typing the two words “Avoid Risk” into Google and more than half of the links that come up are discussions of why that is not a good strategy.

But one of the links that is on the first page is from the Chronicle of Higher Education.  The headline is “Most Colleges Avoid Risk Management

So you now have the classic two by two grid of choices:

Each of the four choices has adherents.  But there are pluses and minuses to each choice.

1.  Avoid Risk/Avoid Risk Management – a person or organization can do very well with this choice.  Until – – – they are struck by a risk that they did no know that they were taking.  The only risks that a person who avoids all risk takes are those risk that they are unaware of.  This strategy also requires that the world not change too much.  The largest risk to this choice is the risk that the person or organization will no longer have a viable strategy.  By avoiding risk, they have saved themselves from the agony of failure but also from the joy of successfully developing new strategies – some of which might become the strategy for the future.

2.  Avoid Risk/Risk Management – This was the Mubarak strategy.  It was very successful for 30 years.  Then, suddenly, it stopped working.  It feel victim to the failure to adapt risk which is the second type mentioned above.   But by practicing risk management, he was able to avoid the first risk above – the risk of taking risks unawares.  A firm with a very successful product or business might take up this strategy, seeking to maximize value of that successful strategy.

“People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a years.” – Peter F. Drucker

3.  Take Risks/ Avoid Risk Management – On its face, this choice seems clearly irrational.  However, it is widely practiced and sometimes by people that are held to be highly successful geniuses in their fields.  What we fail to recognize is that some of these folks are simply lucky and the rest might well be geniuses.  The lucky are noticed because of survivor bias.  So if you choose this strategy, you are following in the footsteps of some of the most famous.  And in your own experience, you have probably worked with people who got where they are because of luck.  Someone has to get 8 tails in a row flipping coins.  And if you award a senior vice presidency to everyone who does …

4.  Take Risks / Risk Management – this seems like the most sensible choice.  You are then left with the decision of how to choose the risks that you take and which sort of risk management to practice.  Which are the main topics of this blog.

In my experience, I have found that some people define risk taking as 3 above – that is diving off the board without looking down first.  When they say “you must take risks to get the rewards” they are thinking about the blind risk taking of 3.  I can only suggest that a firm should seek to avoid applying strategy 3 to something on which the survival of the firm depends.

Thanks to Riskczar for the Drucker quote.

Getting a Handle on Uncertainty

February 11, 2011

Frank Knight looked for the reason why firms are able to make a profit (in perfect competition situations that is) and he ultimately decided that firms were paid for UNCERTAINTY.  He then went on to distinguish uncertainty from risk.  Risk is the toss of the dice.  With risk, the frequency & severity distribution of possible outcomes is known.  Uncertainty differs fundamentally from risk because with uncertainty, the future likelihoods are unknown.

You are uncertain, to varying degrees, about everything in the future; much of the past is hidden from you; and there is a lot of the present about which you do not have full information. Uncertainty is everywhere and you cannot escape from it. Dennis Lindley

In risk management, we tend to treat everything as if it were a Knightian RISK and totally ignore UNCERTAINTY. We do our best job of estimating the frequency distribution of gains and losses and treat every best estimate the same.  See Sins of Risk Measurement.

But we can and should make an effort to identify the uncertainty that lurks, to vastly differing degrees within our risk measures.  A simple start to such an effort would be to develop a classification system for UNCERTAINTY.

  1. Almost Totally Certain – like a prediction of time of sunrise.  No experience contrary to predictions and good reason to believe that there will not be a regime change in the event.  Highly unlikely that any human activity will fall into this category.  Humans are just not this predictable.
  2. Highly certain – like a prediction of the Cubs not winning the World Series.  Never happened, but it is possible, but highly unlikely that there will be a regime change.  Things in this category will be things that there is a long amount of historical evidence.  The possibility of a fall in home prices were felt to fall into this category, but the historical evidence turned out to be from one single cycle.  To put something in this category, a firm should have direct experience with the activity in question so that there is insight within the firm about the reasons for the historical drivers of the seemingly highly certain event.
  3. Conditionally certain – Apple will stay successful as long as Jobs stays healthy (oops).  For these sorts of uncertain events, the firm should have a that clear idea of the drivers of a string of predictable experience and an understanding that the driver(s) are not themself highly certain events.
  4. Somewhat uncertain – “Bill says that it takes him 20 minutes to get to the airport” or “it usually takes me 20 minutes to get to the airport but sometimes it is an hour.” Here the firm either has only moderate amounts of experience to judge the actual uncertainty and the event seems to be fairly certain or else the firm has experience and knows that the event is somewhat uncertain.
  5. Unknown uncertainty – “this is the first time I am parachute jumping and I plan to land in my backyard lawn chair.”  Something new.  With only limited knowledge of other people’s experiences and not enough experience to know whether there are significant differences in the drivers.

The first time a firm does an economic capital model, they might classify the result as having Level 5 uncertainty.  Over time, some calculations might move up to Level 4 or Level 3.  In a few areas, the firm might have been doing risk calculations for a particular risk over much longer time and could move up to Level 2 uncertainty there.

But change the question from an estimation of a 1-in-200 risk to a “will this project make money or not” question and is is quite possible that many of the answers might have Level 2 or Level 3 uncertainty.

But firms should try assigning Uncertainty ratings to their efforts.  And track over time the degree to which the firm is devoting resources to projects with Level 5 Uncertainty.

Riskviews has worked for several firms that were over 100 years old at the time and those firms usually were very uncomfortable taking on any Level 5 Uncertainty.  Most often they kept those activities small until they gained experience.  When they went for long periods of time with no Level 5 Uncertainty, however, they tended to shrink relative to the rest of the industry.

On the other hand, the financial crisis was touched off by Banks and other institutions who committed to enough Level 4 and Level 5 uncertainty to send them over the edge.  Investors would certainly be interested to know how much Level 5 Uncertainty that a firm is taking at any point in time.

Using an Uncertainty scale like this and discussing the reasons for changes to the level of commitment to higher uncertainty projects will be a healthy and productive exercise for many firms.

Liquidity Risk Management for a Bank

February 9, 2011

A framework for estimating liquidity risk capital for a bank

From Jawwad Farid

Capital estimation for Liquidity Risk Management is a difficult exercise. It comes up as part of the internal liquidity risk management process as well as the internal capital adequacy assessment process (ICAAP). This post and the liquidity risk management series that can be found at the Learning Corporate Finance blog suggests a framework for ongoing discussion based on the work done by our team with a number of regional banking customers.

By definition banks take a small Return on asset (1% – 1.5%) and use leverage and turnover to scale it to a 15% – 18% Return on Equity. When market conditions change and a bank becomes the subject of a name crisis and a subsequent liquidity run, the same process becomes the basis for a death chant for the bank.  We try to de-lever the bank by selling assets and paying down liabilities and the process quickly turns into a fire sale driven by the speed at which word gets out about the crisis.

Figure 1 Increasing Cash Reserves

Reducing leverage by distressed asset sales to generate cash is one of the primary defense mechanisms used by the operating teams responsible for shoring up cash reserves. Unfortunately every slice of value lost to the distressed sale process is a slice out of the equity pool or capital base of the bank. An alternate mechanism that can protect capital is using the interbank Repurchase (Repo) contract to use liquid or acceptable assets as collateral but that too is dependent on the availability of un-encumbered liquid securities on the balance sheet as well as availability of counterparty limits. Both can quickly disappear in times of crisis. The last and final option is the central bank discount window the use of which may provide temporary relief but serves as a double edge sword by further feeding the name and reputational crisis.  While a literature review on the topic also suggest cash conservation approaches by a re-alignment of businesses and a restructuring of resources, these last two solutions assume that the bank in question would actually survive the crisis to see the end of re-alignment and re-structuring exercise.

Liquidity Reserves: Real or a Mirage

A questionable assumption that often comes up when we review Liquidity Contingency Plans is the availability or usage of Statutory Liquidity and Cash Reserves held for our account with the Central Bank.  You can only touch those assets when your franchise and license is gone and the bank has been shut down. This means that if you want to survive the crisis with your banking license intact there is a very good chance that the 6% core liquidity you had factored into your liquidation analysis would NOT be available to you as a going concern in times of a crisis. That liquidity layer has been reserved by the central bank as the last defense for depositor protection and no central bank is likely to grant abuse of that layer.

Figure 2 Liquidity Risk and Liquidity Run Crisis

As the Bear Stearns case study below illustrate the typical Liquidity crisis begins with a negative event that can take many shapes and forms. The resulting coverage and publicity leads to pressure on not just the share price but also on the asset portfolio carried on the bank’s balance sheet as market players take defensive cover by selling their own inventory or aggressive bets by short selling the securities in question. Somewhere in this entire process rating agencies finally wake up and downgrade the issuer across the board leading to a reduction or cancellation of counterparty lines.  Even when lines are not cancelled given the write down in value witnessed in the market, calls for margin and collateral start coming in and further feed liquidity pressures.

What triggers a Name Crisis that leads to the vicious cycle that can destroy the inherent value in a 90 year old franchise in less than 3 months.  Typically a name crisis is triggered by a change in market conditions that impact a fundamental business driver for the bank. The change in market conditions triggers either a large operational loss or a series of operation losses, at times related to a correction in asset prices, at other resulting in a permanent reduction in margins and spreads.  Depending on when this is declared and becomes public knowledge and what the bank does to restore confidence drives what happens next. One approach used by management teams is to defer the news as much as possible by creative accounting or accounting hand waving which simply changes the nature of the crisis from an asset price or margin related crisis to a much more serious regulatory or accounting scandal with similar end results.

Figure 3 What triggers a name crisis?

The problem however is that market players have a very well established defensive response to a name crisis after decades of bank failures. Which implies that once you hit a crisis the speed with which you generate cash, lock in a deal with a buyer and get rid of questionable assets determined how much value you will lose to the market driven liquidation process. The only failsafe here is the ability of the local regulator and lender of last resort to keep the lifeline of counterparty and interbank credit lines open.  As was observed at the peak of the crisis in North America, UK and a number of Middle Eastern market this ability to keep market opens determines how low prices will go, the magnitude of the fire sale and the number of banks that actually go under.

Figure 4 Market response to a Name Crisis and the Liquidity Run cycle.

The above context provides a clear roadmap for building a framework for liquidity risk management. The ending position or the end game is a liquidity driven asset sale. A successful framework would simply jump the gun and get to the asset sale before the market does. The only reason why you would not jump the gun is if you have cash, a secured contractually bound commitment for cash, a white knight or any other acceptable buyer for your franchise and an agreement on the sale price and shareholders’ approval for that sale in place.  If you are missing any of the above, your only defense is to get to the asset sale before the market does.

The problem with the above assertion is the responsiveness of the Board of directors and the Senior executive team to the seriousness of the name crisis. The most common response by both is a combination of the following

a)     The crisis is temporary and will pass. If there is a need we will sell later.

b)    We can’t accept these fire sale prices.

c)     There must be another option. Please investigate and report back.

This happens especially when the liquidity policy process was run as a compliance checklist and did not run its full course at the board and executive management level.  If a full blown liquidity simulation was run for the board and the senior management team and if they had seen for themselves the consequences of speed as well as delay such reaction don’t happen. The board and the senior team must understand that illiquid assets are equivalent of high explosives and delay in asset sale is analogous to a short fuse. When you combine the two with a name crisis you will blow the bank irrespective of its history or the power of its franchise. When the likes of Bear, Lehman, Merrill, AIG and Morgan failed, your bank and your board is not going to see through the crisis to a different and pleasant fate.

(more…)

Economic Capital Review by S&P

February 7, 2011

Standard & Poor’s started including an evaluation of insurers’ enterprise risk management in its ratings in late 2005. Companies that fared well under the stick of ERM evaluation there was the carrot of potentially lower capital requirements.  On 24 January, S&P published the basis for an economic capital review and adjustment process and announced that the process was being implemented immediately.

The ERM review is still the key. Insurers must already have a score from their ERM review of “strong” or “excellent” before they are eligible for any consideration of their capital model. That strong or excellent score implies that those firms have already passed S&P’s version of the Solvency II internal mode use test — which S&P calls strategic risk management (SRM). Those firms with the strong and excellent ERM rating will all have their economic capital models reviewed.

The new name for this process is the level III ERM review. The level I review is the original ERM process that was initiated in 2005. The level II process, started in 2006, is a more detailed review that S&P applies to firms with high levels of risk and/or complexity. That level II review included a more detailed look at the risk control processes of the firms.

The new level III ERM review looks at five aspects of the economic capital model: methodology, data quality, assumptions and parameters, process/execution and testing/validation.

Read More at InsuranceERM.com

Sins of Risk Measurement

February 5, 2011
.
Read The Seven Deadly Sins of Measurement by Jim Campy

Measuring risk means walking a thin line.  Balancing what is highly unlikely from what it totally impossible.  Financial institutions need to be prepared for the highly unlikely but must avoid getting sucked into wasting time worrying about the totally impossible.

Here are some sins that are sometimes committed by risk measurers:

1.  Downplaying uncertainty.  Risk measurement will always become more and more uncertain with increasing size of the potential loss numbers.  In other words, the larger the potential loss, the less certain you can be about how certain it might be.  Downplaying uncertainty is usually a sin of omission.  It is just not mentioned.  Risk managers are lured into this sin by the simple fact that the less that they mention uncertainty, the more credibility their work will be given.

