Seven Choices

Risk Management literature often portrays four choices for risk managers, avoid, transfer, mitigate or accept.
On The Southern Project Manager, Harry Hall suggests that there are actually seven choices:

The additions are all variations on the original four choices, but they are valuable alterations in point of view.  Away from the totally negative view that looks at risk as something bad that you want to get away from if at all possible.

RISKVIEWS particularly likes the choice of ENHANCE.  That means to improve your upside, usually by adding resources to make execution more effective.

A worthwhile read!

G20 Risk Management Directive 2008

RISKVIEWS sometimes remarks that ERM is the only management system that has been endorsed by the heads of state of the 20 largest economies (G20).  The following is an excerpt from the G20 directive from the fall of 2008.

Risk Management

Immediate Actions by March 31, 2009

•  Regulators should develop enhanced guidance to strengthen banks’ risk management practices, in line with international best practices, and should encourage financial firms to reexamine their internal controls and implement strengthened policies for sound risk management.

•  Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including by creating strong liquidity cushions.

•  Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large counterparty risk positions across products and geographies.

•  Firms should reassess their risk management models to guard against stress and report to supervisors on their efforts.

•  The Basel Committee should study the need for and help develop firms’ new stress testing models, as appropriate.

•  Financial institutions should have clear internal incentives to promote stability, and action needs to be taken, through voluntary effort or regulatory action, to avoid compensation schemes which reward excessive short-term returns or risk taking.

•  Banks should exercise effective risk management and due diligence over structured products and securitization.

Looking at this list several years on and from outside of banking, we can ask if other financial institutions can get anything from these points.  So we rephrase these points as questions (and provide preliminary answers for the insurance sector):

1. Are firms aware of risk management best practices?  Most of the larger firms are aware.  Quite a number of small to medium sized firms are not aware of best practices. 
2. Are firms managing liquidity risk?  Most insurers have provided for a very large range of liquidity needs. 
3. Are firms managing concentration risks?  Cat modeling provides information to most insurers about their property concentrations.  Other concentrations may not be as well attended to. 
4. Do firms assess their risk models?  Insurers that had risk models before the crisis are much more wary of those models now.  The insurance sector in the US has been slow in general to adopt a full company modeling approach.  Insurers in Europe and in much of the rest of the world have adopted full company models for Solvency II compliance purposes.  With the delay of Solvency II implementation, it remains to be seen whether those models will be used or shelved until required.  Actions taken purely to satisfy regulation tend to be less effective. 
5. Are firms using stress tests?  Most firms are using stress tests.  AM Best is urging all those who do not to develop the capability.
6. Do compensation programs incent decreasing or increasing stability?  Most incentive programs do not reflect risk and therefore may incent increasing instability. 
7. Do firms apply special diligence to more complicated risk structures?  Most non-life insurers do not tend to participate in complicated risk structures.  Many life insurers do manufacture and sell products with complicated embedded options and took large losses from those products in both 2001 and 2008 because they either did not try to hedge the risks (2001) or had hedging programs that did not perform as needed (2008).  All who offer these products have made serious adjustments to their offering, their hedging or both, but it remains to be seen whether that situation will hold until the next financial crisis disrupts things in an unanticipated manner.

So five years later, the insurance sector seems to have acted on the six points made by the G20 in 2008.  But there are many other elements to a fully effective ERM program.  The ongoing theme of the G20 follow through on risk management through the Financial Stability Board is extremely bank centric.  Insurers who rely upon this source of motivation for ERM will have the elements of ERM for their risks that line up with banks and little ERM for the insurance risks that predominate their operations.

In addition, banks and their supervisors do not seem to be even thinking about a true enterprise wide view of risk.  Insurers that have taken up ERM are adamant about such a view being central to their ERM program.

Efficiency can harm Resilience

Business people with Financial and Analytical training are schooled in the Improve approach to business management.  With the Improve approach, the business operations are subjected to continual process of looking for ways to get more out of the same resources or to use less resources to get the same results.  The Improve approach can be applied at a micro level, to each separate activity of the business.  It can also be applied at the macro level, where macro planning exercizes such as capital budgeting seek to get better returns for the available amount of capital.  An optimization process is the ultimate objective of an Improve mindset, where optimization seeks to find the best return that can be achieved with the available capital.   

 

For many situations, the Improve strategy can work well.  But there are situations when the Improve strategy starts to erode Resilience.

You all likely to remember fondly your first big win with an Improve approach.  You came in and quickly identified something that was ripe for a change.  Something where the operations were highly inefficient and you made sure that things changed and a big turnaround happened.  You really felt that you added to company value and to your own reputation. 

 

 Over time you were able to make many such improvements, on this picture, moving virtually everything on to the efficient frontier. 

