In the ever-evolving arena of risk management, the imperative for continuous learning stands out as a cornerstone for maintaining relevance and resilience. The belief that “Continuous Learning is Critical to Adapting in an Evolving Risk Landscape” encapsulates the need for organizations to perpetually enhance their risk management capabilities in response to dynamic external and internal variables.
Strategic Importance of Continuous Learning
Continuous learning in risk management goes beyond mere training and development; it involves an organizational commitment to the ongoing enhancement of knowledge, skills, and practices. This belief is grounded in the understanding that the risk landscape is not static. New risks emerge, existing risks evolve, and the tools and methodologies for managing risks advance. Organizations that embed continuous learning into their risk management framework are better equipped to adapt their strategies effectively and efficiently.
Practical Applications and Benefits
Implementing continuous learning can take many forms, from structured training programs and workshops to fostering a culture of inquiry and feedback among employees. For instance, in the financial services sector, continuous learning involves staying abreast of the latest regulatory changes, technological advancements, and market trends. This proactive approach not only prepares organizations to handle emerging risks but also enables them to leverage new opportunities for risk mitigation and value creation.
In addition to the continuous improvement that comes with the risk control cycle, companies should include a deliberate risk-learning process as part of their ERM program.
Here in the RISKVIEWS blog, numerous examples highlight how organizations that prioritize continuous learning exhibit enhanced adaptability and improved risk response mechanisms. These organizations routinely assess their risk management practices and seek out innovations in risk assessment and mitigation strategies, thus maintaining a competitive edge.
Cultivating a Proactive Risk Culture
The integration of continuous learning into risk management requires a shift from a reactive to a proactive risk culture. It demands that all organizational members—from executives to frontline staff—engage in regular learning activities and share insights across departments. This collaborative learning environment supports the development of a more holistic understanding of risk across the organization.
Conclusion and Next Steps
“Continuous Learning is Critical to Adapting in an Evolving Risk Landscape” is not just a guideline but a strategic imperative for modern businesses. Organizations committed to continuous learning are more agile, responsive, and resilient in the face of uncertainties.
In our next post, we will delve into the second Risk Culture Belief: “Transparency with Stakeholders Builds Trust and Enhances Risk Management“. We will explore how openness in communication and operations forms the backbone of trust and effective risk management. Join us as we continue to explore how these foundational beliefs shape robust risk management strategies.
Welcome to our RISKVIEWS blog series on the 30 Risk Culture Beliefs, a comprehensive exploration of the core principles that should guide any organization’s approach to effective risk management. Over the course of this series, we will delve deep into each belief, unpacking their significance and practical implications for businesses, especially those in high-stakes industries like finance and insurance.
Risk management is often viewed through the narrow lens of mitigation and compliance. However, these 30 Risk Culture Beliefs challenge us to see risk management as a multifaceted tool that not only safeguards but also strategically enhances organizational capabilities. From fostering a proactive risk-aware culture to aligning risk management with corporate strategy, these beliefs serve as pillars that support robust decision-making frameworks.
Each blog post in this series will focus on a single belief, breaking down how it influences organizational behavior, decision-making, and strategic planning. We aim to provide insights into how these beliefs can be integrated into the daily operations of a company, influencing everything from the boardroom to the front lines. By understanding and implementing these principles, organizations can transform their risk management practices from reactive protocols to strategic assets.
We are thinking of these beliefs as a menu, rather than as a prescription. We would not expect any one company to adopt all 30. If fact, you might find that some of them might be a little contradictory. Each company’s risk management culture will consist of a different set of choices from this list with different hierarchy of importance for the chosen beliefs within the organization. Some of the beliefs might be directed towards the entire company while others are focused towards the executive management team and some are pointed at the risk management staff and CRO.
Our journey through the 30 Risk Culture Beliefs will equip you with the knowledge to foster a culture that embraces calculated risks, promotes transparency, and improves resilience. Whether you are a risk management professional, a business leader, or just keen on enhancing your organization’s approach to risk, this series will offer valuable perspectives that can be tailored to your needs.
Join us as we explore how these foundational beliefs can shape risk-conscious strategies that not only protect but also propel organizations towards sustainable growth and stability. Stay tuned for our first post, where we will begin with the belief that “Continuous Learning is Critical to Adapting to an Evolving Risk Landscape,” setting the stage for a thoughtful and proactive approach to enterprise risk management.
In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases. Here are some specifics…
Anchoring – too much reliance on first experience
Availability – overestimate likelihood of events that readily come to mind
Confirmation Bias – look for information that confirms bias
Endowment effect – overvalue what you already have
Framing effect – conclusion depends on how the question is phrased
Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
Hindsight bias – things seem to be predictable after they happen
Illusion of control – overestimate degree of control over events
Overconfidence – believe own answers are more correct
Status Quo bias – Expect things to stay the same
Survivorship bias – only look at the people who finished a process, not all who started
Ostrich Effect – Ignore negative information
Each of Education, Experience and Analysis should reduce all of these.
Experience should provide the feedback that most of these ideas are simply wrong. The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time. So learning to identify and avoid these biases through experience has had limited testing.
Education for a risk manager should simply mention all of these biases directly and their adverse consequences. Many risk managers receiving that education will ever after seek to avoid making those mistakes.
But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.
Analysis may provide the information to convince some of these remaining holdouts. Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.
So there may still be some people who even in the face of:
Experience of less than optimal outcomes
Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
Analysis that provides numerical back-up for unbiased decision making
Will still want to trust their own gut to make decisions regarding risk.
Please find a new permanent page on RISKVIEWS – The History of Risk Management. It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today. This list was compiled with the help of INARM.
Risk Management development has not followed a particularly straight line. Practices have been adopted, ignored, misused. Blow up have happened. Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.
But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings.
The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest. No amount of good talks or fancy charts will take the place of roll up your sleeves and do it risk management. Promoting that sort of Risk Management is the objective of this Blog.
Nor from a policy, nor from a speech, nor from a mission statement nor a value statement.
Like all of corporate culture, Risk Culture comes from experiences. Risk Culture comes from experiences with risk. Corporate Culture is fundamentally the embedded, unspoken assumptions that underlie behaviors and decisions of the management and staff of the firm. Risk Culture is fundamentally the embedded, unspoken assumptions and beliefs about risk that underlie behaviors and decisions of the management and staff of the firm.
Corporate culture is formed initially when a company is first started. The new company tries an approach to risk, usually based upon the prior experiences of the first leaders of the firm. If those approaches are successful, then they become the Risk Culture. If they are unsuccessful, then the new company often just fails.
In his book, Fooled by Randomness, Nassim Taleb points out that there is a survivor bias involved here. Some of the companies that survive the early years are managing their risk correctly and some are simply lucky. Taleb tells the story of mutual fund managers who either beat the market or not each year. Looking back over 5 years, a fund manager who was one of 30 out of 1000 who beat the market every one of those five years might believe that their performance and therefore their ability was far above average. However, Taleb points out that if whether a manager beat the market or not each year was determined by a coin toss, statistics tells us to expect 31 to beat the market.
That was for a situation where we assume that the good results were likely 50% of the time. For risk management, the event that is being managed is often a 1/100 likelihood. There is a 95% chance of avoiding a 1/100 loss in any five year period, just by showing up with average risk management. That makes it fairly likely that poor risk management can be easily overcome by just a little bit of luck.
So by the natural process of experience, Risk Culture is formed based upon what worked in the past.
In banks and hedge funds and other financial firms where risk taking is a fundamental part of the business, the Risk Culture often supports those who take risks and win. Regardless of whether the amount of risk is within limits or tolerances or risk appetite.
You see, all of those ideas (limits, tolerances, appetites) are based upon an opinion about the future. And the winner just has a different opinion about the future of his/her risk. The fact that the winner’s opinion proves itself as experience shows that the bad outcome that those worrying risk people said was the future is not the case. When the winner suddenly makes a bad call (see London Whale), that shows that their ability to see the future better than the risk department’s models may be done. You see, there are very very few people who can keep the perspective needed to consistently beat the market. (RISKVIEWS thinks that the fall off might well follow an exponential decay pattern as predicted by statistics!)
The current ideas of a proper Risk Culture (see FSB consultation paper) are doubtless not what most firms set up as their initial response to risk. That paper focuses on four specific aspects of Risk Culture.
Tone from the top: The board of directors11 and senior management are the starting point for setting the financial institution’s core values and risk culture, and their behaviour must reflect the values being espoused. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution.
Accountability: Successful risk management requires employees at all levels to understand the core values of the institutions’ risk culture and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.
(These descriptions are quotes from the paper)
These practices are supported by the Risk Culture for a few very new firms. As well as a very few other firms (and we will mention why that is in a few paragraphs). But for at least 80 percent of financial firms, these items, if they are happening, are not at all supported by the Risk Culture. The true Risk Culture of a successful firm has evolved based upon the original choices of the firm and the decisions and actions taken by the firm that have been successful over the life of the firm.
These aspects of Risk Culture are a part of one of the three layers of culture (see Edgar Schein, The Corporate Culture Survival Guide). He calls those layers:
Artifacts
Espoused Values
Shared Assumptions
The four aspects of Risk Culture featured by the FSB can all be considered to be “artifacts”. Those are the outward signs of the culture, but not the whole thing. Espoused Values are the Memos, policies, speeches, mission and value statements.
Coercion from outside the organization, such as through regulator edict, can force management to change the Espoused Values. But the real culture will ignore those values. Those outside edicts can force behaviors, just as prison guards can force prisoners to certain behaviors. But as soon as the guards are not looking, the existing behavioral standards based upon the shared assumptions will re-emerge.
When the insiders, including top management of an organization, want to change the culture, they are faced with a difficult and arduous task.
In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:
1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.
2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.
3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.
4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.
5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.
6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.
7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.
8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.
9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.
A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.
a. Bad results <> Bad Culture – there are may possible reasons for poor results. Culture is one possible reason for bad results, but by far not the only one.
b. Causation and Correlation – actually this one need not be flipped. Correlation is the most misunderstood statistic. Risk managers would do well to study and understand what valuable and reliable uses that there are for correlation calculations. They are very likely to find few.
c. Single explanations – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason. Scapegoating is a process of identifying a single explanation and quickly moving on. Often without much effort to determine which of the four possibilities above applies to the scapegoat. Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.
d. Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.
e. Data Quality – same exact issue applies to loss analysis. GIGO
f. Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about. A firm does not need to sport excellent performance to experience deteriorating results.
g. Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.
h. Uncertainty prevails – precision does not automatically come from expensive and complicated models.
This is a Risk Control Cycle. It includes Thinking/Observing steps and Action Steps. The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.
A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:
Identification of risks—with a process that seeks to find all risks inherent in a insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
Assess Risks – This is both the beginning and the end of the cycle. As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be. As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. For newly identified risks/opportunities this is the due diligence phase.
Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained. These plans will also include the determination of limits
Take Risks – organizations will often have two teams of individuals involved in risk taking. One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan. (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk. (Underwriting)
Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced. Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible. Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process. Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions. Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation. Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
86% of a group of college students say that they are better looking than their classmates
19% of people think that they belong to the richest 1% of the population
82% of people say they are in the top 30% of Safe Drivers
80% of students think they will finish in the top half of their class
In a confidence-intervals task, where subjects had to judge quantities such as the total egg production of the U.S. or the total number of physicians and surgeons in the Boston Yellow Pages, they expected an error rate of 2% when their real error rate was 46%.
68% of lawyers in civil cases believe that their side will win
81% of new business owners think their business will succeed, but also say that 61% of the businesses like theirs will fail
But on the other hand,
A test of 25,000 predictions by weather forecasters found no overconfidence
We all know what is different about weather forecasters. The make predictions regularly with confidence intervals attached AND they always get feedback about how good that their forecast actually was.
So the Overconfidence effect, that is seen by psychologists as one of the most reliable of biases in decision making, is merely the effect of under training in developing opinions about confidence intervals.
This conclusion leads directly to a very important suggestion for risk managers. Of course risk managers are trying to act like weather forecasters. But they are often faced with an audience who are overconfident – they believe that their ability to manage the risks of the firm will result in much better outcomes than is actually likely.
But the example of weather forecasters seems to show that the ability to realistically forecast confidence intervals can be learned by a feedback process. Risk managers should make sure that in advance of every forecast period that they make the model for frequency and severity of losses are widely known. And then at the end of every forecast period that they show how actual experience does or does not confirm the forecast.
Many risk models allow for a prediction of the likelihood of every single exact dollar gain or loss that is seen to be possible. So at the end of each period, when the gain or loss for that period is known, the risk manager should make a very public review of the likelihoods that were predicted for the level of gain or loss that actually occurred.
This sort of process is performed by the cat modelers. After every major storm, they go through a very public process of discovering what the model said was the likelihood of the size loss that the storm produced.
The final step is to decide whether or not to recalibrate the model as a result of the storm.
Steve Covey called it Sharpening the Saw. A good risk management program will be continually learning. The school of hard knocks is an extremely expensive teacher. It is much better to audit the course by observing the experiences of others and learning from them. The effective risk management program will be actively working to audit the courses of others experiences.
With that in mind, Risk Management magazine has devoted the May 2011 issue to learning from the Honshu earthquake. There are four articles that review some key aspects of the Japanese experience as it appears right now.
Nuclear Safety – the problems at the Fukushima Daiichi reactor came from the multiple events that struck. The safety provisions were sufficient for the earthquake, but not for the tsunami. There are specific questions raised in the article here about the specific design of the reactor cooling system. But a greater question is the approach to providing for extreme events. The tsunami was greater than any on the historical record. Should it be necessary to prepare for adverse events that are significantly worse than the worst that has ever happened? If so, how much worse is enough? Do we even have a way to talk about this important question?
Building Codes – the conclusion here is that Japanese building codes worked fairly well. Many larger buildings were still standing after both the quake and the tsunami. Christchurch did not fare as well. But New Zealand codes were thought to be very strict. However, the fault that was responsible for the earthquake there was only discovered recently. So Christchurch was not thought to be in a particularly quake prone area. As they overhaul the building codes in NZ, they do not expect to get much argument from strengthening the codes significantly in the Canterbury region. The question is whether any other places will learn from Christchurch’s example and update their codes?
Supply Chain – the movement over the past 10 years or more has been to “just-in-time” supply chain management. What is obvious now is that the tighter that the supply chain is strung, the more that it is susceptible to disruption – the riskier that it is. What we are learning is that great efficiency can bring great risk. We need to look at all of our processes to see whether we have created risks without realizing through our efforts to improve efficiency.
Preparedness – ultimately, our learnings need to be turned into actions. Preparedness is one set of actions that we should consider. The Risk Magazine focuses on making a point about the interconnectedness of all society now. They say “Even a simple sole proprietorship operating a company in rural South Dakota can be negatively affected by political and social unrest in Egypt.” We risk managers need to be aware of what preparedness means for each of our vulnerabilities and the degree to which we have reached a targeted stage of readiness.
Whenever there is a major crisis anywhere in the world, risk managers should review the experience to see what they can learn. They can look for parallels to their business. Can systems at their firm withstand similar stresses? What preparedness would create enough resilience? What did they learn from their adversity?
My suggestion it that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.
In that spirit, I offer up these eight Fundamental ERM Practices. So to follow my suggestion, you would start in each of these eight areas with a self assessment. Identify what you already have in these eight areas. THEN start to think about what to build. If there are gaping holes, plan to fill those in with new practices. If there are areas where your company already has a rich vein of existing practice build gently on that foundation. Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working. Making significant improvement to existing good practices should be one of your lowest priorities.
Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks
Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.
Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.
Policies and Standards: Clear and comprehensive documentation – Clearly documented the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.
Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.
Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets
and limits, as well as plans for resolution of limit breaches and consequences of those breaches.
Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.
Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.
However, it is wrong headed to ever expect that it will fall into a simple set of repeatable practices.
That is because of the nature of RISK.
Risk has a way of changing and adapting to your risk management strategies. Risk is like water looking for the weak seam to flow through and produce a leak. Water is not being an evil conscious entity, that is just the nature of water. And that is the nature of risk as well. It will adapt and change and will find the cracks in your risk management system.
But there is a solution for risk managers. They must manage their system so that it is flexible and adaptable. To do that they must be on a constant learning path. Learning about how risk has adapted, learning about how others have adapted their risk management systems and learning about how others failed to successfully adapt while also learning from their own successes and failures.
This is the exact same sort of process that a firm must undertake if it is to be successful with marketing in the long run. But in many cases, management expects that some sort of limited FIXED defense will work for risk management. The sort of defensive thinking that produced the famous Maginot Line. And we all know how well that worked.
Risk learning sometimes needs a mantra to make sure that it keeps happening. Riskviews suggests the risk learning mantra:
Inside, Outside, Backwards, Forwards
Inside means looking to learn from your own successes and failures.
Outside means looking at others experiences.
Backwards means looking at past experiences.
Forwards means looking into the future for what might be needed.
Risk Learning is another of Riskview’s favorite topics. There are already 35 posts that have been tagged as relating to Risk Learning.
Global ERM Webinars – January 12 – 14 (CPD credits)
We are pleased to announce the fourth global webinars on risk management. The programs are a mix of backward and forward looking subjects as our actuarial colleagues across the globe seek to develop the science and understanding of the factors that are likely to influence our business and professional environment in the future. The programs in each of the three regions are a mix of technical and qualitative dissertations dealing with subjects as diverse as regulatory reform, strategic and operational risks, on one hand, and the modeling on tail risks and implied volatility surfaces, on the other. For the first time, and in keeping with our desire to ensure a global exchange of information, each of the regional programs will have presentations from speakers from the other two regions on subjects that have particular relevance to their markets.
“put all your eggs in one basket. and then watch that basket”
It seems impossible on first thought to think of that as a view consistent with risk management. But Carnegie was phenomenally successful. Is it possible that he did that flaunting risk management?
Garry Kasparov – World Chess Champ (22 years) put it this way…
“You have to rely on your intuition. My intuition was wrong very few times.”
George Soros has said that he actually gets an ache in his back when the market is about to turn, indicating that he needs to abruptly change his strategy.
Soros, Kasparov, Carnegie are not your run of the mill punters. They each had successful runs for many years.
My theory of their success is that the intuition of Kasparov actually does take into account much more than the long hard careful consideration of a middling chess master. Carnegie and Soros also knew much more about their markets than any other person alive in their time.
While they may not have consciously been following the rules, they were actually incorporating all of the drivers of those rules into their decisions. Most of those rules are actually “heuristics” or shortcuts that work as long as things are what they have been but are not of much use when things are changing. In fact, those rules may be what is getting one into trouble during shifts in the world.
Risk models embody an implicit set of rules about how the market work. Those models fail when the market fails to conform to the rules embedded in the model. That is when things change, when your thinking needs to transcend the heuristics.
So where does that leave the risk manager?
The insights of the ultra successful types that are cited above can be seen to refute the risk management approach, OR they can be seen as a goal for risk managers.
The basket that Carnegie was putting all of his eggs into was steel. His insight about steel was correct, but his statement about eggs and baskets is not particularly applicable to situations less transformational than steel. It is the logic that many applied during the dot com boom, much to their regret in 2001/2002.
The risk manager should look at statements and positions like those above as levels of understanding to strive for. If the risk managers work starts and remains a gigantic mass of data and risk positions without ever reaching any insights about the underlying nature of the risks that are at play, then something is missing.
Perhaps the business that the risk manager works for is one that by choice and risk tolerance insists on plodding about the middle of the pack in risk.
But the way that the risk manager can add the most value is when they are able to provide the insights about the baskets that can handle more eggs. And can start to have intuitions about risks that are reliable and perhaps are accompanied by unmistakable physical side effects.
Usually risk managers do not think of themselves as being at war. But a risk manager is facing a number of foes. And failure to succeed against those foes can result in the end of the enterprise. So maybe the risk manager can learn from The Art of War.
Sun Tzu’s The Art of War has 11 chapters. Each of these topics can be seen to have a lesson for risk managers.
Laying Plans explores the five fundamental factors that define a successful outcome (the Way, seasons, terrain, leadership, and management). By thinking, assessing and comparing these points you can calculate a victory, deviation from them will ensure failure. Remember that war is a very grave matter of state. The risk manager of course needs plans. Remember that risk management is a grave matter for the enterprise.
Waging War explains how to understand the economy of war and how success requires making the winning play, which in turn, requires limiting the cost of competition and conflict. Risk management does not run on an unlimited budget. In some cases risk managers have not completed their preparations because they have gone forward as if they could spend whatever it took to fulfill their vision for risk management. Of course risk management spending needs to be at a sensible level for the enterprise. Excessive risk management spending can harm an enterprise just as much as an unexpected loss.
Attack by Stratagem defines the source of strength as unity, not size, and the five ingredients that you need to succeed in any war. The risk manager succeeds best if they are able to get the entire organization to support the risk management efforts, not just a large corporate risk management department.
Tactical Dispositions explains the importance of defending existing positions until you can advance them and how you must recognize opportunities, not try to create them. The risk manager needs to build organizational strength to support risk management opportunistically. A risk management program that does not wait for the right opportunities will create internal enemies and will then be fighting both the external risks as well as the internal enemies.
Energy explains the use of creativity and timing in building your momentum. The risk manager also needs to be creative and needs to build momentum. The best risk management program fits well with the culture of the organization. That fit will need to be developed by creatively combining the ideas of risk management with the written and unwritten parts of the organizational imperatives.
Weak Points & Strong explains how your opportunities come from the openings in the environment caused by the relative weakness of your enemy in a given area. Quite often the risk manager will know the right thing to do but will not be able to execute except at extreme danger to their position in the firm. The openings for a risk manager to make the moves that will really lake a difference in the future of the firm come infrequently and without warning. The Risk manager must be looking at these openings and be ready and able to act.
Maneuvering explains the dangers of direct conflict and how to win those confrontations when they are forced upon you. Some thing that the risk managers job is the direct conflict with the important people in the firm who would put the firm in an excessively risky position. This in inadvisable
Variation in Tactics focuses on the need for flexibility in your responses. It explains how to respond to shifting circumstances successfully. Risk Management tactics will be the most successful if they are alligned with the actual risk environment. SeePlural Rationalities and ERM.
The Army on the March describes the different situations in which you find yourselves as you move into new enemy territories and how to respond to them. Much of it focuses on evaluating the intentions of others. Rational Adaptability is the process of assessing the risk environment and selecting the risk management strategy that will work best for the environment.
Terrain looks at the three general areas of resistance (distance, dangers, and barriers) and the six types of ground positions that arise from them. Each of these six field positions offer certain advantages and disadvantages. The risk environment has four main stages, Boom, Bust, Moderate and Uncertain.
The Nine Situations describe nine common situations (or stages) in a campaign, from scattering to deadly, and the specific focus you need to successfully navigate each of them. Companies must determine their risk taking strategy and their risk appetite by looking at the risk environment as well as at their risk taking capacity.
The Attack by Fire explains the use of weapons generally and the use of the environment as a weapon specifically. It examines the five targets for attack, the five types of environmental attack, and the appropriate responses to such attack.
The Use of Spies focuses on the importance of developing good information sources, specifically the five types of sources and how to manage them.
In any given risk environment, companies holding a risk perspective and following an ERM program aligned with external circumstances will fare best.
In order to thrive under all future risk regimes, a firm ideally would follow a strategy of Rational Adaptability. This involves three key steps: 1. Discernment of changes in risk regime, 2. Willingness to shift risk perspective, and 3. Ability to modify ERM program. The difference between Rational Adaptability and the process of “natural selection” where firm go through a “natural” process of change of risk attitude and risk strategy is conscious recognition of the validity of differing risk perspectives and proactive implementation of changes in strategy. Individuals often find it difficult to change their risk perspective. Therefore, a company that wishes to adopt Rational Adaptability must ensure that its key decision-makers represent a diversity of risk perspectives.
Furthermore, the corporate culture and the managers themselves must value each of the risk perspectives for its contributions to the firm’s continued success. An insurance company is best served by drawing on the respective expertise of underwriters, actuaries, accountants, contract attorneys and claims experts—and members of one discipline should not feel slighted when the expertise of another discipline is called upon. Similarly, any firm that wishes to optimize its success under each of the various risk regimes should have Maximizers, Conservators, Managers and Pragmatists among its senior management; and those who hold any one of these risk perspectives should acknowledge that there are times when another perspective should take the lead. The CEO must exercise judgment and restraint, shifting among strategies as needed and shifting responsibilities among the management team as required.
Rational Adaptability recognizes that during Boom Times, risk really does present significant opportunities—and it is appropriate to empower the Profit Maximizers, focusing ERM efforts on Risk Trading to ensure that risks are correctly priced using a consistent firm-wide metric. When the environment is Moderate, the firm employing Rational Adaptability will give additional authority to its Risk Reward Managers, examining the results of their modeling and using these to reevaluate long-term strategies. And in times of Recession, a firm following Rational Adaptability shifts its focus to Conservation: tightening underwriting standards and placing special emphasis on firm-wide risk identification and risk control. Resisting the pull of his or her own personal risk perspective, the CEO must be willing to listen—and act—when others in the firm warn that the company’s risk management strategy is getting a little too concentrated on one and possibly not the optimal risk attitude and risk strategy.
Yet in each risk regime, there are companies following strategies that are not well aligned with the environment. Some of these firms muddle along with indifferent results and survive until their preferred environment comes back. Others sustain enough damage that they do not survive; some change their risk perspective and ERM program to take advantage of the new environment. Meanwhile, new firms enter the market with risk perspectives and ERM programs that are aligned with the current environment. Since many of the poorly aligned firms shrink, die out or change perspective— and since new firms tend to be well-aligned with the current risk regime—the market as a whole adjusts to greater alignment with the risk environment via a process of “natural selection.”
Latent Risks are those risks that you have that you are not aware of.
When you start out with a risk management program, you may find that you have many Latent Risks. One of the most important outcomes of the early stages of an ERM program is to drastically reduce the number of important Latent Risks. The “Enterprise” part of ERM means that you are making an effort to find and manage your previously Latent Risks no matter where they are in your organization.
Reality is that your Latent Risks will find you if you do not find them first.
The market is sometimes forgiving, especially if everyone misses some risk. So avoiding risk management is, in effect, taking a bet a bet that your competitors are not finding and dealing with their Latent Risks either.
The idea of Latent Risks is also important for existing ERM programs. That is because the world keeps changing and firms will develop new risks and risks that they did identify earlier but dismissed as insignificant have now grown. And those Latent Risks are the risks that are most likely to grow. (see Risk & Light)
So it would be a good practice for firms with a well developed ERM program to regularly conduct a review of their Latent Risks to determine whether there are any that should be included more prominently in their ERM program.
If something happens more or less the same way for any extended period of time, the normal reaction of humans is consider that phenomena as constant and to largely filter it out. We do not then even try to capture new information about changes to that phenomena because our senses tell us that that input is “pure noise” with no signal. Hence the famous story about boiling frogs. Which may or may not be actually true about frogs, but it definitely reveals something about the way that humans take in information about the world.
But things can and do actually change. Even things that are more or less the same for a very long time.
In the book, “This Time It’s Different”, the authors state that
“The median inflation rates before World War I were well below those of the more recent period: 0.5% per annum for 1500 – 1799 and 0.71% for 1800 – 1913, in contrast with 5% for 1914 – 2006.”
Imagine that. Inflation averaged below 0.75% for about 300 years. Since there is no history of extended periods of negative inflation, to get an average that low, there must be a very low standard deviation as well. Inflation at a level of 3 or 4% is probably a one in a million situation. Or so intelligent financial analysts before WWI must have thought that they could make plans without any concern for inflation.
But in the years following WWI, governments found a new way to default on their debts, especially their internal debts. Reinhart and Rogoff point out that almost all of the discussion by economists regarding sovereign default is about external debt. But they show that internal debt is very important to the situations of sovereign defaults. Countries with high levels of internal debt and low external debt will usually not default, but countries with high levels of both internal and external debt will often default.
So as we contemplate the future of the aging western economies, we need to be careful that we do not exclude the regime changes that could occur. And which regime changes that we should be concerned about becomes clearer when we look at all of the entitlements to retirees as debt (is there any effective difference between debt and these obligations?). When we do that we see that there are quite a few western nations with very, very large internal debt. And many of those countries have indexed much of that debt, taking the inflation option off of the table.
Reinhart and Rogoff also point out the sovereign default is usually not about ability to pay, it is about willingness to make the sacrifices that repayment of debt would entail.
So Risk Managers need to think about possible drastic regime changes, in addition to the seemingly highly unlikely scenario that the future will be more or less like the past.
Google the term crippled epistemology and you get lots of articles and blog posts about extremists and fanatics and also some blog posts BY the extremists and fanatics.
Crippled epistemology means that someone cannot see the truth.
Daniel Patrick Moynahan is reported as saying “Everyone is entitled to his own opinion, but not his own facts.”
But there are just too many facts. Any one person cannot attend to ALL of the facts. They must filter the facts, choose the facts that are more important. We all filter the facts that we pay attention to.
But sometimes, those filters become too strong. Things went along in a certain pattern for a length of time, so we filtered out of our consideration many of those things that either failed to evidence any variability or that had totally predictable variability.
Those filters take on the aspect of a crippling epistemology. Our approach to knowledge keeps us from understanding what is actually happening.
Sounds pretty esoteric. But in fact it is one of the most important issues in risk management.
We need to have systems that work on a real time basis to provide the information that drives our risk decisions. But we must be careful that that expensive and impressive risk information system does not actually obscure the information that we really need.
For the investors in sub prime mortgages prior to 2007, they had developed an epistemology, an approach to their knowledge of the markets. Ultimately that epistemology crippled them, because it did not allow them to see the real underlying weakness to that market.
So a very important step to be performed periodically for risk managers is an Epistemology Review. Making sure that the risk systems actually are capturing the needed information about the risks of the firm.
Understand the probability of loss, adjusted for the severity of its impact, and you have a sure-fire method for measuring risk.
Sounds familiar and seems on point; but is it? This actuarial construct is useful and adds to our understanding of many types of risk. But if we had these estimates down pat, then how do we explain the financial crisis and its devastating results? The consequences of this failure have been overwhelming.
Enter “risk velocity,” or how quickly risks create loss events. Another way to think about the concept is in terms of “time to impact” a military phrase, a perspective that implies proactively assessing when the objective will be achieved. While relatively new in the risk expert forums I read, I would suggest this is a valuable concept to understand and more so to apply.
It is well and good to know how likely it is that a risk will manifest into a loss. Better yet to understand what the loss will be if it manifests. But perhaps the best way to generate a more comprehensive assessment of risk is to estimate how much time there may be to prepare a response or make some other risk treatment decision about an exposure. This allows you to prioritize more rapidly, developing exposures for action. Dynamic action is at the heart of robust risk management.
After all, expending all of your limited resources on identification and assessment really doesn’t buy you much but awareness. In fact awareness, from a legal perspective, creates another element of risk, one that can be quite costly if reasonable action is not taken in a timely manner. Not every exposure will result in this incremental risk, but a surprising number do.
Right now, there’s a substantial number of actors in the financial services sector who wish they’d understood risk velocity and taken some form of prudent action that could have perhaps altered the course of loss events as they came home to roost; if only.
Sometimes quants who get involved with building new economic capital models have the opinion that their work will reveal the truth about the risks of the group and that the best approach is to just let the truth be told and let the chips fall where they may.
Then they are completely surprised that their project has enemies within management. And that those enemies are actively at work undermining the credibility of the model. Eventually, the modelers are faced with a choice of adjusting the model assumptions to suit those enemies or having the entire project discarded because it has failed to get the confidence of management.
But that situation is actually totally predictable.
That is because it is almost a sure thing that the first comprehensive and consistent look at the group’s risks will reveal winners and losers. And if this really is a new way of approaching things, one or more of the losers will come as a complete surprise to many.
The easiest path for the managers of the new loser business is to undermine the model. And it is completely natural to find that they will usually be completely skeptical of this new model that makes their business look bad. It is quite likely that they do not think that their business takes too much risk or has too little profits in comparison to their risk.
In the most primitive basis, I saw this first in the late 1970’s when the life insurer where I worked shifted from a risk approach that allocated all capital in proportion to reserves to one that recognized the insurance risk as well as the investment risk as two separate factors. The term insurance products suddenly were found to be drastically underpriced. Of course, the product manager of that product was an instant enemy of the new approach and was able to find many reasons why capital shouldn’t be allocated to insurance risk.
The same sorts of issues had been experienced by firms when they first adopted nat cat models and shifted from a volatility risk focus to a ruin risk focus.
What needs to be done to diffuse these sorts of issues, is that steps must be taken to separate the message from the messenger. There are 2 main ways to accomplish this:
The message about the new level of risks needs to be delivered long before the model is completed. This cannot wait until the model is available and the exact values are completely known. Management should be exposed to broad approximations of the findings of the model at the earliest possible date. And the rationale for the levels of the risk needs to be revealed and discussed and agreed long before the model is completed.
Once the broad levels of the risk are accepted and the problem areas are known, a realistic period of time should be identified for resolving these newly identified problems. And appropriate resources allocated to developing the solution. Too often the reaction is to keep doing business and avoid attempting a solution.
That way, the model can take its rightful place as a bringer of light to the risk situation, rather than the enemy of one or more businesses.
There you will find information regarding over 30 sources for ERM reading and learning along with several lists of additional books and articles that were borrowed from several sources.
Please feel free to leave your comments about how helpful you found any of these books and papers. Also, if there is a good resource missing, please leave information in a comment and it will soon be added.
Any volunteers who are willing to add to the posts to include all of the ERM sources that are being used for ERM education would be welcomed.
There has always been an issue with TRUTH with regard to risk. At least there is when dealing with SOME PEOPLE.
The risk analyst prepares a report about a proposal that shows the new proposal in a bad light. The business person who is the champion of the proposal questions the TRUTH of the matter. An unprepared analyst can easily get picked apart by this sort of attack. If it becomes a true showdown between the business person and the analyst, in many companies, the business person can find a way to shed enough doubt on the TRUTH of the situation to win the day.
The preparation needed by the analyst is to understand that there is more than one TRUTH to the matter of risk. I can think of at least four points of view. In addition, there are many, many different angles and approaches to evaluating risk. And since risk analysis is about the future, there is no ONE TRUTH. The preparation needed is to understand ALL of the points of view as well many of the different angles and approaches to analysis of risk.
The four points of view are:
Mean Reversion – things will have their ups and downs but those will cancel out and this will be very profitable.
History Repeats – we can understand risk just fine by looking at the past.
Impending Disaster – anything you can imagine, I can imagine something worse.
Unpredictable – we can’t know the future so why bother trying.
Each point of view will have totally different beliefs about the TRUTH of a risk evaluation. You will not win an argument with someone who has one belief by marshalling facts and analysis from one of the other beliefs. And most confusing of all, each of these beliefs is actually the TRUTH at some point in time.
For periods of time, the world does act in a mean reverting manner. When it does, make sure that you are buying on the dips.
Other times, things do bounce along within a range of ups and downs that are consistent with some part of the historical record. Careful risk taking is in order then.
And as we saw in the fall of 2008 in the financial markets there are times when every day you wake up and wish you had sold out of your risk positions yesterday.
But right now, things are pretty unpredictable with major ups and downs coming with very little notice. Volatility is again far above historical ranges. Best to keep your exposures small and spread out.
So understand that with regard to RISK, TRUTH is not quite so easy to pin down.
The ERM Symposium is now 8 years old. Here are some ideas from the 2010 ERM Symposium…
Survivor Bias creates support for bad risk models. If a model underestimates risk there are two possible outcomes – good and bad. If bad, then you fix the model or stop doing the activity. If the outcome is good, then you do more and more of the activity until the result is bad. This suggests that model validation is much more important than just a simple minded tick the box exercize. It is a life and death matter.
BIG is BAD! Well maybe. Big means large political power. Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system. Safer to not have your firm dominated by a single business, distributor, product, region. Safer to not have your financial system dominated by a handful of banks.
The world is not linear. You cannot project the macro effects directly from the micro effects.
Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame. That will not change, so more due diligence needs to be a part of the target pre-selection process.
For merger of mature businesses, cultural fit is most important.
For newer businesses, retention of key employees is key
Modelitis = running the model until you get the desired answer
Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
Why do we think that any bank will do a good job of creating a living will? What is their motivation?
We will always have some regulatory arbitrage.
Left to their own devices, banks have proven that they do not have a survival instinct. (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government. They simply do not believe that they will fail. )
Economics has been dominated by a religious belief in the mantra “markets good – government bad”
Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral. If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral? Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
it was said that systemic problems come from risk concentrations. Not always. They can come from losses and lack of proper disclosure. When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone. None do enough disclosure and that confirms the suspicion that everyone is impaired.
Systemic risk management plans needs to recognize that this is like forest fires. If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous. And someday, there will be another fire.
Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output. The financial markets are complex systems. The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense. So markets will always be efficient, except when they are drastically wrong.
Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
People with bad risk models will drive people with good risk models out of the market.
Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
It was easy to sell the idea of starting an ERM system in 2008 & 2009. But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it. Whether or not you have a risk management program.
is a new paper by Alice Underwood and Dave Ingram that explores the link between the ideas of Plural Rationalities from anthropology and the people whose actions lead to the insurance cycle.
There is an interaction between the market and the people who make the decisions within insurers that is shown to create the insurance cycle.
Better insurer performance during the various stages of the insurance cycle can be obtained by better understanding these dynamics, studying the market with this understanding in mind and making choices that take advantage of that understanding.
This paper will be presented at the 2010 ERM Symposium in Chicago April 12 – 14.
When I was a kid in the 1960’s, I was sick and tired of how much time on TV and movies was taken up with stories of WWII. Didn’t my parent’s generation get it? WWII was ancient history. It was done. Move on. Join the real world that was happening now.
From that statement, you can tell that I am a Boomer. But I am already sick and tired of how much ink and TV and movies and Web time is devoted to the passing of the world as the Boomers remember the golden age of our youth. Gag me. Am I going to have to hear this the entire rest of my life? Get over it. Move on. Live in the current world.
Risk managers need to carefully convey that message to the folks who run their companies as well. What ever way the world was in the “Glory Days” of the CEO or Business Unit manager’s career, things are different. Business is different. Risks are different. Strategies and companies must adapt. Adapt, Burn Out or Fade Away are the choices. Better to Adapt.
I saw this happen once before in my career. Interest rates steadily rose from the late 1940’s through the early 1980’s. A business strategy that emphasized amassing cash, locking in a return promise and investing it in interest bearing instruments could show a steady growth in profits almost every single year without too much difficulty. Then suddenly in the mid-1980’s that didn’t work anymore. Interest rates went down more than up for a decade and have since stayed low. Firms either adapted, burned out or faded away.
We have just concluded a (thankfully) brief period of massive financial destruction and are in an uncertain period. When we come out of this uncertainty, some of the long held strategies of firms will not work. Risks will be different.
The risk manager needs to be one of the voices that helps to make sure that this is recognized.
In addition, the risk manager needs to recognize that one or many of the risk models that were used to assess risk in past periods will no longer work well. The risk manager needs to stand ready to adapt or fade away.
And the models need to be calibrated to the new world, not the old. Calibrating to include the worst of the recent past might seem like prudent risk management, but it may well not be realistic. If the world reverts to a reasonable growth pattern, the next such event may well not happen for 75 years. Does your firm really need to avoid exposures to the sorts of things that lost money in 2008 for 75 years? Or would that mean forgoing most of the business opportunities of that period?
Getting the correct answers to those questions will mean the different between Growth, burn out or fading away for your firm.
On the same theme as Chief Ignorance Officer I was inspired by a review I just read of the book Invisible by Hughes de Montalembert. That book tells the autobiography of an artist who is blinded 30 years earlier. I was struck by the repeated references to things that the blind man was able to learn or notice that might not have been noticed by the sighted.
So take that idea to risk management and you end up with a very simple but potentially highly powerful exercize. The idea would be to see what you could learn about one of your risks if you totally exclude the information and anaylysis that you usually use – your eyesight.
If you rely totally on rating agency opinions for credit analysis, try to see whether you could reach similar information by a process that does not refer in any way to the ratings.
If you use a one year market consistent economic capital calculation to determine your capital adequacy, could you come to a similar conclusion about your security totally independently from the information and calculations of that model?
If you develop your underwriting risk view based upon your firm’s experience over the past 15 years, what sort of assumptions would you need to apply to industry history to get to your opinion about your firm’s risk?
Goldman Sachs famously decided to start hedging their sub prime exposures because an alternate analysis of their experience was just not as consistent with their primary information as it had been in the past. Notice that they started out with a track record of previous such exercizes and an expectation for the degree of deviation from their different sources. It is often the case with this alternate analysis that the absolute outcome might not be significant , but divergence in trend might be the key information that can lead to an avoidance of major loss.
So think about how to put the blinders on to your usual way of looking at your risks.
The idea is that person would protect the ability of the firm to be open minded. To consider both options and adverse possibilities. The CIO would be the person who does not ever believe the claims on the outside of the box. They would be the person who breaks the new toy immediately because they hold it the wrong way (hopefully while still in the store.) The CIO would be the person who is not so sure even when “everyone knows” that there is no risk in that new and growing area.
The CIO would also remind everyone that just because they have more information about one alternative it is not necessarily the best choice. Sometimes, the best choice is to go ahead with something that is not necessarily known for sure to work.
The CIO would also provide the childlike ability to see old things in a new light and possibly see new solutions for old problems that utilize tools that are right there on the worktable but that we always thought were only to be used for something else.
The CIO will be willing to try lots and lots of different solutions because they will not know in advance which one will work.
The CRO definitely should have a lieutenant who is their CIO. Someone who will actually see the road ahead because they have not been down it so many times that they no longer look.
The Risk Management Quotes page of Riskviews has consistently been the most popular part of the site. Since its inception, the page has received almost 2300 hits, more than twice the next most popular part of the site.
The quotes are sometimes actually about risk management, but more often they are statements or questions that risk managers should keep in mind.
They have been gathered from a wide range of sources, and most of the authors of the quotes were not talking about risk management, at least they were not intending to talk about risk management.
The list of quotes has recently hit its 100th posting (with something more than 100 quotes, since a number of the posts have multiple quotes.) So on that auspicous occasion, here are my favotites:
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
“when the map and the territory don’t agree, always believe the territory” Gause and Weinberg – describing Swedish Army Training
When you find yourself in a hole, stop digging.-Will Rogers
“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair” Douglas Adams
“A foreign policy aimed at the achievement of total security is the one thing I can think of that is entirely capable of bringing this country to a point where it will have no security at all.”– George F. Kennan, (1954)
“THERE ARE IDIOTS. Look around.” Larry Summers
the only virtue of being an aging risk manager is that you have a large collection of your own mistakes that you know not to repeat Donald Van Deventer
Philip K. Dick “Reality is that which, when you stop believing in it, doesn’t go away.”
Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. Albert Einstein
“Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.” Sherlock Holmes (A. Conan Doyle)
The fact that people are full of greed, fear, or folly is predictable. The sequence is not predictable. Warren Buffett
“A good rule of thumb is to assume that “everything matters.” Richard Thaler
“The technical explanation is that the market-sensitive risk models used by thousands of market participants work on the assumption that each user is the only person using them.” Avinash Persaud
There are more things in heaven and earth, Horatio,
Than are dreamt of in your philosophy.
W Shakespeare Hamlet, scene v
When Models turn on, Brains turn off Til Schuermann
You might have other favorites. Please let us know about them.
Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade
Attention to risk management by top management and the board. The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm. Survival must not be delegated to a middle manager. It must be a key concern for the CEO and board.
Action oriented approach to risk. Risk reports are made to point out where and what actions are needed. Management expects to and does act upon the information from the risk reports.
Learning fromown losses and from the losses of others. After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar. Two different areas of a firmshouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
Forwardlooking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines. Risk assessment needs to be calibrated to the future.
Skeptical of common knowledge. The future will NOT be a repeat of the past. Any risk assessment that is properly calibrated to the future is only one one of many possible results. Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated. That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.
Drivers of risks will be highlighted and monitored. Key risk indicators is not just an idea for Operational risks that are difficult to measure directly. Key risk indicators should be identified and monitored for all important risks. Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external.
Adaptable. Both risk measurement and risk managementwill not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940. The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption.
Scope will be clear for risk management. I have personally favored a split between risk of failure of the firm strategy and risk of losses within the form strategy, with only the later within the scope of risk management. That means that anything that is potentially loss making except failure of sales would be in the scope of risk management.
Focus on the largest exposures. All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected. That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude. There should never be a large exposure that is too safe to need attention. Big transactions will also get the same kind of focus on risk.
Perhaps we will look back at 2009 and recall that it is the turning point year for Risk Management. The year that boards ans management and regulators all at once embraced ERM and really took it to heart. The year that many, many firms appointed their first ever Chief Risk Officer. They year when they finally committed the resources to build the risk capital model of the entire firm.
On the other hand, it might be recalled as the false spring of ERM before its eventual relegation to the scrapyard of those incessant series of new business management fads like Management by Objective, Managerial Grid, TQM, Process Re-engineering and Six Sigma.
The Financial Crisis was in part due to risk management. Put a helmet on a kid on a bicycle and they go faster down that hill. And if the kid really doesn’t believe in helmets and they fail to buckle to chin strap and the helmet blows off in the wind, so much the better. The wind in the hair feels exhilarating.
The true test of whether the top management is ready to actually DO risk management is whether they are expecting to have to vhange some of their decisions based upon what their risk assessment process tells them.
The dashboard metaphor is really a good way of thinking about risk management. A reasonable person driving a car will look at their dashboard periodically to check on their speed and on the amount of gas that they have in the car. That information will occasionally cause them to do something different than what they might have otherwise done.
Regulatory concentration on Risk Management is. on the whole, likely to be bad for firms. While most banks were doing enough risk management to satisfy regulators, that risk management was not relevant to stopping or even slowing down the financial crisis.
Firms will tend to load up on risks that are not featured by their risk assessment system. A regulatory driven risk management system tends to be fixed, while a real risk management system needs to be nimble.
Compliance based risk management makes as much sense for firms as driving at the speed limit regardless of the weather, road conditions or the conditions of the car’s breaks and steering.
Many have urged that risk management is as much about opportunities as it is about losses. However, that is then usually followed by focusing on the opportunities and downplaying the importance of loss controlling.
Preventing a dollar of loss is just as valuable to the firm as adding a dollar of revenue. A risk management loss controlling system provides management with a methodology to make that loss prevention a reliable and repeatable event. Excess revenue has much more value if it is reliable and repeatable. Loss control that is reliable and repeatable can have the same value.
Getting the price right for risks is key. I like to think of the right price as having three components. Expected losses. Risk Margin. Margin for expenses and profits. The first thing that you have to decide about participating in a market for a particular type of risk is whether the market in sane. That means that the market is realistically including some positive margin for expenses and profits above a realistic value for the expected losses and risk margin.
Most aspects of the home real estate and mortgage markets were not sane in 2006 and 2007. Various insurance markets go through periods of low sanity as well.
Risk management needs to be sure to have the tools to identify the insane markets and the access to tell the story to the real decision makers.
Finally, individual risks or trades need to be assessed and priced properly. That means that the insurance premium needs to provide a positive margin for expenses and profits above the realistic provision for expected losses and a reasonable margin for risk.
There were two big hits to insurers in 2009. One was the continuing problems to AIG from its financial products unit. The main lesson from their troubles ought to be TANSTAAFL. There ain’t no such thing as a free lunch. Selling far out of the money puts and recording the entire premium as a profit is a business model that will ALWAYS end up in disaster.
The other hit was to the variable annuity writers. In their case, they were guilty of only pretending to do risk management. Their risk limits were strange historical artifacts that had very little to do with the actual risk exposures of the firm. The typical risk limits for a VA writer were very low risk retained from equities if the potential loss was due to an embedded guarantee and no limit whatsoever for equity risk that resulted in drops in basic M&E revenue. A typical VA hedging program was like a homeowner who insured every item of his possessions from fire risk, but who failed to insure the house!
So insurers should end the year of 2009 thinking about whether they have either of those two problems lurking somewhere in their book of business.
Are there any “far out of the money” risks where no one is appropriately aware of the large loss potential ?
Are there parts of the business where risk limits are based on tradition rather than on risk?
The use of derivatives and risk management processes to control risk was very successful in changing the risk management Landscape.
But that change has been in the same vein as the changes to forest management practices that saw us eliminating the small forest fires only to find that the only fires that we then had were the fires that were too big to control. Those giant forest fires were out of control from the start and did more damage than 10 years of small fires.
The geography of the world from a risk management view is represented by this picture:
The ball represents the state of the world. Taking a risk is represented by moving the ball one direction or the other. If the ball goes over the top and falls down the sides, then that is a disaster.
So risk managers spend lots of time trying to measure the size of the valley and setting up processes and procedures so that the firm does not get up to the top of the valley onto one of the peaks, where a good stiff wind might blow the firm into the abyss.
The tools for risk management, things like derivatives with careful hedging programs now allowed firms to take almost any risk imaginable and to “fully” offset that risk. The landscape was changed to look like this:
Managers believed that the added risk management bars could be built as high as needed so that any imagined risk could be taken. In fact, they started to believe that the possibility of failure was not even real. They started to think of the topology of risk looking like this:
Notice that in this map, there is almost no way to take a big enough risk to fall off the map into disaster. So with this map of risk in mind, company managers loaded up on more and more risk.
But then we all learned that the hedges were never really perfect. (There is no profit possible with a perfect hedge.) And in addition, some of the hedge counterparties were firms who jumped right to the last map without bothering to build up the hedging walls.
And we also learned that there was actually a limit to how high the walls could be built. Our skill in building walls had limits. So it was important to have kept track of the gross amount of risk before the hedging. Not just the small net amount of risk after the hedging.
Now we need to build a new view of risk and risk management. A new map. Some people have drawn their new map like this:
They are afraid to do anything. Any move, any risk taken might just lead to disaster.
Others have given up. They saw the old map fail and do not know if they are ever again going to trust those maps.
They have no idea where the ball will go if they take any risks.
So we risk managers need to go back to the top map again and revalidate our map of risk and start to convince others that we do know where the peaks are and how to avoid them. We need to understand the limitations to the wall building version of risk management and help to direct our firms to stay away from the disasters.
Riskviews was dormant from April to July 2009 and restarted as a forum for discussions of risk and risk management. You may have missed some of these posts from shortly after the restart…
I bought my current house 11 years ago. The area where it is located was then in the middle of a long drought. There was never any rain during the summer. Spring rains were slight and winter snow in the mountains that fed the local rivers was well below normal for a number of years in a row. The newspapers started to print stories about the levels of the reservoirs – showing that the water was slightly lower at the end of each succeeding summer. One year they even outlawed watering the lawns and everyone’s grass turned brown.
Then, for no reason that was ever explained, the drought ended. Rainy days in the spring became common and one week it rained for six days straight.
Every system has a capacity. When the capacity of a system is exceeded, there will be a breakdown of the system of some type. The breakdown will be a non-linearity of performance of the system.
For example, the ground around my house has a capacity for absorbing and running off water. When it rained for six days straight, that capacity was exceeded, some of the water showed up in my basement. The first time that happened, I was shocked and surprised. I had lived in the house for 5 years and there had never been a hint of water in the basement. I cleaned up the effects of the water and promptly forgot about it. I put it down to a 1 in 100 year rainstorm. In other parts of town, streets had been flooded. It really was an unusual situation.
When it happened again the very next spring, this time after just 3 days of very, very heavy rain. The flooding in the local area was extreme. People were driven from their homes and they turned the high school gymnasium into a shelter for a week or two.
It appeared that we all had to recalibrate our models of rainfall possibilities. We had to realize that the system we had for dealing with rainfall was being exceeded regularly and that these wetter springs were going to continue to exceed the system. During the years of drought, we had built more and more in low lying areas and in ways that we might not have understood at the time, we altered to overall capacity of the system by paving over ground that would have absorbed the water.
For me, I added a drainage system to my basement. The following spring, I went into my basement during the heaviest rains and listened to the pump taking the water away.
I had increased the capacity of that system. Hopefully the capacity is now higher than the amount of rain that we will experience in the next 20 years while I live here.
Financial firms have capacities. Management generally tries to make sure that the capacity of the firm to absorb losses is not exceeded by losses during their tenure. But just like I underestimated the amount of rain that might fall in my home town, it seems to be common that managers underestimate the severity of the losses that they might experience.
Writers of liability insurance in the US underestimated the degree to which the courts would assign blame for use of a substance that was thought to be largely benign at one time that turned out to be highly dangerous.
In other cases, though it was the system capacity that was misunderstood. Investors miss-estimated the capacity of internet firms to productively absorb new cash from the investors. Just a few years earlier, the capacity of Asian economies to absorb investors cash was over-estimated as well.
Understanding the capacity of large sectors or entire financial systems to absorb additional money and put it to work productively is particularly difficult. There are no rules of thumb to tell what the capacity of a system is in the first place. Then to make it even more difficult, the addition of cash to a system changes the capacity.
Think of it this way, there is a neighborhood in a city where there are very few stores. Given the income and spending of the people living there, an urban planner estimates that there is capacity for 20 stores in that area. So with encouragement of the city government and private investors, a 20 store shopping center is built in an underused property in that neighborhood. What happens next is that those 20 stores employ 150 people and for most of those people, the new job is a substantial increase in income. In addition, everyone in the neighborhood is saving money by not having to travel to do all of their shopping. Some just save money and all save time. A few use that extra time to work longer hours, increasing their income. A new survey by the urban planner a year after the stores open shows that the capacity for stores in the neighborhood is now 22. However, entrepreneurs see the success of the 20 stores and they convert other properties into 10 more stores. The capacity temporarily grows to 25, but eventually, half of the now 30 stores in the neighborhood go out of business.
This sort of simple micro economic story is told every year in university classes.
It clearly applies to macroeconomics as well – to large systems as well as small. Another word for these situations where system capacity is exceeded is systemic risk. The term is misleading. Systemic risk is not a particular type of risk, like market or credit risk. Systemic risk is the risk that the system will become overloaded and start to behave in severely non-linear manner. One severe non-linear behavior is shutting down. That is what the interbank lending did in 2008.
In 2008, many knew that the capacity of the banking system had been exceeded. They knew that because they knew that their own bank’s capacity had been exceeded. And they knew that the other banks had been involved in the same sort of business as them. There is a name for the risks that hit everyone who is in a market – systematic risks. Systemic risks are usually Systematic risks that grow so large that they exceed the capacity of the system. The third broad category of risk, specific risks, are not an issue, unless a firm with a large amount of specific risk that exceeds their capacity is “too big to fail”. Then suddenly specific risk can become systemic risk.
So everyone just watched when the sub prime systematic risk became a systemic risk to the banking sector. And watch the specific risk to AIG lead to the largest single firm bailout in history.
Many have proposed the establishment of a systemic risk regulator. What that person would be in charge of doing would be to identify growing systematic risks that could become large enough to become systemic problems. THen they are responsible to taking or urging actions that are intended to diffuse the systematic risk before it becomes a systemic risk.
A good risk manager has a systemic risk job as well. THe good risk manager needs to pay attention to the exact same things – to watch out for systematic risks that are growing to a level that might overwhelm the capacity of the system. The risk manager’s responsibility is then to urge their firm to withdraw from holding any of the systematic risk. Stories tell us that happened at JP Morgan and at Goldman. Other stories tell us that didn’t happen at Bear or Lehman.
So the moral of this is that you need to watch not just your own capacity but everyone else’s capacity as well if you do not want stories told about you.
Not listening to your CRO – having him too low down the management chain;
Hiring a CEO who “doesn’t want to hear bad news”;
Not linking the Board tolerance for risk to the risk management practices of the company;
Having the CRO report to the CFO instead of to the CEO or Board, i.e., not having a system of checks and balances in place regarding risk practices;
The board not leading the risk management charge;
Not communicating the risk management goals;
Not driving the risk management culture down to the lower levels of the organization;
Ignorance is not Bliss
Not doing your own risk evaluations;
Not expecting the unexpected;
Overreacting to risks that turn out to be harmless;
Don’t shun the risk you understand, only to jump into a risk you don’t understand;
Failure to pay attention to actual risk exposure in the context of risk appetite;
Using outsider view of how much capital the firm should hold uncritically;
Cocksureness
Believing your risk model;
The opinion held by the majority is not always the right one;
There can be several logical, but contradictive explanations for one sequence of events, and logical doesn’t mean true;
We do not have perfect information about the future, or even the past and present;
Don’t use old normal assumptions to model in the new normal;
Arrogance of quantifying the unquantifiable;
Not believing your risk model – waiting until you have enough evidence to prove the risk is real;
Not Seeing the Big Picture
Making major changes without heavy involvement of Risk Management;
Conflict of interest: not separating risk taking and risk management;
Disconnection of strategy and risk management: Allocating capital blindly without understanding the risk-adjusted value creation;
One of the biggest mistakes has to be thinking that you can understand the risks of an enterprise just by looking at the components of risk and “adding them up” – the complex interactions between factors are what lead to real enterprise risk;
Looking at risk using one single measure;
Measuring and reporting risks is the same as managing risks;
Risk can always be measured;
Fixation on Structure
Thinking that ERM is about meetings and org charts and capital models and reports;
Think and don’t check boxes;
Forgetting that we are here to protect the organization against risks;
Don’t let an ERM process become a tick-box exercise;
Not taking a whole company view of risk management;
Nearsightedness
Failing to seize historic opportunities for reform, post crisis;
Failure to optimize the corporate risk-return profile by turning risk into opportunity where appropriate;
Don’t be a stop sign. Understand the risks AND REWARDS of a proposal before venturing an opinion;
Talking about ERM but never executing on anything;
Waiting until ratings agencies or regulatory requirements demand better ERM practices before doing anything;
There is no obstacle so difficult that, with sufficient thought, cannot be turned into an opportunity;
No opportunity so assured that, with insufficient thought, cannot be turned into a disaster;
Do not confuse trauma with learning;
Using a consistent discipline to search for opportunities where you are paid to accept risk in the context of the entire entity will move you toward an optimized position. Just as important is using that discipline to avoid “opportunities” where this is not the case.
undertake positive NPV projects
risk comes along with these projects and should be priced in the NPV equation
the price of risk is the lesser of the external cost of disposal (e.g., hedging) or the cost of retention “in the context of the entire entity”;
also hidden in these words is the need to look at the marginal impact on the entity of accepting the risk. Am I better off after this decision than I was before? A silo NPV may not give the same answer for all firms/individuals;
What is important is the optimization journey, understanding it as a goal we will never achieve;
More Skin in the Game
Misalign the incentives;
Most people will act based on their financial incentives, and that certainly happened (and continues to happen) over the past couple of years. Perhaps we could include one saying that no one is peer reviewing financial incentives to make sure they don’t increase risk elsewhere in the system;
Not tying risk management practices to compensation;
Not aligning risk management goals with compensation;
Your firm’s Risk Profile is a function of two things, the Opportunities for risk taking and your capabilities. Using your capabilities, you will choose from your opportunities for risk to get your gross risk exposures. Then your capabilities will again take over and treat your risks to bring them to the net risks.
So your capabilities make two contributions to risk management.
A firm with strong capabilities will find the best opportunities from the choices that the firm has based upon its access to sourcing risks. Those opportunities will have the most favorable risk reward potential.
Then the strong capabilities will seek to trim the risk through risk treatment, giving up as little return as possible while offsetting or otherwise reducing returns as much as possible.
A firm that wants to increase its capabilities has three choices: Acquiring, Partnering or Training.
Risk capabilities can be Acquired in bulk by acquiring a firm with good capabilities, or by hiring one risk professional at a time. With Partnering, the firm gets help from the partner who could be a consulting firm or an intermediary. By using Training to acquire capabilities, the firm seeks to add capabilities to existing staff.
Each possibility has different short and long term costs and each has different levels of dependability and time to start up.
Many, many good questions and good ideas at the RISK USA conference in New York. Here is a brief sampling:
Risk managers are spending more time showing different constituencies that they really are managing risk.
May want to change the name to “Enterprise Uncertainty Management”
Two risk managers explained how their firms did withdraw from the mortgage market prior to the crisis and what sort of thinking by their top management supported that strategy
Now is the moment for risk management – we are being asked for our opinion on a wide range of things – we need to have good answers
Availability of risk management talent is an issue. At both the operational level and the board level.
Risk managers need to move to doing more explaining after better automating the calculating
Group think is one of the major barriers of good risk management
Regulators tend to want to save too many firms. Need to have a middle path that allows a different sort of resolution of a troubled firm than bankrupcy.
Collateral will not be a sufficient solution to risks of derivatives. Collateral covers only 30 – 50% of risk
No one has ever come up with a theory for the level of capital for financial firms. Basel II is based upon the idea of keeping capital at about the same level as Basel I.
Disclosure of Stress tests of major banks last Spring was a new level of transparency.
Banking is risky.
Systemic Risk Regulation is impossibly complicated and doomed to failure.
Systemic Risk Regulation can be done. (Two different speakers)
In Q2 2007, the Fed said that the sub-prime crisis is contained. (let’s put them in charge)
Having a very good system for communicating was key to surviving the crisis. Risk committees met 3 times per day 7 days per week in fall 2008.
Should have worked out in advance what do do after environmental changes shifted exposures over limits
One firm used ratings plus 8 additional metrics to model their credit risk
Need to look through holdings in financial firms to their underlying risk exposures – one firm got red of all direct exposure to sub prime but retained a large exposure to banks with large sub prime exposure
Active management of counterparties and information flow to decision makers of the interactions with counter parties provided early warning to problems
Several speakers said that largest risk right now is regulatory changes
One speaker said that the largest Black Swan was another major terrorist attack
Next major systemic risk problem will be driven primarily by regulators/exchanges
Some of structured markets will never come back (CDO squareds)
Regret is needed to learn from mistakes
No one from major firms actually went physically to the hottest real estate markets to get an on the ground sense of what was happening there – it would have made a big difference – Instead of relying solely on models.
Discussions of these and other ideas from the conference will appear here in the near future.
You can read what he has to say about it. I just wanted to pass along the term “Glass Box.”
A Glass Box Risk Model is one that is exactly the opposit of a Black Box. With a Black Box Model, you have no idea what is going on inside. WIth a Glass Box, you can see everything inside.
Something is needed, however, in addition to transparency, and that is clarity. To use the physical metaphor further, the glass box could easily be crammed with so, so much complicated stuff that it is only transparent in name. The complexity acts as a shroud that keeps real transparency from happening.
I would suggest that argues for separability of parts of the risk model. The more different things that one tries to cram into a single model, the less likely that it is separable or truely transparent.
That probably argues against any of the elegance that modelers sometimes prize. More code is probably preferable to less if that makes things easier to understand.
For example, I give away my age, but I stopped being a programmer about the time when actuaries took up APL. But I heard from everyone who ever tried to assign maintenance of an APL program to someone other than the developer, that APL was a totally elegant but totally opaque programming language.
But I would suggest that the Glass Box should be the ideal for which we strive with our models.
The British dominance of the world scene was largely seen to have ended with WWI. However, that decline was not really an absolute decline in wealth, it was really mostly just a relative decline. Other countries, especially the US rose in wealth faster than the UK.
That story begins to hint at the ELEPHANT in the room. That elephant is the relative per capita wealth of the people in China, India, and the other emerging economies.
We have entered a period of equalization of personal wealth between the have-nots and the haves. That will be a very disruptive process in the Have countries. It may go gradually with small slow changes or it may go rapidly through a series of big jumps.
But what we will see will be a series of shocks like the dot com bubble and the current financial crisis. At the end of each shock, the PPP per capita wealth of the rising economies will be the same as at the start or more likely higher and the PPP per capital wealth of the Have economies will be lower.
This will happen largely via shocks because there is extreme amounts of resistance to the process on the part of the Have economies. This resistance took the form of excessive leverage in recent times. People were unwilling to accept the fact that their PPP income was dropping, so that they borrowed to keep their lifestyle at the level that they felt that they are entitled to.
So discussions about deficits are really about how the US will handle the coming change in distribution of the wealth of the world. If we simply choose to resist the change and try to bring things back to “normal” by government or personal deficit spending, then eventually we will have to pay through devaluation of our currency and if we persist, those funding our debt will cut us off.
It is hard to imagine our political process coming to the conclusion that we need to rethink our financial strategies in the light of the changing world financial order. That thinking has to come from outside the political process and eventually find its way in.
So the Emerging Risks scenario is for the long term decline of the income of the Have economies accomplished through a long series of financial system shocks accompanies by growing government deficits and declining credit quality for the government debt of the developed nations. At the same time, the successful “emerging market” economies become the dominant economic players and their people gradually risk in PPP income to match up with the PPP income of the “developed” nations for people who still do the same or comparable work. That income equalization will include some significant increase in overall wealth, but not enough to maintain the incomes of the developed countries during this process.
So if this is the emerging risk scenario. the questions are:
1. How would your firm fare in this scenario if no specific advance planning or anticipation is done?
2. Are there any things that your firm might do differently if you thought that this scenario was somewhat likely?
3. Assuming that this scenario occurs, what is the cost benefit of those actions? i.e. do they make sense in that scenario?
4. Are there any ways to track secondary signs that this scenario might be coming to be?
This Christmas season, when you don’t know what to get the one you love because they already have a Nintendo Wii, iPod Touch or Beatles Rock Band, why not give them the gift of voluntary risk management guidelines, the ISO 31000 Risk Management – Principles and Guidelines.
Imagine the joy Christmas morning when your loved one unwraps the guidelines (even though it is branded ISO it is not a certifiable standard) and looks at the table of contents, unsure which chapter to read first: 1) Scope; 2) Terms and definitions; 3) Principles; 4) Framework; and 5) Process. Oh, I would go straight to the Process chapter myself.
And ISO 31000 does not require batteries or recharging either. It will not break and does not contain any small, dangerous parts or toxic paints. It is way friendlier than COSO ERM (well so is a pit bull actually) and unlike other fun toys you might get his season, ISO 31000 will harmonize principles, framework and processes. Oh Joy!
For more information, check out this article at Strategic Risk
ERM is like the defense in football. You would no more think of fielding a football team without a defensive squad then you would think of running a financial firm without ERM. On the football field, if a team went out without any defensive players, they would doubtless be scored upon over and over again.
A financial firm without an ERM program would experience losses that were higher than what they wanted.
The ERM program can learn something from the football defenders. The defenders, even when they do show up, cannot get by doing the exact same thing over and over again. The offensive of the other team would quickly figure out that they were entirely predictable and take them apart. The defenders need to shift and compensate for the changes in the environment and in the play of the other team.
Banks with compliance oriented static ERM programs found this out in the financial crisis. Their ERM program consisted of the required calculation of VaR using the required methods. If you look at what happened in the crisis, many banks did not show any increase in VaR almost right up until the markets froze. That is because the clever people at the origination end of the banks knew exactly how the ERM folks were going to calculate the VaR and they waltzed their fancy new CDO products right around the static defense of the ERM crew at the bank.
They knew that the ERM squad would not look into the quality of the underlying credit that went into the CDOs as long as those CDOs had the AAA stamp of approval from the rating agencies. The ERM models worked very well off of the ratings and the banks had drastically cut back on their staff of credit analysts anyway.
They also knew that the spot on the gain and loss curve where the VaR would be calculated was fixed in advance. As long as their new creation passed the VaR test at that one point, nobody was going to look any further.
So what would the football coach do if their defense kept doing the same thing over and over while the other team ran around them all game? Would the coach decide to play the next season without a defense? Or would he retrain and restaff his defense with new players who would move around and adapt and shift to different strategies as the game went along.
And that is what ERM needs to do. ERM needs to make sure that it does not get stuck in a rut. Because any predictable rut will not work for long. The marketplace and perhaps some within their own companies will find a way around them and defeat their purpose.
On April 7 2009, the Financial Times published an article written by Nassim Taleb called Ten Principles for a Black Swan Free World. Let’s look at them one at a time…
3. People who were driving a school bus blindfolded (and crashed it) should never be given a new bus. The economics establishment (universities, regulators, central bankers, government officials, various organisations staffed with economists) lost its legitimacy with the failure of the system. It is irresponsible and foolish to put our trust in the ability of such experts to get us out of this mess. Instead, find the smart people whose hands are clean.
Since I cannot claim to have completely clean hands, I will simply point to the writings of Hyman Minsky. His Financial Instability Hypothesis describes how a financial system goes to the extremes of leverage that creates a crash like what we just experienced. He wrote this in the 1980’s and early 1990’s and then did not feel that there was much chance of the extreme part of that cycle happening any time soon. He thought that the Fed had enough of a handle on the financial system to keep things from getting to a blow up state.
However, he did mention that with the advent of sources of debt and leverage and money outside of the traditional financial system, that if those elements grew enough then they could be the source of a severe problem.
How prescient.
In addition to reading what Minsky wrote, we should also be studying the thinking of those who totally avoided the sub prime securities that caused so much problems for so many very large financial institutions or who were in but got out in time to avoid fatal damages.
Those are often the people with the common sense that we should be using as the basis for the way forward.
Risk management programs need to have a deliberate risk learning function, where insights are developed from the firm’s losses and near misses as well as from others losses and near misses.
In this crisis, we should all seek to learn from those who were not enticed into the web of false knowledge about the riskiness of the sub prime securities. One of the most interesting that I hear at the time when the markets were seizing up was that those who had escaped were too unsophisticated to have gotten into that market.
I spoke to one of those severely unsophisticated people on the buy side and he said that he never did spend too much time looking into the CDOs. He said that he knew what the spreads were on straight mortgage backed securities. And he had some idea of how many additional people were getting a slice in the creation of the CDOs. And then he knew that the CDOs were promising higher yields for the same credit rating as the straight mortgage backed securities. At that point, he was sure that something did not add up and he moved on to look at other things where the numbers did add up. I guess he was just too unsophisticated to understand the stochastic calculus needed to explain how 2-1-1-1 = 3.
But his illustrates the issue with stand alone risk analysis. Compared to what? Last spring, there was quite a bit of concern raised when it was reported that 18 people had died from Swine Flu. That sounds VERY BAD. But Compared to What? Later stories revealed that seasonal flu is on the average responsible for 30,000 deaths in the US. That breaks down to an average of 82 per day annually, or more during the flu season if you reflect the fact that there is little flu in the summer months. No one was ever willing to say whether the 18 deaths were in addition to the 82 expected or if they were just a part of that total.
The chart below suggests that Swine flu is significantly less deadly than the seasonal flu. However, what it fails to reveal is that Swine Flu is highly transmissable because there is very little immunity in the population. So even with a very low fatality rate per infection, with a very high infection rate, expectations now are for more than twice as many deaths from the Swine Flu than from the seasonal flu.
For many years, being aware of the issue I tried to make a comparison whenever I presented a risk assessment. Most commonly, I used a comparison to the risk in a common stock portfolio. Was the risk I was assessing more or less risky than the stocks. I would compare both the average return, the standard deviation of returns as well as the tail risk. If appropriate, I would make that comparison for one year as well as for many years.
But I now realize that was not the best choice. Experience in the past year reveals that many people did not really have a good idea of how risky the stock market is. Many risk models would have pegged the 2008 37% drop in the S&P as a 1/250 year event or worse, even though there have now been similar levels of loss three times in the last 105 years on a calendar year basis and more if you look within calendar years.
The chart above was made before the end of the year. By the end of the year, 2008 fell back into the 30% to 40% return column. But if your hypothesis had been that a loss that large was a 1/200 event, the likelihood of one occurrence in a 105 year period is only about 31%. Much more likely to see none (60%). Two occurrences only about 8% of the time. Three or more, only about 1% of the time. So it seems that a 1/200 return period hypothesis has about a 99% likelihood of being incorrect. If you assume a return period of 1/50 years, that would make the three observations a 75th percentile event.
So that is a fundamental issue in communicating risk. Is there really some risk that we really know – so that we can use it as a standard of comparison?
The article on Custard Creams was brought to my attention by Johann Meeke. He says that he will continue to live dangerously with his biscuits.
This is the 10 year anniversary of the publication of the book Dow 36000. Right now, the Dow is actually below the level of the Dow of 10 years ago.
Bret Arends writes about the lessons that two market crashes might have brought to investors in the Wall Street Journal.
Here are some thoughts on his seven lessons from the point of view of a risk manager, rather than an investor.
1. Don’t forget dividends
Dividends are the hard cash part of stock returns. As a risk managers, we need to keep in mind the difference between the real hard cash elements of the risks that we evaluate as opposed to the models and market values.
2. Watch Out for Inflation
Inflation creates two major concerns for a risk manager. The first is of course the concern of whether you have taken rising costs into account properly in the evaluation of multi period risks. The second goes the other direction. Because of inflation, the over conservative risk manager is a danger to his organization because she might just keep the business from growing enough to keep up with inflation. A constant cycle of cost cutting to keep costs in line is not a viable long term strategy for a company.
3. Don’t Overestimate Long Term Stock Returns.
The risk manager needs to keep reminding management of things like this. Once someone pointed out that long term stock market average returns, even if you got them right, were misleading anyway because some part of that long run average was built up in a period when PE grew to historical highs. So te starting point matters. The same logic will apply to other financial series. The starting point matters.
4. Volatility Matters
You have to live through the short term to get to the long term. The fact that your firm can afford the volatility does not mean that the board will keep the same management through what seems to them to be excessive volatility. It is only the regulators who are focused on ruin only. Watch your volatility. Have conversations with your board about volatility. Understand their volatility tolerance, both on a relative and on an absolute basis.
5. Price Matters.
Risk managers need to focus both on controlling losses and on optimizing returns on risk. So the prices of your risks does matter. Some would argue that you only need to get a better return for risk that the market you are in (i.e. that risk reward is purely relative to the market), but just like volatility, the risk manager needs to understand the degree to which her board cares about absolute return and how much they care about relative return.
6. Don’t Hurry.
Even more than investing, risk management needs careful thought. That is why risk management is so very unlikely in a bank trading area where there is tremendous pressure to keep up with the frenetic pace of the trading desks. If you are a risk manager in any other situation, you need to learn to insist on being given enough time to get your analysis correct. If you are that risk manager on the trading desk, that is when you must have that authority to unwind things that turn out, when you take the time, after the fact, to be much worse than advertized by the trader.
7. Don’t Forget Your Lifeboats.
The first thing that a risk manager needs to know is the exact situations where his firm will need a life boat. Then he has to make sure that there are enough lifeboats and finally she must carefully watch for distant signs that the storm that will swamp the ship is on the horizon. A firm that wants to survive for the long term will give its risk manager some leeway for false alarms, so that they are sure to be ready for the real thing.
How does a company react to a major setback or loss event?
In his book, The Survivor’s Club, Ben Sherwood talks of several common reactions that people have to a near death situation..
Some want things to be like they were before. They want the experience to be forgotten completely.
Some are willing to accept some memory of the crisis, but do not want to remember the really bad parts – the uncertainty of survival, the struggle and the unpleasantness. They want to white wash their memory.
Others will always make it a joke – never allowing their crisis to be taken serious by anyone around them.
Some turn the event into a heroic story, often painting themselves or sometimes another as the hero.
Others consider themselves veterans of a war against adversity or perhaps graduates of a particularly difficult course from the school of hard knocks.
Many companies that were among the first wave of serious practitioners of ERM had survived a near death experience. They had been over concentrated in one of the long list of major hits to the insurance and financial systems over the past 10 years.
At every single one of these firms, managers who lived through those days of uncertainty, when they were going through the darkest days and perhaps went home more than once not knowing if their employer would open again in the morning all have the exact same mantra “NEVER AGAIN“.
To these firms, there is no question about whether they will take ERM seriously the next time that things get tough. That is because at these firms, ERM is not some sort of management buzz word, it is the logical path to accomplishing their key goal for the future “NEVER AGAIN“.
They do not struggle to develop an agenda for their Risk Committee meetings. They know how to focus on the real risk and risk management issues that are life and death. They will make sure that they are aware of their concentrations, that all of their risk mitigation strategies are working and if not they will not hesitate to make changes so that they will be effective. They are always on the lookout for the next change in the environment that means that yesterday’s rules are out the window and are ready to take those actions that might put them enough ahead of the crowd to miss the next big loss event. This is because they are clear about why they do all of this, “NEVER AGAIN“.
So these firms fall into the fifth group – the graduates of the school of hard knocks. What they learned is that risk management is really important.
Other firms went through those same events and did not have that near death experience. Most of those firms had one of the other four reactions to their losses. They want to forget about it as quickly as possible. They create a whitewashed history. They create a heroic story that has as its base the idea that they will always be the survivors.
They went to the school of hard knocks, passed the course and may not have really learned anything.
Riskviews 