Archive for October 2013

Ignoring a Risk

October 31, 2013

Ignoring is perhaps the most common approach to large but infrequent risks.

Most people think of a 1 in 100 year event as something so rare that it will never happen.

But just take a second and look at the mortality risk of a life insurer.  Each insured has on average around a 1-2 in 1000 likelihood of death in any one year.  However, life insurers do not plan for zero claims.  They plan for 1-2 in 1000 of their policies to have a death claim in any one year.  No one thinks it odd that something with a 1-2 in 1000 likelihood happens hundreds of times in a year.  No one goes around scoffing at the validity of the model or likelihood estimate because such a rare event has happened.

But somehow, that seemingly totally simple-minded logic escapes most people when dealing with other risks.  They scoff at how silly it is that so many 1 in 100 events happen in a year.  Of course, they say, such estimates of likelihood MUST be wrong.

So they go forth ignoring the risk and ignoring the attempts at estimating the expected frequency of loss.  The cost of ignoring a low frequency risk is zero in most years.

And of course, any options for transferring such a risk will have both an expected frequency and an uncertainty charge built in, which makes those options much too expensive.

The big difference is that a large life insurer takes on hundreds of thousands and in the largest cases, millions of exposures to the 1-2 in 1000 risks. Of course, the law of large numbers turns these individual ultra low frequency risks into a predictable claims pattern, in many cases one with a fairly tight distribution of possible claims.

But because they are ignored, no one tries to find out how many of those 1 in 100 risks we are exposed to.  But the statistics of 20 or 50 or 100 totally unrelated 1 in 100 risks are exactly the same as the life insurance math.

With 100 totally unrelated independent 1 in 100 risks, the chance of one or more turning into a loss in any one year is 63%!

And the most common reaction to the experience of a 1 in 100 event happening is to decide that the statistics are all wrong!

After Superstorm Sandy, NY Governor Cuomo told President Obama that NY “has a 100-year flood every two years now.”  Cuomo had been governor for less than two full years at that point.

The point is that organizations must go against the natural human impulse to separately decide to ignore each of their “rare” risks and realize that the likelihood of experiencing one of these rare events is not so rare; what is uncertain is which one.
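An added example (not from the original post) that works through the arithmetic above in Python: the chance of at least one loss among 20, 50 or 100 independent 1 in 100 risks, and why a life insurer's claim count is predictable while the loss count of a 100-risk portfolio is not. The 1,000,000-policy portfolio and the 1.5 in 1000 mortality rate are assumed illustrative values inside the ranges the post gives.

```python
import math


def prob_at_least_one(n_risks, annual_prob):
    """Chance that one or more of n independent risks produces a loss this year."""
    return 1.0 - (1.0 - annual_prob) ** n_risks


def prob_at_least_k(n_risks, annual_prob, k):
    """Chance of k or more losses in a year (upper tail of the binomial)."""
    below_k = sum(
        math.comb(n_risks, j) * annual_prob**j * (1.0 - annual_prob) ** (n_risks - j)
        for j in range(k)
    )
    return 1.0 - below_k


def loss_count_stats(n_exposures, annual_prob):
    """Mean, standard deviation and coefficient of variation of the yearly loss count."""
    mean = n_exposures * annual_prob
    std = math.sqrt(n_exposures * annual_prob * (1.0 - annual_prob))
    return mean, std, std / mean


if __name__ == "__main__":
    # The post's 20, 50 and 100 unrelated 1 in 100 risks.
    for n in (20, 50, 100):
        print(f"{n:>3} risks: P(at least one loss) = {prob_at_least_one(n, 0.01):.1%}")

    # Even two or more losses in the same year is not a freak outcome.
    print(f"100 risks: P(two or more losses) = {prob_at_least_k(100, 0.01, 2):.1%}")

    # Assumed insurer: 1,000,000 policies at 1.5 deaths per 1000 per year.
    mean, std, cv = loss_count_stats(1_000_000, 0.0015)
    print(f"insurer: {mean:.0f} claims expected, std dev {std:.0f}, CV {cv:.1%}")

    # Same math for the 100-risk portfolio: one loss expected, but the
    # standard deviation is as large as the mean, so which year and which
    # risk cannot be predicted.
    mean, std, cv = loss_count_stats(100, 0.01)
    print(f"100 risks: {mean:.0f} loss expected, std dev {std:.2f}, CV {cv:.0%}")
```

The insurer's coefficient of variation is under 3%, which is the "fairly tight distribution" the post describes; the 100-risk portfolio expects the same kind of event once a year but with a coefficient of variation near 100%.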

Reviewing a Risk Control Framework

October 29, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk, that is risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisation’s armoury that can be used to ensure that the organisation achieves its strategic goals, with regard to an accepted and monitored level of risk.

There needs to be commitment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required, as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization’s vision is all about what is possible, all about potential and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger picture view of what’s going on and that the risk control framework needs to be informed by this. I really want to get across that the risk management needs to be aligned to what the organisation is trying to achieve >.

The RCF can act as a focus and ensure that:

  • There are no gaps and that there is appropriate accountability
  • The organisation’s objectives are aligned with the RCF
  • The reporting mechanisms and management system are embedded – this could be a driver of culture
  • Uniform risk criteria and evaluation metrics are created – those accountable know how they are going to be measured

Much risk is derived from a company’s culture (think investment banking culture/ENRON etc.), and the ease of implementing the key stages will also depend on culture. For example, the risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF), the following internal factors (using the McKinsey 7S framework) should be considered:

Hard factors (tangible)

Systems

  • Are there systems in place that can assist in risk identification and monitoring?
  • Can an IT solution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RI’s)?
  • What are the legal minimums with respect to certain risks, how is compliance measured?
  • Is there information already gathered?

Strategy

  • Does strategic planning consider risk management, is it open to this, can risk management contribute?
  • Does risk management have board level support?
  • What is the organisation’s risk appetite?
  • What is the organisation’s risk tolerance?

Structure

  • Is the risk management function senior enough to have an influence?
  • Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross function risks?
  • Is there a forum for considering emergent risks?
  • Are there regional or location specific risks to consider, how integrated is the whole approach?

Soft factors (intangible)

Style

  • The way management goes about solving problems, listening or dominant; there are ways to measure this
  • Passive vs active management
  • Business goal driven or risk averse
  • Who makes the key decisions – who is involved – is this structured?  Does risk management get a seat?

Staff

  • The collective presence of the people – different styles will appeal to certain types: gung ho vs risk averse
  • How actively is the framework managed: active “positive assurance” or passive “nothing has come my way”?
  • Are staff time poor, are there dedicated risk staff in business units?
  • Is risk perceived as compliance rather than business driven?

Skills

  • Adaptable, thoughtful, processing?
  • Is there sufficient understanding of what is risky and what is unknown?
  • Are the risks able to be measured?
  • Are there enough skilful communicators to ensure that messages sent are received in the same context internally?

Shared Values

  • Infighting between depts, risk mgmt seen as an inhibitor rather than strategic?
  • Is the company’s strategic vision embedded in the culture, is each department headed in the same direction?
  • Are there interdepartmental meetings happening or a siloed approach?
  • How are decisions made, centralised vs local, is this effective, who has the final say?

The above can act as a litmus test to assess the receptiveness or otherwise of the organisation to risk management in general. An important part is the links between the factors. For risk management to be effective it needs to be part of “the way things are done around here”, i.e. the company’s culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework (RCF):

  • Risk identification
  • Risk monitoring
  • Policies and limits
  • Risk Treatment
  • Limit Compliance
  • Feedback

Effectiveness

It can often be difficult to measure the effectiveness of controls, as the events that the controls are in place to prevent never happen. This lack of events could reflect an effective control well implemented or an unnecessary control (similar to the old anti-elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

Ad Hoc Risk Control Framework

  • Risk identification – Not all significant risk exposures have been identified.
  • Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
  • Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
  • Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

  • Risk identification – Significant risk exposures are believed to have been identified.
  • Risk monitoring – Company’s risk monitoring is performed post-event and tends to miss events before they occur.
  • Policies and limits – Risk limits are documented, but they have limited impact prior to an event; that is, they do not have any impact on operational decision making.
  • Risk Treatment – Risk-management activities are not laid out, but are raised to management.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures.
  • Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
  • Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advanced Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures. This is holistic and done as part of the usual way of doing business.
  • Risk monitoring – Company monitors all significant risks as a matter of course.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company; these are embedded and part of normal routines, they never get challenged and don’t get in the way of the business.
  • Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are almost never challenged.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Rational Adaptability is needed for risk management success

October 28, 2013

There is no single approach to risk management that will work for all risks nor, for any one risk, is there any one approach to risk management that will work for all times.  Rational Adaptability is the strategy of altering your approach to risk management with the changes in the risk environment.

Willis Re execs Dave Ingram and Alice Underwood have teamed with anthropologist Michael Thompson to produce a series of articles that discuss the four risk environments and four risk management strategies that are linked to four risk attitudes adapted from anthropology work from the 1980s.

The four risk attitudes are: Pragmatists, who believe that the world is uncertain and unpredictable; Conservators, whose world belief is of peril and high risk; Maximizers, who see the world as low-risk and fundamentally self-correcting; and Managers, whose world is moderately risky, but not too risky for firms that are guided properly.

We have been living through an Uncertain risk environment where the optimal risk management strategy is Diversification of risks.  The height of the Financial Crisis was, of course, a Bust risk environment where the optimal strategy was Loss Controlling.  Prior to the crisis, some sectors were experiencing a Boom risk environment where Risk Trading was the best strategy.  And the long Moderate environment that preceded the boom for many years resulted in many companies adopting a Risk Steering strategy to optimize risk and reward.

These ideas were presented by Alice, Dave and Mike at two conferences in Europe in 2012 and published as a series of six articles on the InsuranceERM webzine.  Those six articles have been compiled into a single report by InsuranceERM that is now available from their website.

This is just the latest in a long series of work on this topic (and the most comprehensive to date).  Please see https://riskviews.wordpress.com/plural-rationalities/ for a comprehensive look at this work over the past several years.

EMERGING RISKS SURVEY

October 24, 2013

 TAKE PART IN THE ANNUAL EMERGING RISKS SURVEY

The Joint Risk Management Section, sponsored by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries, is interested in better understanding how risk managers deal with emerging risks. 

This online survey is a follow-up to earlier surveys of emerging risks and will help to provide insight to evolving trends.

We would greatly appreciate you taking the time to complete the survey by November 12. It should take about 10 minutes to complete the basic survey. We hope you will share your thoughts and experiences in comment boxes.
All responses are anonymous.

If you have questions about the survey, please contact Barbara Scott.

Thanks very much for your consideration!
 

Follow this link to the Survey:
Take the Survey

Or copy and paste the URL below into your internet browser:
http://soa.qualtrics.com/WRQualtricsSurveyEngine/?SID=SV_enCCsQQRC69rImF&RID=MLRP_42djj6AnslfxzjT&_=1

Hit Me!

October 23, 2013

RISKVIEWS just noticed that this blog had exactly 150,000 hits as of today!

In the scheme of things on the web that is an extremely small number.  But this is a blog about risk management that has no particular marketing scheme, nor any idea of making anyone any money.  RISKVIEWS also writes for the WillisWire blog and a post there will get 25,000 hits in a week.

But from RISKVIEWS’ point of view, 150,000 is an amazing number of hits.  It is really hard to imagine.

WordPress has a statistical package that tells me that RISKVIEWS has had 107 hits today and 242 on the day with the most hits. 

Over half the hits to RISKVIEWS are folks looking at the collection of Risk Management Quotes.

But there is a surprising degree to which visitors are looking at many of the old posts on the blog.  That is gratifying.  Only a few posts are in any way time sensitive.  It is good to know that old posts are still seen as potentially worthwhile by visitors.

So if you ended up on this page and were expecting some wise words about risk and risk management, feel free to browse the categories listed on the right.  I would recommend that you try Uncertainty.  RISKVIEWS always likes writing about that.

And by the time RISKVIEWS was done typing this, the count was up to 150,005. 

Many Thanks!

Decisions under partial information

October 22, 2013

Yesterday, RISKVIEWS admitted puzzlement regarding the following question from a study about decisions involving risk:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below in this order:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision
(5) Avoid taking risks
(6) Delegate the decision

Did you guess why?  Well the answer is pretty simple.  The six choices here did not include the possibility of actually making a decision!

Risk managers need to realize that the people actually running a business sometimes (often?) need to make decisions with very partial information.  All too often, risk managers act as second guessers, making judgements on decisions made with partial information, judgements that are based on much more information and also informed by time-consuming and lengthy analysis.

The right answer for business decisions involving risk is not any of these choices:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision
(5) Avoid taking risks
(6) Delegate the decision

The risk manager would be much more useful to the organization if instead of the second guessing, they spent time developing ways to incorporate risk into decisions that are made under partial information.

Key to such a process would be the development of methods to estimate risk without full risk model runs, without full data and without lengthy analysis.

 

Decisions, Decisions

October 20, 2013

Someone did a paper on making decisions under risk.  As part of that study, they did a survey.  Here is one of the questions:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below in this order:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision
(5) Avoid taking risks
(6) Delegate the decision

How would you rank these choices?

RISKVIEWS is puzzled by the question.  Can you guess why?  Answer tomorrow.
