The CRO is making a list and checking it twice

“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid too much writing things down.  And that is also true when it comes to risk management

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.

But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

• ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
• ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document many list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
• Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
• Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
• Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
• Charter for Risk Committees – Some firms have three or more risk committees.  On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
• Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

Advertisement

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

1. What is the firm’s risk profile?
2. How much time does the board spend discussing risk with management each quarter?
3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
4. What outside the box risks are of concern to management?
5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
6. Describe a recent action taken to trim a risk position?
7. How does management know that old risk management programs are still being followed?
8. What were the largest positions held by company in excess of risk the limits in the last year?
9. Where have your risk experts disagreed with your risk models in the past year?
10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  But it is quite possible that the CEO might know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It either means that their staff never takes and significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

SO a firm with a good ERM program might be telling any of those stories in answer to the question.

It’s All Relative

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how either of these three scenarios might hit you.

• One company had a loss of 50% of capital during the credit crunch of the early 1990’s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
• Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
• Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

ERM only has value to those who know that the future is uncertain.

Businesses have three key needs.

First they need to have a product or service that people will buy. They need revenues.

Second they need to have the ability to provide that product or service at a cost less than what their customers will pay. They need profits.

Once they have revenues and profits, their business is a valuable asset. So third, they need to have a system to avoid losing that asset because of unforeseen adverse experience. They need risk management.

So Risk Management is the third most important need of a firm.

And there is often a conflict between risk management and the other two goals. Risk management will sometimes say that a business activity that produces revenue is too risky and must be curtailed or modified in such a way that it produces less revenues. Risk Management often costs money or otherwise depresses profits. For example, an insurance policy covering fire of a building owned by the firm will cost money and depress profits.

So Risk Management needs to defend its value to the firm. Many risk management proponents have been asked to tell the value added of their activities. This is difficult to explain. Not because risk management does not have a value, but because the cost of risk management in terms of reduced revenues or increased costs are usually tangible and definite, while the benefits are probabilistic. Often the person asking the question is looking for a traditional spreadsheet answer that shows two columns adding up and perhaps the difference between the two is the benefit of risk management.

It does not work that way. For Risk Management to have value, one must understand that the future is uncertain. The value of risk management comes from the way that it shapes that uncertainty.

The next time you are asked about the value of risk management, ask the questioner what value they would put on the airbags and seat belts in their car. If they have no uncertainty about their ability to avoid accidents, then they will put a zero value on the safety devices – the personal risk management systems. If they resist answering, ask them if they will agree to have them removed for $20? Or for $2000? What value do they place on that risk management?

Most people will agree that the demise of a company is less serious than the demise of a person, but it is not difficult to see that there is some value to activities that increase the chance that a company will not expire in the next business cycle or windstorm.

So risk management decreases the uncertainty about the survival of the firm. There is a way to quantitatively value that reduction in uncertainty and compare it to the reduced revenues or increased costs of the risk management activities.

The Need for Speed

One of the causes for the financial crisis is the very high speed trading operations. There are several reasons that is true.

First, the high speed transaction oriented operations needs to eliminate any reflection or analysis on the part of the trading firms. There is simply no time for this. If the transactions need any analysis to support them, then that analysis must be outsourced. This is the driver behind the idea that credit risk, which for most of financial history has been seen to be a risk that required careful analysis and reflection, became a traded commodity. Banks started to merge market and credit risk and do away with their credit research staffs. This is one of the most common issues cited in explaining the crisis. Banks failure to do their own credit analysis on the sub prime loans. The lack of scrutiny led directly to the liar loans – since no one was looking at the loan applications there was no need to take any effort to make them correct.

Second, models of these risks need to be closed form models that can run instantly. More robust and complex monte carlo models that might capture the nuances of the risks were just not practical given the time frame. Monte Carlo models take too long to develop and too long to run. With a few simplifying assumptions, the need for Monte Carlo models can be eliminated and a closed form model that runs in seconds developed. The simplifying assumptions also allow the daily updating of these models. This process makes sense if and only if you believe that market prices generally reflect all information, so a closed form model that mostly just replicates and extends market prices is all that you need anyway. This approach to modeling risk makes it almost completely impossible to detect changes in the underlying risks. All users of this approach will always go over the cliff together – and they did.

Third, the speed of transactions means that there is turnover of the risks held during the year. This turnover may be 5 or 10 or 20 or 50 times. This business can easily be seen to be very, very low profit margin since capital is generally only held on the amount of risk at any one time. However, when the crisis hit, the banks were unable to continue to roll their inventory of risks and they piled up in amounts 5 or 10 times their past average holding.

Maybe MTM isn’t exactly what is needed?

Everyone (except corporate boards and managers) seem to agree that short term incentive compensation is one of the key drivers for the excessive risk taking that led to the financial crisis. In an earlier post, it is suggested that one of the reasons is that accounting is less reliable in the short term.

Perhaps the problem is Mark-to-Market accounting. While it is an extremely important discipline to know the market value of positions, MTM has a misleading presumption. In effect, MTM treats a position that has been closed by sale on the day that the financials are set exactly the same as an open position.

Short term compensation based upon such accounting allows traders and managers to take credit for open positions AS IF THEY HAD CLOSED THEM. And I mean truly closed them by Risk Transfer, not simply Risk Offset. This means that the firm settles with the trader for something that the trader has not yet done and that there is no sure indication that the trader could actually accomplish.

That is because the MTM value may or may not be the amount of cash that the trader could get for their position, especially if you include the requirement that the risk is actually really and totally off the books, not simply offset. To know the actual cash equivalent and the difference between that cash equivalent and the MTM value, a firm would need to study each market to understand the trend and liquidity.

This issue is particularly important when valuing the custom non-exchange traded derivatives. Practice is to value those contracts by a replication process, using market traded instruments. There is no attempt to assign any illiquidity premium. This accounting practice is one of the fundamental supports to the practice of trading off market. During the height of the sub prime crisis, it was found that there was no market at all for some of these securities and the MTM process produced completely sham values. Sham because the real clearing value for the securities was much lower than the values that the holders wanted to report.

The difference between the next trade and especially a trade of the size of the position valued and the last trade regardless of the size of the trade is the issue here. And the problem is with treating completely closed positions exactly the same as open positions, by valuing them both as realistic cash equivalents.

Finally, there is the issue of continuing risk. A totally closed (transferred or expired) position has no capital requirement. An open position SHOULD have a capital requirement. Even an OFFSET position should have a capital requirement based upon the basis risk, the counterparty risk.

This discussion reveals an additional risk – the clearing risk.

So the value of the open position needs to reflect one level of clearing risk and the capital needs to reflect a much larger amount of clearing risk.

Bad Label leads to Bad Thinking

How many times have you heard the term “Risk Transfer” to refer to a risk mitigation action such as hedging or (re)insurance? It is used in text books and articles about risk management. But, be careful, that labeling is bad and it could just lead to bad decisions.

That is because risks are rarely actually “transferred” to another party. If they were actually transferred, then the consequences would be theirs and theirs alone. However, in most hedging and (re)insurance situations, the risk is usually just “offset”. There are two common terms that are used to refer to the real differences between risk transfer and risk offset.

Those terms are counterparty risk and basis risk. If the risk had been transferred, then there would be no counterparty risk, the risk would BELONG to the other party. In fact, the risk does not belong to them, it still belongs to you. You have paired the risk with an offsetting obligation from the counterparty and you are as safe from loss due to the risk as the counterparty is secure. If the counterparty fails to pay their obligation to you, then you still have the risk and experience the entire loss.

And also, because you have not really transferred the risk, there is a possibility that their payment to you will not be a perfect match to the loss in timing or amount or both. The risk offset might be triggered by a different event than your obligation. For example, the trigger for CDS to actually pay-off are not exactly tied to missed bondholder obligations so the spreads on CDS for a distressed bond may move slightly differently than the actual bond spreads, even though they moved very similarly when the bond was not distressed. A hedging strategy based upon market sensitivities (greeks) is only as good of a fit with the hedged risk as the models used to calculate the greeks.

But this bad terminology is not harmless. If you execute a risk offset and tell others that it is a risk transfer, then they might be quite happy to treat the gains as fully realized. They will not inquire about the offsetting positions, because the bad terminology implies that there are none. When in fact, in any case of risk offset, it should be import to monitor and communicate the risk offsets, highlighting the counterparty risk and tracking the potential emergence of basis risk.

Learnings from the Financial Crisis (3)

Gone is not always gone – another of the underpinnings of the market risk business is the constant of trading of risks. However, in the case of sub prime, some of the counterparties in these trades were very intimately related to the banks that sold the risky securities. Sometimes, they were investment funds that were sold by to bank customers; sometimes the banks lent the money to the same party that bought the security. Sometimes, the bank kept the security and bought protection from a counterparty. In each of these types of situations, banks found that they ended up needing to take back some of all of the risks that they thought that they had laid off. Insurers can learn that they need to keep relationships clear. The banking model has long suffered from the idea that they were a relationship business and they would try to do as much business as possible with the customers who they have the best relationships with. Insurers need to be constantly aware of this trap that creates more and sometimes cloudy concentration risk. Both net and gross risks need to be tracked and attended to.

One simple reason for this part of the problem is the terminology that risk managers use. Usually hedging transactions are called Risk Transfers. But in fact, they are almost never a real transfer of risk. Usually they would more appropriately be called Risk Offsets. This sloppy terminology supports sloppy thinking. And the high speed of a trading business left no time for reflection, so the misrepresentation was left totally unchallenged.

Now good risk managers knew the truth and so were concerned with counterparty risk and basis risk as well as contract risk. But in the end, the largest risk turned out to be reputation risk. Banks were usually unable to take the hit to their reputation that walking away from their closely or even semi related counterparties. Especially when those counterparties were funded with customer money.

Lessons from the Financial Crisis (2)

It must be ok if everyone else is doing it – Banks were unwilling to miss out and not take part of this lucrative idea. In the past insurers have been caught up in this approach to business as well. The presence of a well respected firm in a market does not make that market good for everyone.

THis factor was so strong that one bank CEO suggested that if he did not allow his bank to continue in the lucrative sub prime business, that he would start to lose key employees and eventually would lose his job to someone who would participate in that business.

That must be one of the last stages of a bubble, when markets become so profitable that many feel that they have to participate.

In this case, the very low interest rates and spreads for almost any other type of risk helped to feed the situation. The sub prime market was one of the only place where there was any spread to be had.

And a major flaw with the “everyone is doing it” motivation is that some things only work if a small fraction of the market is doing it and fall apart when everyone jumps on.

Just like the ferry. A few people can stand on the edge looking at the shore, but if everyone on the ferry stands along that same edge and looks, the boat may dip and might even capsize.