### Ignoring a Risk

October 31, 2013

Ignoring is perhaps the most common approach to large but infrequent risks.

Most people think of a 1 in 100 year event as something so rare that it will never happen.

But just take a second and look at the mortality risk of a life insurer. Each insured has on average around a 1-2 in 1000 likelihood of death in any one year. However, life insurers do not plan for zero claims. They plan for 1-2 in 1000 of their policies to have a death claim in any one year. No one thinks it odd that something with a 1-2 in 1000 likelihood happens hundreds of times in a year. No one goes around scoffing at the validity of the model or likelihood estimate because such a rare event has happened.

But somehow, that seemingly simple logic escapes most people when dealing with other risks. They scoff at how silly it is that so many 1 in 100 events happen in a year. Of course, they say, such estimates of likelihood MUST be wrong.

So they go forth ignoring the risk and ignoring the attempts at estimating the expected frequency of loss.  The cost of ignoring a low frequency risk is zero in most years.

And of course, any options for transferring such a risk will have both an expected frequency and an uncertainty charge built in, which makes those options much too expensive.

The big difference is that a large life insurer takes on hundreds of thousands and, in the largest cases, millions of exposures to the 1-2 in 1000 risks. Of course, the law of large numbers turns these individual ultra low frequency risks into a predictable claims pattern, in many cases one with a fairly tight distribution of possible claims.

But because they are ignored, no one tries to find out how many of those 1 in 100 risks we are exposed to. Yet the statistics of 20 or 50 or 100 totally unrelated 1 in 100 risks are exactly the same as the life insurance math.

With 100 totally unrelated independent 1 in 100 risks, the chance of one or more turning into a loss in any one year is 63%!

And the most common reaction to the experience of a 1 in 100 event happening is to decide that the statistics are all wrong!

After Superstorm Sandy, NY Governor Cuomo told President Obama that NY “has a 100-year flood every two years now.”  Cuomo had been governor for less than two full years at that point.

The point is that organizations must go against the natural human impulse to separately decide to ignore each of their “rare” risks and realize that the likelihood of experiencing one of these rare events is not so rare; what is uncertain is which one.
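The 63% figure and the life-insurance comparison above can be checked directly. The following Python is an added example, not part of the original post; the insurer with 500,000 policies at 1.5 deaths per 1000 is a constructed illustration within the ranges the post gives, and the risks are assumed independent, as in the post.

```python
import math


def prob_at_least_one(n, p):
    """Chance that one or more of n independent risks, each with annual
    probability p, turns into a loss in a given year."""
    return 1.0 - (1.0 - p) ** n


def prob_k_or_more(n, p, k):
    """Exact binomial tail P(losses >= k); intended for small portfolios."""
    below = sum(math.comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k))
    return 1.0 - below


def loss_count_stats(n, p):
    """Mean, standard deviation and coefficient of variation (sd / mean)
    of the yearly loss count, which is Binomial(n, p)."""
    mean = n * p
    sd = math.sqrt(n * p * (1.0 - p))
    return mean, sd, sd / mean


def report():
    lines = []
    # The post's 20, 50 and 100 unrelated 1-in-100 risks.
    for n in (20, 50, 100):
        lines.append(f"{n:>3} risks at 1 in 100: P(at least one loss) = "
                     f"{prob_at_least_one(n, 0.01):.1%}")
    lines.append("100 risks at 1 in 100: P(two or more losses) = "
                 f"{prob_k_or_more(100, 0.01, 2):.1%}")
    # Same binomial math at two scales. The insurer portfolio is constructed:
    # 500,000 policies at 1.5 deaths per 1000.
    for label, n, p in (("100 rare risks", 100, 0.01),
                        ("life insurer", 500_000, 0.0015)):
        mean, sd, cv = loss_count_stats(n, p)
        lines.append(f"{label}: expected losses = {mean:.0f}, "
                     f"sd = {sd:.1f}, sd/mean = {cv:.1%}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The expected count is what the insurer plans for; the sd/mean ratio shows why its claims pattern is tight while the holder of 100 rare risks sees anything from none to several losses in a year.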

### Reviewing a Risk Control Framework

October 29, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk, that is, risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisation’s armoury that can be used to ensure that the organisation achieves its strategic goals, with regard to an accepted and monitored level of risk.

There needs to be commitment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required, as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization’s vision is all about what is possible, all about potential and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger picture view of what’s going on and that the risk control framework needs to be informed by this. I really want to get across that the risk management needs to be aligned to what the organisation is trying to achieve.>

The RCF can act as a focus and ensure that:

• There are no gaps and that there is appropriate accountability
• The organisation’s objectives are aligned with the RCF
• The reporting mechanisms and management system are embedded – this could be a driver of culture
• Uniform risk criteria and evaluation metrics are created – those accountable know how they are going to be measured

Much risk is derived from a company’s culture (think investment banking culture, Enron, etc.), and the ease of implementing the key stages will also depend on culture. For example, the risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF), the following internal factors (using the McKinsey 7S framework) should be considered:

Hard factors (tangible)

Systems

• Are there systems in place that can assist in risk identification and monitoring?
• Can an IT solution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RI’s)?
• What are the legal minimums with respect to certain risks, and how is compliance measured?
• Is there information already gathered?

Strategy

• Does strategic planning consider risk management? Is it open to this? Can risk management contribute?
• Does risk management have board level support?
• What is the organisation’s risk appetite?
• What is the organisation’s risk tolerance?

Structure

• Is the risk management function senior enough to have an influence?
• Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross-function risks?
• Is there a forum for considering emergent risks?
• Are there regional or location-specific risks to consider? How integrated is the whole approach?

Soft factors (intangible)

Style

• The way management goes about solving problems: listening or dominant (there are ways to measure this)
• Passive vs active management
• Business goal driven or risk averse
• Who makes the key decisions? Who is involved? Is this structured? Does risk management get a seat?

Staff

• The collective presence of the people: different styles will appeal to certain types, gung ho vs risk averse
• How actively is the framework managed: active “positive assurance” or passive “nothing has come my way”?
• Are staff time poor? Are there dedicated risk staff in business units?
• Is risk perceived as compliance rather than business driven?

Skills

• Is there sufficient understanding of what is risky and what is unknown?
• Are the risks able to be measured?
• Are there enough skilful communicators to ensure that messages sent are received in the same context internally?

Shared Values

• Is there infighting between departments? Is risk management seen as an inhibitor rather than strategic?
• Is the company’s strategic vision embedded in the culture? Is each department headed in the same direction?
• Are there interdepartmental meetings happening, or is there a siloed approach?
• How are decisions made, centralised vs local? Is this effective? Who has the final say?

The above can act as a litmus test to assess the receptiveness or otherwise of the organisation to risk management in general; an important part is the links between the factors. For risk management to be effective it needs to be part of “the way things are done around here”, i.e. the company’s culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework (RCF):

• Risk identification
• Risk monitoring
• Policies and limits
• Risk Treatment
• Limit Compliance
• Feedback

Effectiveness

It can often be difficult to measure the effectiveness of effective controls, as the events that the controls are in place to prevent never happen. This lack of events could be due to an effective control well implemented or to an unnecessary control (similar to the old anti-elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

• Risk identification – Not all significant risk exposures have been identified.
• Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
• Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
• Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
• Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
• Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

• Risk identification – Significant risk exposures are believed to have been identified.
• Risk monitoring – Company’s risk monitoring is performed post-event and tends to miss events before they occur.
• Policies and limits – Risk limits are documented, but they have limited impact prior to an event; that is, they do not have any impact on operational decision making.
• Risk Treatment – Risk-management activities are not laid out, but are raised to management.
• Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
• Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

• Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures.
• Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
• Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
• Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
• Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
• Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

• Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures. This is holistic and done as part of the usual way of doing business.
• Risk monitoring – Company monitors all significant risks as a matter of course.
• Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company. These are embedded and part of normal routines; they never get challenged and don’t get in the way of the business.
• Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
• Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are almost never challenged.
• Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

### Rational Adaptability is needed for risk management success

October 28, 2013

There is no single approach to risk management that will work for all risks, nor, for any one risk, is there any one approach to risk management that will work for all times. Rational Adaptability is the strategy of altering your approach to risk management with the changes in the risk environment.

Willis Re execs Dave Ingram and Alice Underwood have teamed with anthropologist Michael Thompson to produce a series of articles that discuss the four risk environments and four risk management strategies that are linked to four risk attitudes, adapted from anthropology work from the 1980s.

The four risk attitudes are: Pragmatists, who believe that the world is uncertain and unpredictable; Conservators, whose world belief is of peril and high risk; Maximizers, who see the world as low-risk and fundamentally self-correcting; and Managers, whose world is moderately risky, but not too risky for firms that are guided properly.

We have been living through an Uncertain risk environment where the optimal risk management strategy is Diversification of risks.  The height of the Financial Crisis was, of course, a Bust risk environment where the optimal strategy was Loss Controlling.  Prior to the crisis, some sectors were experiencing a Boom risk environment where Risk Trading was the best strategy.  And the long Moderate environment that preceded the boom for many years resulted in many companies adopting a Risk Steering strategy to optimize risk and reward.

These ideas were presented by Alice, Dave and Mike at two conferences in Europe in 2012 and published as a series of six articles on the InsuranceERM webzine.  Those six articles have been compiled into a single report by InsuranceERM that is now available from their website.

This is just the latest in a long series of work on this topic (and the most comprehensive to date).  Please see https://riskviews.wordpress.com/plural-rationalities/ for a comprehensive look at this work over the past several years.

### Decisions under partial information

October 22, 2013

Yesterday, RISKVIEWS admitted puzzlement regarding the following question from a study about decisions involving risk:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below; in this order:

(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

Did you guess why?  Well the answer is pretty simple.  The six choices here did not include the possibility of actually making a decision!

Risk managers need to realize that the people actually running a business sometimes (often?) need to make decisions with very partial information. All too often, risk managers act as second guessers, making judgements on decisions made with partial information, judgements that are based on much more information and also informed by time-consuming and lengthy analysis.

The right answer for business decisions involving risk is not any of these choices:

(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

The risk manager would be much more useful to the organization if instead of the second guessing, they spent time developing ways to incorporate risk into decisions that are made under partial information.

Key to such a process would be the development of methods to estimate risk without full risk model runs, and without full data and without lengthy analysis.

### Decisions, Decisions

October 20, 2013

Someone did a paper on making decisions under risk.  As part of that study, they did a survey.  Here is one of the questions:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below; in this order:

(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

How would you rank these choices?

RISKVIEWS is puzzled by the question.  Can you guess why?  Answer tomorrow.

### Resilience for the Default

October 17, 2013

In a speech given at the NY Stock Exchange, RISKVIEWS said that there are four paths to Resilience, depending upon the economic environment:

• Boom – During the boom, the best resilience strategy is to grow!
• Bust – Triage is the best-suited resilience strategy for the bust.
• Moderate – During the moderate phase steadily improving is the best strategy.
• Uncertain – And the best strategy during uncertain times, as you have all figured out the hard way, is to diversify your business.

Many people and companies have been sticking with the Uncertain stage strategy – some for several years now. The political uncertainty has made that the sanest strategy. But when there is an actual default situation, we will all be faced with a choice: do we assume that we will be continuing on with the drabness of the Uncertain stage, or will we be popping into the Bust stage?

It makes a big difference to corporate and personal actions.

Under a continuation of the Uncertain phase, the best strategy is to continue with the small decisions to incrementally grow or shrink operations.  Not making any big commitments or any big decisions.  The firms that emerge successfully when the economy finally climbs out of Uncertainty are those who are already doing something that becomes a booming growth area.  But only if they quickly recognize that the Uncertainty has ended and they shift into growth mode.

If the default creates a Bust environment, the companies who will be best off will be those who most quickly realize that and who immediately start to trim their less successful activities and associated expenses.  These firms will deplete less of their resources defending a losing business and be better prepared to protect their core business through the Bust period.  The ultimate winners will also need to recognize the end of the Bust and still have the resources to support the slow (or fast) growth that marks the end of the Bust.

This is where those scenarios come in handy.  A company that has worked its way through the scenarios of the changes in environment will be better prepared to make these decisions about shifts in the environment.

### Default Scenarios

October 16, 2013

What are the scenarios that you have been thinking about with the US Government Default situation?

NBC News has seven.

1.  Depression and Unemployment

2.  Dollar down, prices and rates up

3.  Down go investments

4.  Social security payments halt

5.  Banking operations freeze

6.  Money market funds break

7.  Global markets walloped

If you are a risk manager, you have probably already worked through your nightmare scenario and have at least some idea of what you might do.

But if you are like the rest of us, you are probably just betting that they will work it out in the end.

Deep in our hearts, we would all choose a scenario with no surprises.  Peter Wack, the father of scenario planning at Shell

My personal scenario is a muddle through.  Just like in the situation of the Lehman default, where the decision was not to act until they saw the repercussions of the default ripple through global financial markets, the US Congress fails to reach a deal until some payments are delayed.  The Treasury goes forward with the deferral process – paying bills in order of when they were due once they have the money.  This goes on for a week or two and several of the NBC scenarios start to happen all at once.  Then Congress finally acts and extends the debt ceiling.

They are still all wrapped up in their own world though and they only pass an extension that will work for several months.  This turns out to be not enough to calm the markets and the chaos continues, even though the US is now paying its bills.

Ultimately, it results in the development of an alternate structure for the global reserve currency.  This results in a permanent rise in the cost of funds for the US government.  Which is itself catastrophic given the historically high debt levels and the long term government funding crisis.

But wait, discounting to the rescue. With interest rates higher, the future value of many long term obligations, especially at the state and local level, suddenly shifts downwards. The funds that did the least to immunize themselves to interest rate shifts are saved by the power of compound interest as pension obligations magically shrink.

In the end, we – that is the developed countries that depend upon the modern financial system for our wealth – are all poorer by a third or more.  And the US eventually votes one party or the other into a majority position and we try one of their solutions for a time.

But that drop in wealth is only recovered over a generation.