Archive for the ‘Risk Identification’ category

Risk Identification – don’t just mail it in

January 9, 2014

ERM programs all start out with a suggestion that you must identify your risks.

Many folks take this as a trivial exercize.  But it is not.  There are two important reasons why not:

  1. Everyone has risks in the same major categories, but the way that those categories are divided into the action level is important.  All insurers have UNDERWRITING RISK.  But almost all insurers should be subdividing their UDERWRITING RISK into major subcategories, usually along the lines that they manage their insurance business.  Even the very smallest single line single state insurers sub divide their insurance business.  Risks should also be subdivided.
  2. Names are important.  Your key risks must have names that are consistent with how everyone in the company talks.

Best practice companies will take the process of updating very seriously.  They treat it as a discovery and validation process.

To read more about Risk identification, see the WillisWire post

(This is the first of a 14 part series about the ERM practices that are needed to support the new ORSA Process)

and the RISKVIEWS post

Identifying Risks

Controlling with a Cycle

April 3, 2013

Helsinki_city_bikes

No, not that kind of cycle… This kind:

CycleThis is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in a insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced. Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible. Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process. Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions. Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation. Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the 
risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

Embedded Assumptions are Blind Spots

October 28, 2012

Embedded assumptions are dangerous. That is because we are usually unaware and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumptions that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  The hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.   In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after…… The last time when there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

What Can You Control?

September 2, 2011

Framing is of vital importance in identifying risks.
Risks need to be framed in a way that you CAN actually control them.  If you say that your major risk is a drop in the stock market, then you are framing that risk as something that you cannot control.

If instead, if you frame it as a sudden drop in the value of your investments, then you are very highly in control of your risk.  You can choose your investments.  Your choice to manage the risk becomes a tractable risk reward trade-off.  You can buy hedges to mitigate the amount of your losses.

The same goes for Hurricanes or other acts of nature.  If you say that your risk is hurricanes, then you cannot control hurricanes and you are done.  The risk management committee can go home early.  But if you say that your risk is “damage caused by hurricanes”, suddenly you are in charge.  You have options and you have responsibilities.  You have the option to move some of your activities out of the path of hurricanes.  You have the option to make sure that the construction of your building can withstand some or all hurricanes and the concurrent storm surge.  You have the option of buying insurance to make sure that your damages are reimbursed.

So look at your list of risks.  Make sure that even if it says Hurricane, that you are treating it as a manageable risk.  As if it said “damage caused by hurricanes” that you can manage and you are not just throwing up your hands because you cannot stop a hurricane.

 

10 ERM Questions from an Investor – The Answer Key (1)

July 4, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of risk the limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never come back and asked for the answer key.  Here it is:

1.  The first step in real risk management is to be able to think of the firm from a risk point of view.  Any CEO can do that from a sales point of view and from a profits point of view.  They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line.  Those statistics are a part of the sales profile and the profits profile.  A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile.  Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet.  So this question is first and most important.  The CEOs who are most likely to be unable to answer this question are the leaders of larger more complex companies.  The investor need to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business.  Risk really is a key issue.  A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to.  That may work out fine for the company and the investors.  If they are lucky.

What’s Next?

March 25, 2011

Turbulent Times are Next.

At BusinessInsider.com, a feature from Guillermo Felices tells of 8 shocks that are about to slam the global economy.

#1 Higher Food Prices in Emerging Markets

#2 Higher Interest Rates and Tighter Money in Emerging Markets

#3 Political Crises in the Middle East

#4 Surging Oil Prices

#5 An Increase in Interest Rates in Developed Markets

#6 The End of QE2

#7 Fiscal Cuts and Sovereign Debt Crises

#8 The Japanese Disaster

How should ideas like these impact on ERM systems?  Is it at all reasonable to say that they should not? Definitely not.

These potential shocks illustrate the need for the ERM system to be reflexive.  The system needs to react to changes in the risk environment.  That would mean that it needs to reflect differences in the risk environment in three possible ways:

  1. In the calibration of the risk model.  Model assumptions can be adjusted to reflect the potential near term impact of the shocks.  Some of the shocks are certain and could be thought to impact on expected economic activity (Japanese disaster) but have a range of possible consequences (changing volatility).  Other shocks, which are much less certain (end of QE2 – because there could still be a QE3) may be difficult to work into model assumptions.
  2. With Stress and Scenario Tests – each of these shocks as well as combinations of the shocks could be stress or scenario tests.  Riskviews suggest that developing a handful of fully developed scenarios with 3 or more of these shocks in each would be the modst useful.
  3. In the choices of Risk Appetite.  The information and stress.scenario tests should lead to a serious reexamination of risk appetite.  There are several reasonable reactions – to simply reduce risk appetite in total, to selectively reduce risk appetite, to increase efforts to diversify risks, or to plan to aggressively take on more risk as some risks are found to have much higher reward.

The last strategy mentioned above (aggressively take on more risk) might not be thought of by most to be a risk management strategy.  But think of it this way, the strategy could be stated as an increase in the minimum target reward for risk.  Since things are expected to be riskier, the firm decides that it must get paid more for risk taking, staying away from lower paid risks.  This actually makes quite a bit MORE sense than taking the same risks, expecting the same reward for risks and just taking less risk, which might be the most common strategy selected.

The final consideration is compensation.  How should the firm be paying people for their performance in a riskier environment?  How should the increase in market risk premium be treated?

See Risk adjusted performance measures for starters.

More discussion on a future post.

ERM Events from Sim

March 12, 2011

SimErgy ERM Boot Camp
June 6-8, 2011
This practical hands-on program is designed to give participants tangible skills that can be applied immediately to successfully implement ERM. It uses a stimulating and dynamic combination of lectures, individual and group exercises, and case studies. The program is led by Sim Segal, FSA, CERA, and is based on his new book, Corporate Value of Enterprise Risk Management, his consulting experience, and his MBA/EMBA course at Columbia Business School.

The 10 Key ERM Criteria (Webinar)
May 25, 2011, 12:15pm – 1:15pm Eastern
A persistent issue in ERM is the lack of accepted ERM standards. This webinar presents 10 key criteria that define best practices and which can be used as a standard benchmark to evaluate the robustness of any ERM program. We will discuss common industry practices and evaluate them against each of these criteria. Speaker: Sim Segal, President, SimErgy Consulting

Five Keys to Successful Risk Identification (Webinar)
June 22, 2011, 12:15pm – 1:15pm Eastern
Risk identification is the first step in the ERM process cycle. Most assume that by now common practice must have evolved into best practice. However, this is not so. This webinar reveals the critical mistakes routinely made in risk identification that can derail the ERM process, and the five keys to successfully avoiding them. Speaker: Sim Segal, President, SimErgy Consulting

Risk Radio™
Thursdays, 12:15pm Eastern
SimErgy introduces an innovative medium for ERM discourse: a weekly radio program. Premiering March 31st, Risk Radio, airs Thursdays at 12:15pm Eastern. Hosted by SimErgy president Sim Segal, Risk Radio follows a talk radio format with 30 minutes of topical discussions on ERM. Occasional guests are featured and listeners may call in.

Also, See Sim’s new book at https://www.simergy.com/ermbook.html

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion it that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly documented the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets

    and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

It’s All Relative

November 7, 2010

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how either of these three scenarios might hit you.

  • One company had a loss of 50% of capital during the credit crunch of the early 1990′s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
  • Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
  • Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

Identifying Risks

October 22, 2010

ERM programs all start out with a suggestion that you must identify your risks.

Risks should be identified within several major categories.  Here is a typical list of categories for an insurer:

  • Insurance Risks
    • Underwriting
    • Reserving
  • Investment RIsks
    • Interest
    • Credit
    • Equity
    • Foreign Exchange
  • Other Counterparty Risks
  • Operational Risks
    • Legal/Compliance
    • IT
    • Distribution
    • Human Resources
    • Operations
  • Strategic Risks
  • Group Risks

Sounds simple enough.  But there are two ways to do this that give very different results.

  1. Top Down
  2. Bottom Up

The bottom up process is urged by COSO and requires volumes of documentation and hours and hours of meetings and discussions.  The result is a list of as many as 100 or more risks for a major sized organization.  This process requires at least a year to accomplish.  However, at the end of that year, the top executives of the firm will find that the product may well not be ready for them to get any use out of it.

That is because risk identification and in fact risk management takes on very different character at different levels of the organization.  There almost needs to be three different risk management programs at any larger organization.  One that is oriented to the top management, one that is oriented to the middle management and one that is oriented to the supervisory levels.

The COSO type risk identification process is designed to serve the  supervisory and middle management.  The initial risk identification process is done at the supervisory level, which at a very large organization can mean hundreds of people.  The findings are eventually summarized and ranked, but the summary is at a level that is appropriate for middle management attention.

The top management is better served by a risk identification process that is more top down.  If top management is unable or unwilling to do the risk identification work themselves, then it can be a middle up process.

Regardless of how the process is started or ended, there will need to be guidelines for for the significance of risks.  A typical bottoms up risk identification can end up with well over 100 risks often as many as 200.

Prioritization is the second half of this basic risk management step.  And the prioritization will depend upon the significance of the risks and significance will be based upon a measurement of the risks.  Which is the second fundamental practice of ERM.

The thresholds should be established for significance of risks that should get board attention, a lower threshold that should get top management attention, then a lower threshold for middle management attention and a lower threshold for risks to get attention from supervisors.

None of the risks identified by the detailed bottoms up process are unimportant, but it is important to determine WHO they should be important to.

Risks can be mapped in a frequency severity matrix.

The third step of this practice is to classify the significant risks between those risks that are known by management to be well controlled and those that are less well controlled.

Immediate attention can then be focused on those risks that were shown to be of high significance and lower control, providing an immediate valuable product out of this very first stage of ERM.

This post is the first in a series to discuss the 8 ERM Fundamental Practices.  There is more material for starting ERM programs at Introduction to ERM.

Your Risks will Find you if you do not find them first

September 15, 2010

Latent Risks are those risks that you have that you are not aware of.
When you start out with a risk management program, you may find that you have many Latent Risks. One of the most important outcomes of the early stages of an ERM program is to drastically reduce the number of important Latent Risks. The “Enterprise” part of ERM means that you are making an effort to find and manage your previously Latent Risks no matter where they are in your organization.

Reality is that your Latent Risks will find you if you do not find them first.

The market is sometimes forgiving, especially if everyone misses some risk.  So avoiding risk management is, in effect, taking a bet  a bet that your competitors are not finding and dealing with their Latent Risks either.

The idea of Latent Risks is also important for existing ERM programs.  That is because the world keeps changing and firms will develop new risks and risks that they did identify earlier but dismissed as insignificant have now grown.  And those Latent Risks are the risks that are most likely to grow.  (see Risk & Light)

So it would be a good practice for firms with a well developed ERM program to regularly conduct a review of their Latent Risks to determine whether there are any that should be included more prominently in their ERM program.

Around the Corner Risk

August 19, 2010

That is where the risk manager really earns their money.

The risks that are coming straight down the road, well that is important to pay attention to them.  But those are the obvious risks.  I would not pay very much for help in avoiding serious accidents from those risks.

But those round the corner risks, that would be very valuable, to have someone who can help to make sure that those out of sight risks do not ruin things.

However, what any risk manager who has tried to focus attention on the Around the Corner Risks has learned is that attending to such risks is often seen as spoiling the game.

In the Black Swan, Nassim Taleb talks about the degree to which businesses are in effect selling out of the money puts and pocketing the risk premium as if it is pure profits.

And that is often the case.  Risk managers should extend their view to include analysis of the actual source of profits of the various endeavors of their firms.  Any place where the profits are larger than can be explained is a place where the firm might well be getting paid for selling those puts.

The risk manager needs to be able to take that analysis of sources of profits back to top management to have a frank discussion of those unexplained sources of profits.

In most cases, those situations are risks to the firm, either because they represent risk premium for out of the money puts or because they represent temporary inefficiencies.  The risk from the temporary inefficiencies is that if management mistakenly assumes that those inefficiencies are permanent, then the firm may over-invest in that activity.  That over-investment may then eventually lead to the creation of those our of the money puts as a way to sustain profits when the inefficiencies are extinguished by the market.

An example of this situation is the Variable Annuity market in the US.  In the early 1990′s firms were able to achieve good profits from this business largely because there were too few companies in the market.  Every market participant could show good profits and growth in this new market without resorting to price competition.  This situation attracted many additional insurers into the market, flattening the profitability.  The next phase in the market was to offer additional benefits to customers at prices below market cost.  These additional benefits were in the form of out of the money puts – guarantees against adverse experience of the investments underlying the product.  And the risk premium charged for these benefits was often booked as a profit.

One of the reasons for the confusion between risk premium and profit is the way in which we recognize profits on risks where the period of the risk occurrence is much longer than the period for financial reporting.

The analysis of source of profits can be a powerful tool to help risk managers to both see those around the corner risks and to communicate the possible around the corner risks before them become immanent.

It’s Usually the Second Truck

July 8, 2010

In many cases, companies survive the first bout of adversity.

It is the second bout that kills.

And more often than not, we are totally unprepared for that second hit.

Totally unprepared because of how we misunderstand statistics.

First of all, we believe that large loss events are unlikely and two large loss events are extremely unlikely.  So we decide not to prepare for the extremely unlikely event that we get hit by two large losses at the same time.  And in this case, “at the same time” may mean in subsequent years.  Some who look at correlation, only use an arbitrary calendar year split out of experience data.  So that they would consider losses in the third and fourth quarter to be happening at the same time but fourth quarter and first quarter of the next year would be considered different periods and therefore might show low correlations!

Second, we fail to deal with our reduced capacity immediately after a major loss event.  We still think of our capacity as it was before the first hit.  A part of our risk management plans for a major loss event should have been to immediately initiate a process to rationalize our risk exposures with our newly reduced capacity.  This may in part be due to the third issue.

Third, we misunderstand that the fact of the first event does not reduce the likelihood of the other risk events.  Those joint probabilities that made the dual event, no longer apply.  In fact, with the reduced capacity, the type of even that would incapacitate the firm has suddenly become much more likely.

Most companies that experience one large loss event do not experience a second shortly thereafter, but many companies that fail do.

So if your interest is to reduce the likelihood of failure, you should consider the two loss event situation as a scenario that you prepare for.

But those preparations will present a troubling alternative.  If, after the first major loss event, the actions needed include a sharp reduction in retained risk position, that will severely reduce the likelihood of growing back capacity.

Management is faced with a dilemma – that is two choices, neither of which are desirable.   But as with most issues in risk management, better to face those issues in advance and to make a reasoned plan, rather than looking away and hoping for the best.

But on further reflection, this issue can be seen to be one of over concentration in a single risk.  Some firms have reacted to this whole idea by setting their risk tolerance such that any one loss event will be limited to their excess capital.  Their primary strategy for this type of concentration risk is in effect a diversification strategy.

Risk Velocity

June 17, 2010

By Chris Mandel

Understand the probability of loss, adjusted for the severity of its impact, and you have a sure-fire method for measuring risk.

Sounds familiar and seems on point; but is it? This actuarial construct is useful and adds to our understanding of many types of risk. But if we had these estimates down pat, then how do we explain the financial crisis and its devastating results? The consequences of this failure have been overwhelming.

Enter “risk velocity,” or how quickly risks create loss events. Another way to think about the concept is in terms of “time to impact” a military phrase, a perspective that implies proactively assessing when the objective will be achieved. While relatively new in the risk expert forums I read, I would suggest this is a valuable concept to understand and more so to apply.

It is well and good to know how likely it is that a risk will manifest into a loss. Better yet to understand what the loss will be if it manifests. But perhaps the best way to generate a more comprehensive assessment of risk is to estimate how much time there may be to prepare a response or make some other risk treatment decision about an exposure. This allows you to prioritize more rapidly, developing exposures for action. Dynamic action is at the heart of robust risk management.

After all, expending all of your limited resources on identification and assessment really doesn’t buy you much but awareness. In fact awareness, from a legal perspective, creates another element of risk, one that can be quite costly if reasonable action is not taken in a timely manner. Not every exposure will result in this incremental risk, but a surprising number do.

Right now, there’s a substantial number of actors in the financial services sector who wish they’d understood risk velocity and taken some form of prudent action that could have perhaps altered the course of loss events as they came home to roost; if only.

More at Risk and Insurance

Common Terms for Severity

June 1, 2010

In the US, firms are required to disclose their risks.  This has led to an exercize that is particularly useless.  Firms obviously spend very little time on what they publish under this part of their financial statement.  Most firms seem to be using boilerplate language and a list of risks that is as long as possible.  It is clearly a totally compliance based CYA activity.  The only way that a firm could “lose” under this system is if they fail to disclose something that later creates a major loss.  So best to mention everything under the sun.  But when you look across a sector at these lists, you find a startling degree to which the risks actually differ.  That is because there is absolutely no standard that is applied to tell what is a risk and if something is a risk, how significant is it.  The idea of risk severity is totally missing.  

Bread Box

 

What would help would be a common set of terms for Severity of losses from risks.  Here is a suggestion of a scale for discussing loss severity for an individual firm: 

  1. A Loss that is a threat to earnings.  This level of risk could result in a loss that would seriously impair or eliminate earnings. 
  2. A Loss that could result in a significant reduction to capital.  This level of risk would result in a loss that would eliminate earnings and in addition eat into capital, reducing it by 10% to 20%
  3. A Loss that could result in severe reduction of business activity.  For insurers, this would be called “Going into Run-off”.  It means that the firm is not insolvent, but it is unable to continue doing new business.  This state often lasts for several years as old liabilities of the insurer are slowly paid of as they become due.  Usually the firm in this state has some capital, but not enough to make any customers comfortable trusting them for future risks. 
  4. A Loss that would result in the insolvency of the firm. 

Then in addition, for an entire sector or sub sector of firms: 

  1. Losses that significantly reduce earnings of the sector.  A few firms might have capital reductions.
  2. Losses that significantly impair capital for the sector.  A few firms might be run out of business from these losses.
  3. Losses that could cause a significant number of firms in the sector to be run out of business.  The remainder of the sector still has capacity to pick up the business of the firms that go into run-off.  A few firms might be insolvent. 
  4. Losses that are large enough that the sector no longer has the capacity to do the business that it had been doing.  There is a forced reduction in activity in the sector until capacity can be replaced, either internally or from outside funds.  A large number of firms are either insolvent or will need to go into run-off. 

These can be referred to as Class 1, Class 2, Class 3, Class 4 risks for a firm or for a sector.  

Class 3 and Class 4 Sector risks are Systemic Risks.  

Care should be taken to make sure that everyone understands that risk drivers such as equity markets, or CDS can possibly produce Class 1, Class 2, Class 3 or Class 4 losses for a firm or for a sector in a severe enough scenario.  There is no such thing as classifying a risk as always falling into one Class.  However, it is possible that at a point in time, a risk may be small enough that it cannot produce a loss that is more than a Class 1 event.  

For example, at a point in time (perhaps 2001), US sub prime mortgages were not a large enough class to rise above a Class 1 loss for any firms except those whose sole business was in that area.  By 2007, Sub Prime mortgage exposure was large enough that Class 4 losses were created for the banking sector.  

Looking at Sub Prime mortgage exposure in 2006, a bank should have been able to determine that sub primes could create a Class 1, Class 2, Class 3 or even Class 4 loss in the future.  The banks could have determined the situations that would have led to losses in each Class for their firm and determined the likelihood of each situation, as well as the degree of preparation needed for the situation.  This activity would have shown the startling growth of the sub prime mortgage exposure from a Class 1 to a Class 2 through Class 3 to Class 4 in a very short time period.  

Similarly, the prudential regulators could theoretically have done the same activity at the sector level.  Only in theory, because the banking regulators do not at this time collect the information needed to do such an exercize.  There is a proposal that is part of the financial regulation legislation to collect such information.  See CE_NIF.

Making Better Decisions using ERM

April 21, 2010

Max Rudolph provided a lecture on ERM for the University of Waterloo and the Waterloo Research institute in Insurance, Securities and Quantitative finance (WatRISQ).

Key Points:

ERM’s Role in Strategic Planning

  • Understanding the Risk Profile
  • Solutions are Unique
  • Using Quantitative and Qualitative Tools

ERM is Not:

  • A Checklist Exercize
  • A Rating Agency Exercize
  • Just About Risk Mitigation

Have You ever heard of the Financial Crisis?

And Much more…

Max Rudolph

LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

Visions from the Blind

February 11, 2010

On the same theme as Chief Ignorance Officer I was inspired by a review I just read of the book Invisible by Hughes de Montalembert.  That book tells the autobiography of an artist who is blinded 30 years earlier.  I was struck by the repeated references to things that the blind man was able to learn or notice that might not have been noticed by the sighted. 

So take that idea to risk management and you end up with a very simple but potentially highly powerful exercize.  The idea would be to see what you could learn about one of your risks if you totally exclude the information and anaylysis that you usually use – your eyesight. 

If you rely totally on rating agency opinions for credit analysis, try to see whether you could reach similar information by a process that does not refer in any way to the ratings. 

If you use a one year market consistent economic capital calculation to determine your capital adequacy, could you come to a similar conclusion about your security totally independently from the information and calculations of that model? 

If you develop your underwriting risk view based upon your firm’s experience over the past 15 years, what sort of assumptions would you need to apply to industry history to get to your opinion about your firm’s risk? 

Goldman Sachs famously decided to start hedging their sub prime exposures because an alternate analysis of their experience was just not as consistent with their primary information as it had been in the past.  Notice that they started out with a track record of previous such exercizes and an expectation for the degree of deviation from their different sources.  It is often the case with this alternate analysis that the absolute outcome might not be significant , but divergence in trend might be the key information that can lead to an avoidance of major loss. 

So think about how to put the blinders on to your usual way of looking at your risks.

Chief Ignorance Officer

February 10, 2010

Great piece from HBR “Wanted: Chief Ignorance Officer“by David Gray.

The idea is that person would protect the ability of the firm to be open minded.  To consider both options and adverse possibilities.  The CIO would be the person who does not ever believe the claims on the outside of the box.  They would be the person who breaks the new toy immediately because they hold it the wrong way (hopefully while still in the store.) The CIO would be the person who is not so sure even when “everyone knows” that there is no risk in that new and growing area.

The CIO would also remind everyone that just because they have more information about one alternative it is not necessarily the best choice.  Sometimes, the best choice is to go ahead with something that is not necessarily known for sure to work.

The CIO would also provide the childlike ability to see old things in a new light and possibly see new solutions for old problems that utilize tools that are right there on the worktable but that we always thought were only to be used for something else.

The CIO will be willing to try lots and lots of different solutions because they will not know in advance which one will work.

The CRO definitely should have a lieutenant who is their CIO.  Someone who will actually see the road ahead because they have not been down it so many times that they no longer look.

The Dirty Dozen

February 4, 2010

Guest Post from David Merkel

The Aleph Blog

I have been thinking about the the forces distorting the global economy.  In the long run, the distortions don’t matter, because economies are bigger than governments, and eventually economies prevail over governments.  Here are my dozen problems in the global economy.

1) China’s mercantilism — loans and currency.  The biggest distortionary force in the world now is China.  They encourage banks to loan to enterprises in order to force growth.  They keep their currency undervalued to favor exports over imports.  What was phrased to me as a grad student in development economics as a good thing is now malevolent.  The only bright side is that when it blows, it might take the Chinese Communist Party with it.

2) US Deficits, European Deficits — In one sense, this reminds me of the era of the Rothschilds; governments relied on borrowing because other methods of taxation raised little.  Well, this era is different.  Taxes are high, but not high enough for governments that are trying to create the unachievable “permanent prosperity.” In the process they substitute public for private leverage, and in the process add to the leverage of their societies as a whole.

3) The Eurozone is a mess — Greece, Portugal, Spain, etc.  I admit that I got it partially wrong, because I have always thought that political union is necessary in order to have a fiat currency.  I expected inflation to be the problem, and the real problem is deflation.  Will there be bailouts?  Will the troubled nations leave?  Will the untroubled nations leave that are the likely targets for bailout money?

4) Many entities that are affiliated with lending in the US Government, e.g., FDIC, GSEs, FHA are broke.  The government just doesn’t say that, because they can still make payments.

5) The US Government feels it has to “do something” — so it creates more lending programs that further socialize lending, leading to more dumb loans.

6) Residential real estate is still in the tank.  Residential delinquencies are at all-time highs.  Strategic default is rising.  The shadow inventory of homes that will come onto the market is large.  I’m not saying that prices will fall for housing; I am saying that it will be tough to get them to rise.

7) Commercial real estate — there is too much debt supporting commercial real estate, and too little equity.  There will be losses here; the only question is how deep the losses will go.

8 ) I have often thought that analyzing the strength of the states is a better measure for US economic strength, than relying on the statistics of the Federal Government.  The state economies are weak at present.  Part of that comes from the general macroeconomy, and part from the need to fund underfunded benefit plans.  Life is tough when you can’t print your own money.

9) The US, UK, and Japan are force feeding liquidity into their economies.  Thus the low short-term interest rates.  Also note the Federal Reserve owning MBS in bulk, bloating their balance sheet.

10) Yield greed.  The low short term interest rates touched off a competition to bid for risky debt.  The only question is when it will reverse.  Current yield levels do not fairly price likely default losses.

11) Most Western democracies are going into extreme deficits, because they can’t choose between economic stimulus and deficit reduction.  Political deadlock is common, because no one is willing to deliver any real pain to the populace, lest they not be re-elected.

12) Demographics is one of the biggest  pressures, but it is hidden.  Many of the European nations and Japan face shrinking populations.  China will be there also, in a decade.  Nations that shrink are less capable of carrying their debt loads.  In that sense, the US is in good shape, because we don’t discourage immigration.

From David Merkel

The Aleph Blog

This post is produced by David Merkel CFA, a registered representative of Finacorp Securities as an outside business activity. As such, Finacorp Securities does not review or approve materials presented herein. By viewing or participating in discussion on this blog, you understand that the opinions expressed within do not reflect the opinions or recommendations of Finacorp Securities, but are the opinions of the author and individual participants. Neither the information nor any opinion expressed constitutes a solicitation for the purchase or sale of any security or other instrument. Before investing, consider your investment objectives, risks, charges and expenses. Any purchase or sale activity in any securities instrument should be based upon your own analysis and conclusions. Past performance is not indicative of future results. Finacorp Securities is a member FINRA and SIPC.


Follow

Get every new post delivered to your Inbox.

Join 552 other followers

%d bloggers like this: