## Archive for March 2011

### Modeling Uncertainty

March 31, 2011

The message that windows gives when you are copying a large number of files gives a good example of an uncertain environment.  That process recently took over 30 minutes and over the course of that time, the message box was constantly flashing completely different information about the time remaining.  Over the course of one minute in the middle of that process the readings were:

8 minutes remaining

53 minutes remaining

45 minutes remaining

3 minutes remaining

11 minutes remaining

It is not true that the answer is random.  But with the process that Microsoft has chosen to apply to the problem, the answer is certainly unknowable.  For an expected value to vary over a very short period of time by such a range – that is what I would think that a model reflecting uncertainty would  look like.

An uncertain situation could be one where you cannot tell the mean or the standard deviation because there does not seem to be any repeatable pattern to the experience.

Those uncertain times are when the regular model – the one with the steady mean and variance – does not seem to give any useful information.

The flip side of the uncertain times and the model with unsteady mean and variance that represents those times is the person who expects that things will be unpredictable.  That person will be surprised if there is an extended period of time when experience follows a stable pattern, either good or bad or even a stable pattern centered around zero with gains and losses.  In any of those situations, the competitors of that uncertain expecting person will be able to use their models to run their businesses and to reap profits from things that their models tell them about the world and their risks.

The uncertainty expecting person is not likely to trust a model to give them any advice about the world.  Their model would not have cycles of predictable length.  They would not expect the world to even conform to a model with the volatile mean and variance of their expectation, because they expect that they would probably get the volatility of the mean and variance wrong.

That is just the way that they expect it will happen.   A new Black Swan every morning.

Correction, not every morning, that would be regular.  Some mornings.

### It’s the Jobs, Stupid

March 29, 2011

Some time ago, economists noticed that people, or consumers in their terminology, are important to the economy.

What would we see if we assumed that it is not markets, or traders, or businesses, but people that was the only important factor in understanding the economy?

Here are some thoughts:

• The Great Depression was a symptom of a problem that people had.  That problem was that there was no place in the economy for a large fraction of the population.  The introduction of the tractor and the combine harvester greatly improved the productivity of agriculture.  The flip side of productivity is a reduction in the need for laborers.  The massive unemployment of the Great Depression was not due to an irrational contraction in demand.  There was a rational contraction of jobs.
• The efforts to stimulate economic activity during the depression failed because there was literally nothing for the vast numbers of unneeded farm workers to do.  Nothing that they had the training or the experience doing.
• When WWII came, the war effort resulted in America becoming the factory of the Allied efforts.  Americans were trained en mass to work in the modern factories.  This changed the labor situation in the US drastically.
• During WWII, the other large advanced economies in the world destroyed each other’s economies.  When the war was over, the American economy was able to quickly switch over to peacetime manufacturing and the global competition was busy rebuilding.  So America had a period of time to create a huge lead in its capabilities.  The manufacturing economy created great wealth and when the European and Japanese economies came back up to speed, there was more than enough for all to be wealthy.
• Starting in the 1990’s another wave of productivity enhancement started with the internet and other electronic media.  At the same time, many of the advanced manufacturing jobs started to shift to China as it opened up to trade with the outside world.  The China wage for manufacturing was originally 10% of the American wage for manufacturing work.  India did the same for office work providing a source of office labor at 25% of the American wage.
• In the first decade of 2000, the housing boom masked the situation.  Many people found that they had enough wealth to spend for what they wanted from the inflated values of their homes.  Many people were employed in the housing construction business, building homes that were ultimately found to be unwanted.  White collar jobs were also created by the housing boom selling houses and processing the mortgages that turned out to be so, so bad.
• The Financial Crisis can be seen as another situation like the Great Depression.  There are no jobs for a large fraction of the population in several countries including the US.  Without jobs, because there is not enough work in those economies for their skills.
• The unemployment problem will be not be solved by simple stimulus.  The manufacturing and construction skills of a large segment of the working age population are no longer valuable enough to support a middle class lifestyle in the advanced economies.
• At the same time, there is a demographic issue.  Well known.  The retiring Baby Boomers may cause a major shift of spending further away from investing and into consumption.  Satisfying their needs will probably solve the short term employment issues in the economies of all of the advanced nations.  Growth of economies has been driven in part by growth of populations.  There is no model for operating a segment of the world economy with a shrinking population that is favorable to that segment.
• The advantage that America had because of WWII has by now completely dissipated.

This related to risk and risk management because of the relationship between leverage and risk.  One of the solutions that has been a reaction to the slow growth is leverage.  And slow growth plus leverage is the recipe for disaster.  More on the relation of risk and leverage in another post.

### Systems of Controlling

March 28, 2011

The four methods of controlling chart above can be very helpful to envision ways to improve risk management control systems.  A control system can use one or several of these methods.  But first it might require a little translation:

1. Contrived Randomness – choosing by lots does not seem to be a control method, but in fact it is a part of a method that is used every day in almost every business.  Contrived randomness is usually used along with another of the control techniques.  Instead of constantly applying the other control processes, they are applied in a random fashion.  It is easy to imagine how the contrived randomness is vital to cost effective and just plain effective controlling.  If Oversight, for example, is used for controlling on a constant basis, it is very costly, requiring review of every single outcome.  However, if the Oversight is applied regularly, say every 10th event, then the cost is reduced by 90%, but the effectiveness is also reduced by up to 90%.  That is because the person who is being overseen can easily adjust to comply with the control process only on every 10th event and fail to comply the other 9 times without the control process noticing.  Using a random schedule means that a person seeking to avoid the effort of compliance is at much higher risk of being caught by oversight.  And even better, BF Skinner found that intermittent reinforcement provided by positive situations found in random inspections can have much higher impact on creating favorable habits than regular or even constant reinforcement.  The chart also suggest rotation of staff.  This part of the Contrived Randomness approach to controlling is seen in the efforts by banks to control fraud by shifting employees and especially by doing more thorough audits during employee vacations, which is again a combination of randomness and Oversight.
2. Mutuality – When Mutuality is used as a control system, it sometimes uses peer review, in addition to processes that involve partnering.  The partnering process can be very expensive, or it may save time and money depending on the process.  When the partnering involves two people doing what one might have done, then the extra cost is obvious.  In fact, the cost might well be more than double for a two person term because of the degree in interaction between the partners that might add time to the tasks.  This must be offset by an increase in effectiveness, quality or continuity for the doubling of resources to make sense.  But the control system application of peer review is very common.  The peer review can be at several possible levels – the peer can be doing a very high level check – “does this make sense?”  Or they can be doing a more thorough review.  Or the peer can be trying to totally independently reproduce the work being reviewed.  In addition, the decision must be made of the frequency of the peer review.  The same ideas expressed above about intermittent reinforcement apply to peer review.
3. Oversight – monitoring from a supervisory position is the most common form of control.   The supervisor is the most natural candidate for the type of oversight that is needed.  It means broadening the supervisor’s role to go beyond the accomplishment of the primary objective of the unit to also include the controlling objectives.  The downside to this method is the dilution of the supervisor’s attention distracting them from the accomplishment of the primary objective.  In addition, there is the potential mismatch of skills and talents.  In some cases, the primary objective and the controlling objectives require very different methods and skills.
4. Competition – Competition is another technique that  may be difficult to imagine as a control method.  And what is needed to make competition a controlling system is openness of information about the activities that are to be controlled.  For different members of a team to compete, they need to know what and how the others are doing.  This openness is not very common.  But one of the objectives of the open office movement is the free controlling that automatically comes in the open environment.  Some firms do use Competition through a totally open system of managing where all members of a unit know about what every other member is doing.  Control breaches then can only happen if the entire unit agrees that they are necessary.

Many would think that Oversight is the main form of controlling.  Hopefully, this post will expand your view to include these other options.

### What’s Next?

March 25, 2011

Turbulent Times are Next.

At BusinessInsider.com, a feature from Guillermo Felices tells of 8 shocks that are about to slam the global economy.

#1 Higher Food Prices in Emerging Markets

#2 Higher Interest Rates and Tighter Money in Emerging Markets

#3 Political Crises in the Middle East

#4 Surging Oil Prices

#5 An Increase in Interest Rates in Developed Markets

#6 The End of QE2

#7 Fiscal Cuts and Sovereign Debt Crises

#8 The Japanese Disaster

How should ideas like these impact on ERM systems?  Is it at all reasonable to say that they should not? Definitely not.

These potential shocks illustrate the need for the ERM system to be reflexive.  The system needs to react to changes in the risk environment.  That would mean that it needs to reflect differences in the risk environment in three possible ways:

1. In the calibration of the risk model.  Model assumptions can be adjusted to reflect the potential near term impact of the shocks.  Some of the shocks are certain and could be thought to impact on expected economic activity (Japanese disaster) but have a range of possible consequences (changing volatility).  Other shocks, which are much less certain (end of QE2 – because there could still be a QE3) may be difficult to work into model assumptions.
2. With Stress and Scenario Tests – each of these shocks as well as combinations of the shocks could be stress or scenario tests.  Riskviews suggest that developing a handful of fully developed scenarios with 3 or more of these shocks in each would be the modst useful.
3. In the choices of Risk Appetite.  The information and stress.scenario tests should lead to a serious reexamination of risk appetite.  There are several reasonable reactions – to simply reduce risk appetite in total, to selectively reduce risk appetite, to increase efforts to diversify risks, or to plan to aggressively take on more risk as some risks are found to have much higher reward.

The last strategy mentioned above (aggressively take on more risk) might not be thought of by most to be a risk management strategy.  But think of it this way, the strategy could be stated as an increase in the minimum target reward for risk.  Since things are expected to be riskier, the firm decides that it must get paid more for risk taking, staying away from lower paid risks.  This actually makes quite a bit MORE sense than taking the same risks, expecting the same reward for risks and just taking less risk, which might be the most common strategy selected.

The final consideration is compensation.  How should the firm be paying people for their performance in a riskier environment?  How should the increase in market risk premium be treated?

See Risk adjusted performance measures for starters.

More discussion on a future post.

### Infrastructure Risk – Too High

March 23, 2011

The American Society of Civil Engineers has produced a reportcard on the state of the infrastructure in the US.

The good news is that the richest country in the world did not flunk.

The bad news is that the overall average grade is a D.

Now Warren Buffet reminds us that you shouldn’t expect an unbiased answer if you ask a barber whether you need a haircut.  And in this case, the civil engineers would benefit significantly from an increase of attention to infrastructure.

But let’s look at the sorts of suggestions that they make.  Many of them can be generalized to other areas of risk. (Paraphrased by Riskviews)

• Encourage risk reduction/management programs
• Use the best of current science rather than continuing to follow science from many years ago
• Develop emergency action plans
• Develop maintenance standards
• Establish plan to fund needed improvements in risk management
• Evaluate specific impact of failure to improve risk management
• Educate stakeholders regarding above
• Establish a regular review process

In the case of infrastructure, there is a recognized lifespan of the systems and a continual deterioration expected.

Risk systems in general are not thought of as wasting assets, but perhaps that is simply because risk management is so new.

Perhaps even the firms that have achieved the point of a full and integrated set of risk management systems should think of the useful life of those systems.

“The principal reason we have train crashes is a lack of investment in rail infrastructure – and the reason we have systemic crises is a lack of investment in financial infrastructure.”  Hugo Bänziger, in the FT

The money will always be there to keep funding innovations in the way that risk is added to a firm.

### Where to Draw the Line

March 22, 2011

“The unprecedented scale of the earthquake and tsunami that struck Japan, frankly speaking, were among many things that happened that had not been anticipated under our disaster management contingency plans.”  Japanese Chief Cabinet Secretary Yukio Edano.

In the past 30 days, there have been 10 earthquakes of magnitude 6 or higher.  In the past 100 years, there have been over 80 earthquakes magnitude 8.0 or greater.  The Japanese are reputed to be the most prepared for earthquakes.  And also to experience the most earthquakes of any settled region on the globe.  By some counts, Japan experiences 10% of all earthquakes that are on land and 20% of all severe earthquakes.

But where should they, or anyone making risk management decisions, draw the line in preparation?

In other words, what amount of safety are you willing to pay for in advance and what magnitude of loss event are you willing to say that you will have to live with the consequences.

That amount is your risk tolerance.  You will do what you need to do to manage the risk – but only up to a certain point.

That is because too much security is too expensive, too disruptive.

You are willing to tolerate the larger loss events because you believe them to be sufficiently rare.

In New Zealand,  that cost/risk trade off thinking allowed them to set a standard for retrofitting of existing structures of 1/3 of the standard for new buildings.  But, they also allowed 20 years transition.  Not as much of an issue now.  Many of the older buildings, at least in Christchurch are gone.

But experience changes our view of frequency.  We actually change the loss distribution curve in our minds that is used for decision making.

Risk managers need to be aware of these shifts.  We need to recognize them.  We want to say that these shifts represent shifts in risk appetite.  But we need to also realize that they represent changes in risk perception.  When our models do not move as risk perception moves, the models lose fundamental credibility.

In addition, when modelers do things like what some of the cat modeling firms are doing right now, that is moving the model frequency when people’s risk perceptions are not moving at all, they also lose credibility for that.

So perhaps you want scientists and mathematicians creating the basic models, but someone who is familiar with the psychology of risk needs to learn an effective way to integrate those changes in risk perceptions (or lack thereof) with changes in models (or lack thereof).

The idea of moving risk appetite and tolerance up and down as management gets more or less comfortable with the model estimations of risk might work.  But you are still then left with the issue of model credibility.

What is really needed is a way to combine the science/math with the psychology.

Market consistent models come the closest to accomplishing that.  The pure math/science folks see the herding aspect of market psychology as a miscalibration of the model.  But they are just misunderstanding what is being done.  What is needed is an ability to create adjustments to risk calculations that are applied to non-traded risks that allow for the combination of science & math analysis of the risk with the emotional component.

Then the models will accurately reflect how and where management wants to draw the line.

### Risk Manager Survey of Emerging Risks

March 21, 2011

“There is currently an upsurge in management’s willingness to listen to risk managers.”   But Risk Managers consistently show a disturbing tendency towards projecting the next crisis from the last.  Now in its fourth year, the Emerging Risks Survey from the Joint Risk Management Section and conducted by Max Rudolph.

Emerging risks are risks that are evolving in uncertain ways, have been forgotten in their dormancy, or are new.  Emerging risks typically do not have a known distribution, that is their frequency is unknown.

In 2007, a shock to oil prices was seen as the top “emerging risk” in the first survey of risk managers.  That year had seen a major spike in oil prices.  In 2008, a blow-up in asset prices was identified as the top “emerging risk” immediately following the melt down of the sub prime market and a major drop in stock prices.  In 2009, a fall in the value of the US dollar was identified as the top “emerging risk” at the end of a year when many major currencies had strengthened against the dollar.  The new 2010 survey, released this week, indicates again that a fall in the US dollar is the top “emerging risk”.

If in fact these risk managers are advising their employers in the same way that they answer surveys, firms will continue to be well prepared for the last crisis and unprepared for the next one.

However, when asked to identify the single top emerging risk concern, a Chinese economic hard landing was the top pick with 14% of the respondents selecting that choice.  That is certainly a scenario that has not just recently happened.  So at least 14% of the respondents are doing some forward thinking.

March 18, 2011

The ninth ERM Symposium in Chicago was the crossroads of ERM for a few days.

Heard there:

• The Financial crisis was not the failure of regulators, except perhaps the OTS.
• Compliance culture of risk management in banks contributed to the crisis
• 85% of bank losses were from the structured finance area.
• Securitization was 30 years old, but there was a quantum jump of complexity.
• Banks were supposed to have been sophisticated enough to control their risks.
• Discussion of subsidization of housing was broadly blamed.
• Riskviews suggests that only a tiny part of the fault is with housing policy.  Rest is simply finger pointing at best and deliberate misdirection at worst.  Losses and problems in banks were 400% or more higher than actual losses in mortgages, possibly 1000% or more higher.  Severe losses resulted from using housing as the basis for gambling.  They could have just as easily have bet on rainfall.  Then would they blame the weather for the losses?  Securities in play far exceeded the amount of mortgages.  And the multiple layers of bets concentrated on the worst stuff.
• Regulators need to keep up with innovation and excessive leverage from innovation.
• Riskviews:  No evidence that regulators have even started to deal with excessive leverage except in the crudest manner.  It is still possible to derivatives to skip right past leverage rules.  If you can replicated a highly levered position with a derivative position, then the derivative position IS A HIGHLY LEVERED POSITION.
• German regulator requires that banks have a Risk Controller who reports directly to the board.
• ERM is not an EASY button from Staples.
• Energy firms that had excessive trading losses were allowed to fail.
• Banking suffered from concentrated opacity.
• The board has to challenge management about risk.  Masters of the Universe approach or the smartest guys in the room tries to intimidate the board into feeling too stupid if they ask any questions.
• There will need to be major cultural changes for ICAAP/ORSA to be effective.
• Many banks and insurers should be failing the use test for ERM regulation to be effective.
• Stress testing is becoming a major tool for regulators.
• European regulators could not apply real stress tests because that would have meant publicly asking banks to look at a scenario of major sovereign defaults in Europe.
• Regulators need to be able to pay competitive market salaries
• Cross boarder collaboration among regulators has broken out.
• Difficult for risk managers to operate under multiple constraints of multiple regulators, accounting systems.
• Riskviews: It would be much faster to reach wrong conclusions if there were only one system to worry about.  That is not the way to go if there is really a concern about risk.  The multiple points of view encourage true understanding of the underlying risks.
• Banks are natural oligopolies
• Nice tree/forest story:  Small trees take resources from the forest.  Large trees shade smaller trees making it harder for them to get sunlight.  Old trees die and fall crashing through the forest taking out smaller trees.
• Riskviews:  This story illustrates to me that there is too much worry and manipulation to try to fix short term issues.  Natural processes work fairly well.  But interference has allowed a few trees to grow so large that little else can gro making the forest unhealthy.  Solution is to trim largest trees and plant/encourage new smaller trees.
• Things that people say will never go wrong will go wrong.
• Compliance should be the easy part of ERM, not the whole thing
• Asking dumb questions should be seen as good for firm.  10th dumb question might reveal something that no one else saw.
• There is a lack of imagination of adverse events.  US has cultural optimism.  Culture is risk seeking.
• Swiss approach to regulating banks is for their banks to hold the most capital.  Credit Swisse has signaled that they will seek lower return on capital.  Using that as marketing advantage – they are the most secure banks.
• 90% of Risk Management professionals believe that Dodd Frank will push the risks of the financial system out of regulated banks into unregulated financial enterprises. (Hedge Funds)
• Trade-off between liquidity and transparency is not true
• Requirements to post collateral may not increase costs at all for non-financial firms.  The dealers were changing them for the lack of collateral.  Prices may go down net of all costs.
• Bear Stearns was well capitalized.
• People understand and prefer principles based regulation.  But when trust is gone everything moves towards rules.
• Riskviews:  MTM should be adjusted for illiquidity.  Much larger adjustment than being contemplated for illiquid insurance liabilities.  Need to compare position size to trading volume.  If position is much larger than trading volume then liquidity adjustment needs to reflect possible price movements during the time needed to liquidate.
• Many CROs have been given the role of minimizing capital required for the firm.
• Insurers are moving rapidly to the bank model for this.
• The range of ERM practices are narrowing
• Riskviews: Narrow range of practices is only a good thing if the next large risk event is cooperative with practices that everyone is using.  Diversity is much, much healthier.
• Need to get rid of arb between trading and banking books in banks.
• FSA wants the whole world on one standard
• Riskviews: Solves one problem.  Creates another that is doubtless much, much larger.
• Difficult to explain decisions when there are multiple accounting and regulatory systems.
• Investors need to do their own due diligence
• Counterparties are not your friends.
• Supervisors need to learn to say no.
• Caveat Emptor
• Riskviews: Modern US society has moved in the opposite direction of Caveat Emptor.  It is always someone else’s fault.  Risk Management needs to overcome this tendency.
• Businesses need to learn to say no to non-core activities, no matter how good they look.  They usually do not have the expertise to really examine them, not to manage them.
• A risk metric that makes you more effective makes you special.
• Reduction of ROE target would take off pressure to take excessive risks.
• Regulators put 80% weight on model and 20% weight on judgment.  Should be the other way around.
• We have shifted to being too focused on risk, need to balance business need for returns.
• There will be unintended consequences from the major shifts in regulation.
• Must not freeze in a crisis.  Need to act and act approximately correctly.
• Moral Hazard was a major issue.  Some people should be put in jail because of the crisis.
• Riskviews: The losses to bank executives and employees were enormous.  People look at salaries of remaining bankers, forgetting that there are now 10% to 20% less of them.  Shareholders of Citi are still off 90% from the peak.  Execs whose net worth was largely in stock holdings and stock options are still out quite a large amount of money.  Riskviews has trouble understanding the moral hazard argument.  It does not match up well with any facts except the bail outs.  Moral hazard ONLY seems to have impact on creditors of banks.  Not unimportant but not the largest driver in bank activities.
• SIFI do get GSE level cost of borrowing.
• Riskviews: My question is why it is good public policy for monetary policy to transfer so much money to the shareholders and employees of banks?  They have been able operate at approximately zero cost of goods sold for four years now.  Their lending rates do not pass all of those savings along.  Why does it make sense for the banks to find themselves to be so smart and well paid when they are being totally supported by monetary policy.  In any other business you would have to be totally brain dead to not succeed if someone gave you your raw materials for free.
• More market discipline is needed.
• Riskviews:  AMEN

### Risk Policy

March 14, 2011

A risk policy specifies which risks a company will be willing to assume and which risks it will not. The risk policy of an insurance company focuses on:

• creating and protecting shareholders’ value from the volatility of its financial results, and
• containing the impact of this volatility on the cost of its capital and thus also, the cost of its risk capacity

Since insurance contracts involve assumption of insurance and investment risks, risk policies of insurance companies must include distinct insurance and investment components.

Insurance risk policy

To develop its insurance risk policy, a company needs to takes into account its ability to establish and sustain a competitive advantage by leveraging superior capabilities (e.g. underwriting expertise, claim management, risk management, etc.).  It must evaluate the attractiveness of individual insurance markets based on analysis and assessment of key factors that shape business strategy, including:

• Market structure and characteristics (size in premium revenue, number of accounts, distribution of exposures by location, industry, etc.)
• Revenue growth potential
• Business acquisition and underwriting expenses
• Changes in customer needs and value perceptions
• Assessment of relative competitive positions
• Loss frequency and severity, and expected loss ratio
• Correlations with macro economic factors (e.g., inflation and GDP growth rates), and other markets served by the company.
• Systemic insurance risk
• Availability, cost  and anticipated use of reinsurance

Insurance companies can use data available from public and private sources (e.g., brokers) to estimate the level and volatility of revenues and earnings associated with specific exposure types, i.e. to develop an “ex-ante” assessment of the risks it considers accumulating. The underlying loss distributions can then be used to develop estimates of i) capital intensity, ii)  the impact of the accumulation of specific exposures on the company’s risk profile, iii) the utilization of its risk capacity and iv) financial performance under alternative risk policies. In every situation, there is a need to verify that a company’s capital and earnings base are sufficient relative to limits written and the probable maximum loss of the portfolio to protect the company’s ratings and ensure the viability of the company as a going concern.

Investment risk policy

The investment risk policy needs to address the following two effects of investment value volatility that might cause:

• The absolute market value of invested assets to fall in a given time period, thereby reducing available capital and risk capacity
• Changes in the market value of invested assets relative to the value of liabilities that increase the volatility of the company’s capital position, thereby  also increasing the probability of downgrading, or of intervention by regulators in company management

These effects of investment value volatility are addressed through reinsurance and asset strategies that contain the volatility of net assets. Insurance companies determine the extent and manner in which these strategies can be optimized, and supplemented in certain cases by arrangement of back-up lines of credit, through analysis of the volatility of their cash flows, taking into consideration the execution of their strategy, the potential liquidity and value volatility of their invested assets and the payment patterns of their liabilities. Note that liabilities of insurance companies, unlike bank demand deposits and overnight funding, are a source of relatively stable funding. Many companies take investment positions that take advantage of this relative illiquidity to create value.

The objective of an investment risk policy is to guide management in ascertaining when, to what extent and how a company should deviate from investing in a portfolio that replicates its liabilities. Its investment risk policy, at a minimum, should specify:

• Which asset classes are permissible, by type, rating class, liquidity, etc.
• Which risk types may be assumed to enhance returns, given a company’s risk capacity (e.g. interest rate, credit, inflation, currency, beta, idiosyncratic, liquidity, etc.)
• How much of the assets may be invested in alternative assets, including illiquid positions (e.g. venture capital, real estate, hedge funds, funds of funds, etc.)
• Guidelines for diversification within and between asset classes
• How much volatility in investment income and portfolio value is consistent with the  respective solvency and value risk tolerances of the company’s stakeholders
• Guidelines for using hedging strategies, and controlling counterparty risk

To develop this policy, a company needs to simulate the impact of alternative guidelines in relation to liabilities and the risk capital consumed, assess their contribution to economic objectives, and identify the range of acceptable asset allocations and strategies. Ultimately, the policy should provide a framework within which a company can determine how much of its return to seek through investment in risk-free instruments, or instruments that provide extra “market return” (beta) or even additional skill-based returns (alpha).

Revision of risk policy

Although it is widely recognized that an insurance company needs to develop its risk policy when it starts operating, there is no consensus on how often an established company needs to revise its risk policy.

Many insurance companies review their risk policy when they are contemplating an acquisition or entering a new business. Because such decisions can have a significant impact on their risk profile, companies often perform detailed pro-forma actuarial analyses to develop the risk insights they need before making a commitment. However, when no significant change in business portfolio is contemplated, insurance executives are often reluctant to invest time to revisit their company’s risk policy.

The recent crisis suggests, however, that there is hardly any activity of greater importance to the survival and success of insurance companies.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

### ERM Events from Sim

March 12, 2011

SimErgy ERM Boot Camp
June 6-8, 2011
This practical hands-on program is designed to give participants tangible skills that can be applied immediately to successfully implement ERM. It uses a stimulating and dynamic combination of lectures, individual and group exercises, and case studies. The program is led by Sim Segal, FSA, CERA, and is based on his new book, Corporate Value of Enterprise Risk Management, his consulting experience, and his MBA/EMBA course at Columbia Business School.

The 10 Key ERM Criteria (Webinar)
May 25, 2011, 12:15pm – 1:15pm Eastern
A persistent issue in ERM is the lack of accepted ERM standards. This webinar presents 10 key criteria that define best practices and which can be used as a standard benchmark to evaluate the robustness of any ERM program. We will discuss common industry practices and evaluate them against each of these criteria. Speaker: Sim Segal, President, SimErgy Consulting

Five Keys to Successful Risk Identification (Webinar)
June 22, 2011, 12:15pm – 1:15pm Eastern
Risk identification is the first step in the ERM process cycle. Most assume that by now common practice must have evolved into best practice. However, this is not so. This webinar reveals the critical mistakes routinely made in risk identification that can derail the ERM process, and the five keys to successfully avoiding them. Speaker: Sim Segal, President, SimErgy Consulting

Thursdays, 12:15pm Eastern
SimErgy introduces an innovative medium for ERM discourse: a weekly radio program. Premiering March 31st, Risk Radio, airs Thursdays at 12:15pm Eastern. Hosted by SimErgy president Sim Segal, Risk Radio follows a talk radio format with 30 minutes of topical discussions on ERM. Occasional guests are featured and listeners may call in.

Also, See Sim’s new book at https://www.simergy.com/ermbook.html

### ERM Questions for US Insurers

March 10, 2011

A.M. Best added a Supplemental Rating Questionnaire (SRQ) for insurers at the end of 2010. While it will provide interesting information that will aid the analyst develop questions for a face-to-face meeting, the mainly checklist format will limit its value. A better option would be for a company to utilize this SRQ to develop an internal risk management report that could be presented to the board and external stakeholders much as insurers generate an investment management report. The A.M. Best checklist could be a by-product of this process. A.M. Best’s statement that “each company’s need for ERM is different” is absolutely correct. Organizations with complex and varied product mixes should spend their time understanding both the silo risks and the interactions between those silos. Going into 2006 insurers (and rating agencies) did not have leading indicators in place to monitor housing prices, yet that proved to be the driver leading to the financial crisis. There is little in this questionnaire that is forward looking toward new and emerging risks.

### Concentration

The questionnaire does not do enough to focus on concentration of exposures. No credit is awarded for a diversified group of independent risks. There is also no mention of counterparty risk with reinsurers. The financial crisis left reinsurers ever more entangled, and if one ever experiences financial difficulties a contagion effect could drag quite a few down with them. If that happens there is no reason to think that insurers would not batten down the hatches as banks did with their loan portfolios. Insurers should have a contingency plan for this possibility, along with performing other stress tests and board discussions.

### Key Risk Indicators

The questionnaire refers to reporting risk metrics. This should be more specific. Financial statements do a pretty good job of reporting lagging indicators such as revenue and net income. What would be more useful when managing risk are leading indicators. What metric can I look at today to anticipate future revenue? Keeping track of metrics such as agent retention, applications received, or unemployment will allow the line manager to better understand the business line and the risk manager to better identify potential risks. Today, many insurers are developing this process but it is still evolving.

### Risk Culture

In the risk culture section of the questionnaire, terms such as risk/return measures and reporting risk jump out at me. Not all risks can be measured, and many can’t be measured accurately. That does not mean they can’t, and certainly does not mean they should not, be managed. Examples would include the likelihood and severity of civil unrest around the world. It is not important to judge precisely how likely these events might be, but it is important to think about how you might react if such an event does occur. Options are generally limited after an event occurs, and time is often the critical factor. Reporting risk means many things to many people. It would be preferred to have a dialogue about risks, using a written report as a starting point.

### Identifying Risks

In the Risk Identification/Measurement/Monitoring section of the questionnaire, A.M. Best asks “Who is the most responsible for identifying material risks to the company’s financial position?” This seems to be a no-win question, as no matter who is listed shortcomings will be associated with it. If you list the CEO, then the CRO is short-changed. If you list the CRO, the line managers wonder what their role is. Perhaps a better question would be to ask who is responsible for consolidating risks and looking at them holistically, scanning for emerging risks as well. It will be interesting to see what A.M. Best does with the table considering the largest potential threats to financial strength. There is no consistent approach to estimated potential impact. Two companies with the exact same exposure to a risk might report vastly different dollar figures. The higher number might be generated by the organization that better understands the risk.

### Economic Capital

The most interesting question to me would be to ask how independent of results are the modelers? Who do they report to? How is their bonus determined? My perception is that there is subtle pressure put on modelers to hit certain results and that they should understand their models well enough to know which levers to pull that won’t raise a warning flag. At this point there is no audit requirement for an economic capital model.

### Forward Looking

Missing in this questionnaire, as well as the NAIC’s Risk Focused Examinations, is a view of the future. In my opinion, if there is not an immediate solvency issue then the most interesting question is what could impair this organization in the future. For many insurance firms this will be related to selling profitable products and being flexible. It is hard to find distribution without giving away either options or returns. Consolidation in the insurance industry is likely. How many companies have considered their competitive position is their competitors merge? For distressed firms it is rarely a previously managed risk that takes them down. What environmental scanning is being done? What Risks are you Worried about Today? Risks that could be included in this type of analysis would be considered stress tests by many, but how many organizations would share more than they think their competitors are sharing? Here are some risks to ponder, along with their unintended consequences, in no order.

• Low interest rate environment is replaced by an inflationary shock
• A new competitor enters the insurance market with a known and trusted brand and new distribution channel (WalMart comes to mind)
• A reinsurer becomes insolvent due to investment losses, stressing other reinsurers.
• The insurance industry experiences higher trending mortality, with a flurry of 30-50 deaths due to obesity
• Climate change results in changing weather patterns, with more volatile weather and crop patterns
• A consolidator enters the industry, generating economies of scale that reduce potential returns by 2%.
• Infrastructure around the world ends its useful lifetime and is not replaced.
• Water wells are drilled in developed countries by farmers and local communities to access an aquifer.
Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck! Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!

### Chief Mitigation Officer

March 9, 2011

Does your firm have a place for a Chief Mitigation Officer?  What is a mitigation officer, you ask?  Here is an excerpt from a job description from the CEA.

The Chief Mitigation Officer (CMO) will be responsible for the California Earthquake Authority’s (CEA) educational outreach efforts, collaborating with research institutions, and leading efforts to develop financial incentives to encourage seismic-risk mitigation.  The unique nature of the CEA’s public/private structure requires strong leadership capable of leading people and projects, and executing responsibilities through skillful collaboration, coordination and communication.   As a member of the executive management team, reporting directly to the Chief Executive Officer, the CMO will perform mitigation-project oversight as follows:

Duties / Responsibilities

۰    Manage statewide residential-retrofit programs designed to help California homeowners make their homes more resistant to earthquake damage and serve as the Executive Director of the California Residential Mitigation Program, a statutory Joint Powers Authority created for mitigation funding purposes.

۰    Develop programs aimed at educating the public on the importance of earthquake loss mitigation through multiple channels, including CEA participating insurers and the residential construction industry.

۰    Work with academic institutions, nonprofits, the residential construction industry, earthquake related research groups in both science and engineering, and other stakeholders to support mitigation-related research and educational activities, along with local, state and federal agencies to further California’s residential earthquake preparedness, protection and mitigation goals.

۰    Oversee programs providing financial assistance (loans, grants, rebates, or other financial incentives) that help homeowners with structural and contents retrofitting of their homes.  Contribute to the CEA’s ongoing efforts to establish justifiable mitigation premium discounts for CEA policyholders who make approved retrofit improvements to their homes.

Riskviews thinks that the idea has possibilities.  A different framing for some of the key activities in the risk management area.  Perhaps have two senior risk related positions, risk mitigation and risk evaluation.

For the Risk Mitigation, another firm might want to strongly downplay the outreach aspects that the CEA has a strong interest in.

Instead, The Chief Risk Mitigation Officer might be in charge of Risk Management Actions.

### Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But they really are struggling with is either a lack of clear objectives or with unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the join responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieve diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one that they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

### Assessing Risk Capacity Utilization

March 7, 2011

In practice, the risk tolerance constraints (i.e. maximum expected default probability at the company’s target rating) of rating agencies determine the minimum amount of capital that a company needs to secure the rating it needs to execute its strategic plan on a going concern basis. When a company’s available capital is higher than this minimum, the company uses a fraction of its risk capacity, equal to the ratio of this minimum amount to available capital. If available capital is lower than this capital requirement, the ratio becomes greater than one; the company is overextended and needs to take corrective action.

In this discussion, we are deliberately refraining from using “economic capital” as a measure of capital utilization, capital availability, risk capacity or risk capacity utilization because the term “economic” can have several distinct meanings that create confusion. We focus on measures of capital and risk capacity that can provide robust guideposts for making decisions about management and deployment of a company’s risk capacity, in relation to its available capital.

The figure below displays how the proposed risk capacity and capital concepts interact with each other and provide a framework for an insurance company to assess the adequacy of its risk capacity and its capital as well as determine its risk appetite. It sets out a framework that links the principal uses of an insurance company’s total available capital, to strategic drivers of capital and risk capacity utilization. Under this framework, a company needs to:

• Set aside a “strategic reserve” intended to fund unforeseen opportunities (e.g. acquisitions) that is deducted from available capital to determine available risk capacity
• Determine the risk capital requirement needed to execute its growth strategy, including i) the modeled strategic risk capital requirement derived from analysis of its prospective risk profile and ii) a “safety buffer” ensuring that its strategy can be executed, at a high level of confidence set by its Board of Directors, in spite of:
• Catastrophic  loss or investment scenarios that might cause downgrading by rating agencies or RBC adequacy to so decline that regulators would be required to intervene
• Understatement  of the modeled strategic risk capital requirement caused by “model risk”,  or by risks that are inherently difficult to model appropriately (e.g. systemic risk, operational risks that increase insurance or investment losses, parameter risks, unstable correlations)
• Extreme circumstances that can reduce and sometimes eliminate benefits from diversification across lines or across insurance and investment activities
• The risk that a company might not be able to raise capital from investors on terms acceptable to shareholders when needed to restore its capital position

In the wake of the financial crisis, many companies are trying to determine how large a capital safety buffer (including off balance sheet contingent capital) they should have to absorb losses caused by catastrophic events while containing the negative impact of additional capital on profitability metrics, especially their return on shareholders’ equity. In practice, they would like to hold enough capital to ensure that their insurance strength rating would remain at or above the level needed to sustain the confidence of customers and regulators over a suitably long time period (e.g. ten years) at a high confidence level, while avoiding declines in returns that might reduce their valuation multiples.

As shown by the figure, a company’s capital requirement represents its risk capacity utilization under its strategic plan as well as its risk appetite.  When this capital requirement, including the suitable safety buffer discussed above, is smaller than the company’s risk capacity (as shown on the figure) the company has “excess capital”. It has an option to deploy some or all of its excess capital productively or return it to investors. When this capital requirement, including the safety buffer, is greater than the company’s risk capacity, a company is overextended and need to take action to reduce planned capacity utilization or raise additional capital to increase its risk capacity.

The mutual dependency of a company’s risk profile, risk capacity utilization, risk capacity, capital available and risk appetite and the irreducible uncertainty of financial results of insurance activities create a context in which management needs to ensure that risk capacity management and strategy management are aligned with the return expectations and risk concerns of shareholders.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

### Risk Appetite and Risk Attitude

March 3, 2011

Riskczar writes about differing risk appetites this week.

I want to introduce a nuance to his discussion.  He mentions that his risk appetite is less than both his brother and his significant other.

The Risk Doctor presents a view of risk attitude that tracks directly with what Trevor calls differing risk appetites.  They both look at it as a spectrum of higher risk appetites to lower.  David suggests that anyone with a higher risk appetite has one risk attitude while someone with a lower risk appetite has another risk attitude.  Which is consistent with the digestive term appetite that is used.

However, another way of looking at this is possible and is suggested by the Plural Rationalities approach to risk that is often featured here on Riskviews.

With the Plural Rationalities approach, it is suggested that folks with an apparent higher risk appetite may well simply perceive that there is less risk than someone with a lower risk appetite.  The people who perceive that risk is very high are called Conservators.  The people who perceive that risk is very low are called Maximizers and the people who perceive that risk is moderate are called Managers. Finally Plural Rationalities suggests that there is a fourth risk attitude that is possessed by folks who just do not think that they can know how risky that something really is.  They are called Pragmatists.

These Pragmatists do not fit onto the spectrum of risk appetites.  However, plenty of these people exist.  They are the undecideds in the polls about risk.  They do not feel that the future is highly predictable, so they choose not to try.  They therefore seem to be less convinced about likelihood of favorable outcomes as well.  Or lack of likelihoods either.  Lottery tickets are appealing to some Pragmatists.  Pragmatists may take on situations that are seen to be high risk by the Conservators and pass up on situations that are seen as low risk to the Maximizers.  Pragmatists are also often frustrating to the Managers because they fail to follow the logical conclusions reached by the Managers.

But Pragmatists are well suited for the situation that seems to have settled over many economies in the world in the recent past.  The Uncertain economy.  Modern economics does not even officially have that as a phase of an economic system, though some economists have repeatedly described the current situation with that exact word.  Their approach the the Uncertain economy is to try to get it to change into one of the other stages that they do think that they understand.

So the Maximizers and Conservators are not choosing more risk or less risk as the Rational Expectations theory suggests, they are actually believing that the world is less risky (Maximizers) or more risky(Conservators).

They are not acting irrationally, they are acting according to their own rationality.

This would be irrational, except for the fact that in some periods of time, they are correct.

Once they start to notice that their view of risk is no longer correct, slowly but surely they eventually change their risk attitude to adjust to the current reality.

This process explains the market cycles without having to assume irrationalities.  Instead we need to acknowledge Plural Rationalities.

### The Difference between Risk & Loss

March 2, 2011

Risk Management has caused many people to substitute one four letter word for another.  They will use the word RISK when they should be saying LOSS.  And there is a world of difference between the two.  It is the difference between the gleam in eye of the loving newly weds and the cry of the babe in the middle of the night.  (Really dating myself there.  That is one from a 1950’s movie.)

A RISK is a potential for a LOSS.  The LOSS is the realization of that negative potential.  A RISK is running across a busy street blindfolded.  A LOSS is getting hit by a car while doing that.

All RISKs do not result in LOSSes and all LOSSes do not result from RISKs.

A RISK is putting a revolver with one bullet up to your head and pulling the trigger.  A LOSS is the result of the chamber with the bullet being fired.  A RISK without LOSS is when you pull the trigger and the hammer hits an empty chamber.  A LOSS without RISK would be putting a revolver full of bullets up to your head and pulling the trigger.

So if someone asks you what you intend to do when your RISK limit is exceeded, you have choices.  One of those choices is to ignore the breach and hope that you are fortunate.  Those who make that decision and do not find that RISK turning into a LOSS will go down as RISK geniuses.  Those who find themselves facing a LOSS that is larger than they can bare will be thought to be dunces.

Other choices involve the many ways that one can use to reduce the frequency or severity of the RISK, to bring it within your limit.  But even if you do take those choices, your reduced RISK may still make a LOSS.  If your evaluation of the RISK was correct, then the reduced RISK may not make a LOSS that exceeds your limit.  But if your estimate of the RISK was incorrect and you have a LOSS, then the LOSS may be larger than your limit, even if you carefully followed procedures to reduce the RISK.

But if someone asks you what you intend to do when a LOSS exceeds your limit, that is an entirely different story.  The choices there are few.  The LOSS has happened.  You should then (a) learn to live with the consequences of the LOSS that you were trying to avoid by setting the limit and (b) try to learn the cause of the loss that exceeds your limit and discern whether you can make changes that will help you to avoid such situations in the future.

Learning to live with the consequences of the LOSS may well mean adjusting your risk limits to the lower risk buffers that you may now have access to.  The opposite of learning to live with the consequences is the destructive but common practice of “doubling down”.  When a gambler “doubles down” after a loss they are hoping to make back their losses with their next bet.  Traders are sometimes prone to this thinking.  They conclude that such behavior is the only way to save their job after a large loss.  Often such actions lead to the opposite consequence for the trader.

Learning from the LOSS means means tracking down whether the excess LOSS resulted from excess RISK taking, RISK measurement error or results from a predictable but highly unlikely event.  The excess RISK taking can be from failure to follow procedures including the failure sited above to act once a breach of limit is found.  Other failures can be seen from Jared Diamonds excellent analysis of failure.

However, when answering these questions, be aware that sometimes folks have started to use the word RISK when they should be using the word LOSS.  One person recently was talking about their risk management program and  went so far as to say “realization of the negative potential of a risk” when they meant LOSS.

### Second Step to a New ERM Program

March 1, 2011

Everyone knows the first step – Identify your risks.

But what should you do SECOND?  The list of ERM practices is long.  Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.

And you want to make sure that you avoid Brick Walls and Touring Bikes.

But the Second Step is not a practice of ERM.  The Second Step is to identify the motivation for risk management.  As mentioned in another post, there are three main motivations:  Compliance, Capital Adequacy and Decision making.

If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.

If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.

If Decision making is the motivation, then the process becomes somewhat more involved.  Start with identifying the risk attitude of the firm.  Knowing the risk attitude of the firm, the risk management strategy can then be selected.  Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.

This process has been described in the post Risk Attitudes and the New ERM Program.

But knowing the motivation is key.  A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM.  They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..

And then hit a brick wall.

That is because they did not clearly identify the motivation for their appointment to be the risk management officer.  The term ERM actually means something totally different to different folks.  Usually one of the three motivations:  Compliance, Capital Adequacy, or Decision Making.

A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices.  A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement.  Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.

The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.

Most modern cruise ships feature the following facilities:

• Casino – Only open when the ship is in open sea
• Spa
• Fitness center
• Shops – Only open when ship is in open sea
• Library
• Theatre with Broadway style shows
• Cinema
• Indoor and/or outdoor swimming pool
• Hot tub
• Buffet restaurant
• Lounges
• Gym
• Clubs

Keep that contrast in mind when you are making your plans for a new ERM system.