Here’s to 2011

Another year has passed us by.  In 2011, Riskviews blog saw a dramatic upsurge in readership.  That surge was coincident with changes to the Google search routines.  Hits jumped from about 2000 per month in 2010 to a steady 3000 per month in 2011.

The Risk Management quotes were still by far the favorite feature of the blog, with about 800 hits per month.  That has been steady for over 3 years now.  What changed was the hits to the other content.  The home page saw over 6000 hits in 2011, or about 500 per month.  Some posts from prior years continue to be very popular.

Here are the most popular new posts from 2011:

Integrating ERM and Value Based Management

Avoiding Risk Management 

Risk Appetite and Risk Attitude

The Difference Between Risk and Loss

Risk Capacity Measurement

Integrating Risk Capacity and Business Management

Assessing Risk Capacity Utilization

Risk Management Success

COSO & ISO31000 & ERM for Insurers

Liquidity Risk Management for a Bank

Five of these posts were written by Riskviews, four by Jean-Pierre Berliet and one by Jawwad Farid.

72 Risk Management Quotes added in 2011

And the total library of Risk Management quotes has about 250 total quotes.  Here are my 10 most favorite:

“Every person takes the limits of their own field of vision for the limits of the world.”  Arthur Schopenhauer

Life is a series of failures punctuated by brief successes. James Altucher

Managing risk is not just about assessing and monitoring all the things that could go wrong. Rather it is about understanding all the things that need to go right for an organization to achieve its mission and objectives.  UN Joint Staff Pension Fund ERM Policy Statement

Across the grand sweep of history, the relationship between risk and return has been loose and variable.
Warren Hatch

“Call on God, but row away from the rocks.” Hunter S Thompson

“It don’t matter how hard you hit if you cannot take a punch” from the song Lend a Hand by Jakob Dylan

Don’t forget that people sometimes make very silly mistakes, especially when dealing with derivatives. Kevin Dowd

Frankly, I’m suspicious of anyone who has a strong opinion on a complicated issue.  Scott Adams

People are disposed to get angry and punish those who violate the models that they themselves are using, but the targets of such sanctions often do not acknowledge that that particular model applies, or that their acts were transgressions, so they perceive the intended sanctions as illegitimate aggression.   Alan Fiske

“everyone has a plan ’till they get punched in the mouth”  Mike Tyson

 

Risk Based Liquidity

Guest Post from David Merkel at Aleph Blog

When there is financial failure, it comes as a result of illiquidity.  Now, truly, these parties are insolvent, because they took the risk of not being able to pay cash when it was due.  Illiquidity and insolvency are really the same thing, though many obfuscate.

If you can’t pay cash, it doesn’t matter what your assets are worth in “normal” times.  Banks should have planned in advance to make sure liquidity was always adequate, rather than doing the usual borrow short, lend long, that they usually do.

But after reading through the Fed ‘s proposal on bank solvency, I conclude that they may not get the picture.  They spend time on liquidity and other issues.  With liquidity, it is uncertain how they will view repo markets.  To me, those should be view as short-term finance of long dated assets.

During times of crisis, repo markets seize up, with rising repo haircuts.  Maybe I’ve read the Fed’s proposal wrong, but it seems that it neglects repo funding, which had a large effect on the recent crisis.

If banks had to be able to size their activity to survive a rise in repo haircuts equal to half of the highest that we have seen, it would probably be enough to make the issue go away, because the haircuts would be less likely to rise as a result of that restraint.

Now, I appreciate the perspective of this article from Dealbreaker on the topic.  All of the assets of the bank support all of the liabilities. In one sense, there are no assets that are tagged “equity” and others tagged “liability.”

P&C Insurance works a little different.  In that, premium reserves are invested in high quality short-term debt.  Claim reserves are invested in high quality debt similar to the period that claims are expected to be paid out over.  The remainder (the equity) can be invested in risk assets in order to earn a decent return for shareholders.  The idea is this: match liabilities with high quality assets of the same length, and take risk with the remainder of assets, realizing that they might might needed for liquidity in the worst case scenarios.

But really, banks should not be viewed differently.  They should invest like P&C or life insurers.  Invest in high quality assets equal to the terms of their liabilities — deposits (estimate stickiness), savings accounts (same), CDs (the term is known).  After that, take risks with the remaining assets in ways that reflect their comparative advantage, realizing that they might might needed for liquidity in the worst case scenarios.  Illiquid investments (e.g. private equity)  should not be allowed for a majority of of those investments.

If banks don’t engage in asset/liability mismatches aka maturity transformation, most of the risks of bank runs will go away.  And that is what I propose.  Note that if that happens, average people will have to pay some fee each year to have a checking account.  Banks would be liquidity utilities.

This fits under my rubric that the insurance industry is much better regulated than the banking industry.  Were it in my power to do so, I would turn banking regulation over to the states, and leave to the Fed control of monetary policy only.  You would soon see intolerant banking regulation, much like we see in insurance, and defaults would decline.

What could be better?

One in Two Hundred

The odds of Earth being hit by the asteroid Apophis in 2039 was determined to be 1 in 200.

later corrected to be 1 in 48,000

The odds a person is 80 years old are 1 in 250.4 (US, 5/2009).

If 200 insurance companies are meeting Solvency II capital requirements should we expect that one of them will fail each year?

Do we really have any idea of the answer to that question?

Or can we admit that calculating a 1/200 capital requirement is not really the same as knowing how much capital it takes to prevent failures at that rate?

Calculating a 1/200 capital requirement is about creating capital requirements that are related to the level of risk of the insurer.  Calculating a 1/200 capital requirement is about trying to make the relationship of the capital level to the risk level consistent for different insurers with all different types of risk.  Calculating a 1/200 capital requirement is about having a regulatory requirement that is reasonably close to the actual level of capital held by insurers presently.

It actually cannot be about knowing the actual likelihood of very large losses.  Because it is unlikely that we will ever actually know with any degree of certainty what the actual size of the 1/200 losses might be.

We agree on methods for extrapolating losses from observed frequency levels.  So perhaps, we might know what a 1/20 loss might be and we use “scientific” methods to extrapolate to a 1/200 value.  These scientific assumptions are about the relationship between the 1/20 loss that we might know with some confidence and the 1/200 loss.  Instead of just making an assumption about the relationship between the 1/20 and the 1/200 loss, we make an intermediate assumption and let that assumption drive the ultimate answer.  That intermediate assumption is usually an assumption of the statistical relationship between frequency and severity.  By making that complicated assumption and letting it drive the ultimate values, we are able to obscure our lack of real knowledge about the likelihood of extreme values.  By making complicated assumptions about something that we do not know, we make sure that we can keep the discussion out of the hands of folks who might not fully understand the mathematics.

For the simplest such assumption, i.e. that of a Gaussian or Normal Distribution, the relationships are something like this:

• For a risk with a coefficient of variance of 100% (i.e. the mean = standard deviation), the 1/200 loss is approximately 250% of the 1/20 loss
• For a risk with a coefficient of variance of 150% (1.e. the mean = 2/3 the standard deviation) the 1/200 loss is approximately 200% of the 1/20 loss
• For a risk with a coefficient of variance of 200% (i.e. the mean = 1/2 the standard deviation) the 1/200 loss is approximately 180% of the 1/20 loss
• For a risk with a coefficient of variance of 70%, the 1/200 loss is 530% of the 1/20 loss

The graph above is the standard deviation/mean looking backwards at the S&P 500 annual returns for each of the previous 21 twenty-year periods.  So based upon that data, we see that the 1/200 loss might be somewhere between 530% and 180% of the worst result in the 20 year period.

And in this case, we base this upon the assumption that the returns are normally distributed. We simply varied the parameters as we made observations.

What this suggests is that the distribution is not at all stable based upon 20 observations.  So using this approach to extrapolating losses at more remote frequency looks like it will have some severe issues with parameter risk.

You can look at every single sub model and find that there is huge parameter risk.

So the conclusion should be that the 1/200 standard is a convention, rather than a claim that such a calculation might be reliable.

What’s Your Philosophy?

Strategic Risk Magazine has a piece with interviews of a dozen risk managers.  Once question was “What’s Your Philosophy?”  Here are the answers that they received:

Risk management is a fantastic career opportunity as it gives people a very broad and deep perspective on the business through strategic and operational involvement, dealing with people at all levels in an organisation.

Reed Elsevier chief risk officer Arnout van der veer

Risk management now is a career option – it wasn’t when I first started down this route. Certainly the world today is a riskier place and there is a demand for professional, competent people. You need to be qualified in a relevant discipline (business studies, economics, and so on – financial and economic literacy is key) and consider one of the excellent MBAs now available.

DLA Piper chief risk officer Julia Graham

My philosophy over the years has been to take new opportunities as they arise. The job is what you make it, using your skills and competencies.

Morgan Crucible director of risk assurance Paul Taylor

To be an enterprise risk manager, you need to get a solid grounding in business and management at different levels. It’s not an entry-level job.

Ferma vice-president and GDF Suez deputy chief risk officer Michel Dennery

There are uncertainties in everything we do, and hence a career in risk management provides the opportunity to explicitly do what everyone intellectually knows must be done. Further, the concept of uncertainty provides an intriguing angle from which a company can be addressed.

LEGO senior director, strategic risk management Hans Laessøe

You have to care – about jobs, the health of the employees, the health of the factories and the health of the business.

Ferma president and director of risk management for Pirelli Worldwide Jorge luzzi

If you are able to communicate to your colleagues the concept that a risk manager can help the company’s business, protecting profit margins and business continuity, and they understand this, risk management is a really enjoyable job.

Prysmian group risk manager  Alessandro de Felice

My motivation is to create value to my organisation by ensuring that we can deliver what we promise to our customers and shareholders through a well-functioning risk management process.

Assa Abloy group risk and insurance manager Fredrik Finnman

Risk managers should built professional skills over the following pillars: knowledge of risk measurement techniques; knowledge of the company’s processes; skills in spreading the risk culture inside the company; knowledge of the insurance business and risk underwriting: skills in leading internal working groups and designing procedures and control processes.

Telecom Italia corporate risk manager Paolo Rubini

Risk management is about managing risks inherent to the business, so it is critical to understand your business. Moving the company towards a different way of thinking about risk is all about change management and leadership. It’s important to share thoughts and experiences with other colleagues in the field. Attending professional and international events, such as the Ferma Forum, specific seminars and courses to meet other practising risk professionals is a good way to do this.

Campfrio Food Group director of corporate risk management and Ferma board member Christina Martinez

Conflicts about Risk

The headline reads:

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk that there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood migh happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk that either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CROs job is not to stand in judgment of both the CEO and the Board.  The CROs job is to work within the risk appetite of the board.

All Risks are not Enterprise Risks

Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.

This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission.  No serious undertaking has 75 classes of events that could stop them in their tracks.

A serious undertaking might have 5 such risks.  Usually less.  Things that in spite of the best efforts of management could stop them in their tracks.  There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks.  To make sure that a new potential trouble is not creeping into that top 10.  To make sure that  they are not accidentally taking on much more of those risks.  To find ways to mitigate that first group of top risks.  To make sure that the controls on that second group of top risks are still sufficient.  And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

• Risks that threaten the earnings of the firm
• Risks that threaten the capital of the firm
• Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm.  They should be the concern of the top executives of the firm.  Those risks should be the concern of the directors of the firm.

10 Things We Didn’t Learn from Enron

A great piece from ABC News lists 10 things that we should have but didn’t learn from Enron, on the 10th anniversary…

1. Conflicts of interest continue to occur
2. If it’s too good to be true, it probably isn’t
3. Regulators and the regulated continue their dance
4. Transparency is vital
5. More capital is better
6. Excessive leverage is as dangerous as a bad bet
7. Corporate leadership makes all the difference in the world–for good and for bad

8. Preferred stockholders get preferred treatment

9. Still building fragile financial structures

10. Important names make mistakes too

Riskviews comments:

1.  Conflicts – The risk manager should be aware of who benefits from each major program of the firm and who stands to lose if a program runs into trouble.  If those two parties are different, then there are strong incentives for abuse of the program.  Suggestions from a party that could benefit but not be at risk to change the program should be viewed very carefully.

2.  Too Good to be True – But this time is different!!!  The four most dangerous words.

3.  Regulators – someone needs to be able to identify and change situations where the regulators are too cozy with the regulated.  The myth that firms will self regulate was exposed to be a total falsehood in the 2008 Financial crisis.  Real regulation is needed in the financial services business where firms are primarily selling promises.  Whether you are Madoff or Lehman Brothers, the most lucrative approach for managers of a financial services firm is to make promises and not make sufficient provision for satisfying those promises.  Regulators need to assure the customers that a clear standard is maintained for security of those promises.

4.  Transparency – in RISKVIEWS opinion, real transparency is much better than supervision.  Market discipline is much more sure than regulatory discipline.  Because market counterparties have skin in the game.  Regulators actually have multiple agendas.  To date, transparency has never been tried, however.  But there are rumours that current depressed bank valuations are in part a market reaction to the fundamental lack of transparency of the banks.  RISKVIEWS hopes that one of the banks tries to be transparent and shows the rest of the sector what happens to their valuation.  US insurers have operated with extremely high transparency for some risks but total lack of transparency for others.  RISKVIEWS hopes that the insurance regulators will stop being agreeable to that situation.

5.  More Capital &

6.  Excessive Leverage  –  these two points are the same.  More capital is less risky, More leverare is more risky.

7.  Leadership – In most companies, leadership is more aggressive than the rank and file of the firm.  And the risk reward equation for top management and the rank and file is totally different as well.  See #1, above.

8.  Preferred Treatment – Why doesn’t the SEC simply mandate disclosure of who gets paid what under different scenarios.  And mandate that be disclosed to new purchasers of a security?  At least to those who intend to hold the security for more than 15 minutes.

9.  Fragile structures – Insurers and banks are being asked to present “stress to failure” tests to show regulators what degree of stress would cause them to fail.  Perhaps that would be a good disclosure for investors as well.  What sort of stress causes a structure to fail?

10.  Mistakes – This is a good reason for diversification.  Into totally different sorts of investments in totally different sectors.  Mistakes can be made from entire secotrs, as we saw in the financial crisis.

But read the ABC comments.  They are all good as well.