How to do Risk Management in Lean Times

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transfered to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can be a very time consuming part of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.

These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

Advertisement

How many significant digits on your car’s speedometer?

Mine only shows the numbers every 20 and has markers for gradations of 5. So the people who make cars think that it is sufficient accuracy to drive a car that the driver know the speed of the car within 5.
And for the sorts of things that one usually needs to do while driving, that seems fine to me. I do not recall ever even wondering what my speed is to the nearest .0001.

That is because I never need to make any decisions that require the more precise value.
What about your economic capital model? Do you make decisions that require an answer to the nearest million? Or nearest thousand, or nearest 1?  How much time and effort goes into getting the accuracy that you do not use?

What causes the answer to vary from one time you run your model to another?  Riskviews tries to think of the drivers of changes as volume variances and rate variances.

The volume variances are the changes you experience because the volume of risk changes.  You wrote more or less business.  Your asset base grew or shrunk.

Rate variances are the changes that you experience because the amount of risk per unit of activity has changed.  Riskviews likes to call this the QUALITY of the risk.  For many firms, one of the primary objectives of the risk management system is to control the QUANTITY of risk.

QUANTITY of risk = QUALITY of risk times VOLUME of risk.

Some of those firms seek to control quantity of risk solely by managing VOLUME.  They only look at QUALITY of risk after the fact.  Some firms only look at QUALITY of risk when they do their economic capital calculation.  They try to manage QUALITY of risk from the modeling group.  That approach to managing QUALITY of risk is doomed to failure.

That is because QUALITY of risk is a micro phenomena and needs to be managed operationally at the stage of risk acceptance.  Trying to manage it as a macro phenomena results in the development of a process to counter the risks taken at the risk acceptance area with a macro risk offsetting activity.  This adds a layer of unnecessary cost and also adds a considerable amount of operational risk.

Some firms have processes for managing both QUANTITY and QUALITY of risk at the micro level.  At the risk acceptance stage.  The firm might have tight QUALITY criteria for risk acceptance or if the firm has a broad range of acceptable risk QUALITY it might have QUANTITY of risk criteria that have been articulated as the accumulation of quantity and quality.  (In fact, if they do their homework, the firms with the broad QUALITY acceptance will find that some ranges of QUALITY are much preferable to others and they can improve their return for risk taking by narrowing their QUALITY acceptance criteria.)

Once the firm has undertaken one or the other of these methods for controlling quality, then the need for detailed and complex modeling of their risks decreases drastically.  They have controlled their accumulation of risks and they already know what their risk is before they do their model.

Ten Commandments for a Crash

Joshua Brown wrote “Ten Commandments for a Crash”  – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that its a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down! 

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists,

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things where you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  THe bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Climbing the Risk Management Mountain

The pursuit of risk management is in some respects like climbing a mountain.

Your choice of the risks that you will plan to manage (rather than avoiding or eliminating) is like your choice of mountain. Some mountains will be more difficult to climb than others. Some have well worn paths to the top. And sometimes there is a shift in the weather than makes even the most traveled path unusually dangerous.

Some folks have been living on the side of their mountain for generations. They considered that they are the experts of that particular mountain. But then one day, a band of outlanders shows up with new equipment and takes a new route that takes them higher up the mountain than any of the locals have ever gone.  Sometimes, however, those outsiders only look like they are going straight to the top.  Sometimes they are stopped short by perils that the locals knew well.  With risk management, there have been firms managing some risks for a long time who have been brushed aside by competitors with rocket scientists.  Some of those rockets took the firms right to the top, others flamed out along the way.

There are many ways to approach climbing a mountain.  Some choose the southern route, others the northern.  And many different places to stop the climb and declare success.  For some risk managers, the climb may stop when the largest one or two risks of the firm are separately under control.  Others will seek to reach the spot on the mountain where the capital model can be found.  They undertook climbing risk management mountain to get a handle on managing their capital.  A third group will stay unswervingly on the path that is laid out with the railings and signs put there by the regulators.  They seek only to achieve the point on the mountain of regulatory compliance.  They do not seem to care that standing for too long on that spot may not be safe in all weather either.  The final group is looking to get to the top of the mountain, to stand on the highest pinnacle.  They feel that mastering risk management can only be done if they are standing on top of all of their risks at once.  They feel that any other spot on the risk management mountain is not for them.

Having spotted the place where they want to end up, many people stand transfixed by the immense task ahead of them and fail to start.  They do not see any way that they can get from where they are to that remote point up the mountain that is partially obscured by the clouds.  They see some others already at those points and cannot figure out how to jump right up to join them.

They sometimes do not realize that those who are already far up the path got there most often by focusing instead on the next step, rather than on the endpoint.  Some of those who are far up the mountain may in fact have started out to reach a different point and made corrections to their ascent path as the realized the conditions as well as their own capabilities.

Others who already live part way up the mountain are confused.  They are looking at the instruction manual for climbing this mountain.  The book always starts at the bottom of the mountain.  And it assumes that you are someone who does not already own some (possibly most) of the equipment needed for climbing.   The whole thing seems impossible to make sense out of for you.  You are not even going to consider going to the bottom of the mountain and leaving all of your equipment and expertise behind.

Most insurers are in the position of the villagers living on the side of the mountain.  They are getting instructions to start at the bottom of the south side of Risk Management Mountain, while they live on the north.  What they need is not generic instructions.  What they need is instructions that start with what they know and with the equipment and experience that they have.  They need to know the best path to get to the place where they want to go from where they are.

Diversity and Resilience

Can’t we all just learn to “Get it Right”?

Just picture a ship with a large flat deck and thousands of passengers on the deck. The boat lists to one side and the passengers scurry to the other side to avoid going over the edge in the side that is dipping. Guess what happens? The boat now lists to the other side. Stabilizing the boat requires that everyone is spread about the entire deck. But since we do not necessarily know the exact spots where everyone needs to stand, some moving around makes sense. Just as long as everyone does not start moving together.

The world we live in is a much more complex and dynamic system than a ship at sea. We definitely do not know what is the safest course of action for everyone to take. We do know what hasn’t worked. We suspect that some of the things that we thought did work in the past were actually not good ideas. We do not know how to get the world to go backwards in time to when things were working best. In fact, they weren’t working best for someone then anyway.

Diversity is the most sensible approach when we do not know what will work. With a diversified approach it is quite possible that some will be doing the exact wrong thing, but at the same time, some will be doing the best thing for what comes next.

Only if we are certain of what will come next can we be sure to pick the best course. When too many people pick any single course of action, however, there often are unintended consequences.
Never before had mortgage loans in the US all gone down together, but when everyone started to increase the amount of leverage in the mortgage system, the leverage itself became the cause of massive correlation.

Ecological systems that are more diverse are more resilient. Human systems are the same.

You need to know how much risk you’ve been taking first

Everyone struggles with choosing a risk appetite.  But that is the first mistake.  Risk appetite will not be singular.  Risk Appetite is plural.  It refers to any aspect of risk that goes beyond what you will comfortably accept.

In the paper Risk and Light, it mentions a number of aspects of risk:

• Type A Risk – Short Term Volatility of cash flows in 1 year
• Type B Risk – Short Term Tail Risk of cash flows in 1 year
• Type C Risk – Uncertainty Risk (also known as parameter risk)
• Type D Risk – Inexperience Risk relative to full multiple market cycles
• Type E Risk – Correlation to a top 10
• Type F Risk – Market value volatility in 1 year
• Type G Risk – Execution Risk regarding difficulty of controlling operational losses
• Type H Risk – Long Term Volatility of cash flows over 5 or more years
• Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
• Type K Risk – Pricing Risk (cycle risk)
• Type L Risk – Market Liquidity Risk
• Type M Risk – Instability Risk regarding the degree that the risk parameters are stable

It is quite possible that a full risk appetite would could address each of these aspects of risk and more.

But a more difficult hurdle is the fact that in many cases risk exposure is not consciously known.  In some cases, that is because of a confusion between RISK and LOSS.  Some of that is because of the overuse of the word risk.  In many situations, risk is used to mean an expected loss.

But for risk appetite, it is never the expected loss or even the actual losses that is of concern for a risk appetite.  The risk that matters is the potential for future loss.

But to have any idea of how much risk that a person or a firm might be comfortable with, they need to have experience with risk.  To have an  articulate risk appetite, that experience must have been quantified.

How much was the risk exposure last year?  How much was it the previous year?

And when we try to think of how much risk, we need to recognize that risk has many aspects that may need to be quantified.  Risk is complicated.  It does not reside in a single number.

Why would we think that it did?  Try to name anything important that can be represented with a single number.  Can you represent your car with a single number?  Can you represent your brother with a single number?  Can you represent a book with a single number?  Risk is a potential for future loss, that potential has many more possibilities than an existing physical object.  The object needs to represented by many different numbers.

But not all of the aspects of risk are ultimately important in most situations.

But before anyone or any business can form a risk appetite, they need to identify the characteristics of risk that are most important to them and then they need to build an experience base.  They need to know how much risk that they have taken in the past.  They need to know how much they can get paid for taking the risk.  They need to know when they were at risk of having their lights put out.

Better to have this experience in real time.  But second best is to work backwards into the past.

Faced with real information, matched up to real experience, then the stories of how to create a risk attitude will then start to make sense.

But up til then, it just won’t mean anything.

Who are we kidding?

When we say that we are “measuring” the 1/200 risk of loss of our activities?
For most risks, we do not even have one observation of a 200 year period.
What we have instead is an extrapolation based upon an assumption that there is a mathematical formula that relates the 1/200 year loss to something that we do have confidence in.

Let’s look at some numbers.  I am testing the idea that we might be able to know what the 1/10 loss would be if we have 50 years of observations.  Our process is to rank the 50 years and look at the 45th worst loss.  We find that loss is $10 million.

Now if we build a model where our probability of losing $10 million or more is 10% and we run that model 100 times, we get a histogram like this:

So in this test, with an underlying probability of 10%, the frequency of 50 year periods with 5 observations of losses of $10 million or larger is only 22%!

When I repeat the test with a frequency assumption of 15% or of 6.67%, I get exactly 5 observations with a frequency of about 10% in each case.

So given 50 years of observations and 5 occurrences, it seems that it is quite possible that the underlying likelihood might be 50% higher or 1/3 lower.

Try to imagine the math of getting a 1/200 loss pick correct.  What might the confidence interval be around that number?

Who are we kidding?

The World is not the Same – After

In reality, there is no accurate way to calibrate a risk model right after a major loss event. That is because there is always a good chance that the world will change as a result of the experiences of the event.

In Japan, the rebuilding after the losses from the earthquake/tsunami will not replace what was there. The buyers of the products that were manufactured in Japan who were disrupted by the event have all found alternatives. And they have learned from the even to diversify their suppliers or at least deal with a supplier who has diversified exposure to risk. The Japan after the event will not be the same Japan as before.

A market or an industry, a company or a people rarely go back to doing things exactly the same way after a major crisis.

They may become much more conservative about the risk that caused the crisis.  They may just move on, like New Orleans which is now less than one third its pre-Katrina size.  They may adopt many new rules and regulations like Sarbanes-Oxley or Dodd-Frank.  Or they may finally start listening to their risk managers or even hire new CROs.

If you want to have a model that includes the year after a crisis, then you will need to study past crises and the reactions to those events.  What that may mean is that there are ripple effects of the crisis in the model. Not just another random year.  Because regardless of what the theories say, the world displays multi year effects.  Events are not over simply because the model turns to another time slot.

 

 

During the Crisis

There are three Phases to Risk Management,

• Preparation,
• Crisis Management and
• Picking up the pieces

During the Crisis, the most important thing is that you are able to assess the situation, choose the appropriate action and finally and most importantly ACT.

Many people are prone to freeze during a crisis.  They go into a daze because some main steady thing in their life is no longer there and working.

On the anniversary of 911, it is interesting to notice that an article A Survival Guide to Catastrophe from 2008 is the most popular article today at Time.com.

It tells the story of how several people escaped several famous catastrophes.  In each case, some of the people who died in those situations were frozen.

The human brain goes through three stages during a crisis: disbelief, deliberation and action.  The frozen people have stuck on the disbelief or deliberation stages.

That is where the Preparation phase is important.  With proper preparation, people can be taught to quickly identify the reality of the crisis and to know in advance their best options.  The purpose of the preparation is then to shorten the time to get to the third stage.  ACTION.  And to make sure that when you get there, you take the right action.

During the World Trade Center crisis, some people did act quickly, and climbed the stairs right up to the roof.  Others made the right choice and went down the stairs.

This Crisis Management thinking does not just refer to physical crises.  Financial firms are faced with financial crises.  In those situations, managers of the firm go through the exact same stages:  disbelief, deliberation and action.  They can get stuck in either of the first two stages until it is too late.  They can also choose the wrong action.

Much of risk management literature seems to be about the risk management things that are needed during the moderately risky, normal times.  But risk management is also needed in the midst of the crisis.  The risk mitigation tactics that work best in moderately risky, normal times may not even be available in a crisis.  There needs to be preparation for a possible crisis so that managers will promptly identify the crisis and know in advance the types of options that they may have and also know how to go about choosing the best options.

Firms that provide property insurance to disaster prone areas have learned that it is much more than good customer service to have claims people on the ground to start writing checks as soon as possible after the disaster.  Firms that trade in financial markets have learned, if they did not know already, that trading is not always continuous.

Whatever your firm does, the risk manager should be developing and training managers about crisis plans.

Where Do You Hide?

US Hurricane Risk

The lines on the graph represent the paths of the 50 most deadly US hurricanes on record.  The numbers on the lines are the number of deaths.

One important thing to notice is that there is nowhere on the eastern or southern coasts of the US coast that has not experienced deadly hurricanes.

That suggests two strategies for dealing with hurricane risk for an individual.

1. Avoiding it by moving well inside the lines.
2. Building up a residential system that is resilient to the forces of hurricanes.

The first strategy is suspect until you study the risks of those areas.  The area just outside the lines includes the New Madrid fault and an area that has experienced major inland windstorms, hailstorms and floods in the recent past.   So there is no guarantee of safety by risk avoidance.

That leaves resilience as the best bet.  Resilience will involve learning about safety measures, setting a risk tolerance and finding out how strong of a storm fits within the risk tolerance.

In Japan, they set their risk tolerance to be that they would not accept a risk of a storm that is within the range of all past experience.  They thought of that as a zero risk tolerance.  They learned on 311 that their actual risk tolerance (storms within the historical observations) and their notional risk tolerance (zero) were not the same thing.

For an insurer or a business, there are very different options.  Diversification and insurance/reinsurance may be chosen instead of resiliency.

Society and the Default Put

The idea of the Limited Liability Corporation is one of the innovations that is credited with making capitalism work. The structure allows a person or group to form a business without risking their entire fortune. That is the way that economics textbooks say it. It sounds like all upside.

But wait a minute. Think about it like a risk manager. A real risk manager, not the hucksters who sold the “risk goes away if you split it fine enough” or the “no increase in total risk because of diversification benefits” stories.

A real risk manager knows that a loss is a loss. A dollar (or euro, or pound) is a dollar. Losses do not disappear EVER. Unless you do the work to prevent them.

And limited liability is NOT a loss prevention program. It prevents losses from transmitting to a certain party. The owner of the company. But someone always gets those losses.

Think about it for just a fraction of a second. If a company has obligations that it cannot pay, who has a loss? You figured it out; their counterparties take the loss. It might be customers, suppliers, subcontractors, their bank, or bondholders. The limited liability idea protects only one group – the owners/shareholders. Everyone else has unlimited liability!

What we saw in the crisis, if you owe the bank $100,000 they own you. If you owe the bank $10,000,000 then you own the bank.

This limited liability idea is totally embedded now. Everyone believes that they have the RIGHT to create problems for everyone else that deals with them and JUST WALK AWAY.

In ancient times, the ultimate collateral was the debtor’s personal freedom. A person who defaulted on a debt became an indentured servant of the lender in the case of default. This idea persisted in one form or another until the 1800s when debtors prisons became out of favor. The US was one country that led the way on this movement. The US has always had a much easier attitude to bankruptcy. There has always been much less stigma attached to bankruptcy along with the easier legal climate.

So the system works this way – people and businesses can go bankrupt easily and put their excess losses onto their counterparties. And in reaction to this, counterparties must be careful who they do business with.

That means that Credit Risk Management is a fundamental aspect of the business environment.

However, when you recognize the underlying fundamental reason for that statement, you may question whether the new statistical based Credit Risk Management that has developed over the past 25 years actually satisfies the fundamental need of the system.

Under the statistical approach to CRM, diversification is the key risk management tool. This has replaced the time consuming and labor intensive credit underwriting process.

But it is the underwriting process that works to counter balance the default put that is implicit in the bankruptcy rules.

Without the underwriting, the statistical process will simply not work. It will give totally wrong information. That is because statistics does not work on any old bunch of numbers. Statistics only works on homogeneous sets of numbers.

Let’s review. The default put creates a situation where a person or a firm can take on obligations that they cannot repay AND they will not be held responsible to repay. When people or businesses operate AS IF they were going to pay obligations, then they can receive value from counterparties that is in excess of the value that they will repay. So their counterparties need to police this imbalance.

Statistical CRM means that the lender will make many loans with the expectation that only a few will fail to repay and there will be limited losses from those failures. But once borrowers notice this (or intermediaries who have a better chance to notice) their best outcome is to borrow as much as they can, to leverage up as much as possible. Their upside in the event that everything turns out well is then enormous and they suffer none of the downside.

So statistical CRM leads directly to deterioration in credit quality through excess leverage. No one is actually watching to make sure that the credit risk per loan is staying constant.

And the main risk management tool of diversification fails when the loans themselves become the major source of risk. The correlation between excessive lending and defaults is very high. It is different from the correlation between loans that can be repaid easily.

All this results directly from that default put.  You need to understand the true dynamics of the system if you want to get your risk management right.

Don’t Forget to Breathe

All air breathing organisms do not need any special process to avoid the risk of simply forgetting to breathe. Mostly, they just do it automatically. And if for some strange reason, they stop breathing, their body very quickly develops a violent response to the lack of new air.

Drinking and eating are not quite so automatic, but it is also unnecessary to remind people not to starve to death, when they have a choice to do otherwise.

Animals, including humans, can be observed to also have many, many automatic risk management behaviors. Fear of heights, startle reactions, fight or flight adrenalin releases, and so on. In fact, if you are at a loss of how to deal with any business risk, just go down the list of human natural defenses against risk and you will get lots and lots of different ideas. The natural environment in which the human species evolved was and remains very dangerous. Risks come at us from every direction. Some are constant (like falling from a great height) and some change all the time (like predators and competitors for resources).

Many business managers will contend that their company has developed automatic systems that are embedded in the DNA of the firm to handle risk. The continued existence of the firm is put in evidence as the primary proof of that contention.

The problem with believing that sort of argument is that while a failure to breathe will send an animal into fits of gasping, and dancing on the edge of a cliff will make most animal’s head spin with a natural fear reflex, there is no noticeable consequences of a business stopping their risk management activities.

There are natural, automatic and almost fool proof mechanisms in animals to prevent them from taking some of the most immediately dangerous risks. There are absolutely none of those in a business setting.

So even if there has been a long history of ingrained risk management actions in a firm, a sudden change in personnel can send all that right out the window.

One way of looking at a risk management system is as the replacement for the natural fail safe mechanisms.

Nature saw fit to add a violent automatic natural reaction to a lack of air to the automatic breathing mechanism that can be consciously overridden. The business risk management traditions can be easily and painlessly overridden, unless there is a good risk management system to make the company gasp for breath.

You might find yourself swimming underwater. You override your natural urge to breathe. There are interesting things to see underwater. But you will find it very difficult to stay under too long. Your body has failsafe mechanisms that means you have to work at it very hard to stay under long enough to really hurt yourself. In fact, the mechanism seems to have such a margin of error that you start to want to come back up when you still have the capacity to get back to the surface.

Companies have no similar automatic mechanism.  When someone fails to do the risk management that they should, usually the reaction is that things look and seem better.  Most often, risk management depresses profits, and reduces choices.  The feedback that is experienced leads the exact wrong direction.

A risk management system is the answer to the problem.  The risk management system needs to have mechanisms to keep reminding employees that they need to follow the system rules.

Risk management is not at all like breathing.  In fact quite the opposite.  A firm that wants to have risk management for the long term will need to have a formal process to remind employees that it is important.  In addition, the importance of risk management needs to be periodically reinforced by statements of support from top management.

Risk management is more like a medicine that a person who feels perfectly fine is asked to take regularly.  Every day, they get up and take this medicine, but there is no obvious indication that the medicine is needed.  Many will simply start to forget to take the medicine.  Stop wasting the time it takes to buy and take the medicine.  Avoid even minor side effects.

On the other hand, things that are bad for your health are give quite positive short term feedback.

The trick is to make risk management become more and more like breathing.  To make it a reflex and to build up the mechanisms that will send out danger signals if someone tries to override those automatic mechanism.

What Can You Control?

Framing is of vital importance in identifying risks.
Risks need to be framed in a way that you CAN actually control them.  If you say that your major risk is a drop in the stock market, then you are framing that risk as something that you cannot control.

If instead, if you frame it as a sudden drop in the value of your investments, then you are very highly in control of your risk.  You can choose your investments.  Your choice to manage the risk becomes a tractable risk reward trade-off.  You can buy hedges to mitigate the amount of your losses.

The same goes for Hurricanes or other acts of nature.  If you say that your risk is hurricanes, then you cannot control hurricanes and you are done.  The risk management committee can go home early.  But if you say that your risk is “damage caused by hurricanes”, suddenly you are in charge.  You have options and you have responsibilities.  You have the option to move some of your activities out of the path of hurricanes.  You have the option to make sure that the construction of your building can withstand some or all hurricanes and the concurrent storm surge.  You have the option of buying insurance to make sure that your damages are reimbursed.

So look at your list of risks.  Make sure that even if it says Hurricane, that you are treating it as a manageable risk.  As if it said “damage caused by hurricanes” that you can manage and you are not just throwing up your hands because you cannot stop a hurricane.

 

Exceeding Risk Limits – – 10 Investor Questions (8)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

This sounds like a “when did you stop beating your wife” type question.  But it isn’t.  In fact it is the opposite.

The wrong answer is “we didn’t have any positions in excess of limits.  That answer indicates that the limits are not effective.  They are too high or else, the company has a Berlin Wall type limit system – they shoot anyone who gets close.  That sort of limit system discourages thoughtful risk taking.  It insists on fearful risk taking.  Everyone will be so afraid of getting near the limits that each person will invent their own checkpoint that is lower than the limit.  They will stay below the checkpoint instead of the limit.  The Berlin Wall type of limit system ends up encouraging everyone in the company to create their own checkpoints.  It takes the decision making on risk out of top management hands.

The right answer is that the CEO knows that there have been breaches of the limits and knows why and knows what happened as a result of the breach.  The breaches are not a problem is they are low in both frequency and severity.

Having a few breaches means that the people who are empowered to take risks are also looking to find the best opportunities for the firm and are making every effort to make good deals.  They are working as hard as they can to win and they are sometimes a little over enthusiastic.  The company has a system that finds these instances and communicates them all the way up to the top, which they should.  Another reason why the CEO might say that there are no breaches is because the CEO is never told about the breaches.

And the consequences of breaches are important as well.  One firm once told RISKVIEWS that whenever there was a breach of a limit that management reacted by raising the limit!!!

That is equivalent to having no limits.  It might be a good result to raise the limit occasionally.  But the main reaction to breaching a limit should be to work to get the situation back to within the limit.  For market traded investments, the easiest option is to put on a hedge or to sell the position.  For insurance risk, the option is to obtain reinsurance.  Another reaction might be to cease to accept similar risks until that risk class is within the limit.  Finally, there may be a reaction that is some sort of sanction on the person who caused the breach.  In some cases the breach may be so significant and so clearly against the policies of the company that termination might be the sanction.  That is an unusual situation.  In some cases, a person is transfered either temporarily or permanently to a different position.  In some cases, the sanction might be an adjustment to bonus.  Most common is a reprimand.

The situations where the reaction is to raise the limit might be those where the limit breach was for a transaction that is clearly of exceedingly favorable prospects – one where the risk reward prospects are clearly superior.

In a company with a really vibrant risk management culture, the CEO might want to tell you a story as long and nuanced as the above.  Give that CEO extra points.