Archive for the ‘Execution Risk’ category

Risk Intelligence IV

March 20, 2019

Overcoming Biases

In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases.  Here are some specifics…

Biases

  • Anchoring – too much reliance on first experience
  • Availability – overestimate likelihood of events that readily come to mind
  • Confirmation Bias – look for information that confirms bias
  • Endowment effect – overvalue what you already have
  • Framing effect – conclusion depends on how the question is phrased
  • Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
  • Hindsight bias – things seem to be predictable after they happen
  • Illusion of control – overestimate degree of control over events
  • Overconfidence – believe own answers are more correct
  • Status Quo bias – Expect things to stay the same
  • Survivorship bias – only look at the people who finished a process, not all who started
  • Ostrich Effect – Ignore negative information

Each of Education, Experience and Analysis should reduce all of these.

Experience should provide the feedback that most of these ideas are simply wrong.  The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time.  So learning to identify and avoid these biases through experience has had limited testing.

Education for a risk manager should simply mention all of these biases directly and their adverse consequences.  Many risk managers receiving that education will ever after seek to avoid making those mistakes.

But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.

Analysis may provide the information to convince  some of these remaining holdouts.  Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.

So there may still be some people who even in the face of:

  • Experience of less than optimal outcomes
  • Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
  • Analysis that provides numerical back-up for unbiased decision making

Will still want to trust their own gut to make decisions regarding risk.

You can probably weed out those folks in hiring.

During a Crisis – A Lesson from Fire Fighters

December 10, 2012

800px-FIRE_01

The fire cycle: “The action-cycle of a fire from birth to death follows a certain pattern.  The fire itself may vary in proportion from insignificance to conflagration, but regardless of its proportions, origin, propagation or rate of progression, the cycle or pattern of controlling it includes these phases:

1. the period between discovery and the transmittal of the alarm or alerting of the fire forces;

2. the period between receipt of alarm by the fire service and arrival of firemen at the scene of the fire; and, finally,

3. the period between arrival on the fire ground and final extinguishment of the fire itself.

It is important to fire fighting to make sure that the right things happen during each phase and that each step takes as little time as possible.  For the first phase, that means having fire detection equipment in place and working properly that produces a signal that will be noticed and conveyed to the fire forces.  In the second phase, the fire fighters need to be organized to respond appropriately to the alarm.  And the third phase includes the process of diagnosing the situation and taking the necessary steps to put out the fire.

That is a good process model for risk managers to contemplate.  Ask yourself and your staff:

  1. This is about the attitude and preparedness of company staff to accept that there may be a problem.  How long will it be before we know when an actual crisis hits the company?  How do our alarms work?  Are they all in functioning order?  Or will those closest to the problems delay notifying you of a potential problem?  Sometimes with fires and company crises, an alarm sounds and it is immediately turned off.  The presumption is that everything is normal and the alarm must be malfunctioning.  Or perhaps that the alarm is correct, but that it it calibrated to be too sensitive and there is not a significant problem.  As risk manager, you should urge everyone to err on the side of reporting every possible situation.  Better to have some extra responses than to have events, like fires, rage completely out of control before calling for help.
  2.  This is about the preparedness of risk management staff to begin to respond to a crisis.  One problem that many risk management programs face is that their main task seems to be measuring and reporting risk positions.  If that is what people believe is their primary function, then the risk management function will not attract any action oriented people.  If that is the case in your firm, then you as risk manager need to determine who are the best people to recruit as responders and build a rapport with them in advance of the next crisis so that when it happens, you can mobilize their help.  If the risk staff is all people who excel at measuring, then you also need to define their roles in an emergency – and have them practice those roles.   No matter what, you do not want to find out who will freeze in a crisis during the first major crisis of your tenure.  And freezing (rather than panic) is by far the most common reaction.  You need to find those few people whose reaction to a crisis is to go into a totally focuses active survival mode.
  3. This is about being able to properly diagnose a crisis and to execute the needed actions.  Fire Fighters need to determine the source of the blaze, wind conditions, evacuation status and many other things to make their plan for fighting the fire.  They usually need to form that plan quickly, mobilize and execute the plan effectively, making both the planned actions and the unplanned modifications happen as well as can be done.  Risk managers need to perform similar steps.  They need to understand the source of the problem, the conditions around the problem that are outside of the firm and the continuing involvement of company employees, customers and others.  While risk managers usually do not have to form their plan in minutes as fire fighters must, they do have to do so quickly.  Especially when there are reputational issues involved, swift and sure initial actions can make the world of difference.  And execution is key.  Getting this right means that the risk manager needs to know in advance of a crisis, what sorts of actions can be taken in a crisis and that the company staff has the ability to execute.  There is no sense planning to take actions that require the physical prowess  of Navy Seals if your staff are a bunch of ordinary office workers.  And recognizing the limitations of the rest of the world is important also.  If your crisis effects many others, they may not be able to provide the help from outside that you may have planned on.  If the crisis is unique to you, you need to recognize that some will question getting involved in something that they do not understand but that may create large risks for their organizations.

 

Rounding Up to Reduce Drift into Failure and Maintain Risk Karma

July 31, 2012

So what to do about Drift into Failure?

Think of DIF in simple math terms.  At every turn in the calculation, you are rounding down or truncating the values that you calculate.  With that process, your result will always be low.  Not always noticeably low but with a bias to be below the value that you would have calculated with carrying forward the value with all of the decimal points.

With a Risk Management or Safety system, it is the same thing.  If checking ten times will give a .9999 guaranty of safety, then nine times should be good enough.  If lubricating weekly produces no failures, how about lubricating every 9 days.  And so on.  If a hedge that is 98% effective works out fine most days, how about a hedge that is 96% effective.  A $5 million retention works, why not move it to $5.5 million.

In every case, the company rounds down.

So the practice that is needed to reduce DIF is to occasionally round up.  One year, try rounding up on half the risk systems.  Make the standards just a tiny bit tighter a few times.  Balance things that way.  Think of your firm as accumulating bad karma by allowing the shortcuts, the rounding down on the risk management and safety systems.  Protect the karma, by going the other way in the same sort of imperceptible small steps that are the evidence of the DIF.

Stop Drifting.   Join the Fight Against Bad Risk Karma Today.

The Risk of Paying too much Attention to your Experience

July 30, 2012

The Drift into Failure idea from the Safety Engineers is quite valuable.

One way that DIF occurs is when an organization listens too well to the feedback that they get from their safety system.

That is right, too much attention.  In the case of a remote risk, the feedback that you will get most days, most weeks, most months is NOTHING HAPPENS.

That is the feedback you are likely to get if you have a good loss prevention system or if you have none.

This ties to the DIF idea because organizations are always under pressure to do more with less.  To streamline and reduce costs.

So what happens?  In Safety and Risk Management, someone studies the risks of a situations and designs a risk mitigation system that reduces the frequency or severity of problem situations to an acceptable level.

Then, at some future time, the company management looks to reduce costs and/or staff.  This particular risk mitigation system looks like a prime candidate.  The company is spending time and money and there has never been a problem.  Doubtless, the same “nothing” could be achieved with less.  So the budget is cut, a position is elimated and they get by with less mitigation.

Then time pass and they collect the feedback, the experience with the reduced risk mitigation process.  And the experience tells them that they still have no problems.  The budget cutters are vindicated.  Things seem to be just fine with a less costly program.

If the risk here is highly remote, then this process might happen several times.

Which may eventually result in a very bad situation if the remote adverse event finally happens.  The company will be inadequately unprepared.  And no one made a clear decision to dilute the defense to an ineffective level.  They just kept making small decisions and eventually they drifted into failure.

And each step was validated by their experience.

During the Crisis

September 11, 2011

There are three Phases to Risk Management,

  • Preparation,
  • Crisis Management and
  • Picking up the pieces

During the Crisis, the most important thing is that you are able to assess the situation, choose the appropriate action and finally and most importantly ACT.

Many people are prone to freeze during a crisis.  They go into a daze because some main steady thing in their life is no longer there and working.

On the anniversary of 911, it is interesting to notice that an article A Survival Guide to Catastrophe from 2008 is the most popular article today at Time.com.

It tells the story of how several people escaped several famous catastrophes.  In each case, some of the people who died in those situations were frozen.

The human brain goes through three stages during a crisis: disbelief, deliberation and action.  The frozen people have stuck on the disbelief or deliberation stages.

That is where the Preparation phase is important.  With proper preparation, people can be taught to quickly identify the reality of the crisis and to know in advance their best options.  The purpose of the preparation is then to shorten the time to get to the third stage.  ACTION.  And to make sure that when you get there, you take the right action.

During the World Trade Center crisis, some people did act quickly, and climbed the stairs right up to the roof.  Others made the right choice and went down the stairs.

This Crisis Management thinking does not just refer to physical crises.  Financial firms are faced with financial crises.  In those situations, managers of the firm go through the exact same stages:  disbelief, deliberation and action.  They can get stuck in either of the first two stages until it is too late.  They can also choose the wrong action.

Much of risk management literature seems to be about the risk management things that are needed during the moderately risky, normal times.  But risk management is also needed in the midst of the crisis.  The risk mitigation tactics that work best in moderately risky, normal times may not even be available in a crisis.  There needs to be preparation for a possible crisis so that managers will promptly identify the crisis and know in advance the types of options that they may have and also know how to go about choosing the best options.

Firms that provide property insurance to disaster prone areas have learned that it is much more than good customer service to have claims people on the ground to start writing checks as soon as possible after the disaster.  Firms that trade in financial markets have learned, if they did not know already, that trading is not always continuous.

Whatever your firm does, the risk manager should be developing and training managers about crisis plans.

Decision Fatigue and Crisis Risk Management

August 31, 2011

In a recent New York TImes Magazine article, the problem of decision making fatigue is described.  The article says that people will generally tire of making decisions.  It sites studies of judges rulings on parole hearings.  Parolees who have the bad luck to have their case heard later in the day have much less chance of success was one example cited.

Another interesting aspect of decision fatigue was that once fatigued of decisions, people tended to narrow their decision making criteria.  Tired decision makers would eventually get down to a single factor driving their decisions.

The idea given of how to avoid decision fatigue is generally to avoid making too many decisions.

There are interesting implications for risk management.  RISKVIEWS has said many times that risk management means that sometimes the company will do something different then before they had risk management.  But since the company is not doing something different all of the time, each different situation requires a decision.  But all decisions are not of the same economic impact.

So a strategy for getting it right – or at least avoiding decision fatigue for the most important decisions is to make sure that a fresh decision maker is involved in the decisions of higher importance.

This idea may not mean making any change in the procedures of many companies.  It is not uncommon for decisions that involve larger amounts of money to require approval by a more senior person than the person who makes the lesser decisions.  It appears that is a good idea from a decision fatigue point of view.  Firms who seek to empower their employees by avoiding that sort of system may be playing russian roulette with their most important risk management decisions.

In a crisis, many decisions are needed in a short time.  That is perhaps one way of defining a crisis.  Things must be done differently.  The likelihood of decision fatigue in a crisis seems to be immense.

A solution to this is to reduce the number of decisions.  This can be accomplished by anticipating the decisions that may be needed and making the most likely decisions in advance.  It may well be that an advance decision made with an approximation of the situation may be better than a fatigued decision.  There still remains the decision of whether the advance decision is still applicable.  But if done right, the stress of decisions can be greatly reduced.

In addition, the narrowing of decision making criteria for fatigued decision makers is an interesting finding.  Many management information people report that they need to refine the information that they provide to single indicators, in some cases to red light/green light on/off indicators.

This seems to be clear indication of decision fatigue of senior managers.  While MI professionals will not usually be empowered to have an opinion on this, it seems that what is in order is for the top managers to make fewer decisions until they get to the point where they are no longer too fatigued to recognize the actual complexity of the decisions that they are making.

Momentum Risk

January 31, 2011

How many times have you heard this

If it isn’t broken don’t fix it.

As a risk manager, momentum risk is one of the most difficult risk to overcome.  (I wonder how many times on these posts I have claimed this?)

But this is the aspect of the Horizon disaster that led to millions and millions of barrels of oil spilling into the Gulf.  Before that the oil companies claimed that there had never been a failure of an oil rig in the Gulf.  So that was the Momentum assumption.  It had never failed so it never would fail.

Standing against that is the seemly endlessly negative point of view of the risk manager:

If anything can go wrong, it will.

Murphy‘s Law is usually taken as the ultimate statement of negative pessimism.  But instead you the risk manager need to use Murphy’s law as he did.  As a mantra to keep repeating to yourself as you look for ways to stress test a system.

Looking to engineering (Murphy was an engineer you know) for some thinking about stress to failure, we find this post:

When a component is subject to increasing loads it eventually fails.   It is comparatively easy to determine the point of failure of a component subject to a single tensile force. The strength data on the material identifies this strength.   However when the material is subject to a number of loads in different directions some of which are tensile and some of which are shear, then the determination of the point of failure is more complicated…

Some of your stress to failure tests will have to be tensile, some compressive, some shear, in different directions and in different combinations.  You should do this sort of testing to know the weakest points of your system.

But there is no guarantee that the system will fail at the weakest points either.  In fact, you may put in place methods to reduce stresses to those weakest points.  Remember that now elevates other points to be the new stresses.

And do not let Momentum thinking define your approach to likelihood of these stresses.  In physical systems, the engineer knows how the system is supposed to be used and can plan for the stresses of those uses.  But in many cases, the systems designed and tested by engineers are not used in the conditions planned for or even for the exact uses that the engineer anticipated.

Sound familiar?

Human systems are not so fixed as physical systems.  Humans react to the system that they are experiencing and adjust their actions according to the feedback that they are receiving from the system.  So human systems will almost always change as they are used.

Human systems will almost always change as they are used.

That is what makes it so much more difficult to be a risk manager for a financial firm than for a firm that deals mainly with physical risks.  As noted above the humans that interface with the physical risks system do change and adapt, but there are usually a larger portion of possibilities that are fixed by the constraints of the physical systems.

With financial risks, the idea of adapting and using a type of transaction or financial structure for alternate purposes has become the occupation of a large number of folks who command a large amount of resources.

So if, for example, you are using a particular type of derivative to accomplish a fairly straightforward risk management purpose, it is quite possible that the market for that instrument will suddenly be taken over by folks with lots and lots of money, fast computers and turnover averages in the thousands per week.  Their entry into a market will change pricing and the speed of changes in pricing and then one day, suddenly, they will decide, perhaps little by little, but possibly all at once, to abandon that trade and the market will snap to being something different still.

The same sort of thing happens in insurance, but at a different speed.  Lawyers are always out there looking to “perfect” an argument to create a new class of claimants against different businesses and their insurers. THis results in a sudden jump in claims costs.

Interestingly, the strategies for those two examples might be the exact opposite.  It might be best to move on from the market that is suddenly overtaken by high speed hedge fund traders.  But the only way to recover extra losses from a newly discovered and “perfected” cause of tort is to stay with the coverage.

But in all cases, the risk manager is faced with the problem of overcoming Momentum Risk.  Convincing others that something that is not broken needs attention and possibly even fixing.


It’s All Relative

November 7, 2010

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how either of these three scenarios might hit you.

  • One company had a loss of 50% of capital during the credit crunch of the early 1990’s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
  • Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
  • Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

On The Top of My List

August 28, 2010

I finished a two hour presentation on how to get started with ERM and was asked what were my top 3 things to keep in mind and top 3 things to avoid.

Here’s what I wish I had said:

Top three hings to keep in mind when starting an ERM Program:

  1. ERM must have a clear objective to be successful.  That objective should reflect both the view of management and the board about the amount of risk in the current environment as well as the direction that the company is headed in terms of the future target of risk as compared to capacity.  And finally, the objective for ERM must be compatible with the other objectives of the firm.  It must be reasonably possible to accomplish both the ERM objective and the growth and profit objectives of the firm at the same time.
  2. ERM must have someone who is committed to accomplishing the objective of ERM for the firm.  That person also must have the authority within the firm to resolve most conflicts between the ERM development process and the other objectives of the firm. And they must have access to the CEO to be able to resolve any conflicts that they do not have the authority to resolve personally.
  3. Exactly what you do first is much less important than the fact that you start doing something to develop an ERM program.   Doing something that involves actually managing risk and reporting the activity is a better choice than a long term developmental project.  It is not optimal for the firm to commit to ERM, to identify resources for that process and then to have those people and ERM disappear from  sight for a year or more to develop the ERM system.  Much better to start giving everyone in management of the firm some ideas of what ERM looks and feels like.  Recognize that one product that you are building is confidence in ERM.

Things to Avoid:

  1. Valuing ERM retrospectively taking into account only experienced gains and losses.  (see ERM Value)  A good ERM program changes the likelihood of losses, but in any short period of time actual losses are a matter of chance.  On the other hand, if your ERM programs works to a limit for losses from an individual transaction, then it IS a failure if the firm has losses above that amount for individual transactions.
  2. Starting out on ERM development with the idea that ERM is only correct if it validates existing company decisions.  New risk evaluation systems will almost always find one or more major decisions that expose the company to too much risk in some way. At least they will if the evaluation system is Comprehensive.
  3. Letting ERM routines substitute for critical judgment.  Some of the economic carnage of the Global Financial Crisis was perpetuated by firms where their actions were supported by risk management systems that told them that everything was ok.  But Risk managers need to be humble.

But in fact, I did get some of these out. So next time, I will be prepared.

Risk Managers MUST be Humble

July 3, 2010

Once you think of it, it seems obvious.  Risk Managers need humility.

If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.

Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.

Risk managers should read the ancient Greek story of Icarus.

Risk managers without humility will suffer the same fate.

Humility means remembering that you must do every step in the risk management process, every time.  The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball.  They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.

But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.

The risk managers with humility will be ever watchful.  They will be looking for the next big unexpected risk.  They will not be out there saying how well that they are managing the risks, they will be more concerned about the risks that they are unprepared for.

Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.

Managing Operational Risk

June 13, 2010

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM were shown to support management of operational risk

Operational risk comprises two different types of risks: execution risk and strategic risk.

These two categories of operational risk are important to policyholders and shareholders because they can reduce both the insurance strength and the value of insurance companies.

Strategic risk stems from external changes that can undermine the profitability and growth expectations of a company’s business model and strategy, and therefore have a significant impact on its value. Execution risk originates in internal failures to manage the operations of a company competently, with the needed level of foresight, prudence, risk awareness, and preparedness. Execution and strategic risks impact insurance companies differently and, as a result, call for distinct mitigation strategies.

Execution risks

Although financial risks are the primary determinant of the volatility of financial results of insurance companies, execution risks can also cause material adverse deviations from expected financial results

Execution risks include, for example,   economic losses resulting from i) delays in alleviating adverse consequences of changes in the volume of activity (mismanagement), ii) events that can interrupt business operations whether man made or natural (lack of preparedness), and iii) failures in controls that cause economic losses, create liabilities or damage the company’s reputation (market conduct, regulatory compliance, bad faith in claim management, fraud, IT security, etc..).

Execution risks reduce current financial performance and company valuation. Company valuation is reduced because i) investors often view negative earnings  deviations as predictors of future decline in profitability and ii) performance volatility can derail the execution of a company’s growth strategy

Execution risks are relatively easy to identify, if not to mitigate for company management. Although stochastic modeling tools and event databases could be used to simulate the impact of execution risks on financial performance, and fine tune mitigation strategies, undertaking such modeling is very costly, and may be of limited value. Company management has fiduciary obligations to set in place processes designed to avoid executions risks, establish post event recovery procedures, and to ensure compliance.

Both policyholders and shareholders need to note that

  • Execution risks can impact financial performance significantly in the year or period of occurrence but may have a more or less pronounced impact on performance in subsequent periods and company valuation, depending on the availability of recovery strategies and the preparedness of a company.
  • The impact of execution risks on a company’s market value can be derived from estimated adjustments to free cash flow projections.  This is particularly significant in connection with risk events that erode a company’s competitive advantage or damage its reputation. Such events can reduce the market value of a company significantly by reducing its volume of business or its pricing flexibility.

Management processes and management action, not capital, are the natural remedy for execution risks. Board of Directors or Audit Committees of such boards have become increasingly involved in exercising oversight of execution risks and their management by operating executives.

Strategic Risks

Strategic risks can undermine the economic viability of the business model and future financial performance of insurance companies. They can have a significant adverse effect on i) a company’s insurance ratings and the credit worthiness of its debt and ii) its market capitalization. Strategic risks can cause otherwise solvent companies to lose a substantial share of their market value in a short time, provoke legal action by disgruntled shareholders, inflict serious economic losses to Directors, senior executives and other employees, and induce potential raiders to attempt a take over.

Strategic risks are also very important to policyholders, (especially those who have bought protection against slowly emerging liabilities or policies that provide indemnification benefits in the form of annuity payments), because strategic risks that undermine the ability of companies to earn formerly expected returns also reduce the credit worthiness of these companies. Strategic risks stem from external changes in the regulations, institutional arrangements, competition, technology or demand that can erode the competitive advantage of an insurance company and its ability to operate credibly and profitably as a going concern in the future.

Strategic risks do not receive as much attention as they should because they are difficult to identify and assess, and are often viewed as “uncontrollable”. At any point in time, it can be very difficult to assess whether a quantum change in any element of strategic risks is close to happening. When such a change occurs, however, its impact on future performance can cause a swift decline in the market values of a company.

To identify and manage strategic risks, companies need to:

  • Conduct and challenge a periodic defensibility analysis of their business model and competitive advantage
  • Monitor market developments for emerging trends with potential adverse effects (loss of business to competitors, emergence of new risk transfer technologies or product innovations, regulatory developments, etc.)
  • Develop appropriate responses to adverse developments through adjustment in capabilities, redeployment of capacity, change in composition and level of service provided, industry level lobbying of lawmakers and regulators, sponsorship of and participation in industry associations, etc…
  • Communicate reasons for and objectives of needed changes to both customers and shareholders.
  • Integrate the planned strategic response into action plans, budgets and objectives of business units

Insurance companies need to include in ERM a process that provides consistent and updateable insights into strategic risks to which they are exposed. Because the insurance industry has been highly regulated, many insurance companies have not developed deep strategy development and assessment skills. It will be a challenge at first for such companies to establish strategic risk assessment frameworks powerful enough to yield robust insights but simple enough to be user friendly.

A number of companies that have already implemented comprehensive  frameworks to manage financial risks have begun addressing operational risks more formally. They believe that the introduction in operations management of specific risk management control components will create value by:

  • Enhancing the level and the stability of their financial results
  • Reducing the probability of serious value losses caused execution risks and strategic risks.

The establishment of operational effective risk management frameworks and processes within ERM is of critical importance to all constituents of insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

jpberliet@att.net

May 22, 2010

Stress to Failure

May 28, 2010

It is clear and obvious that BP and the US government regulators were not at all prepared for failure of a deep water oil rig in the Gulf.

What would have helped them is a procedure that I have heard Dave Sandberg describe many times that is used at his employer, Allianz.

Stress to Failure.

  1. Whenever something new is proposed, they require that a demonstration is prepared that shows the type of stress that will cause complete failure. That test provides them with several pieces of very valuable information: It helps to put a boundry around the situations under which it will NOT fail. This is the green (and yellow) zone for the new project. They can then evaluate the expected return and volatility of return in those scenarios.
  2. It allows an estimate of the likelihood of success vs. failure of the project.  This can be seen by looking at the type of situation that causes failure and the likelihood of that situation.  However, caution should be applied to not put too much weight on this likelihood estimate if the failure type of even has never before happened.  Human nature may well be biased towards underestimating adversity. 
  3. It allows for planning for the failure event.  This is where the BP folks and Transocean as well as the Minerals Management Service failed.  They clearly had no plan for the failure event.  It sounds like they were able to convince themselves that any failure event was so remote in likelihood that there was no need to plan for one. 
  4. Understanding the true weaknesses of the system.  If you do not know how to break it, then perhaps you do not understand the system. 

This is an idea our of engineering and probably we could learn much by studying how they have used the idea.

Your Mother Should Know

April 29, 2010

Something as massive as the current financial crisis is much too large to have one or two or even three simple drivers.  There were many, many mistakes made by many different people.

My mother, who was never employed in the financial world,  would have cautioned against many of those mistakes.

When I was 16, I had some fine arguments with my mother about the girls that I was dating. My mother did not want me dating any girls that she did not want me to marry.

That was absolutely silly, I argued. I was years and years away from getting married. That was a concern for another time. My mother knew that in those days, “shotgun marriages” were common, a sudden unexpected change that triggered a long-term commitment. Well, as it happened, even without getting a shotgun involved, five years later I got married to a girl that I started dating when I was 16.

There are two different approaches to risk that firms in the risk-taking business use. One approach is to assume that they can and will always be able to trade away risks at will. The other approach is to assume that any risks will be held by the firm to maturity. If the risk managers of the firms with the risk-trading approach would have listened to their mothers, they would have treated those traded risks as if they might one day hold those risks until maturity. In most cases, the risk traders can easily offload their risks at
will. Using that approach, they can exploit little bits of risk insight to trade ahead of market drops. But when the news reveals a sudden unexpected adverse turn, the trading away option often disappears. In fact, using the trading option will often result in locking in more severe losses than what might eventually occur. And in the most extreme situations, trading just freezes up and there is not even the option to get out with an excessive loss.

So the conclusion here is that, at some level, every entity that handles risks should be assessing what would happen if they ended up owning the risk that they thought they would only have temporarily. This would have a number of consequences. First of all, it could well stop the idea of high speed trading of very, very complex risks. If these risks are too complex to evaluate fully during the intended holding period, then perhaps it would be better for all if the trading just did not happen so very quickly. In the case of the recent subprime-related issues, banks often had very different risk analysis requirements for trading books of risks vs. their banking book of risks. The banking (credit mostly) risks required intense due diligence or underwriting.  The trading book only had to be run through models, where the assignment of assumptions was not required to be based upon internal analysis.

From 2008 . . .

Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications

Lots more great stuff there.  Check it out.

LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

When your Parachute Doesn’t Open

February 16, 2010

Do you have a plan for what to do when your parachute doesn’t open?

Well, if you do not, pay attention.  Here is a 6 step checklist for what to do:

  1. Signal your Buddy.
  2. Get close with your Buddy.
  3. Link your arms through his/her straps.
  4. Open his/her chute.
  5. Let your Buddy steer the chute.
  6. Suggest that he/she look for an extra soft place to land (water).

There now.  Don’t you feel safer?

You say you do not parachute jump?  So what good it this?

Well, you must see that this is really good advice that can be applied to many situations.  Not just parachute jumping.

1.  Signal Your Buddy – this step might just be the most difficult.  That is because it requires two very different things.  First, you must recognize that you have a serious and potentially fatal problem.  You must be able to make that decision before it is too late.  So you probably need to have thought ahead to know how serious of a problem just might be terminal.  Second, you have to have a buddy in sight to be signaled.  If you are an individual working in risk management in a firm, you need to know in advance who is going to be your buddy in case of emergency.  This applies to entire firms as well.  The firm needs to know who they will go to when they might be in terminal trouble.

2.  Get Close with your Buddy – Troubled times are when you find out who your real buddies are.  Your fair weather friends will not be interested in getting close to you when you are in trouble.  This is the real definition of a Buddy.  Someone who is willing to be next you you then.  You need to realize that now and decide whether you have any real buddies.  If you are prarchute jumping, you need to figure that out on the ground, not in the air.  If you are managing risks, perhaps you are at the wrong firm if you look around and you do not know who your buddy is.  A firm with a good risk management program will more than encourage buddies, it will require them.  And it will foster a culture of mutual responsibility, not everyone for themselves. It needs to be a firmwide expectation that you can count on several potential buddies when a real problem crops up.

3.  Link your arms through his/her straps – for parachuting, holding on is not sufficient, the g-force that will hit when the chute opens with two people and one chute will rip you apart.  Also in risk management, the committment to the Buddy needs to be very firm.  All too often risk managers get blamed for inproper risk appetites, even when they had explicitly warned against the exact event that is causing the problem.  Many risk managers will sorely need to have someone who will remind management that the risk manager was not the one at fault. 

4.  Open his/her chute.  This is the key step for both the diver and the risk manager.  And it needs to be said and repeated and rehearshed.  The reason that the risk management might be of value to the organization is that it causes the organization to contemplate doing some things differently.  When there is severe troubles, the risk manager needs to be able to clearly call for action and the organization needs to be prepared to take that action, either by directly empowering the risk manager or through a cultural committment to real action based upon risk information.  The Buddy system described here might be a good way to create the possibility of quick action with some checks and balances in the event of severe threats.  The empowerment to action might require the agreement of the buddy. 

5.  Let your Buddy steer the chute.  This item on the checklist is there to acknowledge that the person who loses the chute might just be a little (or a lot) shook up and therefore might have somewhat impaired judgment.  The same might be true in the event of a disaster to the firm.  The buddy and the firm in general needs to look out for any actions that are of the nature of “doubling down” to recover past losses.  There must be a recognition that the best thing to do now can best be determined by looking at likely futures rather than the past. 

6.  Suggest that he/she look for an extra soft place to land (water).  The parachute will often not work exactly as planned when it carries two.  So the person steering needs to be particularly diligent to look for a softer than usual place to land.  So to with a risk management emergency.  It might be desirable to end up in a slightly more secure position than normal minimum standards after a major problem.  It will make everyone feel better.  The hardest story to tell is when a firm has had a major loss but was not able to really put on the brakes so is not sure if or how much further loss will be happening.  Both need to help with looking for that soft place to land.

Crisis Pre-Nuptial

January 21, 2010

What is the reaction of your firm going to be in the event of a large loss or other crisis? 

If you are responsible for risk management, it is very much in your interest to enter into a Crisis Pre-Nuptial

The Crisis Pre-Nuptial has two important components. 

  1. A protocol for management actions in the event of the crisis.  There is likely a need for there to be a number of these protocols.   These protocols can be extremely valuable, their value will most likely far exceed the entire cost of a risk management function.  Their value comes because they eliminate two major problems that firms face in the event of a crisis or large loss.  First is the deer in the headlights problem – the delay when no one is sure what to do and who is to do it.  That delay can mean that corrective actions are much less effective or much more expensive or both.  Second is the opposite, that too many people take actions, but that the actions are conflicting.  This again increasses costs and decreases effectiveness.  Just as with severe medical emergencies, prompt corrective actions are almost always more likely to have the most favorable results. 
  2. Setting up an expectation that the crises and losses either are or are not an expected part of the risks that the firm is taking.  If the firm is taking high risks, but does not expect to ever experience losses, then there is a major disconnect between the two.  Just as a marital pre-nuptial agreement is a conscious acknowledgement that marriages sometimes end in divorce, a Crisis Pre-Nuptial is an acknowledgement that normal business activity sometimes involves losses and crises. 

Risk managers who have a Crisis Pre-Nuptial in place might, just might, have a better chance to survive with their job in tact after a crisis or large loss. 

And if someday, investors and/or boards come to the realization that firms that plan for rainy days are, in the long run, going to be more valuable, the information that is in the Crisis pre-nuptial could be very important information for them.

Best Risk Management Quotes

January 12, 2010

The Risk Management Quotes page of Riskviews has consistently been the most popular part of the site.  Since its inception, the page has received almost 2300 hits, more than twice the next most popular part of the site.

The quotes are sometimes actually about risk management, but more often they are statements or questions that risk managers should keep in mind.

They have been gathered from a wide range of sources, and most of the authors of the quotes were not talking about risk management, at least they were not intending to talk about risk management.

The list of quotes has recently hit its 100th posting (with something more than 100 quotes, since a number of the posts have multiple quotes.)  So on that auspicous occasion, here are my favotites:

  1. Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.  Douglas Adams
  2. “when the map and the territory don’t agree, always believe the territory” Gause and Weinberg – describing Swedish Army Training
  3. When you find yourself in a hole, stop digging.-Will Rogers
  4. “The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair” Douglas Adams
  5. “A foreign policy aimed at the achievement of total security is the one thing I can think of that is entirely capable of bringing this country to a point where it will have no security at all.”– George F. Kennan, (1954)
  6. “THERE ARE IDIOTS. Look around.” Larry Summers
  7. the only virtue of being an aging risk manager is that you have a large collection of your own mistakes that you know not to repeat  Donald Van Deventer
  8. Philip K. Dick “Reality is that which, when you stop believing in it, doesn’t go away.”
  9. Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted.  Albert Einstein
  10. “Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.”  Sherlock Holmes (A. Conan Doyle)
  11. The fact that people are full of greed, fear, or folly is predictable. The sequence is not predictable. Warren Buffett
  12. “A good rule of thumb is to assume that “everything matters.” Richard Thaler
  13. “The technical explanation is that the market-sensitive risk models used by thousands of market participants work on the assumption that each user is the only person using them.”  Avinash Persaud
  14. There are more things in heaven and earth, Horatio,
    Than are dreamt of in your philosophy.
    W Shakespeare Hamlet, scene v
  15. When Models turn on, Brains turn off  Til Schuermann

You might have other favorites.  Please let us know about them.

New Decade Resolutions

January 1, 2010

Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade

  1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
  2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
  3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
  4. Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future. 
  5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.

  6. Drivers of risks will be highlighted and monitored.  Key risk indicators is not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external. 
  7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
  8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management. 
  9. Focus on  the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.   Big transactions will also get the same kind of focus on risk. 

You may not be able to Grow out if it

December 21, 2009

Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.

Growth has a way of masking problems.  Things are changing and it is often very difficult to understand whether the changes are just a lag in reporting the good things that come from healthy growth or if they are leading indicators of major problems.

The firm needs to grow risk management analysis and attention along with highest growth activities.  That needs to be demanded from the top.  No middle or even high level risk officer will ever have the authority to slow down the part of the company that is growing the best.  Firms need to have CEO commitment to extra risk analysis of the fastest growing business.

The firm needs to establish its operational capacity for handling growth.  The most common reaction to unexpected growth is to delay hiring additional staff (along with delaying adding additional risk staff as mentioned above).  After more delay and more growth, the business might seem much more profitable than expected.  Some of that excess profitability is coming from the understaffing.  Some of the profitability might be coming from mistakes in recordkeeping due to the understaffing.  A sudden delayed effort to fix the under staffing will most often hurt more than it helps in the short run.

And what is most likely to be shortchanged in an understaffed growing situation  Why it is quality control and recordkeeping.  So if there is a growing problem it is very hard to notice it.

So what to do?

Every great mistake has a halfway

moment, a split second when it can be

recalled and perhaps remedied.

Pearl Buck

Part of the process of planning for each new thing that might grow, if it is as successful as is hoped, needs to be to determine where that halfway moment might be.

MARTA – Risk Management… beyond mitigation

November 9, 2009

Submitted by Antony Marcano

From his Blog Testingreflections.com

In a previous rant about the misuse of the term mitigate in the context of risk management I listed the following strategies (I call them MARTA) for managing a given risk:

  • Mitigate – Reduce the severity of its impact
  • Avoid – Don’t do the thing that makes the risk possible
  • Reduce – Make the risk less likely to happen
  • Transfer – Move the impact of the problem to another party (e.g. insure such as paid insurance or outsource with penalties for failure)
  • Accept – Do nothing or set aside budget to cope with the impact

I recently found myself having to explain this and used the analogy of crossing a busy road with fast-moving cars. What’s the risk? Well, you might get hit by a car.

This will probably be more useful if you take a moment to think of a busy road with fast moving traffic that you know of and then use each of the above strategies to identify different ways of managing the risk. What factors would be significant in deciding on which strategy (or combination of strategies) was the way to go?

Ok, now that you’ve had a chance to think about it, here is what I came up with:

  • Mitigate – Walk down the street until I can find a section of the road where there is a 20mph speed restriction. (This is mitigation because I’m not necessarily making it any less likely that I’m hit, but if I am hit the ‘impact’ is reduced – i.e. I’ll probably live – albeit with injury).
  • Avoid – I could simply not cross the street, by deciding that whatever is on the other side simply isn’t that important or I could use an underground subway (which of course has other risks associated with it depending on the area you’re in).
  • Reduce – Find a stretch of road where there are fewer cars – reducing the probability of being hit by a car.
  • Transfer – Get someone else to cross the street, maybe someone more skilled at crossing the road than me.
  • Accept – Now, if it was a busy street, I wouldn’t ‘accept’ the risk. But, if the road allowed for lots of visibility and there were very few cars and there were speed bumps slowing the traffic down to 10mph then I might just accept the risk.

The person I explained this to found this to be a useful exercise in understanding my views on risk management – beyond mitigation. Hope you find this way of explaining it useful too.

» Antony Marcano’s blog

Capabilities

November 2, 2009

Your firm’s Risk Profile is a function of two things, the Opportunities for risk taking and your capabilities.  Using your capabilities, you will choose from your opportunities for risk to get your gross risk exposures. Then your capabilities will again take over and treat your risks to bring them to the net risks.

So your capabilities make two contributions to risk management.

A firm with strong capabilities will find the best opportunities from the choices that the firm has based upon its access to sourcing risks.  Those opportunities will have the most favorable risk reward potential.

Then the strong capabilities will seek to trim the risk through risk treatment, giving up as little return as possible while offsetting or otherwise reducing returns as much as possible.

A firm that wants to increase its capabilities has three choices:  Acquiring, Partnering or Training.

Risk capabilities can be Acquired in bulk by acquiring a firm with good capabilities, or by hiring one risk professional at a time.  With Partnering, the firm gets help from the partner who could be a consulting firm or an intermediary.  By using Training to acquire capabilities, the firm seeks to add capabilities to existing staff.

Each possibility has different short and long term costs and each has different levels of dependability and time to start up.

An Al-Chet for Risk Managers:

October 8, 2009

From James McCallum

I was not strong enough to stand up to my boss

I put selfish gain ahead of ethical considerations

I falsified or hid data to conceal results

I failed to be objective

My risk model was too subjective

I ignored warning signs

I was in over my head

I did not understand all the risk factors

I failed to get an outside opinion

I was beholden to monetary gain

I was victim to group think

I placed institutional interest before ethical considerations

I failed to admit I was wrong

I was not honest with regulators

I was not honest with shareholders

I looked the other way

I failed to act

I conveniently overlooked infractions

I turned a blind eye to irregularities

I made exemptions

I did not understand the depth of the problem

I know there are many more.

Please help me to uncover, understand, make right and overcome.

Shalom

From

Audit, Risk & Controls Community Blog

ERM Role in Implementing a Winning Acquisition Strategy (2)

October 8, 2009

From Mike Cohen

Part 2

(Part 1)

Execution of an Acquisition Strategy Goes Through Several Stages and Involves Many and Varied Complex, Interrelated Business Issues (they must be performed well, and there are numerous junctures where things can go awry … suggesting that many potential risks need to be addressed, and more effectively than they typically are)

– Defining the business case

Considering the corporate strategy and the resulting (ideally enhanced) business model

* Fit vs. conflict

* Synergies; potential synergies are frequently overstated

* Diversification

– Assessing market opportunities and competitive dynamics

* Products

* Distribution

* Markets/segments

* Brand/reputation

– Financial impact

* Earnings

* Capital

* Economic value

* Assessment of an appropriate price

– Investments

* Asset classes

* Loss positions

* Liquidity

– Operational fit (or problematically, the need to ‘fix’ the target’s operations)

* Technology

* Administration

* Core competencies

– Integrating the target: melding the two organizations so that they can perform effectively together, while mitigating risk, volatility and confusion to the greatest extent possible

Q: Is an acquisition strategy a core competency of your company … can you execute such a transaction successfully?

Due Diligence Performed on any Acquisition Target: A Critical Activity on the Strategic and Tactical Levels

– Valuation, impact on future financial results

– Management/staff

– Profitability of new (potential), existing business

– Competitive market position; product management, distribution capabilities

– Synergies: strategic, operational, financial, market/product/distribution

– Investments

– Expense structure (opportunities for increasing efficiency and/or cost reduction)

– Technological capabilities or possible lack of fit

– Contractual obligations

– Areas of risk or uncertainty

Many acquisitions are viewed retrospectively as failures. A lack of accurate evaluation of/objectivity about prospective acquisition targets (using ‘rose-colored glasses’ leads many (most?) acquirers to have unrealizable goals for their transactions, and as a consequence the end results (strategic, financial or otherwise) do not meet expectations.  There is a considerable level of risk to the acquirer if the due diligence process is not conducted with sufficient accuracy and objectivity.

Evaluating the Capabilities of an Organization to Execute Successful Acquirer: Being a successful acquirer requires a number of skills and mind-sets:

– Knowing one’s own corporate vision, mission, strategy and operating model, and how  acquisitions complement them

– Having a disciplined approach: evaluating fit, paying an appropriate price based on economic value, both current and future

– Performing careful, accurate and objective due diligence on the target company and management counterparts … caveat emptor!

– Executing timely, well planned and orchestrated integration activities focus on achieving a favorable operational model and attaining a satisfactory level of cost savings; a number of  companies that acquired positive reputations as acquirers were in fact poor at integrating their acquisition(s), causing their organizations to implode

– Managing the staffs and corporate cultures sensitively. There is considerable amount of research that identifies human resource related issues as the most prevalent causes for acquisition failure; personalities (egos), conflicting management styles and cultures, and different compensation structures are all too common. Proactive conflict resolution is critical to steer the resulting entity past these pratfalls. Open and continuous communication is critical.

The General Lack of Success from Acquisitions is Attributed to Mismanaging One or More Critical Aspects of the Transaction with Material Risk

Strategy

– Incompatible cultures

– Incompatible business models

– Synergy non-existent or overestimated

Due Diligence

– Acquirer overpaid

– Foreseeable problems overlooked

– Acquired firm too unhealthy

– Overlooking aspects of the target where excessive divestiture or liquidation might be required

Implementation

– Inability to manage target

– Inability to implement change

– Clash of management styles/egos

Conclusion

An acquisition is arguably the most difficult business endeavor a company can undertake. This report discussed a considerable number of elements involved in acquisition activity; they are all complex, and there are many junctures in the process where a number of these elements can go awry or reach adverse conclusions, either derailing transactions that could have otherwise been successful or ‘proving’ the efficacy of transactions that upon closer scrutiny could not have succeeded and should have been avoided.

Studies of acquisition activity across all industries (not just insurance) have consistently  found that approximately two-thirds of these transactions yielded unsatisfactory results. One could observe that this is not surprising, as there are so many steps along the way that can turn into insurmountable roadblocks. Considering the myriad of factors that must be performed well, it is clear than sound, pragmatic risk management throughout the process and beyond is critical in order for acquisition activity to succeed

ERM Role in Implementing a Winning Acquisition Strategy

October 4, 2009

From Mike Cohen

Part 1 (of 2)

“Winning bids are made by winning bidders”
Author Unknown

“Is there such a dynamic as The Winners’ Curse?”
Richard H. Thaler

Is an acquisition strategy a positive endeavor for an insurance company? Is it a strategy necessary for the survival of some companies? In these difficult times, even for companies that have a track record of success in this arena, is an acquisition the answer? This report explores the various thought processes that companies go through when they consider an acquisition strategy, explores what activities need to take place in order for an acquisition to be seen as successful, and reflects on the role of enterprise risk management in improving the likelihood of success.

Success: According to Whom?

A property isn’t valued on the same terms by a buyer and a seller. Buyers and sellers are trying to accomplish different things relative to their particular situations:                                                                   – The buyer is trying to enhance his business (ideally strategically, not just financially … although improving one’s financial position at this point time looks very appealing!); on what criteria will the buyer’s acquisition be viewed a success?                                                                                                        – The seller is trying to either raise capital or increase focus; on what terms will the seller’s divestiture be viewed a success?

What can buyers and sellers do to increase their respective chances of success? What role can/should ERM play in these transactions?

Acquisitions as an Element of Corporate Strategy: Various Perspectives

What is the mind–set companies have as they consider acquisition activity?

“We see the opportunity to make suitable acquisitions at the right price as just another way of meeting our corporate objectives”

“We see acquisitions as crucial to achieving our objectives”

“We are an acquisition specialist”

“Our strategy is to make acquisitions and then integrate them effectively”

Which is of these approaches is right for you, if any … and, if so, under what circumstances? Given that acquisition activity in the aggregate has an uneven track record of success, how can acquirers improve their likelihood of success? Have the myriad of risks involved in such complicate endeavors not been understood and dealt with effectively, causing the majority of acquisitions to fall short of expectations?

Companies’ conversations with rating agencies have often revealed ‘curious’ expectations of acquisition activity:

“The deal is ‘fully priced,’ but we did not overpay”

“The deal will work because there is overlap”

“The deal will work because there is no overlap”

“Cultures are similar despite apparent differences”

“Although not accretive, it’s non-dilutive”

“Growth & profit objectives will be met through synergies”

Enhancing an Organization’s Business Model, in General and via Acquisition, to Better Meet Goals and Objectives

Can an Acquisition Be a Driver of Positive Change?

Existing business model   Clear business case for an acquisition  Enhanced business model

A well respected expert on business strategy and planning, Russell L. Ackoff, presented the concept of ‘idealized design” …  the best conceived business model a company can put into place. Does an acquisition help a company make its business model more effective? For this to happen, it must be supportive of the following:

– Mission, Vision: Is the acquisition consistent with the company’s strategic direction?
– Profitability: EPS, ROE, EVA; is the acquisition accretive to financial results, and if not when will it be? Are there dynamics/risks that could prevent attainment of the stated financial objectives?
– Competitive dynamics: Will additional market share provide the ability to dictate competitive terms? Given how fragmented the life insurance industry is, can the largest companies (as large as they are) alter competitive dynamics more in their favor? Does the acquisition enable the company to compete more strongly against powerful competitors?
– Market share: Are economics of scale gained? Is less desirable (unfavorably priced) business being acquired? As said, since most insurance business segments are so fragmented, even after decades of consolidation activity, does market share even matter?
– Is a company’s business profile materially enhanced?
– Is favorable diversification gained? Is focus lost?

Does an Acquisition Make a Company a More Successful Competitor?

– Expanding distribution
– Expanding geographic coverage
– Achieving business growth, scale
– Acquiring/enhancing functional capabilities
– Increasing profits and capital

To be continued …

No Thanks, I have enough “New”

September 24, 2009

It seems sad when 75 year old businesses go bust.  They had something that worked for several generations of managers, employees and investors.  And now they are gone.  How could that be?

There are two ways that old businesses can come to their demise.  They can do it because they stick to what they know and their product or service  (usually) slowly goes out of fashion.  Usually slowly, because all but the most ossified large successful companies can adapt enough to keep going for quite some time, even when faced by competition with a better business model/product or service.  Think of the US auto industry slowly declining for 40 years.

The second way is a quick demise. This usually happens after the old company chooses to completely embrace something completely new.  If their historic business is in decline, many large old firms are on the look out for that new transformational thing.  The mistake that they sometimes make is to be in much too much of a hurry. They want to apply their size advantage to the new thing and start getting economies of scale in addition to early adopter advantages.

The failure rate of new business is very, very high.  A big business that jumps to putting a large amount of its resources into the new business will be transforming a solid longstanding business effectively into a start-up.  But rarely do the big businesses in restart mode deliver anything like start-up returns.  So investors bare the risks of of the start-up with the returns only slightly higher than long term averages.

This is a clear example of when the CEO needs to be the risk manager.  The established firm needs to have a limit for “New” businesses.  The plan for the new business should reflect an orderly transition between the franchise business and what MAY become the new franchise.  This requires the CEO to have a time frame in mind that is appropriate for a business that may have existed before he/she was born and that, if the risks are managed well, should exist long after they are gone.

There are good underlying reasons why the “New” needs to be limited for a company with long term survival plans.  “New” involves several risks that a well established firm may have mastered a generation ago and have relegated to the corporate unconscious.

The first is execution risk.  The established firm will doubtless be excellent at execution of its franchise business.  But the “New” will doubtless require different execution.  An example of this from the insurance industry, when US Life Insurers started into the equity linked products, man of them experienced severe execution problems.  Their traditional products involved collecting cash and putting it into their general fund.  They only provided annual information to their customers if any.  Their administrative systems and procedures were set up within an environment that was not particularly time sensitive.  The money was in the right place, their accounting could catch up “whenever”.   With the new equity linked products, exacting execution was important.  Money was not left in the general fund of the insurer but needed to be transferred to the investment manager within three days of receipt.  So insurers adapted to this new world by getting to the accounting and cash transfers “whenever” but crediting the customer with the performance of their chosen equity fund within the legal 3 day limit.  This worked out fine with small timing delays creating some small gains and some small losses for the insurers.  But the extended bull market of the late 1990’s made for a repeated loss because the delay of processing and cash transfer meant that the insurer was commonly backdating to a lower purchase price for the shares than what they paid.  Some large old insurers who had jumped into this new world with both feet were losing millions to this simple execution risk.  In addition, for those who were slow to fix things, they got hit on the way down as well.  When the Internet bubble popped, there were many, many calls for customer funds to be taken out of the equity funds.  Slow processing meant that they paid out at a higher rate than what they received from their delayed transactions with the investment funds.

The insurers had a well established set of operational procedures that actually put them at a disadvantage compared to start-ups in the same business.

The second is the “unknown” risk.  A firm that has been operating for many years is often very familiar with the risks of its franchise business.  In fact, their approach to risk management for that business may well be so ingrained, that it is no longer considered a high priority.  It just happens.  And the risk management systems that have been in place may work well with little active top management attention.  These organizations are usually not very well positioned to be able to notice and prepare for the new unknown risks that the new business will have.

The third is the “Unknowable”.  For a new activity, product or business, you just cannot tell what the periodicity of loss events or the severity of those events.  That was one of the mistakes in the sub prime market  The mortgage market has about a 15 year periodicity.  Since a large percentage of people operating in the sub prime space were not in that market the last time there was a downturn, they had no personal experience with the normal cycle of losses in the mortgage market.  Then there was the unknowable impact of the new mortgage products and the drastic expansion into sub prime.  It was just unknowable what would be the periodicity and severity of losses in the “new” mortgage market.

So the point is that these things that are observed about the prior “new” things can be learned and extrapolated to future “new” things.

But the solution is not to never do anything “new”, it is to keep the “new” reasonable in proportion to the rest of the organization, to put limits on “new” just like there are limits on any other major aspect of risk.

Project Risk Management

September 11, 2009

A Guest Post from Johann Meeke

Why do most projects overrun on time or cost?

Perhaps it’s because sane people are involved. One of the components of sanity is optimism. (It’s why we are happy to get out of bed each morning – because we think things will be okay). Sane people, trying to anticipate the problems ahead, on a new venture, will most often believe things will be good … and that bad things can be dealt with!

When is a risk a threat and when is it an opportunity?

Imagine you commissioned a new bridge. The week before opening the constructor tells you that it needs to be delayed by 48 hours. Do you cancel the whole project … or just wait 48 hours?  What happens if they come to you and say they can open it early by 24 hours. Do you declare the project a failure? Of course not. But this is the point about project risk. The very essence of what we mean by risk needs to be reflected on. Now the nature of risk is much more uncertain.

Contrast this to an incident where the bridge is built but collapses through poor workmanship. Now there is no doubt about the nature of risk. It’s very clear.

Projects present a particular form of challenge to the risk manager. Firstly, the definition of risk needs to more balanced. Secondly, the processes used to identify and evaluate risk need to be specifically considered and finally the risk mitigation techniques require tailored consideration.

Typically projects have three main risk variables:

  • Price – will you make a profit by building/delivering for less cost that you can eventually sell it for. (Or will you be on budget).
  • Performance – will it work to customer specification, over its entire life (or life of contract obligations)
  • Programme – will you complete on time.

All these variables interact in a positive and negative way. You could deliver early but might have to sacrifice performance and price (by compromising spec or putting more resource, i.e. cost, into the project). You could delay the programme (a negative) by reducing costs (normally a positive).

What is actually happening is a trade-off between threat and opportunity in a manner that’s doesn’t happen so directly in most others areas of risk management.

For example, installing automatic sprinklers in a factory doesn’t provide a direct opportunity to earn more profit. It might protect the profit you have projected. But as can be seen above, trading off programme and performance risk, on a project, might lead to directly increased profits (because costs have been reduced through less overtime working for example).

The reason this point has been concentrated on is because there is a strong tendency to assume project risk management is just like any other form of risk management – with just a few more time and cost constraints.

So what are the main differences in managing risk?

Well, for this article we will ignore those risks that can be subject to some form of preconception e.g. building site health and safety where normal safeguards should be applied. Let’s instead focus on the unique aspects.

Risk identification

By definition a project is a new thing. Whether developing a new product, building a new factory or installing a new IT system – it will never have been done before, under quite the same circumstances. You may have built a similar factory nearby, but the ground conditions will be different, the neighbours, the weather, key staff might have left and so it goes on.

In short, you can learn from the past but the future consists of potentially significant new elements. Therefore, whilst you can rely on checklists and lessons learned you will also have to consider the unknowns that have never been encountered in quite the permutation you will come across. For this reason, some form of multi-disciplinary “brainstorming” or scenario envisaging should take place. This will allow you to comprehensively explore the future and how it might manifest itself. The multidisciplinary approach allows quick identification of risks that arise through a combination of circumstance or that might fall through gaps.

Risk Assessment

Determining downside threat without also calculating upside opportunity would make a project risk management exercise like a car with brakes but no engine. For example, considering the costs of project overrun will give one view of management action – however, looking at the potential benefits of delivering early (e.g. improved cash flow, availability of staff for other projects, project bonuses etc.) will give a completely different emphasis. Blending the upside/downside trade-offs between performance, programme and price is the very essence of good project management.

Risk  Treatment or Mitigation

Dealing with risk here is more than ensuring compliance. It is about having the correct upside and downside KPI’s. it’s about integrated contract negotiation with proper project monitoring. It is about mitigation that starts at the bid phase with clear contracts and a thorough understanding of what needs to be done, by whom and by when. It’s about having the right staff and material, when and where needed. In short, it’s a whole world of complex interactions requiring experience and skill, underpinned by robust processes.

Some concluding thoughts

How does one tell a good project risk management process from a mediocre one?

Perhaps the most obvious indicator is where the risk management starts when the project starts. In reality it should have started at the bid or inception phase.

On other occasions it has actually occurred at the bid phase – but has never been integrated into the project plan after contract start.

But perhaps the best indicator of all is a bit more personal. Most project risk assessments are de-humanised. It’s the modern way as we search for the commanding heights of objectivity. But imagine the effect of an excellent project manager versus an average one. Would it affect timings, costings, relationships. You bet. If your project risk management hasn’t even assessed this most obvious of risks then I suggest it is back to the drawing board.

Multi dimensional Risk Management

August 28, 2009

Many ERM programs are one dimensional. They look at VaR or they look at Economic Capital. The Multi-dimensional Risk manager consider volatility, ruin, and everything in between. They consider not only types of risk that are readily quantifiable, but also those that may be extremely difficult to measure. The following is a partial listing of the risks that a multidimensional risk manager might examine:
o Type A Risk – Short-term volatility of cash flows in one year
o Type B Risk – Short-term tail risk of cash flows in one year
o Type C Risk – Uncertainty risk (also known as parameter risk)
o Type D Risk – Inexperience risk relative to full multiple market cycles
o Type E Risk – Correlation to a top 10
o Type F Risk – Market value volatility in one year
o Type G Risk – Execution risk regarding difficulty of controlling operational losses
o Type H Risk – Long-term volatility of cash flows over five or more years
o Type J Risk – Long-term tail risk of cash flows over 5 five years or more
o Type K Risk – Pricing risk (cycle risk)
o Type L Risk – Market liquidity risk
o Type M Risk – Instability risk regarding the degree that the risk parameters are stable

Many of these types of risk can be measured using a comprehensive risk model, but several are not necessarily directly measurable. But the muilti dimensional risk manager realizes that you can get hurt by a risk even if you cannot measure it.

VaR is not a Bad Risk Measure

August 24, 2009

VaR has taken a lot of heat in the current financial crisis. Some go so far as to blame the financial crisis on VaR.

But VaR is a good risk measure. The problem is with the word RISK. You see, VaR has a precise definition, RISK does not. There is no way that you could possible measure an ill defined idea as RISK with a precise measure.

VaR is a good measure of one aspect of RISK. Is measures volatility of value under the assumption that the future will be like the recent past. If everyone understands that is what VaR does, then there is no problem.

Unfortunately, some people thought that VaR measured RISK period. What I mean is that they were led to believe that VaR was the same as RISK. In that context VaR (and any other single metric) is a failure. VaR is not the same as RISK.

That is because RISK has many aspects. Here is one partial list of the aspects of risk:

Type A Risk – Short Term Volatility of cash flows in 1 year
Type B Risk – Short Term Tail Risk of cash flows in 1 year
Type C Risk – Uncertainty Risk (also known as parameter risk)
Type D Risk – Inexperience Risk relative to full multiple market cycles
Type E Risk – Correlation to a top 10
Type F Risk – Market value volatility in 1 year
Type G Risk – Execution Risk regarding difficulty of controlling operational losses
Type H Risk – Long Term Volatility of cash flows over 5 or more years
Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
Type K Risk – Pricing Risk (cycle risk)
Type L Risk – Market Liquidity Risk
Type M Risk – Instability Risk regarding the degree that the risk parameters are stable
(excerpted from Risk & Light)

VaR measures Type F risk only.


%d bloggers like this: