Incorporating Risk into Planning and Strategy

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory and the business education that flows from utility theory suggests very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might be also reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often is actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under and external constraint system are ill equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

• Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
• Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedence probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
• Risk Controls review.  Each risk operated within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
• Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.

 

Advertisement

A Cure for Overconfidence

“FACTS FROM THE INTERNET”

• 86% of a group of college students say that they are better looking than their classmates
• 19% of people think that they belong to the richest 1% of the population
• 82% of people say they are in the top 30% of Safe Drivers
• 80% of students think they will finish in the top half of their class
• In a confidence-intervals task, where subjects had to judge quantities such as the total egg production of the U.S. or the total number of physicians and surgeons in the Boston Yellow Pages, they expected an error rate of 2% when their real error rate was 46%.
• 68% of lawyers in civil cases believe that their side will win
• 81% of new business owners think their business will succeed, but also say that 61% of the businesses like theirs will fail

But on the other hand,

• A test of 25,000 predictions by weather forecasters found no overconfidence

We all know what is different about weather forecasters.  The make predictions regularly with confidence intervals attached AND they always get feedback about how good that their forecast actually was.

So the Overconfidence effect, that is seen by psychologists as one of the most reliable of biases in decision making, is merely the effect of under training in developing opinions about confidence intervals.

This conclusion leads directly to a very important suggestion for risk managers.  Of course risk managers are trying to act like weather forecasters.  But they are often faced with an audience who are overconfident – they believe that their ability to manage the risks of the firm will result in much better outcomes than is actually likely.

But the example of weather forecasters seems to show that the ability to realistically forecast confidence intervals can be learned by a feedback process.  Risk managers should make sure that in advance of every forecast period that they make the model for frequency and severity of losses are widely known.  And then at the end of every forecast period that they show how actual experience does or does not confirm the forecast.

Many risk models allow for a prediction of the likelihood of every single exact dollar gain or loss that is seen to be possible.  So at the end of each period, when the gain or loss for that period is known, the risk manager should make a very public review of the likelihoods that were predicted for the level of gain or loss that actually occurred.

This sort of process is performed by the cat modelers.  After every major storm, they go through a very public process of discovering what the model said was the likelihood of the size loss that the storm produced.

The final step is to decide whether or not to recalibrate the model as a result of the storm.

Overconfidence can be cured by experience.

Was Lindberg really Lucky?

Charles Lindberg made the fist solo transatlantic flight in 1927.

He was called Lucky Lindy because he succeeded at something that was judged to be highly unlikely.  In fact, by analyzing prior experience you would give his solo trans Atlantic flight a ZERO likelihood.

So his flight was a freak occurrence.  A Black Swan.

Six years later, Italo Balboa led a group of 24 planes across the Atlantic.  By the 1940’s, flights across the Atlantic were a very regular thing.

Think about Lucky Lindberg when you imagine the next major catastrophe.  You may not be able to get the event right, but there will be something that never happened that will be significantly worse that we imagined.  And after it happens, there will be a few more larger events until events of that magnitude become commonplace.

Now instead of assigning that sequence a zero probability, figure out how to include that in your risk management system.

Major Regime Change – The Debt Crisis

A regime change is a corner that you cannot see around until you get to it.  It is when many of the old assumptions no longer hold.  It is the start of a new set of patterns.  Regime changes are not necessarily bad, but they are disruptive.  Many of the things that made people and companies successful under the old regime will no longer work.  But there will be completely new things that will now work.

The current regime has lasted for over 50 years.  Over that time, debt went all in one direction – UP.  Most other financial variables went up and down over that time, but their variability was in the context of a money supply that was generally growing somewhat faster than the economy.

Increasing debt funds some of the growth that has fueled the world economies over that time.

But that was a ride that could not go on forever.  At some point in time the debt servicing gets to be too high in comparison to the capacity of the economy.  The economy has gone through the stage of hedge lending (see Financial Instability) where activities are able to afford payments on their debt as well as repayment of principal long ago.  The economy is in the stage of Speculative Finance where activities are able to afford payments on the debt, but not the repayment of principal.  The efforts to pay down debt will tell us whether it is possible to reverse course on that.  If one looks ahead to the massive pensions crisis that looms in the moderate term, then you would likely judge that the economy is in Ponzi Financing land where the economy can neither afford the debt servicing or the payment of principal.

All this seems to be pointing towards a regime change regarding the level of debt and other forward obligations in society.  With that regime change, the world economy may shift to a regime of long term contraction in the amount of debt or else a sudden contraction (default) followed by a long period of massive caution and reduced lending.

Riskviews does not have a prediction for when this will happen or what other things will change when that regime change takes place.  But risk managers are urged to take into account that any models that are calibrated to historical experience may well mislead the users.  And market consistent models may also mislead for long term decision making (or is that will continue to mislead for long term decision making – how else to characterize a spot calculation) until the markets come to incorporate the impact of a regime change.

This may be felt in terms of further extension of the uncertainty that has dogged some markets since the financial crisis or in some other manner.

However it materializes, we will be living in interesting times.

The Cost of Risk Management

PNC Chairman and Chief Executive Officer James E. Rohr is quoted in the Balitomore Sun as saying that Dodd Frank would raise costs and that those costs would ultimately be passed along to the customers.

Now Riskviews is not trying to suggest that Dodd Frank is necessarily good risk management.

But risk management, like regulation, usually has a definite cost and indefinite benefits.

The opponents of Dodd Frank, like the opponents of risk management will always point to those sure costs and a reason not to do regulations or risk management.

But with Dodd Frank, looking backwards, it is quite easy to imagine that more regulation of banks could have a pennies to millions cost – benefit relationship.  The cost of over light regulation of the banks was in the trillions in terms of the losses in the banks plus the bailout costs to the government PLUS the costs to the economy.  Everyone who has lost a job or lost profits or lost bonuses or who will ultimately pay for the government deficit that resulted from the decreased economic activity have or will pay the cost of underregulated banks.

The same sort of argument can be made for risk management.  The cost of good risk management is usually an increase to costs or a decrease to revenues in good times.  This is offset by a reduction to losses that might have been incurred in bad times.  This is a view that is REQUIRED by our accounting systems.  A hedge position MUST be reported as something with lower revenues than an unhedged position.  Lack of Risk Management is REQUIRED to be reported as superior to good risk management except when a loss occurs.

Unless and until someone agrees to a basis for reporting risk adjusted financials, this will be the case.

Someone who builds a factory on cheap land by the river that floods occasionally but who does not insure their factory MUST report higher profits than the firm next door that buys expensive flood insurance, except in the year that the flood occurs.

A firm that operates in a highly regulated industry may look less profitable than a firm that is able to operate without regulation AND that is able to shed most of their extreme losses to the government or to third parties.

Someone always bears those risk costs.  But it is a shame when someone like Rohr tries to make that look as if the cost of regulation are the only possible costs.

Learning from Disaster – The Honshu Earthquake

Steve Covey called it Sharpening the Saw.  A good risk management program will be continually learning.  The school of hard knocks is an extremely expensive teacher.  It is much better to audit the course by observing the experiences of others and learning from them.  The effective risk management program will be actively working to audit the courses of others experiences.

With that in mind, Risk Management magazine has devoted the May 2011 issue to learning from the Honshu earthquake.  There are four articles that review some key aspects of the Japanese experience as it appears right now.

• Nuclear Safety – the problems at the Fukushima Daiichi reactor came from the multiple events that struck.  The safety provisions were sufficient for the earthquake, but not for the tsunami.  There are specific questions raised in the article here about the specific design of the reactor cooling system.  But a greater question is the approach to providing for extreme events.  The tsunami was greater than any on the historical record.  Should it be necessary to prepare for adverse events that are significantly worse than the worst that has ever happened?  If so, how much worse is enough?  Do we even have a way to talk about this important question?
• Building Codes – the conclusion here is that Japanese building codes worked fairly well.  Many larger buildings were still standing after both the quake and the tsunami.  Christchurch did not fare as well.  But New Zealand codes were thought to be very strict.  However, the fault that was responsible for the earthquake there was only discovered recently.  So Christchurch was not thought to be in a particularly quake prone area.  As they overhaul the building codes in NZ, they do not expect to get much argument from strengthening the codes significantly in the Canterbury region.  The question is whether any other places will learn from Christchurch’s example and update their codes?
• Supply Chain – the movement over the past 10 years or more has been to “just-in-time” supply chain management.  What is obvious now is that the tighter that the supply chain is strung, the more that it is susceptible to disruption – the riskier that it is.   What we are learning is that great efficiency can bring great risk.  We need to look at all of our processes to see whether we have created risks without realizing through our efforts to improve efficiency.
• Preparedness – ultimately, our learnings need to be turned into actions.  Preparedness is one set of actions that we should consider.  The Risk Magazine focuses on making a point about the interconnectedness of all society now.  They say “Even a simple sole proprietorship operating a company in rural South Dakota can be negatively affected by political and social unrest in Egypt.”  We risk managers need to be aware of what preparedness means for each of our vulnerabilities and the degree to which we have reached a targeted stage of readiness.

Whenever there is a major crisis anywhere in the world, risk managers should review the experience to see what they can learn.  They can look for parallels to their business.  Can systems at their firm  withstand similar stresses?  What preparedness would create enough resilience?  What did they learn from their adversity?

Imminent Risk – Employee Turnover

Many risks go in cycles.  And While it makes some sense to keep an eye on them during the part of the cycle when they are low, it makes much more sense to concentrate on them when they are imminent.

A recent report from Metlife “Study of Employee Benefits Trends” diverts from its primary topic to spend an entire chapter on The Erosion of Employee Loyalty.  One startling statistic that they report is that over one third of employees say that if they have the choice, they will change employers in 2011!

Risk managers often think of risks like employee turnover as being “soft” risks that are difficult to measure and model.  But that may be mostly due to lack of familiarity.  In this case, people have measured the costs.  The Society of Human Resources Management (SHRM) has estimated that turnover costs vary by the level of employee.  For minimum wage employees, the costs are 30% to 50% and goes up for more skilled employees – up as high as 400% of salary for the most skilled employees.

And that does not take into account that the people who are most able to leave are the most competent and productive of your employees.

So your firm has an imminent risk that will emerge when the job market in your industry opens up.  You will know exactly when that risk is going to hit.  You will know because your firm will start to hire more after several years of low or zero hiring.  Once you notice the actual turnover, it will be too late. So monitoring hiring by your own firm and in your part of the economy is your key risk leading indicator.

The risk treatment steps to take would be those that might impact either the frequency or severity of the losses from this risk.  (duh)

Metlife includes this discussion in their report on employee benefits so that they can make the case that more employee benefits would be an effective preventative.

But before setting out to define risk treatment plans, the risk manager will want to look at the loss estimates.  That SHRM study points to costs from the hiring process, from training costs as well as productivity losses.  Each firm should examine their practices and experience to refine the general estimate to their situation.  Some firms will always choose to hire highly experienced employees to minimize the training and lost productivity costs.  Other firms will go to the other extreme, hiring mostly at the entry level and expecting to promote from within to replace any higher level losses.

Salary costs are a large percentage of financial businesses costs.  The management of this cost could probably benefit from some good quantitative analysis, if that is not already the practice.

If the SHRM costs are correct and even half the people identified by Metlife are able to change jobs, then firms on the average are facing extra costs of as much as 20% of payroll.

Do the math, where does this put employee turnover risk in terms of your top ten risks list?

Looking at Risk through a Telescope, Reading Glasses or a Wide Angle Lens

Risk managers need to be looking at the risks that may nibble away at the firm, risks that may deliver swift killing blows as well as risks that will slowly strangle the firm.

Risk managers need to use the Telescope to look for risks that are remote.  The Emerging Risks.  Those risks may be tiny specks in the far distance.  The risk manager may need to use their imagination to see what harm those tiny specs might do.  They need to arrange things appropriately to prepare for the day when the speck might turn into a real threat.  The firms who use the telescope to view those risks will be able to take the actions far in advance that will make their eventual defense against the risk more effective and economical.

Risk managers also need to use the Reading Glasses to look at the fine details of the things that go by each and every day.  By a careful detailed review, the risk manager may find cracks in the structure or activity that appeared very sturdy up until then.  They can take actions to patch those cracks and to look for alternatives.

Risk managers should also look with a wide angle lens for risks coming at them.  The wide angle lens allows them to see risks coming at them from every direction.  When the risk manager crosses the one way street, they will often quickly look in the “wrong” direction to make sure that nothing is coming from that direction either.  They know that risk is not bound by any rules.  In fact, risk is often most dangerous when it moves directly in the opposite direction that the rules would have you think to look.

Risk managers who have built up processes with a fixed focus that look in only the directions that are required will find that the largest risks are not going to congregate in the spots where they have focused.

Risks will move out of those bright spots where the risk managers are focusing into the dark.  And they will move closer and closer and get larger and larger as long as no one looks at them.

Getting Independence Right

Independence of the risk function is very important.  But often, the wrong part of the risk function is made independent.

It is the RISK MEASUREMENT AND REPORTING part of the risk function that needs to be independent.  If this part of the risk function is not independent of the risk takers, then you have the Nick Leeson risk – the risk that once you start to lose money that you will delay reporting the bad news to give yourself a little more time to earn back the losses, or the Jérôme Kerviel risk that you will simply understate the risk of what you are doing to allow you to enhance return on risk calculations and avoid pesky risk limits.

When Risk Reporting is independent, then the risk reports are much less likely to be fudged in the favor of the risk takers.  They are much more likely to simply and factually report the risk positions.  Then the risk management system either reacts to the risk information or not, but at least it has the correct information to make the decision on whether to act or not.

Many discussions of risk management suggest that there needs to be independence between the risk taking and the entire risk management function.  This is a model for risk disaster, but a model that is very common in banking.  Under this type of independence there will be a steady war.  A war that it it likely that the risk management folks will lose.  The risk takers are in charge of making money and the independent risk management folks are in charge of preventing that.  The risk takers, since they bring in the bacon, will always be much more popular with management than the risk managers, who add to costs and detract from revenue.

Instead, the actual risk management needs to be totally integrated within the risk taking function.  This will be resisted by any risk takers who have had a free ride to date.  So the risk takers can decide what would be the least destructive way to stay within their risk limits.  In a system of independent risk management, the risk managers are responsible for monitoring limit breaches and taking actions to unwind over limit situations.  In many cases, there are quite heated arguments around those unwinding transactions.

Under the reporting only independence model, the risk taking area would have responsibility for taking the actions needed to stay within limits and resolving breaches to limits.  (Most often those breaches are not due to deliberate violations of limits, but to market movements that cause breaches to limits to grow out of previously hedged positions.)

Ultimately, it would be preferable if the risk taking area would totally own their limits and the process to stay within those limits.

However, if the risk measurement and reporting is independent, then the limit breaches are reported and the decisions about what to do about any risk taking area that is not owning their limits is a top management decision, rather than a risk manager decision that sometimes gets countermanded by the top management.

Kellog Corporate Governance Conference II

Notes from comments by ERM session panelists:

Walter Havenstein, CEO, SAIC

Succession planning and leadership development seen as the most important ERM process at SIAC.  (Firm had been led by founder for 35 years up to 2003.)

Business of SIAC is 90% to government.  Large fraction of that business is Top Secret.  Needed to form special board committee to handle Classified Business oversight.  Board members with security clearances (Former DOD and Military officials).   This committee reports quarterly to board – saying what it can about classified work.

Work is highly technical and operationally sensitive – very high risk.  Risk decisions usually were about which people could work on which projects.

James McNerney, CEO, Boeing

There was much too much risk in the company when he became CEO.  ERM has made a big difference.  Risk management is integrated top to bottom and horizontally (covariance risk)

“you have to absorb some risk to make progress”

Boeing was the merger of four large companies.  There were not common views of anything, not any top to bottom or horizontal integration.  Operations are centered upon local plants.  There were compliance issues – Finance, Legal and HR did not collaborate.  Had to strengthen internal controls to deal with compliance issues.

Boeing made an acquisition that brought in much more tail risk than they knew.  And they had added a huge amount of risk with the BIG NEW PRODUCT (787).

Have used the COSO framework for ERM.  That has served Boeing well. It was easy to work hard at ERM because the risks were very visible.  Risk management does not slow Boeing down, it speeds us up.  The annual rhythms of ERM work well.  They are asking the same questions every year and 80% of the answers come back the same as the prior year, but each year 20% come back different – and those different answers are important to know.

At Boeing, risk of every one of 16 major projects is so large that any one could bring down the firm.  This makes risk management extremely important.

