You Must Abandon All Presumptions
If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things needed to successfully manage risks are being done, and done now, not sometime in the distant past.
A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks. The pilot will review:
- the route of flight
- weather at the origin, destination, and en route
- the mechanical status of the airplane
- mechanical issues that may have been improperly logged
- the items that may have been fixed just prior to the flight to make certain that the system works
- the flight computer
- the outside of the airplane for obvious defects that may have been overlooked
- the paperwork
- the fuel load
- the takeoff and landing weights to make sure that they are within limits for the flight
Most of us do not do anything like this when we get into our cars to drive. Is this overkill? You decide.
When you are expecting to fly somewhere and there is a last-minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot found something that someone might normally PRESUME was OK that was not.
Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process, one that RISKVIEWS would recommend to be used by risk managers.
THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT
Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.
1. Risks need to be diversified. There is no risk management if a firm is just taking one big bet.
2. The firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
3. A control cycle is needed regarding the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, and feedback.
4. The pricing of the risks needs to be adequate, at least for risks that are traded, if you are in the risk business like insurers. For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.
5. The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks. This involves risk-reward management.
6. The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.
A firm ultimately needs all six of these things. Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.
The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things. Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.