Archive for the ‘Cultural Theory of Risk’ category

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

September 2, 2014

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re


Risk Culture gets the Blame

March 18, 2014

Poor Risk Culture has often been blamed for some of the headline corporate failures of the past several years. Regulators and rating agencies have spoken out about what they would suggest as important elements of a strong risk culture and the following 10 elements all show up on more than one of those lists:

1.      Risk Governance – involvement of the board in risk management

2.      Risk Appetite – clear statement of the risk that the organization would be willing to accept

3.      Compensation – incentive compensation does not conflict with goals of risk management

4.      Tone at the Top – board and top management are publicly vocal in support of risk management

5.      Accountability – Individuals are held accountable for violations of risk limits

6.      Challenge – it is acceptable to publicly disagree with risk assessments

7.      Risk Organization – individuals are assigned specific roles to facilitate the risk management program, including a lead risk officer

8.      Broad communication/participation in RM – risk management is everyone’s job and everyone knows what is happening

9.      RM Linked to strategy – risk management program is consistent with company strategy and planning considers risk information

10.    Separate Measurement and Management of risk – no one assesses their own performance regarding risk and risk management

Those are all good things for a firm to do to make it more likely for their risk management to succeed, but this list hardly makes up a Risk Culture.


The latest WillisWire post in the ERM Practices series talks about Risk Culture from the perspective of the fundamental beliefs of the people in the organization about risk.

And RISKVIEWS has made over 50 posts about various aspects of risk culture.

Risk Culture Posts in RISKVIEWS

Planning for Risk in 2014

January 2, 2014

Barry Ritholtz provides some outstanding predictions for 2014.

His point, that we cannot predict the future, is well made.

But equally true, we need to have some view of the future in order to continue. The position that Ritholtz takes, that the future cannot be predicted, is actually one of the four Risk Beliefs that are described by the Theory of Plural Rationality. If you hold that disbelief about any of your risks, then your best strategy is to make many smaller commitments.

The other three beliefs are:

  • Risk is predictable and it will be very high.  Need to be extremely careful. Probably shouldn’t plan to grow at all.
  • Risk is predictable and it will be low.  Time to expand.
  • Risk is predictable and it will be moderate.  Careful and limited risk taking and expansion can work well.

If you are in the risk business, then you choose a strategy for each risk.  Hopefully, you will be doing that AFTER you have collected information about the trajectory of each major risk.

However, some management teams will start from the results that they “must have” to determine their strategy.

If you have done that you should look now at your belief for each risk.  Where you see a mismatch between your belief and your strategy for a risk, you should start making contingency plans.  Otherwise, you will be in for a Surprise.

For example, if you planned to grow at a substantial pace, you need to experience a low risk environment.  Otherwise, your growth is likely to be a very mixed blessing.  (see the Surprise article for details of the surprises that can be experienced by every mismatch between the actual risk environment and the risk strategy)


Collective Approaches to Risk in Business: An Introduction to Plural Rationality Theory

December 18, 2013

New Paper Published by the NAAJ

This article initiates a discussion regarding Plural Rationality Theory, which began to be used as a tool for understanding risk 40 years ago in the field of social anthropology. This theory is now widely applied and can provide a powerful paradigm to understand group behaviors. The theory has only recently been utilized in business and finance, where it provides insights into perceptions of risk and the dynamics of firms and markets. Plural Rationality Theory highlights four competing views of risk with corresponding strategies applied in four distinct risk environments. We explain how these rival perspectives are evident on all levels, from roles within organizations to macro level economics. The theory is introduced and the concepts are applied with business terms and examples such as company strategy, where the theory has a particularly strong impact on risk management patterns. The principles are also shown to have been evident in the run up to—and the reactions after—the 2008 financial crisis. Traditional “risk management” is shown to align with only one of these four views of risk, and the consequences of that singular view are discussed. Additional changes needed to make risk management more comprehensive, widely acceptable, and successful are introduced.

Co-Author is Elijah Bush, author of German Muslim Converts: Exploring Patterns of Islamic Integration.

ERM on WillisWire

December 3, 2013

Risk Management: Adaptability is Key to Success


There is no single approach to risk management that will work for all risks nor, for any one risk, is there any one approach to risk management that will work for all times. Rational adaptability is the strategy of altering … Continue reading →

Resilience for the Long Term


In 1973, CS Holling, a biologist, argued that the “Equilibrium” idea of natural systems that was then popular with ecologists was wrong. He said that natural systems went through drastic, unpredictable changes – such systems were “profoundly affected by random events”. … Continue reading →

Management is Needed: Not Incentive Compensation


Many theoreticians and more than a few executives take the position that incentive compensation is a powerful motivator. It therefore follows that careful crafting of the incentive compensation program is all that it takes to get the most out of a … Continue reading →

A Gigantic Risk Management Entertainment System


As video gaming has become more and more sophisticated, and as the hardware to support those games has become capable of playing movies and other media, video game consoles have now become “Entertainment Systems”.  Continue reading →

Panel at ERM Symposium: ERM for Financial Intermediaries


Insurance company risk managers need to recognize that traditional activities like underwriting, pricing and reserving are vitally important parts of managing the risks of their firm. Enterprise risk management (ERM) tends to focus upon only two or three of the … Continue reading →

ERM Symposium Panel: Actuarial Professional Risk Management


In just a few days, actuaries will be the first group of Enterprise Risk Management (ERM) professionals to make a commitment to specific ERM standards for their work. In 2012, the Actuarial Standards Board passed two new Actuarial Standards of … Continue reading →

Has the Risk Profession Become a Spectator Sport?

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers. Continue reading →

What to Do About Emerging Risks…


WillisWire has on several occasions featured opinions from a large number of our contributors about what might be the next emerging risk in various sectors. But what can be done once you have identified an emerging risk? Continue reading →

U.S. Insurers Need to Get Ready for ORSA


Slowly, but surely, and without a lot of fanfare, U.S. insurance regulators have been orchestrating a sea change in their interaction with companies over solvency.  Not as dramatic as Solvency II in Europe, but the U.S. changes are actually happening … Continue reading →

Resiliency vs. Fragility


Is there really a choice?  Who would choose to be Fragile over Resilient? Continue reading →


Rational Adaptability is needed for risk management success

October 28, 2013

There is no single approach to risk management that will work for all risks nor, for any one risk, is there any one approach to risk management that will work for all times.  Rational Adaptability is the strategy of altering your approach to risk management with the changes in the risk environment.

Willis Re execs Dave Ingram and Alice Underwood have teamed with anthropologist Michael Thompson to produce a series of articles that discuss the four risk environments and four risk management strategies that are linked to four risk attitudes that are adapted from anthropology work from the 1980’s.

The four risk attitudes are: Pragmatists, who believe that the world is uncertain and unpredictable; Conservators, whose world belief is of peril and high risk; Maximizers, who see the world as low-risk and fundamentally self-correcting; and Managers, whose world is moderately risky, but not too risky for firms that are guided properly.

We have been living through an Uncertain risk environment where the optimal risk management strategy is Diversification of risks.  The height of the Financial Crisis was, of course, a Bust risk environment where the optimal strategy was Loss Controlling.  Prior to the crisis, some sectors were experiencing a Boom risk environment where Risk Trading was the best strategy.  And the long Moderate environment that preceded the boom for many years resulted in many companies adopting a Risk Steering strategy to optimize risk and reward.

These ideas were presented by Alice, Dave and Mike at two conferences in Europe in 2012 and published as a series of six articles on the InsuranceERM webzine.  Those six articles have been compiled into a single report by InsuranceERM that is now available from their website.

This is just the latest in a long series of work on this topic (and the most comprehensive to date).  Please see for a comprehensive look at this work over the past several years.

Resilience in the Long Run

June 20, 2013

[A speech delivered at the New York Stock Exchange, June 19, 2013 by Dave Ingram]


Did any of you notice last fall when New York City shut down for a week?

That wasn’t on my list of likely problems for 2013.

That experience brought home to me the difference between Risk Management, the idea that I have been selling for over 10 years, and Resilience.

When I looked around during that week, I saw first hand what Resilience looked like.  And also what it looked like to be fragile.  The Resilient people and firms were going about their business.  The Fragile were waiting in lines for gas and picking up the pieces of their businesses and dwellings.

And that is when it struck me that Resilience is what people and businesses want, not Risk Management.

So today, I am going to take you on a quick tour of Resilience.

The first time I can find that someone used the term Resilience in the way that we now use it was in 1973. CS Holling, a biologist, wrote a paper titled “Resilience and Stability of Ecological Systems”. Holling’s main point was that the EQUILIBRIUM idea of natural systems that was then popular with ecologists was wrong. Natural systems went through drastic, unpredictable changes – such systems were “profoundly affected by random events”. He defined resilience as

A measure of the ability of these systems to absorb changes . . . and still persist.

He also talked about natural systems going through a four-phase cycle. A cycle that is amazingly like what we experience in business.

To illustrate those four phases to you, I will use a graph that you are doubtless all familiar with, not necessarily this exact graph, but you are all very aware of how housing prices have performed over the past 10+ years.


For the first 20+ years of this graph, housing prices were moderately volatile. There were some large swings as well as short term bounces in housing prices. We will call that a Moderate period. Then for a few years, prices went almost straight up. We will call that phase a Boom. Which, as we all well know, was followed by a Bust. But the unusual thing about this chart is that it very clearly shows the environment that we all have been struggling with for the past 3 – 4 years. A time when things do not seem to be going in any direction. An Uncertain phase.

What I came here to tell you is that Resilience means something different in each of these four phases.  And the firms that are the most Resilient will take advantage of the best strategy during each phase.

During the Boom, the best Resilience strategy is to Grow! Triage is the best suited Resilience strategy for the Bust. During the Moderate phase steadily Improving is the best strategy. And during Uncertain times, the best strategy, as you have all figured out the hard way, is to Diversify your business. The good thing is that these four phases will be repeated and some version of these four strategies will always be the best Resilience strategy for your firm. Let me now take you beyond the one word description.

The strategy of the Boom is Growth. That is not obviously a Resilience strategy. But here is where I borrow the most from the biologist, Holling. In Holling’s view of living systems, the species that had the best long-term resilience were those that took advantage of the best times to grow to be the most numerous and the strongest. So Grow your business and Grow your balance sheet during the boom. It is not hard to notice the start of the Boom. Either your sales start to jump, or else you notice that your competitor’s sales jump. During the Boom, your job will be to help to fund that expansion of capacity that is needed to grow. The thing to watch out for is that at the end of the Boom, many, many firms have borrowed very heavily to fund their growth, and some of them are stuck with one plant too many, possibly even an unfinished plant built entirely with borrowed funds. So for the Boom, you want to make sure that your firm can grow and take advantage of the great environment but you need to be on the look-out for the end of the Boom and help to steer your firm away from making that one expansionary step too many. A tricky call to make and not likely to be a popular position at the time.

The strategy of the Bust is Triage. Trimming away those pieces of the operation that are not self supporting and not reliably profitable. This is a drill that many of you have gone through several times now. The Bust phase is not hard to recognize, as you know. The bottom falls out, sometimes very quickly, and other times gradually over a few quarters. This Triage operation needs to be started as soon as the Bust is clearly upon you. There may not be as much resistance to the Triage during the Bust. The problem is to make sure that your firm will still have the resources for growth that will come with the end of the Bust. The Biologist view of this phase is that the most Resilient species are the ones that can both survive their worst environment and be healthy enough to successfully go around the cycle one more time. So minimal survival is not sufficient.

The Moderate environment is when the somewhat boring strategy of Improving is best. In this environment the little things add up. Your engineers and quants and other expert employees are the best asset of the company. Improve is a resilience strategy because these improvements are small and carefully implemented. The Moderate environment still is dangerous and changes must be made carefully. It is a little tricky to see the start of a Moderate environment; the indications of its start are mostly negative – extreme events, both good and bad, become less and less common. Those of us with a financial background will mostly feel at home in the Moderate background. If you’re among the older half of the audience today, you doubtless remember well the Greenspan-led “Great Moderation” from 1984 to 2001, a long time with only moderate ups and downs in the economy. Our abilities to help to carefully fine tune a company to maximize its efficiency were very valuable and in demand.

But it is important to realize that that very push for efficiency gradually starts to reduce Resilience and in some ways that Great Moderation with the almost 20 year period of Improve strategy created the fragility that helped to make the Great Recession so toxic.

More on this in a minute.

Finally, in Uncertain times Diversity is the best Resilience strategy. That means that you need to move away from the strategies that concentrated all of your investment into those things that you did best and instead limit the degree to which your firm is dependent on any one product, or territory or distributor or supplier or manufacturing process. You have also been building up your firm’s cash position. And as the Uncertain times persist, you start to see opportunities to acquire smaller firms who can help to broaden your base even further. With the Diversify strategy, you are admitting that you are not really sure what will come next. That any of your business units may be the next growth opportunity or any might well tank completely. However, you need to be aware that the Diversify mindset is toxic when the Uncertain period ends. Then you will need to shrug off the slow and careful decision-making and the undercommitment.


So what is next? That will certainly vary by sector. Some sectors, like energy extraction, have already entered a new Boom. But for most of us, the most likely course is for the Uncertainty to gradually reduce and for our environment to slide into a Moderate phase. That may have already happened in your sector. Have you noticed it?

And when it does, you will be back in the game of promoting Efficiency and Improvement as the Resilience strategy of the firm.  Slow and gradual growth of business and of margins.

Since I expect that the Moderate environment is most likely next and because the Improve strategy that is the best Resilience strategy for that period is the strength of us financial types, I want to spend just a little more time looking at how the Improve strategy works, when it is working well and what happens when it starts to erode Resilience.


You are all likely to remember fondly your first big win in a Moderate environment. You came in and quickly identified something that was ripe for a change. Something where the operations were highly inefficient and you made sure that things changed and a big turn around happened. You really felt that you added to company value and to your own reputation.


Over time you were able to make many such improvements, on this picture, moving virtually everything on to the efficient frontier.


Then you felt the need to find more wins. You were imagining that you could help to completely change the game, to move the possibilities upwards. But in some cases, what happened instead is that you did change the game, but what you did was not exactly improve efficiency of the system, instead, you started to reduce the amounts of redundant resources of the system. That improves the expected returns, but often drastically reduces Resilience. On the picture above, you wanted to move from A* to A++ and instead you moved to A--. You got the extra return that you wanted but increased the risk and reduced the resilience. Some of the slack that you removed from the system was really needed, the system becomes very fragile without it.

So far I have been very theoretical here. Let’s think of this in terms of Outsourcing. Outsourcing often looks like a game changer, moving to A++. But the reduced costs of outsourcing are only a game changer if your subcontractor maintains a similar or better resilience as your insourcing alternative. If what you are getting is paying less for less Resilience, then you have moved to A--. More return but at a possibly markedly increased risk.

And if you are Outsourcing something that is of primary importance to your business, then you have shifted the required key competence for your firm to succeed. If your key competence had been to manufacture Part XYZ, and you Outsource that work, then the key competence that you now need is the management of subcontractors. Some of the savings that you think that you are getting comes from the fact that you did not necessarily factor in enough cost for management of the subcontractors. And a key question becomes whether you can be sure that your firm can keep the same degree of resilience so that it really is an A++ move and not an A-- move that trades off cost for Resilience.

Leverage or debt is the way that we get this wrong in the financial sector where I work. In our sector, the relationship between equity capital and risk is the key to resilience. But many banks and insurers will lever up their business, increasing profitability for shareholders while decreasing Resilience.

One of the key problems in even noticing this issue of decreasing Resilience with increasing efficiency is that the problem is hard to see. Resilience is clearly a corporate asset, but it does not appear on the balance sheet. Accounting gives exactly wrong signals about risk and resiliency. Reducing resiliency will usually be reported on an accounting statement as an improvement in financial condition. It is profitable. That is a big problem because RISKS IN THE LIGHT SHRINK AND RISKS IN THE DARK GROW. (Ingram’s Law of Risk and Light).

Now let’s look at how these ideas apply to the risks that concern us the most.  A survey conducted by Allianz Insurance Group produced this list of Top Risks for 2013:

  1. Business interruption, supply chain risk
  2. Natural catastrophes
  3. Fire, explosion
  4. Intensified competition
  5. Changes in legislation and regulation
  6. Market fluctuations
  7. Theft, fraud, corruption
  8. Loss of reputation or brand value
  9. Commodity price increases
  10. Credit availability

Let’s look at how these ideas about Resilience apply to some of these top risks:

Supply Chain

This is usually a major part of your basic business.

  •  Grow – Have suppliers or alternates that can handle big increases in your orders
  •  Diversify – Multiple really different options
  •  Improve – Need the most efficient supply chain BUT highest efficiency is VERY FRAGILE
  •  Triage – Trim without killing supplier

Natural Catastrophe

Natural Catastrophes are one of the random elements that can trigger shifts in the Environment. The year after the SF EQ of 1906 saw a major recession in the US with a 30% drop in industrial production. In recent years, major cats like Katrina have not triggered such a shift. Seeing Sandy shut down NYC for much of a week was a shock. A few buildings not two blocks from here were not back in operation until the end of May. In 1995, the Kobe earthquake caused an unexpected drop in the Japanese stock market which led to the failure of Barings Bank.

You assess RESILIENCE to Nat Cats with stress testing. I would suggest testing stress scenarios that are two times the worst prior event.

Fire, Explosion

  •  Grow – Will be adding buildings quickly
  •  Diversify – Don’t concentrate operations – no single fire can hurt much
  •  Improve – Concentrate operations for max efficiency.  Outsourcing means your resilience is affected by theirs – Bangladesh mill collapse
  •  Triage – Resilience is a factor in choosing which buildings to close


Intensified Competition

  •  Grow – Big First mover advantage – popular to say that you are fast follower, but some followers get in fast enough to get the highest margin business, some delay just enough that they get none of the best business, some are moving in just as the first movers are moving on to some other category killer.
  •  Diversify – Watch out for others who are diversifying into your market.  They will heedlessly reduce margins.  Make sure that you are not playing that role in some market that you are diversifying into.
  •  Improve – Arms race with competitors.  Do not try to believe that cutting costs is a long term strategy for a company.
  •  Triage – Temptation to keep looking over at your target competitors.  Don’t do that during the Bust.  That can be fatal.  You can end up following them off of the cliff.


I want to say just a few words about disclosure for two reasons. First, because it is a new hot topic and second because I want to repeat something that I heard an insurer CRO say that I wanted to share. The hot topic part of this is that the SEC has recently spoken out about risk disclosures – specifically saying that boilerplate was not sufficient, that meaningful risk disclosure was required. And for the most part, all US firms’ risk disclosures are boilerplate. And in fact, not particularly thoughtful boilerplate. So, in advance of a major loss event, you need to make an attempt to disclose the risk that might lead to the loss. Then comes the question of disclosing risk mitigation and other risk management activities. Most companies do not disclose. That decision is highly questionable in my mind. If you are a company that is doing all that you can to promote Resilience thinking and actions, you look no different from the firm that does exactly nothing. My guess is that these decisions are made based upon a risk only analysis, rather than a risk reward analysis. However, after you have suffered a major loss, from a practical point of view, it is more or less mandatory to start disclosing those practices. I am having trouble understanding that logic tree. Maybe you do.

The idea to share, that you may want to consider when you reevaluate your policy regarding these disclosures is that a perception among investors that you are acting responsibly towards your risks that is formed from your repeated disclosure of those activities would go a long way towards putting you in the position of not needing as much apology after the loss and will regain full investor confidence sooner than your competitors who do not tell such a story in years when there were no losses.  Think about it, how does that sort of thing work within your companies?


Holling said that the species that were the most resilient grew enough when the environment was right so that there were still enough members left at the end of the bust.  And they also were able to avoid making any fatal errors in any of the other environments.

So my final advice is:

  • Choose the right Resilience strategy in each environment so that the company has the capacity to both survive the next bust, but also come out of it strong enough to thrive and grow in the following cycle of Moderate and Boom environments
  • Take care not to unconsciously destroy resilience when increasing efficiency
  • Shine a light on those risks in the dark
  • Stress Test your most dangerous risks to find weaknesses
  • Pay attention NOW to what you will need for the next environment
