Did the Three Pigs have different Risk Tolerances?

Or did they just have a different view of the degree of risk in their environment?

By Alex Proimos from Sydney, Australia – Three Little Pigs

Think about it?  Is there any evidence that the first pig, whose house was made off straw, was fine with the idea of losing his house?  Not really.  More likely, he thought that the world was totally benign.  He thought that there was no way that his straw house wouldn’t be there tomorrow and the next day.  He was not tolerant of the risk of losing his house.  He just didn’t think it would happen.  But he was wrong.  It could and did happen.

The second pig used sticks instead of straw.  Did that mean that the second pig had less tolerance for risk than the first pig?  Probably not.  The second pig probably thought that a house of sticks was sturdy enough to withstand whatever the world would send against it.  This pig thought that the world was more dangerous than the first pig.  He needed sticks, rather than straw to make the house sturdy enough to last.  He also was wrong.  Sticks were not enough either.

That third pig has a house of bricks.  That probably cost much more than sticks or straw and took longer to build as well.  The third pig thought that the world was pretty dangerous for houses.  And he was right.  Bricks were sturdy enough to survive.  At least on the day that the wolf came by.

The problem here was not risk tolerance, but inappropriate parameters for the risk models of the first two pigs.  When they parameterized their models, the first pig probably put down zero for the number of wolves in the area.  After all, the first pig had never ever seen a wolf.  The second pig, may have put down 1 wolf, but when he went to enter the parameter for how hard could the wolf blow, he put down “not very hard”.  He had not seen a wolf either.  But he had heard of wolves.  He didn’t know about the wind speed of a full on wolf huff and puff.  His model told him that sticks could withstand whatever a wolf could do to his house.  When the third pig built his risk model, he answered that there were “many” wolves around.  And when he filled in the parameter for how hard the wolf could blow, he put “very”.  When he was a wee tiny pig, he had seen a wolf blow down a house built of sticks that had a straw roof.  He was afraid of wolves for a reason.

 

 

Advertisement

Too Much Logic

Someone recently told RISKVIEWS that before a company could start a project to revitalize their risk governance structures they MUST update their Risk Appetite and Tolerance.  Because everything in an ERM program flows from Risk Appetite and Tolerance.  That suggestion is likely to be too much logic to succeed.

What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:

1. The update project will never be completed.
2. The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.

An organization will make a change when the pain of continuing on the existing course exceeds the pain of change.  (paraphrased from Edgar Shein)

So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.

So you can think of the ERM program as the combination of several subsystems:

• Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
• Measurement – the models and other methods used to measure risk
• Selection, Mitigation and Control – the processes that make up the every day activities of ERM
• Capital Management – the processes that control aggregate risk including the ORSA.
• Risk Reward Management – the processes that relate risk to prices and profits

When management of an organization is dissatisfied enough with any one of these sub systems, then they should undertake to revise/replace/improve those sub systems.

These sub systems are highly interconnected, so an improvement to one sub system is likely to increase dissatisfaction with another sub system.

For example, if the Governance sub system is not working.  People are not fulfilling their ERM related responsibilities which they may not really understand.  When this subsystem is set right,  people are aware of their ERM responsibilities and then they find out that some of the other sub systems do not provide sufficient support for them.  They get dissatisfied and urge an upgrade to another sub system.  And so on.

This might well result in a very different order for updating an ERM program than the logical order.

However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.

By Malene Thyssen – Own work, CC BY-SA 3.0,https://commons.wikimedia.org/w/index.php?curid=651071

Risk Trajectory – Do you know which way your risk is headed?

Which direction are you planning on taking?

• Are you expecting your risk to grow faster than your capacity to bare risk?
• Are you expecting your risk capacity to grow faster than your risk?
• Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a businesses risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
2. Your capacity to bear risk – often stated in terms of capital
3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

Berkshire Hathaway Risk Appetite

“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”

Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014

So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.

What are Berkshire’s competitors prepared for?

Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

They have a number and here it is.  But look at how much more Buffet has disclosed.  He told that for Berkshire, an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much that this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposie assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that it is likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re) insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re) insurer is to pay its claims and remain in business in a extreme situation.

 

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

• Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
• Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
• What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
• How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
• ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
• The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
• Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
• Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
• What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
• Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Too Much Risk

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

1. Misunderstanding the risk involved in the choices made and to be made by the organization
2. Misunderstanding the risk appetite of the organization
3. Misunderstanding the risk taking capacity of the organization
4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

1. Understands the risks
2. Articulates and understands the risk appetite
3. Understands the aggregate and remaining risk capacity at all times
4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Risk Appetite is the Boundary

Actually, it is two boundaries.

First, it is the boundary between Management and the Board with regard to risk.

• If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
• If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans.  (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)

 

Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.

• Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
• Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)

Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie.  And set their risk appetite to be near or even at those boundaries.

Full Limits Stress Test – Where Solvency and ERM Meet

We can know, looking back at last year, how much risk that an insurer was exposed to. And we can simply look at the balance sheet to see how much capital that they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent last year end? Not really useful information. Unless…

That is, unless you make some potentially heroic assumptions about the future.  Not an unusual assumption.  Just that common assumption that the future will be just like the past.

That assumption is usually ok.  Let’s see.  In the past 15 years, it has been correct four or five times.  But is that good enough for solvency work – a system that might give the right answer a third of the time?!?

But there is a solution.  Regulators have led us right up to that solution but they haven’t yet dared to say what it is. Perhaps they do not know, or even that they are not thinking that the backward looking problem has two aspects.  We are making two of the heroic assumptions:

1. We are assuming that the environment will be the same in the near future as the recent past.
2. We are assuming that the company activity will be the same in the near future as the recent past.

The regulatory response to these two shaky assumptions is:

1. Stress Scenarios
2. Look forward using company plans

Solution 1 can help, but solution 2 can be significantly improved by using the ERM program and risk appetite.  You may have noticed that regulators have all said that ERM is very important.  And that Risk Appetite is a very, very important part of ERM.  But they have never, ever, explained why it is important.

Well, the true answer is that it can be important.  It can be the solution to one part of the backward looking problem.  The idea of looking forward with company plans is a step in the right direction.  But only a half step. The full step solution is the FULL LIMIT STRESS TEST.

That test looks forward to see how the company will operate based upon the risk appetite and limits that management has set.  ERM and risk appetite provide provide a specific vision of how much risk is allowed by management and the board.  The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.

So the FULL LIMIT STRESS TEST would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows.  That can then be combined with the stress scenarios regarding the external environment.

Now the FULL LIMIT STRESS TEST will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of he firm within the risk appetite.  For firms that do not have such a system in place, the FULL LIMIT STRESS TEST needs to substitute some large amount of growth of risk that is what industry experience tells us that can happen to a firm that has gone partially or fully out of control with regard to its risk taking.

That makes the connection between ERM and Solvency very substantial and realistic.

• A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program.  The overall risk appetite will place a limit on the degree to which ALL individual risk limits can be reached at the same time.
• An otherwise similar firm with a risk management program and loose risk appetite will need to hold higher capital.
• A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
• A firm without a risk management program will need to hold capital to support the risks that history tells us that a firm with uncontrolled growth of risk might take on in a year.  A track record of informal control of risk growth cannot be used as a predictor of the range of future performance.  (It may be valuable to ask all firms to look at an uncontrolled growth scenario as well, but for firms with a good risk control process will be considered to prepare for that scenario with their ERM program.)
• A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.

With this FULL LIMIT STRESS TEST, ERM programs will then be fully and directly connected to Solvency in an appropriate manner.

 

Reviewing Risk Appetite

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Risk appetite setting and its implication on business strategy. 

Risk appetite is a high-level view of the risks the organization is willing to accept in pursuit of value. When an insurer defines the optimal level of risk, a common view of the ultimate priority is to serve shareholder’s benefits. This will facilitate the decision on the types of risks and magnitudes of the risks to be taken that are consistent with business strategies and market situation. At the same time, the desired risk profile should satisfy the explicit and implicit constraints set by other parties such as regulators, rating agencies, policyholders, debt holders, senior management, and employees. Some external changes have also expedited the process. S&P has required a clear statement of risk appetite as a foundation of “strong” or “excellent” ERM rating. Solvency II also requires insurers to explicitly consider their risk appetite.

Risk appetite framework normally includes three levels.

Enterprise risk tolerance: The aggregate amount of risk the company is willing to take, expressed in terms of

1. capital adequacy
2. earnings volatility
3. credit rating target

It represents the company’s long term target and shall be revised only if there are fundamental changes to the company’s financial profile, market situation and strategic objective. Risk appetite helps prevent default by preserving capital position. This is required by regulators, rating agencies, policyholders, and debtholders. These stakeholders show little or no interest in the upside from risk taking. On the other hand, shareholders are interested in the upside resulted from risk taking and low earnings volatility.

Risk appetite for each risk category: Enterprise risk tolerance needs to be allocated to risk appetite for specific risk categories and business activities. For example, selling life insurance policies or underwriting property and casualty risks. Or taking more market risk versus credit risk. By doing this, the company’s resources, like capital, can be allocated to the areas that the company feels comfortable with, or has competitive advantages.  When determining or updating risk appetite for different risk categories, in addition to considering the constraints set by enterprise risk tolerance, it should aim to maximize the risk-adjusted return of risk-taking activities.

Risk limit: Risk limits are the most granular level which is used for business operation. It translates enterprise risk tolerance and risk appetite for each risk category into risk monitoring measures. The consistency between risk limit and enterprise risk tolerance help the company realize its risk objective and maximize risk adjusted return.

Risk appetite not only protects value, but also creates value for the business. It helps senior management make informed decisions to maximize risk adjusted return for the shareholder. Ensuring the consistency between risk appetite and risk limits is very important. Both rating agencies and investors are concerned about whether risk appetite is properly aligned with the risk limits being set for business operation. A sound risk management practice requires risk appetite being integrated into business strategy and corporate culture.

Desired actions/features of risks management by category:

Ad Hoc

1. Unsystematic description of the company’s willingness to take risk. This could possibly be by an answer to investors, regulators or rating agencies’ inquiry and not fully linked with the company’s ability to take risk.

Basic

1. The company has a formal statement of enterprise risk tolerance which has been approved by Board of Directors (BOD). The statement should at least include target credit rating, capital adequacy, earnings volatility, and attitude to operational risk such as reputation risk and legal risk.
2. Risk appetite statement is incorporated in the risk management policy and will be reviewed annually by risk management committee and BOD.
3. When making a strategic decision, the impact is sometimes checked against enterprise risk tolerances to make sure they are not breached.

Standard

1. The company has a well established risk appetite framework which includes enterprise risk tolerance, risk appetite for each identified risk category and risk limits. Those are reviewed and approved by BOD and updated at least annually or in market turmoil.
2. The risk appetite framework considers all the constraints the company faces and reflects key stakeholders’ risk preference. They include regulators both at group level and local level, shareholders, debtors, and management.
3. There exists a consistent framework to align risk limits with enterprise risk tolerance. This is essential to make sure all the business decision is made within the company’s tolerance of risk.
4. Integration of risk appetite and strategic planning. Risk appetite framework plays an active role in providing information about risk exposures of business activities and risk reward trade off. Asset allocation and product mix are the two key areas.
5. The whole company is involved in risk appetite framework to facilitate risk identification and foster a healthy risk culture.

Advanced

1. Risk appetite framework is integrated with all the business decision, including business operation constrained by risk limits and strategic decision to fit into enterprise risk tolerance. Strategic decisions include, but are not limited to strategic asset allocation, tactic asset allocation, new business planning, capital allocation, and risk management strategies.
2. Performance measurement of management is linked to risk adjusted return or risk adjusted value.
3. Effective and company wide education and communication of risk appetite framework are in place and regularly scheduled.
4. Back testing of risk appetite framework is conducted to identify new risks, key assumption errors, and model errors.
5. Risk appetite framework is considered more of strategic risk management than risk limit system.
6. Risk appetite framework puts more efforts on emerging risks or risks hard to identify and quantify. Qualitative analysis becomes critical in corporate strategic decision.

Does Anyone Care about Risk Appetite?

RISKVIEWS got a private comment on the Risk Portfolio post. The comment can be summed up by the title above.

And if you think about the insights about ERM from the Plural Rationality discussion, you might echo that question.

If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find.

If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that are very similar to what you write already, to what you are comfortable with.  You might fear that setting an appetite would improperly encourage folks to take more risk even it it does not really fit that very stringent criteria.

If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance.  How would you know what the opportunities will be in the future?  You might easily want to accept much more or much less.  You would think that it is a waste of time to worry about such an unknowable issue.

Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea.  They would say that you must have a risk appetite for your ERM program to have any meaning.  Many regulators have the same MANAGER risk attitude.  They agree with the fundamental idea of ERM, with the idea that risk managers are needed to assist insurance company managers, to assess risks and to make sure that the insurer does not take too much risk.  The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company.

And MANAGERS will do the best for the company when they manage the risks of the firm during times of moderate volatility.  Then their choices of risks will likely perform just as their models will predict.  However in times when opportunities are best, the MANAGERS will doubtless hold the company back from the sort of gains in profitable business that the MAXIMIERS will achieve in the companies that they run.  And in times when the red ink is running all over, the MANAGERS will urge insufficient caution and will see larger losses than their models would indicate.

In the sort of uncertain times that we have lived with for 5 years now, the MANAGER’s models will not be able to adequately point the way either.  Results will languish or bounce unexpectedly.

But it is just not true that nobody cares about Risk Appetite.

Driver of a Statement of Risk Tolerance

Many, many firms struggle with developing good statements of Risk Tolerance.  This is startling because a regulators and rating agencies alike say that good risk management requires a statement of Risk Tolerance.

For this post, Risk Tolerance will be used to mean the amount of risk that an organization might choose to retain after risk mitigation.  The term Risk Appetite, which is often used interchangably will be used to mean the amount of risk that and organization plans to take, usually an amount less than the Risk Tolerance.

An analogy might be to the speed of a car.  A particular driver in a particular car might be able to tolerate going 80 miles per hour on a highway that is well lit and that has little traffic.  But tonight,  they only plan to go 70 miles per hour on this trip.

Others use these terms to mean something else.  Riskviews does not have an opinion about the value of these other definitions.

To form a good risk tolerance statement, the management of a company needs just two things – (1) to identify what adverse event they will base their tolerance upon and (2) the likelihood of that adverse event at their tolerance level.

Alternately, a risk tolerance statement can be built upon something that is itself tied directly to some likelihood, like a risk capital value at a 1/200 loss or the top speed of a car that is implicitly tied to an (unstated) level of likelihood of an accident.

But that unstated likelihood for the car speed is really the key to understanding why risk tolerance is so difficult for many, many managers.

You see, most people who drive a car will develop a tolerance for speed over time as they get experience with driving.  They each have an internal mechanism that tells them that they have reached a speed that “feels” too dangerous.  It is that roller coaster flip in the gut when the car barely holds the road on a tight turn.  That adrenaline rush that comes right after the near accident.  They are not calculating probabilities there, but their resulting tolerance could be seen to be calibrated to some safety margin that varies by individual.

But the problem is that some company managers are trying to form a risk tolerance for their company before they have any experience driving with a speedometer, in effect.  That is because risks that a company takes are not always obvious to the management.  And even when individual risks are well known, their aggregation usually is not, to any degree of precision.

So the thing that is missing for most managers is the experiential feel for their risk.  Before setting a risk tolerance, they need to drive around with one eye on the speedometer of their company.  That is with continual awareness of the amount of risk that the company is taking.  They will need to do this for a multi year period so that they will see when their knuckles go white.

Waiting for this experience may not be the be the best approach, it would probably be better to look backwards at the risk level for the past 5 to 10 years of company history.  For managers who have been there long enough, they have a good feel for when the company had much worse results than desired.  The risk tolerance can be set by working from that worst year and figuring out how close to that situation that the company management is comfortable getting in the future.

Now to do this, it is much easier to simply pick a likelihood number.  The number then defines the risk calculation.  The risk would be the amount of loss that is expected at that likelihood value given the company plans for risk taking as well as the actual risks taken.

Then to build up that experience, managers need to look at the comparison between the risk and the capital or between the risk and the earnings of the company over their recent past and immediate future.

One thing to look for is how the actual risk taken to the plan.  In some companies, a goal is set in terms of premium dollars written.  But in some years, the premium goal is met, but the business written is actually much riskier than the plan.  This may be the reason behind the bad experiences that the company has experienced.  If that is the case, then the company needs to look to strengthen risk control practices before worrying about risk tolerance. 

In the example above, the company risk number was smaller than the surplus number in all years except year 4.  Company management agrees that they were too exposed to a major loss that year.  So they have set their risk tolerance to their risk measure at 90% of surplus.  With tolerance set at that level, every other year was within tolerance.

This is the best way for management to set a risk tolerance.  Based upon experience, just like a person’s driving speed tolerance is based upon their driving experiences.

ERM Mission Statements

From the Annual Reports:

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an  integrated approach to  assessing and controlling  risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our  liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
·      Understanding which risks the company is able to underwrite;
·      Assessing the risk-return trade-off associated with these risks;
·      Establishing limits for the level of exposure to a particular risk or combination of risks; and Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

You need to know how much risk you’ve been taking first

Everyone struggles with choosing a risk appetite.  But that is the first mistake.  Risk appetite will not be singular.  Risk Appetite is plural.  It refers to any aspect of risk that goes beyond what you will comfortably accept.

In the paper Risk and Light, it mentions a number of aspects of risk:

• Type A Risk – Short Term Volatility of cash flows in 1 year
• Type B Risk – Short Term Tail Risk of cash flows in 1 year
• Type C Risk – Uncertainty Risk (also known as parameter risk)
• Type D Risk – Inexperience Risk relative to full multiple market cycles
• Type E Risk – Correlation to a top 10
• Type F Risk – Market value volatility in 1 year
• Type G Risk – Execution Risk regarding difficulty of controlling operational losses
• Type H Risk – Long Term Volatility of cash flows over 5 or more years
• Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
• Type K Risk – Pricing Risk (cycle risk)
• Type L Risk – Market Liquidity Risk
• Type M Risk – Instability Risk regarding the degree that the risk parameters are stable

It is quite possible that a full risk appetite would could address each of these aspects of risk and more.

But a more difficult hurdle is the fact that in many cases risk exposure is not consciously known.  In some cases, that is because of a confusion between RISK and LOSS.  Some of that is because of the overuse of the word risk.  In many situations, risk is used to mean an expected loss.

But for risk appetite, it is never the expected loss or even the actual losses that is of concern for a risk appetite.  The risk that matters is the potential for future loss.

But to have any idea of how much risk that a person or a firm might be comfortable with, they need to have experience with risk.  To have an  articulate risk appetite, that experience must have been quantified.

How much was the risk exposure last year?  How much was it the previous year?

And when we try to think of how much risk, we need to recognize that risk has many aspects that may need to be quantified.  Risk is complicated.  It does not reside in a single number.

Why would we think that it did?  Try to name anything important that can be represented with a single number.  Can you represent your car with a single number?  Can you represent your brother with a single number?  Can you represent a book with a single number?  Risk is a potential for future loss, that potential has many more possibilities than an existing physical object.  The object needs to represented by many different numbers.

But not all of the aspects of risk are ultimately important in most situations.

But before anyone or any business can form a risk appetite, they need to identify the characteristics of risk that are most important to them and then they need to build an experience base.  They need to know how much risk that they have taken in the past.  They need to know how much they can get paid for taking the risk.  They need to know when they were at risk of having their lights put out.

Better to have this experience in real time.  But second best is to work backwards into the past.

Faced with real information, matched up to real experience, then the stories of how to create a risk attitude will then start to make sense.

But up til then, it just won’t mean anything.

Risk Appetite and Risk Attitude

Riskczar writes about differing risk appetites this week.

I want to introduce a nuance to his discussion.  He mentions that his risk appetite is less than both his brother and his significant other.

The Risk Doctor presents a view of risk attitude that tracks directly with what Trevor calls differing risk appetites.  They both look at it as a spectrum of higher risk appetites to lower.  David suggests that anyone with a higher risk appetite has one risk attitude while someone with a lower risk appetite has another risk attitude.  Which is consistent with the digestive term appetite that is used.

However, another way of looking at this is possible and is suggested by the Plural Rationalities approach to risk that is often featured here on Riskviews.

With the Plural Rationalities approach, it is suggested that folks with an apparent higher risk appetite may well simply perceive that there is less risk than someone with a lower risk appetite.  The people who perceive that risk is very high are called Conservators.  The people who perceive that risk is very low are called Maximizers and the people who perceive that risk is moderate are called Managers. Finally Plural Rationalities suggests that there is a fourth risk attitude that is possessed by folks who just do not think that they can know how risky that something really is.  They are called Pragmatists.

These Pragmatists do not fit onto the spectrum of risk appetites.  However, plenty of these people exist.  They are the undecideds in the polls about risk.  They do not feel that the future is highly predictable, so they choose not to try.  They therefore seem to be less convinced about likelihood of favorable outcomes as well.  Or lack of likelihoods either.  Lottery tickets are appealing to some Pragmatists.  Pragmatists may take on situations that are seen to be high risk by the Conservators and pass up on situations that are seen as low risk to the Maximizers.  Pragmatists are also often frustrating to the Managers because they fail to follow the logical conclusions reached by the Managers.

But Pragmatists are well suited for the situation that seems to have settled over many economies in the world in the recent past.  The Uncertain economy.  Modern economics does not even officially have that as a phase of an economic system, though some economists have repeatedly described the current situation with that exact word.  Their approach the the Uncertain economy is to try to get it to change into one of the other stages that they do think that they understand.

So the Maximizers and Conservators are not choosing more risk or less risk as the Rational Expectations theory suggests, they are actually believing that the world is less risky (Maximizers) or more risky(Conservators).

They are not acting irrationally, they are acting according to their own rationality.

This would be irrational, except for the fact that in some periods of time, they are correct.

Once they start to notice that their view of risk is no longer correct, slowly but surely they eventually change their risk attitude to adjust to the current reality.

This process explains the market cycles without having to assume irrationalities.  Instead we need to acknowledge Plural Rationalities.

Changing Risk Tolerance

One of the reasons that many firms have not yet set a risk tolerance seems to be that management is afraid that the Risk Tolerance will then take over the company and they will no longer be able to make major decisions because of the risk tolerance.

I imagine the picture of a large sumo wrestler with the name “risk tolerance” sitting in the  corner of the executive conference room.  It would be really smart to avoid making risk tolerance unhappy.

But that is not really the case.  Risk Tolerance is not going to sit on you if you make the wrong decision.  Risk Tolerance is not going to actively insist that you make a decision that you know is wrong.

Risk Tolerance is more like the little brother that tags along behind you.  You know that if you do anything little brother will tell Mom.

Risk Tolerance is a commitment to acting as your own little brother.  Telling on yourself if you take on risk that goes beyond a certain pre-agreed upon point.

Then it is up to you to convince the higher authority that your risk taking was appropriate for whatever reason that you have.

In addition, Risk Tolerance should not be carved in stone.  Risk Tolerance should be written on the white board in Erasable marker.  You should not expect to clean that board every week.  But the option will always be there to walk up to the board and wipe it clean.

That does not mean that every time that it is inconvenient that the Risk Tolerance should be changed.  But it does mean that as the world changes, you should be sure that you Risk Tolerance still means what you intended it to mean when it was set.

Otherwise, you are in danger of having it turn into a Sumo Wrestler in the corner.