Transparency with Stakeholders Builds Trust and Enhances Risk Management

Risk Culture Belief Series

When banking regulators looked around at the financial institutions that fared less poorly during the 2008 financial crisis, one of the common themes that distinguished them was their dedication to internal transparency regarding their risks and risk management activities.  The belief that “Transparency with Stakeholders Builds Trust and Enhances Risk Management” underscores the profound impact of openness on an organization’s risk management framework and its overall relationship with stakeholders.

Strategic Significance of Transparency

The executives in central roles at those firms have constant access to the best information available. Those banks tended to react faster when their aggregate level of risk looked like it was headed above their risk tolerance. 

They also seemed to get into less trouble with risk concentration caused by people in different parts of the firm unintentionally piling onto similar and likely highly correlated risks. 

Transparency is just not expected from traditional risk management activities. Insurers that want to have an effective and disciplined ERM program must have Transparency.

In addition, Transparency in risk management fosters trust, not only with regulatory bodies but also with investors, customers, and employees. It involves clear communication about the organization’s risk exposure, risk management processes, and how risks are handled. This belief says that when stakeholders are well-informed, they are more likely to trust the organization’s management and decisions. This trust, in turn, strengthens the organization’s credibility and stability in the market.

Implementing Transparency in Practice

Generally executives are aware of the firm’s risks, but until ERM comes along and forces an actual discussion of risk, there is rarely a spontaneous agreement on priorities. For effective transparency, organizations must ensure that their risk management activities are visible and comprehensible to all stakeholders. This includes regular disclosures of risk assessments, risk management strategies, and the outcomes of such strategies. In the financial sector this might mean publishing detailed risk reports that explain the potential impacts of market changes on the institution’s portfolio and how these are being mitigated.

The RISKVIEWS blog provide examples of how financial institutions that adopted comprehensive disclosure practices not only complied with stringent regulatory requirements but also enhanced investor confidence during volatile market conditions. These institutions used transparency as a tool to manage expectations and provide a clear roadmap of their risk management strategies, which helped in mitigating panic and speculative actions by stakeholders.

Cultivating a Culture of Openness

Adopting this belief requires an organizational culture that values and practices openness at every level.

For over 20 years, some companies have practiced open-book management (OBM), sharing detailed information about their financial statements and business plans. But financial statements rarely provide actionable information about risk. Therefore, even in the OBM firms, there is generally a lack of knowledge about risk. With the transparency of risk and risk management information that comes from ERM, risk communication can become a part of the “Open Book.” 

There may be a paternalist urge to protect employees from scary information about risk, but ERM provides a language for talking not just about bad things that can happen, but also about what is being done about it. By including more employees in the risk discussion, there is also an increased chance that the firm will become aware of critical changes in the risk environment and possibilities for enhancing mitigation activities to better achieve the firm objectives with less disruption from unexpected adverse events. 

From the C-suite to the operational teams, everyone must understand the importance of transparency and its role in effective risk management. Encouraging a dialogue about risks and openly discussing failures as well as successes makes the organization more agile and responsive.

Conclusion and Forward Look

Embracing transparency is indispensable in the contemporary landscape where stakeholders demand more accountability and clarity. “Transparency with Stakeholders Builds Trust and Enhances Risk Management” is a principle that not only supports compliance but also catalyzes stronger, more trusting relationships with all parties involved in the organization’s ecosystem.

In our next post, we will explore the third Risk Culture Belief: “Cross-Functional Collaboration Optimizes Risk Response.” We’ll examine how integrating diverse functional expertise within an organization can lead to more robust risk mitigation strategies, driving home the value of collaborative approaches in contemporary risk management practices.

Permafrost

https://www.podbean.com/media/share/pb-mcesh-15f7806

Feedback loops are increasingly seen as important in climate projections. Melting permafrost is expected to accelerate warming of the planet and release pathogens unknown to us today. By Max Rudolph.

Regime Change – Scenarios

https://www.podbean.com/media/share/pb-jmzzq-15de6f8

Four scenario examples leading to Regime Change from Neil Howe, Ray Dalio, Peter Zeihan and the IPCC show us how widely the disruptions can differ while consistently ending up with a big regime change in our near-term future. Part 2 of a four-part series. By Dave Ingram and Max Rudolph

The Crucial Role of Context in Risk Management Decision-Making

Another Guest Post by ChatGPT

Whether it’s the regulatory landscape, organizational culture, or market conditions, the context in which an organization operates significantly influences its approach to managing risks. Context shapes every aspect of the risk management process, from identifying potential risks to implementing effective mitigation strategies. In the world of risk management, understanding the context is not just important—it’s essential.

Why Context Matters

Internal and External Environment: The context includes both internal factors, such as an organization’s structure and culture, and external factors, such as economic conditions, technological advancements, and regulatory requirements. These factors affect how risks are perceived, prioritized, and addressed.

Risk Perception and Evaluation: Different stakeholders may perceive the same risk differently based on their individual perspectives and experiences. For example, a risk that seems minor to a financial analyst might be considered significant by a safety officer. Understanding the context helps ensure that all relevant viewpoints are considered in the risk evaluation process.

Risk Mitigation Strategies: The effectiveness of risk mitigation strategies often depends on the specific circumstances surrounding a risk. For example, a strategy that works well in a stable market might be ineffective in a volatile one. Contextual awareness enables organizations to choose and adapt strategies that are appropriate for their particular situation.

Frameworks and Perspectives in Contextual Risk Management

Several frameworks and perspectives highlight the importance of context in risk management:

ISO 31000 Risk Management Framework: This framework emphasizes tailoring risk management to the organization’s context, considering both internal and external factors to ensure the effectiveness of risk management processes.

COSO ERM Framework: The COSO framework highlights the alignment of risk management with an organization’s strategy and performance, underscoring the importance of context in identifying and assessing risks.

Regulatory Requirements: Compliance with industry-specific regulations shapes the risk management context. For example, financial institutions must adhere to Basel III standards, which dictate specific risk management practices.

Organizational Culture: The culture of an organization, including its risk appetite and tolerance, influences how risks are managed. A strong risk culture fosters proactive risk management and open communication about risks.

Stakeholder Expectations: Understanding the expectations of various stakeholders, such as investors, customers, and employees, helps ensure that risk management aligns with their interests and concerns.

Technological Context: The rapid pace of technological change introduces new risks and opportunities. Organizations must consider their technological landscape, including cybersecurity threats and digital transformation initiatives, in their risk management strategies.

Incorporating Context into Risk Management

To effectively incorporate context into risk management, organizations can follow these steps:

Conduct a Contextual Analysis: Start by analyzing both the internal and external environment to identify factors that influence risk management. This includes assessing the regulatory landscape, market conditions, organizational culture, and technological advancements.

Engage Stakeholders: Involve stakeholders from different areas of the organization and external partners to gather diverse perspectives on risks and their potential impact. This helps ensure a comprehensive understanding of the context.

Tailor Risk Management Processes: Adapt risk identification, assessment, and mitigation processes to fit the specific context. This might involve using different risk assessment tools or modifying risk criteria based on the organization’s objectives and environment.

Monitor Changes in Context: Continuously monitor changes in the internal and external environment that could affect the organization’s risk profile. Stay agile and be prepared to adjust risk management strategies as the context evolves.

Communicate Contextual Insights: Share insights about the context and its implications for risk management with relevant stakeholders. Clear communication helps ensure that everyone understands the rationale behind risk management decisions.

Review and Update: Regularly review and update risk management practices to ensure they remain relevant and effective in the current context. This includes revising risk policies, procedures, and mitigation strategies as needed.

Conclusion

In conclusion, context is a critical factor in risk management decision-making. A deep understanding of the internal and external environment enables organizations to develop and implement risk management strategies that are tailored to their specific circumstances. By embracing a contextual approach, organizations can enhance their resilience, adaptability, and overall effectiveness in managing risks.

This post was created with a CustomGPT designed by RISKVIEWS. The GPT is called Risk Personalities Engine. To learn more about the Risk Personalities Engine. visit this page on the RISKVIEWS blog.

Interest Rate RIsk for Insurers

https://www.podbean.com/media/share/pb-vjyx3-15d6f83

When rates recently spiked it surprised many with direct and indirect implications. The market value of bonds decreased, and the price of replacement parts for autos increased. There are three ways that insurers can be affected by higher rates. Looking at past events help to prepare for similar tail events in the future. By Max Rudolph.

AI Can Help the CRO

A Guest Post by ChatGPT

For Chief Risk Officers (CROs) navigating the complex and rapidly evolving landscape of risk in financial institutions, artificial intelligence (AI) presents a suite of powerful tools to enhance decision-making, improve risk assessment, and optimize risk management processes. AI’s capabilities can significantly impact various aspects of a CRO’s job, making it a pivotal ally in addressing strategic, operational, and financial risks.

Enhanced Risk Identification and Assessment

AI can process vast amounts of data from diverse sources, including market trends, operational metrics, and social media, to identify and assess risks more efficiently than traditional methods. This capability allows CROs to detect emerging risks faster and with greater accuracy, facilitating proactive risk management. For instance, machine learning models can predict potential default risks by analyzing patterns in credit history, market conditions, and economic indicators, thereby enhancing the accuracy of credit risk assessments.

Strategic Decision Support

AI supports strategic decision-making by providing CROs with data-driven insights into risk-return trade-offs associated with different strategic choices. By simulating various scenarios and analyzing their potential impacts on the organization’s risk profile, AI helps CROs in making informed decisions that align with the company’s risk appetite and strategic objectives.

Operational Risk Management

AI can automate the monitoring of operational risks by analyzing transaction patterns, employee activities, and compliance with procedures, identifying anomalies that may indicate fraud, errors, or inefficiencies. This real-time monitoring capability enables CROs to swiftly address operational risks, reducing potential losses and improving operational resilience. Furthermore, AI-powered process automation can streamline risk management processes, enhancing efficiency and reducing the likelihood of human error.

Financial Risk Analysis

In the realm of financial risks, AI models excel at analyzing market data, economic indicators, and financial trends to forecast future market movements and assess the potential impact on the organization’s financial health. This analysis can include stress testing, value-at-risk (VaR) calculations, and sensitivity analyses, providing CROs with a comprehensive understanding of financial risks and the effectiveness of hedging strategies.

Risk Reporting and Communication

AI can also revolutionize risk reporting and communication by generating dynamic, real-time risk reports that offer insights into the current risk landscape. These reports can be tailored to different audiences, from the board of directors to operational teams, ensuring that all stakeholders have the information they need to understand and manage risks effectively.

Conclusion

For CROs, the adoption of AI in risk management offers a transformative approach to navigating the complexities of risk in the financial services industry. By enhancing risk assessment, supporting strategic decision-making, improving operational efficiency, and facilitating effective risk communication, AI enables CROs to manage risks more proactively and strategically. As the risk landscape continues to evolve, leveraging AI will be crucial for CROs aiming to foster a strong risk management culture and drive their organizations towards sustainable growth and resilience.

Dangerous Risks 2024: Return to Normal Concerns

https://www.podbean.com/media/share/pb-tqu5x-15bb078

The 2024 survey sees respondents react to recent increases in specific risks as technology evolves and the environment moves away from the pandemic. The top 4 risks are the same as those seen in 2019. By Dave Ingram and Max Rudolph.

No Free Lunch

https://www.podbean.com/media/share/pb-v7mqb-155b778

New asset classes like junk bonds and subprime mortgages initially promised high returns without too much risk. Many investors were surprised to find that the risk premium was insufficient to provide for actual losses when they came. Modelers need to adjust for incomplete investment cycles that include only the positive part (e.g., high spreads) but not the defaults and liquidity crises typical at the end of a cycle. By Max Rudolph

RiskMaster Cheat Code

https://www.podbean.com/media/share/pb-nw7u3-1581aab

Has any of your ERM program has been written down? Or is it at risk of being lost when a key player leaves the insurer?  The Risk Management Framework document provides the RiskMaster Cheat Codes for understanding the overall ERM system and for specific topics like stress testing and risk reporting to allow a new risk team to start from a solid base should that be needed. It also can act as a cheat sheet for the Board to be able to participate in ERM discussions even though they do not live in the system. By Dave Ingram.

Water, Water Everywhere

https://www.podbean.com/media/share/pb-c4r8z-156fb70

Climate change and population growth have stressed fresh water sources, leaving agriculture and coastal residents with opposing issues. While aquifers and rivers struggle, extreme weather and sea level rise provide an overabundance of water. Insurers increasingly are dealing with these extreme weather events that highlight the presence of too much water (hurricanes, inland flooding) or too little water (drought, fire).  Today Max covers some existing issues while others will be emerging at a later time. By Max Rudolph

Achieving Resilience

 

https://www.podbean.com/media/share/pb-78duc-155b765

Resilience can be described as bending without breaking. There are four aspects of ERM that all need to be fully adopted to achieve this important result. By Dave Ingram.

Using Risk Appetite: Contrarian Views

https://www.podbean.com/media/share/pb-5d3r4-1544f79

It is commonly assumed that higher returns require higher risk to be accepted. Fear and greed may outperform over the short term but often the last investor in does poorly. Long periods of stimulus provide warning that economic cycles come to an end eventually. By Max Rudolph.

Top 10 ERM Podcasts of 2023

Have you listened to these ten popular Crossing Thin Ice Podcasts of 2023?

https://crossingthinice.podbean.com/

Title	Released	Downloads
Spillover Diseases	Apr 07, 2023	207
Telling Your ERM Story to Rating Agency	Jul 10, 2023	186
Concentration	Aug 07, 2023	163
Inflation – Most Dangerous Risk of 2023	May 08, 2023	159
Six Futures for ERM	Sep 11, 2023	156
Super Volcano	Aug 21, 2023	153
Three Levels of Stress	Jun 07, 2023	150
Risk and Capital	Nov 06, 2023	136
Fear vs. Danger	Apr 24, 2023	134
Microplastics	Jun 19, 2023	126

Spillover Diseases – As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola.
Risk Reporting to Rating Agencies – Insurers view interactions with rating agencies with trepidation, but a strategy can be implemented for your presentation that gives the rating agency what they need to know to give a fair review.
Concentration Risk – Concentration is added by doubling down on things you do well. This two-part article considers strategic drivers that add to concentration and tactical methods to mitigate these risks.
Inflation – Emerging risks sometimes seem like they come out of a science fiction movie. Solar storms are more than just pretty northern lights. An impactful solar storm happened as recently as 1859. While some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did then.
Six Futures for ERM – Scenario based planning is good for forming company strategy and it can also be good for planning risk management. There are a number of ways that the future might play out for risk management and the likelihood of each of the six possibilities mentioned here has probably changed significantly because of our experiences over the past two years. Which future will you be prepared for and which would have been a total surprise if you hadn’t read this article?
Super volcano – A volcano erupts somewhere, on average, every week. Eruptions large enough to impact the global environment happen much less frequently, but they have happened. The “Year without a Summer” in 1815 affected crops and immigration, and similar events will happen again. These Super Volcanoes tend to have numerous knock-on effects.
Stress Testing – Three levels of Stress – Stress tests come in various levels of adversity; normal volatility, realistic disasters and worst case scenarios. Aligning the situation to the appropriate stress test is very important when managing an insurer. Regulators are less interested in how you manage day-to-day, more in scenarios that might result in insolvency.
Risk and Capital – Stakeholder perception about the appropriate level of risk and the corresponding capital level varies. Some insurers focus on optimizing income and disbursements, while others find their goals aligned by holding redundant capital. Here we consider the available options and the pros and cons of each.
“Fear vs. Danger” – Using rational thought to balance fear and danger, with an appropriate response, is hard. Having a process to think about how to react improves the likelihood of success.”
Microplastics – Tiny pieces of plastic are found in the ocean, soils and the human body. This can’t be good. Scientists are still learning about the implications of microplastics, but it’s clear that better recycling and reduced use of plastic bottles, fishing nets, micro beads and nurdles are a start.

Regime Changes lead to New Normal

https://www.podbean.com/media/share/pb-4bdz4-151ecf3

Radical changes in our Physical, Political, Economic and Social systems have been and will continue to buffet humanity. Every so often the combined result is a major change of regime in which new patterns for each of these systems develops and persists for some time creating a new normal.  We make the case that this is coming in our world. By Max Rudolph and Dave Ingram

Leverage: The Flip Side of Risk Management

https://www.podbean.com/media/share/pb-kwyv3-1516af7

It is quite tempting, when interest rates are so very low, to take on debt just because you can. But that might not be the best thing for an organization, especially from a risk/reward perspective.  Leverage, or borrowing, can have a major impact on the risk profile of an organization that is not usually considered when talking about risk management. Leverage, it turns out, is actually the flip side of risk management. By Dave Ingram

Climate Migration

A Crossing Thin Ice Podcast – Sponsored by Actuarial Risk Management

https://www.podbean.com/media/share/pb-pspyx-14eacbb

No one is arguing anymore that the planet is not getting hotter, but what are the limits to temperature rise for humans survival? The ramifications for those who live in poverty in tropical zones is that they will need to move because of the heat. The alternatives are unacceptable. The world needs a plan to deal with massive climate migration. By Max Rudolph.

Risk and Capital

https://www.podbean.com/media/share/pb-v9zvq-14d6998

Stakeholder perception about the appropriate level of risk and the corresponding capital level varies. Some insurers focus on optimizing income and disbursements, while others find their goals aligned by holding redundant capital. Here we discuss several broad choices for the level of capital and the pros and cons of each based upon common business objectives. By Dave Ingram.

Interactions between risks: Implications for building scenarios

https://crossingthinice.podbean.com/e/interactions-between-risks-implications-for-building-scenarios/

Historically, scenarios have focused on one assumption at a time but that is not realistic in today’s quickly evolving world. Risk interactions are very important considerations and impact scenario assumptions dynamically. Three narrative scenarios that interact between financial and non-financial risks are discussed. By Max Rudolph.

Why Insurers Do ERM

https://www.podbean.com/media/share/pb-qr47i-14c51f9

Enterprise Risk Management is practiced in different ways by insurers. Some focus on the basics while others consider ERM as a strategic strength. In a recent survey, ARM asked what is most important to them about ERM.

The findings are that what S&P thought of as the most advanced ERM objective, Strategic Risk Management, is a lower priority to many insurers.  Perhaps this is a sign of the (very uncertain) times.

For more on Strategic RIsk Management 

After COVID

https://www.podbean.com/media/share/pb-vzfk7-14a3809

Prior to 2019, Pandemic was the most studied emerging risk. And now that one has happened, it is time to study our reactions to COVID. In this podcast, we look at the reactions that people typically have to near death experiences and find that they are similar to the reactions that companies are having to COVID. Several very different reactions have been observed, but only one has a lasting favorable impact on the risk management program. By Dave Ingram 

Six Futures for ERM

https://www.podbean.com/media/share/pb-553wy-149ed71

Scenario based planning is good for forming company strategy and it can also be good for planning risk management. There are a number of ways that the future might play out for risk management and the likelihood of each of the six possibilities mentioned here has probably changed significantly because of our experiences over the past two years. Which future will you be prepared for and which would have been a total surprise if you hadn’t listened to this podcast? By Dave Ingram

Super Volcano

https://www.podbean.com/media/share/pb-5g9b6-14789a1

A volcano erupts somewhere, on average, every week. Eruptions large enough to impact the global environment happen much less frequently, but they have happened. The “Year without a Summer” in 1815 affected crops and immigration, and similar events will happen again. These Super Volcanoes tend to have numerous knock-on effects. By Max Rudolph

Concentration

https://www.podbean.com/media/share/pb-nfa83-146f322

Concentration is added by doubling down on things you do well. This two-part article considers strategic drivers that add to concentration and tactical methods to mitigate these risks. By Dave Ingram and Max Rudolph.