Then you felt the need to find more wins.  You were imagining that you could help to completely change the game, to move the possibilities upwards.  Onto a new and more favorable frontier.  But in some cases, what happened instead is that you did change the game, but what you did was not exactly improve efficiency of the system, instead, you started to reduce the amounts of redundant resources of the system.  That improves the expected returns, but often drastically reduces Resilience.  On the picture above, you wanted to move from A* to A++ and instead you moved to A–.  You got the extra return that you wanted but increased the risk and reduced the resilience.  Some of the slack that you removed from the system was really needed, the system becomes very fragile without it.   You were not actually moving to a new more efficient frontier, you were simply adding risk and return. 

A simple example of this is with supply chain risk.  There are two examples of how supply chain choices can look like improvements in efficiency but are at least in part a decrease in resilience.

• The company had been dealing with 5 suppliers.  Those suppliers had different levels of costs and their competitiveness among them varied quarter by quarter.  You make a long term deal with one supplier to deliver the item at a fixed cost that is lower than what you had ever paid to the most competitive of the 5 suppliers.  The argument was that with the certainty of demand, they could be more efficient and pass along that efficiency to you with the lower price.  However, as many firms who relied upon a single Japanese supplier in 2011, the supply chain was now very sensitive to events that disrupt the single supplier. 
• The company has been manufacturing a key part to its main product forever.  However, under pressure to win a major contract, the company decides to sub contract the manufacture of that part to a low bidder.  The product is delivered and the sub contracted part fails.  Quite possibly, the savings that the sub contractor was able to deliver was achieved by reduction in expensive quality control.  When you selected the supplier, you were promised a level of quality control that was at least as strenuous as your own processes.  However, you had saved even more money by doing very little monitoring of the actual quality control.  By outsourcing, you had created a risk that the sub would not meet your quality standards and you did not recognize that assurance of those standards was something that you could not afford to outsource.  So the savings were achieved through increase in risk.  Again, not a move to a new frontier, but instead a rightward move along the old frontier to an option that you had all along when you manufactured the part yourself. 

How Does Strategic Risk Fit into an ERM Program?

When S&P was defining ERM for Insurance company rating purposes, Strategic Risk was deliberately and consciously left out. That was not because S&P thought that Strategic Risk was unimportant. It was because Strategic Risk was already a very important part of the rating process.

Strategic risk is that most fundamental risk for a business or other enterprise. It is the risk that there will no longer be a compelling reason for its continued existence.  The Strategic threat might be from a direct competitor, from major changes in customer behavior or from changing regulations.  (An illustrative, non-exhaustive list)

A Strategic risk is the risk that something will happen to your firm’s lead product or service similar to what happened to Internet Explorer.  In 2008, it had almost 70% market share.  In 2013, its maket share looks like it may fall to 20%.  In this case, the risk was from a competitor, Google.  (The scenario that played out was the exact story Microsoft told when its near monopoly was under attack.)

Strategic risks are rightly at the top of the list of concerns for top management of all companies including financial firms.  But there is not a great fit between these strategic risks and risk management.

Strategic risk is the topic of countless management books and it is also a favorite subject that is well covered in MBA programs.  In the past 50 years, management has been well schooled in the processes of identifying and managing strategic risk.  Try searching Amazon for books on Business Strategy.

The strategic risk does not easily lend itself to the control cycle approach that is fundamental to most other risk management.  And RISKVIEWS knows of no management teams that have willingly given over the management of strategic risk to the risk management staff.  That work is always a key task performed by top management.

So this leaves risk managers with a dilemma.  When they engage top management (or the board for that matter) in a discussion about risk identification, they will usually name strategic risks in at least 1/4 to 1/3 of the top risks.  Risk managers need to have an approach to dealing with that eventuality.  There are several possibilities:

• Put Strategic Risks off the table.  This is a common approach, but it creates a risk for the ERM program because it means that ERM will only deal with 2nd tier risks. Both Top Management and the Board will immediately or eventually drift away from paying any significant attention to ERM.
• Force Strategic Risk into the ERM template.  This means creating risk measures and limits and controls for Strategic Risks.  This approach is doomed to failure for a number of reasons.  First, as stated above, top management will not delegate Strategic Risk Management to the people who do the rest of risk management.  Second, Strategic risks do not lend themselves to the sort of statistical based measurement of most insurance, market and credit risks.  Strategic Risks are usually one time events.  When they happen, the company is dead or severely wounded.
• Create a side by side reporting process for Strategic Risks that uses some of the ideas from ERM to create some discipline for examining and discussing strategic risks.  What that means is that Strategic Risks would be included in a risk dashboard cover sheet of top risks that are reported regularly to the board.  The CEO or COO might be the risk owner.  Status and mitigation efforts can be reported just as other risks, but measurement would be purely subjective and hopefully not put into numeric terms in most cases.

With the side-by-side approach to Strategic Risk Management, the risks and activities are put in front of the board just as often as Insurance, Market, Credit and Operational Risks.  And in broadly the same format.  But most likely, all of Top Management and the Board will be totally engaged if a Strategic Risk gets into the red zone.