Risk managers have a difficult job, anticipating risk events and interpreting how they interact and aggregate with internal exposures. Emerging risks play a key role in this analysis. One such emerging risk, Solar Storms, is much more than just pretty northern lights. An impactful solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported. Just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we do in this podcast.
A deep dive into the risk selected as the Most Dangerous of 2023. We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses. In addition, we also invert the question and consider what would cause future inflation to be very low. By Dave Ingram and Max Rudolph.
Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.
This podcast refers to an article “Risk Intelligence” in the magazine Contingencies. You can read that article here.
As humans encroach on new ecosystems, diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph.
Over 200 respondents in the Dangerous Risks to Insurers Survey reordered the top risks, with Inflation swapping with Cybersecurity and cybercrime, and Global/National recession moving into the top 5 at #3.
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.
A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions.
We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than a “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.
When you encounter vastly different risk taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.
Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.
Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.
Here are abstracts and links to the existing documents:
(1) Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
(2) Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
(3) The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
(4) An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
(5) An Adaptor Strategy for Enterprise Risk Management (Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
(6) Adaptor Exceptionalism: Structural Change & Systems Thinking, March 2022, RISKVIEWS. Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
(7) Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!
Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).
Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).
With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.
Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.
To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.
Types of Risk Models
There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.
Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.
Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.
Some methods may fit a particular situation, company, or philosophy of risk better than others.
Factor-Based Models
Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.
The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.
Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.
The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as are A.M. Best’s BCAR score and S&P’s Insurance Capital Model.
Stress Test Models
Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:
Worst company results experienced in last 20 years
Worst results observed across peer group in last 20 years
Worst results across peer group in last 50 years (or, 20% worse than stage 2)
Magnitude of stress-to-failure
Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.
High-Level Stochastic Models
Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.
Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.
A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.
Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.
Detailed Stochastic Models
Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.
Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.
Multi-Year Strategic Models with Active Management
In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.
And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.
For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.
Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.
Key Questions and Decisions
Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:
What are the issues to be aware of when creating or refining our model?
What software offers the most appropriate platform?
What data will we need to collect?
What design choices must we make, and which selections are most appropriate for us?
How best can we aggregate risk from different sources and deal with interdependency?
There are so many risk metrics that can be used to determine risk capital – Value at Risk, Tail Value at Risk, Probability of Ruin, etc. – what are their implications, and how can we choose among them?
How should this coordinate with catastrophe modeling?
Will our model actually help us to answer the questions most important to our firm?
What are best practices for validating our model?
How should we allocate risk capital to business units, lines of business, and/or insurance policies?
How should we think about the results produced by our model in the context of rating agency capital benchmarks?
Introducing a risk capital model may create management issues – how can we anticipate and deal with these?
In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?
Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?
Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?
The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.
In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.
It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.
In 2005, Standard & Poor’s called the process “Strategic Risk Management”.
“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”
The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.
At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.
Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.
There are several common activities that may support the macro-level risk exploitation.
Economic Capital: Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.
Risk-adjusted product pricing: Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.
Capital budgeting: The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.
Risk-adjusted performance measurement (RAPM): Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.
For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.
Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.
Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.
Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.
Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.
The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.
Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.
This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.
Pitfalls of Risk Reward Management
In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.
Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.
Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
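The sensitivity of modeled capital to the correlation assumption can be seen with a small version of the high-level stochastic model described earlier. The following is an added example, not code from the original articles: the four risk sources are the ones named in the text, while the volatilities, the one-factor Gaussian dependence structure and the 99.5% level are assumptions chosen for illustration.

```python
import math
import random

# Constructed stand-alone volatilities: std. dev. of annual loss versus plan,
# in $m. The risk sources come from the text; the numbers are assumptions.
RISK_SIGMA = {"underwriting": 40.0, "reserve": 30.0, "asset": 50.0, "credit": 20.0}
Z_995 = 2.5758  # 99.5th percentile of the standard normal distribution


def simulate_total_losses(rho, n_sims=20000, seed=2023):
    """Simulate total loss with a one-factor Gaussian model (an assumption).

    Each source i gets X_i = sqrt(rho)*M + sqrt(1-rho)*E_i, so every pair of
    sources has correlation rho: 0 is independence, 1 is full lockstep.
    """
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must be between 0 and 1")
    rng = random.Random(seed)
    a, b = math.sqrt(rho), math.sqrt(1.0 - rho)
    totals = []
    for _ in range(n_sims):
        common = rng.gauss(0.0, 1.0)  # shared driver, e.g. a market-wide crisis
        total = 0.0
        for sigma in RISK_SIGMA.values():
            total += sigma * (a * common + b * rng.gauss(0.0, 1.0))
        totals.append(total)
    return totals


def var_and_tvar(losses, level=0.995):
    """Return (Value at Risk, Tail Value at Risk) at the given level."""
    ordered = sorted(losses)
    cut = int(math.ceil(level * len(ordered))) - 1
    tail = ordered[cut:]
    return ordered[cut], sum(tail) / len(tail)


def analytic_var(rho):
    """Closed-form 99.5% VaR for the same model, used to check the simulation."""
    sum_sq = sum(s * s for s in RISK_SIGMA.values())
    sum_all = sum(RISK_SIGMA.values())
    return Z_995 * math.sqrt((1.0 - rho) * sum_sq + rho * sum_all ** 2)


def capital_report(rhos=(0.0, 0.25, 1.0)):
    """Capital and diversification benefit under each correlation assumption."""
    standalone = Z_995 * sum(RISK_SIGMA.values())  # simple sum, no diversification
    report = {}
    for rho in rhos:
        var, tvar = var_and_tvar(simulate_total_losses(rho))
        report[rho] = {
            "var": var,
            "tvar": tvar,
            "analytic_var": analytic_var(rho),
            "diversification_benefit": standalone - var,
        }
    return report


if __name__ == "__main__":
    for rho, row in capital_report().items():
        print(f"rho={rho:.2f}  VaR={row['var']:.0f}  TVaR={row['tvar']:.0f}  "
              f"benefit vs. sum of stand-alone={row['diversification_benefit']:.0f}")
```

With these constructed inputs, the capital figure at a correlation of one is nearly double the figure under independence, which is the size of the gap that a decision justified by low correlations is relying on.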
At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.
Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.
There are seven distinct steps in the typical risk control cycle:
Identify Risks – Choose which risks are the key controllable risks of the company
Assess – Examine what are the elements of the risks that need (or can be) controlled
Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
Take Risks – Conduct the primary function of an insurance company
Mitigate – Take actions to keep the risks within limits
Monitor – Determine how risk positions compare to limits and report
Respond – Decide what actions to take if risk levels are significantly different from plan
Risk Control Cycle
The Complete Risk Control Process
A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.
Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”.
Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits.
Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting).
Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints. The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken, which is the vital Respond stage in the risk control cycle.
Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances. Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while others have become more expensive and/or riskier and limits need to be lowered.
Assess risks: And the cycle starts again
The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.
Gaining the Greatest Benefit from the Risk Control Cycle
Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits that are at a level that matters and that are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.
But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.
Risk Identification is widely acknowledged as the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!
Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.
This is an iterative process that refines management’s understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk:
For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little or less credibility to an ORSA report if this ownership of ERM isn’t in place.
A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.
This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.
By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.
Risk Control Cycle
Step 1: Identify All Significant Risks
Risks must be identified in order to:
Ensure that the full range of significant risks is encompassed within the risk management process
Develop processes to measure exposure to those risks
Begin to develop a common language for risk management with the company
Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:
Relevance to the insurer’s activities
Impact on the insurer’s financial condition
Ability to manage separately from other risks
The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.
The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.
For example:
Underwriting Risk
Market Risk
Operational Risk
Credit/Default Risk
Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.
The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.
Step 2: Understand Each Risk Exposure
It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.
In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.
Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.
The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.
Step 3: Evaluate
The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:
Estimating the frequency of loss events, e.g., low, medium, and high
Estimating potential severity of loss events, e.g., low, medium, and high
Considering offsetting factors to limit frequency or severity of losses and understand potential control processes
Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation.
Step 4: Prioritize
The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.
The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.
From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.
This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks:
The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
Regulatory Emphasis
Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.
Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.
ORSA Guidance Manual
This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.
That document provides a definition for risk identification and prioritization:
[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels
For the EU, the Solvency II ORSA requires that solo undertakings provide:
[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.
In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.
Insurance Core Principles (ICP)
The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.
Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.
It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.
The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.
The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries is overseeing an online survey to help understand individual risk managers’ perspectives on emerging risks. We value your insights and invite you to participate in this annual survey. Please complete this survey by Nov. 23rd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at jschuh@soa.org.
Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.
When risk management is successful, there is no bell that rings. There are no fireworks. Usually, a successful risk management moment is evidenced by a lack of big surprises.
But most days, big surprises do not happen anyway.
So if risk managers want to be appreciated for their work, they have to do much more than just show up. They need to build up the story around what a very good day looks like.
One such story would be that a very good day might happen when the world experiences a major catastrophe. A catastrophe that is in the wheelhouse of the firm. And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
In 2011, there were major earthquakes in New Zealand, Japan and Chile. One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year. They credited that result to a risk management process that had them limiting their exposure to any one zone. A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.
With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!
RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog. Thanks to our readers whose clicks resulted in their selection.
Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS’ time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM makes it difficult to reconcile spending time and money on risk management.
What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies, and of how the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.
Firms that have existed for any length of time are likely to have risk management. Some of it was there from the start and the rest evolved in response to experiences. Much of it is very efficient and effective while some of the risk management is lacking in either efficiency or effectiveness. But some of the risk management that they might need is either missing or totally ineffective. It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm. Risk management happens in the background. It may be done without thinking. It may be done by people who do not know why they are doing it. Some risks of the firm are very tightly controlled while others are not. But the different treatment is not usually a conscious decision. The importance of risk management differs greatly in the minds of different people in the firm and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm. The proponents of carefully managed risk may be thought of as the business prevention department and they are commonly found to be at war with the business expansion department.
Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management. Those advantages are:
Transparency
Discipline
Alignment
ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm. ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk. The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.
Transparency is like the math teacher you had in high school who insisted that you show your work. Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer. When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing. Transparency means the same sort of thing with ERM. It means showing your work. If you do not like having to slow down and show your work, you will not like ERM.
ERM is based upon setting up formal risk control cycles. A control cycle is a discipline for assuring that the risk controlling process takes place. A discipline, in this context, is a repeatable process which, if consistently followed, can be expected to produce more reliable and consistent outcomes.
A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline. A school team may have a little talent or a lot and some school teams have some discipline as well. A professional sports team usually has plenty of talent. Often professional teams also have some discipline. The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league. Discipline allows the team to consistently get the best out of their most talented players. Discipline in ERM means that the firm is more likely to be able to expect to have the risks that they want to have.
ERM is focused on Enterprise Risks. In RISKVIEWS’ mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans. Enterprise Risks need to be a major consideration in setting plans. Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.
To use another sports analogy, picture the football huddle where the quarterback says “OK. Everyone run their favorite play!” Without ERM, that is what is happening, at least regarding ERM at some companies.
Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.
The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.
This is the Hierarchy Principle as it applies to ERM. It is one of the two or three most important principles of ERM. Why then, you might ask, haven’t we ever heard about it before, even from RISKVIEWS?
But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.
You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.
Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
Jerome Kerviel at Soc Gen was doing the same.
The London Whale at JP Morgan is also said to have done that.
On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board. Many people suggest that the CRO should have stopped that. But RISKVIEWS believes that the Hierarchy Principle was satisfied.
ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions. If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.
ERM does not prevent mistakes or bad judgment.
What ERM does that is new is that
it works to systematically determine the significance of all risk decisions,
it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.
ERM does not manage the firm. ERM helps management to manage the risks of the firm mainly by providing information about the risks.
So why have we not heard about this Hierarchy Principle before?
For many years, ERM has been fighting to get any traction, to have a voice. The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers. A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.
ERM now receives a major push from regulators, to a large extent from the ORSA. In writing, the regulators do not require that ERM elevate all risk decisions. But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.
Just one more way that the regulatory support for ERM will speed its demise. If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.
The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers. It runs April 23 and 24.
This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:
Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
For the most significant headlines during the past year, how was the risk management function involved?
Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
What are the lessons that have been learned and how are they shaping risk management today? If not, why?
Does risk management have a seat at the table, at the correct table?
Are risk managers as empowered as they should be?
Is risk management asking the right questions?
Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?
On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.
Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.
The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors. Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services. This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).
Riskviews will be a speaker at three sessions out of more than 20 offered:
Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understood the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
Unintended consequences may be lost/hidden in the maze of complexity, thereby magnifying the potential impact of future events.
The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
Actuarial Professional Risk Management – The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
Enterprise Risk Management in Financial Intermediation – This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.
A. Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)
B. The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an integrated approach to assessing and controlling risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our liquidity management. (Swiss Re)
C. We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)
D. Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.
E. AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
· Understanding which risks the company is able to underwrite;
· Assessing the risk-return trade-off associated with these risks;
· Establishing limits for the level of exposure to a particular risk or combination of risks; and
· Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.
F. The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.
G. QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.
H. The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)
I. Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.
J. The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)
The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.
The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.
So risk managers are being asked to do more and more with less and less.
Here are some tips for how to manage to meet expectations without crashing the budget:
Identify the area or activity that now has the most expensive risk oversight process. Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits. Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
Get more people involved in risk management. This seems counter to the idea of decreasing costs of risk management, but in fact it can work well. Study the things that the risk management staff is spending time on and determine which of those activities can be transferred to the business unit staff who can do the oversight on a very part time basis. Your risk management staff can then shift to periodic review of their activities instead. This should be promoted as a natural evolution of risk management. Ultimately, the business units should be managing their own risk anyway.
Find out which risk reports are not being used and eliminate them. Constructing management information reports can take up a great deal of your staff’s time. Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in inboxes.
Reduce staff support for risk management in areas where activity levels are falling. It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
Leverage outside resources. In fat times, you may be declining free support from vendors and other business partners. In lean times, they may be even more happy to provide their support. Just make sure that the help that they give supports your needs.
Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business. See recent post on model accuracy.
Expand your own personal capacity by delegating more of the matters that have become more routine. There is a natural tendency for the leader to be involved in everything that is new and important. Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly. Let go. Make sure that you have the time that will be needed to take up the next new thing. Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.
These are all the sorts of things that every manager in your firm should be thinking about. Risk managers should be doing the same sorts of thinking. You and your function are another natural part of the business environment of the firm. You will not be immune from the pressures of business, nor should you expect to be.
In a recent post, RISKVIEWS stated six key parts to ERM. These six ideas can act as the outline for describing an ERM Program. Here is how they could be used:
1. Risks need to be diversified. There is no risk management if a firm is just taking one big bet.
REPORT: Display the risk profile of the firm. Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past. Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions.
2. Firm needs to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
REPORT: Display the risk quality of the firm. Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes. Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.
3. A control cycle is needed regarding the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
REPORT: The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached. A record of breaches should also be shown. (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.) Emerging risks should have their own control cycle and be reported as well.
4. The pricing of the risks needs to be adequate. At least if you are in the risk business like insurers, for risks that are traded. For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.
REPORT: For General Insurance, this means reporting combined ratio. In addition, it is important to show how risk margins are similar to market risk margins. Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest. This is accomplished by mark-to-market accounting for investment risks. Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins. This should be clearly reported, as well as the reasons for that activity.
5. The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks. This involves risk reward management.
REPORT: Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks. This process has its own control cycle. The reporting for this control cycle should be similar to the process described above. This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.
6. The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.
REPORT: Losses can be shown in four layers: expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital, and losses that exceed capital. The likelihood of losses in each of those four layers should be described as well as the reasons for material changes. Some firms will choose to report their potential losses in two layers: expected losses and losses that reach a certain likelihood (usually 99.5% in a year or similar likelihood). However, regulators should have a high interest in the nature and potential size of those losses in excess of capital. The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.
Actuarial Review of Enterprise Risk Management Practices –
A Working Group formed by The Enterprise and Financial Risks Committee of the IAA has started working on a white paper to be titled: “Actuarial Review of Enterprise Risk Management Practices”. We are seeking volunteers to assist with writing, editing and research.
This project would set out a systematic process for actuaries to use when evaluating risk management practices. Actuaries in Australia are now called to certify risk management practices of insurers, and the initial reaction of some actuaries was that they were somewhat unprepared to do that. This project would produce a document that could be used by actuaries and could be the basis for actuaries to propose to take on a similar role in other parts of the world. Recent events have shown that otherwise comparable businesses can differ greatly in the effectiveness of their risk management practices. Many of these differences appear to be qualitative in character and centered on management processes. Actuaries can take a role to offer opinion on process quality and on possible avenues for improvement. More specifically, recent events seem likely to increase emphasis on what the supervisory community calls Pillar 2 of prudential supervision – the review of risk and solvency governance. In Solvency II in Europe, a hot topic is the envisaged requirement for an ‘Own Risk and Solvency Assessment’ by firms and many are keen to see actuaries have a significant role in advising on this. The International Association of Insurance Supervisors has taken up the ORSA requirement as an Insurance Core Principle and encourages all regulators to adopt it as part of their regulatory structure. It seems an opportune time to pool knowledge.
The plan is to write the paper over the next six months and to spend another six months on comment & exposure prior to finalization. If we get enough volunteers the workload for each will be small. This project is being performed on a wiki which allows many people to contribute from all over the world. Each volunteer can make as large or as small a contribution as their experience and energy allows. People with low experience but high energy are welcome as well as people with high experience.
Volunteers are needed to help to make this into a real resource. Over 200 books, articles and papers have been identified as possible resources ( http://ermbooks.wordpress.com/lists-of-books/ )
Posts to this website give a one paragraph summary of a resource and identify it within several classification categories. 15 examples of posts with descriptions and categorizations can be found on the site.
Volunteers are needed to (a) identify additional resources and (b) write 1 paragraph descriptions and identify classifications.
If possible, we are hoping that this site will ultimately contain information on the reading materials for all of the global CERA educational programs. So help from students and/or people who are developing CERA reading lists is solicited.
Participants will be given author access to the ermbooks site. Registration with wordpress at www.wordpress.com is needed prior to getting that access.
Please contact Dave Ingram if you are interested in helping with this project.
If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things to successfully manage risks are being done, and done now, not sometime in the distant past.
A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks. The pilot will review:
the route of flight
weather at the origin, destination, and enroute.
the mechanical status of the airplane
mechanical issues that may have been improperly logged.
the items that may have been fixed just prior to the flight to make certain that system works
the flight computer
the outside of the airplane for obvious defects that may have been overlooked
the paperwork
the fuel load
the takeoff and landing weights to make sure that they are within limits for the flight
Most of us do not do anything like this when we get into our cars to drive. Is this overkill? You decide.
When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.
Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process. One that RISKVIEWS would recommend to be used by risk managers.
THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT
Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.
1. Risks need to be diversified. There is no risk management if a firm is just taking one big bet.
2. Firm needs to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
3. A control cycle is needed regarding the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback
4. The pricing of the risks needs to be adequate. At least if you are in the risk business like insurers, for risks that are traded. For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.
5. The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks. This involves risk reward management.
6. The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.
A firm ultimately needs all six of these things. Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.
The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things. Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.
Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted.
Here they are:
What is the firm’s risk profile?
How much time does the board spend discussing risk with management each quarter?
Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
What outside the box risks are of concern to management?
What is driving the results that you are getting in the area with the highest risk adjusted returns?
Describe a recent action taken to trim a risk position?
How does management know that old risk management programs are still being followed?
What were the largest positions held by the company in excess of the risk limits in the last year?
Where have your risk experts disagreed with your risk models in the past year?
What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?
They never came back and asked for the answer key. Here it is:
There are a number of issues relating to this question. First of all, does the insurer ever trim a risk position? Some insurers are pure buy and hold. They never think to trim a position, on either side of their balance sheet. It is quite possible that the CEO might not know that terminology, but the CFO should. And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time. If not, then they may just have so much excess capital that they never have felt that they had too much risk.
Another issue is whether the CEO and CFO are aware of risk position trimming. If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks. Again, that is not such a good sign. It either means that their staff never takes any significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.
Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit. That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.
In addition, risk positions might need trimming for several other reasons. A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model. Firms that operate hedging or ALM programs could be taking trimming actions at any time. Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.
And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk. A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.
So a firm with a good ERM program might be telling any of those stories in answer to the question.
They never came back and asked for the answer key. Here it is:
1. The first step in real risk management is to be able to think of the firm from a risk point of view. Any CEO can do that from a sales point of view and from a profits point of view. They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line. Those statistics are a part of the sales profile and the profits profile. A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile. Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet. So this question is first and most important. The CEOs who are most likely to be unable to answer this question are the leaders of larger more complex companies. The investor needs to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business. Risk really is a key issue. A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to. That may work out fine for the company and the investors. If they are lucky.
Risk has traditionally been a minor part of strategy discussions in many firms.
Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion. As quickly as possible, the planners shift into concentrating on discussion of Opportunities. That is what they are there for anyway – Opportunities.
Utility theory and the business education that flows from utility theory suggest very little consideration of risk. Not none at all, but very little. Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good. That is one spot where risk creeps in. In addition, risk might also be reflected as an externality – the capital required by a regulator or ratings agency.
Financial economics came along and offered a more complicated view of risk. Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.
Risk management suggests a completely different and potentially contradictory approach.
The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection. The internal risk appetite becomes the constraint instead of the external capital constraint. For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch. But often it actually is not.
The boards and management of most firms have failed to choose their own risk appetite constraint.
Riskviews believes that this is because the folks who have spent their entire careers under an external constraint system are ill equipped to set their own limits. They do not have the experience with trial and error of setting risk appetite, unlike the long experience that they have with most of their other management decisions. For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail. When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.
Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision. And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.
And as the discussion at the start of this post states, the business education did not include risk appetite either.
But there are other ways that risk can be incorporated into the planning and strategy.
Risk Profile. A part of the statement of the impact that the plan will have on the company should be a before and after risk profile. This will show how the plan either grows the larger risks of the firm or diversifies those risks. Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm. The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended. That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type. By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan. They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective. And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
Risk management view of gains and losses. Planning usually starts with a review of recent experience. The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedance probability from the risk models. This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
Risk Controls review. Each risk operates within a control system. The above review of recent experience should include discussion of whether the control systems worked as expected or not.
Risk Pricing review. The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type. Comparison to a neutral index could be considered as well. With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.
Some management groups will be much more interested in one or another of these approaches. The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy. Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.
In some situations, things go better if you can explain them in plain language. In others, having lots and lots of unintelligible pseudo scientific jargon is what is needed.
If your situation is the former and someone wants to know about risk management, tell them
PaPaTaCom
That is short for:
Plan Ahead
Pay Attention
Take Action
Communicate
Really, that is what is involved in risk management. Saying it is very, very simple. Doing it is difficult.
Plan Ahead means that you need to know in advance how much risk you expect to take and how much more or less than that you are willing to take. Very easy to say, but not very easy to do. But maybe if you just say it in plain language like this, instead of calling it risk appetite and risk tolerance, folks will understand and do that.
Pay Attention means that you need to know at all times, how much risk you are actually taking and how that compares to your plan. It means that you really do know what your risks are and what your plan is.
Take Action means that if your plan says that you actively manage your risks as you go along, you actually do that. If your risk positions grow much faster or much slower than your plan, you do something about that also. Take action means that you never just sit there unless that is what you planned to do. (See Risk Management Entertainment System)
Communicate means that everyone tells each other what is planned, what they find when they are paying attention and what they do when they are taking action.
All of the fancy words around risk management are all a long winded and complicated way to say these four simple ideas.
But if your risks are complicated, as many, many organizations’ risks are, then this is only simple to say but never simple to do.
If your risks produce troublesome losses infrequently, it is very difficult to tell how much risk that you can or want to take. It is also difficult to tell what your risk actually is at any point in time. It is difficult to know whether to do something or not. And so it sometimes seems like there is nothing that needs to be communicated.
If your risks are complicated and variable, then it is also difficult. Knowing how much risk that you have been taking is slippery. Knowing how much you might want to take is difficult and paying attention, that is measuring, is also tricky. Taking actions might just fix one aspect of a risk and expose you to a large dose of another aspect (see Risk and Light). So what exactly do you communicate?
So these simple words do not help very much. Because even if you can tell the boss that risk management is easy to describe, you will be in big trouble when it is not easy to do.
So this is perhaps another one of those posts that you might have been better off if you did not read……
But what should you do SECOND? The list of ERM practices is long. Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.
And you want to make sure that you avoid Brick Walls and Touring Bikes.
But the Second Step is not a practice of ERM. The Second Step is to identify the motivation for risk management. As mentioned in another post, there are three main motivations: Compliance, Capital Adequacy and Decision making.
If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.
If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.
If Decision making is the motivation, then the process becomes somewhat more involved. Start with identifying the risk attitude of the firm. Knowing the risk attitude of the firm, the risk management strategy can then be selected. Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.
This process has been described in the post Risk Attitudes and the New ERM Program.
But knowing the motivation is key. A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM. They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..
And then hit a brick wall.
That is because they did not clearly identify the motivation for their appointment to be the risk management officer. The term ERM actually means something totally different to different folks. Usually one of the three motivations: Compliance, Capital Adequacy, or Decision Making.
A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices. A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement. Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.
The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.
Most modern cruise ships feature the following facilities:
Casino – Only open when the ship is in open sea
Spa
Fitness center
Shops – Only open when ship is in open sea
Library
Theatre with Broadway style shows
Cinema
Indoor and/or outdoor swimming pool
Hot tub
Buffet restaurant
Lounges
Gym
Clubs
Keep that contrast in mind when you are making your plans for a new ERM system.
In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.
The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:
Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.
Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.
Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.
A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.
To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.
Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.
The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.
The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.
Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.
Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM. What is most commonly seen is that COSO-based ERM systems have a few characteristics in common:
They usually take at least a year to implement phase 1. By the end of that year, no actual improvements or changes to actual risk treatment activities take place. The most common product of that year’s efforts is a risk register.
The risk register usually contains at least 100 risks. Many of these systems have closer to 200 risks identified.
Top management is completely baffled about why they need to spend their time paying any attention to such activity. If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.
The COSO process seems to be totally a Loss Controlling approach to ERM. This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach. That is another way of saying that COSO does not fit well with insurance company management approaches.
ISO 31000 is a new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years. The following post gives a discussion of the differences between the two.
ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach. It seems to seek to be in the Risk Steering camp, which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.
Riskviews' main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.
ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System. Sadly, this is not a joke. Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.
That is a major problem with detailed prescriptive systems like ISO 31000. While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.
In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and make the right moves so that exposures to those risks are of the size that they would choose. Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.
And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.
‘No institution, including our own, should be too big to fail’. Jamie Dimon
‘We did eat our own cooking – and we choked on it’. Brian Moynihan
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Sun Tzu
“We focus on risk before we focus on return. The best investors do not target return. They focus first on risk.” Seth Klarman
Barings was always described as this wake up call that nobody would ever forget, but the fact is, only lip service was ever played to the fact that risk management needed to improve. Nick Leeson (in 2009)
Information about causation, even if imperfect, is powerful. It is ignored in the frequentist approach at a great loss for the risk manager. Organizing one’s understanding about how the world might work into a coherent and tractable analytical probabilistic framework is not an easy task. Ricardo Rebonato
Fill your bowl to the brim and it will spill. Lao Tzu
The essential problem is that our models—both risk models and economic models—as complex as they have become, are still too simple to capture the full array of critical variables that govern global economic reality. Alan Greenspan
Economies are in greatest peril not when investors willfully take crazy financial risks but when no one seems to perceive risk and the need to insulate the economy from it. Nicole Gelinas
“What one does see, again and again, in the history of financial crises is that when an accident is waiting to happen, it eventually does.” Reinhart & Rogoff
We are pleased to announce the fourth global webinar on enterprise risk management. The programs are a mix of backward and forward looking subjects as our actuarial colleagues across the globe seek to develop the science and understanding of the factors that are likely to influence our business and professional environment in the future. The programs in each of the three regions are a mix of technical and qualitative dissertations dealing with subjects as diverse as regulatory reform, strategic and operational risks, on one hand, and the modeling on tail risks and implied volatility surfaces, on the other. For the first time, and in keeping with our desire to ensure a global exchange of information, each of the regional programs will have presentations from speakers from the other two regions on subjects that have particular relevance to their markets.
For more information and to register: http://www.soa.org/professional-development/event-calendar/event-detail/erm-economic/2011-01-12/default.aspx
That’s how many different pageviews there have been of Riskviews in the first year of operation as a blog. The best month in that first year was the last month, July 2010.
Thanks. This will continue.
Riskviews is one of 141 million blogs operating on the web. Riskviews has stayed on its theme of Risk and Risk Management. There were approximately 4 new posts per week over that first year. Thanks to the many people who provided guest posts and especially to the “Regular Contributors”
To celebrate this first anniversary of the start of the blog, I decided to feature one post from each month of that first year:
All Things Being Equal (January 2010) Talks about the danger that arises because the “standard assumptions” are rarely stated, let alone tested for validity.
Burn out, Fade Away …or Adapt (February 2010) The landscape of risk keeps changing. Risk management needs to be adaptable if the firm is going to survive over the long run.
Is ERM Ethical? (March 2010) Tries to tie risk management and other points of view commonly found within firms to different schools of ethics, rather than to “right and wrong”.
Window Dressing (May 2010) Suggests an alternative basis for determining regulatory capital.
Regulatory Risk Management (June 2010) The extreme pitfalls of a high degree of regulatory involvement in risk management.
Crippling Epistemology (July 2010) Be careful that that expensive and impressive risk information system does not actually obscure the information needed to make risk decisions.
There are four different Risk Attitudes that are found among business managers:
Conservators who are concerned that the environment is extremely risky and they must be very careful.
Maximizers who believe that the environment is fairly benign and that they need to take risk to be rewarded.
Managers who believe that the environment is risky but can be managed with the help of experts.
Pragmatists who do not know whether things are risky or not because they do not believe that anyone can know the future.
Now you are tasked with creating a new ERM program for your firm. How can you use knowledge of these Risk Attitudes to help you?
The first thing to do is to recognize which of those four attitudes predominates in the decision-making of your firm.
This question is a little tricky, because that is not the same thing as the Risk Attitude of the head of the firm in all cases. Good leaders may choose a path for their firm that is based upon the capacities and circumstances of the firm, even if they might prefer a different strategy if they were blessed with unlimited resources and no constraints.
But in the end, you can look at the decisions of the firm over a period of time and discern which Risk Attitude is driving firm decisions and orient the new ERM program to the predominant Risk Attitude.
If the predominant risk attitude is Conservator, then the first place to take your ERM program is to worst case losses. The risk management system can be based upon a series of stress tests, where the stresses are worst cases. The exposure to these worst cases can be added up and reported regularly. A limit system can be established based upon these worst case exposures to make sure that the exposure does not accidentally get any higher. Hedging and reinsurance programs should be considered to reduce the extent of these losses. Risk management decisions will always be made with loss potential in mind.
If the predominant risk attitude is Maximizer, then the risk management system should be focused on sales. The risk reports will be risk weighted sales reports. In addition, they should clearly show the amount of profit margin in the sales so that the risk weighted sales can easily be compared to the profit margin. Maximizers will want to make sure that the company is getting paid for the risk that it takes. Note that there are two kinds of Maximizers. Those who believe that you can lose a dollar per thousand and make it up on volume and those who believe that a sale without a profit is not a sale. Stay away from the first type. A company run by them will not last long. Risk management decisions will always be made with revenue in mind.
If the predominant risk attitude is Manager, then the risk management system will sooner or later be based upon an Economic Capital Model. As the model is built, you can start to build the systems and reports that will work off of the model for capital budgeting, product pricing, risk reward monitoring and risk adjusted incentive compensation. The Managers will very much want to form a risk tolerance for the firm and to base the risk limits off of the tolerance and to create a process for monitoring those limits. Risk adjusted return is the banner for Managers.
If the predominant risk attitude is Pragmatist, then the risk management system will need to focus first on the spread of risk. Reports will show the degree to which the firm holds very different risks. Otherwise, risk reports will need to be flexible. The Pragmatists will irregularly be changing their minds about what they think might be most important to pay attention to about risk. And whatever is the important topic of the moment, the risk reports need to be there to probe very deeply into that topic. Pragmatists will want a deep dive on the hot risk topic of the day and will have a very hands-on approach to decision making about that issue.
Sounds confusing. But get it wrong and you will find that the key decision makers will quickly lose interest. Imagine putting the information desired by the Conservators in front of a Maximizer. Or putting the details desired by a Pragmatist in front of a Manager who wants things summarized into neat packets of information. Get it wrong and you are done for.
It is easy to blame CROs (Chief Risk Officers) and ERM (Enterprise Risk Management) for the impact of the crisis on companies, but such blame is often unfair and disingenuous. In few companies did CROs have the power to prevent the execution of strategies that, although fraught with risk, were pursued to deliver on investor profit expectations and management incentive targets.
The primary objective of crisis mitigation must be to realign risk exposures with risk bearing capital and to improve capital adequacy. Realigning exposures with capital (and implied “risk capacity”) enhances insurance strength ratings and the confidence of investors and customers. Without such confidence, a company’s business and franchise would erode rapidly.
In response to the present crisis, many companies improved capital adequacy by (a) cutting expenses, (b) decreasing dividend payments, (c) discontinuing share repurchase programs, and (d) selling assets and non-strategic operating subsidiaries, all to preserve or increase capital. There are few buyers during a crisis, however, and so divestitures and asset sales are at lower prices than in normal times (e.g. sale of HSB Group by AIG) and are therefore very expensive sources of capital.
Realignment strategies also involve retrenchment from businesses with substandard returns on capital. Typical outcomes are: (a) sales of blocks of business and renewal rights, (b) cessation of certain coverage types, (c) sales of entire subsidiaries, (d) changes in underwriting limits, terms, and exclusions, (e) reinsurance strategies, etc. ERM risk analysis models provide a basis for assessing the relationship between capital needs and value contributions of various businesses. Without that assessment, it is hard to align risk exposures with available capital.
Estimates of capital requirements based on risk measures over a one-year horizon (typical of solvency regulations) are not credible during a crisis because they assume that fresh “recovery” capital can be raised. Rating agencies, regulators, and investors, however, know that many solvent companies cannot raise fresh capital during a crisis. Capital is only adequate if it can sustain the company’s operations on a “going concern” basis in the absence of access to recovery capital, but with credit for capital generated internally.
Companies need robust insights from ERM to assess their capital needs (on or off balance sheet, including contingent capital) and to develop effective mitigation strategies. Their ERM must:
Measure capital consumption by activity and risk type
Identify the relative value creation of individual businesses, with appropriate recognition for differences in risk
Demonstrate the impact and future value creation of alternative retrenchment strategies
Through such ERM informed views of capital utilization, capital adequacy, and value creation, insurance companies can chart effective strategies to restore their capital adequacy and mitigate the impact of crises.
In the recent post, Rational Adaptability, four types of ERM programs are mentioned. One of those four types of ERM is Diversification.
The fourth type of ERM program focuses on Diversification.
Modern practitioners may not agree that a program of Diversification IS in any sense a risk management program. But in fact it has been one of the most successful risk management programs.
Think about it. Dollar Cost Averaging is fundamentally a Diversification based risk management program. The practitioner is admitting that at any point in time, they do not know which risk is better or worse than another. So they rebalance to eliminate the concentration that has crept into their portfolio.
A diversification risk strategy would also mean taking very different risks. Firms that focus on a true Diversification strategy will be regularly moving into entirely new businesses. They are not seeking the mathematical diversification of the Managers with their Risk Steering that tries to take advantage of similar risks that are not totally correlated. Firms that follow the Diversification strategy want risks that are totally unrelated. Soap and machine parts. Their business choices may seem totally insane to the tidy Managers.
Diversification can be shown to provide two benefits for the firm that practices it. First, they will seek to avoid having too much at risk in any one situation or company. So avoiding concentration is their prime directive. Second, there is an upside benefit as well. Since they are involved in many different markets, they feel that they are likely to be in at least one and possibly two hot products or markets at any one time. Unsuccessful practitioners of this strategy will find that they have found a way to buy into different risks that are all duds at the same time.
The practitioners of this strategy will also tend to adopt the same sort of approach to the day to day work of their risk management program. That would be the “high attention, low delegation” approach. The conglomerates that operate in this manner will have frequent meetings between the managers and the people at the top of the conglomerate, possibly even with the top person. Warren Buffett (Berkshire Hathaway) and Jack Welch (GE) are two examples of this high touch style, as is Hank Greenberg (AIG).
Seems pretty simple. Mix it up and pay attention.
A few firms have managed to combine the high tech economic capital modeling approach with a Diversification ERM system. In those firms, they have strict concentration limits requiring that at most a small percentage of their economic capital ever be from any one risk. One such firm will never take on any large amount of any one risk unless they are able to grow all of their other risks.
It seems that Solvency II is perfectly designed to reproduce the conditions that led US banks to believe that they were impervious to risks. They and the regulators believed that they knew what they were doing with regard to Risks and Risk Management.
In 2004, the US Federal Reserve allowed investment banks to cut their capital levels by 2/3, tripling their potential leverage! Not to worry, they knew how to manage risk.
European insurers are all being told that they need to have economic capital models to manage risks. A few firms have had these models for more than five years now. Those models tell us that those firms can reduce their capital by a third or more.
But everyone leaves out of their thinking two important things that will always happen.
The first is called the Peltzman effect by economists. John Adams calls it the Risk Thermostat effect. In both cases, it means that when people feel risk decreasing due to safety measures, they often respond by increasing the riskiness of their behaviors. So the success of Solvency II will make some firms feel safer and some of them will take additional risks because of that.
The second effect is what I call the Law of Risk and Light. That says that you will accumulate risks wherever you are not looking out for them. So anywhere that there is a flaw in the Economic Capital model, the activity that accentuates that flaw will look like the best, most desirable business to be in.
But read Maggid’s post. He provides some actual analysis to support his argument.
In the recent post, Rational Adaptability, four types of ERM programs are mentioned. One of those four types of ERM is Risk Steering.
If you ask most actuaries who are involved in ERM, they would tell you that Risk Steering IS Enterprise Risk Management.
Standard & Poor’s calls this Strategic Risk Management:
SRM is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies. The insurer who is practicing SRM will use their risk insights and take a portfolio management approach to strategic decision making based on analysis that applies the same measure for each of their risks and merges that with their chosen measure of income or value. The insurer will look at the possible combinations of risks that it can take and the earnings that it can achieve from the different combinations of risks taken, reinsured, offset, and retained. They will undertake to optimize their risk-reward result from a very quantitative approach.
For life insurers, that will mean making strategic trade-offs between products with credit, interest rate, equity and insurance risks based on a long-term view of risk-adjusted returns of their products, choosing which to write, how much to retain and which to offset. They will set limits that will form the boundaries for their day-to-day decision-making. These limits will allow them to adjust the exact amount of these risks based on short-term fluctuations in the insurance and financial markets.
For non-life insurers, SRM involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices. Non-life SRM practitioners recognize the significance of investment risk to their total risk profile, the degree or lack of correlation between investment and insurance risks, and the fact that they have choices between using their capacity to increase insurance retention or to take investment risks.
Risk Steering is very similar to Risk Trading, but at the Total Firm level. At that macro level, management will leverage the risk and reward information that comes from the ERM systems to optimize the risk reward mix of the entire portfolio of insurance and investment risks that they hold. Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk adjusted return. This can be done as part of a capital budgeting / strategic resource allocation exercise and can be incorporated into regular decision making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all of the time.
There are several common activities that may support the macro level risk exploitation:
Economic Capital. Realistic risk capital for the actual risks of the company is calculated for all risks and adjustments are made for the imperfect correlation of the risks. Identification of the highest concentration of risk as well as the risks with lower correlation to those higher concentration risks is the risk information that can be exploited. Insurers will find that they have a competitive advantage in adding risks to those areas with lower correlation to their largest risks. Insurers should be careful to charge something above their “average” risk margin for risks that are highly correlated to their largest risks. In fact, at the macro level as with the micro level, much of the exploitation results from moving away from averages to specific values for sub classes.
Capital Budgeting. The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period.
Risk Adjusted Performance Measurement (RAPM). Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the economic capital that is necessary to support each business as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages.
Risk Adjusted Compensation. An incentive system that is tied to the risk exploitation principles is usually needed to focus attention away from other non-risk adjusted performance targets such as sales or profits. In some cases, the strategic choice with the best risk adjusted value might have lower expected profits with lower volatility. That will be opposed strongly by managers with purely profit related incentives. Those with purely sales based incentives might find that it is much easier to sell the products with the worst risk adjusted returns. A risk adjusted compensation situation creates the incentives to sell the products with the best risk adjusted returns.
A fully operational risk steering program will position a firm in a broad sense similarly to an auto insurance provider with respect to competitors. There, the history of the business for the past 10 years has been an arms race to create finer and finer pricing/underwriting classes. As an example, think of the underwriting/pricing class of drivers with brown eyes. In a commodity situation where everyone uses brown eyes to define the same pricing/underwriting class, the claims cost will be seen by all to be the same at $200. However, if the Izquierdo Insurance Company notices that the claims costs for left-handed, brown-eyed drivers are 25% lower than for left handed drivers, then they can divide the pricing/underwriting class into two groups. They can charge a lower rate for that class and a higher rate for the right-handed drivers. Their competitors will generally lose all of their left-handed customers to Izquierdo, and keep the right-handed customers. Izquierdo will have a group of insureds with adequate rates, while their competitors might end up with inadequate rates because they expected some of the left-handed people in their group and got few. Their average claims costs go up and their rates may be inadequate. So Izquierdo has exploited their knowledge of risk to bifurcate the class, get good business and put their competitors in a tough spot.
Risk Steering can be seen as a process for finding and choosing the businesses with the better risk adjusted returns to emphasize in firm strategic plans. Their competitors will find that their path of least resistance will be the businesses with lower returns or higher risks.
JP Morgan in the current environment is showing the extreme advantage of macro risk exploitation. In the subprime driven severe market situation, JP Morgan has experienced lower losses than other institutions and in fact has emerged so strong on a relative basis that they have been able to purchase several other major financial institutions when their value was severely distressed. And by the way, JP Morgan was the firm that first popularized VaR in the early 1990’s, leading the way to the development of modern ERM. However, very few banks have taken this approach. Most banks have chosen to keep their risk information and risk management local within their risk silos.
This is very much an emerging field for non-financial firms and may prove to be of lower value to them because of the very real possibility that risk and capital is not the almost sole constraint on their operations that it is within financial firms as discussed above.
The VBM process helps companies compare the value contribution of alternative strategies and select a course that would increase company value.
Weaknesses in its VBM process can prevent an insurance company from restoring its risk capacity through earnings retention or the raising of additional capital. Such weaknesses thereby limit its ability to resume growing and recover from a crisis.
Access to capital is a critical strategic advantage during a financial crisis.
Companies with a strong reputation for value creation can raise new “recovery” capital without excessive shareholder dilution (e.g. Goldman Sachs). Others find it more difficult, or impossible, to access the public market. This makes them vulnerable to inroads by competitors or unsolicited tender offers. The primary purpose of VBM frameworks and processes is to ensure that companies consistently meet investor value creation expectations and survive crises.
VBM frameworks help managers compare alternatives, so that they can direct capital towards uses that would support the achievement of a sustainable competitive advantage, and also create value. This is challenging in the insurance industry because competitors can duplicate innovations in product features, service delivery, or operational effectiveness in relatively short times and can redirect capital at the stroke of a pen. Such competitive dynamics call for companies to compete by developing organizational capabilities that (a) are tougher to duplicate by competitors and (b) provide a pricing or cost advantage based on service quality, underwriting insights, investment performance, and risk and capital management.
Because risk drives capital utilization in insurance businesses, the integration of ERM and VBM frameworks is required in order to develop strategies and plans that meet value expectations. Integration rests on (a) superior insights into risk exposures and capital consumption and (b) consistent risk metrics at the level of granularity needed to achieve a loss ratio advantage (possibly on the same level of granularity as loss ratios are calculated). In practice, these insights and metrics lead to decisions to reject businesses and strategies that will not create value. They provide a foundation for:
Measuring capital utilization by line, by market, and in aggregate
Driving a superior, more disciplined underwriting process
Optimizing product features
Maintaining pricing discipline through the underwriting cycle
Pricing options and guarantees embedded in products fairly
Controlling risk accumulation, by client and distribution channel
Managing the composition of the book of business
Driving marketing and distribution activities
Optimizing risk and capital management strategies
Achieving superior shareholder returns is critical for a company to earn investor trust and maintain access to affordable capital. Having access to capital during a financial crisis may well be the ultimate indicator of success for a company’s VBM framework.
Anecdotal evidence suggests that insurance companies that consistently trade at significant premiums over book value have such insights about risk and maintain a highly disciplined approach to writing business.
The present crisis has increased the cost of capital dramatically, but not equally for all insurers. Capital remains most affordable to those with a strong record of value creation and adequate capital as a result of good risk management. Conversely, it has become prohibitive for those with a lesser record of value creation and who lost credibility as stewards of shareholders’ interests. The latter are at risk of forced mergers or liquidation, which may be punishment for not integrating ERM and VBM processes more effectively.
Once you think of it, it seems obvious. Risk Managers need humility.
If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.
Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.
Risk managers should read the ancient Greek story of Icarus.
Risk managers without humility will suffer the same fate.
Humility means remembering that you must do every step in the risk management process, every time. The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball. They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.
But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.
The risk managers with humility will be ever watchful. They will be looking for the next big unexpected risk. They will not be out there saying how well they are managing the risks; they will be more concerned about the risks that they are unprepared for.
Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.
There you will find information regarding over 30 sources for ERM reading and learning along with several lists of additional books and articles that were borrowed from several sources.
Please feel free to leave your comments about how helpful you found any of these books and papers. Also, if there is a good resource missing, please leave information in a comment and it will soon be added.
Any volunteers who are willing to add to the posts to include all of the ERM sources that are being used for ERM education would be welcomed.
There have been many definitions of ERM. Most suffer from the “too many words” syndrome. They are too long, making it likely that a casual reader will suffer reading fatigue before completing and therefore will decide that the topic is too complicated to be useful.
Here is a try at a very crisp definition:
ERM is a system for enhancing decision making under uncertainty that requires consideration of ALL of the risks of the enterprise.
And also for plain “Risk Management”:
Risk Management is a system for enhancing decision making under uncertainty that focuses on risks as well as returns.
Fundamentally linking ERM and Risk Management to decision making is important, vitally important. Otherwise funders of ERM programs will be quickly disenchanted with the expensive staffs and systems needed to support a Risk Management Entertainment System.
All ERM and Risk Management activities should be judged in terms of how well they support important decisions.
The important decisions that can be supported by ERM and Risk Management are many. Primary among them are:
How much risk should the company take?
How best to transition from the risk level that the company is taking to the risk level that the company should be taking?
How to assure that the company takes no more risk than it should take?
Which Risks should the company take?
How best to transition from the risks that the company is taking to the risks that the company should be taking?
How to manage the likelihood that the company will fall short of its earnings targets?
If a firm already has complete processes in place to make all of those decisions, then it already has ERM. With the rising calls for ERM from regulators, rating agencies and boards, those firms will need to make sure that they can fully articulate the processes that they use to make those decisions.
If, on the other hand, a firm generally makes one or several of those decisions by default, as a fallout from other decisions or on a totally flexible basis as it happens in response to various market forces or on a purely momentum based process that ultimately relies upon some past decisions that may or may not have been made with any concern for risk; then future development of ERM could be vitally important.
The support that ERM provides to all of these decisions is of the nature of an eyes open approach to risk. This general theme is perhaps the reason why ERM often seems to be a massive management information exercise.
But management information about risk is the means to supporting risk focused decision making, not the ends.
In late 2008, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…
6. Insurers must pay special attention to high growth/profit areas in their companies, as these are often the areas from which the greatest risks emanate.
All high growth areas are not risk problems, but almost all risk problems come from areas of high growth.
And high growth areas present several special problems for effective risk management.
High growth in the financial services field usually results when a firm has a new product or service or territory. There is almost always a deficit of experience and data about the riskiness of the new area. Uncertainty rules.
In new high growth areas, pricing can be far off the mark at the outset. If the initial experience is benign, then the level of pricing can become firmly set in the minds of the distributors, the market and the management. When adverse experience starts to undermine the pricing, it may be initially dismissed as an anomaly, a temporary loss. It may be very difficult to determine the real situation.
If risk resources were included in the plan for the high growth activity, they were probably not increased when the growth started to exceed expectations. As growth occurs, the risk resources are most often held at the level called for in the initial plan. Any additional resources that are applied to the growing area are needed to support the higher level of activity. Often this is simply a natural caution about increasing expenses in what may well be a temporary situation. This caution is often justified as growth ebbs. But in the situations where growth does not wane, a major mismatch between risk resources and business activity develops.
There is usually a political problem within the firm. The management of the highest growth area are most likely the current corporate heroes. It is highly unlikely that the CRO will have as much clout within the organization as the heroes. The only solution to this issue is support from the CEO for the importance of risk.
Risk efforts need to be seen not as “business prevention” but as a partner with the business in getting it right. This is difficult to accomplish unless risk is involved from the outset. If the business gets going and growing with procedures that are questionable from a risk perspective, then it is quite possible that changing those procedures might well hurt the growth of the area. Risk needs to be involved from the outset so that appropriate procedures and execution of those procedures do not become a growth issue later on.
This is the most difficult and important area for the risk management of the firm. The business needs to be able to take chances in new areas where good growth is possible. The Risk function needs to be able to help these new activities to have the chance to succeed.
At the same time, the organization needs to be protected from the sort of corner cutting that leads to growth through drastically under-priced risks.
It is a delicate balancing act that requires a high degree of political skill as well as good business judgment about when to dig in the heels and when to let go.
I had occasion recently to search the Basel website to try to document the history of their involvement in risk management.
The oldest document that is still available there that has the term Risk Management in its title is July 1994, Risk Management Guidelines for Derivatives. That matches up with my impression that modern risk management can be traced back to the efforts of banks and banking supervisors to contain the risks associated with derivatives trading that had led to several blow-ups in the early 1990’s.
But the first real classic is the next oldest document on the Basel website, Principles for the management of interest rate risk, from September 1997. That document clearly lays out the structure and process for a full scale risk management system. If you take that link, it will tell you that the 1997 document has been superseded. But if you look at the 2004 update and the 1997 original, you will see that they have added lots of details and lost most of the clarity of the original. So if you want trees, take the 2004 version; if you want forest, like me, you would prefer the original 1997 version.
What I particularly liked about the original is that it really wasn’t about interest rate risk at all. It really captured the essence of risk management and applied that essence to interest rate risk. Therefore, I believe that the document can easily be used as a guide to building a risk management system for any risk.
The document is built around 10 Principles:
The role of the board and senior management
Principle 1: In order to carry out its responsibilities, the board of directors in a bank should approve strategies and policies with respect to interest rate risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the interest rate risk exposure of the bank in order to assess the monitoring and controlling of such risk.
Principle 2: Senior management must ensure that the structure of the bank’s business and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks, and that resources are available for evaluating and controlling interest rate risk.
Principle 3: Banks should clearly define the individuals and/or committees responsible for managing interest rate risk and should ensure that there is adequate separation of duties in key elements of the risk management process to avoid potential conflicts of interest. Banks should have risk measurement, monitoring and control functions with clearly defined duties that are sufficiently independent from position-taking functions of the bank and which report risk exposures directly to senior management and the board of directors. Larger or more complex banks should have a designated independent unit responsible for the design and administration of the bank’s interest rate risk measurement, monitoring and control functions.
Policies and procedures
Principle 4: It is essential that banks’ interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates, especially when recognising legal distinctions and possible obstacles to cash movements among affiliates.
Principle 5: It is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.
Measurement and monitoring system
Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management.
Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies.
Principle 8: Banks should measure their vulnerability to loss under stressful market conditions – including the breakdown of key assumptions – and consider those results when establishing and reviewing their policies and limits for interest rate risk.
Principle 9: Banks must have adequate information systems for measuring, monitoring, controlling and reporting interest rate exposures. Reports must be provided on a timely basis to the bank’s board of directors, senior management and, where appropriate, individual business line managers.
Internal controls
Principle 10: Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to the relevant supervisory authorities.
I would generalize these with very simple editing. Here is Generalized Principle 1:
Principle 1: In order to carry out its responsibilities, the board of directors in a firm should approve strategies and policies with respect to risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the risk exposure of the firm in order to assess the monitoring and controlling of such risk.
This was done by simply deleting 2 instances of the words “interest rate” and exchanging the word “firm” for the word “bank”.
This mindless editing can be done to almost every one of the 10 principles and the result is not just usable, but is a very clear and basic guideline for any risk management program.
The new CARE report has been posted to the IAA website this week.
It raises a point that must be fairly obvious to everyone: you just cannot manage risks without looking at them from multiple angles.
Or at least it should now be obvious. Here are 8 different angles on risk that are discussed in the report and my quick take on each:
MARKET CONSISTENT VALUE VS. FUNDAMENTAL VALUE – Well, maybe the market has it wrong. Do your own homework in addition to looking at what the market thinks. If the folks buying exposure to US mortgages had done fundamental evaluation, they might have noticed that there were a significant number of sub prime mortgages where the Gross mortgage payments were higher than the Gross income of the mortgagee.
ACCOUNTING BASIS VS. ECONOMIC BASIS – Some firms did all of their analysis on an economic basis and kept saying that they were fine as their reported financials showed them dying. They should have known in advance of the risk of accounting that was different from their analysis.
REGULATORY MEASURE OF RISK – vs. any of the above. The same logic applies as with the accounting. Even if you have done your analysis “right” you need to know how important others, including your regulator, will be seeing things. Better to have a discussion with the regulator long before a problem arises. You are just not as credible in the middle of what seems to be a crisis to the regulator saying that the regulatory view is off target.
SHORT TERM VS. LONG TERM RISKS – While it is really nice that everyone has agreed to focus in on a one year view of risks, for situations that may well extend beyond one year, it can be vitally important to know how the risk might impact the firm over a multi year period.
KNOWN RISK AND EMERGING RISKS – the fact that your risk model did not include anything for volcano risk, is no help when the volcano messes up your business plans.
EARNINGS VOLATILITY VS. RUIN – Again, an agreement on a 1 in 200 loss focus is convenient, but it does not in any way exempt an organization from risks that could have a major impact at some other return period.
VIEWED STAND-ALONE VS. FULL RISK PORTFOLIO – Remember, diversification does not reduce absolute risk.
CASH VS. ACCRUAL – This is another way of saying to focus on the economic vs the accounting.
Read the report to get the more measured and complete view prepared by the 15 actuaries from US, UK, Australia and China who participated in the working group to prepare the report.
In the 1980’s a dozen or more firms in the US and Canadian Life Insurance sector created and used what were commonly called required surplus systems. Dale Hagstrom wrote a paper that was published in 1981, titled Insurance Company Growth. That paper described the process that many firms used of calculating what Dale called Augmented Book Profits. An Augmented Book Profit later came to be called Distributable Earnings in insurance company valuations. If you download that paper, you will see on page 40, my comments on Dale’s work where I state that my employer was using the method described by Dale.
In 1980, in the first work to which I was able to affix my newly minted MAAA, I documented the research into the risks of Penn Mutual Life Insurance Company that resulted in the recommendation of the Required Surplus, what we would now call the economic capital of the firm. By the time that Dale’s paper was published in 1981, I had documented a small book of memos that described how the company would use a capital budgeting process to look at the capital utilized by each line of business and each product. I was the scribe; the ideas came mostly from the Corporate Actuary, Henry B. Ramsey. We created a risk and profit adjusted new business report that allowed us to show that with each new product innovation, our agents immediately shifted sales into the most capital intensive or least profitable product. It also showed that more and more capital was being used by the line with the most volatile short term profitability. Eventually, the insights about risk and return caused a shift in product design and pricing that resulted in a much more efficient use of capital.
Each year, throughout the 1980’s, we improved upon the risk model, refining the methods of calculating each risk. Whenever the company took on a new risk a committee was formed to develop the new required surplus calculation for that risk.
In the middle of the decade, one firm, Lincoln National, published the exact required surplus calculation process used by their firm in the actuarial literature.
By the early 1990’s, the rating agencies and regulators all had their own capital requirements built along the same lines.
AND THEN IT HAPPENED.
Companies quickly stopped allocating resources to the development and enhancement of their own capital models. By the mid-1990’s, most had fully adopted the rating agency or regulatory models in the place of their own internal models.
When a new risk came around, everyone looked into how the standard models would treat the new risk. It was common to find that the leading writers of a new risk were taking the approach that if the rating agency and regulatory capital models did not assess any capital to the new risk, then there was NO RISK TO THE FIRM.
Companies wrote more and more of risks such as the guaranteed minimum benefits for variable annuities and did not assess any risk capital to those risks. It took the losses of 2001/2002 for firms to recognize that there really was risk there.
Things are moving rapidly in the direction of a repeat of that same exact mistake. With the regulators and rating agencies more and more dictating the calculations for internal capital models and prescribing the ERM programs that are needed, things are headed towards the creation of a risk management regime that focuses primarily on the management of regulatory and rating agency perception of risk management and away from the actual management of risks.
This is not what anyone in the risk management community wants. But once the regulatory and rating agency visions of economic capital and ERM systems are fully defined, the push will start to limit activity in risk evaluation and risk management to just what is in those visions – away from the true evaluation of and management of the real risks of the firm.
It will be clear that it is more expensive to pursue the elusive and ever changing “true risk” than to satisfy the fixed and closed ended requirements that anyone can read. Budgets will be slashed and people reassigned.
Many people would put reputation risk at the top of their list of the most important risks to their firms.
However, their very next conclusion is that since a good reputation is something that you either have or you do not, then it is not very manageable. By thinking of Reputation Risk as a cliff, there seems to be very little to monitor or manage. There are several problems with this view. First of all, reputations can be destroyed in many ways. Think of a reputation as a glass and a spill of water from the glass as a busted reputation. The glass can be made to overflow all at once with one big pour of water from a large pitcher, or it can be made to overflow by a long slow steady set of small drips.
Usually hits to the reputation are caused by problems that come from other risks that the organization faces. Each risk of the firm should be examined and the degree to which a reputation problem might arise from the risk identified. Moderate risks that have a significant potential reputational hit probably should be elevated to be treated among the major risks.
The incidence of the small hits to reputation can and should be tracked. The impact of these events upon the reputation also can and should be monitored. They are monitored by constantly checking with customers and potential customers about the reputation of the firm.
So if these hits to reputation are tracked, then actions to improve reputation can be undertaken and efforts redoubled when these hits reach a critical level. This means figuring out the ways to take the water back out of the glass.
Also, the other major way to manage reputation risk is to plan ahead for the response to major reputational problems. One of the major differences between situations where firms have been devastated by reputation damaging events and firms that have quickly recovered from similar events is the degree to which the firm has a rapid and sure-footed response to the event. These types of responses can only come from advance planning and preparation. That is not to say that a firm must anticipate every possible reputation damaging event. However, it is important to anticipate a wide range of events. The anticipation and advance planning may prove to provide the exact plan for a specific event that comes up, but more likely what the exercise will provide is some experience in formulating the types of responses needed. Managers who have participated in these exercises will be more likely to perform as needed when the real reputation hit happens.
Finally, there is one type of reputation risk that is real, but is used often as a red herring to distract risk managers from the main reputational risks as described above. This is the risk from an undeserved blow to reputation from the media, regulators or courts. This is something that can and should be anticipated, but should not be an excuse for not anticipating the other and usually much more likely reputation risks that can come from within the firm.