How many significant digits on your car’s speedometer?

Regulatory regimes require companies to waste huge amounts of money on useless precision of risk evaluation.

Riskviews

Mine only shows the numbers every 20 and has markers for gradations of 5. So the people who make cars think that it is sufficient accuracy to drive a car that the driver know the speed of the car within 5.
And for the sorts of things that one usually needs to do while driving, that seems fine to me. I do not recall ever even wondering what my speed is to the nearest .0001.

That is because I never need to make any decisions that require the more precise value.
What about your economic capital model? Do you make decisions that require an answer to the nearest million? Or nearest thousand, or nearest 1?  How much time and effort goes into getting the accuracy that you do not use?

What causes the answer to vary from one time you run your model to another?  Riskviews tries to think of…

View original post 372 more words

Advertisement

Whose Job is it to do ERM?

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job, is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assigning responsibility for the risk identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

ERM Practices: Risk Organization

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Identification

Risk Measurement

Risk Limits and Controls

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Risk Organization

CEO is still the Real CRO

Chief Scapegoat in Waiting

Tug of War

Doing ERM is the Control Cycle

RISKVIEWS has commented many times that Risk MANAGEMENT is not a spectator sport.  It is all about DOING.

If Risk Management never results in the firm DOING something different than what would have been done before Risk Management  – then STOP IMMEDIATELY.  You are wasting your time and money.

The DOING part of Risk Management is not particularly tricky or difficult.  Doing ERM is accomplished with a Control Cycle.

In fact Doing ERM is accomplished with one control cycle for each major risk and one control cycle over all risks in total.

WillisWire has recently featured a piece on risk limits and the risk control cycle that would apply to each major risk.

ERM Practices: Risk Limits and Controls

Which is from the 14 part ERM Practices for Insurance Company ORSA series.  The other pieces in that series so far are:

Risk Identification  and

Risk Measurement

RISKVIEWS has often posted about Control Cycles as well.  Here are two examples:

Controlling with a Cycle about the control cycles for each risks and

ERM Control Cycle about the overall ERM control of total risk

You need good Risk Sense to run an insurance company

It seems to happen all too frequently.

A company experiences a bad loss and the response of management is that they were not aware that the company had such a risk exposure.

For an insurance company, that response just isn’t good enough.  And most of the companies where management has given that sort of answer were not insurers.

At an insurance company, managers all need to have a good Risk Sense.

Risk Sense is a good first order estimate of the riskiness of all of their activities. 

Some of the companies who have resisted spending the time, effort and money to build good risk models are the companies whose management already has an excellent Risk Sense.  Management does not see the return for spending all that is required to get what is usually just the second digit.

By the way, if you think that your risk model provides reliable information beyond that second digit, you need to spend more time on model validation.

To have a reliable Risk Sense, you need to have reliable risk selection and risk mitigation processes.  You need to have some fundamental understanding of the risks that are out there in the areas in which you do business.  You also need to  be constantly vigilant about changes to the risk environment that will require you to adjust your perception of risk as well as your risk selection and mitigation practices.

Risk Sense is not at all a “gut feel” for the risk.  It is instead more of a refined heuristic.  (See Evolution of Thinking.)  The person with Risk Sense has the experience and knowledge to fairly accurately assess risk based upon the few really important facts about the risks that they need to get to a conclusion.

The company that needs a model to do basic risk assessment, i.e. that does not have executives who have a Risk Sense, can be highly fragile.  That is because risk models can be highly fragile.  Good model building actually requires plenty of risk sense.

The JP Morgan Chase experiences with the “London Whale” were a case of little Risk Sense and staff who exploited that weakness to try to get away with excessive risk taking.  They relied completely on a model to tell them how much risk that they were taking.  No one looked at the volume of activity and had a usual way to create a good first order estimate of the risk.  The model that they were using was either inaccurate for the actual situation that they were faced with or else it was itself gamed.

A risk management system does not need to work quite so hard when executives have a reliable Risk Sense.  If an executive can look at an activity report and apply their well honed risk heuristics, they can be immediately informed of whether there is an inappropriate risk build up or not.  They need control processes that will make sure that the risk per unit of activity is within regular bounds.  If they start to have approved activities that involve situations with much higher levels of risk per unit of activity, then their activity reports need to separate out the more risky activities.

Models are too fragile to be the primary guide to the level of risk.  Risk taking organizations like insurers need Risk Sense.

Can’t skip measuring Risk and still call it ERM

Many insurers are pushing ahead with ERM at the urging of new executives, boards, rating agencies and regulators.  Few of those firms who have resisted ERM for many years have a history of measuring most of their risks.

But ERM is not one of those liberal arts like the study of English Literature.  In Eng Lit, you may set up literature classification schemes, read materials, organize discussion groups and write papers.  ERM can have those elements, but the heart of ERM is Risk Measurement.  Comparing those risk measures to expectations and to prior period measures.  If a company does not have Risk Measurement, then they do not have ERM.

That is the tough side of this discussion, the other side is that there are many ways to measure risks and most companies can implement several of them for each risk without the need for massive projects.

Here are a few of those measures, listed in order of increasing sophistication:

1. Risk Guesses (AKA Qualitative Risk Assessment)
– Guesses, feelings
– Behavioral Economics Biases
2. Key Risk Indicators (KRI)
– Risk is likely to be similar to …
3. Standard Factors
– AM Best,  S&P, RBC
4. Historical Analysis
– Worst Loss in past 10 years as pct of base (premiums,assets).
5. Stress Tests
– Potential loss from historical or hypothetical scenario
6. Risk Models
– If the future is like the past …
– Or if the future is different from the past in this way …

More discussion of Risk Measurement on WillisWire:

Guide to ERM: Risk Measurement & Reporting

     Part 2 of a 14 part series

Start with a Risk Profile

And on RISKVIEWS:

Measuring Risks

Risk Assessment –  55 other posts relating to risk measurement and risk assessment.

Reviewing the Risk Environment

The new US Actuarial Standards of Practice 46 and 47 suggest that the actuary needs to assess the risk environment as a part of risk evaluation and risk treatment professional services. The result of that evaluation should be considered in that work.

And assessment of the risk environment would probably be a good idea, even if the risk manager is not a US actuary.
But what does it mean to assess the risk environment?  One example of a risk environment assessment can be found on the OCC website.  They prepare a report titled “Semi Annual Risk Perspective“.

This report could be a major source of information, especially for Life Insurers, about the risk environment.  And for Non-Life carriers, the outline can be a good road map of the sorts of things to review regarding their risk environment.

Part I: Operating Environment

• Slow U.S. Economic Growth Weighs on Labor Market
• Sluggish European Growth Also Likely to Weigh on U.S. Economic Growth in Near Term
• Treasury Yields Remain Historically Low
• Housing Metrics Improved
• Commercial Real Estate Vacancy Recovery Uneven Across Property Types

Part II: Condition and Performance of Banks.

A. Profitability and Revenues: Improving Slowly..

• Profitability Increasing .
• Return on Equity Improving, Led by Larger Banks .
• Fewer Banks Report Losses
• Noninterest Income Improving for Large and Small Banks.
• Trading Revenues Return to Pre-Crisis Levels
• Counterparty Credit Exposure on Derivatives Continues to Decline ………….
• Low Market Volatility May Understate Risk
• Net Interest Margin Compression Continues..

B. Loan Growth Challenges

• Total Loan Growth: C&I Driven at Large Banks; Regionally Uneven for Small Banks….

• Commercial Loan Growth Led by Finance and Insurance, Real Estate, and Energy …

• Residential Mortgage Runoff Continues, Offsetting Rising Demand for Auto and Student Loans………….

C. Credit Quality: Continued Improvement, Although Residential Real Estate Lags

• Charge-Off Rates for Most Loan Types Drop Below Long-Term Averages
• Shared National Credit Review: Adversely Rated Credits Still Above Average Levels .
• Significant Leveraged Loan Issuance Accompanied by Weaker Underwriting.
• New Issuance Covenant-Lite Leveraged Loan Volume Surges .
• Commercial Loan Underwriting Standards Easing .
• Mortgage Delinquencies Declining, but Remain Elevated.
• Auto Lending Terms Extending ..

Part III: Funding, Liquidity, and Interest Rate Risk

• Retention Rate of Post-Crisis Core Deposit Growth Remains Uncertain
• Small Banks’ Investment Portfolios Concentrated in Mortgage Securities
• Commercial Banks Increasing Economic Value of Equity Risk

Part IV: Elevated Risk Metrics

• VIX Index Signals Low Volatility…
• Bond Volatility Rising but Near Long-Term Average
• Financials’ Share of the S&P 500 Rising but Remains Below Average
• Home Prices Rising .
• Commercial Loan Delinquencies and Losses Decline to Near or Below Average ..
• Credit Card Delinquencies and Losses Near Cyclical Lows .

Part V: Regulatory Actions

• Banks Rated 4 or 5 Continue to Decline
• Matters Requiring Attention Gradually Decline
• Enforcement Actions Against Banks Slow in 2013

For those who need a broader perspective, the IMF regularly publishes a report called World Economic Output.  That report is much longer but more specifically focused on the general level of economic activity.  Here are the main chapter headings:

Chapter 1. Global Prospects and Policies

Chapter 2. Country and Regional Perspectives

Chapter 3. Dancing Together? Spillovers, Common Shocks, and the Role of Financial and Trade Linkages

Chapter 4. The Yin and Yang of Capital Flow Management: Balancing Capital Inflows with Capital outflows

The IMF report also includes forecasts, such as the following:

 

Building Risk Culture is a two legged beast

RISKVIEWS is reading about Business Organizational Culture – particularly the Corporate Culture Survival Guide by Edgar Shein.

Shein suggests that culture has three aspects:  Artifacts, Espoused Values and Underlying Assumptions.  Artifacts are what you can easily see happening. Espoused Values are public statements about what is wanted, things like policies and mission statements. Underlying Assumptions are the part of culture that is difficult (not impossible) to discern and very time consuming to change.  These are the things that really determine the choices and decisions of the firm.

Shein suggests that culture is formed as a new company has the successes that cause it to survive and thrive.  The initial culture is a combination of the vision and rules of the founder along with the learned values from those early experiences.

He says that culture change comes about when the Underlying Assumptions no longer seem to work and people can feel motivated to learn new approaches that if they succeed, become the new Underlying Assumptions.

To me, RISK seems particularly difficult for this process.  Most new ventures are founded with a willful disregard for RISK.  So it is relatively rare for a newer firm to have a healthy respect for risk.

In addition, the result of good risk management is a reduction in the likelihood of the experience of undesirable adverse events (UAEs).  That is also the outcome from LUCK.  In both cases, the indication of good results is a LACK of bad experience.

The Risk Culture develops as the firm experiences adverse outcomes and then only if they learn that a risk management process can reduce the likelihood that they will experience UAEs.  Otherwise, the Underlying Assumption will be that whatever the firm is doing is just right to avoid those UAEs.  Sort of like the sports star who failed to shave before the game where they scored 2 goals, so they forever after deliberately do not shave on the day of a game.

Building or Changing a Risk Culture, in my opinion, involves teaching the idea that a deliberate and comprehensive risk management process can accomplish the reduction in likelihood of UAEs.

The students may be very responsive after a major adverse experience.  Otherwise, the Risk Culture Builder needs to depend on stories of other companies that succeed and fail to avoid the major adverse experiences.

The Risk Culture Builder must be prepared to turn every experience of the organization and of other organizations into stories that support the formation of a positive Risk Culture. But it takes an extremely good story teller to create motivation to adopt a healthy Risk Culture from stories of other companies.

Risk Management is actually more about managing tendencies than actual management of UAEs.  Which is one of the things that makes Risk Culture Building particularly difficult.  Most people will judge the Risk Culture successes in terms of the actual losses experienced.  Meaning, if there are losses, then risk management is not worth the trouble.

Risk Management will only result in near zero losses if the risk tolerance is near zero.  And then only if the risk manager is given the nearly unlimited budget that it takes to actually eliminate most risk.

Instead, what can be expected from Risk Management, that is from a tendency to reduce frequency and/or severity of UAEs is loss experience that is better than those who do not practice risk management on the average, over time, when adjusted for differences in the inherent risk profile of the different organizations.

In building and reinforcing the risk culture, the Risk Culture Builder needs to be ready to explain how well (or poorly) that the company is succeeding with that.

Because ultimately, those stories, the stories of how the risk management program is succeeding or how the lack of risk management has failed are an extremely important leg of the risk culture building process.

The other leg (risk management culture is a two legged beast), is the story of how the risk management program needs to work to support achievement of the risk appetite.  That story needs to be told, not in terms of explaining the parts of a risk management framework, but instead that story is about the outcomes to be expected.

So for both legs, or both stories, the Risk Culture Builder needs to have a clear idea in mind of how the results of risk management will be demonstrable.

And that is another story.

Risk Identification – don’t just mail it in

ERM programs all start out with a suggestion that you must identify your risks.

Many folks take this as a trivial exercize.  But it is not.  There are two important reasons why not:

1. Everyone has risks in the same major categories, but the way that those categories are divided into the action level is important.  All insurers have UNDERWRITING RISK.  But almost all insurers should be subdividing their UDERWRITING RISK into major subcategories, usually along the lines that they manage their insurance business.  Even the very smallest single line single state insurers sub divide their insurance business.  Risks should also be subdivided.
2. Names are important.  Your key risks must have names that are consistent with how everyone in the company talks.

Best practice companies will take the process of updating very seriously.  They treat it as a discovery and validation process.

To read more about Risk identification, see the WillisWire post

ERM Practices: Risk Identification

(This is the first of a 14 part series about the ERM practices that are needed to support the new ORSA Process)

and the RISKVIEWS post

Identifying Risks

Deciding “What Should We Do?” in the Risk Business

Risk models can be used primarily to answer two very important questions for an enterprise whose primary activity is the risk business.

1. How did we do?
2. What should we do?

The “how did we do” question looks backwards on the past, usually for 90 days or a full year.  For answering that question properly for a firm in the risk business it is absolutely necessary to have information about the amount of risk that the firm is exposed to during that period.

The “what should we do” question looks forward on the future.  The proper time period for looking forward is the same as the length of the shadow into the future of the decision.  Most decisions that are important enough to be brought to the attention of top management or the board of a company in the risk business have a shadow that extends past one year.

That means that the standard capital model with its one year time frame should NOT be the basis for making WHAT SHOULD WE DO? decisions.  That is, unless you plan on selling the company at the end of the year.

Let’s think about it just a little bit.

Suppose the decision is to buy a laptop computer for the business use of one of the employees of an insurer.  You can use two streams of analysis for that decision.  You can assume that the only use of that computer is what utility that can be had from the computer during the calendar year of purchase and then you plan to sell the computer, along with the rest of the company, at the end of the calendar year.  The computer is valued at the end of the year at a fair market value.  Or you can project forward, the utility that you will get from that employee having a computer over its useful life, perhaps three years.

The first calculation is useful.  It tells us “HOW DID WE DO?” at the end of the calendar year.  But it not a sensible basis to make the decision about whether to buy the computer or not.  The reason for that is not because there is anything wrong with the calendar year calculation.  In theory, you could even run your company by deciding at the end of each calendar year, whether you wanted to continue running the company or not.  And then if you decide to continue, you then must decide whether to sell every laptop or not, and similarly to sell every part of your business or not.

Most companies will automatically make the decision to continue, will not consider selling every part of their company, even if they have gone through the trouble of doing a “for sale” valuation of everything.  That approach fits better with Herbert Simon’s “Satisficing” idea than with the theory of maximizing value of the enterprise.

But from a less theoretical point of view, putting absolutely everything on the table for a decision could be very time consuming.  So what most companies is to imagine a set of conditions for the future when a decision is made and then as the future unfolds, it it does not deviate significantly from those assumptions, decisions are not reopened.  But unfortunately, at many companies, this process is not an explicit conscious process.  It is more vague and ad hoc.

Moving away from laptops to risk.  For a risk decision, first notice that almost all risk decisions made by insurers will have an effect for multiple years.  But decision makers will often look forward one year at financial statement impact.  They look forward one year at a projection of the answer to the “How DID WE DO? question. This will only produce a full indication of the merit of a proposal if the forward looking parts of the statement are set to reflect the full future of the activity.

The idea of using fair value for liabilities is one attempt to put the liability values on a basis that can be used for both the “How did we do?” and the “What should we do?” decisions.

But it is unclear whether there is an equivalent adjustment that can be made to the risk capital.  To answer “How did we do?” the risk capital needed has been defined to be the capital needed right now.  But to determine “What should we do?”, the capital effect that is needed is the effect over the entire future.  There is a current year cost of capital effect that is easily calculated.

But there is also the effect of the future capital that will be tied up because of the actions taken today.

The argument is made that by using the right current year values, the decisions can really be looked at as a series of one year decisions.  But that fails to be accurate for at least two reasons:

• Friction in selling or closing out of a long term position.  The values posted, even though they are called fair value rarely reflect the true value less transaction costs that could be received or would need to be paid to close out of a position.  It is another one of those theoretical fictions like a frictionless surface.  Such values might be a good starting point for negotiating a sale, but anyone who has ever been involved in an actual transaction knows that the actual closing price is usually different.  Even the values recorded for liquid assets like common equity are not really the amounts that can be achieved at sale tomorrow for anyone’s actual holdings.  If the risk that you want to shed is traded like stocks AND your position is not material to the amounts normally traded, then you might get more or less than the recorded fair value.  However, most risk positions that are of concern are not traded in a liquid market and in fact are usually totally one of a kind risks that are expensive to evaluate.  A potential counterparty will seek through a hearty negotiation process to find your walk away price and try to get just a litle bit more than that.
• Capital Availability – the series of one year decisions idea also depends on the assumption that capital will always be available in the future at the same cost as it is currently.  That is not always the case.  In late 2008 and 2009, capital was scarce or not available.  Companies who made commitments that required future capital funding were really scrambling.  Many ended up needing to change their commitments and others who could not had to enter into unfavorable deals to raise the capital that they needed, sometimes needing to take on new partners on terms that were tilted against their existing owners.  In other time, cheap capital suddenly becomes dear.  That happened when letters of credit that had been used to fulfill offshore reinsurer collateral requirements suddenly counted when determining bank capital which resulted in a 300% increase in cost.

RISKVIEWS says that the one year decision model is also just a bad idea because it makes no sense for a business that does only multi year transactions to pretend that they are in a one year business.  It is a part of the general thrust in financial reporting and risk management to try to treat everything like a bank trading desk.  And also part of a movement led by CFOs of the largest international insurers to seek to only have one set of numbers used for all financial decision-making.  The trading desk approach gave a theoretical basis for a one set of numbers financial statement.  However, like much of financial economics, the theory ignores a number of major practicalities.  That is, it doesn’t work in the real world at all times.

So RISKVIEWS proposes  that the solution is to acknowledge that the two decisions require different information.

Planning for Risk in 2014

Barry Ritholtz provides some outstanding predictions for 2014.

His point, that we cannot predict the future, is well made.

But equally true, we need to have some view of the future in order to continue.  The position that Ritholtz takes, that the future cannot be predicted is actually one of the four Risk Beliefs that is described by the Theory of Plural Rationality.  If you hold that disbelief about any of your risks, then your best strategy is to make many smaller commitments.

The other three beliefs are:

• Risk is predictable and it will be very high.  Need to be extremely careful. Probably shouldn’t plan to grow at all.
• Risk is predictable and it will be low.  Time to expand.
• Risk is predictable and it will be moderate.  Careful and limited risk taking and expansion can work well.

If you are in the risk business, then you choose a strategy for each risk.  Hopefully, you will be doing that AFTER you have collected information about the trajectory of each major risk.

However, some management teams will start from the results that they “must have” to determine their strategy.

If you have done that you should look now at your belief for each risk.  Where you see a mismatch between your belief and your strategy for a risk, you should start making contingency plans.  Otherwise, you will be in for a Surprise.

For example, if you planned to grow at a substantial pace, you need to experience a low risk environment.  Otherwise, your growth is likely to be a very mixed blessing.  (see the Surprise article for details of the surprises that can be experienced by every mismatch between the actual risk environment and the risk strategy)

 

2013 Year in Riskviews – Report from WordPress

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 37,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 14 sold-out performances for that many people to see it.

Click here to see the complete report.