The WC Roundup is hosting the 207th Cavalcade of Risk. This bi-weekly blog is a collection of risk-related posts covering topics from finance, to insurance, to health.
Archive for April 2014
We can know, looking back at last year, how much risk an insurer was exposed to. And we can simply look at the balance sheet to see how much capital it held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent last year end? Not really useful information. Unless…
That is, unless you make some potentially heroic assumptions about the future. Not an unusual assumption. Just that common assumption that the future will be just like the past.
That assumption is usually ok. Let’s see. In the past 15 years, it has been correct four or five times. But is that good enough for solvency work – a system that might give the right answer a third of the time?!?
But there is a solution. Regulators have led us right up to that solution but they haven’t yet dared to say what it is. Perhaps they do not know, or perhaps they are not thinking that the backward looking problem has two aspects. We are making two heroic assumptions:
- We are assuming that the environment will be the same in the near future as the recent past.
- We are assuming that the company activity will be the same in the near future as the recent past.
The regulatory response to these two shaky assumptions is:
- Stress Scenarios
- Look forward using company plans
Solution 1 can help, but solution 2 can be significantly improved by using the ERM program and risk appetite. You may have noticed that regulators have all said that ERM is very important. And that Risk Appetite is a very, very important part of ERM. But they have never, ever, explained why it is important.
Well, the true answer is that it can be important. It can be the solution to one part of the backward looking problem. The idea of looking forward with company plans is a step in the right direction. But only a half step. The full step solution is the FULL LIMIT STRESS TEST.
That test looks forward to see how the company will operate based upon the risk appetite and limits that management has set. ERM and risk appetite provide a specific vision of how much risk is allowed by management and the board. The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.
So the FULL LIMIT STRESS TEST would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows. That can then be combined with the stress scenarios regarding the external environment.
Now the FULL LIMIT STRESS TEST will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of the firm within the risk appetite. For firms that do not have such a system in place, the FULL LIMIT STRESS TEST needs to substitute some large amount of growth of risk, based on what industry experience tells us can happen to a firm that has gone partially or fully out of control with regard to its risk taking.
That makes the connection between ERM and Solvency very substantial and realistic.
- A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program. The overall risk appetite will place a limit on the degree to which ALL individual risk limits can be reached at the same time.
- An otherwise similar firm with a risk management program and loose risk appetite will need to hold higher capital.
- A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
- A firm without a risk management program will need to hold capital to support the risks that history tells us a firm with uncontrolled growth of risk might take on in a year. A track record of informal control of risk growth cannot be used as a predictor of the range of future performance. (It may be valuable to ask all firms to look at an uncontrolled growth scenario as well, but firms with a good risk control process will be considered to prepare for that scenario with their ERM program.)
- A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.
With this FULL LIMIT STRESS TEST, ERM programs will then be fully and directly connected to Solvency in an appropriate manner.
All firms are performing a difficult balancing act. They are balancing the need to go out and take risks by doing something to expand their businesses with the need to be safe and secure. Most firms have found a happy spot – at least for now – in that balancing act.
Firms in the risk business are doing a double balancing act. They always have the same sort of risk of failure that all businesses have – that is the risk that they will not have enough customers. In addition, they have the risk that the business that they have captured may just blow up in their faces with claims or losses far in excess of their expectations.
So when a firm in the risk taking business learns how to survive its dual balancing act, it will be very sensible to be very, very reluctant to make changes to its process for balancing. Such firms are going to be extremely skeptical if the advice for change comes from someone – a regulator or member of their own company’s risk management team – who has no real world experience of this balancing.
To most of the successful managers of risk taking firms, ERM seems like an awkward and unnatural process. To them, ERM manuals read like a book of detailed instructions on how to breathe.
That is because these firms all have plenty of risk management already.
However, the ERM imperative from the regulators and rating agencies requires that they explain that risk management and that they adopt some formal processes and documentation that were not, in their opinion, needed.
There are two approaches to achieving the ERM that is wanted by these outside forces:
- Clean Slate – work to install a comprehensive ERM program as if on a clean slate, ignoring or replacing all existing risk management activities. This results in a complete ERM program that will fulfill all of the external requirements.
- Augmentation – work to carefully understand the existing risk management system. Start by documenting the strengths of that system. Next move to identifying the weaknesses of that system and then making adjustments and additions to improve risk management performance in those areas of weakness.
RISKVIEWS strongly favors the second approach. RISKVIEWS has observed that many firms following the Clean Slate approach never complete the installation of the new ERM system, or if they do complete it, they abandon it after a short time period. Firms following the Augmentation approach also will falter with installation but they have usually added to their ability to explain what they already do well and may have added a few new risk management practices that actually enhance their business.
The first step in the Augmentation approach is to develop an understanding of the possibilities that an ERM program presents and to choose from those possibilities the practices that the firm will want to include in its ERM program. Those possibilities include:
- A strict control process for risks that the firm has a zero tolerance for.
- Risk measurement and tracking for control of the risks to which the firm wants to limit exposures.
- Risk based pricing for those risks that the firm takes to make its profits to assure that the sales that are one of the primary objectives of the firm are supporting the long term performance of the enterprise.
- A risk profile that communicates the relationship between plans and risk taking over time.
- A process for assessing and maintaining adequate capital for the risks taken by the firm.
- Risk capital allocation to support the process of optimization of risk adjusted returns.
- Communication of risk management processes for the board and outside audiences.
- An assurance process regarding continuous implementation of the risk management program.
Once management selects the ERM practices that they want for their ERM program, they then need to go through the self assessment exercise.
More on that in a following post…..
By Max J. Rudolph, FSA CFA CERA MAAA
This is an excerpt from a paper that was submitted to the North American CRO Council 2013 Call for Papers on October 11, 2013.
Enterprise risk management can be an exercise in adding value or simply another in a long list of buzz words popular with directors, investors and rating agencies. It may even be seen as a roadblock and interventionist tool by company management. An appropriate balance must be maintained. What is the right mix of constraints versus growth, qualitative versus quantitative analysis, and short versus long time horizons? These are all questions that the successful ERM process must resolve to build transparency around all risks and build firm resilience.
Company resources are tight, and ERM is viewed by some simply as a cost. In the annual Survey of Emerging Risks that I author we continually find more being asked of risk managers, but without commensurate resources being added. Risk culture is the driver here. Where risk is embedded in a firm, both top-down and bottom-up, it is recognized that better decisions are made by considering all types of risks.
Unfortunately many Risk Departments are set up to fail by focusing entirely on constraints, being able to stop a project but not being viewed as a partner who understands how risks aggregate and interact to increase returns. The prior reputation of the risk team predetermines its success, and this is driven from the top. If senior management involves the risk team early in new product development, for example, they are able to suggest adjustments that may lead to a more stable product or provide an internal hedge against a product sold in another part of the company. If the CEO (Chief Executive Officer) views the risk team as a cost center then they will not be successful.
Each company must integrate the risk team into an existing organizational chart based on the underlying risk culture. At some companies the primary risks, typically at manufacturing or service focused firms, can be covered by insurance. The Chief Risk Officer (CRO) becomes a coordinator who seeks out competitive rates and coordinates insurer expertise with in-house risk mitigation. In this situation the CRO might report to the Chief Financial Officer (CFO) or Treasurer and be a low level officer or high level manager. The position rarely gets involved in strategic planning discussions and reports to the board are generally canned and informational, covering tactical plans and recent results. Key risk indicators typically provide lagging data.
Small firms will likely add the CRO duties, and sometimes the title, to the CFO as he is the primary provider of oversight at such firms. Reports to the board are part of normal financial disclosures and can incorporate strategic topics. Key risk indicators provide lagging information but can incorporate leading indicators as well.
Many larger financial firms, with higher levels of financial risk relative to operational risk, have a CRO position that reports to the board, with a dotted line to someone on the senior management team. This position often focuses on data collection and board presentations designed mostly to make the board able to say they have considered risks, or they can be a key management team member that engages the board to understand how the firm’s risk profile is evolving and the potential implications. Done right the focus is on leading risk indicators and brainstorming between areas. This has added benefits of oversight and succession planning.
Unfortunately, many firms rely primarily on quantitative data collected from experts in the business units rather than filling the risk team with business experts and experienced practitioners who can qualitatively question specific practices before they get out of control.
Large firms have an additional hurdle as they tend to be bureaucracies, and those who rise through the ranks have often avoided stressful challenges rather than acting as providers of useful contrarian advice. A small firm may have better risk management practices because the CRO has business experience that drives qualitative analysis rather than an overreliance on quantitative models. The largest companies tend to fall into a trap where complex models are developed and the shortcomings of those models are ignored or included in small print as a footnote. While quantitative analysis is important, everything that counts can’t be counted.
Best practice org chart: firms that want to improve their decision making should segment their risk management team between data collectors, where a consistent ERM process is developed and implemented, and strategic planning. The CRO should manage the planning process, making sure that consistent assumptions and models are input to consistent models. Interactions between areas, transparency and concentration risk should be considered. This position should report directly to the CEO, and perhaps not to the board, and be the primary source of common sense oversight to the management team. This natural skeptic must be protected politically by the CEO or it won’t work. Interestingly, this role could be filled externally by a consultant who provides honest feedback. Many firms will place employees with this type of expertise in senior management roles running a line or as CFO.
©2013 Rudolph Financial Consulting, LLC
The remainder of this essay is available here.
Notes from two sessions:
- Market Risk
- Operational Risk
- Credit Risk – Spread + Default
- Regulation – Multiple and conflicting requirements from Local, Regional and International regulators
- Regulations – constantly changing
- Prolonged Low interest Rates
What are Insurers doing in response to top risks:
- Not getting paid for all risks that they take
- CRO acts as buffer for regulatory risk – best response is regular discussions with regulator
Senior Management buy in is most important for CRO and success of ERM
Need a diverse ERM team
Risk management folks in Business Units are an important source of information about what is going on
Three lines of defense: BU risk taking are primarily responsible, RM provides risk measurement and risk policies, Audit provides assurance of compliance with policies and limits
CRO is part of value creation chain. But needs to avoid any conflicts of interest
One CRO has his own model, does not depend on business unit model.
With multiple models there is a risk of spending too much analytical time on cross model validation and not enough using model
Need to pay attention to PV of future benefits of current plans
Look at scenarios that are not in the models
Focus should be on the really key parameters for the risks that have a real impact on the balance sheet
Almost impossible to get interdependency correct
ORSA requirements mean that one company that had been doing internal solvency assessment for over 10 years must increase efforts and especially documentation
CRO is the Face of the ERM program to internal and external audiences
CRO must engage with BU leaders as an equal in the organization
CRO heads the Risk and Control Committee
Primary function of Risk function is challenge and oversight
CRO leads a full day ERM meeting with the board once per year
ORSA sign-off is new board role – focuses attention (Bermuda)
Board engagement depends on good communication about risk – not too technical
New board members get risk education session – had been only for new members of risk committee, but other board members complained and insisted
First time for public risk and risk management disclosures. Highly concerned about interpretation and questions from various audiences
Regulation is having too much influence on Risk Management priorities – using up the RM budget and resources with things that would not otherwise be a priority to the company
But regulatory focus means higher priority and notice of RM in company
Regulators may be going overboard with local capital requirements resulting in stranded capital for some groups, reducing the value of diversification and increasing the cost of insurance
One group has model for regulatory report that does not necessarily fit with local requirements – CRO must resolve
CRO does not want to be DR. NO – RM should be adviser to business
Strategy advisor – managing a portfolio of risks – Risk Tolerances tied to Risk limits based upon capital budgeting concerns
CRO contribution to risk controlling – making the mitigation more effective or less costly
Explaining risk culture – why does the company have limits and do risk mitigation
- Staying on top of constantly changing regulatory changes
- Internal positioning of Risk – not the technocrats of risk
- State of Flux of everything – lots of changes – rules still evolving – need to help company to navigate
- Establishing and maintaining role of CRO as strategic advisor
- Turnover of top management – making sure new managers are up to speed with risk management framework
- Risk culture – what the employees do when no one is looking. Getting everyone to make the same sorts of choices
- How to get risk function involved in supporting corporate goals
- Group risk policy much too detailed. Risk principles may conflict with detailed policies.
CRO must be willing to Fall on their sword. That is just part of the job. Must be willing to challenge when things are not right. Actuarial standards are good support for this.
Lots more. Get the recordings when they are available.