Archive for the ‘Risk Appetite’ category

Risk Trajectory – Do you know which way your risk is headed?

July 25, 2016

Arrows

Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bare risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a businesses risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
  2. Your capacity to bare risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

 

Advertisements

Berkshire Hathaway Risk Appetite

March 20, 2015
“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”
Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014
So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.
What are Berkshire’s competitors prepared for?
Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

Partner Re

They have a number and here it is.  But look at how much more Buffet has disclosed.  He told that for Berkshire, an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much that this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposie assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that it is likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re) insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re) insurer is to pay its claims and remain in business in a extreme situation.

 

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Too Much Risk

August 18, 2014

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

  1. Misunderstanding the risk involved in the choices made and to be made by the organization
  2. Misunderstanding the risk appetite of the organization
  3. Misunderstanding the risk taking capacity of the organization
  4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

  1. Understands the risks
  2. Articulates and understands the risk appetite
  3. Understands the aggregate and remaining risk capacity at all times
  4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Risk Appetite is the Boundary

June 18, 2014

Actually, it is two boundaries.

First, it is the boundary between Management and the Board with regard to risk.

  • If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
  • If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans.  (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)

 

Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.

  • Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
  • Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)

Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie.  And set their risk appetite to be near or even at those boundaries.

Full Limits Stress Test – Where Solvency and ERM Meet

April 25, 2014

We can know, looking back at last year, how much risk that an insurer was exposed to. And we can simply look at the balance sheet to see how much capital that they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent last year end? Not really useful information. Unless…

Head_On_Collision

That is, unless you make some potentially heroic assumptions about the future.  Not an unusual assumption.  Just that common assumption that the future will be just like the past.

That assumption is usually ok.  Let’s see.  In the past 15 years, it has been correct four or five times.  But is that good enough for solvency work – a system that might give the right answer a third of the time?!?

But there is a solution.  Regulators have led us right up to that solution but they haven’t yet dared to say what it is. Perhaps they do not know, or even that they are not thinking that the backward looking problem has two aspects.  We are making two of the heroic assumptions:

  1. We are assuming that the environment will be the same in the near future as the recent past.
  2. We are assuming that the company activity will be the same in the near future as the recent past.

The regulatory response to these two shaky assumptions is:

  1. Stress Scenarios
  2. Look forward using company plans

Solution 1 can help, but solution 2 can be significantly improved by using the ERM program and risk appetite.  You may have noticed that regulators have all said that ERM is very important.  And that Risk Appetite is a very, very important part of ERM.  But they have never, ever, explained why it is important.

Well, the true answer is that it can be important.  It can be the solution to one part of the backward looking problem.  The idea of looking forward with company plans is a step in the right direction.  But only a half step. The full step solution is the FULL LIMIT STRESS TEST.

That test looks forward to see how the company will operate based upon the risk appetite and limits that management has set.  ERM and risk appetite provide provide a specific vision of how much risk is allowed by management and the board.  The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.

So the FULL LIMIT STRESS TEST would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows.  That can then be combined with the stress scenarios regarding the external environment.

Now the FULL LIMIT STRESS TEST will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of he firm within the risk appetite.  For firms that do not have such a system in place, the FULL LIMIT STRESS TEST needs to substitute some large amount of growth of risk that is what industry experience tells us that can happen to a firm that has gone partially or fully out of control with regard to its risk taking.

That makes the connection between ERM and Solvency very substantial and realistic.

  • A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program.  The overall risk appetite will place a limit on the degree to which ALL individual risk limits can be reached at the same time.
  • An otherwise similar firm with a risk management program and loose risk appetite will need to hold higher capital.
  • A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
  • A firm without a risk management program will need to hold capital to support the risks that history tells us that a firm with uncontrolled growth of risk might take on in a year.  A track record of informal control of risk growth cannot be used as a predictor of the range of future performance.  (It may be valuable to ask all firms to look at an uncontrolled growth scenario as well, but for firms with a good risk control process will be considered to prepare for that scenario with their ERM program.)
  • A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.

With this FULL LIMIT STRESS TEST, ERM programs will then be fully and directly connected to Solvency in an appropriate manner.

 

Reviewing Risk Appetite

November 19, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Risk appetite setting and its implication on business strategy. 

Risk appetite is a high-level view of the risks the organization is willing to accept in pursuit of value. When an insurer defines the optimal level of risk, a common view of the ultimate priority is to serve shareholder’s benefits. This will facilitate the decision on the types of risks and magnitudes of the risks to be taken that are consistent with business strategies and market situation. At the same time, the desired risk profile should satisfy the explicit and implicit constraints set by other parties such as regulators, rating agencies, policyholders, debt holders, senior management, and employees. Some external changes have also expedited the process. S&P has required a clear statement of risk appetite as a foundation of “strong” or “excellent” ERM rating. Solvency II also requires insurers to explicitly consider their risk appetite.

Risk appetite framework normally includes three levels.

Enterprise risk tolerance: The aggregate amount of risk the company is willing to take, expressed in terms of

  1. capital adequacy
  2. earnings volatility
  3. credit rating target

It represents the company’s long term target and shall be revised only if there are fundamental changes to the company’s financial profile, market situation and strategic objective. Risk appetite helps prevent default by preserving capital position. This is required by regulators, rating agencies, policyholders, and debtholders. These stakeholders show little or no interest in the upside from risk taking. On the other hand, shareholders are interested in the upside resulted from risk taking and low earnings volatility.

Risk appetite for each risk category: Enterprise risk tolerance needs to be allocated to risk appetite for specific risk categories and business activities. For example, selling life insurance policies or underwriting property and casualty risks. Or taking more market risk versus credit risk. By doing this, the company’s resources, like capital, can be allocated to the areas that the company feels comfortable with, or has competitive advantages.  When determining or updating risk appetite for different risk categories, in addition to considering the constraints set by enterprise risk tolerance, it should aim to maximize the risk-adjusted return of risk-taking activities.

Risk limit: Risk limits are the most granular level which is used for business operation. It translates enterprise risk tolerance and risk appetite for each risk category into risk monitoring measures. The consistency between risk limit and enterprise risk tolerance help the company realize its risk objective and maximize risk adjusted return.

Risk appetite not only protects value, but also creates value for the business. It helps senior management make informed decisions to maximize risk adjusted return for the shareholder. Ensuring the consistency between risk appetite and risk limits is very important. Both rating agencies and investors are concerned about whether risk appetite is properly aligned with the risk limits being set for business operation. A sound risk management practice requires risk appetite being integrated into business strategy and corporate culture.

Desired actions/features of risks management by category:

Ad Hoc

1. Unsystematic description of the company’s willingness to take risk. This could possibly be by an answer to investors, regulators or rating agencies’ inquiry and not fully linked with the company’s ability to take risk.

Basic

  1. The company has a formal statement of enterprise risk tolerance which has been approved by Board of Directors (BOD). The statement should at least include target credit rating, capital adequacy, earnings volatility, and attitude to operational risk such as reputation risk and legal risk.
  2. Risk appetite statement is incorporated in the risk management policy and will be reviewed annually by risk management committee and BOD.
  3. When making a strategic decision, the impact is sometimes checked against enterprise risk tolerances to make sure they are not breached.

Standard

  1. The company has a well established risk appetite framework which includes enterprise risk tolerance, risk appetite for each identified risk category and risk limits. Those are reviewed and approved by BOD and updated at least annually or in market turmoil.
  2. The risk appetite framework considers all the constraints the company faces and reflects key stakeholders’ risk preference. They include regulators both at group level and local level, shareholders, debtors, and management.
  3. There exists a consistent framework to align risk limits with enterprise risk tolerance. This is essential to make sure all the business decision is made within the company’s tolerance of risk.
  4. Integration of risk appetite and strategic planning. Risk appetite framework plays an active role in providing information about risk exposures of business activities and risk reward trade off. Asset allocation and product mix are the two key areas.
  5. The whole company is involved in risk appetite framework to facilitate risk identification and foster a healthy risk culture.

Advanced

  1. Risk appetite framework is integrated with all the business decision, including business operation constrained by risk limits and strategic decision to fit into enterprise risk tolerance. Strategic decisions include, but are not limited to strategic asset allocation, tactic asset allocation, new business planning, capital allocation, and risk management strategies.
  2. Performance measurement of management is linked to risk adjusted return or risk adjusted value.
  3. Effective and company wide education and communication of risk appetite framework are in place and regularly scheduled.
  4. Back testing of risk appetite framework is conducted to identify new risks, key assumption errors, and model errors.
  5. Risk appetite framework is considered more of strategic risk management than risk limit system.
  6. Risk appetite framework puts more efforts on emerging risks or risks hard to identify and quantify. Qualitative analysis becomes critical in corporate strategic decision.

%d bloggers like this: