Archive for the ‘Risk Learning’ category

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow-ups have happened.  Some of those blow-ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll-up-your-sleeves, do-it risk management.  Promoting that sort of Risk Management is the objective of this Blog.

 

 


Ingram Looks into ERM – Eight short articles.

December 17, 2013

The magazine of the Society of Actuaries published eight short essays on a variety of ERM topics.

Making Risk Models Collaborative   With our risk models, we make the contribution of managers to the risk management of the company disappear into the mist of probabilities. And then we wonder why so many managers are opposed to “letting a model run the company.”

We Must Legitimize Uncertainty   In a post to the Harvard Business Review blog, “American CEO’s should Stop Complaining about Uncertainty,” Jonathan Berman points out that while African companies are able to cope with their uncertain environment, American CEOs mostly just complain.  Americans must legitimize the Uncertain environment and study how best to cope.

Finding a Safe Place New ERM and Old School goals for risk management all seek to keep the company safe.

ERM and the Hierarchy of Corporate Needs  The reason that ERM is not given the degree of priority that its proponents desire is that it is at best third in the hierarchy of corporate needs.

Help Wanted: Risk Tolerance  It is a rare company that can create a risk appetite statement if they do not already have years of experience with the measure of risk that will be used.

What should you do at a Yellow Light?  Companies need to plan in advance what should be happening when their risk reports indicate that they are entering into risky territory.

Are you Sure about that?  Frequently, we ignore the fact that our risk models do NOT produce information about our risks that is all consistently reliable.  Yet we still add those numbers together as if they were on the exact same basis.

Creating a Risk Management Culture – Risk Management needs to be embedded into the corporate culture, just as expense management was embedded thirty years ago. 

 

Risk Culture doesn’t come from a memo

December 16, 2013

Nor from a policy, nor from a speech, nor from a mission statement nor a value statement.

Like all of corporate culture, Risk Culture comes from experiences.  Risk Culture comes from experiences with risk.  Corporate Culture is fundamentally the embedded, unspoken assumptions that underlie behaviors and decisions of the management and staff of the firm.  Risk Culture is fundamentally the embedded, unspoken assumptions and beliefs about risk that underlie behaviors and decisions of the management and staff of the firm.

Corporate culture is formed initially when a company is first started.  The new company tries an approach to risk, usually based upon the prior experiences of the first leaders of the firm.  If those approaches are successful, then they become the Risk Culture.  If they are unsuccessful, then the new company often just fails.

In his book, Fooled by Randomness, Nassim Taleb points out that there is a survivor bias involved here.  Some of the companies that survive the early years are managing their risk correctly and some are simply lucky.  Taleb tells the story of mutual fund managers who either beat the market or not each year.  Looking back over 5 years, a fund manager who was one of 30 out of 1000 who beat the market every one of those five years might believe that their performance and therefore their ability was far above average.  However, Taleb points out that if whether a manager beat the market or not each year was determined by a coin toss, statistics tells us to expect 31 to beat the market.

That was for a situation where we assume that the good results were likely 50% of the time.  For risk management, the event that is being managed is often a 1/100 likelihood.  There is a 95% chance of avoiding a 1/100 loss in any five year period, just by showing up with average risk management.  That makes it fairly likely that poor risk management can be easily overcome by just a little bit of luck.

So by the natural process of experience, Risk Culture is formed based upon what worked in the past.

In banks and hedge funds and other financial firms where risk taking is a fundamental part of the business, the Risk Culture often supports those who take risks and win.  Regardless of whether the amount of risk is within limits or tolerances or risk appetite.

You see, all of those ideas (limits, tolerances, appetites) are based upon an opinion about the future.  And the winner just has a different opinion about the future of his/her risk.  The fact that the winner’s opinion proves itself as experience shows that the bad outcome that those worrying risk people said was the future is not the case.  When the winner suddenly makes a bad call (see London Whale), that shows that their ability to see the future better than the risk department’s models may be done.  You see, there are very very few people who can keep the perspective needed to consistently beat the market.  (RISKVIEWS thinks that the fall off might well follow an exponential decay pattern as predicted by statistics!)

The current ideas of a proper Risk Culture (see FSB consultation paper) are doubtless not what most firms set up as their initial response to risk. That paper focuses on four specific aspects of Risk Culture.

  • Tone from the top: The board of directors and senior management are the starting point for setting the financial institution’s core values and risk culture, and their behaviour must reflect the values being espoused. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution.
  • Accountability: Successful risk management requires employees at all levels to understand the core values of the institutions’ risk culture and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
  • Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
  • Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.

(These descriptions are quotes from the paper)

These practices are supported by the Risk Culture for a few very new firms, as well as a very few other firms (and we will mention why that is in a few paragraphs).  But for at least 80 percent of financial firms, these items, if they are happening, are not at all supported by the Risk Culture.  The true Risk Culture of a successful firm has evolved based upon the original choices of the firm and the decisions and actions taken by the firm that have been successful over the life of the firm.

These aspects of Risk Culture are a part of one of the three layers of culture (see Edgar Schein, The Corporate Culture Survival Guide).  He calls those layers:

  • Artifacts
  • Espoused Values
  • Shared Assumptions

The four aspects of Risk Culture featured by the FSB can all be considered to be “artifacts”.  Those are the outward signs of the culture, but not the whole thing.  Espoused Values are the Memos, policies, speeches, mission and value statements.

Coercion from outside the organization, such as through regulator edict, can force management to change the Espoused Values.  But the real culture will ignore those values.  Those outside edicts can force behaviors, just as prison guards can force prisoners to certain behaviors.  But as soon as the guards are not looking, the existing behavioral standards based upon the shared assumptions will re-emerge.

When the insiders, including top management of an organization, want to change the culture, they are faced with a difficult and arduous task.

That will be the topic of the next post.

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.

By Julian Voss-Andreae (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are many possible reasons for poor results.  Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped.  Correlation is the most misunderstood statistic.  Risk managers would do well to study and understand what valuable and reliable uses there are for correlation calculations.  They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

Controlling with a Cycle

April 3, 2013

[Image: Helsinki city bikes]

No, not that kind of cycle… This kind:

[Image: Cycle]

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

A Cure for Overconfidence

May 30, 2011

“FACTS FROM THE INTERNET”

  • 86% of a group of college students say that they are better looking than their classmates
  • 19% of people think that they belong to the richest 1% of the population
  • 82% of people say they are in the top 30% of Safe Drivers
  • 80% of students think they will finish in the top half of their class
  • In a confidence-intervals task, where subjects had to judge quantities such as the total egg production of the U.S. or the total number of physicians and surgeons in the Boston Yellow Pages, they expected an error rate of 2% when their real error rate was 46%.
  • 68% of lawyers in civil cases believe that their side will win
  • 81% of new business owners think their business will succeed, but also say that 61% of the businesses like theirs will fail

But on the other hand,

  • A test of 25,000 predictions by weather forecasters found no overconfidence

We all know what is different about weather forecasters.  They make predictions regularly with confidence intervals attached AND they always get feedback about how good their forecast actually was.

So the Overconfidence effect, that is seen by psychologists as one of the most reliable of biases in decision making, is merely the effect of under training in developing opinions about confidence intervals.

This conclusion leads directly to a very important suggestion for risk managers.  Of course risk managers are trying to act like weather forecasters.  But they are often faced with an audience who are overconfident – they believe that their ability to manage the risks of the firm will result in much better outcomes than is actually likely.

But the example of weather forecasters seems to show that the ability to realistically forecast confidence intervals can be learned by a feedback process.  Risk managers should make sure that, in advance of every forecast period, the model for frequency and severity of losses is widely known.  And then at the end of every forecast period they should show how actual experience does or does not confirm the forecast.

Many risk models allow for a prediction of the likelihood of every single exact dollar gain or loss that is seen to be possible.  So at the end of each period, when the gain or loss for that period is known, the risk manager should make a very public review of the likelihoods that were predicted for the level of gain or loss that actually occurred.

This sort of process is performed by the cat modelers.  After every major storm, they go through a very public process of discovering what the model said was the likelihood of the size loss that the storm produced.

The final step is to decide whether or not to recalibrate the model as a result of the storm.

Overconfidence can be cured by experience.
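The feedback loop described above (publish the loss model before the period, report the predicted likelihood of the loss that actually occurred, then decide whether to recalibrate) can be sketched as follows. This is an added example, not code from the original post; the lognormal loss model, its parameters, the loss figures, the 90% interval and the 5% significance threshold are all constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Forecast:
    period: str
    mu: float     # mean of log(loss); lognormal model is an assumption
    sigma: float  # std dev of log(loss); smaller = more confident forecast

def lognormal_cdf(x, mu, sigma):
    """P(loss <= x) under the forecast published before the period."""
    z = (math.log(x) - mu) / (sigma * math.sqrt(2))
    return 0.5 * (1 + math.erf(z))

def review(forecasts, actuals, level=0.90):
    """Post-period review: what did the model say about the loss we got?"""
    tail = (1 - level) / 2
    rows = []
    for f in forecasts:
        p = lognormal_cdf(actuals[f.period], f.mu, f.sigma)
        rows.append({
            "period": f.period,
            "percentile": p,        # where the actual fell in the forecast
            "exceedance": 1 - p,    # predicted chance of a loss this large
            "inside": tail <= p <= 1 - tail,
        })
    return rows

def binom_tail(n, k, q):
    """P(X >= k) for X ~ Binomial(n, q)."""
    return sum(math.comb(n, i) * q**i * (1 - q)**(n - i)
               for i in range(k, n + 1))

def recalibration_signal(rows, level=0.90, alpha=0.05):
    """Flag the model if interval misses are too many to blame on luck."""
    misses = sum(not r["inside"] for r in rows)
    p_value = binom_tail(len(rows), misses, 1 - level)
    return {"misses": misses, "p_value": p_value,
            "recalibrate": p_value < alpha}

# Constructed sample data: ten periods of actual losses (arbitrary units).
PERIODS = [str(y) for y in range(2001, 2011)]
ACTUALS = dict(zip(PERIODS, [80, 120, 60, 150, 95, 110, 210, 70, 130, 260]))

def make_forecasts(sigma):
    """Same median loss (100) every period; only the stated spread varies."""
    return [Forecast(p, math.log(100), sigma) for p in PERIODS]

if __name__ == "__main__":
    for label, sigma in (("wide intervals", 0.5), ("narrow intervals", 0.2)):
        rows = review(make_forecasts(sigma), ACTUALS)
        print(label, recalibration_signal(rows))
        for r in rows:
            print(f"  {r['period']}: predicted exceedance "
                  f"{r['exceedance']:.3f}, inside 90%: {r['inside']}")
```

The two runs use the same actual losses; only the forecaster's stated spread differs, so the narrow-interval run shows what overconfidence looks like once feedback is tallied.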

Learning from Disaster – The Honshu Earthquake

May 17, 2011

Steve Covey called it Sharpening the Saw.  A good risk management program will be continually learning.  The school of hard knocks is an extremely expensive teacher.  It is much better to audit the course by observing the experiences of others and learning from them.  The effective risk management program will be actively working to audit the courses of others’ experiences.

With that in mind, Risk Management magazine has devoted the May 2011 issue to learning from the Honshu earthquake.  There are four articles that review some key aspects of the Japanese experience as it appears right now.

  • Nuclear Safety – the problems at the Fukushima Daiichi reactor came from the multiple events that struck.  The safety provisions were sufficient for the earthquake, but not for the tsunami.  There are specific questions raised in the article here about the specific design of the reactor cooling system.  But a greater question is the approach to providing for extreme events.  The tsunami was greater than any on the historical record.  Should it be necessary to prepare for adverse events that are significantly worse than the worst that has ever happened?  If so, how much worse is enough?  Do we even have a way to talk about this important question?
  • Building Codes – the conclusion here is that Japanese building codes worked fairly well.  Many larger buildings were still standing after both the quake and the tsunami.  Christchurch did not fare as well.  But New Zealand codes were thought to be very strict.  However, the fault that was responsible for the earthquake there was only discovered recently.  So Christchurch was not thought to be in a particularly quake prone area.  As they overhaul the building codes in NZ, they do not expect to get much argument from strengthening the codes significantly in the Canterbury region.  The question is whether any other places will learn from Christchurch’s example and update their codes?
  • Supply Chain – the movement over the past 10 years or more has been to “just-in-time” supply chain management.  What is obvious now is that the tighter the supply chain is strung, the more susceptible it is to disruption – the riskier it is.   What we are learning is that great efficiency can bring great risk.  We need to look at all of our processes to see whether we have created risks without realizing it through our efforts to improve efficiency.
  • Preparedness – ultimately, our learnings need to be turned into actions.  Preparedness is one set of actions that we should consider.  The Risk Magazine focuses on making a point about the interconnectedness of all society now.  They say “Even a simple sole proprietorship operating a company in rural South Dakota can be negatively affected by political and social unrest in Egypt.”  We risk managers need to be aware of what preparedness means for each of our vulnerabilities and the degree to which we have reached a targeted stage of readiness.

Whenever there is a major crisis anywhere in the world, risk managers should review the experience to see what they can learn.  They can look for parallels to their business.  Can systems at their firm withstand similar stresses?  What preparedness would create enough resilience?  What did they learn from their adversity?