2.  Comparing incomparables.  In many risk measurement efforts, values are developed for a wide variety of risks and then aggregated.  Eventually, they are disaggregated and compared.  Each of the risk measurements are implicitly treated as if they were all calculated totally consistently.  However,  in fact, we are usually adding together measurements that were done with totally different amounts of historical data, for markets that have totally different degrees of stability and using tools that have totally different degrees of certitude built into them.  In the end, this will encourage decisions to take on whatever risks that we underestimate the most through this process.

3.  Validate to Confirmation.  When we validate risk models, it is common to stop the validation process when we have evidence that our initial calculation is correct.  What that sometimes means is that one validation is attempted and if validation fails, the process is revised and tried again.  This is repeated until the tester is either exhausted or gets positive results.  We are biased to finding that our risk measurements are correct and are willing to settle for validations that confirm our bias.

4.  Selective Parameterization.  There are no general rules for parameterization.  Generally, someone must choose what set of data is used to develop the risk model parameters.  In most cases, this choice determines the answers of the risk measurement.  If data from a benign period is used, then the measures of risk will be low.  If data from an adverse period is used, then risk measures will be high.  Selective paramaterization means that the period is chosen because the experience was good or bad to deliberately influence the outcome.

5.  Hiding behind Math.  Measuring risk can only mean measuring a future unknown contingency.  No amount of fancy math can change that fact.  But many who are involved in risk measurement will avoid ever using plain language to talk about what they are doing, preferring to hide in a thicket of mathematical jargon.  Real understanding of what one is doing with a risk measurement process includes the ability to say what that entails to someone without an advanced quant degree.

6.  Ignoring consequences.  There is a stream of thinking that science can be disassociated from its consequences.  Whether or not that is true, risk measurement cannot.  The person doing the risk measurement must be aware of the consequences of their findings and anticipate what might happen if management truly believes the measurements and acts upon them.

7.  Crying Wolf.  Risk measurement requires a concentration on the negative side of potential outcomes.  Many in risk management keep trying to tie the idea of “risk” to both upsides and downsides.  They have it partly right.  Risk is a word that means what it means, and the common meaning associated risk with downside potential.  However, the risk manager who does not keep in mind that their risk calculations are also associated with potential gains will be thought to be a total Cassandra and will lose all attention.  This is one of the reasons why scenario and stress tests are difficult to use.  One set of people will prepare the downside story and another set the upside story.  Decisions become a tug of war between opposing points of view, when in fact both points of view are correct.

There are doubtless many more possible sins.  Feel free to add your favorites in the comments.

But one final thought.  Calling it MEASUREMENT might be the greatest sin.

ERM News comes in Threes

February 2, 2011

There are three news items about changes to approach by two rating agencies and a regulator.

  1. AM Best announced that they were adding two pages of ERM questions to their Supplemental Ratings Questionnaire (SRQ)
  2. S&P announced that they are now going forward with reviewing internal capital models for consideration in their view of capital adequacy.
  3. The IAIS has adopted an Insurance Core Principal (ICP 16) that requires that all insurance regulators adopt requirements that insurers should perform an Own Risk and Solvency Assessment (ORSA) and the NAIC will be starting to announce their plans for compliance with this in mid-February.

The place for insurers to stand and ignore ERM is shrinking quickly.

But Riskviews has noticed that when you talk people in the insurance industry about ERM, there are at least three different topics that they think about:

  • Economic Capital Modeling – a large fraction of people think that ERM means Economic Capital modeling.  So when they hear that rating agency or regulator wants to hear about ERM, they might say that they do not have one, so there is nothing to talk about.  The S&P announcement confirms their belief.  They read the Best SRQ questions and only see the spots that require numbers, completley ignoring as unimportant the parts about culture.
  • Compliance with rating agency or regulatory requirements.  These three news items are strong motivators for those who think that ERM is compliance.  These folks had heard AM Best asking about ERM, but saw no outcome from that process so they eventually lost interest in ERM themselves.  Now they are back to being interested.  The ORSA idea is confusing to these folks, because they already are doing their compliance regarding capital adequacy.  The ORSA seems like redundant regulation to them.  They do not see the shift of responsibility from the regulator to the board and management that is fundamental to the ORSA idea.
  • Management decision making.  These firms are using ERM to enhance their decision making processes.  They hear these announcements and are annoyed at the additional distraction from the real risk management.  Some of them will not change what they are doing at all to enhance their “score” with the rating agencies or regulators.  There is too much of the firm;s real value at stake to risk changing their risk management program to suit these outsiders who do not know much about the company or its risks.

The news comes in threes and the reactions comes in threes as well.


%d bloggers like this: