Archive for the ‘Governance’ category

Hierarchy Principle of Risk Management

September 8, 2014

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM. It is one of the two or three most important principles of ERM. Why then, you might ask, haven’t we ever heard about it before, even from RISKVIEWS?

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

  • Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
  • Jerome Kerviel at Soc Gen was doing the same.
  • The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

  1. it works to systematically determine the significance of all risk decisions, 
  2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
  3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
  4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM has been fighting to get any traction, to have a voice. The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers. A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Align Risk Management with Strategic Goals

June 7, 2012

The Project Management Institute says that projects are 20% more successful if they seek to support company strategic goals rather than project specific goals as their primary focus.

That sounds like something that may be an extremely important idea to bring into risk management.

Risk Management should focus primarily upon company strategic goals rather than specific risk goals.

How does that sound to you?  Riskviews imagines that at least some readers are immediately reacting that this idea will not work because the company does not have a strategic goal that would support their function.

And that sounds like a major insight about organizational engagement in and support for risk management.  If risk management does not directly support one or more of the strategic goals of the firm, that speaks volumes about what will happen when there is a conflict between something that IS aligned with the strategic goals and risk management.

The story of MF Global is an extreme example of this conflict. The management (read CEO) actions of MF Global were totally outside of the agreed upon risk appetite. The CRO brought that to the board's attention and the board decided that those actions supported the goals of the organization, while adherence to the risk appetite was of lesser importance. The CRO left and the actions eventually led to the destruction of the firm.

Here is an example of the Mission and Vision Statements of an insurer

Mission Statement

Providing financial security by keeping our promises.

Vision Statement

To build a thriving financial services organization that stands the test of time.

Risk management definitely has plenty of room in that firm to align with the mission and vision of the firm.  “keeping our promises” and “standing the test of time” are both clearly statements about how the organization intends to handle risk.  The mission and vision of that firm cannot be met without risk management.

Here are the mission and vision statements of JP Morgan Chase:

“At JPMorgan Chase, we want to be the best financial services company in the world. Because of our great heritage and excellent platform, we believe this is within our reach.”
“To provide unparalleled service to our clients by empowering them with strong analytical insights that enable them to more effectively manage their human assets.”

It is not clear to Riskviews whether or not risk management activities are called for at all with that mission and vision statement.

So if you are wondering what might happen when there is a conflict between risk management and a business activity, look to your firm’s mission, vision and strategic objectives. If you do not see risk management there, you have your answer well in advance of any future conflict.

10 ERM Questions from an Investor – The Answer Key (2)

July 6, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

2.  One of the large banks that is no longer with us had, on paper, a complete ERM system with a board risk committee that they reviewed their risk reports with every quarter.  But in 2007, when the financial markets were starting to crack up, their board risk committee had not met for more than six months.  The answer to this question is the difference between a pretend ERM system and a real risk system.  The time spent should be proportionate to the complexity of the risk positions of the firm.  For the banks with risk positions that are so complex that they feel that they cannot possibly find enough paper to disclose them, there needs to be much more board time spent, since investors are relying on board oversight rather than market discipline to police the risk taking.  Ask Bernie what you can get away with if there is no disclosure and no oversight.

Many CEOs will tell you that the board has always spent plenty of time talking about risk. This might be true. But the standard now is for boards to have a formal risk committee. Boards that have simply added risk to the Audit Committee’s agenda end up shortchanging either audit or risk or both. The Audit Committee had a full plate before the Risk responsibility was added.

And for a larger complex firm, a single annual briefing on risk is definitely not sufficient. For a firm with an ERM program, the board needs to review the risk profile, both actual and planned for each year, approve the risk appetite, approve the ERM Framework and policies of the firm, review the risk limits and be informed of each breach of the limits or policies of the firm. If the firm has an economic capital model, the model results need to be presented to the board risk committee each year and updated quarterly. Risks associated with anything new that the company is doing would be presented as well.

Does that sound like anything other than a full committee? So your follow-up question, if the CEO gives a vague answer, is to ask whether the board reviewed each of the items listed in the preceding paragraph in the past year.

Back to that former bank.  Their risk reports showed a massive build up in risk in violation of board approved limits.

And the board risk committee saved time by not meeting during the period of that run up in risk.

10 ERM Questions from an Investor – The Answer Key (1)

July 4, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

1.  The first step in real risk management is to be able to think of the firm from a risk point of view.  Any CEO can do that from a sales point of view and from a profits point of view.  They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line.  Those statistics are a part of the sales profile and the profits profile.  A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile.  Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet.  So this question is first and most important.  The CEOs who are most likely to be unable to answer this question are the leaders of larger, more complex companies.  The investor needs to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business.  Risk really is a key issue.  A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to.  That may work out fine for the company and the investors.  If they are lucky.

Systemic Risk, Financial Reform, and Moving Forward from the Financial Crisis

April 22, 2011

A second series of essays from the actuarial profession about the financial crisis.  Download them  HERE.

A Tale of Two Density Functions
By Dick Joss

The Systemic Risk of Risk Capital (Or the "No Matter What" Premise)
By C. Frytos & I. Chatzivasiloglou

Actuaries and Assumptions
By Jonathan Jacobs

Managing Financial Crises, Today and Beyond
By Vivek Gupta

What Did We Learn from the Financial Crisis?
By Shibashish Mukherjee

Financial Reform: A Legitimate Function of Government
By John Wiesner

The Economy and Self-Organized Criticality
By Matt Wilson

Systemic Risk Arising from a Financial System that Required Growth in a World with Limited Oil Supply
By Gail Tverberg

Managing Systemic Risk in Retirement Systems
By Minaz Lalani

Worry About Your Own Systemic Risk Exposures
By Dave Ingram

Systemic Risk as Negative Externality
By Rick Gorvette

Who Dares Oppose a Boom?
By David Merkel

Risk Management and the Board of Directors–Suggestions for Reform
By Richard Leblanc

Victory at All Costs
By Tim Cardinal and Jin Li

The Financial Crisis: Why Won't We Use the F(raud) Word?
By Louise Francis

Perfect Sunrise–A Warning Before the Perfect Storm
By Max Rudolph

Strengthening Systemic Risk Regulation
By Alfred Weller

It's Securitization Stupid
By Paul Conlin

I Want You to Feel Your Pain
By Krzysztof Ostaszewski

Federal Reform Bill and the Insurance Industry
By David Sherwood

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But what they really are struggling with is either a lack of clear objectives or unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to hold the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals, but which one they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Integrating ERM and Value Based Management

February 15, 2011

from Jean-Pierre Berliet

The global financial crisis has reduced the market capitalization and price to book ratios of property/casualty insurance companies dramatically. According to a study published by Bank of America Merrill Lynch in August 2009, the S&P P/C index was trading at a 1.0 price/book ratio at that time, sharply down from a 1.4 average over the last three years and a 1.6 over the last 20 years. The updated historical valuations report published in August 2010 indicates that the S&P P/C index was trading at a 1.1 price/book ratio at that time. Excluding Progressive, companies in the Merrill Lynch index were trading then at an average price/book ratio of .89. This data suggests that the industry lost credibility with investors in 2008-2009 and has failed so far to persuade them that it is positioned to resume growing profitably in an uncertain rate environment.

Ironically, the crisis started just a few years after rating agencies began to include an assessment of the effectiveness of enterprise risk management (ERM) in their rating decisions and after they had given most insurers passing grades or above. It is clear now that ERM did not prevent a number of insurance companies from overextending themselves. Investors have concluded that risk management failed broadly and is disconnected from business strategy. They are justified in wondering whether risk management frameworks and processes of insurance companies will be more effective in the present lower volume and lower rate environment. Under such expected market conditions, investors are concerned that companies might lack discipline and write business at inadequate rates in order to achieve their premium volume objectives.

More generally, investors are concerned that strategic planning frameworks of many insurance companies are “expected value” focused, and are thus myopic about risk. In addition, investors are also aware that design weaknesses of ERM frameworks cause many executives i) to distrust “ex-post” decision signals provided by risk adjusted management performance metrics and ii) often to ignore resulting decision signals to redeploy capital or optimize asset allocation and reinsurance strategies. The existence of significant weaknesses in strategic planning and ERM frameworks and management processes explains why establishing tight and credible linkages between ERM and business strategy decisions is problematic and why ex-post measurement of risk adjusted performance is not viewed by investors as helpful. Just like the cleaning up of risks that manifested themselves, such as catastrophes and investment losses, ex-post risk management accomplishes only little, too late, and at great cost.

To respond to concerns of investors, insurance companies need to make their strategic planning and ERM frameworks capable of addressing credibly, and in a mutually consistent manner, the risk management issues raised and business strategy decisions impacted by the asymmetrical distribution of the financial results of insurance businesses. Investors believe, in particular, that risk management would create more value if i) risk insights guided the management and deployment of a company’s risk capacity “ex-ante”, that is before insurance policies were bound or investment decisions were made, and ii) strategy decisions about risk assumption and accumulations always took into consideration the adequacy of insurance rates and changes in market volume.

These considerations call for the integration of value and risk governance frameworks and management processes in insurance companies. In the absence of such integration, there will be an enduring disconnect between strategy and risk management, and neither value based management (VBM) nor ERM will be credible or effective.

To be effective, the integration framework must recognize that, in insurance businesses, the cost of risk is known only after contracts have expired and related liabilities have run off. This unique peculiarity of loss costs, the raw material of insurance businesses, makes ex-post risk management a contradiction in terms. It places risk issues at the core of strategy development and execution. To achieve the needed integration of ERM and VBM, insurance companies must be careful to develop and establish distinct but tightly aligned:

  • Governance frameworks for VBM and ERM, that specify the respective roles and responsibilities of the Board of Directors, external advisers, and Senior Management with regard to the development and approval of a company’s business mission and strategic plan, including i) the evaluation of risk return trade-offs, ii) the setting of financial objectives, iii) the oversight of strategy execution, and iv) accountability for results
  • Managerial frameworks and processes capable of ensuring alignment of business strategy and risk management decisions across risk types, operational activities and products or markets.

Risk management must not be an afterthought in insurance businesses. An insurance company needs to establish “ex-ante” risk management as an essential foundation for the effective integration of its VBM and ERM frameworks. Ex-ante risk management is based on the observation that, together, risk assumption and accumulation functions in insurance companies are analogous to production in industrial companies. A properly designed risk management framework that supports “ex-ante” management of risk exposure accumulations should help an insurance company:

  • Achieve loss costs and earnings volatility advantages
  • Reduce both the amount and the cost of the capital they require
  • Support effective development and execution of its business strategy

Such possibilities make “ex-ante” risk management concepts and tools and risk capacity management as important to business strategies of insurance companies as scale, equipment and machinery specialization, flexible automation and outsourcing, i.e. production strategy elements, are to business strategies of industrial companies. Notably, ex-ante risk management requires insurance companies to develop and use insights about risks that can provide a competitive advantage. Unlike cost reduction, product or service enhancements or pricing initiatives, risk insights and the underlying ability to compete on analytics, cannot be easily or rapidly duplicated by competitors. They can thus enable insurance companies to achieve more enduring margin improvements and escape for a while the strategic stalemate conditions under which they operate in many businesses.

To restore their credibility, insurance companies need to persuade investors that “ex-ante” risk management will support effective strategy implementation and drive risk capacity deployment, thereby improving financial performance. To accomplish the required alignment of risk capacity management, risk taking and business strategy management, companies need to establish the following three distinct but tightly integrated frameworks for:

  • Measuring and assessing risk capacity utilization
  • Addressing financial risk concerns of external stakeholders
  • Deploying and leveraging risk capacity.

Integration of these frameworks would be effected through development of risk limits by line of business and business segment. Such risk limits would provide an insurance company a means to i) drive and control the deployment of its risk capacity toward uses that are projected to meet the return expectations and risk tolerances of its external stakeholders, ii) develop performance metrics needed to assess risk and return trade-offs of alternative strategies and align risk capacity management and business strategies and iii) improve risk capacity utilization and enhance financial performance.

To establish and use these frameworks, insurance companies need to integrate risk insights that emerge at the intersection of actuarial analysis, underwriting expertise, strategy analysis and financial simulation.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

