Archive for December 2014

New Year’s ERM Resolution – A Risk Diet Plan

December 31, 2014

Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottege Cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desparately needed to make a diet work.  Common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how much calories the new food has.

The aggregate risk limit serves the exact same role role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses.  Using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person/company to optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.


Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog,
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Economic Capital for Banking Industry

December 22, 2014

Everything you ever wanted to know but were afraid to ask.

For the last seventeen years I have hated conversations with board members around economic capital. It is perfectly acceptable to discuss Market risk, Credit risk or interest rates mismatch in isolation but the minute you start talking about the Enterprise, you enter a minefield.

The biggest hole in that ground is produced by correlations. The smartest board members know exactly which buttons to press to shoot your model down. They don’t do it out of malice but they won’t buy anything they can’t accept, reproduce or believe.

Attempt to explain Copulas or the stability of historical correlations in the future and your board presentation will head south. Don’t take my word for it. Try it next time.  It is not a reflection on the board, it is a simple manifestation of the disconnect that exist today between the real world of Enterprise risk and applied statistical modeling. And when it comes to banking regulation and economic capital for banking industry, the disconnect is only growing larger.

Frustrated with our ineptitude with the state of modeling in this space three years ago we started working on an alternate model for economic capital.  The key trigger was the shift to shortfall and probability of ruin models in bank regulation as well as Taleb’s assertions in the area of how risk results should be presented to ensure informed decision making.   While the proposed model was a simple extension of the same principles on which value at risk is based, we felt that some of our tweaks and hacks delivered on our end objective – meaningful, credible conversations with the board around economic capital estimates.

Enterprise models for estimating economic capital simply extend the regulatory value at risk (VaR) model. The theory focuses on anchoring expectations.  If institutional risk expectations max out at 97.5% then 99.9% can represent unexpected risk. The appealing part of these logistics is that the anchors can shift as more points become visible in the underlying risk distribution. In the simplest and crudest of forms, here is what economic capital models suggest

While regulatory capital model compensate for expected risk, economic capital should account for unexpected risk. The difference between two estimates is the amount you need to put aside for economic capital modeling.”

The plus point with this approach is that it ensures that Economic Capital requirements will always exceed regulatory capital requirements. It removes the possibility of arbitrage that occurs when this condition doesn’t hold. The downside is the estimation of dependence between business lines.  The variations that we proposed short circuited the correlation debate. It also recommended using accounting data, data that the board had already reconciled and sign off on.


Without further ado, there is the series that presents our alternate model for estimating economic capital for banking industry Discuss, dissect, modify, suggest. We would love to hear your feedback.

Economic Capital – An alternate Model

Can we use the accounting data series and skip copulas and correlation modeling for business lines altogether? Take a look to find the answer.


Economic Capital Case Study – setting the context

We use publicly available data from Goldman Sachs, JP Morgan Chase, Citibank, Wells Fargo & Barclays Bank from the years 2002 to 2014 to calculate economic capital buffers in place at these 5 banks. Three different approaches are used. Two centered around Capital Adequacy. One using the regulatory Tier 1 leverage ratio.


Economic Capital Models – The appeal of using accounting data

Why does accounting data work? What is the business case for using accounting data for economic capital estimation? How does the modeling work.


Calculating Economic Capital – Using worst case losses

Our first model uses worst case loss. If you are comfortable with value at risk terminology, this is historical simulation approach for economic capital estimation.  We label it model one


Calculating Economic Capital – Using volatility

Welcome to the variance covariance model for economic capital estimation. The results will surprise you.  Presenting model two.


Calculating Economic Capital – Using Leverage ratio

We figured it was time that we moved from capital adequacy to leverage ratios.  Introducing model three.


How to Build and Use a Risk Register

December 18, 2014

From Harry Hall at

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

Emerging Risks

December 16, 2014

By Max Rudolph

OVER THE PAST YEAR THERE HAS BEEN lots of publicity about cyber security risk. Data breaches and NSA surveillance may be top of mind, but a host of emerging risks show concerning signs and interaction possibilities. In the 7th survey of emerging risks, a group of risk managers shared their thoughts about current and future risks. Trending up are risks sur- rounding greater regulatory focus and cyber security, with oil price shock trending down as supplies have picked up.

Emerging risks look across longer time horizons, 10 years or more, and for outliers that would create disruption to business as usual. An earthquake in Los Angeles or a hurricane in Miami could be a horrific event for those living through it, but historical data shows the likelihood of such events to be high when viewed across centuries or millennium. Emerging risks look at events like plague or space weather that tend not to be considered when making business decisions. These risks evolve over many years, so one would expect stability in risks considered.

Over five years have passed since Bear Stearns and Lehman Brothers ceased to be independent. While many risk managers are concerned about the calm in today’s markets, the truth is that they have more time to think about risks that might not impact them for 10 years than they did in 2009. This shows up in trend data and the concentration of risk combinations.

In the year since the previous survey, equity markets and oil prices continued their trend upward, while the dollar reversed course and strengthened versus the Euro. Here are the top six responses, when asked for the top five emerging risks (percentages based on number of surveys).

1. Financial volatility (59%)
2. Cyber security/interconnectedness of infrastructure (47%)

3. Blow up in asset prices (30%) 4. Demographic shift (30%)
5. Failed and failing states (29%) 6. Regional instability (29%)

This represents shifting pattern away from geopolitical and economic categories and toward technological, societal and environmental. Here are the top five choices from a year ago.

1. Financial volatility (62%)
2. Regional instability (42%)
3. Cyber security/interconnectedness of infrastructure (40%)
4. Failed and failing states (33%)
5. Chinese economic hard landing (31%)

Excerpt from Risk Management, August 2014

Read the full survey report at SOA.ORG

Communicating with the CEO

December 14, 2014

What’s the job of a CEO? When you come down to it, a CEO’s job is to make decisions. The right decisions. Knowing your CEO’s priorities is key to communicating effectively.

“The single biggest problem in communication is the illusion that it has taken place.”

GB Shaw

Many business leaders climb the corporate ladder using a path that requires more “fast, heuristic-based” thinking than “technical, algorithmic analysis.” That’s not necessarily a bad thing!

Business schools teach you to define key metrics and then find solutions that optimize those metrics seeking to maximize expected value. But executives more often prefer to maximize likely profits from among possibilities with acceptable downside potential. This approach works well for executives who must make decisions quickly—especially when not all of the variables can readily be quantified. So it’s no surprise that many CEOs make use of it.

The point of communication isn’t to speak. It’s to be heard and understood— to have influence and motivate action.Effective communication requires knowing what information you want to convey and what action you want to motivate, but that’s not enough. You must also know your audience—in this case CEOs—well enough to determine what factors will truly resonate and motivate them to take the desired action based on your information.

It’s a good idea, for example, to have a sense of the CEO’s thinking style, decision process and risk attitude.

Change is always seen as potentially painful and dangerous. When the company is in a truly painful spot, you may be able to get the CEO to take a different approach…but even then, flexibility in your communication style is much more likely to be effective. Remember: the CEO’s job isn’t just to make decisions—it’s to make the right decisions. So any information you bring to your CEO must be communicated in a useful format, so that he or she can chart the right course for the company.

– See more at:

%d bloggers like this: