Archive for the ‘Risk Culture’ category

Risk Intelligence IV

March 20, 2019

Overcoming Biases

In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases.  Here are some specifics…

Biases

  • Anchoring – too much reliance on first experience
  • Availability – overestimate likelihood of events that readily come to mind
  • Confirmation Bias – look for information that confirms bias
  • Endowment effect – overvalue what you already have
  • Framing effect – conclusion depends on how the question is phrased
  • Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
  • Hindsight bias – things seem to be predictable after they happen
  • Illusion of control – overestimate degree of control over events
  • Overconfidence – believe own answers are more correct
  • Status Quo bias – Expect things to stay the same
  • Survivorship bias – only look at the people who finished a process, not all who started
  • Ostrich Effect – Ignore negative information

Each of Education, Experience and Analysis should reduce all of these.

Experience should provide the feedback that most of these ideas are simply wrong.  The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time.  So learning to identify and avoid these biases through experience has had limited testing.

Education for a risk manager should simply mention all of these biases directly and their adverse consequences.  Many risk managers receiving that education will ever after seek to avoid making those mistakes.

But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.

Analysis may provide the information to convince  some of these remaining holdouts.  Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.

So there may still be some people who even in the face of:

  • Experience of less than optimal outcomes
  • Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
  • Analysis that provides numerical back-up for unbiased decision making

Will still want to trust their own gut to make decisions regarding risk.

You can probably weed out those folks in hiring.

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Risk Culture, Neoclassical Economics, and Enterprise Risk Management

September 22, 2014

Pyramid_of_Capitalist_System copyFinancial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neo Classical Economics clash with the recommended risk practices and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neo Classical Economics beliefs.

Hierarchy Principle of Risk Management

September 8, 2014

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

  • Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
  • Jerome Kerviel at Soc Gen was doing the same.
  • The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

  1. it works to systematically determine the significance of all risk decisions, 
  2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
  3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
  4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM have been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

September 2, 2014

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Speakers: 
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re

Registration

Too Much Risk

August 18, 2014

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

  1. Misunderstanding the risk involved in the choices made and to be made by the organization
  2. Misunderstanding the risk appetite of the organization
  3. Misunderstanding the risk taking capacity of the organization
  4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

  1. Understands the risks
  2. Articulates and understands the risk appetite
  3. Understands the aggregate and remaining risk capacity at all times
  4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness“.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counter parties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

Risk Culture gets the Blame

March 18, 2014

Poor Risk Culture has been often blamed for some of the headline corporate failures of the past several years.  Regulators and rating agencies have spoken out about what they would suggest as important elements of a strong risk culture and the following 10 elements all show up on more than one of those lists:

1.      Risk Governance – involvement of the board in risk management

2.      Risk Appetite – clear statement of the risk that the organization would be willing to accept

3.      Compensation – incentive compensation does not conflict with goals of risk management

4.      Tone at the Top – board and top management are publically vocal in support of risk management

5.      Accountability – Individuals are held accountable for violations of risk limits

6.      Challenge – it is acceptable to publically disagree with risk assessments

7.      Risk Organization – individuals are assigned specific roles to facilitate the risk management program, including a lead risk officer

8.      Broad communication /participation in RM – risk management is everyone’s job and everyone knows what is happening

9.      RM Linked to strategy – risk management program is consistent with company strategy and planning considers risk information

10.    Separate Measurement and Management of risk – no one assesses their own performance regarding risk and risk management

Those are all good things for a firm to do to make it more likely for their risk management to succeed, but this list hardly makes up a Risk Culture.

Crowd

The latest WillisWire post in the ERM Practices series talks about Risk Culture from the perspective of the fundamental beliefs of the people in the organization about risk.

And RISKVIEWS has made over 50 posts about various aspects of risk culture.

Risk Culture Posts in RISKVIEWS

What if there are no clocks?

March 17, 2014

RISKVIEWS recently told someone that the idea of a Risk Control Cycle was quite simple.  In fact, it is just as simple as making an appointment and keeping it.

But what if you are in a culture that has no clocks?

Bahnsteiguhr[1]

Imagine how difficult the conversation might be about an appointment for 9:25 tomorrow morning.

That is the situation for companies who want to learn about adopting a risk control cycle who have no tradition of measuring risk.

The companies who have dutifully followed a regulatory imperative to install a capital model may think that they have a risk measurement system.  But that system is like a clock that they only look at once per month.  Not very helpful for making and keeping appointments.

Risk control needs to be done with risk measures that are available frequently.  That probably will mean that the risk measure that is most useful for risk control might not be as spectacularly accurate as a capital model.  The risk control process needs a quick measure of risk that can be available every week or at least every month.  Information at the speed of your business decision making process.

But none of us are really in a culture where there are no clocks.  Instead, we are in cultures where we choose not to put any clocks up on the walls.  We choose not to set times for our appointments.

I found that if you have a goal, that you might not reach it. But if you don’t have one, then you are never disappointed. And I gotta tell ya… it feels phenomenal.

from the movie Dodgeball

Whose Job is it to do ERM?

January 28, 2014

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job, is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assigning responsibility for the risk identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Measurement

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Building Risk Culture is a two legged beast

January 13, 2014

RISKVIEWS is reading about Business Organizational Culture – particularly the Corporate Culture Survival Guide by Edgar Shein.

Shein suggests that culture has three aspects:  Artifacts, Espoused Values and Underlying Assumptions.  Artifacts are what you can easily see happening. Espoused Values are public statements about what is wanted, things like policies and mission statements. Underlying Assumptions are the part of culture that is difficult (not impossible) to discern and very time consuming to change.  These are the things that really determine the choices and decisions of the firm.

Shein suggests that culture is formed as a new company has the successes that cause it to survive and thrive.  The initial culture is a combination of the vision and rules of the founder along with the learned values from those early experiences.

He says that culture change comes about when the Underlying Assumptions no longer seem to work and people can feel motivated to learn new approaches that if they succeed, become the new Underlying Assumptions.

To me, RISK seems particularly difficult for this process.  Most new ventures are founded with a willful disregard for RISK.  So it is relatively rare for a newer firm to have a healthy respect for risk.

In addition, the result of good risk management is a reduction in the likelihood of the experience of undesirable adverse events (UAEs).  That is also the outcome from LUCK.  In both cases, the indication of good results is a LACK of bad experience.

The Risk Culture develops as the firm experiences adverse outcomes and then only if they learn that a risk management process can reduce the likelihood that they will experience UAEs.  Otherwise, the Underlying Assumption will be that whatever the firm is doing is just right to avoid those UAEs.  Sort of like the sports star who failed to shave before the game where they scored 2 goals, so they forever after deliberately do not shave on the day of a game.

Building or Changing a Risk Culture, in my opinion, involves teaching the idea that a deliberate and comprehensive risk management process can accomplish the reduction in likelihood of UAEs.

The students may be very responsive after a major adverse experience.  Otherwise, the Risk Culture Builder needs to depend on stories of other companies that succeed and fail to avoid the major adverse experiences.

The Risk Culture Builder must be prepared to turn every experience of the organization and of other organizations into stories that support the formation of a positive Risk Culture. But it takes an extremely good story teller to create motivation to adopt a healthy Risk Culture from stories of other companies.

Risk Management is actually more about managing tendencies than actual management of UAEs.  Which is one of the things that makes Risk Culture Building particularly difficult.  Most people will judge the Risk Culture successes in terms of the actual losses experienced.  Meaning, if there are losses, then risk management is not worth the trouble.

Risk Management will only result in near zero losses if the risk tolerance is near zero.  And then only if the risk manager is given the nearly unlimited budget that it takes to actually eliminate most risk.

Instead, what can be expected from Risk Management, that is from a tendency to reduce frequency and/or severity of UAEs is loss experience that is better than those who do not practice risk management on the average, over time, when adjusted for differences in the inherent risk profile of the different organizations.

In building and reinforcing the risk culture, the Risk Culture Builder needs to be ready to explain how well (or poorly) that the company is succeeding with that.

Because ultimately, those stories, the stories of how the risk management program is succeeding or how the lack of risk management has failed are an extremely important leg of the risk culture building process.

The other leg (risk management culture is a two legged beast), is the story of how the risk management program needs to work to support achievement of the risk appetite.  That story needs to be told, not in terms of explaining the parts of a risk management framework, but instead that story is about the outcomes to be expected.

So for both legs, or both stories, the Risk Culture Builder needs to have a clear idea in mind of how the results of risk management will be demonstrable.

And that is another story.

You actually have to run on the treadmill . . .

December 19, 2013

Yes, that is right. Just buying a treadmill has absolutely no health benefits.

Treadmill

And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attenion to the signals that it sends. 

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

  • Riskiness of accepted risks
  • Volume of accepted risks
  • Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

  • Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required. 
  • Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
  • Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Collective Approaches to Risk in Business: An Introduction to Plural Rationality Theory

December 18, 2013

New Paper Published by the NAAJ
http://www.tandfonline.com/doi/abs/10.1080/10920277.2013.847781#preview

This article initiates a discussion regarding Plural Rationality Theory, which began to be used as a tool for understanding risk 40 years ago in the field of social anthropology. This theory is now widely applied and can provide a powerful paradigm to understand group behaviors. The theory has only recently been utilized in business and finance, where it provides insights into perceptions of risk and the dynamics of firms and markets. Plural Rationality Theory highlights four competing views of risk with corresponding strategies applied in four distinct risk environments. We explain how these rival perspectives are evident on all levels, from roles within organizations to macro level economics. The theory is introduced and the concepts are applied with business terms and examples such as company strategy, where the theory has a particularly strong impact on risk management patterns. The principles are also shown to have been evident in the run up to—and the reactions after—the 2008 financial crisis. Traditional “risk management” is shown to align with only one of these four views of risk, and the consequences of that singular view are discussed. Additional changes needed to make risk management more comprehensive, widely acceptable, and successful are introduced.

Co-Author is Elijah Bush, author of German Muslim Converts: Exploring Patterns of Islamic Integration.

Risk Culture doesn’t come from a memo

December 16, 2013

Nor from a policy, nor from a speech, nor from a mission statement nor a value statement.

Like all of corporate culture, Risk Culture comes from experiences.  Risk Culture comes from experiences with risk.  Corporate Culture is fundamentally the embedded, unspoken assumptions that underlie behaviors and decisions of the management and staff of the firm.  Risk Culture is fundamentally the embedded, unspoken assumptions and beliefs about risk that underlie behaviors and decisions of the management and staff of the firm.

Corporate culture is formed initially when a company is first started.  The new company tries an approach to risk, usually based upon the prior experiences of the first leaders of the firm.  If those approaches are successful, then they become the Risk Culture.  If they are unsuccessful, then the new company often just fails.

In his book, Fooled by Randomness, Nassim Taleb points out that there is a survivor bias involved here.  Some of the companies that survive the early years are managing their risk correctly and some are simply lucky.  Taleb tells the story of mutual fund managers who either beat the market or not each year.  Looking back over 5 years, a fund manager who was one of 30 out of 1000 who beat the market every one of those five years might believe that their performance and therefore their ability was far above average.  However, Taleb points out that if whether a manager beat the market or not each year was determined by a coin toss, statistics tells us to expect 31 to beat the market.

That was for a situation where we assume that the good results were likely 50% of the time.  For risk management, the event that is being managed is often a 1/100 likelihood.  There is a 95% chance of avoiding a 1/100 loss in any five year period, just by showing up with average risk management.  That makes it fairly likely that poor risk management can be easily overcome by just a little bit of luck.

So by the natural process of experience, Risk Culture is formed based upon what worked in the past.

In banks and hedge funds and other financial firms where risk taking is a fundamental part of the business, the Risk Culture often supports those who take risks and win.  Regardless of whether the amount of risk is within limits or tolerances or risk appetite.

You see, all of those ideas (limits, tolerances, appetites) are based upon an opinion about the future.  And the winner just has a different opinion about the future of his/her risk.  The fact that the winner’s opinion proves itself as experience shows that the bad outcome that those worrying risk people said was the future is not the case.  When the winner suddenly makes a bad call (see London Whale), that shows that their ability to see the future better than the risk department’s models may be done.  You see, there are very very few people who can keep the perspective needed to consistently beat the market.  (RISKVIEWS thinks that the fall off might well follow an exponential decay pattern as predicted by statistics!)

The current ideas of a proper Risk Culture (see FSB consultation paper) are doubtless not what most firms set up as their initial response to risk. That paper focuses on four specific aspects of Risk Culture.

  • Tone from the top: The board of directors11 and senior management are the starting point for setting the financial institution’s core values and risk culture, and their behaviour must reflect the values being espoused. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution.
  • Accountability: Successful risk management requires employees at all levels to understand the core values of the institutions’ risk culture and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
  • Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
  • Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.

(These descriptions are quotes from the paper)

These practices are supported by the Risk Culture for a few very new firms.  As well as a very few other firms (and we will mention why that is in a few paragraphs).  But for at least 80 percent of financial firms, these items, if they are happening, are not at all supported by the Risk Culture.  The true Risk Culture of a successful firm has evolved based upon the original choices of the firm and the decisions and actions taken by the firm that have been successful over the life of the firm.

These aspects of Risk Culture are a part of one of the three layers of culture (see Edgar Schein, The Corporate Culture Survival Guide).  He calls those layers:

  • Artifacts
  • Espoused Values
  • Shared Assumptions

The four aspects of Risk Culture featured by the FSB can all be considered to be “artifacts”.  Those are the outward signs of the culture, but not the whole thing.  Espoused Values are the Memos, policies, speeches, mission and value statements.

Coercion from outside the organization, such as through regulator edict, can force management to change the Espoused Values.  But the real culture will ignore those values.  Those outside edicts can force behaviors, just as prison guards can force prisoners to certain behaviors.  But as soon as the guards are not looking, the existing behavioral standards based upon the shared assumptions will re-emerge.

When the insiders, including top management of an organization, want to change the culture, they are faced with a difficult and arduous task.

That will be the topic of the next post.

ERM on WillisWire

December 3, 2013

Risk Management: Adaptability is Key to Success

swiss-army-knife_645x400

There is no single approach to risk management that will work for all risks nor, for any one risk, is there any one approach to risk management that will work for all times. Rational adaptability is the strategy of altering … Continue reading →


Resilience for the Long Term

Resilient Sprout in Drought

In 1973, CS Holling, a biologist, argued that the “Equilibrium” idea of natural systems that was then popular with ecologists was wrong.He said that natural systems went through drastic, unpredictable changes – such systems were “profoundly affected by random events”.  … Continue reading →


Management is Needed: Not Incentive Compensation

Bizman in Tie

Many theoreticians and more than a few executives take the position that incentive compensation is a powerful motivator. It therefore follows that careful crafting of the incentive compensation program is all that it takes to get the most out of a … Continue reading →


A Gigantic Risk Management Entertainment System

game-controller-in-room_645x400

As video gaming has become more and more sophisticated, and as the hardware to support those games has become capable of playing movies and other media, video game consoles have now become “Entertainment Systems”.  Continue reading →


Panel at ERM Symposium: ERM for Financial Intermediaries

SS Meaning of Risk Mgmt  77408059 April 23 12

Insurance company risk managers need to recognize that traditional activities like underwriting, pricing and reserving are vitally important parts of managing the risks of their firm. Enterprise risk management (ERM) tends to focus upon only two or three of the … Continue reading →


ERM Symposium Panel: Actuarial Professional Risk Management

SS Risk Button - Blank Keys  53606569 April 23

In just a few days, actuaries will be the first group of Enterprise Risk Management (ERM) professionals to make a commitment to specific ERM standards for their work. In 2012, the Actuarial Standards Board passed two new Actuarial Standards of … Continue reading →


Has the Risk Profession Become a Spectator Sport?

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers. Continue reading →


What to Do About Emerging Risks…

snake-hatching_645x400

WillisWire has on several occasions featured opinions from a large number of our contributors about what might be the next emerging risk in various sectors. But what can be done once you have identified an emerging risk? Continue reading →


U.S. Insurers Need to Get Ready for ORSA

paperwork

Slowly, but surely, and without a lot of fanfare, U.S. insurance regulators have been orchestrating a sea change in their interaction with companies over solvency.  Not as dramatic as Solvency II in Europe, but the U.S. changes are actually happening … Continue reading →


Resiliency vs. Fragility

TREES_645_400(2)

Is there really a choice?  Who would choose to be Fragile over Resilient? Continue reading →

– See more at: http://blog.willis.com/author/daveingram/#sthash.xxAR1QAP.dpuf

Reviewing Board Level Engagement and Commitment to ERM

November 26, 2013

[The material following is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Board

Make a seat at the table

July 5, 2013

The report of the Parliamentary Commission on Banking Standards titled “Changing banking for good” makes many bold statements about what is wrong with banking but stays very much in the area of timid when making recommendations for changes.  Most of which seem very much like the exercize of “rearranging the deck chairs on the Titanic”.  Take, for instance, the recommendation for changing from an Approved Persons Regime to a Senior Persons Regime.  You will need to read this carefully.  It seems just like the purposeless retitling that has been applied to the FSA.

So what sort of change could make a difference?  How about this:

Banks have been found guilty of taking advantage of a one sided option.  This option grants huge gains to shareholders and employees if risky behavior pays off and has limited downside in the case of a blow up of the risks undertaken.  Much energy has gone into seeking to make sure that there is going to be ANY downside in the future, since in the recent past, governments around the globe tended to rescue the investors and many of the employees of the banks that lost the worst.

One of the reasons that banks have become so very risky can be summed up in one word, LEVERAGE.  So a simple step that would cause the whole culture at the bank to immediately swing around towards the caution that seems desired would be to give the providers of debt capital a seat (or several) in the board of directors.  Then number of seats going to bondholders would be proportionate to the proportion of capital provided by the bondholders.  The bondholder seats on the board could be capped at 1 less than a majority for a bank that was leveraged at a higher level.  Or they might be set according to the percentage of net income before the cost of debt servicing that is theirs.  That perhaps makes the most sense, since the riskiest firms are pledging the highest percentage of their income to their debt servicing.

The risk committee of the board could be chaired by one of these bondholder directors.  For firms above a certain percentage of debt financing (perhaps half way to the 49% position described above) the Risk Committee chair could have the power of the Veto as wielded by the Tribune of the Plebs in ancient Rome.

The bondholders would not want to harm the company, but they would have a very strong interest to keep the bank from making any of those highly risky decisions that would wipe out the debtholders stake in the firm.  It only makes sense that if the majority of the earnings of the firm are going to service debt, that the debtholders should be calling the shots.

The idea that a company exists only to enrich the shareholders is a fiction created by university writers in the last 50 years, and has no basis in law or custom.  It was created because it simplified the mathematical models that the financial economists wanted to build.  The model caught on because company management found it to be a convenient way to justify increasing their compensation.

Because, for the large part, bondholders were protected by government bailouts, they have largely continued to fund banks.  But the only way to rationally justify the continual funding of the opaque, highly risky banking enterprises via debt with almost no upside and plenty of possible downside is with a belief that bailouts will continue and will continue to protect bondholders.

If however, bondholders ever became convinced that their money really was at risk, and with the current structure, they would never learn how much at risk (see London Whale and MF Global stories and see if you can find any material disclosures of these risks), then they would either require a much higher spread that actually represented a risk premium for the uncertainty involved in bank risk or a seat at the table.

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.

By Julian Voss-Andreae (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)%5D, via Wikimedia Commons

A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are may possible reasons for poor results.  Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped.  Correlation is the most misunderstood statistic.  Risk managers would do well to study and understand what valuable and reliable uses that there are for correlation calculations.  They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like.  When one of these types of threats is thought to be immanent, people will often cooperate with a cooperative ERM scheme, if one is offered.  But when the threat actually happens, there are four possible responses:  cooperation with disaster plan, becoming immobilized and ignoring the disaster, panic and anti-social advantage taking.  Disaster planning sometimes goes no further than developing a path for people with the first response.  A full disaster plan would need to take into account all four reactions.  Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social.  In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon.  For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation.  Or else a new source of large losses emerges from an existing area of coverage.  Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980’s when money market funds threatened to suck all of the money out of insurers, or in the 1990’s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process.  May have different teams doing risk assessment, risk mitigation and assurance, for each separate threat.  This can only make sense when the rewards for taking these risks is large because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  But taking up new activities with other unique threats is less of a problem under this mode.  Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions.  At the extreme of low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

Tug of War Between Intertwined Roles

December 3, 2012

Tug

A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything.  Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want.  But if you really want ERM, the something else is needed.  Martin and Power suggest that the activities of ERM are focused much too much on activities that do not reault in actions to actually change the risks of the firm.  This is a favorite topic of RISKVIEWS as well.  See Beware the Risk Management Entertainment System

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive.  That reacts to the environment.  Most ERM systems do not have this Reflexive element.  Risk limits are set and risk positions are monitored most often assuming a static environment.  The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently.  In fact, it works best if the frequency of change to your environment is less then the frequency of your update to the risk factors that you use.  That is, if your update includes studying the environment and majing environment driven changes. 

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment.  Plural Rationality theory suggests that there are four different risk environments.  If a company adopts this idea, then they need to look for signs that the environment is shifting and when it seems to be likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment.  The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability

So RISKVIEWS also strongly agrees with Martin and Powers that a risk management system needs to be reflexive. 

In “The End of ERM” Martin and Powers really mean the end of static ERM that is not action oriented and not reflexive with the environment.  With that RISKVIEWS can heartily agree.

Conflicts about Risk

December 14, 2011

The headline reads:

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk that there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood migh happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it while the non-executive employees generally see much, much more risk that either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CROs job is not to stand in judgment of both the CEO and the Board.  The CROs job is to work within the risk appetite of the board.

Charging into the Valley of Death

August 16, 2011

Half a league, half a league,
Half a league onward,
All in the valley of Death
Rode the six hundred.
“Forward, the Light Brigade!
“Charge for the guns!” he said:
Into the valley of Death
Rode the six hundred.

From Charge of the Light Brigade, by Alfred, Lord Tennyson

 In about 30 minutes, over 2/3 of the British Light Brigade were slaughtered in 1854.  Horsemen with swords charged cannon and rifles and grapeshot.   Tennyson made it sound grand and brave and somehow an admirable thing.  But Tennyson points out the the fact that it made no sense to do what they were doing – that the soldiers knew it.

“Forward, the Light Brigade!”
Was there a man dismay’d?
Not tho’ the soldier knew
Someone had blunder’d:
Theirs not to make reply,
Theirs not to reason why,
Theirs but to do and die:
Into the valley of Death
Rode the six hundred.

Military schools have used the story of the charge as an example of what can go wrong when intelligence is weak at the command center and when orders are ambiguous.

The Earl of Cardigan who was in command, reported to Parliament:

But what, my Lord, was the feeling and what the bearing of those brave men who returned to the position. Of each of these regiments there returned but a small detachment, two-thirds of the men engaged having been destroyed? I think that every man who was engaged in that disastrous affair at Balaklava, and who was fortunate enough to come out of it alive, must feel that it was only by a merciful decree of Almighty Providence that he escaped from the greatest apparent certainty of death which could possibly be conceived.

You might ask what this might have to do with Risk Management?

While the willingness to follow orders might have appealed to the Victorian English, those are not the sort of folks that you want handling risk.  Following orders that are that far wrong is not what you want someone doing with the  risks to your firm’s existence.

You want people in both your risk management area and in the front line areas where there is the most risk taking to be the sorts who question authority when they do not understand why a new order makes sense.

Risk needs to be attended to at both the center and the fringes.  And thoughtfully attended to.  When the risk seems high to someone, that should be a signal to reconsider.

Incorporating Risk into Planning and Strategy

May 31, 2011

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory and the business education that flows from utility theory suggests very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might be also reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often is actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under and external constraint system are ill equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

  • Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
  • Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedence probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
  • Risk Controls review.  Each risk operated within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
  • Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.

 

Getting Independence Right

May 11, 2011

Independence of the risk function is very important.  But often, the wrong part of the risk function is made independent.

It is the RISK MEASUREMENT AND REPORTING part of the risk function that needs to be independent.  If this part of the risk function is not independent of the risk takers, then you have the Nick Leeson risk – the risk that once you start to lose money that you will delay reporting the bad news to give yourself a little more time to earn back the losses, or the Jérôme Kerviel risk that you will simply understate the risk of what you are doing to allow you to enhance return on risk calculations and avoid pesky risk limits.

When Risk Reporting is independent, then the risk reports are much less likely to be fudged in the favor of the risk takers.  They are much more likely to simply and factually report the risk positions.  Then the risk management system either reacts to the risk information or not, but at least it has the correct information to make the decision on whether to act or not.

Many discussions of risk management suggest that there needs to be independence between the risk taking and the entire risk management function.  This is a model for risk disaster, but a model that is very common in banking.  Under this type of independence there will be a steady war.  A war that it it likely that the risk management folks will lose.  The risk takers are in charge of making money and the independent risk management folks are in charge of preventing that.  The risk takers, since they bring in the bacon, will always be much more popular with management than the risk managers, who add to costs and detract from revenue.

Instead, the actual risk management needs to be totally integrated within the risk taking function.  This will be resisted by any risk takers who have had a free ride to date.  So the risk takers can decide what would be the least destructive way to stay within their risk limits.  In a system of independent risk management, the risk managers are responsible for monitoring limit breaches and taking actions to unwind over limit situations.  In many cases, there are quite heated arguments around those unwinding transactions.

Under the reporting only independence model, the risk taking area would have responsibility for taking the actions needed to stay within limits and resolving breaches to limits.  (Most often those breaches are not due to deliberate violations of limits, but to market movements that cause breaches to limits to grow out of previously hedged positions.)

Ultimately, it would be preferable if the risk taking area would totally own their limits and the process to stay within those limits.

However, if the risk measurement and reporting is independent, then the limit breaches are reported and the decisions about what to do about any risk taking area that is not owning their limits is a top management decision, rather than a risk manager decision that sometimes gets countermanded by the top management.

Risk Policy

March 14, 2011

by Jean-Pierre Berliet

A risk policy specifies which risks a company will be willing to assume and which risks it will not. The risk policy of an insurance company focuses on:

  • creating and protecting shareholders’ value from the volatility of its financial results, and
  • containing the impact of this volatility on the cost of its capital and thus also, the cost of its risk capacity

Since insurance contracts involve assumption of insurance and investment risks, risk policies of insurance companies must include distinct insurance and investment components.

Insurance risk policy

To develop its insurance risk policy, a company needs to takes into account its ability to establish and sustain a competitive advantage by leveraging superior capabilities (e.g. underwriting expertise, claim management, risk management, etc.).  It must evaluate the attractiveness of individual insurance markets based on analysis and assessment of key factors that shape business strategy, including:

  • Market structure and characteristics (size in premium revenue, number of accounts, distribution of exposures by location, industry, etc.)
  • Revenue growth potential
  • Business acquisition and underwriting expenses
  • Changes in customer needs and value perceptions
  • Assessment of relative competitive positions
  • Loss frequency and severity, and expected loss ratio
  • Correlations with macro economic factors (e.g., inflation and GDP growth rates), and other markets served by the company.
  • Systemic insurance risk
  • Availability, cost  and anticipated use of reinsurance

Insurance companies can use data available from public and private sources (e.g., brokers) to estimate the level and volatility of revenues and earnings associated with specific exposure types, i.e. to develop an “ex-ante” assessment of the risks it considers accumulating. The underlying loss distributions can then be used to develop estimates of i) capital intensity, ii)  the impact of the accumulation of specific exposures on the company’s risk profile, iii) the utilization of its risk capacity and iv) financial performance under alternative risk policies. In every situation, there is a need to verify that a company’s capital and earnings base are sufficient relative to limits written and the probable maximum loss of the portfolio to protect the company’s ratings and ensure the viability of the company as a going concern.

Investment risk policy

The investment risk policy needs to address the following two effects of investment value volatility that might cause:

  • The absolute market value of invested assets to fall in a given time period, thereby reducing available capital and risk capacity
  • Changes in the market value of invested assets relative to the value of liabilities that increase the volatility of the company’s capital position, thereby  also increasing the probability of downgrading, or of intervention by regulators in company management

These effects of investment value volatility are addressed through reinsurance and asset strategies that contain the volatility of net assets. Insurance companies determine the extent and manner in which these strategies can be optimized, and supplemented in certain cases by arrangement of back-up lines of credit, through analysis of the volatility of their cash flows, taking into consideration the execution of their strategy, the potential liquidity and value volatility of their invested assets and the payment patterns of their liabilities. Note that liabilities of insurance companies, unlike bank demand deposits and overnight funding, are a source of relatively stable funding. Many companies take investment positions that take advantage of this relative illiquidity to create value.

The objective of an investment risk policy is to guide management in ascertaining when, to what extent and how a company should deviate from investing in a portfolio that replicates its liabilities. Its investment risk policy, at a minimum, should specify:

  • Which asset classes are permissible, by type, rating class, liquidity, etc.
  • Which risk types may be assumed to enhance returns, given a company’s risk capacity (e.g. interest rate, credit, inflation, currency, beta, idiosyncratic, liquidity, etc.)
  • How much of the assets may be invested in alternative assets, including illiquid positions (e.g. venture capital, real estate, hedge funds, funds of funds, etc.)
  • Guidelines for diversification within and between asset classes
  • How much volatility in investment income and portfolio value is consistent with the  respective solvency and value risk tolerances of the company’s stakeholders
  • Guidelines for using hedging strategies, and controlling counterparty risk

To develop this policy, a company needs to simulate the impact of alternative guidelines in relation to liabilities and the risk capital consumed, assess their contribution to economic objectives, and identify the range of acceptable asset allocations and strategies. Ultimately, the policy should provide a framework within which a company can determine how much of its return to seek through investment in risk-free instruments, or instruments that provide extra “market return” (beta) or even additional skill-based returns (alpha).

Revision of risk policy

Although it is widely recognized that an insurance company needs to develop its risk policy when it starts operating, there is no consensus on how often an established company needs to revise its risk policy.

Many insurance companies review their risk policy when they are contemplating an acquisition or entering a new business. Because such decisions can have a significant impact on their risk profile, companies often perform detailed pro-forma actuarial analyses to develop the risk insights they need before making a commitment. However, when no significant change in business portfolio is contemplated, insurance executives are often reluctant to invest time to revisit their company’s risk policy.

The recent crisis suggests, however, that there is hardly any activity of greater importance to the survival and success of insurance companies.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But they really are struggling with is either a lack of clear objectives or with unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the join responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieve diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one that they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Second Step to a New ERM Program

March 1, 2011

Everyone knows the first step – Identify your risks.

But what should you do SECOND?  The list of ERM practices is long.  Riskviews uses an eight item list of ERM Fundamentals to point the way to early ERM developments.

And you want to make sure that you avoid Brick Walls and Touring Bikes.

But the Second Step is not a practice of ERM.  The Second Step is to identify the motivation for risk management.  As mentioned in another post, there are three main motivations:  Compliance, Capital Adequacy and Decision making.

If Compliance is the motivation, then the ERM development process will be to obtain or develop a checklist of items that must be completed to achieve compliance and to work to put something in place for each of those items that will create the ability to check off that item.

If Capital Adequacy is the motivation, then building an Economic Capital model is the main task that is needed for ERM development.

If Decision making is the motivation, then the process becomes somewhat more involved.  Start with identifying the risk attitude of the firm.  Knowing the risk attitude of the firm, the risk management strategy can then be selected.  Each of the ERM Fundamentals can then be implemented in a way that is adapted to the risk strategy.

This process has been described in the post Risk Attitudes and the New ERM Program.

But knowing the motivation is key.  A newly appointed risk management officer might have fallen in love with literature describing the Risk Steering strategy of ERM.  They would set up a big budget for capital modeling and start to set up risk committees and write rules and policy statements…..

And then hit a brick wall.

That is because they did not clearly identify the motivation for their appointment to be the risk management officer.  The term ERM actually means something totally different to different folks.  Usually one of the three motivations:  Compliance, Capital Adequacy, or Decision Making.

A company that is primarily motivated by Capital Adequacy will have minimal interest in any of the active parts of the ERM practices.  A company motivated by compliance will want to know that each and every step in their ERM process satisfies a requirement.  Talking about enhanced decision making as the reason for steps in the ERM development process will either confuse or even anger management of these companies.

The reaction to a mismatch of ERM program to motivation is similar to someone who booked a cruise for their vacation and found themselves on a cross country biking tour.

Most modern cruise ships feature the following facilities:

  • Casino – Only open when the ship is in open sea
  • Spa
  • Fitness center
  • Shops – Only open when ship is in open sea
  • Library
  • Theatre with Broadway style shows
  • Cinema
  • Indoor and/or outdoor swimming pool
  • Hot tub
  • Buffet restaurant
  • Lounges
  • Gym
  • Clubs

Keep that contrast in mind when you are making your plans for a new ERM system.

Dealing with Crisis

February 24, 2011

Risk management has two important phases.  The first phase is Between Crises (BC) and the second phase is During Crises (DC).  The skills and activities needed for these two phases are totally different.  This post will talk about the DC phase.

During the Crisis, the concentration of the risk manager must shift to survival.  Much has been made of the famous saying from Baron Rothchild

“Buy when there’s blood in the streets, even if the blood is your own.

But Rothchild famously made his own luck by arranging that he was the first to know the outcome of the battle of Waterloo.  And when the crisis hits, that is what you will hope that you, or your predecessor did before the crisis – make some of that sort of luck.

One of the things that often happens is that the organization will seem to shift right out from under you.  The norms and objectives that you thought were agreed are no longer in place.  You will be judged by a set of rules that are being written right now.

An old (1938) article by Robert Merton, SOCIAL STRUCTURE AND ANOMIE, suggests that there are five ways that people can react to situations where they are unhappy with how the rules and norms are working:

  1. Conformity
  2. Innovation
  3. Ritualism
  4. Retreat
  5. Rebellion

Conformity means that they simply continue to operate under the old rules and norms as if nothing has happened.  In many cases, risk managers act as if this is the only possibility however.

Innovation means that they try to come up with a new way to solve their problem within the same structure that was in place.  Innovation may or may not work and if it does not work, then one of the other responses will be next. Often the risk manager is trying to innovate the way out of the crisis.

Ritualism means that they start to go through the motions of following the old rules, even though there is a strong sense that those rules no longer work as that had been working.  Things get more rigid and hierarchical.  Stepping on the wrong person’s toes has become a more significant infraction than it had been.

Retreat means that the organization freezes.  In some cases, it is the CEO who retreats, simply disappearing from the scene and lines of authority become blurry.

Rebellion means that the old rules and norms of the company are overthrown and new rules and norms replace the old quite rapidly.  This is most often accompanied by major management personnel changes.  But sometimes not.

The risk manager needs to be aware of these possibilities and make plans accordingly.

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion it that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly documented the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets

    and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Risk Management Culture

December 31, 2010

To date Riskviews has featured discussions of issues relating to Risk Culture 27 times.  While we talk about the Eight ERM Fundamentals, Culture is THE ERM FUNDAMENTAL.

While Standard & Poor’s uses this category to include a variety of practices including governance, disclosure and risk appetite, here we mean solely the manner that people outside of the risk management department are brought into the risk management process in a firm.

Decisions need to be made regarding who to get involved in doing and then who else to tell about the objectives and plans and activities of risk management in the firm.

Some companies do this on a need to know basis, involving only those who must get involved to make things work and only telling those who have an active role.

At the opposite extreme are firms who say that risk management is everyone’s job and who therefore work very hard to make sure that everyone understands everything that is going on.

The firms in the first group are focused on efficiency.  Management usually believes that everyone must stay focused upon their own primary responsibilities.  A select few are given responsibility for risk management activities and everyone else is kept out of the way.  Knowledge of the risk management work in these firms is usually restricted to top management and line management only in the situations where the risk management efforts need to be integrated into the operational unit’s activities.

The firms in the second group believe that risk management is everyone’s job because crippling risks can take many forms, both currently known and unknown.  And that these risks can emanate from any part of the firm.  They do not believe that just because there has never been a large problem from one activity, that there never can be.

For the first type of firm, risk management culture means that risk management is one of those things that separates the cognoscenti from the rest of the firm.  Risk management culture means keeping those in the know up to date on everything that is important about risk and risk management.  Each one of the restricted group must take a major responsibility to join in this activity.

For the second type of firm. there will be a totally different type of activity supporting risk management culture.  That will involve training sessions and informational newsletters.  One firm holds an annual conference about risk management and allows anyone at the supervisory level and above in the firm to attend.  Another firm puts an ERM related message on the intranet home page and changes that message at least once per week.

The second type of firm will welcome input from anyone to their ERM processes.

Risk Language

November 27, 2010

This is one of the eight Fundamental ERM practices. These practices are the foundations of a new ERM program.

Risk Language is not commonly recognized in most ERM literature as a fundamental practice.  But all you need to do is to talk with a management team that has a common risk language and another who does not and it is difficult to see why it is not.  The management with the common language can much more often articulate a common vision of risk management and especially of risk appetite.  The objectives of the ERM program of a firm without a common risk language are usually not understood similarly by more than a tiny handful of people.

When hearing the story of ERM at a firm it seems to be a much more likely explanation for the firm without the common language that their ERM program exists mostly for the purpose of entertaining outsiders than for impacting the management of the firm.

At the earliest stage of development of an ERM program, the lack of a language should become apparent.  Ask any two managers what they think is meant by an unacceptably large loss and you are likely to get as many different answers as you have answerers.

Ask that same set of people what would be an acceptable level of sales or profits and they will all usually be able to clearly state the company goals for the current year.

So the objective in this area as it is with measurement is to put risk on the same footing as sales and profits, to give it the same clarity and unanimity of understanding and purpose.

There are several steps to gaining a risk language for a firm.

  1. Existing Risk Terms – Making a collection of existing risk terminology used commonly in different parts of the company is a good first step.  Notice where different parts of the company have different terms for one idea and other places where people have different meanings for the same term.  Those conflicts need to be resolved so that there is one main set of terms used within the company for those ideas.
  2. Standard Risk terms – It is not necessary that each firm adopts an entire vocabulary about risk from outside the firm.  But on the same token, there are a wide variety of standardized terms for risk.  Take a look at Risk Glossary, for example.  A good first step would be to take a short list of terms from a source like that and start to make sure that everyone starts to learn those terms.
  3. New Risk Terms – As ERM grows within the company, new terminology will develop for particular ideas.  Some of that terminology will emanate from the risk department and some will come from the executives as they seek to repeat things that they hear at the risk committee meetings.  For some time, everyone needs to be deliberate about the process of coining new terminology.  Conscious that one way of saying something seems to “stick” better than another.  Encourage the formation of this vocabulary.

Besides forming this new vocabulary, it is extremely important that both the risk staff and the other managers who are members of risk committees make sure to use the new risk terminology inn their everyday work.  Language is naturally built by usage, not by dictionaries.

One last thought… ERM practice is a combination of some very expensive things and very simple things.  In general, the largest firms can afford the very expensive things more easily while the simple things are usually executed much more effectively in small firms.  This is one of the simple things.

 

Responsibility for Risk Management

July 28, 2010

Who should have responsibility for risk management?

Is it the CRO? Is it the Business Unit Heads? Is it everyone? or is it the CEO (As Buffet suggests)?

My answer to those questions is YES. Definitely.

You see, there is plenty of risk to go around.

The CEO should be responsible for the Firm Killing Risks. He/She should be the sole person who is able to commit the firm to an action that creates or adds to a firm killing risk position. He/She should have control systems in place so that they know that no one else is taking and Firm Killing Risks. He/She should be in a constant dialog with the board about these risks and the necessity for the risks as well as the plans for managing those sorts of risks.

At the other end of the spectrum, there are the Bad Day Risks. Everyone should be responsible for their share of the Bad Day Risks.

And somewhere in the middle are the risks that the CRO and Business Unit Heads should be managing. Those might be the Bad Quarter Risks or the Bad Year Risks.

As the good book says, “To each according to his ability”. That is how Risk Management responsibility should be distributed.

Risk Managers MUST be Humble

July 3, 2010

Once you think of it, it seems obvious.  Risk Managers need humility.

If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.

Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.

Risk managers should read the ancient Greek story of Icarus.

Risk managers without humility will suffer the same fate.

Humility means remembering that you must do every step in the risk management process, every time.  The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball.  They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.

But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.

The risk managers with humility will be ever watchful.  They will be looking for the next big unexpected risk.  They will not be out there saying how well that they are managing the risks, they will be more concerned about the risks that they are unprepared for.

Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.

Winners and Losers

June 14, 2010

Sometimes quants who get involved with building new economic capital models have the opinion that their work will reveal the truth about the risks of the group and that the best approach is to just let the truth be told and let the chips fall where they may.

Then they are completely surprised that their project has enemies within management.  And that those enemies are actively at work undermining the credibility of the model.  Eventually, the modelers are faced with a choice of adjusting the model assumptions to suit those enemies or having the entire project discarded because it has failed to get the confidence of management.

But that situation is actually totally predictable.

That is because it is almost a sure thing that the first comprehensive and consistent look at the group’s risks will reveal winners and losers.  And if this really is a new way of approaching things, one or more of the losers will come as a complete surprise to many.

The easiest path for the managers of the new loser business is to undermine the model.  And it is completely natural to find that they will usually be completely skeptical of this new model that makes their business look bad.  It is quite likely that they do not think that their business takes too much risk or has too little profits in comparison to their risk.

In the most primitive basis, I saw this first in the late 1970’s when the life insurer where I worked shifted from a risk approach that allocated all capital in proportion to reserves to one that recognized the insurance risk as well as the investment risk as two separate factors.  The term insurance products suddenly were found to be drastically underpriced.  Of course, the product manager of that product was an instant enemy of the new approach and was able to find many reasons why capital shouldn’t be allocated to insurance risk.

The same sorts of issues had been experienced by firms when they first adopted nat cat models and shifted from a volatility risk focus to a ruin risk focus.

What needs to be done to diffuse these sorts of issues, is that steps must be taken to separate the message from the messenger.  There are 2 main ways to accomplish this:

  1. The message about the new level of risks needs to be delivered long before the model is completed.  This cannot wait until the model is available and the exact values are completely known.  Management should be exposed to broad approximations of the findings of the model at the earliest possible date.  And the rationale for the levels of the risk needs to be revealed and discussed and agreed long before the model is completed.
  2. Once the broad levels of the risk  are accepted and the problem areas are known, a realistic period of time should be identified for resolving these newly identified problems.   And appropriate resources allocated to developing the solution.  Too often the reaction is to keep doing business and avoid attempting a solution.

That way, the model can take its rightful place as a bringer of light to the risk situation, rather than the enemy of one or more businesses.

Lessons for Insurers (6)

May 25, 2010

In late 2008, the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis. This report featured nine key Lessons for Insurers. Riskviews will comment on those lessons individually…

6. Insurers must pay special attention to high growth/profit areas in their companies, as these are often the areas from which the greatest risks emanate.

All high growth areas are not risk problems, but almost all risk problems come from areas of high growth.

And high growth areas present several special problems for effective risk management.

  1. High growth in the financial services field usually results when a firm has a new product or service or territory.  There is almost always a deficit of experience and data about the riskiness of the new area.  Uncertainty rules.
  2. In new high growth areas, pricing can be far off the mark at the outset.  If the initial experience is benign, then the level of pricing can become firmly set in the minds of the distributors, the market and the management.  When adverse experience starts to undermine the pricing, it may be initially dismissed as an anomaly, a temporary loss.  It may be very difficult to determine the real situation.
  3. If risk resources were included in the plan for the high growth activity, they were probably not increased when the growth started to exceed expectations.  As growth occurs, the risk resources are most often held at the level called for in the initial plan.  Any additional resources that are applied to the growing area are needed to support the higher level of activity.  Often this is simply a natural caution about increasing expenses in what may well be a temporary situation.  This caution is often justified as growth ebbs.  But in the situations where growth does not wane, a major mismatch between risk resources and business activity develops.
  4. There is usually a political problem within the firm.  The management of the highest growth area are most likely the current corporate heroes.  It is very highly unlikely that the CRO will have as much clout within the organization as the heroes.  The only solution to this issue is support from the CEO for the importance of risk.
  5. Risk efforts need to be seen not as “business prevention” but as a partner with the business in getting it right.  This is difficult to accomplish unless risk is involved from the outset.  If the business gets going and growing with procedures that are questionable from a risk perspective, then it is quite possible that changing those procedures might well hurt the growth of the area.  Risk needs to be involved form the outset so that appropriate procedures and execution of those procedures does not become a growth issue later on.

This is the most difficult and important area for the risk management of the firm.  The business needs to be able to take chances in new areas where good growth is possible.  The Risk function needs to be able to help these new activities to have the chance to succeed.

At the same time, the organization needs to be protected from the sort of corner cutting that leads to growth through drastically under-priced risks.

It is a delicate balancing act that requires a high degree of political skill as well as good business judgment about when to dig in the heels and when to let go.

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

The LORD and Risk Management

May 14, 2010

Great post by Jos Berkemeijer

Check it out.

Will History Repeat?

May 10, 2010

In the 1980’s a dozen or more firms in the US and Canadian Life Insurance sector created and used what were commonly called required surplus systems.  Dale Hagstrom wrote a paper that was published in 1981, titled Insurance Company Growth .  That paper described the process that many firms used of calculating what Dale called Augmented Book Profits.  An Augmented Book Profit later came to be called Distributable Earnings in insurance company valuations.  If you download that paper, you will see on page 40, my comments on Dale’s work where I state that my employer was using the method described by Dale.

In 1980, in the first work that I was able to affix my newly minted MAAA, I documented the research into the risks of Penn Mutual Life Insurance Company that resulted in the recommendation of the Required Surplus, what we would now call the economic capital of the firm.  By the time that Dale’s paper was published in 1981, I had documented a small book of memos that described how the company would use a capital budgeting process to look at the capital utilized by each line of business and each product.  I was the scribe, the ideas come mostly from the Corporate Actuary, Henry B. Ramsey. We created a risk and profit adjusted new business report that allowed us to show that with each new product innovation, our agents immediately shifted sales into the most capital intensive or least profitable product.  It also showed that more and more capital was being used by the line with the most volatile short term profitability.  Eventually, the insights about risk and return caused a shift in product design and pricing that resulted in a much more efficient use of capital.

Each year, throughout the 1980’s, we improved upon the risk model each year, refining the methods of calculating each risk.  Whenever the company took on a new risk a committee was formed to develop the new required surplus calculation for that risk.

In the middle of the decade, one firm, Lincoln National, published the exact required surplus calculation process used by their firm in the actuarial literature.

By the early 1990’s, the rating agencies and regulators all had their own capital requirements built along the same lines.

AND THEN IT HAPPENED.

Companies quickly stopped allocating resources to the development and enhancement of their own capital models.  By the mid-1990’s, most had fully adopted the rating agency or regulatory models in the place of their own internal models.

When a new risk came around, everyone looked into how the standard models would treat the new risk.  It was common to find that the leading writers of a new risk were taking the approach that if the rating agency and regulatory capital models did not assess any capital to the new risk, then there was NO RISK TO THE FIRM.

Companies wrote more and more of risks such as the guaranteed minimum benefits for variable annuities and did not assess any risk capital to those risks.  It took the losses of 2001/2002 for firms to recognize that there really was risk there.

Things are moving rapidly in the direction of a repeat of that same exact mistake.  With the regulators and rating agencies more and more dictating the calculations for internal capital models and proscribing the ERM programs that are needed, things are headed towards the creation of a risk management regime that focuses primarily on the management of regulatory and rating agency perception of risk management and away from the actual management of risks.

This is not what anyone in the risk management community wants.  But once the regulatory and rating agency visions of economic capital and ERM systems are fully defined, the push will start to limit activity in risk evaluation and risk management to just what is in those visions – away from the true evaluation of and management of the real risks of the firm.

It will be clear that it is more expensive to pursue the elusive and ever changing “true risk” than to satisfy the fixed and closed ended requirements that anyone can read.  Budgets will be slashed and people reassigned.

Will History Repeat?

Risk Impact Thresholds

May 3, 2010

Tipping the ERM Scale Toward Survival

By MICHAEL A. COHEN

Enterprise risk management experts, and surely even many neophytes, are fairly adept at identifying exposures and events that can impede their organizations. What is much more difficult is measuring the potentially adverse impact of risks, making this the biggest X factor in the ERM process.

Consequently, it is quite challenging to determine how much risk exposure an organization can “tolerate”—that is, the extent of adverse risk impact a company can absorb so that the attainment of its goals will not be jeopardized.

It is equally difficult to assess a company’s “threshold” to absorb these risk consequences—that is, the cross-over points beyond which significant strategic and operational changes need to be made.

What Might Your Stakeholders Do?

TRIGGERS:

  • Financial Outcomes: impact on capital and earnings
  • Business Line inadequacy: products and features, service
  • Business Misconduct and reputational impairment: putting future viability at risk

REACTIONS:

  • Customers or producers might cease doing business with firm or reduce volume
  • Investors might sell stock lowering the price in the process
  • Board might replace management or reduce compensation
  • Lenders might charge a higher price for capital
  • Rating agencies might downgrade
  • Institutional customers might not be permitted to do business with firm

As a result, it is likely that many organizations are exposed to risks that would materially compromise not only their current course but their very existence. In fact, the events of the last two years have dramatically highlighted this exposure, and many firms have been greatly harmed. Just ask AIG and Lehman Brothers.  Measurement of risk impact—both quantitative and qualitative—is clearly the most critical endeavor to perform accurately in determining an organization’s tolerance for risk.  It is possible for each element of the risk measurement and reporting process to be flawed, as they are often performed in a vacuum—the result can be too narrow and theoretical in scope.  The quantifying component of risk measurement is built upon mathematics and modeling, utilizing:

  • A series of approximations and assumptions.
  • Identification of elements/variables to measure.
  • Determination of the relationship between the various risk factors and the outcomes they might jeopardize

The qualifying component, however, is often built on psychology—its effect on decision-making and the “emotional intelligence” of the individuals making judgments on risk. Consider the following:

  • People work on problems they think they can solve, and they avoid those they don’t think they can solve—due to complexity or political reasons. Elements in the latter category won’t be addressed.
  • They are slow and cautious in reacting to new information and reluctant to admit ignorance or mistaken assumptions. Solutions to risk mitigation may exist, but might not be implemented without inordinate study—paralysis by analysis.
  • They look at fewer as opposed to more perspectives, possibly missing a better solution.
  • They often place greater value on what they themselves have created than on what others have done, and may well miss out on higher-order thinking generated by a group and on the critical perspectives of others.

(more…)

Five Stages of Rapid Decline

April 22, 2010

Jim Collins wrote the popular book “Good to Great” at the peak of the Dot Com boom.  His latest book is titled “How the mighty Fall” and features the five stages of rapid decline:

Stage 1: Hubris Born of Success

Stage 2: Undisciplined Pursuit of More

Stage 3: Denial of Risk and Peril

Stage 4: Grasping for Salvation

Stage 5: Capitulation to Irrelevance or Death

Strategic failure of a firm – which could come from a hubris fueled rapid decline or simply a shift of your customers when you are not paying enough attention is really a risk that for most firms dwarfs the risks that are measurable and that are managed through the techniques of quantitative risk management.

According to a study conducted by Royal Dutch Shell the average life expectancy of Fortune 500 firms is 40 to 50 years.  That implies a 2% to 2.5% average annual failure rate.

Firms that are holding capital for measurable risks at a 1/200 level are pretending to protect their firm at a 0.5% annual failure rate.

But are quantitative risk management programs focusing too much resources on the things that can be measured and creating the Hubris, the false sense of invulnerability that is number one on the list above.

Certainly at some banks and some insurers that was the case.

Once you are convinced that you “know how to control risk” you are likely to go for it – the Undisciplined pursuit of More of the second item.  Even if quantitative risk management is doing most of what is needed, successful risk management can and will lead to Hubris and undisciplined growth.

Of course, sooner or later that lack of discipline will result in a misstep.  And here is where risk management needs to be ready to make it real.  The most common reaction to a problem in this situation is to assume that (a) this is not real, (b) this could not be happening to us – we are too good for this and when the bad news persists and grows in size and scope (c) this will turn around soon, it is only a temporary blip.  Those attitudes result in waiting too long to start doing anything.  That is where risk management must be ready to step in again with realisim and good plans for what to do next.

Unless risk management is caught up in the Hubris and Denial.

So try to make your move, risk managers, before it is to volunteer as a pall bearer.

Making Better Decisions using ERM

April 21, 2010

Max Rudolph provided a lecture on ERM for the University of Waterloo and the Waterloo Research institute in Insurance, Securities and Quantitative finance (WatRISQ).

Key Points:

ERM’s Role in Strategic Planning

  • Understanding the Risk Profile
  • Solutions are Unique
  • Using Quantitative and Qualitative Tools

ERM is Not:

  • A Checklist Exercize
  • A Rating Agency Exercize
  • Just About Risk Mitigation

Have You ever heard of the Financial Crisis?

And Much more…

Max Rudolph

LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

Surprise, Surprise

April 5, 2010

If any of you heard me give the luncheon talk last year at the ERM Symposium, you will have to mark your calendars to attend a follow-up session on the same topic this year.  This year, Michael Thompson will be doing most of the talking.

That topic is the application of Plural Rationalities (aka Cultural Theory) to risk management.

Over the year since I gave that speech I have been working with Michael Thompson, one of the original authors of the Cultural Theory book, to explain the ways that the ideas from anthropology help to explain and can help to plan for the various experiences.

The key idea is called Surprise!  That is the name for what happens when someone expects one thing and another happens.  Thompson will be explaining how Surprise is a key driver of how people experience the risk environment.

In addition, I will be discussing an agent based model called The Surprise Game that demonstrates the dynamics of a system that runs under the rules of Plural Rationalities.

Thompson will wrap up with a discussion of the Clumsy solutions that have been found to be the answer to the puzzle of the world of risk.

So if I caught anyone’s interest last year at lunch with my smiley faces, come back this year for some serious discussion of the four part world of Plural Rationalities.

Wednesday, April 14, 2010

10:00–11:15 a.m. Concurrent Sessions 5B

Is ERM Ethical?

March 14, 2010

Or more properly, must ERM be based upon an ethical position?

If so, is it possible that the ethical position that underlies many ERM programs is different from the ethical system of the firm?

One school of ethics, Utilitarianism, suggests that we should pursue the “greatest good for the greatest number”.   Unknown to many who subscribe to this ethical school, Utilitarianism is a close cousin to Hedonism, that has the famous motto “Eat, Drink and be Merry for Tomorrow we may Die”.

In fact Adam Smith provides a direct link between those two mottoes with his invisible hand.  If each individual follows the Hedonism rule, then the Utilitarianism objective will be met according to Smith.

Risk Management is based more on an Epicurean ethic. Philosophical Epicureans are not the art and wine connoisseurs of popular definition.  They pursue tranquility that is achieved through banishment of fear.

Epicureans observed that indiscriminate indulgence sometimes resulted in negative consequences. Some experiences were therefore rejected out of hand, and some unpleasant experiences endured in the present to ensure a better life in the future. The summum bonum, or greatest good, to Epicurus was prudence, exercised through moderation and caution. (Wikipedia)

Interestingly, Thomas Jefferson spoke of himself as a Epicurean.  The arguments between factions expressed in the Federalist Papers among other places among the US founders was in part an argument between Utilitarians and Epicureans.

And that is the same argument that plays itself out between Risk Management and business leaders in today’s firms.  Some Risk Managers would argue that Risk Management is Ethical whilst their opponents are simply greedy.  But looking behind the surface of that argument reveals that there are simply two different ethical schools.

Risk Managers need to find the common ground and show the value of their ethic to the Utilitarian/Capitalist school of ethics.  Not an easy sale.  But as a result of the Financial Crisis, more and more folks are coming to doubt the ultimate infallibility of that Invisible Hand.  Epicurean thought is gaining traction.

Chief Risk Scape Goat

February 22, 2010

There are repeated calls from the bank risk management community for more “AUTHORITY” for Chief Risk Officers.  Most recently by the European Bank Supervisors.  In their report of “High Level Principles for Risk Management” they actually call for a CRO that is totally independent of the hierarchy of the bank – reporting directly to the board.

This is a perfect solution – but not to the problem that they are addressing.  It is a solution to the problem of CEO responsibility for risk and risk management.  If a bank follows the EBS suggestion and makes the CRO totally independent of the CEO, then the CEO clearly no longer has any responsibility for risk, risk management or even losses.

So the CEO is responsible for gains and the CRO is responsible for losses.

Seems like a sweet arrangement for the CEO.  Not so sweet for the Bank.

There are several possible outcomes, but only one likely one.  The likely one is that the CRO will get this position and then will be totally ignored until the time comes to find someone responsible for a bad outcome and then the CRO will be toast.  The CEO just bought a free pass for bad results.

The desired outcome is not much better.  The desired outcome is that there will be a constant fight between the CEO and the 99% of the organization that works for him/her and the CRO with his/her 200 strong risk department.  The CEO will not have to listen to the CRO.  The CRO will need to decide how often to take his/her arguments up to the board.  The CRO is given “authority”.

But what is really needed is not to have a more powerful cop.  What is needed is for the entire organization to have a role in keeping the enterprise in business.  That will not be accomplished by making one person solely responsible.  Unless that one person is the CEO.

Chief Ignorance Officer

February 10, 2010

Great piece from HBR “Wanted: Chief Ignorance Officer“by David Gray.

The idea is that person would protect the ability of the firm to be open minded.  To consider both options and adverse possibilities.  The CIO would be the person who does not ever believe the claims on the outside of the box.  They would be the person who breaks the new toy immediately because they hold it the wrong way (hopefully while still in the store.) The CIO would be the person who is not so sure even when “everyone knows” that there is no risk in that new and growing area.

The CIO would also remind everyone that just because they have more information about one alternative it is not necessarily the best choice.  Sometimes, the best choice is to go ahead with something that is not necessarily known for sure to work.

The CIO would also provide the childlike ability to see old things in a new light and possibly see new solutions for old problems that utilize tools that are right there on the worktable but that we always thought were only to be used for something else.

The CIO will be willing to try lots and lots of different solutions because they will not know in advance which one will work.

The CRO definitely should have a lieutenant who is their CIO.  Someone who will actually see the road ahead because they have not been down it so many times that they no longer look.

Lessons for Insurers (1)

January 11, 2010

In late 2009,  the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

1. The success of ERM hinges on a strong risk management culture which starts at the top of
a company.

This seems like a very simple statement that is made over and over again by most observers.  But why is it important and why is it very often lacking?

First, what does it mean that there is a “strong risk management culture”?

A strong risk management culture is one where risk considerations make a difference when important decisions are made PERIOD

When a firm first adopts a strong risk management culture, managers will find that there will be clearly identifiable decisions that are being made differently than previously.  After some time, it will become more and more difficult for management to notice such distinctions because as risk management becomes more and more embedded, the specific impact of risk considerations will become a natural inseparable part of corporate life.

Next, why is it important for this to come from the top?  Well, we are tying effective risk management culture to actual changes in DECISIONS and the most important decisions are made by top management.  So if risk management culture is not there at the top, then the most important decisions will not change.  If the risk management culture had started to grow in the firm,

when middle managers see that top management does not let risk considerations get in their way, then fewer and fewer decisions will be made with real consideration risk.

Finally, why is this so difficult?  The answer to that is straight forward, though not simple.  The cost of risk management is usually a real and tangible reduction of income.  The benefit of risk management is probabilistic and intangible.  Firms are compared each quarter to their peers.

If peer firms are not doing risk management, then their earnings will appear higher in most periods.

Banks that suffered in the current financial crisis gave up 10 years of earnings!  But the banks that in fact correctly shied away from the risks that led to the worst losses were seen as poor performers in the years leading up to the crisis.

So what will change this?  Only investors will ultimately change this.  Investors who recognize that in many situations, they have been paying un-risk adjusted multiples for earnings that have a large component of risk premiums for low frequency, high severity risks.

They are paying multiples, in many cases where they should be taking discounts!

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

New Decade Resolutions

January 1, 2010

Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade

  1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
  2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
  3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
  4. Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future. 
  5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.

  6. Drivers of risks will be highlighted and monitored.  Key risk indicators is not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external. 
  7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
  8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management. 
  9. Focus on  the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.   Big transactions will also get the same kind of focus on risk. 

Live Ammunition

December 13, 2009

Are you working with live ammunition with your risk management program?

What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?

The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?

If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.

Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.

I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.

Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a break pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?

Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.

The job of RISK is not to over ride the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.

You may have missed these . . .

November 22, 2009

Riskviews was dormant from April to July 2009 and restarted as a forum for discussions of risk and risk management.  You may have missed some of these posts from shortly after the restart…

Crafting Risk Policy and Processes

From Jawwad Farid

Describes different styles of Risk Policy statements and warns against creating unnecessary bottlenecks with overly restrictive policies.

A Model Defense

From Chris Mandel

Suggests that risk models are just a tool of risk managers and therefore cannot be blamed.

No Thanks, I have enough “New”

Urges thinking of a risk limit for “new” risks.

The Days After – NEVER AGAIN

Tells how firms who have survived a near death experience approach their risk management.

Whose Loss is it?

Asks about who gets what shares of losses from bad loans and suggests that shares havedrifted over time and should be reconsidered.

How about a Risk Diet?

Discusses how an aggregate risk limit is better than silo risk limits.

ERM: Law of Unintended Consequences

From Neil Bodoff

Suggests that accounting changes will have unintended consequences.

Lessons from a Bull Market that Never Happened

Translates lessons learned from the 10 year bull market that was predicted 10 years ago from investors to risk managers.

Choosing the Wrong Part of the Office

From Neil Bodoff

Suggests that by seeking tobe risk managers, actuaries are choosing the wrong part of the office.

Random Numbers

Some comments on how random number generators might be adapted to better reflect the variability of reality.


%d bloggers like this: