Guide to ERM: Risk Limits and Controls

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.

Photo by Ann H on Pexels.com

The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

1. Identify Risks – Choose which risks are the key controllable risks of the company
2. Assess – Examine what are the elements of the risks that need (or can be) controlled
3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
4. Take Risks – Conduct the primary function of an insurance company
5. Mitigate – Take actions to keep the risks within limits
6. Monitor – Determine how risk positions compare to limits and report
7. Respond – Decide what actions to take if risk levels are significantly different from plan

Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

• Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
• Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
• Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
• Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
• Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
• Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
• Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
• Assess risks: And the cycle starts again

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Advertisement

You have to show up

Woody Allen’s adage that 80% of success is showing up is particularly difficult for some managers to take to heart regarding risk management.

When risk management is successful, there is no bell that rings.  There are no fireworks.  Usually, a successful risk management moment is evidenced by a lack of big surprises.

But most days, big surprises do not happen anyway.

So if risk managers want to be appreciated for their work, they have to do much more than just show up.  They need to build up the story around what a very good day looks like.

• One such story would be that a very good day might happen when the world experiences a major catastrophe.  A catastrophe that is in the wheel house of the firm.  And because of a good risk management process, the firm finds that its losses are manageable within its capacity to handle losses.
• In 2011, there were major earthquakes in New Zealand, Japan and Chile.  One reinsurer reported that they had exposures in all three zones but that they were still able to show a (very small) profit for the year.  They credited that result to a risk management process that had them limiting their exposure to any one zone.  A risk manager could work up a story of events like that happening (multi event stress scenarios) and preview the benefits of ERM.

With such stories in mind, when that big day comes when “Nothing Happens”, the risk managers can be ready to take credit!

But to do that, they need to be sure to show up.

 

Works if Small, Fails if Large

by David Merkel, The Aleph Blog

The Wall Street Journal had an article on risk control that had the attitude of “here are some silver bullets.” Ugh. When will journalists learn that there are no simple solutions to portfolio management?

“Risk-allocation turns 50 years of portfolio theory on its head.”

Ain’t true. Modern Portfolio Theory is garbage, but so is this. So volatility is more stable than returns. Volatility can be up or down, and you want to buy volatile asset classes that have gotten trashed. You won’t do it because you are scared, but that is part of why you aren’t a good investor. Good investors make the “pain trades.”

Here’s the question to ask: What would happen if everybody did this? Unlike share-weighted indexing, not all strategies can be applied by everyone at the same time. I have written about risk parity before:

Against Risk Parity
Against Risk Parity, Redux

So long as there are few using the strategy, it may work well, but it will not scale because volatility does not match the proportion of assets available to be purchased. The same is true of “risk control” and “risk budgeting” strategies. They will be “flashes in the pan;” there is no necessary reason why they will work. There is no such thing as risk, but there are risks.

Avoid faddish ideas as described in the WSJ article. Far better to focus on what risks you face in the investment markets, and choose assets that will not be affected by those risks,or, might even benefit from them.

Using volatility as a guide to investing will fail if it gets large enough, and during bull markets, it will be forgotten. Non-scalable strategies work if there is a barrier to entry, and there is no barrier here. Thus I see no long term value in the strategies proposed.

Where Do You Hide?

US Hurricane Risk

The lines on the graph represent the paths of the 50 most deadly US hurricanes on record.  The numbers on the lines are the number of deaths.

One important thing to notice is that there is nowhere on the eastern or southern coasts of the US coast that has not experienced deadly hurricanes.

That suggests two strategies for dealing with hurricane risk for an individual.

1. Avoiding it by moving well inside the lines.
2. Building up a residential system that is resilient to the forces of hurricanes.

The first strategy is suspect until you study the risks of those areas.  The area just outside the lines includes the New Madrid fault and an area that has experienced major inland windstorms, hailstorms and floods in the recent past.   So there is no guarantee of safety by risk avoidance.

That leaves resilience as the best bet.  Resilience will involve learning about safety measures, setting a risk tolerance and finding out how strong of a storm fits within the risk tolerance.

In Japan, they set their risk tolerance to be that they would not accept a risk of a storm that is within the range of all past experience.  They thought of that as a zero risk tolerance.  They learned on 311 that their actual risk tolerance (storms within the historical observations) and their notional risk tolerance (zero) were not the same thing.

For an insurer or a business, there are very different options.  Diversification and insurance/reinsurance may be chosen instead of resiliency.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  But it is quite possible that the CEO might know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It either means that their staff never takes and significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

SO a firm with a good ERM program might be telling any of those stories in answer to the question.

ERM Questions for US Insurers

By Max Rudolph

A.M. Best added a Supplemental Rating Questionnaire (SRQ) for insurers at the end of 2010. While it will provide interesting information that will aid the analyst develop questions for a face-to-face meeting, the mainly checklist format will limit its value. A better option would be for a company to utilize this SRQ to develop an internal risk management report that could be presented to the board and external stakeholders much as insurers generate an investment management report. The A.M. Best checklist could be a by-product of this process. A.M. Best’s statement that “each company’s need for ERM is different” is absolutely correct. Organizations with complex and varied product mixes should spend their time understanding both the silo risks and the interactions between those silos. Going into 2006 insurers (and rating agencies) did not have leading indicators in place to monitor housing prices, yet that proved to be the driver leading to the financial crisis. There is little in this questionnaire that is forward looking toward new and emerging risks.

Concentration

The questionnaire does not do enough to focus on concentration of exposures. No credit is awarded for a diversified group of independent risks. There is also no mention of counterparty risk with reinsurers. The financial crisis left reinsurers ever more entangled, and if one ever experiences financial difficulties a contagion effect could drag quite a few down with them. If that happens there is no reason to think that insurers would not batten down the hatches as banks did with their loan portfolios. Insurers should have a contingency plan for this possibility, along with performing other stress tests and board discussions.

Key Risk Indicators

The questionnaire refers to reporting risk metrics. This should be more specific. Financial statements do a pretty good job of reporting lagging indicators such as revenue and net income. What would be more useful when managing risk are leading indicators. What metric can I look at today to anticipate future revenue? Keeping track of metrics such as agent retention, applications received, or unemployment will allow the line manager to better understand the business line and the risk manager to better identify potential risks. Today, many insurers are developing this process but it is still evolving.

Risk Culture

In the risk culture section of the questionnaire, terms such as risk/return measures and reporting risk jump out at me. Not all risks can be measured, and many can’t be measured accurately. That does not mean they can’t, and certainly does not mean they should not, be managed. Examples would include the likelihood and severity of civil unrest around the world. It is not important to judge precisely how likely these events might be, but it is important to think about how you might react if such an event does occur. Options are generally limited after an event occurs, and time is often the critical factor. Reporting risk means many things to many people. It would be preferred to have a dialogue about risks, using a written report as a starting point.

Identifying Risks

In the Risk Identification/Measurement/Monitoring section of the questionnaire, A.M. Best asks “Who is the most responsible for identifying material risks to the company’s financial position?” This seems to be a no-win question, as no matter who is listed shortcomings will be associated with it. If you list the CEO, then the CRO is short-changed. If you list the CRO, the line managers wonder what their role is. Perhaps a better question would be to ask who is responsible for consolidating risks and looking at them holistically, scanning for emerging risks as well. It will be interesting to see what A.M. Best does with the table considering the largest potential threats to financial strength. There is no consistent approach to estimated potential impact. Two companies with the exact same exposure to a risk might report vastly different dollar figures. The higher number might be generated by the organization that better understands the risk.

Economic Capital

The most interesting question to me would be to ask how independent of results are the modelers? Who do they report to? How is their bonus determined? My perception is that there is subtle pressure put on modelers to hit certain results and that they should understand their models well enough to know which levers to pull that won’t raise a warning flag. At this point there is no audit requirement for an economic capital model.

Forward Looking

Missing in this questionnaire, as well as the NAIC’s Risk Focused Examinations, is a view of the future. In my opinion, if there is not an immediate solvency issue then the most interesting question is what could impair this organization in the future. For many insurance firms this will be related to selling profitable products and being flexible. It is hard to find distribution without giving away either options or returns. Consolidation in the insurance industry is likely. How many companies have considered their competitive position is their competitors merge? For distressed firms it is rarely a previously managed risk that takes them down. What environmental scanning is being done? What Risks are you Worried about Today? Risks that could be included in this type of analysis would be considered stress tests by many, but how many organizations would share more than they think their competitors are sharing? Here are some risks to ponder, along with their unintended consequences, in no order.

• Low interest rate environment is replaced by an inflationary shock
• A new competitor enters the insurance market with a known and trusted brand and new distribution channel (WalMart comes to mind)
• A reinsurer becomes insolvent due to investment losses, stressing other reinsurers.
• The insurance industry experiences higher trending mortality, with a flurry of 30-50 deaths due to obesity
• Climate change results in changing weather patterns, with more volatile weather and crop patterns
• A consolidator enters the industry, generating economies of scale that reduce potential returns by 2%.
• Infrastructure around the world ends its useful lifetime and is not replaced.
• Water wells are drilled in developed countries by farmers and local communities to access an aquifer.

Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck! Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!

The Year in Risk – 2010

It is very difficult to strike the right note looking backwards and talking about risk and risk management.  The natural tendency is to talk about the right and wrong “picks”.  The risks that you decided not to hedge or reinsure that did not develop losses and the ones that you did offload that did show losses.

But if we did that, we would be falling into exactly the same trap that makes it almost impossible to keep support for risk management over time.  Risk Management will fail if it becomes all about making the right risk “picks”.

There are other important and useful topics that we can address.  One of those is the changing risk environment over the year. In addition, we can try to assess the prevailing views of the risk environment throughout the year.

VIX is an interesting indicator of the prevailing market view of risk throughout the year.  VIX is in indicator of the price of insurance against market volatility.  The price goes up when the market believes that future volatility will be higher or alternately when the market is simply highly uncertain about the future.

Uncertain is the word used most throughout the year to represent the economic situation.  But one insight that you can glean from looking at VIX over a longer time period is that volatility in 2010 was not historically high.

If you look at the world in terms of long term averages, a single regime view of the world, then you see 2010 as an above average year for volatility.  But if instead of a single regime world, you think of a multi regime world, then 2010 is not unusual for the higher volatility regimes.

So for stocks, the VIX indicates that 2010 was a year when market opinions were for a higher volatility risk environment.  Which is about the same as the opinion in half of the past 20 years.

That is what everyone believed.

Here is what happened:

	Return
December	6.0%
November	-0.4%
October	3.5%
September	8.7%
August	-5.3%
July	6.8%
Jun	-5.2%
May	-8.3%
April	1.3%
March	5.8%
February	2.8%
January	-3.8%
Average	1.0%
Std Dev	5.6%

That looks pretty volatile.  And comparing to the past several years, we see below that 2010 was just a little less actually volatile than 2008 and 2009.  So we are still in a regime of high volatility.

So we can conclude that 2010 was a year of both high expected and high actual volatility.

If an exercize like this is repeated each year for each important risk, eventually insights of the possibilities for both expectations and actual risk levels can be formed and strategies and tactics developed for different combinations.

The other thing that we should do when we look back at a year is to note how the year looked in the artificial universe of our risk model.

For example, when many folks looked back at 2008 stock market results in early 2009, many risk manager had to admit that their models told them that 2008 was a 1 in 250 to 1 in 500 year.  That did not quite seem right, especially since losses of that size had occurred two or three times in the past 125 years.

What many risk managers decided to do was to change the (usually unstated) assumption that things had permanently changed and that the long term experience with those large losses was not relevant. Once they did that, the risk models were recalibrated and 2008 became something like a 1 in 75 to 1 in 100 year event.

For the stock market, the 15.1% total return was not unusual and causes no concern for recalibration.

But there are many other risks, particularly when you look at general insurance risks, that had higher than expected claims.  Some were frequency driven and some were severity driven.  Here is a partial list:

• Queensland flood
• December snowstorms (Europe & US)
• Earthquakes (Haiti, Chile, China, New Zealand)
• Iceland Volcano

Munich Re estimates that 2010 will go down as the sixth worst year for amount of general insurance claims paid for disasters.

Each insurer and reinsurer can look at their losses and see, in the aggregate and for each peril separately, what their models would assign as likelihood for 2010.

The final topic for the year in risk is Systemic Risk.  2010 will go down as the year that we started to worry about Systemic Risk.  Regulators, both in the US and globally are working on their methods for inoculating the financial markets against systemic risk.  Firms around the globe are honing their arguments for why they do not pose a systemic threat so that they can avoid the extra regulation that will doubtless befall the firms that do.

Riskviews fervently hopes that those who do work on this are very open minded.  As Mark Twain once said,

“History does not repeat itself, but it does rhyme.”

And for Systemic Risk, my hope is that the resources and necessary drag from additional regulation are applied, not to prevent an exact repeat of the recent events, while recognizing the possibility of rhyming as well as what I would think would be the most likely systemic issue – that financial innovation will bring us an entirely new way to bollocks up the system next time.

Happy New Year!

A Wealth of Risk Management Research

The US actuarial profession has produced and/or sponsored quite a number of risk management research projects.  Here are links to the reports:  A Study of International Solvency Regimes

Determinants of Insurers’ Reputational Risk

2010 Emerging Risks Survey

Reflecting Risk in Pricing Survey Report

Potential Impact of Pandemic Influenza on the U.S. Health Insurance Industry

2009 Emerging Risks Survey

Exploration of Reputational Risk from the Perspective of a Variety of Stakeholders

Policyholder Behavior in the Tail Risk Management Section Working Group UL with Secondary Guarantee 2009 Survey Results

Enterprise Risk Management (ERM) Practice as Applied to Health Insurers, Self-Insured Plans, and Health Finance Professionals

A New Approach for Managing Operational Risk: Addressing the Issues Underlying the 2008 Global Financial Crisis

Policyholder Behavior in the Tail Joint Risk Management Section Working Group Variable Annuity Guaranteed Benefits 2009 Survey Results

The Financial Crisis and Lessons for Insurers

Corporate Reputational Risk and ERM: An Analysis from the Perspective of Various Stakeholders

Emerging Risks Survey

Policyholder Behavior in the Tail Risk Management Section Working Group UL with Secondary Guarantee 2008 Survey Results

Copula Phase Transitions Report

Economic Capital: Correlation Matrices and Other Techniques–A Survey and Discussion

Policyholder Behavior in the Tail Risk Management Section Working Group Variable Annuity Guaranteed Benefits 2007 & 2008 Survey Results

Risk Based Capital Covariance Project

Application of Structural Equation Modeling to the Linkage of Risk Management, Capital Management and Financial Management for the Insurance Industry

Risk Management Terminology

Linkage of Risk Management, Capital Management and Financial Management

Policyholder Behavior in the Tail Project–Annuity Lapse Modeling

Enterprise Risk Management for Property–Casualty Insurance Companies

Policyholder Behavior in the Tail Risk Management Section Working Group Variable Annuity Guaranteed Benefits Survey Results

It’s All Relative

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how either of these three scenarios might hit you.

• One company had a loss of 50% of capital during the credit crunch of the early 1990’s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
• Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
• Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

The Insurance Cycle

Nobody doubts that the insurance cycle is created by people.  So it makes sense to study people to understand the insurance cycle.

The Human Dynamics of the Cycle and Implications for Insurers

is a new paper by Alice Underwood and Dave Ingram that explores the link between the ideas of Plural Rationalities from anthropology and the people whose actions lead to the insurance cycle.

There is an interaction between the market and the people who make the decisions within insurers that is shown to create the insurance cycle.

Better insurer performance during the various stages of the insurance cycle can be obtained by better understanding these dynamics, studying the market with this understanding in mind and making choices that take advantage of that understanding.

This paper will be presented at the 2010 ERM Symposium in Chicago April 12 – 14.