Hierarchy Principle of Risk Management

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

• Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
• Jerome Kerviel at Soc Gen was doing the same.
• The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

1. it works to systematically determine the significance of all risk decisions, 
2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM have been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Advertisement

Align Risk Management with Strategic Goals

The Project Management Institute says that projects are 20% more successful if they seek to support company strategic goals rather than project specific goals as their primary focus.

That sounds like something that may be an extremely important idea to bring into risk management.

Risk Management should focus primarily upon company strategic goals rather than specific risk goals.

How does that sound to you?  Riskviews imagines that at least some readers are immediately reacting that this idea will not work because the company does not have a strategic goal that would support their function.

And that sounds like a major insight about organizational engagement in and support for risk management.  If risk management does not directly support one or more of the strategic goals of the firm, that speaks volumes about what will happen when there is a conflict between something that IS aligned with the strategic goals and risk management.

The story of MF Global is an extreme example of this conflict.  The management (read CEO) actions of MF Global were totally outside of the agreed upon risk appetite.  The CRO brought that to the board attention and the board decided that those actions supported the goals of the organization, while adherence to the risk appetite was of lesser importance.  The CRO left and the actions eventually led to the destruction of the firm.

Here is an example of the Mission and Vision Statements of an insurer

Mission Statement Providing financial security by keeping our promises.

Vision Statement To build a thriving financial services organization that stands the test of time.

Risk management definitely has plenty of room in that firm to align with the mission and vision of the firm.  “keeping our promises” and “standing the test of time” are both clearly statements about how the organization intends to handle risk.  The mission and vision of that firm cannot be met without risk management.

Here is the mission and vision statements of JP Morgan Chase

“At JPMorgan Chase, we want to be the best financial services company in the world. Because of our great heritage and excellent platform, we believe this is within our reach.”

“To provide unparalleled service to our clients by empowering them with strong analytical insights that enable them to more effectively manage their human assets.

It is not clear to Riskviews whether or not risk management activities are called for at all with that mission and vision statement.

So if you are wondering what might happen when there is a conflict between risk management and a business activity look to your firm’s mission, vision and strategic objectives.  If you do not see risk management there, you have your answer well in advance of any future conflict.

10 ERM Questions from an Investor – The Answer Key (2)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

2.  One of the large banks that is no longer with us had, on paper, a complete ERM system with a board risk committee that they reviewed their risk reports with every quarter.  But in 2007, when the financial markets were starting to crack up, their board risk committee had not met for more than six months.  The answer to this question is the difference between a pretend ERM system and a real risk system.  The time spent should be proportionate to the complexity of the risk positions of the firm.  For the banks with risk positions that are so complex that they feel that they cannot possibly find enough paper to disclose them, there needs to be much more board time spent, since investors are relying on board oversight rather than market discipline to police the risk taking.  Ask Bernie what you can get away with if there is no disclosure and no oversight.

Many CEOs will tell you that the board has always spent plenty of time talking about risk.  This might be true.  But the standard now is for boards to have a formal risk committee.  Boards that have simply added risk to the Audit committee’s agenda ends up short changing either audit or risk or both.  The Audit Committee had a full plate before the Risk responsibility was added.

And for a larger complex firm, a single annual risk briefing on risk is definitely not sufficient.  For a firm with an ERM program, the board needs to review the risk profile, both actual and planned for each year, approve the risk appetite, approve the ERM Framework and policies of the firm, review the risk limits and be informed of each breach of the limits or policies of the firm.  If the firm has an economic capital model, the model results need to be presented to the board risk committee each year and updated quarterly. Risks associated with anything new that the company is doing would be presented as well.

Does that sound like anything other than a full committee?  So your follow up question, if the CEO gives a vague answer is to ask about whether the board reviewed each of the items listed in the preceding paragraph in the past year.

Back to that former bank.  Their risk reports showed a massive build up in risk in violation of board approved limits.

And the board risk committee saved time by not meeting during the period of that run up in risk.

10 ERM Questions from an Investor – The Answer Key (1)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

1.  The first step in real risk management is to be able to think of the firm from a risk point of view.  Any CEO can do that from a sales point of view and from a profits point of view.  They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line.  Those statistics are a part of the sales profile and the profits profile.  A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile.  Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet.  So this question is first and most important.  The CEOs who are most likely to be unable to answer this question are the leaders of larger more complex companies.  The investor need to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business.  Risk really is a key issue.  A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to.  That may work out fine for the company and the investors.  If they are lucky.

Systemic Risk, Financial Reform, and Moving Forward from the Financial Crisis

A second series of essays from the actuarial profession about the financial crisis.  Download them  HERE.

A Tale of Two Density Functions
By Dick Joss

The Systemic Risk of Risk Capital (Or the "No Matter What" Premise)
By C. Frytos &I.Chatzivasiloglou

Actuaries and Assumptions
By Jonathan Jacobs

Managing Financial Crises, Today and Beyond
By Vivek Gupta

What Did We Learn from the Financial Crisis?
By Shibashish Mukherjee

Financial Reform: A Legitimate Function of Government
By John Wiesner

The Economy and Self-Organized Criticality
By Matt Wilson

Systemic Risk Arising from a Financial System that Required Growth in a World with Limited Oil Supply
By Gail Tverberg

Managing Systemic Risk in Retirement Systems
By Minaz Lalani

Worry About Your Own Systemic Risk Exposures
By Dave Ingram

Systemic Risk as Negative Externality
By Rick Gorvette

Who Dares Oppose a Boom?
By David Merkel

Risk Management and the Board of Directors–Suggestions for Reform
By Richard Leblanc

Victory at All Costs
By Tim Cardinal and Jin Li

The Financial Crisis: Why Won't We Use the F(raud) Word?
By Louise Francis

PerfectSunrise–A Warning Before the Perfect Storm
By Max Rudolph

Strengthening Systemic Risk Regulation
By Alfred Weller

It's Securitization Stupid
By Paul Conlin

I Want You to Feel Your Pain
By Krzysztof Ostaszewski

Federal Reform Bill and the Insurance Industry
By David Sherwood

Risk Management Success

Many people struggle with clearly identifying how to measure the success of their risk management program.

But they really are struggling with is either a lack of clear objectives or with unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the join responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieve diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one that they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Integrating ERM and Value Based Management

from Jean-Pierre Berliet

The global financial crisis has reduced the market capitalization and price to book ratios of property/casualty insurance companies dramatically. According to a study published by Bank of America Merrill Lynch in August 2009, the S&P P/C index was trading at a 1.0 price/book ratio at that time, sharply down from a 1.4 average over the last three years and a 1.6 over the last 20 years. The updated historical valuations report published in August 2010 indicates that the S&P P/C index was trading at a 1.1 price/book ratio at that time. Excluding Progressive, companies in the Merrill Lynch index were trading then at an average price/book ratio of .89. This data suggests that the industry lost credibility with investors in 2008-2009 and has failed so far to persuade them that it is positioned to resume growing profitably in an uncertain rate environment.

Ironically, the crisis started just a few years after rating agencies began to include an assessment of the effectiveness of enterprise risk management (ERM) in their rating decisions and after they had given most insurers passing grades or above. It is clear now that ERM did not prevent a number of insurance companies from overextending themselves. Investors have concluded that risk management failed broadly and is disconnected from business strategy. They are justified in wondering whether risk management frameworks and processes of insurance companies will be more effective in the present lower volume and lower rate environment. Under such expected market conditions, investors are concerned that companies might lack discipline and write business at inadequate rates in order to achieve their premium volume objectives.

More generally, investors are concerned that strategic planning frameworks of many insurance companies are “expected value” focused, and are thus myopic about risk. In addition, investors are also aware that design weaknesses of ERM frameworks cause many executives i) to distrust “ex-post” decision signals provided by risk adjusted management performance metrics and ii) often to ignore resulting decision signals to redeploy capital or optimize asset allocation and reinsurance strategies. The existence of significant weaknesses in strategic planning and ERM frameworks and management processes explains why establishing tight and credible linkages between ERM and business strategy decisions is problematic and why ex-post measurement of risk adjusted performance is not viewed by investors as helpful. Just like the cleaning up of risks that manifested themselves, such as catastrophes and investment losses, ex-post risk management accomplishes only little, too late, and at great cost.

To respond to concerns of investors, insurance companies need to make their strategic planning and ERM frameworks capable of addressing credibly, and in a mutually consistent manner, the risk management issues raised and business strategy decisions impacted by the asymmetrical distribution of the financial results of insurance businesses. Investors believe, in particular, that risk management would create more value if i) risk insights guided the management and deployment of a company’s risk capacity “ex-ante”, that is before insurance policies were bound or investment decisions were made, and ii) strategy decisions about risk assumption and accumulations always took into consideration the adequacy of insurance rates and changes in market volume

These considerations call for the integration of value and risk governance frameworks and management processes in insurance companies. In the absence of such integration, there will be an enduring disconnect between strategy and risk management, and neither value based management (VBM) nor ERM will be credible or effective.

To be effective, the integration framework must recognize that, in insurance businesses, the cost of risk is known only after contracts have expired and related liabilities have run off. This unique peculiarity of loss costs, the raw material of insurance businesses, makes ex-post risk management a contradiction in terms. It places risk issues at the core of strategy development and execution. To achieve the needed integration of ERM and VBM, insurance companies must be careful to develop and establish distinct but tightly aligned:

• Governance frameworks for VBM and ERM, that specify the respective roles and responsibilities of the Board of Directors, external advisers, and Senior Management with regard to the development and approval of a company’s business mission and strategic plan, including i) the evaluation of risk return trade-offs, ii) the setting of financial objectives, iii) the oversight of strategy execution, and iv) accountability for results
• Managerial frameworks and processes capable of ensuring alignment of business strategy and risk management decisions across risk types, operational activities and products or markets.

Risk management must not be an afterthought in insurance businesses. An insurance company needs to establish “ex-ante” risk management as an essential foundation for the effective integration of its VBM and ERM frameworks. Ex-ante risk management is based on the observation that, together, risk assumption and accumulation functions in insurance companies are analogous to production in industrial companies. A properly designed risk management framework that supports “ex-ante” management of risk exposure accumulations should help an insurance company:

• Achieve loss costs and earnings volatility advantages
• Reduce both the amount and the cost of the capital they require
• Support effective development and execution of its business strategy

Such possibilities make “ex-ante” risk management concepts and tools and risk capacity management as important to business strategies of insurance companies as scale, equipment and machinery specialization, flexible automation and outsourcing, i.e. production strategy elements, are to business strategies of industrial companies. Notably, ex-ante risk management requires insurance companies to develop and use insights about risks that can provide a competitive advantage. Unlike cost reduction, product or service enhancements or pricing initiatives, risk insights and the underlying ability to compete on analytics, cannot be easily or rapidly duplicated by competitors. They can thus enable insurance companies to achieve more enduring margin improvements and escape for a while the strategic stalemate conditions under which they operate in many businesses.

To restore their credibility, insurance companies need to persuade investors that “ex-ante” risk management will support effective strategy implementation and drive risk capacity deployment, thereby improving financial performance. To accomplish the required alignment of risk capacity management, risk taking and business strategy management, companies need to establish the following three distinct but tightly integrated frameworks for:

• Measuring and assessing risk capacity utilization
• Addressing financial risk concerns of external stakeholders
• Deploying and leveraging risk capacity.

Integration of these frameworks would be effected through development of risk limits by line of business and business segment. Such risk limits would provide an insurance company a means to i) drive and control the deployment of its risk capacity toward uses that are projected to meet the return expectations and risk tolerances of its external stakeholders, ii) develop performance metrics needed to assess risk and return trade-offs of alternative strategies and align risk capacity management and business strategies and iii) improve risk capacity utilization and enhance financial performance.

To establish and use these frameworks, insurance companies need to integrate risk insights that emerge at the intersection of actuarial analysis, underwriting expertise, strategy analysis and financial simulation.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Increasing the Valuation of P/C Insurance Companies

From JP Berliet

The financial crisis demonstrated that risk management had not been working effectively in many insurance companies. As a result, investors lost confidence and reduced their exposure to the industry, thereby causing valuations of companies to decline more than market averages and their cost of capital to increase.

In addition, continuing weakness in the economic environment have been exacerbating pressures on premium rates and competition in most lines. These factors are leading investors to expect that the financial performance of many companies is unlikely to improve in the short term or might even decline, thereby generating additional pressures on valuations. At present, insurance companies thus face a double challenge to:

• Identify and pursue opportunities to enhance their intrinsic value by increasing profitability and growth
• Restore the confidence of investors, to reduce their cost of capital and convert financial results into higher company valuations.

The “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper outlines an approach that insurance companies can use to meet this double challenge.

To enhance their intrinsic values, insurance companies need to develop sharper risk insights that they can use to:

• Achieve loss costs and earnings volatility advantages relative to their competitors
• Reduce both the amount and the cost of the capital they require
• Identify and pursue opportunities to grow profitably.

Success in these areas is unlikely to be sufficient, however, to restore investors’ confidence in companies in which governance and management process weaknesses cause investors to discount expected financial results more heavily. The briefing paper implies that the crisis caused the valuation of many companies to suffer from such discounts, including:

• Governance discounts reflecting imbalance in addressing solvency risk concerns of customers, creditors and regulators relative to value risk concerns of shareholders
• Credibility discounts resulting from misalignment of companies’ risk management and business management processes and strategies
• Resilience discounts due to the opaqueness of financial statements and business strategies, which prevent investors to assess a company’s risk of financial distress.

To reduce governance, credibility and resilience discounts imposed by investors, insurance companies need to restore investors’ confidence by remedying underlying weaknesses in their risk and value management frameworks.

The following sections suggest how insurance companies should go about this as well as enhancing their intrinsic value, thereby creating for shareholders value enhancements that compound each other.

Increasing intrinsic value

Insurance companies can use data about risk exposures and analytics to develop and implement underwriting, pricing, claim settlement and renewal strategies that provide an economic advantage relative to competitors and increase their intrinsic value by:

• Achieving favorable risk selection, i.e. building portfolios with lower expected losses and lower loss volatility
• Reducing the capital required to support risk assumption activities
• Lowering their cost of capital.

Since risk insights are not directly observable, they cannot be easily duplicated by competitors and can provide a more sustainable competitive advantage than improvements in products or service that can be readily emulated. Risk insights can help companies achieve margin increases that increase their intrinsic value. However, strategies that increase financial performance and intrinsic value will not necessarily increase company valuations and realized returns for shareholders. For valuations and realized returns to increase, intrinsic value enhancements need to be seen by investors as consistent with their investment objectives and risk tolerance.

Establishment and maintenance of the risk data infrastructure, analytical tools, decisions rules and reporting mechanisms required for companies to compete on analytics is arduous, slow and costly, but can lead to value creation breakthrough and opportunities for continuing growth. Conversely, companies that do not set out on this path should expect to be trapped in strategic stalemates and to experience declining financial performance. There are few less stark choices for Management and Board of Directors to contemplate.

Reducing governance discounts

Shareholders of insurance companies lost billions of dollars in value as a result of the financial crisis. They doubt that risk management fixes and tightening of prudential regulations can address their concerns about risks to the value of their investment in insurance companies. From their point of view, these fixes and tighter regulations appear to be designed to address risks of insurance businesses that can cause insolvency and are of primary concerns to customers, other creditors and regulators.

Investors believe that many of the weaknesses in risk governance frameworks and risk management revealed by the crisis result from:

• Failure effectively to manage differences in risk concerns of shareholders and other stakeholders
• Misalignment of risk tolerances, risk policies, risk limits and risk management strategies
• Management By Objectives frameworks, policies and processes that rest on aggressive, but inappropriate, performance targets and generate moral hazard.

Investors readily conclude that these weaknesses are likely to continue to hamper the financial performance of many insurance companies and that they need to impose a “risk governance” penalty on companies’ results and prospects when assessing their value.

Even though the existence and magnitude of this risk governance discount have not been formally confirmed by research, observations of investors’ response to the crisis suggest that this discount has been contributing significantly to the relative decline in the valuation of insurance companies. The associated valuation penalty should not be expected to decrease until risk management becomes demonstrably more central to strategy development and execution and is seen to address value risk concerns of shareholders more effectively.

In companies where risk management has been a peripheral, compliance driven activity, the needed change in perspective and management processes will be challenging.

Reducing credibility discounts

The crisis demonstrated that there were significant disconnects between insurance companies’ risk assessment capabilities and their business decisions. It revealed that, in many if not even most companies, risk management frameworks:

• Focus predominantly on financial risks and the resulting solvency risk concerns of customers, rating agencies and regulators, customarily over a one year horizon
• Are designed to assess and ensure a company’s capital adequacy but not to help manage its cost of capital
• Are not capable of integrating the impact of operational risks and strategic risks that can expose shareholders to significant losses in the value of their holdings
• Assume that companies can raise funds in the capital market as needed to support their ratings and continue writing business on competitive terms
• Understate the amount of capital required to support a company’s value as a going concern
• Ignore systemic risk.

Investors understand that these weaknesses of risk and management frameworks prevent insurance companies to meet the risk tolerance concerns of their stakeholders, especially shareholders. They have lost confidence and have been adding a significant penalty, in the form of an implicit “credibility discount” to the terms on which they now make capital available to companies.

Insurance companies need to address each of the weaknesses identified above. It will take some time, probably years, for companies to demonstrate that the required framework and process enhancements improve risk and business management decisions, consistently. Insurance companies that do will benefit from a reduction of their credibility discount that will enhance their valuation.

Reducing resilience discounts

Companies that need to raise capital during a financial crisis can suffer crippling losses in value through dilution of shareholders interests and can become vulnerable as acquisition targets. Companies can rapidly lose their ability to control their destiny, especially if and when investors lose confidence and impose a “resilience discount” on their valuations. Companies are not defenseless, however, because they can bolster their inherent resilience in anticipation of potential crises by:

• Maintaining enough capital to remain solvent and protect their ratings under conceivable stress scenarios, at a high confidence level. Ideally, they should ensure that their capital is large enough to provide i) a buffer against the incidence of risks that are difficult to measure or unknown and ii) a strategic reserve to take advantage of unforeseen opportunities (e.g. acquisitions)
• Achieving a high valuation and a sustained record of meeting shareholders’ return expectations. This creates a virtuous circle in which a higher valuation earned as a reward for good financial performance mitigates the resilience discount, thereby increasing valuation further. Companies with a sustained record of good performance have the credibility needed to raise capital on acceptable terms when markets recover. Meanwhile, companies without such a record and credibility may not be able to do so or may have to accept more onerous terms.

It is thus important for an insurance company to:

• Demonstrate that it can be relied on to achieve shareholders’ earnings expectations, while also meeting their earnings volatility constraint

• Increase the transparency of its risk, capital and strategy decisions.

Doing so will help an insurance company persuade investors that it is resilient and, over time, reduce its resilience discount.

Conclusion

Although risk is the primary driver of value creation in insurance businesses, risk can also destroy value. Ideally, management must balance these opposing effects of risk.

The “Risk Management and Business Strategy” briefing lays out how a company should accomplish a desirable balance between risk and return by:

• Focusing its risk governance framework and risk management processes on meeting both the solvency risk concerns of customers, creditors, rating agencies and regulators as well as the critical value risk concerns of shareholders
• Using analytics to develop tools that lead to sharper risk insights, tighter alignment of risk and business decisions and strategies that increase its financial performance and valuation.

In the aftermath of the crisis, however, insurance companies are facing skeptical investors, many of whom have lost confidence in the industry. To overcome this skepticism and get the full valuation benefit from strategies that increase their intrinsic value, insurance companies need to:

• Meet shareholders’ return expectations and risk tolerance constraints consistently, by utilizing risk insights from well developed risk management frameworks and processes that can integrate Enterprise Risk Management and Value Based Management more tightly
• Correct weaknesses in governance frameworks, management processes and capabilities that are perceived as creating risks for investors.

Insurance companies can regain investors’ confidence, and might shorten the time needed to do so by using the framework presented in the briefing to develop their priorities and action plan. Once progress is demonstrated, reductions in investors’ discounts will increase the companies’ valuation multiples and compound returns from enhancements in intrinsic value for shareholders.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

Survival of the Firm is not Mandatory

Is that idea really understood by top management and the board?

Does the board leave every meeting certain that the firm will still be in business when the next scheduled board meeting comes around?  How did they get to that certainty?

Can management tell them the likelihood that the firm will experience a fatal loss and how much that likelihood has changed since the previous board meetings?

Can management tell them exactly what sorts of events could put the firm out of business?  Have they discussed the sorts of “highly unlikely” events that might take the firm down if they suddenly did happen?

Those are, of course, the conversations that the board might well demand to have if they really understood that Survival is not Mandatory.

Responsibility for Risk Management

Who should have responsibility for risk management?

Is it the CRO? Is it the Business Unit Heads? Is it everyone? or is it the CEO (As Buffet suggests)?

My answer to those questions is YES. Definitely.

You see, there is plenty of risk to go around.

The CEO should be responsible for the Firm Killing Risks. He/She should be the sole person who is able to commit the firm to an action that creates or adds to a firm killing risk position. He/She should have control systems in place so that they know that no one else is taking and Firm Killing Risks. He/She should be in a constant dialog with the board about these risks and the necessity for the risks as well as the plans for managing those sorts of risks.

At the other end of the spectrum, there are the Bad Day Risks. Everyone should be responsible for their share of the Bad Day Risks.

And somewhere in the middle are the risks that the CRO and Business Unit Heads should be managing. Those might be the Bad Quarter Risks or the Bad Year Risks.

As the good book says, “To each according to his ability”. That is how Risk Management responsibility should be distributed.

Reconciling Risk Concerns

From Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM were shown to reconcile the risk concerns of policyholders and shareholders.

Creditors, including policyholders, and rating agencies or regulators whose mission it is to protect creditors, and shareholders are all interested in the financial health of an insurer, but in different ways. Creditors want to be assured that an insurance company will be able to honor its obligations fully and in a timely manner. For creditors, the main risk question is: what is the risk of the business? This is another way to ask whether the company will remain solvent.

Shareholders, however, are interested in the value of the business as a going concern, in how much this value might increase and by how much it might decline. For shareholders, the main risk question is: what is the risk to the business? Shareholders are interested in what ERM can do to increase and protect the value of their investment in a company. While both creditors and shareholders are interested in the tail of the distribution of financial results, as an indicator of solvency risk, shareholders are also very interested in the mean of these financial results and their volatility, which could have an adverse impact on the value of their investment.

Policyholders and shareholders’ views are different but not incompatible: a company could not stay in business if it were not able to persuade regulators that it will remain solvent and should be allowed to keep its license, or obtain from rating agencies a rating suitable for the business it writes.  Its value to investors would be significantly impaired..

Insurers recognize that the main drivers of their risk profile are financial risks, including insurance risk accumulations and concentrations, and the related market risk associated with their investment activities. They understand that resulting risks are best controlled at the point of origination through appropriate controls on underwriting and pricing and through reinsurance and asset allocation strategies that limit the volatility of financial outcomes. Stochastic modeling is being used more broadly by companies to understand how such risks accumulate, interact and develop over time and to evaluate strategies that enhance the stability of outcomes. Capital adequacy is the ultimate defense against severe risk “surprises” from insurance and investment activities. It is of interest to policyholders who want to be certain to collect on their claims, but also to shareholders who want assurance that a company can be viewed as a going concern that will write profitable business in the future.

Methodologies used by rating agencies on behalf of creditors describe in detail how the rating process deals with the three main drivers of a company’s financial position and of the volatility (risk) of this position. In response to rating agency concerns, insurance companies focus on determining how much “economic capital” they need to remain solvent, as a first step toward demonstrating the adequacy of their capital. Analyses they perform involve calculation of the losses they can suffer under scenarios that combine the impact of all the risks to which they are exposed. This “total risk” approach and the related focus on extreme loss scenarios (“high severity/low frequency” scenarios) are central to addressing creditors’ concerns.

To address the solvency concerns of creditors, rating agencies and regulators and the value risk of shareholders, insurance companies need to know their complete risk profile and to develop separate risk metrics for each group of constituents. Knowledge of this risk profile enables them to identify the distinct risk management strategies that they need to maintain high ratings while also protecting the value of their shareholders’ investment. Leading ERM companies have become well aware of this requirement and no longer focus solely on tail scenarios to develop their risk management strategies.

(more…)

LIVE from the ERM Symposium

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

• Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
• BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
• The world is not linear.  You cannot project the macro effects directly from the micro effects.
• Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.

• For merger of mature businesses, cultural fit is most important.
• For newer businesses, retention of key employees is key

• Modelitis = running the model until you get the desired answer
• Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
• Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
• Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
• We will always have some regulatory arbitrage.
• Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
• Economics has been dominated by a religious belief in the mantra “markets good – government bad”
• Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
• it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
• Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
• Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
• Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
• People with bad risk models will drive people with good risk models out of the market.
• Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
• It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
• If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
• You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

Concentration of Power Risk

 

Guest Post from Max J. Rudolph, FSA CERA CFA MAAA

Rudolph Financial Consulting

A risk that we never talk about has become the elephant in the room. Some would call this ego risk, but at most institutions decision making occurs primarily at only the highest levels. It has been a year since I wrote a financial essay titled Does Your Company Need a Chief Skeptical Officer? I don’t think it has gotten any better. This is not due to poor goal setting. These senior officers believe they are doing what is best for their firm. Unfortunately, all of us tend to fall in love with our best ideas. We see that when we invest, where we hold losers far too long. When a manager has worked hard for a long period of time to develop an opportunity it can gain such momentum that it can’t be stopped no matter how poor the idea or the timing for the idea is. Many companies continued to write loans that previously had been securitized while liquidity in this market dried up. Others threw good money after bad on commercial real estate properties while existing properties were sitting vacant. There are very few companies that have instilled this skepticism in their risk culture. Berkshire Hathaway is one, where both Warren Buffett and Charlie Munger are comfortable in their own views and are encouraged to say what they think to each other. It will be interesting to see if this culture extends to the next generation of leaders at this highly successful firm. One way to ensure this is to practice consistent pricing discipline. When an opportunity comes about, the same financial analysis should always occur. This will include setting risk appetite, hurdle rates, and capital. It will not include having the CEO override the discussion.

There is no momentum to create this type of culture. Perhaps it should be developed at the board level with independent ERM experts providing the process and bringing in specific topic experts to anonymously consider these risks.

Warning: The information provided in this Post is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!

©2009 Rudolph Financial Consulting, LLC

Crisis Pre-Nuptial

What is the reaction of your firm going to be in the event of a large loss or other crisis? 

If you are responsible for risk management, it is very much in your interest to enter into a Crisis Pre-Nuptial. 

The Crisis Pre-Nuptial has two important components. 

1. A protocol for management actions in the event of the crisis.  There is likely a need for there to be a number of these protocols.   These protocols can be extremely valuable, their value will most likely far exceed the entire cost of a risk management function.  Their value comes because they eliminate two major problems that firms face in the event of a crisis or large loss.  First is the deer in the headlights problem – the delay when no one is sure what to do and who is to do it.  That delay can mean that corrective actions are much less effective or much more expensive or both.  Second is the opposite, that too many people take actions, but that the actions are conflicting.  This again increasses costs and decreases effectiveness.  Just as with severe medical emergencies, prompt corrective actions are almost always more likely to have the most favorable results. 
2. Setting up an expectation that the crises and losses either are or are not an expected part of the risks that the firm is taking.  If the firm is taking high risks, but does not expect to ever experience losses, then there is a major disconnect between the two.  Just as a marital pre-nuptial agreement is a conscious acknowledgement that marriages sometimes end in divorce, a Crisis Pre-Nuptial is an acknowledgement that normal business activity sometimes involves losses and crises. 

Risk managers who have a Crisis Pre-Nuptial in place might, just might, have a better chance to survive with their job in tact after a crisis or large loss. 

And if someday, investors and/or boards come to the realization that firms that plan for rainy days are, in the long run, going to be more valuable, the information that is in the Crisis pre-nuptial could be very important information for them.

Lessons for Insurers (1)

In late 2009,  the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

1. The success of ERM hinges on a strong risk management culture which starts at the top of
a company.

This seems like a very simple statement that is made over and over again by most observers.  But why is it important and why is it very often lacking?

First, what does it mean that there is a “strong risk management culture”?

A strong risk management culture is one where risk considerations make a difference when important decisions are made PERIOD

When a firm first adopts a strong risk management culture, managers will find that there will be clearly identifiable decisions that are being made differently than previously.  After some time, it will become more and more difficult for management to notice such distinctions because as risk management becomes more and more embedded, the specific impact of risk considerations will become a natural inseparable part of corporate life.

Next, why is it important for this to come from the top?  Well, we are tying effective risk management culture to actual changes in DECISIONS and the most important decisions are made by top management.  So if risk management culture is not there at the top, then the most important decisions will not change.  If the risk management culture had started to grow in the firm,

when middle managers see that top management does not let risk considerations get in their way, then fewer and fewer decisions will be made with real consideration risk.

Finally, why is this so difficult?  The answer to that is straight forward, though not simple.  The cost of risk management is usually a real and tangible reduction of income.  The benefit of risk management is probabilistic and intangible.  Firms are compared each quarter to their peers.

If peer firms are not doing risk management, then their earnings will appear higher in most periods.

Banks that suffered in the current financial crisis gave up 10 years of earnings!  But the banks that in fact correctly shied away from the risks that led to the worst losses were seen as poor performers in the years leading up to the crisis.

So what will change this?  Only investors will ultimately change this.  Investors who recognize that in many situations, they have been paying un-risk adjusted multiples for earnings that have a large component of risk premiums for low frequency, high severity risks.

They are paying multiples, in many cases where they should be taking discounts!

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

New Decade Resolutions

Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade

1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
   
4. Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future. 
   
5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.

6. Drivers of risks will be highlighted and monitored.  Key risk indicators is not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external. 
   
7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
   
8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management. 
   
9. Focus on  the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.   Big transactions will also get the same kind of focus on risk. 
   

Live Ammunition

Are you working with live ammunition with your risk management program?

What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?

The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?

If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.

Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.

I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.

Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a break pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?

Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.

The job of RISK is not to over ride the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.

Violator of Risk Limit

 

This may not be your corporate policy.  But you should be clear to all whether your risk limits are hard, soft or gigantic. 

A Hard risk limit is one where there just may be a rock and a snake for the violator.  Violations of limits are not expected to happen in a system with hard risk limits.  So maybe no one knows what the consequences are.  In systems with very hard limits, a system of “checkpoints” may develop that are actually soft limits that help managers to avoid coming too close to the hard limits.  These firms may have rules like “violations of limits must be reported to the board at the very next meeting”.  In addition, there may be a hard requirement to reverse or offset the actions that led to the violation within some short period of time, sometimes something like 72 hours. 

A Soft risk limit is very much the opposite.  Violation of a soft risk limit might most often result in raising the limit.  Or violations may simply be allowed to stand without any special notice or attempt to reverse.  A more diciplined soft limit system may track the number of violations and use the count of violations as an indication of potential issues. 

A Gigantic risk limit is very common.  There is no need to decide whether a Gigantic risk limit is hard or soft, because there is little chace that the firm will ever approach the limit.  Gigantic limits are often 200% or more than expected positions.  Commonly, Gigantic limits are are found in formal investment policies of firms or funds.  These are deliberately set so high that they will not get in the way of day to day operations of the investment managers, even if they want to make significant changes to the make-up of the fund.  Unfortunately, many firms have not yet realized that these policy limits are not useful risk limits.  But they do save money on snakes.

Register Now for Global ERM Webinar

2010 Webinar Now Open for Registrations

Learn how to cut to the core of ERM and identify those elements your strategic plan cannot live without. Gain confidence in your knowledge on ERM by attending this can’t-miss worldwide webcast.

The Casualty Actuarial Society (CAS), The Faculty and Institute of Actuaries (UK), Joint Risk Management Section(JRMS), the Institute of Actuaries of Japan (IAJ), the Institute of Actuaries of Australia(IAAust) and The Society of Actuaries (SOA) present the Global Best Practices in ERM for Insurers and Reinsurers Webcast.

December 1, 2009 Session times vary depending upon location. Speakers from three different regions (Asia Pacific, Europe and North and South America) will provide their own unique perspective on four topics affecting ERM around the world:

Value Creation vs. Systemic Risk Consider some of the concerns around systemic risk and the drivers of value creation that have come under close attention by virtue of their links to systemic risk. The Asia Pacific Region will include a discussion of pension schemes.

Different approaches to ERM and Capital Models Learn how different stakeholders including insurers, banks, regulators and rating agencies are approaching the development of an ERM / ECM framework.

Economic Capital Models Focus on the processes associated with designing, calibrating, validating and the updating of internal models based on bringing new information and intelligence as they arise.

Governance, Strategic Risk and Operational Risk Discuss issues such as ERM governance, tools and techniques to assess strategic and operational risks and their integration into an overall ERM framework.

NEW THIS YEAR! Earn up to 18.0 Continuing Professional Development credits by participating in all four sessions in each region! And with each session presented in at either a basic or advanced level, there is no reason to miss this important global event.

Learn more.

Register today for the Global Best Practices in ERM for Insurers and Reinsurers Webcast.

The Future of Risk Management – Conference at NYU November 2009

Some good and not so good parts to this conference.  Hosted by Courant Institute of Mathematical Sciences, it was surprisingly non-quant.  In fact several of the speakers, obviously with no idea of what the other speakers were doing said that they were going to give some relief from the quant stuff.

Sad to say, the only suggestion that anyone had to do anything “different” was to do more stress testing.  Not exactly, or even slightly, a new idea.  So if this is the future of risk management, no one should expect any significant future contributions from the field.

There was much good discussion, but almost all of it was about the past of risk management, primarily the very recent past.

Here are some comments from the presenters:

• Banks need regulator to require Stress tests so that they will be taken seriously.
• Most banks did stress tests that were far from extreme risk scenarios, extreme risk scenarios would not have been given any credibility by bank management.
• VAR calculations for illiquid securities are meaningless
• Very large positions can be illiquid because of their size, even though the underlying security is traded in a liquid market.
• Counterparty risk should be stress tested
• Securities that are too illiquid to be exchange traded should have higher capital charges
• Internal risk disclosure by traders should be a key to bonus treatment.  Losses that were disclosed and that are within tolerances should be treated one way and losses from risks that were not disclosed and/or that fall outside of tolerances should be treated much more harshly for bonus calculation purposes.
• Banks did not accurately respond to the Spring 2009 stress tests
• Banks did not accurately self assess their own risk management practices for the SSG report.  Usually gave themselves full credit for things that they had just started or were doing in a formalistic, non-committed manner.
• Most banks are unable or unwilling to state a risk appetite and ADHERE to it.
• Not all risks taken are disclosed to boards.
• For the most part, losses of banks were < Economic Capital
• Banks made no plans for what they would do to recapitalize after a large loss.  Assumed that fresh capital would be readily available if they thought of it at all.  Did not consider that in an extreme situation that results in the losses of magnitude similar to Economic Capital, that capital might not be available at all.
• Prior to Basel reliance on VAR for capital requirements, banks had a multitude of methods and often used more than one to assess risks.  With the advent of Basel specifications of methodology, most banks stopped doing anything other than the required calculation.
• Stress tests were usually at 1 or at most 2 standard deviation scenarios.
• Risk appetites need to be adjusted as markets change and need to reflect the input of various stakeholders.
• Risk management is seen as not needed in good times and gets some of the first budget cuts in tough times.
• After doing Stress tests need to establish a matrix of actions that are things that will be DONE if this stress happens, things to sell, changes in capital, changes in business activities, etc.
• Market consists of three types of risk takers, Innovators, Me Too Followers and Risk Avoiders.  Innovators find good businesses through real trial and error and make good gains from new businesses, Me Too follow innovators, getting less of gains because of slower, gradual adoption of innovations, and risk avoiders are usually into these businesses too late.  All experience losses eventually.  Innovators losses are a small fraction of gains, Me Too losses are a sizable fraction and Risk Avoiders often lose money.  Innovators have all left the banks.  Banks are just the Me Too and Avoiders.
• T-Shirt – In my models, the markets work
• Most of the reform suggestions will have the effect of eliminating alternatives, concentrating risk and risk oversight.  Would be much safer to diversify and allow multiple options.  Two exchanges are better than one, getting rid of all the largest banks will lead to lack of diversity of size.
• Problem with compensation is that (a) pays for trades that have not closed as if they had closed and (b) pay for luck without adjustment for possibility of failure (risk).
• Counter-cyclical capital rules will mean that banks will have much more capital going into the next crisis, so will be able to afford to lose much more.  Why is that good?
• Systemic risk is when market reaches equilibrium at below full production capacity.  (Isn’t that a Depression – Funny how the words change)
• Need to pay attention to who has cash when the crisis happens.  They are the potential white knights.
• Correlations are caused by cross holdings of market participants – Hunts held cattle and silver in 1908’s causing correlations in those otherwise unrelated markets.  Such correlations are totally unpredictable in advance.
• National Institute of Financa proposal for a new body to capture and analyze ALL financial market data to identify interconnectedness and future systemic risks.
• If there is better information about systemic risk, then firms will manage their own systemic risk (Wanna Bet?)
• Proposal to tax firms based on their contribution to gross systemic risk.
• Stress testing should focus on changes to correlations
• Treatment of the GSE Preferred stock holders was the actual start of the panic.  Leahman a week later was actually the second shoe to drop.
• Banks need to include variability of Vol in their VAR models.  Models that allowed Vol to vary were faster to pick up on problems of the financial markets.  (So the stampede starts a few weeks earlier.)
• Models turn on, Brains turn off.

Monty Python on governance, risk, and compliance

Guest Post from Riskczar

I read too much about what GRC needs or what ERM needs but far too often suggestions read like my favourite Monty Python skit (a lot of easier said than done steps):

Alan	Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute …but first, here’s Jackie to tell you all how to rid the world of all known diseases.
Jackie	Hello, Alan.
Alan	Hello, Jackie.
Jackie	Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again.
Alan	Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here.

So when I read very articulate comments like these from the blog Corporate Integrity, it makes me think of how you play the flute:

Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.

… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.

Again, easier said than done. I am not criticizing this approach, I actually agree 100% with what he writes, it’s just very difficult to execute.

Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which take a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same a getting buy in, getting them to do it and being successful at it.