Cascadia Earthquake

https://www.podbean.com/media/share/pb-83zhp-1457084

When a catastrophic event hasn’t happened since 1700 there is not much historical data to aid those who live there or insure residents. Here are some of the basic concerns. By Max Rudolph

Telling Your ERM Story to Rating Agency

https://www.podbean.com/media/share/pb-che39-144bbd3

There is a story about ERM that most insurers can tell. A story with four chapters: ERM Framework, Individual Risks, Aggregate Risk & Capital and the ERM Journey. Usually there isn’t enough time to tell the the ratings analyst all four chapters, so you have to choose.

This is a story that I have told privately many times over the years based upon my experiences as the first rating agency ERM specialist at S&P and as an advisor to insurers who are preparing to present.

Microplastics

 

New Crossing Thin Ice Emerging Risks Podcast

https://www.podbean.com/media/share/pb-5vz5q-1434294

Tiny pieces of plastic are found in the ocean, soils and the human body. This can’t be good. Scientists are still learning about the implications of microplastics, but it’s clear that better recycling and reduced use of plastic bottles, fishing nets, micro beads and nurdles are a start. By Max Rudolph

Prior Emerging Risks Podcasts

Episode 10. Solar Storms 
Solar storms are more than just pretty northern lights. A high impact solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we try to do in this podcast.

Episode 7. Spillover Diseases  
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph

Episode 5. Bacterial Antimicrobial Resistance 
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers. By Max Rudolph

Three Levels of Stress

https://www.podbean.com/media/share/pb-b9eqk-141c0a3

Stress tests come in a wide variety of levels of adversity. This podcast suggests that we all should focus on just three: normal volatility, realistic disasters and worst case scenarios. Aligning the appropriate stress test to the audience is very important when managing risk for an insurer. Management, Boards and Regulators will each find something to like with these three levels of stress. By Dave Ingram

Solar Storms

https://www.podbean.com/media/share/pb-87fck-140cc58

Risk managers have a difficult job, anticipating risk events and interpreting how they interact and aggregate with internal exposures. Emerging risks play a key role in this analysis. One such emerging risk, Solar Storms, is much more than just pretty northern lights. An impactful solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we do in this podcast.

Inflation – Most Dangerous Risk of 2023

https://www.podbean.com/media/share/pb-34vde-13e5c6e

A deep dive into the risk selected as the Most Dangerous of 2023.  We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses.  In addition, we also invert the question and consider what would cause future inflation to be very low.  By Dave Ingram and Max Rudolph

Fear vs. Danger

https://www.podbean.com/media/share/pb-xx6kb-13dc9a1

Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.

This podcast refers to an article “Risk Intelligence” in the magazine Contingencies.  You can read that article here.

Spillover Diseases

https://www.podbean.com/media/share/pb-mtzhs-13d6861

As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph

Most Dangerous Risks

https://www.podbean.com/media/share/pb-54pkj-13c2ffd

Over 200 respondents in the Dangerous Risks to Insurers Survey reordered the top risks, with Inflation swapping with Cybersecurity and cybercrime, and Global/National recession moving into the top 5 at #3.

Bacterial Antimicrobial Resistance

https://www.podbean.com/media/share/pb-fjc7p-13a4a76

This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.

Learning from Loss

https://www.podbean.com/media/share/pb-3347a-139b504

A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions. 

Moderately Adverse Conditions

https://www.podbean.com/media/share/pb-r52jb-138cae5

We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.

Three Little Pigs

https://www.podbean.com/media/share/pb-e8t2j-1375fd9

When you encounter vastly different risk taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.

Variety of Decision Making

Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.

Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.

Here are abstracts and links to the existing documents:

1. Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
2. Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
3. The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
4. An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
5. An Adaptor Strategy for Enterprise Risk Management (Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
6. Adaptor Exceptionalism:Structural Change & Systems Thinking, March 2022, RISKVIEWS, Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
7. Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!

Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).

Determining Risk Capital

Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).

With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.

Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.

To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.

Types of Risk Models

There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.

Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.

Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.

Some methods may fit a particular situation, company, or philosophy of risk better than others.

Factor-Based Models

Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.

The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.

Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.

The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as is A.M. Best’s BCAR score and S&P’s Insurance Capital Model.

Stress Test Models

Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:

Worst company results experienced in last 20 years
Worst results observed across peer group in last 20 years
Worst results across peer group in last 50 years (or, 20% worse than stage 2) Magnitude of stress-to-failure

Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.

High-Level Stochastic Models

Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.

Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.

A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.

Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.

Detailed Stochastic Models

Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.

Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.

Multi-Year Strategic Models with Active Management

In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.

And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.

For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.

Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.

Key Questions and Decisions

Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:

• What are the issues to be aware of when creating or refining our model?
• What software offers the most appropriate platform?
• What data will we need to collect?
• What design choices must we make, and which selections are most appropriate for us?
• How best can we aggregate risk from different sources and deal with interdependency?
• There are so many risk metrics that can be used to determine risk capital – Value at Risk, Tail Value at Risk, Probability of Ruin, etc. – what are their implications, and how can we choose among them?
• How should this coordinate with catastrophe modeling?
• Will our model actually help us to answer the questions most important to our firm?
• What are best practices for validating our model?
• How should we allocate risk capital to business units, lines of business, and/or insurance policies?
• How should we think about the results produced by our model in the context of rating agency capital benchmarks?
• Introducing a risk capital model may create management issues – how can we anticipate and deal with these?

In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?

Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?

Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?

The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.

Risk Reward Management

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

In 2005, Standard & Poor’s called the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.“

The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro- level risk exploitation.

Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk- adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.

Pitfalls of Risk Reward Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find it self quickly in major trouble.

Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.

Guide to ERM: Risk Limits and Controls

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.

Photo by Ann H on Pexels.com

The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

1. Identify Risks – Choose which risks are the key controllable risks of the company
2. Assess – Examine what are the elements of the risks that need (or can be) controlled
3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
4. Take Risks – Conduct the primary function of an insurance company
5. Mitigate – Take actions to keep the risks within limits
6. Monitor – Determine how risk positions compare to limits and report
7. Respond – Decide what actions to take if risk levels are significantly different from plan

Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

• Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
• Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
• Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
• Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
• Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
• Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
• Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
• Assess risks: And the cycle starts again

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Guide to ERM: Risk Identification

Risk Identification is widely acknowledged at the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!

Photo by Pavel Danilyuk on Pexels.com

Risk Identification Process Adds Value

Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.

This is an iterative process that refines managements’ understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk:

For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little or less credibility to an ORSA report if this ownership of ERM isn’t in place.

A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.

This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.

By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.

Risk Control Cycle

Step 1: Identify All Significant Risks

Risks must be identified in order to:

>Ensure that the full range of significant risks is encompassed within the risk management process
>Develop processes to measure exposure to those risks
>Begin to develop a common language for risk management with the company

Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:

• Relevance to the insurer’s activities
• Impact on the insurers financial condition
• Ability to manage separately from other risks

The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.

The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.

For example:

• Underwriting Risk
• Market Risk
• Operational Risk
• Credit/Default Risk

Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.

The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.

Step 2: Understand Each Risk Exposure

It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.

In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.

Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.

The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.

Step 3: Evaluate

The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:

>Estimating the frequency of loss events, e.g., low, medium, and high
>Estimating potential severity of loss events, e.g., low, medium, and high
>Considering offsetting factors to limit frequency or severity of losses and understand potential control processes

Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation

Step 4: Prioritize

The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.

The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.

From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.

This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks:

The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.

Regulatory Emphasis

Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.

Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.

ORSA Guidance Manual

This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.

That document provides a definition for risk identification and prioritization:

[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels

For the EU, the Solvency II ORSA requires that solo undertakings provide:

[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.

In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.

Insurance Core Principles (ICP)

The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.

Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.

It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.

The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.

Take Part in the 14th Survey of Emerging Risks

CLICK HERE TO PARTICIPATE

The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries is overseeing an online survey to help understand individual risk managers’ perspectives on emerging risks. We value your insights and invite you to participate in this annual survey. Please complete this survey by Nov. 23rd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at jschuh@soa.org.

You have to show up

Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.

When risk management is successful, there is no bell that rings.  There are no fireworks.  Usually, a successful risk management moment is evidenced by a lack of big surprises.

But most days, big surprises do not happen anyway.

So if risk managers want to be appreciated for their work, they have to do much more than just show up.  They need to build up the story around what a very good day looks like.

• One such story would be that a very good day might happen when the world experiences a major catastrophe.  A catastrophe that is in the wheel house of the firm.  And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
• In 2011, there were major earthquakes in New Zealand, Japan and Chile.  One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year.  They credited that result to a risk management process that had them limiting their exposure to any one zone.  A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.

With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!

But to do that, they need to be sure to show up.

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

• Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
• Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
• What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
• How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
• ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
• The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
• Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
• Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
• What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
• Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Transparency, Discipline and Allignment

Firms that have existed for any length of time are likely to have risk management.  Some of it was there from the start and the rest evolved in response to experiences.  Much of it is very efficient and effective while some of the risk management is lacking in either efficiency of effectiveness.  But some of the risk management that they might need is either missing or totally ineffective.  It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm.  Risk management happens in the background.  It may be done without thinking.  It may be done by people who do not know why they are doing it.  Some risks of the firm are very tightly controlled while others are not.  But the different treatment is not usually a conscious decision.  The importance of risk management differs greatly in the minds of different people in the firm and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm.  The proponents of carefully managed risk may be thought of as the business prevention department and they are commonly found to be at war with the business expansion department.

---

 

Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management.  Those advantages are:

Transparency

Discipline

Alignment

ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm.  ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk.  The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.

Transparency is like the math teacher you had in high school who insisted that you show your work.  Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer.  When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing.  Transparency means the same sort of thing with ERM.  It means showing your work.  If you do not like having to slow down and show your work, you will not like ERM.

ERM is based upon setting up formal risk control cycles.  A control cycle is a discipline for assuring that the risk controlling process takes place.  A discipline, in this context, is a repeatable process that if you consistently follow the process you can expect that the outcomes from that process will be more reliable and consistent.

A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline.  A school team may have a little talent or a lot and some school teams have some discipline as well.  A professional sports team usually has plenty of talent.  Often professional teams also have some discipline.  The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league.  Discipline allows the team to consistently get the best out of their most talented players.  Discipline in ERM means that the firm is more likely to be able to expect to have the risks that they want to have.

ERM is focused on Enterprise Risks.  In RISKVIEWS mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.

To use another sports analogy, picture the football huddle where the quarterback says “ok.  Everyone run their favorite play!”  Without ERM, that is what is happening, at least regarding ERM at some companies.

Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.

Hierarchy Principle of Risk Management

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

• Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
• Jerome Kerviel at Soc Gen was doing the same.
• The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

1. it works to systematically determine the significance of all risk decisions, 
2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM have been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Has the risk profession become a spectator sport?

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.   April 23 and 24th.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

• Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
• For the most significant headlines during the past year, how was the risk management function involved?
• Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
• What are the lessons that have been learned and how are they shaping risk management today? If not, why?
• Does risk management have a seat at the table, at the correct table?
• Are risk managers as empowered as they should be?
• Is risk management asking the right questions?
• Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24 Former FDIC Chairman Sheila Bair will be the featured luncheon speaker

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk management International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

• Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understand the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
  • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
  • Unintended consequences maybe lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
  • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
  • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
  • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.

• Actuarial Professional Risk Management  –  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
• Enterprise Risk Management in Financial Intermediation  –  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

One Page ERM

The International Association of Insurance Supervisors adopted the following in late 2011 as a part of ICP 8.

ERM Mission Statements

From the Annual Reports:

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an  integrated approach to  assessing and controlling  risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our  liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
·      Understanding which risks the company is able to underwrite;
·      Assessing the risk-return trade-off associated with these risks;
·      Establishing limits for the level of exposure to a particular risk or combination of risks; and Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

How to do Risk Management in Lean Times

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transfered to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can be a very time consuming part of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.

These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.