Welcome to our RISKVIEWS blog series on the 30 Risk Culture Beliefs, a comprehensive exploration of the core principles that should guide any organization’s approach to effective risk management. Over the course of this series, we will delve deep into each belief, unpacking their significance and practical implications for businesses, especially those in high-stakes industries like finance and insurance.
Risk management is often viewed through the narrow lens of mitigation and compliance. However, these 30 Risk Culture Beliefs challenge us to see risk management as a multifaceted tool that not only safeguards but also strategically enhances organizational capabilities. From fostering a proactive risk-aware culture to aligning risk management with corporate strategy, these beliefs serve as pillars that support robust decision-making frameworks.
Each blog post in this series will focus on a single belief, breaking down how it influences organizational behavior, decision-making, and strategic planning. We aim to provide insights into how these beliefs can be integrated into the daily operations of a company, influencing everything from the boardroom to the front lines. By understanding and implementing these principles, organizations can transform their risk management practices from reactive protocols to strategic assets.
We are thinking of these beliefs as a menu, rather than as a prescription. We would not expect any one company to adopt all 30. If fact, you might find that some of them might be a little contradictory. Each company’s risk management culture will consist of a different set of choices from this list with different hierarchy of importance for the chosen beliefs within the organization. Some of the beliefs might be directed towards the entire company while others are focused towards the executive management team and some are pointed at the risk management staff and CRO.
Our journey through the 30 Risk Culture Beliefs will equip you with the knowledge to foster a culture that embraces calculated risks, promotes transparency, and improves resilience. Whether you are a risk management professional, a business leader, or just keen on enhancing your organization’s approach to risk, this series will offer valuable perspectives that can be tailored to your needs.
Join us as we explore how these foundational beliefs can shape risk-conscious strategies that not only protect but also propel organizations towards sustainable growth and stability. Stay tuned for our first post, where we will begin with the belief that “Continuous Learning is Critical to Adapting to an Evolving Risk Landscape,” setting the stage for a thoughtful and proactive approach to enterprise risk management.
For Chief Risk Officers (CROs) navigating the complex and rapidly evolving landscape of risk in financial institutions, artificial intelligence (AI) presents a suite of powerful tools to enhance decision-making, improve risk assessment, and optimize risk management processes. AI’s capabilities can significantly impact various aspects of a CRO’s job, making it a pivotal ally in addressing strategic, operational, and financial risks.
Enhanced Risk Identification and Assessment
AI can process vast amounts of data from diverse sources, including market trends, operational metrics, and social media, to identify and assess risks more efficiently than traditional methods. This capability allows CROs to detect emerging risks faster and with greater accuracy, facilitating proactive risk management. For instance, machine learning models can predict potential default risks by analyzing patterns in credit history, market conditions, and economic indicators, thereby enhancing the accuracy of credit risk assessments.
Strategic Decision Support
AI supports strategic decision-making by providing CROs with data-driven insights into risk-return trade-offs associated with different strategic choices. By simulating various scenarios and analyzing their potential impacts on the organization’s risk profile, AI helps CROs in making informed decisions that align with the company’s risk appetite and strategic objectives.
Operational Risk Management
AI can automate the monitoring of operational risks by analyzing transaction patterns, employee activities, and compliance with procedures, identifying anomalies that may indicate fraud, errors, or inefficiencies. This real-time monitoring capability enables CROs to swiftly address operational risks, reducing potential losses and improving operational resilience. Furthermore, AI-powered process automation can streamline risk management processes, enhancing efficiency and reducing the likelihood of human error.
Financial Risk Analysis
In the realm of financial risks, AI models excel at analyzing market data, economic indicators, and financial trends to forecast future market movements and assess the potential impact on the organization’s financial health. This analysis can include stress testing, value-at-risk (VaR) calculations, and sensitivity analyses, providing CROs with a comprehensive understanding of financial risks and the effectiveness of hedging strategies.
Risk Reporting and Communication
AI can also revolutionize risk reporting and communication by generating dynamic, real-time risk reports that offer insights into the current risk landscape. These reports can be tailored to different audiences, from the board of directors to operational teams, ensuring that all stakeholders have the information they need to understand and manage risks effectively.
Conclusion
For CROs, the adoption of AI in risk management offers a transformative approach to navigating the complexities of risk in the financial services industry. By enhancing risk assessment, supporting strategic decision-making, improving operational efficiency, and facilitating effective risk communication, AI enables CROs to manage risks more proactively and strategically. As the risk landscape continues to evolve, leveraging AI will be crucial for CROs aiming to foster a strong risk management culture and drive their organizations towards sustainable growth and resilience.
Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles. Smaller organizations tend to need an ERM operation with all part-timers. We will call the former “Group ERM” programs and the latter “Company ERM”.
The organizing process always begins with two roles – the senior sponsor and the risk officer. During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1]. The Executive Sponsor initiates a project and gets appropriate resources and budget for the project. The Project Manager runs the project on a day-to-day basis. During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks. When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team.
Chief Risk Officer
The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO).
The CRO differs from organization to organization, but generally have some or all of these responsibilities:
Head the Risk Management Function
Chair the Risk Committee
Report to the Board on ERM
Report to shareholders on risk and capital management
Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators
Each of these will be discussed in following sections of this chapter.
The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer. Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary.
The CRO has a wide variety of roles. First and foremost, the CRO provides leadership and vision for the organization’s ERM program. They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision. The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system. This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture. The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization. The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary.
The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance. This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital. This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital.
The CRO is the leader of value added risk management. That means using the information from the ERM system to help the growth of the firm’s risk adjusted value. That requires some version of risk-adjusted financial results for various business units, territories and/or products. The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.
The CRO is the champion for the Value Added ERM, a major part of the implementation, as well as in explaining the idea and the results to stakeholders. A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation. The CRO may be responsible to perform analysis of risk-adjusted plan proposals and act as a resource to business units for developing risk-adjusted proposals. As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.
The CRO’s wide range of responsibilities means that there is no single route to the position. A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting.
Management Risk Committee
Most organizations form one or more risk management committees with a major role in the ERM framework. There are three main reasons: To provide support and assistance for the CRO, to help keep the ERM process realistic (i.e. Intelligent ERM above); and, to direct the application of resources for ERM activities that are outside of the risk management department.
Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report. The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee.
The exact responsibilities of the Risk Committee will vary by organization. The four most common and most important responsibilities are:
Setting Risk Appetite and Tolerance
Approving Risk framework and policies
Allocating Risk Appetite & Setting Risk Limits
Setting standards for risk assessment and economic capital
The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization. This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization. Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises.
The Risk committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board. These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department. The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO. The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions. The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions. The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.
In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee. For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners. The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite.
Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented. As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required. In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered. These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable. And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic.
Other topics that may be of concern to the Risk Committee include:
Monitoring compliance with limits and policies
Reviewing risk decisions
Monitoring risk profile
Proposing risk mitigation actions
Coordinate the risk control processes
Identify emerging risks
Discussing the above with the Board of Directors as agreed
Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies. In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program.
Risk Owners
Many organizations assign a single person the responsibility for each major risk. Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].
Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most of ten should the most effective way to manage a risk.
The Risk Owner’s role varies considerably depending upon the characteristics of the risk.
Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management. That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment officers are often the owners of Investment risks. However, risk structuring, in the form of setting the terms and conditions of the insurance contract is a key risk mitigation effort, and may not be part of the Chief Underwriter role. On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area. Other risk mitigations, through reinsurance and hedging could also be within or outside of these areas. Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks are collaborative among several company officers. In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks. The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.
Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated. Often the risk owners for Operational risks are managers in various parts of the organization.
Strategic risks are usually accepted through a firm’s planning process. Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm.
The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board. This report may include:
Plans for Exposure to risk and Risk Strategy
Plans to exploit and mitigate
Changes to Exposures taken and Remaining after mitigation
Adequacy of resources to achieve plans
Risk Management Department
In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person. The CRO will gain an assistant and eventually an entire department. The risk management department serves primarily as support staff for the CRO and Risk Committee. In addition, they may also be subject matter experts on risk management to assist Risk Owners. Usually, the risk management department also compiles the risk reports for the risk committees and Board. They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.
Internal Audit
Internal Audit often has an assurance role in ERM. They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches.
If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between compliance role and advisory role of the risk management department. Compliance is the natural role of Internal Audit and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.
In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”
This approach is often coupled with a compliance role for the board audit committee.
When internal audit is involved in this manner, there is sometimes a question about the role’s scope. That question is: whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role reviewing the ERM Framework itself? To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].
CEO Role in ERM
It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board,CRO, and front line management, but not to mention any specific part for the CEO.
“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)
Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual. While his position is an extreme that is not accepted by most CEO’s of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.
For the CRO and the ERM program to be effective, the organization needs clarity on the aspects of risk management which the CEO is directly delegating his or her authority to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners. Leading up to the financial crisis of 2008, the authority for some risk decisions were not clearly delegated to either the CRO or the Risk Owners in some banks, and CEO’s remained aloof from resolving the issue[5].
[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,
[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001
[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)
[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)
[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)
Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.
When risk management is successful, there is no bell that rings. There are no fireworks. Usually, a successful risk management moment is evidenced by a lack of big surprises.
But most days, big surprises do not happen anyway.
So if risk managers want to be appreciated for their work, they have to do much more than just show up. They need to build up the story around what a very good day looks like.
One such story would be that a very good day might happen when the world experiences a major catastrophe. A catastrophe that is in the wheel house of the firm. And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
In 2011, there were major earthquakes in New Zealand, Japan and Chile. One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year. They credited that result to a risk management process that had them limiting their exposure to any one zone. A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.
With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!
“You never said that you wanted me to do that” is an answer that managers often get when they point out a shortfall in performance. And in many cases it is actually true. As a rule, some of us tend to avoid too much writing things down. And that is also true when it comes to risk management
That is where ERM policies come in. The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.
But too many people mistake a detailed procedure manual for a policy statement. Often a policy statement can be just a page or two.
For Risk Management there are several places where firms tend to “write it down”:
ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management. This policy is usually approved by the board. The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM. When an ERM program is new, this document many list many new things that are being done. Once a program is well established, it will need no more or no less documentation than other company activities. RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
Separate Risk Policies for major risk categories – almost all insurers have an investment policy. Most insurers should consider writing policies for insurance risk. Some firms decide to write operational risk policies as well. Very few have strategic risk policies.
Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
Charter for Risk Committees – Some firms have three or more risk committees. On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities. It is common at some firms for board committees to have charters. Less so for committees of company employees. These can be included in the ERM Framework, rather than as separate documents.
Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.
With written policies in place, the board can hold management accountable. The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.
Most of the people with CRO jobs are pioneers of ERM. They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.
As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function. It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.
The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors. They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.
This situation is a version of the range wars in the Wild West. The Pioneers were the folks who went West first. They overcame great hardships to fashion a life out of a wilderness. The Settlers came later and were making their way in a situation that was much closer to being already tamed.
Different skills and talents are needed for successful Pioneers than for successful Settlers. Top among them is the Settlers need to be able to get along in a situation where there are more people. The Risk departments of today are large and filled with a number of people with a wide variety of expertise.
Risk will transition from the Pioneer generation to the Settler generation of leadership. That transition will be most successful if the Pioneers can help develop their Settler successros.
But this sounds like a recipe for disaster. When everyone is responsible, often no one takes responsibility. And if everyone is responsible, how is a decision ever reached?
Everyone needs to have different responsibilities within an ERM program. So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.
And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities. Those new roles are most often called:
Risk Owners
Risk Committee Members
But there are lots and lots of ways of dishing out the partial responsibilities. RISKVIEWS suggests that there is no one right or best way to do this. But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task. (Three Lines of Defense is nice, but not really necessary. There are really only two necessary functions – doing and assurance.)
The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.
This is the Hierarchy Principle as it applies to ERM. It is one of the two or three most important principles of ERM. Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.
But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.
You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.
Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
Jerome Kerviel at Soc Gen was doing the same.
The London Whale at JP Morgan is also said to have done that.
On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board. Many people suggest that the CRO should have stopped that. But RISKVIEWS believes that the Hierarchy Principle was satisfied.
ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions. If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.
ERM does not prevent mistakes or bad judgment.
What ERM does that is new is that
it works to systematically determine the significance of all risk decisions,
it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.
ERM does not manage the firm. ERM helps management to manage the risks of the firm mainly by providing information about the risks.
So why have we not heard about this Hierarchy Principle before?
For many years, ERM have been fighting to get any traction, to have a voice. The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers. A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.
ERM now receives a major push from regulators, to a large extent from the ORSA. In writing, the regulators do not require that ERM elevate all risk decisions. But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.
Just one more way that the regulatory support for ERM will speed its demise. If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.
For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…
Transition from Evolved Risk Management to planned ERM
Comprehensive – includes ALL risks
Measurement – on a consistent basis allows ranking and…
Aggregation – adding up the risks to know total
Capital – comparing sum of risks to capital – can apply security standard to judge
Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available
Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.
Many activities that seek to be called ERM do not really satisfy ALL Key Ideas. The most common “fail” is item 2, Comprehensive. When risks are left out of consideration, that is the same as a measurement of zero. So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.
But it is quite possible to “fail” on any of the other Key Ideas.
The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.
Measurement “fails” when the tails of the risk model are not of the correct “fatness“. Risks are significantly undervalued.
Aggregation “fails” when too much independence of risks is assumed. Most often ignored is interdependence caused by common counter parties.
Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.
Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM. The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.
In fact Hierarchy Failure is the other most common reason for ERM to fail.
Risk Management is often seen as the Business Prevention Department and the Chief Risk Officer as the Wizard of NO.
But in some ways that can be seen as a glass half full, half empty sort of thing.
A major and sometimes neglected aspect of risk management relates to dealing with the planning for and execution of major changes. We call this CHANGE RISK MANAGEMENT.
If we think of the Control Cycle as the major manifestation of risk management, Change Risk Management is the special process that is followed to make sure that important new things get on to the Control Cycle without stumbling.
Many times, these changes are the future of the company. They are the new products, new distribution systems, new territories and acquisitions that will change the course of the company’s path forward.
The Change Risk management process can be performed as Business Prevention or it can be a support to the success of the company. A good Change Risk Management process will help to identify the ways that the new activity might fail or might harm the firm. If the Change Risk Management process is designed properly, the Risk Management inputs of that sort can be brought into the process in plenty of time to correct the problems that cause the concerns. In that sense, fixing those problems adds to the potential success of the company.
But if Risk Management is brought very late to the process, many people have become invested in the change as it is currently planned and any input from risk management that something might go wrong is seen as an attempt to scuttle the project.
So timing and attitude are the two things that make the Change Risk Management process something that supports the success of the company.
“We are not big enough to need ERM.” says the smaller company CEO. “So we all do it together.”
But what is everyone’s job, is no one’s responsibility. No one is held accountable for how or even whether ERM functions actually happen.
If a company wants to have ERM, then they must make assignments – assignments to individuals.
This process, these assignments, are what RISKVIEWS calls Risk Organization. Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assigning responsibility for the risk identification, measurement and management of risks.
This week’s post on the WillisWire series on ERM Practices is about Risk Organization:
Sean Ringsted is Chief Risk Officer and Chief Actuary for ACE Limited since 2008. Ringsted is responsible for the continued development and implementation of ACE’s risk management strategy and processes, and for ensuring a consistent risk management framework across the company. Ringsted also oversees all major actuarial functions, including reserving, pricing, and capital performance measurement. Ringsted’s previous roles at ACE include Chief Actuary for ACE Group from 2004 to 2008, Executive Vice President and Chief Risk Officer for ACE Tempest Re from 2002 to 2004, and Senior Vice President and Chief Actuary for ACE Tempest Re from 1998 to 2002. Mr. Ringsted holds a Bachelor of Science in biochemistry from Bristol University and a doctorate in biochemistry from Oxford University. He also is a Fellow of the Institute of Actuaries (FIA). Ringsted is also chairman of the North American CRO Council, which has been increasingly active in promoting best practice in risk management and is gaining respect from regulators and standard-setting bodies at a domestic and international level.
The Enterprise Risk Management program at ACE from their annual report.
As an insurer, ACE is in the business of profitably managing risk for its customers. Since risk management must permeate an organization conducting a global insurance business, we have an established Enterprise Risk Management (ERM) framework that is integrated into management of our businesses and is led by ACE’s senior management. As a result, ERM is a part of the day-to-day management of ACE and its operations.
Our global ERM framework is broadly multi-disciplinary and its objectives include:
support core risk management responsibilities at division and corporate levels through the identification and management of risks that aggregate and/or correlate across divisions;
identify, analyze, and mitigate significant external risks that could impair the financial condition of ACE and/or hinder its business objectives;
coordinate accumulation guidelines and actual exposure relative to guidelines, risk codes, and other risk processes;
provide analysis and maintain accumulation and economic capital and information systems that enable business leaders to make appropriate and consistent risk/return decisions;
identify and assess emerging risk issues; and
develop and communicate to our business lines consistent risk management processes
ACE’s Enterprise Risk Management Board (ERMB) reports to and assists the Chief Executive Officer in the oversight and review of the ERM framework which covers the processes and guidelines used to manage insurance risk, financial risk, strategic risk, and operational risk. The ERMB is chaired by ACE’s Chief Risk Officer and Chief Actuary. The ERMB meets at least monthly, and is comprised of ACE’s most senior executives, in addition to the Chair: the Chief Executive Officer, Chief Financial Officer, Chief Investment Officer, Chief Claims Officer, General Counsel, Chief Executive Officer for Insurance – North America, Chief Executive Officer for ACE Overseas General, and our Chief Executive Officer for Global Reinsurance.
The ERMB is provided support from various sources, including the Enterprise Risk Unit (ERU) and Product Boards. The ERU is responsible for the collation and analysis of two types of information. First, external information that provides insight to the ERMB on risks that might significantly impact ACE’s key objectives and second, internal risk aggregations from its business writings and other activities such as investments. The ERU is independent of the operating units and reports to our Chief Risk Officer and Chief Actuary. The Product Boards exist to provide oversight for products that we offer globally. A Product Board currently exists for each of the following products; property/energy, marine, casualty, professional lines, aviation, and political risk. Each Product Board is responsible for ensuring consistency in underwriting and pricing standards, identification of emerg- ing issues, and guidelines for relevant accumulations.
ACE’s Chief Risk Officer and Chief Actuary also reports to the Board’s Risk & Finance Committee, which helps execute the Board’s supervisory responsibilities pertaining to ERM. The role of the Risk & Finance Committee includes evaluation of the integrity and effectiveness of our ERM procedures and systems and information; governance on major policy decisions pertain- ing to risk aggregation and minimization, and assessment of our major decisions and preparedness levels pertaining to perceived material risks. The Audit Committee, which regularly meets with the Risk & Finance Committee, provides oversight of the financial reporting process and safeguarding of assets.
Others within the ERM structure contribute toward accomplishing ACE’s ERM objectives, including regional management, Internal Audit, Compliance, external consultants, and managers of our internal control processes and procedures.
Reinsurance Protection
As part of our risk management strategy, we purchase reinsurance protection to mitigate our exposure to losses, including catastrophes, to an acceptable level. Although reinsurance agreements contractually obligate our reinsurers to reimburse us for an agreed-upon portion of our gross paid losses, this reinsurance does not discharge our primary liability to our insureds and, thus, we ultimately remain liable for the gross direct losses. In certain countries, reinsurer selection is limited by local laws or regulations. In most countries there is more freedom of choice, and the counterparty is selected based upon its financial strength, claims settlement record, management, line of business expertise, and its price for assuming the risk transferred. In support of this process, we maintain an ACE authorized reinsurer list that stratifies these authorized reinsurers by classes of business and acceptable limits. This list is maintained by our Reinsurance Security Committee (RSC), a committee comprising senior management personnel and a dedicated reinsurer security team. Changes to the list are authorized by the RSC and recommended to the Chair of the Enterprise Risk Management Board. The reinsurers on the authorized list and potential new markets are regularly reviewed and the list may be modified following these reviews. In addition to the authorized list, there is a formal exception process that allows authorized reinsurance buyers to use reinsurers already on the authorized list for higher limits or different lines of business, for example, or other reinsurers not on the authorized list if their use is supported by compelling business reasons for a particular reinsurance program.
A separate policy and process exists for captive reinsurance companies. Generally, these reinsurance companies are established by our clients or our clients have an interest in them. It is generally our policy to obtain collateral equal to the expected losses that may be ceded to the captive. Where appropriate, exceptions to the collateral requirement are granted but only after senior management review. Specific collateral guidelines and an exception process are in place for ACE USA and Insurance – Overseas General, both of which have credit management units evaluating the captive’s credit quality and that of their parent company. The credit management units, working with actuaries, determine reasonable exposure estimates (collateral calculations), ensure receipt of collateral in an acceptable form, and coordinate collateral adjustments as and when need-
ed. Currently, financial reviews and expected loss evaluations are performed annually for active captive accounts and as needed for run-off exposures. In addition to collateral, parental guarantees are often used to enhance the credit quality of the captive.
In general, we seek to place our reinsurance with highly rated companies with which we have a strong trading relationship.
Investments
Our objective is to maximize investment income and total return while ensuring an appropriate level of liquidity, investment quality and diversification. As such, ACE’s investment portfolio is invested primarily in investment-grade fixed-income securities as measured by the major rating agencies. We do not allow leverage or complex credit structures in our investment portfolio.
The critical aspects of the investment process are controlled by ACE Asset Management, an indirect wholly-owned subsidiary of ACE. These aspects include asset allocation, portfolio and guideline design, risk management and oversight of external asset managers. In this regard, ACE Asset Management:
conducts formal asset allocation modeling for each of the ACE subsidiaries, providing formal recommendations for the portfolio’s structure;
establishes recommended investment guidelines that are appropriate to the prescribed asset allocation targets;
provides the analysis, evaluation, and selection of our external investment advisors;
establishes and develops investment-related analytics to enhance portfolio engineering and risk control;
monitors and aggregates the correlated risk of the overall investment portfolio; and
provides governance over the investment process for each of our operating companies to ensure consistency of approach and adherence to investment guidelines.
Under our guidance and direction, external asset managers conduct security and sector selection and transaction execution. This use of multiple managers benefits ACE in several ways – it provides us with operational and cost efficiencies, diversity of styles and approaches, innovations in investment research and credit and risk management, all of which enhance the risk adjusted returns of our portfolios.
ACE Asset Management determines the investment portfolio’s allowable, targeted asset allocation and ranges for each of the operating segments. These asset allocation targets are derived from sophisticated asset and liability modeling that measures correlated histories of returns and volatility of returns. Allowable investment classes are further refined through analysis of our operating environment, including expected volatility of cash flows, potential impact on our capital position, as well as regulatory and rating agency considerations.
Under the overall supervision of the Risk & Finance Committee of the Board, ACE’s governance over investment management is rigorous and ongoing. Among its responsibilities, the Risk & Finance Committee of the Board:
reviews and approves asset allocation targets and investment policy to ensure that it is consistent with our overall goals, strategies, and objectives;
reviews and approves investment guidelines to ensure that appropriate levels of portfolio liquidity, credit quality, diversification, and volatility are maintained; and
systematically reviews the portfolio’s exposures including any potential violations of investment guidelines.
We have long-standing global credit limits for our entire portfolio across the organization and for individual obligors. Exposures are aggregated, monitored, and actively managed by our Global Credit Committee, comprised of senior executives, including our Chief Financial Officer, our Chief Risk Officer, our Chief Investment Officer, and our Treasurer. Additionally, the Board has established a Risk & Finance Committee which helps execute the Board’s supervisory responsibilities pertaining to enterprise risk management including investment risk.
Within the guidelines and asset allocation parameters established by the Risk & Finance Committee, individual investment committees of the operating segments determine tactical asset allocation. Additionally, these committees review all investment- related activity that affects their operating company, including the selection of outside investment advisors, proposed asset allocations changes, and the systematic review of investment guidelines.
Do you have a clear distinction between “What’s Risk vs What’s Actuarial?” It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.
Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.
I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.
In fact, it really does depend upon the company. That is because actuarial roles are extremely broad in some companies and very narrow in others.
The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition. In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation. In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.
But Risk can be defined differently in different companies as well. In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies. Or to satisfy other requirements of the same audiences.
In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.
The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and or broad risk oversight. In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
A broadly defined Risk function in these firms will overlap most clearly with those last two roles. With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered. But there are Risk aspects of all five of the other functions listed.
Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm. This information is also used in Pricing. And should be a main part of the information needed to evaluate the risks of the firm. Which makes this area of high importance to Risk.
Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago. But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.
Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function. The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function. The development of a new Risk function in these firms can be interpreted as Actuarial losing influence. This perception would add to the conflict and to the confusion. Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial. Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.
At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer. The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities. In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.
I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you chose the consulting risk management side over more of a singular corporation risk management position?” My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go. Daniel Gable
Daniel, some Risk Management career paths are very new. New enough that there are not yet any people who entered the field out of college and who are now in retirement. Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs. But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership. Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management. So their senior staff positions will have some people who also did not start out in a risk management career.
RISKVIEWS’ perspective is that risk management will be best served if a balance of highly trained risk management specialists along with a significant number of people with broader business perspectives and especially experiences working in the areas where the risk is taken on.
The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.
WARNING: SPORTS ANALOGY AHEAD
The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions. There are an extremely small number of players who can excel at either offense or defense. Most players in most sports are much better at one or the other. Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.
But only some risk management work can be accomplished by highly technically competent trained risk managers. Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong. To get this experience, one needs to have lived in the business, understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in. This is all experience that is very difficult to get working from within the risk management program.
At the top of the risk management system is a Chief Risk Officer. Like most senior executives, this person will need a high degree of leadership/managerial/political skills. Perhaps much more so than most of the people who work in the risk management program. In the last year or so, there have been a steady stream of bank CROs moving to CEO positions. So in many places, it is a position with a serious future.
Finally, Daniel asked about consulting vs. working inside a company? First of all, many consulting firms hire few if any entry level people. They usually look to find people with at least a few years of experience inside of the firms that they are likely to consult for. Once you have enough experience to have a choice, the option is for breadth vs. depth. RISKVIEWS has over ten years of experience in both situations. Inside of a company, a person may get the chance to develop a deep understanding of one or several aspects of the company operations. Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well. Many corporate jobs are also in a fixed location, so that people who have strong reasons to want to be home most nights would prefer that. While there is some uncertainty about continuation of corporate jobs, many jobs are secure for a decade or more at a time. Consulting positions on the other hand provide the person to get a very broad perspective on the many different ways that things are being done in the industry. Consulting often offers the possibility of doing different work without it having a significant impact on career path. Consultants often travel, some a little and most quite a bit. An advantage for some and a big disadvantage for others. Consulting work is insecure, often it is unknown what work a consultant will be doing in six months. Some people are very excited by the variety and uncertainty of consulting work. Consultants need to have excellent communications skills, especially the “client facing” consultants.
In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar. A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.
Daniel is studying Finance as well as Risk Management. RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.
In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.
What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO. If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.
It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.
CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company. In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.
The American Banker has a new column on risk management. The first article is here. Clifford Rossi makes some good points about the JP Morgan story. But Riskviews takes issue with one point that he makes…
The paradigm of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same, losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Sterns and Lehman, folks who were involved all say that it was just a liquidity issue. If they just had a little more funds, they would have made the trades that would have brought the firm back.
The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.
Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand and are fully aware and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require to be notified about others.
In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.
However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager. The loss that resulted would be a decision that did not work out as intended, not even necessarily a bad decision. All decisions do not work out well. And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.
If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.
Just watch Demi Moore get fired in Margin Call. She said that she had sounded the alarm about the risky trades that were the main topic of the film a year ago. But her warnings were obviously not heeded and when things turned out poorly as she had warned, she was fired as the scapegoat.
Just read the stories about the two Chief Risk Officers at MF Global. Both of them sounded alarms about the trades that eventually bankrupted the firm. Roseman left over the issue. Stockman is testifying to Congress about exactly when he determined that the trades were too risky.
A House committee is expected to disclose on Thursday that MF Global, under Jon S. Corzine, stripped critical powers from its top executive in charge of controlling risk, according to a person briefed on the matter. NYTimes
Riskview suggests that they have it all wrong. Corzine is the one who is responsible for the risk management of MF Global. No one is suggesting that Corzine was ill served by his CRO. Instead, the discussion suggests that the board should have listened to the CRO and not the CEO. Easy to say in hindsight. But in fact, the CRO is an agent of the CEO. If the board sets up the CRO as their agent within the firm who can trump the CRO, then the board is overstepping its role. If the board does not like what the COE is doing, the board has the responsibility to replace the CEO.
If the board wants to know more about the risk of the firm than the CEO wants to tell, then the board should not be going around the CEO to people who work for the CEO.
Congress should be talking to the board members who repeatedly approved Corzine’s decisions. The CRO is now being used as a scapegoat by the board and by congress.
The position of CRO at a firm that does fail is even more perilous than usual for that position. When the firm fails or comes close to failure, the CRO can become the scapegoat for failure to act. And the fact that the CRO did not have the authority, does not change that process at all.
That is because there is a myth that the CRO is in charge of preventing bad things from happening. That is not the case.
The CRO job is to make sure that management has the tools and the people and the information to prevent bad things from happening. Only if the CRO is set up as someone with MORE authority in the organization than the CEO should the CRO be held responsible when bad things that they did warn about do happen.
Riskviews 