Jim Kackley – Herman Miller board member

ERM process was urged on CEO by the Audit committee of board.  They wanted a more rigorous look at risks and they insisted that ERM be a value added process – not just a cost drag.

Started ERM process at Senior Management level – not bottom up (COSO) process.  Identified 40 risks.  Afraid that if they got the whole company involved it would lead to too risk averse of a culture.  Supplemented senior management views with interviews of next level managers.  10 critical risks were then chosen for risk management focus.

Risks are not discreet.  In 2008, pension plan went from fully funded to underfunded causing problems with cash, balance sheet, income and debt covenants.  There was a cascading risk effect.

Another major risk comes from subcontractors.

High focus on likelihood of risks vs. Risk Gap (residual risk).  Created mitigation framework for each major risk.  Senior managers were given specific risk oversight assignments and reported to board about status of each major risk.  Risk management was seen as primarily a board responsibility.

CEO had to present strategic plans with a discussion of how each major strategy related to the top risks.

Each spring, the board reviews Global Risks; such things as sovereign default risk, Japan sourcing risk, Arab Spring.  Ends with a roundtable discussion where each board member gets 5 minutes to say what their major concern might be.

High degree of concern that company might become too risk averse.

================================================================================

RISKVIEWS OBSERVATION: There was at least one attendee who was worried that ANY attention to risk might be bad for a businesses entrepreneurial spirit! In his mind, the ONLY defense is a good offense.

Other comments during Q&A:

There is a trend towards more board awareness of risk.  Each director brings in different past experiences with risk so listening to their guidance on risk may be very helpful in a wide range of situations.

Sometimes risk management focuses on trivial things and wastes the board’s time.

Boards do not necessarily need to get involved in crisis management.

Most important way to manage M&A risk is to really do due diligence.

Kellog Corporate Governance Conference I

Remarks by David Ingram

I have been asked to start off the program by describing to you what I think that Enterprise Risk Management means.

ERM is a term that is used by many people to mean many very different things.  In my experience, some would say that ERM is an extension of Sarbanes Oxley.  Some would say that it is the process that got banks into trouble by forcing them to make decisions with faulty models.  Others would say that ERM is just a compliance exercise or the latest management consultant buzz word.

All that is a shame.  Because ERM has the potential to be so much more useful than any of that.  ERM can be the systematic process that a business uses to ensure that the it has the resilience to survive.  You see I believe that a business has three overarching goals:  Sales, Profits and Survival.  Businesses have long had organized processes to achieve those first two goals.  ERM is just the process that a business uses to achieve that third overarching goal – Survival.

In business, with all the adversity both from competitors and from the all the other adverse possibilities in the rest of the world,  you need to be either lucky or careful to survive.

People commonly confuse the two.  Lucky Lindbergh was extremely careful.  The popular story was that he dashed off with two sandwiches in a sack.  But he readily admitted that he also had five days of army rations that he thought he could survive on for much longer.  Lindbergh was careful.

Careful does not mean that you do not take risks.  It means that you take them with your eyes open and with preparation.

So, I want to explain what I think ERM is by telling you about five important things about a risk management program that are needed to make it work.

1. It is about the future.
2. Know what you want.
3. Pay attention and communicate.
4. Empower someone to take actions in response to risk situations.
5. Best results from ERM if you can align your risk attitude and risk strategy with the risk environment

ERM is about the Future

ERM is about the future and it is about making sure that there is a future.  Studies tell us that in an average 5 years period, about 80% of firms in the S&P 500 will continue on the S&P 500, about 7% will fail or be acquired and about 13% will drop off the S&P 500.

Risk management is about your future and the possibility that your firm could be one of the 400 S&P 500 firms continue in the S&P 500.  Not the 100 x S&P 500.

One of the disconcerting things about the future is that you do not know what is going to happen.  That means that one of the key management tricks that you have learned for management, the trick of boiling everything down to just the one most important number will not work.  If you have heard discussions of how VaR was the problem – the problem was the one number approach, not the one number that was used.  When you are talking about success, you may well be able to represent that with just one number.  But failure can come from any direction.   So because risk management is about the future, a very different management approach is needed.

In fact, I wrote a paper entitled Risk and Light that explains how using a one number approach to risk is likely to lead to unexpected accumulations of risks that you are not paying attention to.

So risk management is about looking out for ALL of the future things that could put your firm into the 100 x S&P list.  And making plans to deal with those things.  It is not primarily about preventing the reoccurrence of the last problem.

Know what you want

Now studies show that about 50% of the firms that are trying to do risk management do not have an objective for their risk management.  That objective is called a risk appetite.  Risk Appetite is the amount of risk that a firm is willing to take consciously.  From my personal experience at S&P listening to about 200  firms, I would say that the correct number is more like 75%.

I just said that on the average, S&P 500 firms have a 7% chance of failing or being merged out of existence and a 13% chance of falling off the S&P 500.  I would call those statistics the average effective risk appetite of the S&P 500 firms.  That effective risk appetite is the degree of riskiness of the firm in actuality.

When I was an analyst at S&P, they had an estimate for effective risk appetite of all of the rated firms.   Those estimates varied by credit quality.  There is a 1% to 14% chance of defaulting and a 10% to 15% chance of downgrade.

Many people say that they do not have a risk appetite because it is too difficult to come up with some top of the house combined estimate of risk.  I am not suggesting that you use S&P’s estimate, just pointing out that is can be done and perhaps you can do a better job yourself.

Knowing what you want means that you know what risk you are taking and what risk you want to be taking.

Pay Attention and Communicate

To get to the point where you can choose a risk appetite you need to be well aware of your effective risk appetite over several years and the sensitivity of the ERA to your management decisions and the variability of your risk environment.

And you will need to continue to pay attention and communicate about your risk position and potential changes.  That will likely require assigning some resources.

Empower someone to act

When I was at S&P, I saw quite a number of insurers who had developed great risk monitoring systems, they had appointed a Chief Risk Officer.  They had established risk committees and risk charters.  But when I asked what they did when confronted with an indicated risk problem, they talked about doing studies and holding emergency meetings and presenting findings.

I called those the Risk Management Entertainment Systems.  Because they never spoke of actually DOING anything as a result of their risk management program.

It is only really risk management if someone is empowered to do something.

But maybe that never happens because those actions will often fall into the category of “taking away the punchbowl just when the party gets going” as William Martin former Federal Reserve chairman said (and Greenspan famously never, ever did.)

Best results from ERM if you can align your risk attitude and risk strategy with the risk environment

Well, I have been told that you are all well aware of all of what I have just said.  You have an ERM program that looks ahead to the future, you have set your risk appetite, you pay attention and communicate your changing risk positions and you have empowered someone to act.

But I suspect, that even if you are doing those four things, you still may not be happy with your ERM system.  That may be because you did not know that you have to choose the risk management strategy that fits your situation.

The choices for risk strategy are:

–      Loss Controlling – Prevent Defense

–      Risk Trading – Cost Benefit Approach to Risk on a risk by risk basis

–      Risk Steering – Risk Selection based upon risk and reward

–      Diversification – Spread your risk exposures

If someone built you a risk management system they may not have even asked you what approach you wanted.  They may have believed that the approach that they favored was the “right” way to do ERM and therefore that is the way that you should do ERM.

You will be unhappy with your ERM system if it does not fit your risk attitude.  Your risk attitude is your belief about the risk environment.

You may believe that the risk environment is

–      Bust – high risk/loss

–      Boom – Low risk/high gains

–      Moderate – Some risk / manageable gains & losses

–      Uncertain – unpredictable risk and reward

So your best chance of Success is if there is alignment

Between…

–      your belief about risk environment – your Risk Attitude

–      your approach to risk management – your Risk Strategy

Fits with the

–      Actual Risk Environment

We have been calling this idea of alignment Rational Adaptability.  It means working to understand the risk environment, and to tailor your risk management strategy to the environment.  Sounds simple minded.  But it is actually fairly difficult and rarely achieved for a variety of reasons.

• The risk environment may be different for different risks that you are exposed to and your strategy can be varied for each different risk.
• Often a shift in the risk environment that management does not pick up and adjust to quickly enough is a reason for change of management.
• A risk management system that follows a risk strategy that is not aligned with the risk environment will be ignored.
• A risk attitude that is not aligned with the risk environment will lead to sub optimal risk decisions.

So in a nutshell, that is my explanation.

ERM means being careful, looking at the future, knowing what risk you want, paying attention, communicating but all in the context of a risk strategy – your risk strategy – not one out of the ERM box.