Guide to ERM: Risk Limits and Controls

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.

Photo by Ann H on Pexels.com

The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

1. Identify Risks – Choose which risks are the key controllable risks of the company
2. Assess – Examine what are the elements of the risks that need (or can be) controlled
3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
4. Take Risks – Conduct the primary function of an insurance company
5. Mitigate – Take actions to keep the risks within limits
6. Monitor – Determine how risk positions compare to limits and report
7. Respond – Decide what actions to take if risk levels are significantly different from plan

Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

• Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
• Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
• Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
• Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
• Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
• Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
• Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
• Assess risks: And the cycle starts again

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Advertisement

Hierarchy Principle of Risk Management

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

• Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
• Jerome Kerviel at Soc Gen was doing the same.
• The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

1. it works to systematically determine the significance of all risk decisions, 
2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM have been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Reviewing the Risk Environment

The new US Actuarial Standards of Practice 46 and 47 suggest that the actuary needs to assess the risk environment as a part of risk evaluation and risk treatment professional services. The result of that evaluation should be considered in that work.

And assessment of the risk environment would probably be a good idea, even if the risk manager is not a US actuary.
But what does it mean to assess the risk environment?  One example of a risk environment assessment can be found on the OCC website.  They prepare a report titled “Semi Annual Risk Perspective“.

This report could be a major source of information, especially for Life Insurers, about the risk environment.  And for Non-Life carriers, the outline can be a good road map of the sorts of things to review regarding their risk environment.

Part I: Operating Environment

• Slow U.S. Economic Growth Weighs on Labor Market
• Sluggish European Growth Also Likely to Weigh on U.S. Economic Growth in Near Term
• Treasury Yields Remain Historically Low
• Housing Metrics Improved
• Commercial Real Estate Vacancy Recovery Uneven Across Property Types

Part II: Condition and Performance of Banks.

A. Profitability and Revenues: Improving Slowly..

• Profitability Increasing .
• Return on Equity Improving, Led by Larger Banks .
• Fewer Banks Report Losses
• Noninterest Income Improving for Large and Small Banks.
• Trading Revenues Return to Pre-Crisis Levels
• Counterparty Credit Exposure on Derivatives Continues to Decline ………….
• Low Market Volatility May Understate Risk
• Net Interest Margin Compression Continues..

B. Loan Growth Challenges

• Total Loan Growth: C&I Driven at Large Banks; Regionally Uneven for Small Banks….

• Commercial Loan Growth Led by Finance and Insurance, Real Estate, and Energy …

• Residential Mortgage Runoff Continues, Offsetting Rising Demand for Auto and Student Loans………….

C. Credit Quality: Continued Improvement, Although Residential Real Estate Lags

• Charge-Off Rates for Most Loan Types Drop Below Long-Term Averages
• Shared National Credit Review: Adversely Rated Credits Still Above Average Levels .
• Significant Leveraged Loan Issuance Accompanied by Weaker Underwriting.
• New Issuance Covenant-Lite Leveraged Loan Volume Surges .
• Commercial Loan Underwriting Standards Easing .
• Mortgage Delinquencies Declining, but Remain Elevated.
• Auto Lending Terms Extending ..

Part III: Funding, Liquidity, and Interest Rate Risk

• Retention Rate of Post-Crisis Core Deposit Growth Remains Uncertain
• Small Banks’ Investment Portfolios Concentrated in Mortgage Securities
• Commercial Banks Increasing Economic Value of Equity Risk

Part IV: Elevated Risk Metrics

• VIX Index Signals Low Volatility…
• Bond Volatility Rising but Near Long-Term Average
• Financials’ Share of the S&P 500 Rising but Remains Below Average
• Home Prices Rising .
• Commercial Loan Delinquencies and Losses Decline to Near or Below Average ..
• Credit Card Delinquencies and Losses Near Cyclical Lows .

Part V: Regulatory Actions

• Banks Rated 4 or 5 Continue to Decline
• Matters Requiring Attention Gradually Decline
• Enforcement Actions Against Banks Slow in 2013

For those who need a broader perspective, the IMF regularly publishes a report called World Economic Output.  That report is much longer but more specifically focused on the general level of economic activity.  Here are the main chapter headings:

Chapter 1. Global Prospects and Policies

Chapter 2. Country and Regional Perspectives

Chapter 3. Dancing Together? Spillovers, Common Shocks, and the Role of Financial and Trade Linkages

Chapter 4. The Yin and Yang of Capital Flow Management: Balancing Capital Inflows with Capital outflows

The IMF report also includes forecasts, such as the following:

 

The Cost of Risk Management

PNC Chairman and Chief Executive Officer James E. Rohr is quoted in the Balitomore Sun as saying that Dodd Frank would raise costs and that those costs would ultimately be passed along to the customers.

Now Riskviews is not trying to suggest that Dodd Frank is necessarily good risk management.

But risk management, like regulation, usually has a definite cost and indefinite benefits.

The opponents of Dodd Frank, like the opponents of risk management will always point to those sure costs and a reason not to do regulations or risk management.

But with Dodd Frank, looking backwards, it is quite easy to imagine that more regulation of banks could have a pennies to millions cost – benefit relationship.  The cost of over light regulation of the banks was in the trillions in terms of the losses in the banks plus the bailout costs to the government PLUS the costs to the economy.  Everyone who has lost a job or lost profits or lost bonuses or who will ultimately pay for the government deficit that resulted from the decreased economic activity have or will pay the cost of underregulated banks.

The same sort of argument can be made for risk management.  The cost of good risk management is usually an increase to costs or a decrease to revenues in good times.  This is offset by a reduction to losses that might have been incurred in bad times.  This is a view that is REQUIRED by our accounting systems.  A hedge position MUST be reported as something with lower revenues than an unhedged position.  Lack of Risk Management is REQUIRED to be reported as superior to good risk management except when a loss occurs.

Unless and until someone agrees to a basis for reporting risk adjusted financials, this will be the case.

Someone who builds a factory on cheap land by the river that floods occasionally but who does not insure their factory MUST report higher profits than the firm next door that buys expensive flood insurance, except in the year that the flood occurs.

A firm that operates in a highly regulated industry may look less profitable than a firm that is able to operate without regulation AND that is able to shed most of their extreme losses to the government or to third parties.

Someone always bears those risk costs.  But it is a shame when someone like Rohr tries to make that look as if the cost of regulation are the only possible costs.

Risk Management Success

Many people struggle with clearly identifying how to measure the success of their risk management program.

But they really are struggling with is either a lack of clear objectives or with unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the join responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieve diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one that they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Second Step to a New ERM Program

Everyone knows the first step – Identify your risks.

But what should you do SECOND?  The list of ERM practices is long.  Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.

And you want to make sure that you avoid Brick Walls and Touring Bikes.

But the Second Step is not a practice of ERM.  The Second Step is to identify the motivation for risk management.  As mentioned in another post, there are three main motivations:  Compliance, Capital Adequacy and Decision making.

If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.

If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.

If Decision making is the motivation, then the process becomes somewhat more involved.  Start with identifying the risk attitude of the firm.  Knowing the risk attitude of the firm, the risk management strategy can then be selected.  Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.

This process has been described in the post Risk Attitudes and the New ERM Program.

But knowing the motivation is key.  A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM.  They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..

And then hit a brick wall.

That is because they did not clearly identify the motivation for their appointment to be the risk management officer.  The term ERM actually means something totally different to different folks.  Usually one of the three motivations:  Compliance, Capital Adequacy, or Decision Making.

A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices.  A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement.  Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.

The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.

Most modern cruise ships feature the following facilities:

• Casino – Only open when the ship is in open sea
• Spa
• Fitness center
• Shops – Only open when ship is in open sea
• Library
• Theatre with Broadway style shows
• Cinema
• Indoor and/or outdoor swimming pool
• Hot tub
• Buffet restaurant
• Lounges
• Gym
• Clubs

Keep that contrast in mind when you are making your plans for a new ERM system.

Liquidity Risk Management for a Bank

A framework for estimating liquidity risk capital for a bank

From Jawwad Farid

Capital estimation for Liquidity Risk Management is a difficult exercise. It comes up as part of the internal liquidity risk management process as well as the internal capital adequacy assessment process (ICAAP). This post and the liquidity risk management series that can be found at the Learning Corporate Finance blog suggests a framework for ongoing discussion based on the work done by our team with a number of regional banking customers.

By definition banks take a small Return on asset (1% – 1.5%) and use leverage and turnover to scale it to a 15% – 18% Return on Equity. When market conditions change and a bank becomes the subject of a name crisis and a subsequent liquidity run, the same process becomes the basis for a death chant for the bank.  We try to de-lever the bank by selling assets and paying down liabilities and the process quickly turns into a fire sale driven by the speed at which word gets out about the crisis.

Figure 1 Increasing Cash Reserves

Reducing leverage by distressed asset sales to generate cash is one of the primary defense mechanisms used by the operating teams responsible for shoring up cash reserves. Unfortunately every slice of value lost to the distressed sale process is a slice out of the equity pool or capital base of the bank. An alternate mechanism that can protect capital is using the interbank Repurchase (Repo) contract to use liquid or acceptable assets as collateral but that too is dependent on the availability of un-encumbered liquid securities on the balance sheet as well as availability of counterparty limits. Both can quickly disappear in times of crisis. The last and final option is the central bank discount window the use of which may provide temporary relief but serves as a double edge sword by further feeding the name and reputational crisis.  While a literature review on the topic also suggest cash conservation approaches by a re-alignment of businesses and a restructuring of resources, these last two solutions assume that the bank in question would actually survive the crisis to see the end of re-alignment and re-structuring exercise.

Liquidity Reserves: Real or a Mirage

A questionable assumption that often comes up when we review Liquidity Contingency Plans is the availability or usage of Statutory Liquidity and Cash Reserves held for our account with the Central Bank.  You can only touch those assets when your franchise and license is gone and the bank has been shut down. This means that if you want to survive the crisis with your banking license intact there is a very good chance that the 6% core liquidity you had factored into your liquidation analysis would NOT be available to you as a going concern in times of a crisis. That liquidity layer has been reserved by the central bank as the last defense for depositor protection and no central bank is likely to grant abuse of that layer.

Figure 2 Liquidity Risk and Liquidity Run Crisis

As the Bear Stearns case study below illustrate the typical Liquidity crisis begins with a negative event that can take many shapes and forms. The resulting coverage and publicity leads to pressure on not just the share price but also on the asset portfolio carried on the bank’s balance sheet as market players take defensive cover by selling their own inventory or aggressive bets by short selling the securities in question. Somewhere in this entire process rating agencies finally wake up and downgrade the issuer across the board leading to a reduction or cancellation of counterparty lines.  Even when lines are not cancelled given the write down in value witnessed in the market, calls for margin and collateral start coming in and further feed liquidity pressures.

What triggers a Name Crisis that leads to the vicious cycle that can destroy the inherent value in a 90 year old franchise in less than 3 months.  Typically a name crisis is triggered by a change in market conditions that impact a fundamental business driver for the bank. The change in market conditions triggers either a large operational loss or a series of operation losses, at times related to a correction in asset prices, at other resulting in a permanent reduction in margins and spreads.  Depending on when this is declared and becomes public knowledge and what the bank does to restore confidence drives what happens next. One approach used by management teams is to defer the news as much as possible by creative accounting or accounting hand waving which simply changes the nature of the crisis from an asset price or margin related crisis to a much more serious regulatory or accounting scandal with similar end results.

Figure 3 What triggers a name crisis?

The problem however is that market players have a very well established defensive response to a name crisis after decades of bank failures. Which implies that once you hit a crisis the speed with which you generate cash, lock in a deal with a buyer and get rid of questionable assets determined how much value you will lose to the market driven liquidation process. The only failsafe here is the ability of the local regulator and lender of last resort to keep the lifeline of counterparty and interbank credit lines open.  As was observed at the peak of the crisis in North America, UK and a number of Middle Eastern market this ability to keep market opens determines how low prices will go, the magnitude of the fire sale and the number of banks that actually go under.

Figure 4 Market response to a Name Crisis and the Liquidity Run cycle.

The above context provides a clear roadmap for building a framework for liquidity risk management. The ending position or the end game is a liquidity driven asset sale. A successful framework would simply jump the gun and get to the asset sale before the market does. The only reason why you would not jump the gun is if you have cash, a secured contractually bound commitment for cash, a white knight or any other acceptable buyer for your franchise and an agreement on the sale price and shareholders’ approval for that sale in place.  If you are missing any of the above, your only defense is to get to the asset sale before the market does.

The problem with the above assertion is the responsiveness of the Board of directors and the Senior executive team to the seriousness of the name crisis. The most common response by both is a combination of the following

a)     The crisis is temporary and will pass. If there is a need we will sell later.

b)    We can’t accept these fire sale prices.

c)     There must be another option. Please investigate and report back.

This happens especially when the liquidity policy process was run as a compliance checklist and did not run its full course at the board and executive management level.  If a full blown liquidity simulation was run for the board and the senior management team and if they had seen for themselves the consequences of speed as well as delay such reaction don’t happen. The board and the senior team must understand that illiquid assets are equivalent of high explosives and delay in asset sale is analogous to a short fuse. When you combine the two with a name crisis you will blow the bank irrespective of its history or the power of its franchise. When the likes of Bear, Lehman, Merrill, AIG and Morgan failed, your bank and your board is not going to see through the crisis to a different and pleasant fate.

(more…)

ERM News comes in Threes

There are three news items about changes to approach by two rating agencies and a regulator.

1. AM Best announced that they were adding two pages of ERM questions to their Supplemental Ratings Questionnaire (SRQ)
2. S&P announced that they are now going forward with reviewing internal capital models for consideration in their view of capital adequacy.
3. The IAIS has adopted an Insurance Core Principal (ICP 16) that requires that all insurance regulators adopt requirements that insurers should perform an Own Risk and Solvency Assessment (ORSA) and the NAIC will be starting to announce their plans for compliance with this in mid-February.

The place for insurers to stand and ignore ERM is shrinking quickly.

But Riskviews has noticed that when you talk people in the insurance industry about ERM, there are at least three different topics that they think about:

• Economic Capital Modeling – a large fraction of people think that ERM means Economic Capital modeling.  So when they hear that rating agency or regulator wants to hear about ERM, they might say that they do not have one, so there is nothing to talk about.  The S&P announcement confirms their belief.  They read the Best SRQ questions and only see the spots that require numbers, completley ignoring as unimportant the parts about culture.
• Compliance with rating agency or regulatory requirements.  These three news items are strong motivators for those who think that ERM is compliance.  These folks had heard AM Best asking about ERM, but saw no outcome from that process so they eventually lost interest in ERM themselves.  Now they are back to being interested.  The ORSA idea is confusing to these folks, because they already are doing their compliance regarding capital adequacy.  The ORSA seems like redundant regulation to them.  They do not see the shift of responsibility from the regulator to the board and management that is fundamental to the ORSA idea.
• Management decision making.  These firms are using ERM to enhance their decision making processes.  They hear these announcements and are annoyed at the additional distraction from the real risk management.  Some of them will not change what they are doing at all to enhance their “score” with the rating agencies or regulators.  There is too much of the firm;s real value at stake to risk changing their risk management program to suit these outsiders who do not know much about the company or its risks.

The news comes in threes and the reactions comes in threes as well.

Global Convergence of ERM Requirements in the Insurance Industry

Role of Own Risk and Solvency Assessment in Enterprise Risk Management

Insurance companies tend to look backwards to see if there was enough capital for the risks that were present then. It is important for insurance companies to be forward looking and assess whether enough capital is in place to take care risks in the future. Though it is mandatory for insurance firms to comply with solvency standards set by regulatory authorities, what is even more important is the need for top management to be responsible for certifying solvency. Performing Own Risk and Solvency Assessment (ORSA) is the key for the insurance industry.

• Global Convergence of ERM Regulatory requirements with NAIC adoption of ORSA regulations
• Importance of evaluating Enterprise Risk Management for ORSA
• When to do an ORSA and what goes in an ORSA report?
• Basic and Advanced ERM Practices
• ORSA Plan for Insurers
• Role of Technology in Risk Management

Join this MetricStream webinar

Date: Wednesday February 16, 2011
Time: 10 am EST | 4 pm CET | 3pm GMT
Duration: 1 hour

Death by Solvency

Another great post by  Maggid.

It seems that Solvency II is perfectly designed to reproduce the conditions that led US banks to believe that they were impervious to risks.  They and the regulators believed that they knew what they were doing with regard to Risks and Risk Management.

In 2004, the US Federal Reserve allowed investment banks to cut their capital levels by 2/3, tripling their potential leverage!  Not to worry, they knew how to manage risk.

European insurers are all being told that they need to have economic capital models to manage risks.  A few firms have had these models for more than five years now.  Those models tell us that those firms can reduce their capital by a third or more.

But everyone leaves out of their thinking two important things that will always happen.

The first is called the Peltzman effect by economists.  John Adams calls it the Risk Thermostat effect.  In both cases, it means that when people feel risk decreasing due to safety measures, they often respond by increasing the riskiness of their behaviors.  So the success of Solvency II will make some firms feel safer and some of them will take additional risks because of that.

The second effect is what I call the Law of Risk and Light.  That says that you will accumulate risks wherever you are not looking out for them.  So anywhere that there is a flaw in the Economic Capital model, the activity that accentuates that flaw will look like the best, most desirable business to be in.

But read Maggid’s post.  He provides some actual analysis to support his argument.

Window Dressing

The Wall Street Journal reported today that banks are again very actively doing significant amounts of end out the quarter clean-up that is otherwise known as “window dressing“.

This is a practice that works well, allowing banks to hold capital (figured on their quarter end balance sheets) that is much lower than the risk levels that they are using to create their profits.  This makes them look safer to investors in addition to boosting their ROE.

And while it probably is within the rules of Basel II, it violates the underlying idea behind Pillar 1 and Pillar 3.

The idea behind Pillar 1 is that the banks should hold capital for their risks.  This window dressing practice clearly illustrates one of the major logical flaws in the application of Pillar 1.

To understand the flaw, you need to think for a minute about what the capital is for.  It is not actually for the risks that the bank held during the quarter, nor is it mostly for the risks that happen to be on the balance sheet as of the end of the quarter.  It is primarily to protect the bank in the event of losses form the risks that the banks will be exposed to during the next quarter.  The beginning of quarter balance sheet is being used as a proxy for the risks over the coming quarter.

For a firm that has a highly disciplined risk management process, it would actually make more sense for the firm to hold capital for the RISK LIMITS that it has extended for the coming quarter.  That would be a firm where you could rely upon them to keep their risks within their risk limits for the most part. This makes more sense than holding capital for some arbitrary point in time.  The window dressing proves that point better than any possible theoretical argument.  Besides being the wrong idea, it is subject to easy manipulation.

For firms that are not disciplined in keeping their risks within their risk limits, something higher than the level of capital on their risk limits would be the logical level.  For these firms it would make sense to keep track of the degree to which they exceed their limits (at maximum) and charge them for capital at a level above that.  Say for example 200%.  So if a firm exceeds its risk limits by 10% at maximum in a quarter, their capital for the next quarter would be 120% of the capital needed to support their risk limits for the following quarter.

This check on risk discipline would have several benefits.  It moves the easy possibility of manipulation away from the capital level.  The “legal” window dressing would have to be replaced by fraudulent manipulation of risk reports to fix the capital level.  In addition, disclosure of the degree to which a bank exceeds its risk limit could be disclosed under Pillar 3 and then investors and counterpraties could give their reaction to a bank that cannot control its risks exposures.

In addition, this same logic could be applied to insurers under Solvency II.  There is no reason why insurance regulators need to follow the flawed logic of the banking regulators.

Addendum:  Above I say that the window dressing works well.  That is only partly true.  Sometimes, it does not work at all.  And banks can become stuck with risks and losses from those risks that are far larger than what they had been disclosing.  That happens when markets freeze up.

You see, if many banks are doing the same sorts of window dressing, they all run the risk that there will be too many sellers and not enough buyers for those couple of days at the end of the quarter.  Or maybe just for that one night.  And the freeze is likeliest when the losses are about tho strike.

So in reality, window dressing is not a good plan if you believe that things can ever go poorly.

Will History Repeat?

In the 1980’s a dozen or more firms in the US and Canadian Life Insurance sector created and used what were commonly called required surplus systems.  Dale Hagstrom wrote a paper that was published in 1981, titled Insurance Company Growth .  That paper described the process that many firms used of calculating what Dale called Augmented Book Profits.  An Augmented Book Profit later came to be called Distributable Earnings in insurance company valuations.  If you download that paper, you will see on page 40, my comments on Dale’s work where I state that my employer was using the method described by Dale.

In 1980, in the first work that I was able to affix my newly minted MAAA, I documented the research into the risks of Penn Mutual Life Insurance Company that resulted in the recommendation of the Required Surplus, what we would now call the economic capital of the firm.  By the time that Dale’s paper was published in 1981, I had documented a small book of memos that described how the company would use a capital budgeting process to look at the capital utilized by each line of business and each product.  I was the scribe, the ideas come mostly from the Corporate Actuary, Henry B. Ramsey. We created a risk and profit adjusted new business report that allowed us to show that with each new product innovation, our agents immediately shifted sales into the most capital intensive or least profitable product.  It also showed that more and more capital was being used by the line with the most volatile short term profitability.  Eventually, the insights about risk and return caused a shift in product design and pricing that resulted in a much more efficient use of capital.

Each year, throughout the 1980’s, we improved upon the risk model each year, refining the methods of calculating each risk.  Whenever the company took on a new risk a committee was formed to develop the new required surplus calculation for that risk.

In the middle of the decade, one firm, Lincoln National, published the exact required surplus calculation process used by their firm in the actuarial literature.

By the early 1990’s, the rating agencies and regulators all had their own capital requirements built along the same lines.

AND THEN IT HAPPENED.

Companies quickly stopped allocating resources to the development and enhancement of their own capital models.  By the mid-1990’s, most had fully adopted the rating agency or regulatory models in the place of their own internal models.

When a new risk came around, everyone looked into how the standard models would treat the new risk.  It was common to find that the leading writers of a new risk were taking the approach that if the rating agency and regulatory capital models did not assess any capital to the new risk, then there was NO RISK TO THE FIRM.

Companies wrote more and more of risks such as the guaranteed minimum benefits for variable annuities and did not assess any risk capital to those risks.  It took the losses of 2001/2002 for firms to recognize that there really was risk there.

Things are moving rapidly in the direction of a repeat of that same exact mistake.  With the regulators and rating agencies more and more dictating the calculations for internal capital models and proscribing the ERM programs that are needed, things are headed towards the creation of a risk management regime that focuses primarily on the management of regulatory and rating agency perception of risk management and away from the actual management of risks.

This is not what anyone in the risk management community wants.  But once the regulatory and rating agency visions of economic capital and ERM systems are fully defined, the push will start to limit activity in risk evaluation and risk management to just what is in those visions – away from the true evaluation of and management of the real risks of the firm.

It will be clear that it is more expensive to pursue the elusive and ever changing “true risk” than to satisfy the fixed and closed ended requirements that anyone can read.  Budgets will be slashed and people reassigned.

The Use Test – A Simple Suggestion

Many are concerned about what the “Use Test” will be. Will it be a pop quiz or will companies be allowed to study?

Well, I have a suggestion for a simple and, I believe, fairly foolproof test. That would be for top management (not risk management or modeling staff) to be able to hold a conversation about their risk profile each year.

Now the first time that they can demonstrate that would not be the “Use Test”. It would be the second or third time that would constitute the test.

The conversation would be simple. It would involve explaining the risk profile of the firm – why the insurer is taking each of the major risks, what do they expect to get out of that risk exposure and how are they making sure that the potential losses that they experience are not worse than represented by their risk model. This discussion should include recognition of gross risk before offsets as well as net retained risk.

After the first time, the discussion would include an explanation of the reasons for the changes in the risk profile – did the profile change because the world shifted or did it change due to a deliberate decision on the part of management to take more or less or to retain more or less of a risk.

Finally a third part of the discussion would be to identify the experience of the past year in terms of its likelihood as predicted by the model and the degree to which that experience caused the firm to recalibrate its view of each risk.

To pass the test, management would merely need to have a complete story that is largely consistent from year to year.

Those who fail the test would be making large changes to their model calibration and their story from year to year – stretching to make it look like the model information was a part of management decisions.

Some firms who might have passed before the crisis who should have failed were firms who in successive years told the same story of good intentions with no actions in reducing outsized risks.

For firms who are really using their models, there will be no preparation time needed for this test. Their story for this test will be the story of their firm’s financial management.

Ideally, I would suggest that the test be held publicly at an investor call.

Risk Management in 2009 – Reflections

Perhaps we will look back at 2009 and recall that it is the turning point year for Risk Management.  The year that boards ans management and regulators all at once embraced ERM and really took it to heart.  The year that many, many firms appointed their first ever Chief Risk Officer.  They year when they finally committed the resources to build the risk capital model of the entire firm.

On the other hand, it might be recalled as the false spring of ERM before its eventual relegation to the scrapyard of those incessant series of new business management fads like Management by Objective, Managerial Grid, TQM, Process Re-engineering and Six Sigma.

The Financial Crisis was in part due to risk management.  Put a helmet on a kid on a bicycle and they go faster down that hill.  And if the kid really doesn’t believe in helmets and they fail to buckle to chin strap and the helmet blows off in the wind, so much the better.  The wind in the hair feels exhilarating.

The true test of whether the top management is ready to actually DO risk management is whether they are expecting to have to vhange some of their decisions based upon what their risk assessment process tells them.

The dashboard metaphor is really a good way of thinking about risk management.  A reasonable person driving a car will look at their dashboard periodically to check on their speed and on the amount of gas that they have in the car.  That information will occasionally cause them to do something different than what they might have otherwise done.

Regulatory concentration on Risk Management is. on the whole, likely to be bad for firms.  While most banks were doing enough risk management to satisfy regulators, that risk management was not relevant to stopping or even slowing down the financial crisis.

Firms will tend to load up on risks that are not featured by their risk assessment system.  A regulatory driven risk management system tends to be fixed, while a real risk management system needs to be nimble.

Compliance based risk management makes as much sense for firms as driving at the speed limit regardless of the weather, road conditions or the conditions of the car’s breaks and steering.

Many have urged that risk management is as much about opportunities as it is about losses.  However, that is then usually followed by focusing on the opportunities and downplaying the importance of loss controlling.

Preventing a dollar of loss is just as valuable to the firm as adding a dollar of revenue.  A risk management loss controlling system provides management with a methodology to make that loss prevention a reliable and repeatable event.  Excess revenue has much more value if it is reliable and repeatable.  Loss control that is reliable and repeatable can have the same value.

Getting the price right for risks is key.  I like to think of the right price as having three components.  Expected losses.  Risk Margin.  Margin for expenses and profits.  The first thing that you have to decide about participating in a market for a particular type of risk is whether the market in sane.  That means that the market is realistically including some positive margin for expenses and profits above a realistic value for the expected losses and risk margin.

Most aspects of the home real estate and mortgage markets were not sane in 2006 and 2007.  Various insurance markets go through periods of low sanity as well.

Risk management needs to be sure to have the tools to identify the insane markets and the access to tell the story to the real decision makers.

Finally, individual risks or trades need to be assessed and priced properly.  That means that the insurance premium needs to provide a positive margin for expenses and profits above the realistic provision for expected losses and a reasonable margin for risk.

There were two big hits to insurers in 2009.  One was the continuing problems to AIG from its financial products unit.  The main lesson from their troubles ought to be TANSTAAFL.  There ain’t no such thing as a free lunch.  Selling far out of the money puts and recording the entire premium as a profit is a business model that will ALWAYS end up in disaster.

The other hit was to the variable annuity writers.  In their case, they were guilty of only pretending to do risk management.  Their risk limits were strange historical artifacts that had very little to do with the actual risk exposures of the firm.  The typical risk limits for a VA writer were very low risk retained from equities if the potential loss was due to an embedded guarantee and no limit whatsoever for equity risk that resulted in drops in basic M&E revenue.  A typical VA hedging program was like a homeowner who insured every item of his possessions from fire risk, but who failed to insure the house!

So insurers should end the year of 2009 thinking about whether they have either of those two problems lurking somewhere in their book of business.

Are there any “far out of the money” risks where no one is appropriately aware of the large loss potential ?

Are there parts of the business where risk limits are based on tradition rather than on risk?

Have a Happy New Year!

The Future of Risk Management – Conference at NYU November 2009

Some good and not so good parts to this conference.  Hosted by Courant Institute of Mathematical Sciences, it was surprisingly non-quant.  In fact several of the speakers, obviously with no idea of what the other speakers were doing said that they were going to give some relief from the quant stuff.

Sad to say, the only suggestion that anyone had to do anything “different” was to do more stress testing.  Not exactly, or even slightly, a new idea.  So if this is the future of risk management, no one should expect any significant future contributions from the field.

There was much good discussion, but almost all of it was about the past of risk management, primarily the very recent past.

Here are some comments from the presenters:

• Banks need regulator to require Stress tests so that they will be taken seriously.
• Most banks did stress tests that were far from extreme risk scenarios, extreme risk scenarios would not have been given any credibility by bank management.
• VAR calculations for illiquid securities are meaningless
• Very large positions can be illiquid because of their size, even though the underlying security is traded in a liquid market.
• Counterparty risk should be stress tested
• Securities that are too illiquid to be exchange traded should have higher capital charges
• Internal risk disclosure by traders should be a key to bonus treatment.  Losses that were disclosed and that are within tolerances should be treated one way and losses from risks that were not disclosed and/or that fall outside of tolerances should be treated much more harshly for bonus calculation purposes.
• Banks did not accurately respond to the Spring 2009 stress tests
• Banks did not accurately self assess their own risk management practices for the SSG report.  Usually gave themselves full credit for things that they had just started or were doing in a formalistic, non-committed manner.
• Most banks are unable or unwilling to state a risk appetite and ADHERE to it.
• Not all risks taken are disclosed to boards.
• For the most part, losses of banks were < Economic Capital
• Banks made no plans for what they would do to recapitalize after a large loss.  Assumed that fresh capital would be readily available if they thought of it at all.  Did not consider that in an extreme situation that results in the losses of magnitude similar to Economic Capital, that capital might not be available at all.
• Prior to Basel reliance on VAR for capital requirements, banks had a multitude of methods and often used more than one to assess risks.  With the advent of Basel specifications of methodology, most banks stopped doing anything other than the required calculation.
• Stress tests were usually at 1 or at most 2 standard deviation scenarios.
• Risk appetites need to be adjusted as markets change and need to reflect the input of various stakeholders.
• Risk management is seen as not needed in good times and gets some of the first budget cuts in tough times.
• After doing Stress tests need to establish a matrix of actions that are things that will be DONE if this stress happens, things to sell, changes in capital, changes in business activities, etc.
• Market consists of three types of risk takers, Innovators, Me Too Followers and Risk Avoiders.  Innovators find good businesses through real trial and error and make good gains from new businesses, Me Too follow innovators, getting less of gains because of slower, gradual adoption of innovations, and risk avoiders are usually into these businesses too late.  All experience losses eventually.  Innovators losses are a small fraction of gains, Me Too losses are a sizable fraction and Risk Avoiders often lose money.  Innovators have all left the banks.  Banks are just the Me Too and Avoiders.
• T-Shirt – In my models, the markets work
• Most of the reform suggestions will have the effect of eliminating alternatives, concentrating risk and risk oversight.  Would be much safer to diversify and allow multiple options.  Two exchanges are better than one, getting rid of all the largest banks will lead to lack of diversity of size.
• Problem with compensation is that (a) pays for trades that have not closed as if they had closed and (b) pay for luck without adjustment for possibility of failure (risk).
• Counter-cyclical capital rules will mean that banks will have much more capital going into the next crisis, so will be able to afford to lose much more.  Why is that good?
• Systemic risk is when market reaches equilibrium at below full production capacity.  (Isn’t that a Depression – Funny how the words change)
• Need to pay attention to who has cash when the crisis happens.  They are the potential white knights.
• Correlations are caused by cross holdings of market participants – Hunts held cattle and silver in 1908’s causing correlations in those otherwise unrelated markets.  Such correlations are totally unpredictable in advance.
• National Institute of Financa proposal for a new body to capture and analyze ALL financial market data to identify interconnectedness and future systemic risks.
• If there is better information about systemic risk, then firms will manage their own systemic risk (Wanna Bet?)
• Proposal to tax firms based on their contribution to gross systemic risk.
• Stress testing should focus on changes to correlations
• Treatment of the GSE Preferred stock holders was the actual start of the panic.  Leahman a week later was actually the second shoe to drop.
• Banks need to include variability of Vol in their VAR models.  Models that allowed Vol to vary were faster to pick up on problems of the financial markets.  (So the stampede starts a few weeks earlier.)
• Models turn on, Brains turn off.

Monty Python on governance, risk, and compliance

Guest Post from Riskczar

I read too much about what GRC needs or what ERM needs but far too often suggestions read like my favourite Monty Python skit (a lot of easier said than done steps):

Alan	Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute …but first, here’s Jackie to tell you all how to rid the world of all known diseases.
Jackie	Hello, Alan.
Alan	Hello, Jackie.
Jackie	Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again.
Alan	Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here.

So when I read very articulate comments like these from the blog Corporate Integrity, it makes me think of how you play the flute:

Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.

… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.

Again, easier said than done. I am not criticizing this approach, I actually agree 100% with what he writes, it’s just very difficult to execute.

Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which take a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same a getting buy in, getting them to do it and being successful at it.