You actually have to run on the treadmill . . .

Yes, that is right. Just buying a treadmill has absolutely no health benefits.

And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attenion to the signals that it sends. 

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

• Riskiness of accepted risks
• Volume of accepted risks
• Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

• Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required. 
• Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
• Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Decisions under partial information

Yesterday, RISKVIEWS admitted puzzlement regarding the following question from a study about decisions involving risk:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below; in this order:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

Did you guess why?  Well the answer is pretty simple.  The six choices here did not include the possibility of actually making a decision!

Risk managers need to realize that the people actually running a business sometimes (often?) need to make decisions with very partial information.  All too often, risk managers act as second guessers.  Making judgements on decisions made with partial information, judgements that are based on much more information and also informed by time consuming and lengthy analysis.

The right answer for business decisions involving risk is not any of these choices:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

The risk manager would be much more useful to the organization if instead of the second guessing, they spent time developing ways to incorporate risk into decisions that are made under partial information.

Key to such a process would be the development of methods to estimate risk without full risk model runs, and without full data and without lengthy analysis.

 

Decisions, Decisions

Someone did a paper on making decisions under risk.  As part of that study, they did a survey.  Here is one of the questions:

The managers were asked what they did when faced with a problem that involves risk, and they ranked the choices below; in this order:

(1) Collect more information
(2) Check different aspects of the problem
(3) Actively work on the problem to reduce the risk
(4) Delay the decision

(5) Avoid taking risks
(6) Delegate the decision

How would you rank these choices?

RISKVIEWS is puzzled by the question.  Can you guess why?  Answer tomorrow.

A Risk Register is the Siren Song of Risk Management

Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.

But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years.  That is why the Risk Register is the siren song of Risk Management.  No not the siren that makes a loud noise for the Fire Department.  The Sirens of Homer’s Odyssey.

The siren’s song attracted sailors who as they got closer to listen crashed upon the rocks and died.

So with risk managers and risk registers.  Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment.  However the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register.  The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company.  They try to find ways to entice others into the world of the risk register.

But real risk management requires only a simple list of risks, risk owners and risk mitigation activities.  This should never be maintained on spreadsheets in formats that can only be printed with 8 point type or never seen in total because there are just too many columns of important details.  Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.

Managing the process of

Adding cash or profits now while adding risk

-or-

reducing cash or profits now while decreasing risk

is real risk management.  

Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register.  Real risk management involves making difficult decisions and taking actions based upon those decisions.  Those decisions always involve a trade-off between cash or profits now and risk later.  Adding cash or profits now while adding risk later or reducing cash or profits now while decreasing risk later.  That is real risk management.

Controlling with a Cycle

No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

• Identification of risks—with a process that seeks to find all risks inherent in a insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
• Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
• Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits
• Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
• Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
• Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
• Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
• Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced. Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible. Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process. Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions. Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation. Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the 
risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
• Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

During a Crisis – A Lesson from Fire Fighters

The fire cycle: “The action-cycle of a fire from birth to death follows a certain pattern.  The fire itself may vary in proportion from insignificance to conflagration, but regardless of its proportions, origin, propagation or rate of progression, the cycle or pattern of controlling it includes these phases:

1. the period between discovery and the transmittal of the alarm or alerting of the fire forces;

2. the period between receipt of alarm by the fire service and arrival of firemen at the scene of the fire; and, finally,

3. the period between arrival on the fire ground and final extinguishment of the fire itself.

It is important to fire fighting to make sure that the right things happen during each phase and that each step takes as little time as possible.  For the first phase, that means having fire detection equipment in place and working properly that produces a signal that will be noticed and conveyed to the fire forces.  In the second phase, the fire fighters need to be organized to respond appropriately to the alarm.  And the third phase includes the process of diagnosing the situation and taking the necessary steps to put out the fire.

That is a good process model for risk managers to contemplate.  Ask yourself and your staff:

1. This is about the attitude and preparedness of company staff to accept that there may be a problem.  How long will it be before we know when an actual crisis hits the company?  How do our alarms work?  Are they all in functioning order?  Or will those closest to the problems delay notifying you of a potential problem?  Sometimes with fires and company crises, an alarm sounds and it is immediately turned off.  The presumption is that everything is normal and the alarm must be malfunctioning.  Or perhaps that the alarm is correct, but that it it calibrated to be too sensitive and there is not a significant problem.  As risk manager, you should urge everyone to err on the side of reporting every possible situation.  Better to have some extra responses than to have events, like fires, rage completely out of control before calling for help.
2.  This is about the preparedness of risk management staff to begin to respond to a crisis.  One problem that many risk management programs face is that their main task seems to be measuring and reporting risk positions.  If that is what people believe is their primary function, then the risk management function will not attract any action oriented people.  If that is the case in your firm, then you as risk manager need to determine who are the best people to recruit as responders and build a rapport with them in advance of the next crisis so that when it happens, you can mobilize their help.  If the risk staff is all people who excel at measuring, then you also need to define their roles in an emergency – and have them practice those roles.   No matter what, you do not want to find out who will freeze in a crisis during the first major crisis of your tenure.  And freezing (rather than panic) is by far the most common reaction.  You need to find those few people whose reaction to a crisis is to go into a totally focuses active survival mode.
3. This is about being able to properly diagnose a crisis and to execute the needed actions.  Fire Fighters need to determine the source of the blaze, wind conditions, evacuation status and many other things to make their plan for fighting the fire.  They usually need to form that plan quickly, mobilize and execute the plan effectively, making both the planned actions and the unplanned modifications happen as well as can be done.  Risk managers need to perform similar steps.  They need to understand the source of the problem, the conditions around the problem that are outside of the firm and the continuing involvement of company employees, customers and others.  While risk managers usually do not have to form their plan in minutes as fire fighters must, they do have to do so quickly.  Especially when there are reputational issues involved, swift and sure initial actions can make the world of difference.  And execution is key.  Getting this right means that the risk manager needs to know in advance of a crisis, what sorts of actions can be taken in a crisis and that the company staff has the ability to execute.  There is no sense planning to take actions that require the physical prowess  of Navy Seals if your staff are a bunch of ordinary office workers.  And recognizing the limitations of the rest of the world is important also.  If your crisis effects many others, they may not be able to provide the help from outside that you may have planned on.  If the crisis is unique to you, you need to recognize that some will question getting involved in something that they do not understand but that may create large risks for their organizations.

 

Knowing and Thinking must be linked to Doing

“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”

Too few risk managers are actually empowered to actually DO anything.  Natural human nature steps in which leads these disempowered risk managers to elevate the importance of the things that they are empowered to do.  Knowing and Thinking are two of those things.

It is of course important to KNOW your risks and the possible paths to loss that go with each risk as well the current status of your exposures.  Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about their risks that they can necessarily be counted on to react.  But that is often an unstated and unrequired assumption.  Perhaps regulators shy away from going any further in their prescriptions because of lack of authority.

Risk Management systems, such as ISO31000, build up a massive infrastructure of steps that are required to support the KNOWing objective.  A risk manager applying ISO31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.

Nason is right to suggest that THINKing is a step further.  But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.

The risk manager who wants to be effective must start with the end in mind (see Covey).  DOing must be the purpose of a risk management system.  A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.

Chief Mitigation Officer

Does your firm have a place for a Chief Mitigation Officer?  What is a mitigation officer, you ask?  Here is an excerpt from a job description from the CEA.

The Chief Mitigation Officer (CMO) will be responsible for the California Earthquake Authority’s (CEA) educational outreach efforts, collaborating with research institutions, and leading efforts to develop financial incentives to encourage seismic-risk mitigation.  The unique nature of the CEA’s public/private structure requires strong leadership capable of leading people and projects, and executing responsibilities through skillful collaboration, coordination and communication.   As a member of the executive management team, reporting directly to the Chief Executive Officer, the CMO will perform mitigation-project oversight as follows:

Duties / Responsibilities

۰    Manage statewide residential-retrofit programs designed to help California homeowners make their homes more resistant to earthquake damage and serve as the Executive Director of the California Residential Mitigation Program, a statutory Joint Powers Authority created for mitigation funding purposes.

۰    Develop programs aimed at educating the public on the importance of earthquake loss mitigation through multiple channels, including CEA participating insurers and the residential construction industry.

۰    Work with academic institutions, nonprofits, the residential construction industry, earthquake related research groups in both science and engineering, and other stakeholders to support mitigation-related research and educational activities, along with local, state and federal agencies to further California’s residential earthquake preparedness, protection and mitigation goals.

۰    Oversee programs providing financial assistance (loans, grants, rebates, or other financial incentives) that help homeowners with structural and contents retrofitting of their homes.  Contribute to the CEA’s ongoing efforts to establish justifiable mitigation premium discounts for CEA policyholders who make approved retrofit improvements to their homes.

Riskviews thinks that the idea has possibilities.  A different framing for some of the key activities in the risk management area.  Perhaps have two senior risk related positions, risk mitigation and risk evaluation.

For the Risk Mitigation, another firm might want to strongly downplay the outreach aspects that the CEA has a strong interest in.

Instead, The Chief Risk Mitigation Officer might be in charge of Risk Management Actions.

Momentum Risk

How many times have you heard this

If it isn’t broken don’t fix it.

As a risk manager, momentum risk is one of the most difficult risk to overcome.  (I wonder how many times on these posts I have claimed this?)

But this is the aspect of the Horizon disaster that led to millions and millions of barrels of oil spilling into the Gulf.  Before that the oil companies claimed that there had never been a failure of an oil rig in the Gulf.  So that was the Momentum assumption.  It had never failed so it never would fail.

Standing against that is the seemly endlessly negative point of view of the risk manager:

If anything can go wrong, it will.

Murphy‘s Law is usually taken as the ultimate statement of negative pessimism.  But instead you the risk manager need to use Murphy’s law as he did.  As a mantra to keep repeating to yourself as you look for ways to stress test a system.

Looking to engineering (Murphy was an engineer you know) for some thinking about stress to failure, we find this post:

When a component is subject to increasing loads it eventually fails.   It is comparatively easy to determine the point of failure of a component subject to a single tensile force. The strength data on the material identifies this strength.   However when the material is subject to a number of loads in different directions some of which are tensile and some of which are shear, then the determination of the point of failure is more complicated…

Some of your stress to failure tests will have to be tensile, some compressive, some shear, in different directions and in different combinations.  You should do this sort of testing to know the weakest points of your system.

But there is no guarantee that the system will fail at the weakest points either.  In fact, you may put in place methods to reduce stresses to those weakest points.  Remember that now elevates other points to be the new stresses.

And do not let Momentum thinking define your approach to likelihood of these stresses.  In physical systems, the engineer knows how the system is supposed to be used and can plan for the stresses of those uses.  But in many cases, the systems designed and tested by engineers are not used in the conditions planned for or even for the exact uses that the engineer anticipated.

Sound familiar?

Human systems are not so fixed as physical systems.  Humans react to the system that they are experiencing and adjust their actions according to the feedback that they are receiving from the system.  So human systems will almost always change as they are used.

Human systems will almost always change as they are used.

That is what makes it so much more difficult to be a risk manager for a financial firm than for a firm that deals mainly with physical risks.  As noted above the humans that interface with the physical risks system do change and adapt, but there are usually a larger portion of possibilities that are fixed by the constraints of the physical systems.

With financial risks, the idea of adapting and using a type of transaction or financial structure for alternate purposes has become the occupation of a large number of folks who command a large amount of resources.

So if, for example, you are using a particular type of derivative to accomplish a fairly straightforward risk management purpose, it is quite possible that the market for that instrument will suddenly be taken over by folks with lots and lots of money, fast computers and turnover averages in the thousands per week.  Their entry into a market will change pricing and the speed of changes in pricing and then one day, suddenly, they will decide, perhaps little by little, but possibly all at once, to abandon that trade and the market will snap to being something different still.

The same sort of thing happens in insurance, but at a different speed.  Lawyers are always out there looking to “perfect” an argument to create a new class of claimants against different businesses and their insurers. THis results in a sudden jump in claims costs.

Interestingly, the strategies for those two examples might be the exact opposite.  It might be best to move on from the market that is suddenly overtaken by high speed hedge fund traders.  But the only way to recover extra losses from a newly discovered and “perfected” cause of tort is to stay with the coverage.

But in all cases, the risk manager is faced with the problem of overcoming Momentum Risk.  Convincing others that something that is not broken needs attention and possibly even fixing.

Action and Inaction

Running a successful business requires doing something almost constantly.

But successful risk management may require doing very little for long stretches of time.

“Just because they say “ACTION” doesn’t mean you have to do anything”  Al Pacino

Good risk management means picking your times and picking your actions.

But there is much for the new risk manager to do between the day when they are first given their charge (the call of ACTION) and the day when they must take their first ACTION.

Many new risk managers get completely caught up in the process of creating a risk management system and the idea of ACTION gets moved into some sort of bureaucratic haze.  The risk management systems that are described in many textbooks and articles make it seem like ACTIONs will simply happen on their own if the system is all in place.

But any risk manager who has worked through the financial crisis or through any other major loss making crisis will tell you that the ACTIONs that take care of themselves through the system are only the easiest part of the ACTION that is really needed, that really adds value to the organization.  The really difficult ACTIONs are the ones that are not so clearly indicated, or the ACTIONs that come after a long period of inaction.

Those actions include things like stopping the growth of a profitable risk, stopping writing a particular risk or even shrinking risk positions.

“Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.”
Pearl Buck

There is a time as well when it is too late for the ACTION.  That is because it is usually in the late stages of a boom that the firm takes on the risks that end up making the largest losses.

And when the problem starts to become evident, it is usually much too expensive to lay off the risk positions.  The best you can hope for is to stop growing the positions.

So there are times, during a boom, when the most important but most difficult ACTION for a risk manager to take is to stop the growth of an overheated risk.

But there are many other times when the risk manager can concentrate on inaction.  Just letting the risk control system do its work.

Eggs and Baskets

Andrew Carnegie once famously said

“put all your eggs in one basket. and then watch that basket”

It seems impossible on first thought to think of that as a view consistent with risk management.  But Carnegie was phenomenally successful.  Is it possible that he did that flaunting risk management?

Garry Kasparov – World Chess Champ (22 years) put it this way…

“You have to rely on your intuition.  My intuition was wrong very few times.”

George Soros has said that he actually gets an ache in his back when the market is about to turn, indicating that he needs to abruptly change his strategy.

Soros, Kasparov, Carnegie are not your run of the mill punters.  They each had successful runs for many years.

My theory of their success is that the intuition of Kasparov actually does take into account much more than the long hard careful consideration of a middling chess master.  Carnegie and Soros also knew much more about their markets than any other person alive in their time.

While they may not have consciously been following the rules, they were actually incorporating all of the drivers of those rules into their decisions.  Most of those rules are actually “heuristics” or shortcuts that work as long as things are what they have been but are not of much use when things are changing.  In fact, those rules may be what is getting one into trouble during shifts in the world.

Risk models embody an implicit set of rules about how the market work.  Those models fail when the market fails to conform to the rules embedded in the model.  That is when things change, when your thinking needs to transcend the heuristics.

So where does that leave the risk manager?

The insights of the ultra successful types that are cited above can be seen to refute the risk management approach, OR they can be seen as a goal for risk managers.

The basket that Carnegie was putting all of his eggs into was steel.  His insight about steel was correct, but his statement about eggs and baskets is not particularly applicable to situations less transformational than steel.  It is the logic that many applied during the dot com boom, much to their regret in 2001/2002.

The risk manager should look at statements and positions like those above as levels of understanding to strive for.  If the risk managers work starts and remains a gigantic mass of data and risk positions without ever reaching any insights about the underlying nature of the risks that are at play, then something is missing.

Perhaps the business that the risk manager works for is one that by choice and risk tolerance insists on plodding about the middle of the pack in risk.

But the way that the risk manager can add the most value is when they are able to provide the insights about the baskets that can handle more eggs.  And can start to have intuitions about risks that are reliable and perhaps are accompanied by unmistakable physical side effects.

Risk Management Learns from Sun Tzu

Usually risk managers do not think of themselves as being at war.  But a risk manager is facing a number of foes.  And failure to succeed against those foes can result in the end of the enterprise.  So maybe the risk manager can learn from The Art of War.

Sun Tzu’s The Art of War has 11 chapters.  Each of these topics can be seen to have a lesson for risk managers.

1. Laying Plans explores the five fundamental factors that define a successful outcome (the Way, seasons, terrain, leadership, and management). By thinking, assessing and comparing these points you can calculate a victory, deviation from them will ensure failure. Remember that war is a very grave matter of state.             The risk manager of course needs plans.  Remember that risk management is a grave matter for the enterprise.
2. Waging War explains how to understand the economy of war and how success requires making the winning play, which in turn, requires limiting the cost of competition and conflict.        Risk management does not run on an unlimited budget.  In some cases risk managers have not completed their preparations because they have gone forward as if they could spend whatever it took to fulfill their vision for risk management.  Of course risk management spending needs to be at a sensible level for the enterprise.  Excessive risk management spending can harm an enterprise just as much as an unexpected loss.

1. Attack by Stratagem defines the source of strength as unity, not size, and the five ingredients that you need to succeed in any war.            The risk manager succeeds best if they are able to get the entire organization to support the risk management efforts, not just a large corporate risk management department.
2. Tactical Dispositions explains the importance of defending existing positions until you can advance them and how you must recognize opportunities, not try to create them.           The risk manager needs to build organizational strength to support risk management opportunistically.  A risk management program that does not wait for the right opportunities will create internal enemies and will then be fighting both the external risks as well as the internal enemies.
3. Energy explains the use of creativity and timing in building your momentum.            The risk manager also needs to be creative and needs to build momentum.  The best risk management program fits well with the culture of the organization.  That fit will need to be developed by creatively combining the ideas of risk management with the written and unwritten parts of the organizational imperatives.
4. Weak Points & Strong explains how your opportunities come from the openings in the environment caused by the relative weakness of your enemy in a given area.             Quite often the risk manager will know the right thing to do but will not be able to execute except at extreme danger to their position in the firm.  The openings for a risk manager to make the moves that will really lake a difference in the future of the firm come infrequently and without warning.  The Risk manager must be looking at these openings and be ready and able to act.
   
5. Maneuvering explains the dangers of direct conflict and how to win those confrontations when they are forced upon you.      Some thing that the risk managers job is the direct conflict with the important people in the firm who would put the firm in an excessively risky position.  This in inadvisable
6. Variation in Tactics focuses on the need for flexibility in your responses. It explains how to respond to shifting circumstances successfully.       Risk Management tactics will be the most successful if they are alligned with the actual risk environment.  See Plural Rationalities and ERM.
7. The Army on the March describes the different situations in which you find yourselves as you move into new enemy territories and how to respond to them. Much of it focuses on evaluating the intentions of others.        Rational Adaptability is the process of assessing the risk environment and selecting the risk management strategy that will work best for the environment.
8. Terrain looks at the three general areas of resistance (distance, dangers, and barriers) and the six types of ground positions that arise from them. Each of these six field positions offer certain advantages and disadvantages.      The risk environment has four main stages, Boom, Bust, Moderate and Uncertain.
9. The Nine Situations describe nine common situations (or stages) in a campaign, from scattering to deadly, and the specific focus you need to successfully navigate each of them.      Companies must determine their risk taking strategy and their risk appetite by looking at the risk environment as well as at their risk taking capacity.
10. The Attack by Fire explains the use of weapons generally and the use of the environment as a weapon specifically. It examines the five targets for attack, the five types of environmental attack, and the appropriate responses to such attack.
11. The Use of Spies focuses on the importance of developing good information sources, specifically the five types of sources and how to manage them.

Forget you ever read this

I just read a great post that may be a key to understanding both the course of the economy and the public sentiment about government policies.

Queasing over Quantitative Easing, Part III

David Merkel suggests that people are unhappy with the unfairness of government policies.

I would go even further.  People have overwhelmingly come to the conclusion that they need to reduce their own debt.  Many, many people are enduring what they think of as hardship (by ceasing to spend money that they do not have) to bring down their personal debt level.  At the same time, they see the government adding to the public debt.  People are not stupid.  They think of the government debt as THEIR debt.  So they are economizing for naught if for every dollar of debt that they reduce, the government adds a dollar of debt.

Perhaps some day someone will discover a Pelzman effect like mechanism at work with regard to debt.  During the credit bubble that led up to the financial crisis, people where almost totally insensitive to the level of debt.  But now there is a high degree of sensitivity.  So if people feel that there is a right level of debt, then they will take actions to get to that level.  If the government works against that effort, then they will adjust their personal targets so that the aggregate of personal and public debt comes into line with their perceived optimal level of debt.  This may not be because they set a specific target, but because the rising level of public debt makes people uncomfortable and they express that discomfort in the way of looking for more security and less debt.

So maybe the extreme cutting of government spending that is happening in the UK is what is actually needed.  Because the government actions do not exist in some “all things being equal” economics textbook argument.  Government policy and the economy exist in and among the people of the world.

It is widely known that household consumption is a large fraction and major driver of the GDP in the US.  So if we want the GDP to grow, we need to do the things that will get households spending again.  Not in an all things being equal world, but in the real world with real people.

An interesting wrinkle to this is that the Keynesian ideas of using government spending to get out of the Great Depression did not work until the spending for WWII came along and the war spending did the trick.  Some economists have suggested that showed that a larger amount of government spending was needed than was tried prior to WWII.  But the ideas above – that the government spending will not be effective if the people want to save may have kept the earlier spending from working.  The spending for WWII may have worked though BECAUSE people thought of that spending as having its own merits.  WWII spending was necessary.

So perhaps government spending cannot go against the grain of public sentiment to overcome the Paradox of Thrift, unless the public believes that the spending is necessary.

And now to finally link this discussion to risk and risk management…

Perhaps Greenspan is right when he says that he did not know how to pop a bubble.  Maybe that is because he did not believe that he could have changed public opinion about the value of an asset class.  He could take actions that might temporarily hurt the value of an asset class, but it was quite possible that the public attitude would swing right back and keep inflating the bubble in spite of the actions of the Fed.

The same thing certainly has been true within firms.  When the risk manager finds him/her self at odds with the prevailing idea in a firm about a risk, he/she is more likely to lose their job than to change the prevailing opinion.

So in all three cases, in the general economy in severe recession, in an asset bubble and in a company overconfident about a particular risk. the only actions that can be effective will be actions that are not obviously going against the grain.  The actions will need to be designed so that they appear to go with the popular sentiment even when they are really intended to change the fundamentals with regard to that sentiment.

So, I now realize that I need to keep this secret.  So please forget you ever read this.

On The Top of My List

I finished a two hour presentation on how to get started with ERM and was asked what were my top 3 things to keep in mind and top 3 things to avoid.

Here’s what I wish I had said:

Top three hings to keep in mind when starting an ERM Program:

1. ERM must have a clear objective to be successful.  That objective should reflect both the view of management and the board about the amount of risk in the current environment as well as the direction that the company is headed in terms of the future target of risk as compared to capacity.  And finally, the objective for ERM must be compatible with the other objectives of the firm.  It must be reasonably possible to accomplish both the ERM objective and the growth and profit objectives of the firm at the same time.
2. ERM must have someone who is committed to accomplishing the objective of ERM for the firm.  That person also must have the authority within the firm to resolve most conflicts between the ERM development process and the other objectives of the firm. And they must have access to the CEO to be able to resolve any conflicts that they do not have the authority to resolve personally.
3. Exactly what you do first is much less important than the fact that you start doing something to develop an ERM program.   Doing something that involves actually managing risk and reporting the activity is a better choice than a long term developmental project.  It is not optimal for the firm to commit to ERM, to identify resources for that process and then to have those people and ERM disappear from  sight for a year or more to develop the ERM system.  Much better to start giving everyone in management of the firm some ideas of what ERM looks and feels like.  Recognize that one product that you are building is confidence in ERM.

Things to Avoid:

1. Valuing ERM retrospectively taking into account only experienced gains and losses.  (see ERM Value)  A good ERM program changes the likelihood of losses, but in any short period of time actual losses are a matter of chance.  On the other hand, if your ERM programs works to a limit for losses from an individual transaction, then it IS a failure if the firm has losses above that amount for individual transactions.
2. Starting out on ERM development with the idea that ERM is only correct if it validates existing company decisions.  New risk evaluation systems will almost always find one or more major decisions that expose the company to too much risk in some way. At least they will if the evaluation system is Comprehensive.
3. Letting ERM routines substitute for critical judgment.  Some of the economic carnage of the Global Financial Crisis was perpetuated by firms where their actions were supported by risk management systems that told them that everything was ok.  But Risk managers need to be humble.

But in fact, I did get some of these out. So next time, I will be prepared.

Lightning or Lightning Bug

Mark Twain once observed that there was a difference between Lightning and Lightning Bug. An important difference.

The difference between the almost right word & the right word is really a large matter–it’s the difference between the lightning bug and the lightning.

Might there be a similar difference between Risk Management System and Risk Management?

A Risk Management System is composed of org charts, policy statements, Reports, meetings,committees, computer models, powerpoints and dashboards.

Risk Management means making tough decisions and taking unpopular actions that more than 9 out of 1o times will not look like they were the right calls after the facts.

But decisions and actions that every once in a long while will save the firm.

So can Risk Management happen inside of a Risk Management system?

But think about it.  Can you think of an example of a situation outside of a risk management system where getting more people involved results in MORE of the tough decisions being made?  Or MORE unpopular actions being taken?

So how should one go about creating a risk management system that actually does Risk Management?

Start with the tough decisions and unpopular actions that are sometimes needed.  Can you identify them?

Start there.  Find a person who has the qualities of discernment, judgment, balance, toughness and experience with the risk to make those tough decisions and to make sure that the unpopular actions happen.  Build the risk management system so that the person gets the information and authority and protection that they need to get the job done.

That would be difficult if that was all that was needed.  But this person, if they are doing their job, will be reversing some business decisions that might otherwise make some money.  So you also need an information system that assures top management that the risk manager is making the right tough decisions.

That system needs to help to identify whether the risk manager is making either Type I or Type II errors.  And if you want to keep a good risk manager and avoid keeping a bad risk manager, you need to have a realistic tolerance for the errors that your information system identifies.

Oh Hell.  It is much easier to just do the pretty risk management system and try to just take as much risk as everyone else.

Must be why so little Risk Management actually happens.

And Lightning Bugs are so pretty on a summer night.

It’s Usually the Second Truck

In many cases, companies survive the first bout of adversity.

It is the second bout that kills.

And more often than not, we are totally unprepared for that second hit.

Totally unprepared because of how we misunderstand statistics.

First of all, we believe that large loss events are unlikely and two large loss events are extremely unlikely.  So we decide not to prepare for the extremely unlikely event that we get hit by two large losses at the same time.  And in this case, “at the same time” may mean in subsequent years.  Some who look at correlation, only use an arbitrary calendar year split out of experience data.  So that they would consider losses in the third and fourth quarter to be happening at the same time but fourth quarter and first quarter of the next year would be considered different periods and therefore might show low correlations!

Second, we fail to deal with our reduced capacity immediately after a major loss event.  We still think of our capacity as it was before the first hit.  A part of our risk management plans for a major loss event should have been to immediately initiate a process to rationalize our risk exposures with our newly reduced capacity.  This may in part be due to the third issue.

Third, we misunderstand that the fact of the first event does not reduce the likelihood of the other risk events.  Those joint probabilities that made the dual event, no longer apply.  In fact, with the reduced capacity, the type of even that would incapacitate the firm has suddenly become much more likely.

Most companies that experience one large loss event do not experience a second shortly thereafter, but many companies that fail do.

So if your interest is to reduce the likelihood of failure, you should consider the two loss event situation as a scenario that you prepare for.

But those preparations will present a troubling alternative.  If, after the first major loss event, the actions needed include a sharp reduction in retained risk position, that will severely reduce the likelihood of growing back capacity.

Management is faced with a dilemma – that is two choices, neither of which are desirable.   But as with most issues in risk management, better to face those issues in advance and to make a reasoned plan, rather than looking away and hoping for the best.

But on further reflection, this issue can be seen to be one of over concentration in a single risk.  Some firms have reacted to this whole idea by setting their risk tolerance such that any one loss event will be limited to their excess capital.  Their primary strategy for this type of concentration risk is in effect a diversification strategy.

RECOVERING FROM CRISIS

By Jean-Pierre Berliet

The VBM process helps companies compare the value contribution of alternative strategies and select a course that would increase company value,

Weaknesses in its VBM process can prevent an insurance company from restoring its risk capacity through earnings retention or the raising of additional capital. Such weaknesses thereby limit its ability to resume growing and recover from a crisis

Access to capital is a critical strategic advantage during a financial crisis.

Companies with a strong reputation for value creation can raise new “recovery” capital without excessive shareholder dilution (e.g. Goldman Sachs). Others find it more difficult, or impossible, to access the public market. This makes them vulnerable to inroads by competitors or unsolicited tender offers. The primary purpose of VBM frameworks and processes is to ensure that companies consistently meet investor value creation expectations and survive crises.

VBM frameworks help managers compare alternatives, so that they can direct capital towards uses that would support the achievement of a sustainable competitive advantage, and also create value. This is challenging in the insurance industry because competitors can duplicate innovations in product features, service delivery, or operational effectiveness in relatively short times and can redirect capital at the stroke of a pen. Such competitive dynamics call for companies to compete by developing organizational capabilities that (a) are tougher to duplicate by competitors and (b) provide a pricing or cost advantage based on service quality, underwriting insights, investment performance, and risk and capital management

Because risk drives capital utilization in insurance businesses, the integration of ERM and VBM frameworks is required in order to develop strategies and plans that meet value expectations. Integration rests on (a) superior insights into risk exposures and capital consumption and (b) consistent risk metrics at the level of granularity needed to achieve a loss ratio advantage (possibly on the same level of granularity as loss ratios are calculated). In practice, these insights and metrics lead to decisions to reject businesses and strategies that will not create value. They provide a foundation for:

• Measuring capital utilization by line, by market, and in aggregate
• Driving a superior, more disciplined underwriting process
• Optimizing product features
• Maintaining pricing discipline through the underwriting cycle
• Pricing options and guarantees embedded in products fairly
• Controlling risk accumulation, by client and distribution channel
• Managing the composition of the book of business
• Driving marketing and distribution activities
• Optimizing risk and capital management strategies

Achieving superior shareholder returns is critical for a company to earn investor trust and maintain access to affordable capital. Having access to capital during a financial crisis may well be the ultimate indicator of success for a company’s VBM framework.

Anecdotal evidence suggests that insurance companies that consistently trade at significant premiums over book value have such insights about risk and maintain a highly disciplined approach to writing business.

The present crisis has increased the cost of capital dramatically, but not equally for all insurers. Capital remains most affordable to those with a strong record of value creation and adequate capital as a result of good risk management. Conversely, it has become prohibitive for those with a lesser record of value creation and who lost credibility as stewards of shareholders’ interests. The latter are at risk of forced mergers or liquidation, which may be punishment for not integrating ERM and VBM processes more effectively.

©Jean-Pierre Berliet

Berliet Associates, LLC

(203) 247-6448

jpberliet@att.net

Managing Operational Risk

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM were shown to support management of operational risk

Operational risk comprises two different types of risks: execution risk and strategic risk.

These two categories of operational risk are important to policyholders and shareholders because they can reduce both the insurance strength and the value of insurance companies.

Strategic risk stems from external changes that can undermine the profitability and growth expectations of a company’s business model and strategy, and therefore have a significant impact on its value. Execution risk originates in internal failures to manage the operations of a company competently, with the needed level of foresight, prudence, risk awareness, and preparedness. Execution and strategic risks impact insurance companies differently and, as a result, call for distinct mitigation strategies.

Execution risks

Although financial risks are the primary determinant of the volatility of financial results of insurance companies, execution risks can also cause material adverse deviations from expected financial results

Execution risks include, for example,   economic losses resulting from i) delays in alleviating adverse consequences of changes in the volume of activity (mismanagement), ii) events that can interrupt business operations whether man made or natural (lack of preparedness), and iii) failures in controls that cause economic losses, create liabilities or damage the company’s reputation (market conduct, regulatory compliance, bad faith in claim management, fraud, IT security, etc..).

Execution risks reduce current financial performance and company valuation. Company valuation is reduced because i) investors often view negative earnings  deviations as predictors of future decline in profitability and ii) performance volatility can derail the execution of a company’s growth strategy

Execution risks are relatively easy to identify, if not to mitigate for company management. Although stochastic modeling tools and event databases could be used to simulate the impact of execution risks on financial performance, and fine tune mitigation strategies, undertaking such modeling is very costly, and may be of limited value. Company management has fiduciary obligations to set in place processes designed to avoid executions risks, establish post event recovery procedures, and to ensure compliance.

Both policyholders and shareholders need to note that

• Execution risks can impact financial performance significantly in the year or period of occurrence but may have a more or less pronounced impact on performance in subsequent periods and company valuation, depending on the availability of recovery strategies and the preparedness of a company.
• The impact of execution risks on a company’s market value can be derived from estimated adjustments to free cash flow projections.  This is particularly significant in connection with risk events that erode a company’s competitive advantage or damage its reputation. Such events can reduce the market value of a company significantly by reducing its volume of business or its pricing flexibility.

Management processes and management action, not capital, are the natural remedy for execution risks. Board of Directors or Audit Committees of such boards have become increasingly involved in exercising oversight of execution risks and their management by operating executives.

Strategic Risks

Strategic risks can undermine the economic viability of the business model and future financial performance of insurance companies. They can have a significant adverse effect on i) a company’s insurance ratings and the credit worthiness of its debt and ii) its market capitalization. Strategic risks can cause otherwise solvent companies to lose a substantial share of their market value in a short time, provoke legal action by disgruntled shareholders, inflict serious economic losses to Directors, senior executives and other employees, and induce potential raiders to attempt a take over.

Strategic risks are also very important to policyholders, (especially those who have bought protection against slowly emerging liabilities or policies that provide indemnification benefits in the form of annuity payments), because strategic risks that undermine the ability of companies to earn formerly expected returns also reduce the credit worthiness of these companies. Strategic risks stem from external changes in the regulations, institutional arrangements, competition, technology or demand that can erode the competitive advantage of an insurance company and its ability to operate credibly and profitably as a going concern in the future.

Strategic risks do not receive as much attention as they should because they are difficult to identify and assess, and are often viewed as “uncontrollable”. At any point in time, it can be very difficult to assess whether a quantum change in any element of strategic risks is close to happening. When such a change occurs, however, its impact on future performance can cause a swift decline in the market values of a company.

To identify and manage strategic risks, companies need to:

• Conduct and challenge a periodic defensibility analysis of their business model and competitive advantage
• Monitor market developments for emerging trends with potential adverse effects (loss of business to competitors, emergence of new risk transfer technologies or product innovations, regulatory developments, etc.)
• Develop appropriate responses to adverse developments through adjustment in capabilities, redeployment of capacity, change in composition and level of service provided, industry level lobbying of lawmakers and regulators, sponsorship of and participation in industry associations, etc…
• Communicate reasons for and objectives of needed changes to both customers and shareholders.
• Integrate the planned strategic response into action plans, budgets and objectives of business units

Insurance companies need to include in ERM a process that provides consistent and updateable insights into strategic risks to which they are exposed. Because the insurance industry has been highly regulated, many insurance companies have not developed deep strategy development and assessment skills. It will be a challenge at first for such companies to establish strategic risk assessment frameworks powerful enough to yield robust insights but simple enough to be user friendly.

A number of companies that have already implemented comprehensive  frameworks to manage financial risks have begun addressing operational risks more formally. They believe that the introduction in operations management of specific risk management control components will create value by:

• Enhancing the level and the stability of their financial results
• Reducing the probability of serious value losses caused execution risks and strategic risks.

The establishment of operational effective risk management frameworks and processes within ERM is of critical importance to all constituents of insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

jpberliet@att.net

May 22, 2010

Radical Collaboration

There are situations that require collaboration if they are going to be resolved in a manner that produces the largest combined benefit or the smallest combined loss.  This is not the “greatest good for the greatest number” objective of socialism – it is simple efficiency.  Collaborative results can be greater than competitive results.  It is the reason that a sports team where everyone is playing the same strategy does better than the team where each individual seeks to do their personal best regardless of what everyone else is doing.

There are also situations where the application of individual and separate and uncoordinated actions will result in a sub optimal conclusion and where the famous Invisible Hand points in the wrong direction.

You see, the reason why the Invisible Hand ever works is because by the creative destruction of wrong turns, the individual actions find a good way to proceed and eventually all resources are marshaled in following that optimal way of proceeding.  But for the Invisible Hand to be efficient, the destruction part of creative destruction needs to be small relative to the creative part.  For the Collaborative effort to be efficient, the collaboration needs to result in selection of an efficient approach without the need for destruction through a collaborative decision making process.  For the Collaborative effort to be necessary, the total cost of the risk management effort needs to exceed the amount that single firms could afford.

Remember the story of the Iliad. It is the story of armies that worked entirely on the Invisible Hand principle. Each warrior decided on his own what he would do, how and when he would fight.  It was the age of Heroes.

The stories of the success of Alexander and later the Roman armies was the success of an army that was collaborative.  The age of Heroes was over.   The efficiencies of the individual Heroes each finding their own best strategy and tactics was found to be inferior to the collaborative efforts of a group of soldiers who were all using the same strategy and tactics in coordination.

There are many situations in risk management were some sort of collaboration needs to be considered.

The Gulf Oil leak situation seems like it might be one of those.  BP is now admitting that it did not have the resources available or even the expertise to do what needs to be done.  And perhaps, this leak is a situation where the collective cost of their failure is much higher than society’s tolerance for this sort of loss.  But the frequency of this sort of problem has to date been so very low that having BP provide those capabilities may not have made economic sense.

However, there are hundreds of wells in the Gulf.  With clear hindsight, the cost of developing and maintaining the capacity to deal with this sort of emergency could have been borne jointly by all of the drillers in the Gulf.

There are many situations in risk management where collaboration would produce much better results than separate actions.  Mostly in cases where a common threat faces many where to overcome the threat would take more resources than any one could muster.

Remember the situation with LTCM?  No one bank could have helped LTCM alone, they would have gone down with LTCM.  But by the forced collaborative action, a large group of banks were able to keep the situation from generating large losses.  Now this action rankles many free marketeers, but it is exactly the sort of Radical Collaboration that I am talking about.  It did not involve any direct government funding.  It used the balance sheets of the group of banks to stabilize the situation and allow for an orderly disposition of LTCMs positions.  In the end, I beleive that it was reported that the banks did not end up taking a loss either.  (That was mostly an artifact of depressed market prices at the time of the rescue, I would guess.)

The exact same sort of thinking does NOT seem to have been tried with Lehman.  If Paulson could not find a single firm to rescue Lehman, he was not going to do anything.  But looking back and remembering LTCM, Paulson could have arranged an LTCM style rescue for Lehman.  In hindsight, that, even with government guarantees to sweeten the pot would have been better then the financial carnage that ensued.

Perhaps Paulson was one of the free marketeers that hated the LTCM “bailout”.  But in the end, he trampled the free market much worse than his predecessors did with LTCM when he bailed out AIG without even giving any thought to terms of the bailout.

Collaboration might have seemed radical to Paulson.  But it is sometimes needed for risk management.

Uncertain Decisions

There have been many definitions of ERM.  Most suffer from the “too many words” syndrome.  They are too long, making it likely that a casual reader will suffer reading fatigue before completing and therefore will decide that the topic is too complicated to be useful.

Here is a try at a very crisp definition:

ERM is a system for enhancing decision making under uncertainty that requires consideration of ALL of the risks of the enterprise.

And also for plain “Risk Management”

Risk Management is a system for enhancing decision making under uncertainty that focuses on risks as well as returns.

Fundamentally linking ERM and Risk Management to decision making is important, vitally important.  Otherwise funders of ERM programs will be quickly disenchanted with the expensive staffs and systems needed to support a Risk Management Entertainment System.

All ERM and Risk Management activities should be judged in terms of how well they support important decisions.

The important decisions that can be supported by ERM and Risk Management are many. Primary among them are:

1. How much risk should the company take?
2. How best to transition from the risk level that the company is taking to the risk level that the company should be taking?
3. How to assure that the company takes no more risk than it should take?
4. Which Risks should the company take?
5. How best to transition from the risks that the company is taking to the risks that the company should be taking?
6. How to manage the likelihood that the company will fall short of its earnings targets?

If a firm already has complete processes in place to make all of those decisions, then it already has ERM.  With the rising calls for ERM from regulators, rating agencies and boards, those firms will need to make sure that they can fully articulate the processes that they use to make those decisions.

If, on the other hand, a firm generally makes one or several of those decisions by default, as a fallout from other decisions or on a totally flexible basis as it happens in response to various market forces or on a purely momentum based process that ultimately relies upon some past decisions that may or may not have been made with any concern for risk; then future development of ERM could be vitally important.

The support that ERM provides to all of these decisions is of the nature of an eyes open approach to risk.  This general theme is perhaps the reason why ERM often seems to be a massive management information exercize.

But management information about risk is the means to supporting risk focused decision making, not the ends.

Five Stages of Rapid Decline

Jim Collins wrote the popular book “Good to Great” at the peak of the Dot Com boom.  His latest book is titled “How the mighty Fall” and features the five stages of rapid decline:

Stage 1: Hubris Born of Success

Stage 2: Undisciplined Pursuit of More

Stage 3: Denial of Risk and Peril

Stage 4: Grasping for Salvation

Stage 5: Capitulation to Irrelevance or Death

Strategic failure of a firm – which could come from a hubris fueled rapid decline or simply a shift of your customers when you are not paying enough attention is really a risk that for most firms dwarfs the risks that are measurable and that are managed through the techniques of quantitative risk management.

According to a study conducted by Royal Dutch Shell the average life expectancy of Fortune 500 firms is 40 to 50 years.  That implies a 2% to 2.5% average annual failure rate.

Firms that are holding capital for measurable risks at a 1/200 level are pretending to protect their firm at a 0.5% annual failure rate.

But are quantitative risk management programs focusing too much resources on the things that can be measured and creating the Hubris, the false sense of invulnerability that is number one on the list above.

Certainly at some banks and some insurers that was the case.

Once you are convinced that you “know how to control risk” you are likely to go for it – the Undisciplined pursuit of More of the second item.  Even if quantitative risk management is doing most of what is needed, successful risk management can and will lead to Hubris and undisciplined growth.

Of course, sooner or later that lack of discipline will result in a misstep.  And here is where risk management needs to be ready to make it real.  The most common reaction to a problem in this situation is to assume that (a) this is not real, (b) this could not be happening to us – we are too good for this and when the bad news persists and grows in size and scope (c) this will turn around soon, it is only a temporary blip.  Those attitudes result in waiting too long to start doing anything.  That is where risk management must be ready to step in again with realisim and good plans for what to do next.

Unless risk management is caught up in the Hubris and Denial.

So try to make your move, risk managers, before it is to volunteer as a pall bearer.

Volcano Risk

Remarks from Giovanni Bisignani (International Air Transport Association) at the Press Breakfast in Paris

The Volcano

There was one risk that we could not forecast. That is the volcanic eruption which has crippled the aviation sector.  First in Europe, but we saw increasing global implications.  The scale of this crisis is now greater than 9/11 when US air space was closed for three days.  In lost revenue alone, this is costing the industry at least $200 million a day.  On top of that, airlines face added costs of extra fuel for re-routing and passenger care – hotel, food and telephone calls.

For Europe’s carriers – the most seriously impacted – this could not have come at a worse time.  As just mentioned, we already expected the region to have the biggest losses this year.  For each day that planes don’t fly the losses get bigger.  We are now into our fifth day of closed skies.  Let me restate that safety is our number one priority. But it is critical that we place greater urgency and focus on how and when we can safely re-open Europe’s skies.

We are far enough into this crisis to express our dissatisfaction on how governments have managed the crisis:

• With no risk assessment
• No consultation
• No coordination
• And no leadership

In the face of a crisis that some have estimated has already cost the European economy billions of Euros, it is incredible that it has taken five days for Europe’s transport ministers to organize a conference call.

What must be done?

International guidance is weak. The International Civil Aviation Organization (ICAO) is the specialized UN agency for aviation. ICAO has guidance on information dissemination but no clear process for opening or closing airspace. Closing airspace should be the responsibility of the national regulator with the support of the air navigation service provider.  They rely on information from meteorological offices and Volcanic Ash Advisory Centers.

Europe has a unique system.  The region’s decisions are based on a theoretical model for how the ash spreads.  This means that governments have not taken their responsibility to make clear decisions based on fact.  Instead, it has been the air navigation service providers who announced that they would not provide service. These decisions have been taken without adequately consulting the operators—the airlines. This is not an acceptable system, particularly when the consequences for safety and the economy are so large.

I emphasize that safety is our top priority. But we must make decisions based on the real situation in the sky, not on theoretical models. The chaos, inconvenience and economic losses are not theoretical. They are enormous and growing. I have consulted our member airlines who normally operate in the affected airspace. They report missed opportunities to fly safely.  One of the problems with the European system is that the situation is seen as black or white. If there is the possibility of ash then the airspace is closed.  And it remains closed until the possibility disappears with no assessment of the risk.

We have seen volcanic activity in many parts of the world but rarely combined with airspace closures and never at this scale. When Mount St. Helens erupted in the US in 1980, we did not see large scale disruptions because the decisions to open or close airspace were risk managed with no compromise on safety.

Today I am calling for urgent action to safely prepare for re-opening airspace based on risk and fact.  I have personally asked ICAO President Kobeh and Secretary General Benjamin to convene an urgent extra-ordinary meeting of the ICAO Council later today. The first purpose would be to define government responsibility for the decisions to open or close airspace in a coordinated and effective way based on fact—not theory.

Airlines have run test flights to assess the situation.  The results have not shown any irregularities and the data is being passed to governments and air navigation service providers to help with their assessment. Governments must also do their own testing. European states must focus on ways to re-open the airspace based on this real data and on appropriate operational procedures to maintain safety.  Such procedures could include special climb and descent procedures, day time flying, restrictions to specific corridors, and more frequent boroscopic inspections of engines.

We must move away from blanket closures and find ways to flexibly open airspace. Risk assessments should be able to help us to re-open certain corridors if not entire airspaces.  I have also urged Eurocontrol to also take this up. I urge them to establish a volcano contingency center capable of making coordinated decisions.  There is a meeting scheduled for this afternoon that I hope will result in a concrete action plan.

Longer-term, I have also asked the ICAO Council to expedite procedures to certify at what levels of ash concentration aircraft can operate safely.  Today there are no standards for ash concentration or particle size that aircraft can safely fly through. The result is zero tolerance. Any forecast ash concentration results in airspace closure. We are calling on aircraft and engine manufacturers to certify levels of ash that are safe.

Summary

1. Safety is our number one priority
2. Governments must reopen airspace based on data that tell us it is safe. If not all airspace, at least some corridors
3. Governments must improve the decision-making process with facts—not theory
4. Governments must communicate better, consulting with airlines and coordinating among stakeholders
5. And longer-term, we must find a way to certify the tolerance of aircraft for flying in these conditions

Full Press release

You might wonder about your own Volcano Risk.  Check out an explanation of what is covered by State Farm.

Finally, I got a question from the press about companies that I knew that had prepared specifically for this event.  One more example of how the press misses the point.  ERM is not about guessing the future correctly.

For something that is as unique as this event, the best any company could have expected to do would have been to anticipated the broad class of events that would cause extended disruptions of flights, tested the impact of such a disruption on their business operations and made decisions about contingency plans that they might have put in place to prepare for such disruptions.

LIVE from the ERM Symposium

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

• Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
• BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
• The world is not linear.  You cannot project the macro effects directly from the micro effects.
• Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.

• For merger of mature businesses, cultural fit is most important.
• For newer businesses, retention of key employees is key

• Modelitis = running the model until you get the desired answer
• Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
• Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
• Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
• We will always have some regulatory arbitrage.
• Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
• Economics has been dominated by a religious belief in the mantra “markets good – government bad”
• Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
• it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
• Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
• Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
• Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
• People with bad risk models will drive people with good risk models out of the market.
• Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
• It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
• If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
• You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

No Risk Management is Betting

So many times, the financial press gets it exactly backwards. (See Bloomberg) Firms who manage their risks by hedging or insurance are reported to be betting and firms who do not are simply subject to the normal fluctuations of uncontrollable events.

But Risk Management offers a real alternative to either betting or being tossed around by the frothy seas of misfortune.  Risk management offers the possibility of identifying and mitigating the most extreme negative events and trends of the world.

Imagine your business owns a building worth $100,000,000.  There is a 1 in 250 chance that a storm will hit your building and destroy the building leaving you with a $10 million piece of empty property and a $10 million clean up bill.  (ignore the business interruption for now).

So the expected cost of that loss is $400,000.  You get an insurance quote for $600,000.  There are two ways you can tell the story of purchasing insurance:

1. The firm can place a bet that its building will be destroyed by a storm.  If there is no storm, then they lose their bet.
2. The firm can manage its risk from a severe storm by buying an insurance policy.

Now if the storm does not happen, the story can be:

1. The firm lost its bet that its building would be destroyed.
2. The firm incurred a fixed cost of managing its storm risk and avoided the volatility of an uninsured situation.

And if the storm does one day hit, the story is:

1. The firm won its bet that a storm would destroy its building and was rewarded by a $100 million gain from insurance.
2. The losses from the storm were covered by the firms insurance.

Risk Management just is not a good story for the reporters, if told right.  For the firm, that may just be one more reason to consider risk management.

Now if the firm chooses not to buy the insurance, the coverage is twisted.  Again read two ways that it might be reported if there is no storm:

1. No story.  Nothing happened.
2. The firm got lucky and did not take a loss on its uninsured building.  They took a bet that had a huge downside for their shareholders for a very small payoff.

ANd if the storm hits, the story is reported as:

1. Tragedy strikes.  Unfortunate event causes $100 M loss.  CEO say “We are just not able to control the weather.”
2. The bet that management took went bad.  That bet was just not necessary.  Now shareholders have experienced large losses because the management was trying to save a little on insurance.  The CEO should be fired.

Unless the firm’s was in the business of long term weather forecasting they had no business making the bet when they did NOT buy the insurance.  THey had no expertise to tell them that they shouldn’t buy the insurance.

They were just gambling.

When your Parachute Doesn’t Open

Do you have a plan for what to do when your parachute doesn’t open?

Well, if you do not, pay attention.  Here is a 6 step checklist for what to do:

1. Signal your Buddy.
2. Get close with your Buddy.
3. Link your arms through his/her straps.
4. Open his/her chute.
5. Let your Buddy steer the chute.
6. Suggest that he/she look for an extra soft place to land (water).

There now.  Don’t you feel safer?

You say you do not parachute jump?  So what good it this?

Well, you must see that this is really good advice that can be applied to many situations.  Not just parachute jumping.

1.  Signal Your Buddy – this step might just be the most difficult.  That is because it requires two very different things.  First, you must recognize that you have a serious and potentially fatal problem.  You must be able to make that decision before it is too late.  So you probably need to have thought ahead to know how serious of a problem just might be terminal.  Second, you have to have a buddy in sight to be signaled.  If you are an individual working in risk management in a firm, you need to know in advance who is going to be your buddy in case of emergency.  This applies to entire firms as well.  The firm needs to know who they will go to when they might be in terminal trouble.

2.  Get Close with your Buddy – Troubled times are when you find out who your real buddies are.  Your fair weather friends will not be interested in getting close to you when you are in trouble.  This is the real definition of a Buddy.  Someone who is willing to be next you you then.  You need to realize that now and decide whether you have any real buddies.  If you are prarchute jumping, you need to figure that out on the ground, not in the air.  If you are managing risks, perhaps you are at the wrong firm if you look around and you do not know who your buddy is.  A firm with a good risk management program will more than encourage buddies, it will require them.  And it will foster a culture of mutual responsibility, not everyone for themselves. It needs to be a firmwide expectation that you can count on several potential buddies when a real problem crops up.

3.  Link your arms through his/her straps – for parachuting, holding on is not sufficient, the g-force that will hit when the chute opens with two people and one chute will rip you apart.  Also in risk management, the committment to the Buddy needs to be very firm.  All too often risk managers get blamed for inproper risk appetites, even when they had explicitly warned against the exact event that is causing the problem.  Many risk managers will sorely need to have someone who will remind management that the risk manager was not the one at fault. 

4.  Open his/her chute.  This is the key step for both the diver and the risk manager.  And it needs to be said and repeated and rehearshed.  The reason that the risk management might be of value to the organization is that it causes the organization to contemplate doing some things differently.  When there is severe troubles, the risk manager needs to be able to clearly call for action and the organization needs to be prepared to take that action, either by directly empowering the risk manager or through a cultural committment to real action based upon risk information.  The Buddy system described here might be a good way to create the possibility of quick action with some checks and balances in the event of severe threats.  The empowerment to action might require the agreement of the buddy. 

5.  Let your Buddy steer the chute.  This item on the checklist is there to acknowledge that the person who loses the chute might just be a little (or a lot) shook up and therefore might have somewhat impaired judgment.  The same might be true in the event of a disaster to the firm.  The buddy and the firm in general needs to look out for any actions that are of the nature of “doubling down” to recover past losses.  There must be a recognition that the best thing to do now can best be determined by looking at likely futures rather than the past. 

6.  Suggest that he/she look for an extra soft place to land (water).  The parachute will often not work exactly as planned when it carries two.  So the person steering needs to be particularly diligent to look for a softer than usual place to land.  So to with a risk management emergency.  It might be desirable to end up in a slightly more secure position than normal minimum standards after a major problem.  It will make everyone feel better.  The hardest story to tell is when a firm has had a major loss but was not able to really put on the brakes so is not sure if or how much further loss will be happening.  Both need to help with looking for that soft place to land.

The Risk of Market Value

In 1984, Warren Buffet gave a speech about value investing at Columbia University.  Here is a quote from that speech:

“it is extraordinary to me that the idea of buying dollar bills for 40 cents takes immediately with people or it doesn’t take at all. It’s like an inoculation. If it doesn’t grab a person right away, I find that you can talk to him for years and show him records, and it doesn’t make any difference. They just don’t seem to be able to grasp the concept, simple as it is.” Warren Buffett

Not about risk management but, if you can get your head around Buffett’s comment about upside, there is a logical counterparty about downside.

“Either the idea of buying dollar bills at $2 seems risky to someone immediately or it never will. If the response is, ‘if that is what the market rate is’ then just dig into your pocket and look for some dollars to sell.” Dave Ingram

In the book “The Greatest Trade Ever: The Behind-the-Scenes Story of How John Paulson Defied Wall Street and Made Financial History”, Greg Zuckerman tells just how difficult it was to be among the few investors who saw that the US mortgage market was overheated – that the market value of the houses and the securities written on the mortgages on those houses were all dollar bills being traded over and over again at $2.

But that was aggressive trading.  The risk management response with that knowledge would been to stay away.  And many, many financial institutions did stay away.  All of the press went to the firms that played that game to their and all of our detriment.

So the Paulson story of good to read because it tells about the other side of some of the trades.  And there always in another side, no matter how poorly the press chooses to cover it.

And the other side of the risk mismanagement by the largest banks and AIG is the risk management of the firms who were not exposed to overpriced mortgage securities.  But it is hard to make a story about the exposures that those firms did not have.

Which is one of the puzzles of risk management.  Sometimes the greatest successes are when nothing happens.

Crisis Pre-Nuptial

What is the reaction of your firm going to be in the event of a large loss or other crisis? 

If you are responsible for risk management, it is very much in your interest to enter into a Crisis Pre-Nuptial. 

The Crisis Pre-Nuptial has two important components. 

1. A protocol for management actions in the event of the crisis.  There is likely a need for there to be a number of these protocols.   These protocols can be extremely valuable, their value will most likely far exceed the entire cost of a risk management function.  Their value comes because they eliminate two major problems that firms face in the event of a crisis or large loss.  First is the deer in the headlights problem – the delay when no one is sure what to do and who is to do it.  That delay can mean that corrective actions are much less effective or much more expensive or both.  Second is the opposite, that too many people take actions, but that the actions are conflicting.  This again increasses costs and decreases effectiveness.  Just as with severe medical emergencies, prompt corrective actions are almost always more likely to have the most favorable results. 
2. Setting up an expectation that the crises and losses either are or are not an expected part of the risks that the firm is taking.  If the firm is taking high risks, but does not expect to ever experience losses, then there is a major disconnect between the two.  Just as a marital pre-nuptial agreement is a conscious acknowledgement that marriages sometimes end in divorce, a Crisis Pre-Nuptial is an acknowledgement that normal business activity sometimes involves losses and crises. 

Risk managers who have a Crisis Pre-Nuptial in place might, just might, have a better chance to survive with their job in tact after a crisis or large loss. 

And if someday, investors and/or boards come to the realization that firms that plan for rainy days are, in the long run, going to be more valuable, the information that is in the Crisis pre-nuptial could be very important information for them.

Basis Risk

In the simplest terms, basis risk is the difference between the hedge you bought and the risk that you own.  Especially the difference that is most noticeable when you had expected to be needing the hedge.

But that is not the topic here.  There is another Basis Risk.  That is the risk that you are using the wrong basis to judge your gains and losses.  This risk is particularly prevalent right after a bubble pops.  Everyone is comparing their wealth to what they thought that they had at the height of the bubble.

Here are two stories that show the problem with that:

1. Think about a situation where someone made an error in preparing your brokerage statement.  That IBM stock you have was worth $100,000.  The mistake was that an extra zero slipped in somehow.  The position was recorded as $1,000,000.  Add that in to your net worth and most of us would have an exaggerated feeling of wealth.  Think of how destructive to your long term happiness it would be if you really came to believe that you had that extra $900,000?  Two ways that could be destructive.  First of all, you could start spending other funds as if you had all that excess value.  Second of all, once you were informed of the error, you could then undertake more aggressive investments to try to make up the difference.  The only way to be safe from that destruction is if you never believe the erroneous basis for the IBM stock.
2. Possibly more realistic, think of someone in a casino.  During their day there they bet on some game or other continuously.  At one point in the visit, they are up by $100,000.  When they leave, they are actually down by $1000 compared to the amount they walked in the door with.  Should they tell people you lost $1000 or $101,000?

In both cases, it sounds silly to even think for long about the larger numbers as your “basis”.  But that seems to pervade the financial press.  Unfortunately, with regard to home values, many folks were persuaded to believe the erroneous valuation at the peak of the market and to borrow based upon that value.

So, now you know what is meant by this type of “Basis Risk”.  Unfortunately, it is potentially much larger than the first type of basis risk.  Behavioral Finance abounds with examples of how the wealth effect can distort the actions of people.  Possibly, the reason that the person in the casino walked out with a $1000 loss is realted to the sorts of destructive decisions that are made when wealth is suddenly increased.  Therefore, it is much more important to protect against this larger basis risk.

To protect against this type of risk requires a particularly strong ability to stick to your own “disciplined realism” valuation of your positions.  Plus an ability to limit your own valuation to include only reasonable appreciation.  Mark to mark is the opposite of the disciplined realism, at least when it comes to upside MTM.  For downside movements in value, it is best to make sure that your disciplined realism is at least as pessimistic as the market. 

This is a very different approach than what has been favored by the accounting profession and adoppted by most financial firms.  But they have found themselves in the position of the second story above.  They feel that they have made gigantic profits based upon the degree to which their bets are up in the middle of the session.  They have not left the casino yet, however.

And that is the last place where disciplined realism needs to be applied.  Most of us have been schooled to believe that “realized gains” are REAL and therefore can of course be recognized.  But think of that second story about the casino.  If you are taking those gains and putting them right back on the table, then you really do not “have” them in any REAL sense.  Firms need to adopt disciplined realism by recognizing that a series of similar positions are in reality not at all different from a single position held for a long time.  The gains should not be recognized until the size of the position is significantly reduced.

New Decade Resolutions

Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade

1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
   
4. Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future. 
   
5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.

6. Drivers of risks will be highlighted and monitored.  Key risk indicators is not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external. 
   
7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
   
8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management. 
   
9. Focus on  the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.   Big transactions will also get the same kind of focus on risk. 
   

Live Ammunition

Are you working with live ammunition with your risk management program?

What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?

The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?

If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.

Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.

I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.

Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a break pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?

Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.

The job of RISK is not to over ride the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.

Violator of Risk Limit

 

This may not be your corporate policy.  But you should be clear to all whether your risk limits are hard, soft or gigantic. 

A Hard risk limit is one where there just may be a rock and a snake for the violator.  Violations of limits are not expected to happen in a system with hard risk limits.  So maybe no one knows what the consequences are.  In systems with very hard limits, a system of “checkpoints” may develop that are actually soft limits that help managers to avoid coming too close to the hard limits.  These firms may have rules like “violations of limits must be reported to the board at the very next meeting”.  In addition, there may be a hard requirement to reverse or offset the actions that led to the violation within some short period of time, sometimes something like 72 hours. 

A Soft risk limit is very much the opposite.  Violation of a soft risk limit might most often result in raising the limit.  Or violations may simply be allowed to stand without any special notice or attempt to reverse.  A more diciplined soft limit system may track the number of violations and use the count of violations as an indication of potential issues. 

A Gigantic risk limit is very common.  There is no need to decide whether a Gigantic risk limit is hard or soft, because there is little chace that the firm will ever approach the limit.  Gigantic limits are often 200% or more than expected positions.  Commonly, Gigantic limits are are found in formal investment policies of firms or funds.  These are deliberately set so high that they will not get in the way of day to day operations of the investment managers, even if they want to make significant changes to the make-up of the fund.  Unfortunately, many firms have not yet realized that these policy limits are not useful risk limits.  But they do save money on snakes.

Risk Management Changed the Landscape of Risk

The use of derivatives and risk management processes to control risk was very successful in changing the risk management Landscape.

But that change has been in the same vein as the changes to forest management practices that saw us eliminating the small forest fires only to find that the only fires that we then had were the fires that were too big to control.  Those giant forest fires were out of control from the start and did more damage than 10 years of small fires.

The geography of the world from a risk management view is represented by this picture:

The ball represents the state of the world.  Taking a risk is represented by moving the ball one direction or the other.  If the ball goes over the top and falls down the sides, then that is a disaster.

So risk managers spend lots of time trying to measure the size of the valley and setting up processes and procedures so that the firm does not get up to the top of the valley onto one of the peaks, where a good stiff wind might blow the firm into the abyss.

The tools for risk management, things like derivatives with careful hedging programs now allowed firms to take almost any risk imaginable and to “fully” offset that risk.  The landscape was changed to look like this:

Managers believed that the added risk management bars could be built as high as needed so that any imagined risk could be taken.  In fact, they started to believe that the possibility of failure was not even real.  They started to think of the topology of risk looking like this:

Notice that in this map, there is almost no way to take a big enough risk to fall off the map into disaster.  So with this map of risk in mind, company managers loaded up on more and more risk.

But then we all learned that the hedges were never really perfect.  (There is no profit possible with a perfect hedge.)  And in addition, some of the hedge counterparties were firms who jumped right to the last map without bothering to build up the hedging walls.

And we also learned that there was actually a limit to how high the walls could be built.  Our skill in building walls had limits.  So it was important to have kept track of the gross amount of risk before the hedging.  Not just the small net amount of risk after the hedging.

Now we need to build a new view of risk and risk management.  A new map.  Some people have drawn their new map like this:

They are afraid to do anything.  Any move, any risk taken might just lead to disaster.

Others have given up.  They saw the old map fail and do not know if they are ever again going to trust those maps.

They have no idea where the ball will go if they take any risks.

So we risk managers need to go back to the top map again and revalidate our map of risk and start to convince others that we do know where the peaks are and how to avoid them.  We need to understand the limitations to the wall building version of risk management and help to direct our firms to stay away from the disasters.

Adaptability is the Key Survival Trait

…different and potentially much more difficult issues arise in the identification and measurement of risks where past experience is an uncertain or potentially misleading guide. When risk materialises, it may do so as a risk previously thought to be understood and managed that turns out to be very different indeed, and may do so quickly, well within normal audit cycles. The valuation of an asset or liability in a stressed market environment and the identification of other potential risks that may not previously have been encountered pose major questions for real-time assessment that are unlikely to have been factored into construction of the pre-existing business model.

Excerpt from the Walker Review

To survive such situations, it seems that the ability to quickly assess new situations, especially ones that look like old tried and true but that are seriously more dangerous, and to change what the organization is doing in response to these risks is key.

But to do that, significant amounts of senior resources must be dedicated to determining whether such risks are NOW in the environment each and every day.  The findings of this review must be taken very seriously and the organization must consider the possibility of changing course – not just a minor correction – a major change of business activity.

In addition to the discernment to identify such situations, the organization must cultivate the capacity to make such changes quickly and effectively.

An organization that can do those things have true adaptability and have a much better chance of survival.

However, for a business to be very profitable, it needs to be very focused, very efficient.  Everyone in the organization needs to be pointed in the same direction.  Doubt will undermine.

Within capitalism, the conflict is resolved by allowing individual businesses to maximize profits and relying on an assumption that there will be enough diversity of businesses that enough businesses will have chosen the right business model for the new environment.  Some of the most successful businesses from the old environment will fail to adapt, but some of the laggards will now thrive.

And therefore, the system survives.

But, that is not always so.  In some circumstances, too many firms choose the exact same strategy.  If the environment stays unchanging for too long, individual firms lose any adaptability that they might have had, they all become specialists in that one “most profitable thing”.  A major change in the environment and too many businesses fail too fast.

How does that happen?

Regulators play a large role.  The central bankers work very hard to keep the environment on a steady course, moderating the bumps that encourage diversity.

Prudential and risk management regulation also play a large role, forcing everyone to pay attention to the exact same risks and encouraging similar risk treatments through capital regime incentives.

So for the system to remain healthy, it needs adaptability and adaptability comes from diversity.  And diversity will not exist unless the environment is more variable.  There needs to be diversity in terms of both business strategy and interms of risk management approaches.

So improving the prudential regulation will have the effect of driving everyone to have the same risk management – it will have the perverse effect of diminishing the likelihood of survival of the system.

Black Swan Free World (10)

This is the final post in a 10 part series.

On April 7 2009, the Financial Times published an article written by Nassim Taleb called Ten Principles for a Black Swan Free World. Let’s look at them one at a time…

10. Make an omelette with the broken eggs. Finally, this crisis cannot be fixed with makeshift repairs, no more than a boat with a rotten hull can be fixed with ad-hoc patches. We need to rebuild the hull with new (stronger) materials; we will have to remake the system before it does so itself. Let us move voluntarily into Capitalism 2.0 by helping what needs to be broken break on its own, converting debt into equity, marginalising the economics and business school establishments, shutting down the “Nobel” in economics, banning leveraged buyouts, putting bankers where they belong, clawing back the bonuses of those who got us here, and teaching people to navigate a world with fewer certainties.

Of the ten suggestions, this one has the most value by far.  Unfortunately, this one may be the suggestion that has the least chance of being taken up.  No one is talking about any part of this.  We seem to be moving to try to set the world back into the place that is was, or very close to it.

We should be asking “What should be the place of banking in our economy?”  This is not a question of allowing the free market to choose.  The free market has nothing to do with this.  The role of the banking sector is entirely determined by the government.  The banking sector had grown to eat up a huge percentage of all of the profits of the entire economy.  Does that make any sense to anyone?  Banking can be a symbiont with the economy or it can be a parasite or it can be a cancer.  Before the crisis, banking had definitely moved beyond the level of parasite to becoming a harmful cancer.  Too much of all of the profits of all of business activity in the entire economy were being diverted to the banks and with the pay structure of the banks, into the pockets of a very small number of bankers.  Did that make any sense whatsoever?  Is there any way that anyone can show that situation makes for a healthy economy?  The bubbles that happened twice could be seen as the way that bankers justified their huge take from the economy.  If values were growing rapidly, no one seemed to mind that bankers took so much out of the deals.

Source:Evolution of the US Financial Sector Thomas Philippon

However, if the economy and the values of businesses and assets in the economy grow at only a sane pace, and bankers try to go back to the level of take from the economy that they have grown accustomed to, then the amount of total profits left for the rest of the economy are bound to be negative.  So unless we re-think things and figure out how to muzzle the banks, then we are headed for more bubbles that will justify their stratospheric incomes.

The financial sector, once it exceeds a certain share of the economy, should be viewed as a tax on the economy.  Many protest the taxes that the government imposes because the money is not well spent.  Well, the money from this tax goes to personal expenditures of the bankers themselves.  There is not even any pretense that this tax will be spent for the common good.

One question that really needs to be answered is how much of this financial “innovation” that is touted as the result is really beneficial to the economy and how much of it is just unnecessary complexity that hides that take of the bankers and hedge funds.  The excuse that is always given is that all of this financial innovation helps to provide lubrication for businesses.  But that is more like an excuse than a reason.  Mostly the financial innovation has fueled bubbles.  It has led to the excessive leverage that feeds into one sided deals for hedge fund managers.

More often than not, financial innovation has helped to fuel the extreme fixation on short term gains in the economy.  Financial innovation has featured hollowing out companies to maximize short term values.  Quite often the companies “helped” by this process turn into worthless shells somewhere along the process.  This destroys that productive capacity of the economy to allow for the extraction of the maximum amount of short term profits.

Financial innovation helps to turn corporate assets into profits and to take those profits out of the firm through leverage.

So Taleb’s suggestion that we think through Capitalism 2.0 is a good and timely one.  But we need to start asking the right questions to figure out what Capitalism 2.0 will be.

Black Swan Free World (9)

Black Swan Free World (8)

Black Swan Free World (7)

Black Swan Free World (6)

Black Swan Free World (5)

Black Swan Free World (4)

Black Swan Free World (3)

Black Swan Free World (2)

Black Swan Free World (1)

The Future of Risk Management – Conference at NYU November 2009

Some good and not so good parts to this conference.  Hosted by Courant Institute of Mathematical Sciences, it was surprisingly non-quant.  In fact several of the speakers, obviously with no idea of what the other speakers were doing said that they were going to give some relief from the quant stuff.

Sad to say, the only suggestion that anyone had to do anything “different” was to do more stress testing.  Not exactly, or even slightly, a new idea.  So if this is the future of risk management, no one should expect any significant future contributions from the field.

There was much good discussion, but almost all of it was about the past of risk management, primarily the very recent past.

Here are some comments from the presenters:

• Banks need regulator to require Stress tests so that they will be taken seriously.
• Most banks did stress tests that were far from extreme risk scenarios, extreme risk scenarios would not have been given any credibility by bank management.
• VAR calculations for illiquid securities are meaningless
• Very large positions can be illiquid because of their size, even though the underlying security is traded in a liquid market.
• Counterparty risk should be stress tested
• Securities that are too illiquid to be exchange traded should have higher capital charges
• Internal risk disclosure by traders should be a key to bonus treatment.  Losses that were disclosed and that are within tolerances should be treated one way and losses from risks that were not disclosed and/or that fall outside of tolerances should be treated much more harshly for bonus calculation purposes.
• Banks did not accurately respond to the Spring 2009 stress tests
• Banks did not accurately self assess their own risk management practices for the SSG report.  Usually gave themselves full credit for things that they had just started or were doing in a formalistic, non-committed manner.
• Most banks are unable or unwilling to state a risk appetite and ADHERE to it.
• Not all risks taken are disclosed to boards.
• For the most part, losses of banks were < Economic Capital
• Banks made no plans for what they would do to recapitalize after a large loss.  Assumed that fresh capital would be readily available if they thought of it at all.  Did not consider that in an extreme situation that results in the losses of magnitude similar to Economic Capital, that capital might not be available at all.
• Prior to Basel reliance on VAR for capital requirements, banks had a multitude of methods and often used more than one to assess risks.  With the advent of Basel specifications of methodology, most banks stopped doing anything other than the required calculation.
• Stress tests were usually at 1 or at most 2 standard deviation scenarios.
• Risk appetites need to be adjusted as markets change and need to reflect the input of various stakeholders.
• Risk management is seen as not needed in good times and gets some of the first budget cuts in tough times.
• After doing Stress tests need to establish a matrix of actions that are things that will be DONE if this stress happens, things to sell, changes in capital, changes in business activities, etc.
• Market consists of three types of risk takers, Innovators, Me Too Followers and Risk Avoiders.  Innovators find good businesses through real trial and error and make good gains from new businesses, Me Too follow innovators, getting less of gains because of slower, gradual adoption of innovations, and risk avoiders are usually into these businesses too late.  All experience losses eventually.  Innovators losses are a small fraction of gains, Me Too losses are a sizable fraction and Risk Avoiders often lose money.  Innovators have all left the banks.  Banks are just the Me Too and Avoiders.
• T-Shirt – In my models, the markets work
• Most of the reform suggestions will have the effect of eliminating alternatives, concentrating risk and risk oversight.  Would be much safer to diversify and allow multiple options.  Two exchanges are better than one, getting rid of all the largest banks will lead to lack of diversity of size.
• Problem with compensation is that (a) pays for trades that have not closed as if they had closed and (b) pay for luck without adjustment for possibility of failure (risk).
• Counter-cyclical capital rules will mean that banks will have much more capital going into the next crisis, so will be able to afford to lose much more.  Why is that good?
• Systemic risk is when market reaches equilibrium at below full production capacity.  (Isn’t that a Depression – Funny how the words change)
• Need to pay attention to who has cash when the crisis happens.  They are the potential white knights.
• Correlations are caused by cross holdings of market participants – Hunts held cattle and silver in 1908’s causing correlations in those otherwise unrelated markets.  Such correlations are totally unpredictable in advance.
• National Institute of Financa proposal for a new body to capture and analyze ALL financial market data to identify interconnectedness and future systemic risks.
• If there is better information about systemic risk, then firms will manage their own systemic risk (Wanna Bet?)
• Proposal to tax firms based on their contribution to gross systemic risk.
• Stress testing should focus on changes to correlations
• Treatment of the GSE Preferred stock holders was the actual start of the panic.  Leahman a week later was actually the second shoe to drop.
• Banks need to include variability of Vol in their VAR models.  Models that allowed Vol to vary were faster to pick up on problems of the financial markets.  (So the stampede starts a few weeks earlier.)
• Models turn on, Brains turn off.

MARTA – Risk Management… beyond mitigation

Submitted by Antony Marcano

From his Blog Testingreflections.com

In a previous rant about the misuse of the term mitigate in the context of risk management I listed the following strategies (I call them MARTA) for managing a given risk:

• Mitigate – Reduce the severity of its impact
• Avoid – Don’t do the thing that makes the risk possible
• Reduce – Make the risk less likely to happen
• Transfer – Move the impact of the problem to another party (e.g. insure such as paid insurance or outsource with penalties for failure)
• Accept – Do nothing or set aside budget to cope with the impact

I recently found myself having to explain this and used the analogy of crossing a busy road with fast-moving cars. What’s the risk? Well, you might get hit by a car.

This will probably be more useful if you take a moment to think of a busy road with fast moving traffic that you know of and then use each of the above strategies to identify different ways of managing the risk. What factors would be significant in deciding on which strategy (or combination of strategies) was the way to go?

Ok, now that you’ve had a chance to think about it, here is what I came up with:

• Mitigate – Walk down the street until I can find a section of the road where there is a 20mph speed restriction. (This is mitigation because I’m not necessarily making it any less likely that I’m hit, but if I am hit the ‘impact’ is reduced – i.e. I’ll probably live – albeit with injury).
• Avoid – I could simply not cross the street, by deciding that whatever is on the other side simply isn’t that important or I could use an underground subway (which of course has other risks associated with it depending on the area you’re in).
• Reduce – Find a stretch of road where there are fewer cars – reducing the probability of being hit by a car.
• Transfer – Get someone else to cross the street, maybe someone more skilled at crossing the road than me.
• Accept – Now, if it was a busy street, I wouldn’t ‘accept’ the risk. But, if the road allowed for lots of visibility and there were very few cars and there were speed bumps slowing the traffic down to 10mph then I might just accept the risk.

The person I explained this to found this to be a useful exercise in understanding my views on risk management – beyond mitigation. Hope you find this way of explaining it useful too.

» Antony Marcano’s blog

How to Fail

Reasons Civilizations Fail

from Jared Diamond
Author of “Guns, Germs & Steel”
1. Failure to anticipate a problem before it arrives
2. Failure to see a problem once it arrives
3. Failure to even try to solve a problem once they have perceived it
4. Failure to solve a problem that they are trying to solve.
http://www.edge.org/3rd_culture/diamond03/diamond_index.html

Diamond presents a simple taxonomy of failure.  Much of what risk management attempts to do is to prevent failures.

So a risk manager can use this list as a control list for risk management practices.

Failure to anticipate a problem before it arrives – this appplies to both emerging risks as well as identified risks. Anticipating a problem means more than just fretting about it; it means preparing for it as well.

Failure to see a problem once it arrives. Knowing of a risk, but not knowing when that risk becomes risky is almost as bad as not knowing about the risk at all.  The risk manager needs to assist the business manager in identifying when risk is risky.  In addition, there needs to be a process for identifying emerging risks, especially those that are just about emerged. 

Failure to even try to solve a problem once they have perceived it As Diamond points in his books, sometimes people fail to act because they know that the first action would be to stop or reduce something that is really important to them.  This part of the risk management role falls on the CEO.  The CEO needs to be able to take the reins out of the hand of the frozen manager.  And if it is the CEO that is frozen, then the board needs to act.

Failure to solve a problem that they are trying to solve. In the risk management context, this occurs when the standard rules and tools just do not work.  The risk manager needs to reframe the problem along with a scramble for alternate tools while throwing out the rules.

Capabilities

Your firm’s Risk Profile is a function of two things, the Opportunities for risk taking and your capabilities.  Using your capabilities, you will choose from your opportunities for risk to get your gross risk exposures. Then your capabilities will again take over and treat your risks to bring them to the net risks.

So your capabilities make two contributions to risk management.

A firm with strong capabilities will find the best opportunities from the choices that the firm has based upon its access to sourcing risks.  Those opportunities will have the most favorable risk reward potential.

Then the strong capabilities will seek to trim the risk through risk treatment, giving up as little return as possible while offsetting or otherwise reducing returns as much as possible.

A firm that wants to increase its capabilities has three choices:  Acquiring, Partnering or Training.

Risk capabilities can be Acquired in bulk by acquiring a firm with good capabilities, or by hiring one risk professional at a time.  With Partnering, the firm gets help from the partner who could be a consulting firm or an intermediary.  By using Training to acquire capabilities, the firm seeks to add capabilities to existing staff.

Each possibility has different short and long term costs and each has different levels of dependability and time to start up.

ERM Role in Implementing a Winning Acquisition Strategy (2)

From Mike Cohen

Part 2

(Part 1)

Execution of an Acquisition Strategy Goes Through Several Stages and Involves Many and Varied Complex, Interrelated Business Issues (they must be performed well, and there are numerous junctures where things can go awry … suggesting that many potential risks need to be addressed, and more effectively than they typically are)

– Defining the business case

– Considering the corporate strategy and the resulting (ideally enhanced) business model

* Fit vs. conflict

* Synergies; potential synergies are frequently overstated

* Diversification

– Assessing market opportunities and competitive dynamics

* Products

* Distribution

* Markets/segments

* Brand/reputation

– Financial impact

* Earnings

* Capital

* Economic value

* Assessment of an appropriate price

– Investments

* Asset classes

* Loss positions

* Liquidity

– Operational fit (or problematically, the need to ‘fix’ the target’s operations)

* Technology

* Administration

* Core competencies

– Integrating the target: melding the two organizations so that they can perform effectively together, while mitigating risk, volatility and confusion to the greatest extent possible

Q: Is an acquisition strategy a core competency of your company … can you execute such a transaction successfully?

Due Diligence Performed on any Acquisition Target: A Critical Activity on the Strategic and Tactical Levels

– Valuation, impact on future financial results

– Management/staff

– Profitability of new (potential), existing business

– Competitive market position; product management, distribution capabilities

– Synergies: strategic, operational, financial, market/product/distribution

– Investments

– Expense structure (opportunities for increasing efficiency and/or cost reduction)

– Technological capabilities or possible lack of fit

– Contractual obligations

– Areas of risk or uncertainty

Many acquisitions are viewed retrospectively as failures. A lack of accurate evaluation of/objectivity about prospective acquisition targets (using ‘rose-colored glasses’ leads many (most?) acquirers to have unrealizable goals for their transactions, and as a consequence the end results (strategic, financial or otherwise) do not meet expectations.  There is a considerable level of risk to the acquirer if the due diligence process is not conducted with sufficient accuracy and objectivity.

Evaluating the Capabilities of an Organization to Execute Successful Acquirer: Being a successful acquirer requires a number of skills and mind-sets:

– Knowing one’s own corporate vision, mission, strategy and operating model, and how  acquisitions complement them

– Having a disciplined approach: evaluating fit, paying an appropriate price based on economic value, both current and future

– Performing careful, accurate and objective due diligence on the target company and management counterparts … caveat emptor!

– Executing timely, well planned and orchestrated integration activities focus on achieving a favorable operational model and attaining a satisfactory level of cost savings; a number of  companies that acquired positive reputations as acquirers were in fact poor at integrating their acquisition(s), causing their organizations to implode

– Managing the staffs and corporate cultures sensitively. There is considerable amount of research that identifies human resource related issues as the most prevalent causes for acquisition failure; personalities (egos), conflicting management styles and cultures, and different compensation structures are all too common. Proactive conflict resolution is critical to steer the resulting entity past these pratfalls. Open and continuous communication is critical.

The General Lack of Success from Acquisitions is Attributed to Mismanaging One or More Critical Aspects of the Transaction with Material Risk

Strategy

– Incompatible cultures

– Incompatible business models

– Synergy non-existent or overestimated

Due Diligence

– Acquirer overpaid

– Foreseeable problems overlooked

– Acquired firm too unhealthy

– Overlooking aspects of the target where excessive divestiture or liquidation might be required

Implementation

– Inability to manage target

– Inability to implement change

– Clash of management styles/egos

Conclusion

An acquisition is arguably the most difficult business endeavor a company can undertake. This report discussed a considerable number of elements involved in acquisition activity; they are all complex, and there are many junctures in the process where a number of these elements can go awry or reach adverse conclusions, either derailing transactions that could have otherwise been successful or ‘proving’ the efficacy of transactions that upon closer scrutiny could not have succeeded and should have been avoided.

Studies of acquisition activity across all industries (not just insurance) have consistently  found that approximately two-thirds of these transactions yielded unsatisfactory results. One could observe that this is not surprising, as there are so many steps along the way that can turn into insurmountable roadblocks. Considering the myriad of factors that must be performed well, it is clear than sound, pragmatic risk management throughout the process and beyond is critical in order for acquisition activity to succeed

ERM Role in Implementing a Winning Acquisition Strategy

From Mike Cohen

Part 1 (of 2)

“Winning bids are made by winning bidders”
Author Unknown

“Is there such a dynamic as The Winners’ Curse?”
Richard H. Thaler

Is an acquisition strategy a positive endeavor for an insurance company? Is it a strategy necessary for the survival of some companies? In these difficult times, even for companies that have a track record of success in this arena, is an acquisition the answer? This report explores the various thought processes that companies go through when they consider an acquisition strategy, explores what activities need to take place in order for an acquisition to be seen as successful, and reflects on the role of enterprise risk management in improving the likelihood of success.

Success: According to Whom?

A property isn’t valued on the same terms by a buyer and a seller. Buyers and sellers are trying to accomplish different things relative to their particular situations:                                                                   – The buyer is trying to enhance his business (ideally strategically, not just financially … although improving one’s financial position at this point time looks very appealing!); on what criteria will the buyer’s acquisition be viewed a success?                                                                                                        – The seller is trying to either raise capital or increase focus; on what terms will the seller’s divestiture be viewed a success?

What can buyers and sellers do to increase their respective chances of success? What role can/should ERM play in these transactions?

Acquisitions as an Element of Corporate Strategy: Various Perspectives

What is the mind–set companies have as they consider acquisition activity?

“We see the opportunity to make suitable acquisitions at the right price as just another way of meeting our corporate objectives”

“We see acquisitions as crucial to achieving our objectives”

“We are an acquisition specialist”

“Our strategy is to make acquisitions and then integrate them effectively”

Which is of these approaches is right for you, if any … and, if so, under what circumstances? Given that acquisition activity in the aggregate has an uneven track record of success, how can acquirers improve their likelihood of success? Have the myriad of risks involved in such complicate endeavors not been understood and dealt with effectively, causing the majority of acquisitions to fall short of expectations?

Companies’ conversations with rating agencies have often revealed ‘curious’ expectations of acquisition activity:

“The deal is ‘fully priced,’ but we did not overpay”

“The deal will work because there is overlap”

“The deal will work because there is no overlap”

“Cultures are similar despite apparent differences”

“Although not accretive, it’s non-dilutive”

“Growth & profit objectives will be met through synergies”

Enhancing an Organization’s Business Model, in General and via Acquisition, to Better Meet Goals and Objectives

Can an Acquisition Be a Driver of Positive Change?

Existing business model   Clear business case for an acquisition  Enhanced business model

A well respected expert on business strategy and planning, Russell L. Ackoff, presented the concept of ‘idealized design” …  the best conceived business model a company can put into place. Does an acquisition help a company make its business model more effective? For this to happen, it must be supportive of the following:

– Mission, Vision: Is the acquisition consistent with the company’s strategic direction?
– Profitability: EPS, ROE, EVA; is the acquisition accretive to financial results, and if not when will it be? Are there dynamics/risks that could prevent attainment of the stated financial objectives?
– Competitive dynamics: Will additional market share provide the ability to dictate competitive terms? Given how fragmented the life insurance industry is, can the largest companies (as large as they are) alter competitive dynamics more in their favor? Does the acquisition enable the company to compete more strongly against powerful competitors?
– Market share: Are economics of scale gained? Is less desirable (unfavorably priced) business being acquired? As said, since most insurance business segments are so fragmented, even after decades of consolidation activity, does market share even matter?
– Is a company’s business profile materially enhanced?
– Is favorable diversification gained? Is focus lost?

Does an Acquisition Make a Company a More Successful Competitor?

– Expanding distribution
– Expanding geographic coverage
– Achieving business growth, scale
– Acquiring/enhancing functional capabilities
– Increasing profits and capital

To be continued …

Need to Shift the Defense . . . and the ERM

Sports analogies are so easy.

ERM is like the defense in football.  You would no more think of fielding a football team without a defensive squad then you would think of running a financial firm without ERM.  On the football field, if a team went out without any defensive players, they would doubtless be scored upon over and over again.

A financial firm without an ERM program would experience losses that were higher than what they wanted.

The ERM program can learn something from the football defenders.  The defenders, even when they do show up,  cannot get by doing the exact same thing over and over again.  The offensive of the other team would quickly figure out that they were entirely predictable and take them apart.  The defenders need to shift and compensate for the changes in the environment and in the play of the other team.

Banks with compliance oriented static ERM programs found this out in the financial crisis.  Their ERM program consisted of the required calculation of VaR using the required methods.  If you look at what happened in the crisis, many banks did not show any increase in VaR almost right up until the markets froze.  That is because the clever people at the origination end of the banks knew exactly how the ERM folks were going to calculate the VaR and they waltzed their fancy new CDO products right around the static defense of the ERM crew at the bank.

They knew that the ERM squad would not look into the quality of the underlying credit that went into the CDOs as long as those CDOs had the AAA stamp of approval from the rating agencies.  The ERM models worked very well off of the ratings and the banks had drastically cut back on their staff of credit analysts anyway.

They also knew that the spot on the gain and loss curve where the VaR would be calculated was fixed in advance.  As long as their new creation passed the VaR test at that one point, nobody was going to look any further.

So what would the football coach do if their defense kept doing the same thing over and over while the other team ran around them all game?  Would the coach decide to play the next season without a defense?  Or would he retrain and restaff his defense with new players who would move around and adapt and shift to different strategies as the game went along.

And that is what ERM needs to do.  ERM needs to make sure that it does not get stuck in a rut.  Because any predictable rut will not work for long.  The marketplace and perhaps some within their own companies will  find a way around them and defeat their purpose.

Lessons from a Bull Market that Never Happened

This is the 10 year anniversary of the publication of the book Dow 36000. Right now, the Dow is actually below the level of the Dow of 10 years ago.

Bret Arends writes about the lessons that two market crashes might have brought to investors in the Wall Street Journal.

Here are some thoughts on his seven lessons from the point of view of a risk manager, rather than an investor.

1.  Don’t forget dividends

Dividends are the hard cash part of stock returns.  As a risk managers, we need to keep in mind the difference between the real hard cash elements of the risks that we evaluate as opposed to the models and market values.

2.  Watch Out for Inflation

Inflation creates two major concerns for a risk manager.  The first is of course the concern of whether you have taken rising costs into account properly in the evaluation of multi period risks.  The second goes the other direction.  Because of inflation, the over conservative risk manager is a danger to his organization because she might just keep the business from growing enough to keep up with inflation.  A constant cycle of cost cutting to keep costs in line is not a viable long term strategy for a company.

3.  Don’t Overestimate Long Term Stock Returns.

The risk manager needs to keep reminding management of things like this.  Once someone pointed out that long term stock market average returns, even if you got them right, were misleading anyway because some part of that long run average was built up in a period when PE grew to historical highs.  So te starting point matters.  The same logic will apply to other financial series.  The starting point matters.

4.  Volatility Matters

You have to live through the short term to get to the long term.  The fact that your firm can afford the volatility does not mean that the board will keep the same management through what seems to them to be excessive volatility.  It is only the regulators who are focused on ruin only.  Watch your volatility.  Have conversations with your board about volatility.  Understand their volatility tolerance, both on a relative and on an absolute basis.

5.  Price Matters.

Risk managers need to focus both on controlling losses and on optimizing returns on risk.  So the prices of your risks does matter.  Some would argue that you only need to get a better return for risk that the market you are in (i.e. that risk reward is purely relative to the market), but just like volatility, the risk manager needs to understand the degree to which her board cares about absolute return and how much they care about relative return.

6.  Don’t Hurry.

Even more than investing, risk management needs careful thought.  That is why risk management is so very unlikely in a bank trading area where there is tremendous pressure to keep up with the frenetic pace of the trading desks.  If you are a risk manager in any other situation, you need to learn to insist on being given enough time to get your analysis correct.  If you are that risk manager on the trading desk, that is when you must have that authority to unwind things that turn out, when you take the time, after the fact, to be much worse than advertized by the trader.

7.  Don’t Forget Your Lifeboats.

The first thing that a risk manager needs to know is the exact situations where his firm will need a life boat.  Then he has to make sure that there are enough lifeboats and finally she must carefully watch for distant signs that the storm that will swamp the ship is on the horizon.  A firm that wants to survive for the long term will give its risk manager some leeway for false alarms, so that they are sure to be ready for the real thing.

Beware the Risk Management Entertainment Systems

To shoot a gun, the proper command is “Ready, Aim, Fire.”  While the Fire part is the only active part of that sequence, it is clearly known by all that there is usually little point to simply sighting a gun without firing.  And in fact, for anyone who has ever owned a gun, there is at least some attention required to keep the gun clean and free of obstructions and the ammunition “fresh”.  I suppose that all fits into the “Ready” command.  So guns are not all about “fire,” but it would make little sense to talk about a gun without spending quite a bit of time talking about what happens when you pull the trigger.

Many firms have invested in ERM.  They have spent money on creating elaborate measurement systems; they have invested much, much management time in Identifying, Monitoring, Analyzing, Discussing, Reviewing, Evaluating, Communicating and Consulting about their risks.  They have brought this information to their boards and communicated about all of this activity to their board.

When asked what happens when there is a problem indicated by all of this activity, some of these firms would say that when a problem is found, they put it on the agenda for the next risk committee meeting, which may well recommend that a study be performed and the study would be reviewed at the next committee meeting.  The committee might then decide to move that risk to the top of the next report into the highlighted section of the report, when it will stay until the situation is resolved.

Perhaps these risk management systems are like the gun that is never fired.  It is cleaned repeatedly, new ammunition is purchased on time and the sight is checked, but the gun is just not fired.

In the ERM field, this is what can be called a Risk Management Entertainment System (RMES).  Below is a flow chart depicting a RMES.

In many cases, literature that describes ERM programs give so much attention to these components and so little to the other component that actually turns a RMES into an actual Risk Management System – the action part of ERM, that is when the risk manager pulls the trigger and actually does something.

The following picture, taken from the AS/NZ 4360 Risk Management Standard shows a complete Risk Management system.  The additional section of the chart that differentiates this from a RMES, titled here “Risk Treatment,” is the only active section of the chart.

But the picture of ERM is still dangerously misleading.  The danger is both to the firm managers who think that ACTION is just a tiny part of ERM and to the ultimate reputation of ERM.

The Risk Maangement Entertainment Systems create a very strong impression that ERM is a talking and paper shuffling activity.  A waste of scarce corporate time, resources and dollars.

ERM needs to be about action.  If in the end, ERM does not result in any changes to a firm’s treatment of risks or selection of risks, then there was no real business reason for ERM.

ERM needs to look like this: