Archive for the ‘Risk Limits’ category

Guide to ERM: Risk Limits and Controls

August 16, 2021

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.

The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

  1. Identify Risks – Choose which risks are the key controllable risks of the company
  2. Assess – Examine which elements of the risks need to be (or can be) controlled
  3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
  4. Take Risks – Conduct the primary function of an insurance company
  5. Mitigate – Take actions to keep the risks within limits
  6. Monitor – Determine how risk positions compare to limits and report
  7. Respond – Decide what actions to take if risk levels are significantly different from plan

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

  • Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
  • Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
  • Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
  • Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
  • Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints. The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken, which is the vital Respond stage in the risk control cycle
  • Risk limits and standards: These should be defined and directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances. Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
  • Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while others have become more expensive and/or riskier and limits need to be lowered
  • Assess risks: And the cycle starts again

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and that are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies, and of how the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

Full Limits Stress Test – Where Solvency and ERM Meet

April 25, 2014

We can know, looking back at last year, how much risk an insurer was exposed to. And we can simply look at the balance sheet to see how much capital they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent at last year end? Not really useful information. Unless…

That is, unless you make some potentially heroic assumptions about the future.  Not an unusual assumption.  Just that common assumption that the future will be just like the past.

That assumption is usually ok.  Let’s see.  In the past 15 years, it has been correct four or five times.  But is that good enough for solvency work – a system that might give the right answer a third of the time?!?

But there is a solution. Regulators have led us right up to that solution but they haven’t yet dared to say what it is. Perhaps they do not know, or perhaps they are not even thinking that the backward-looking problem has two aspects. We are making two heroic assumptions:

  1. We are assuming that the environment will be the same in the near future as the recent past.
  2. We are assuming that the company activity will be the same in the near future as the recent past.

The regulatory response to these two shaky assumptions is:

  1. Stress Scenarios
  2. Look forward using company plans

Solution 1 can help, but solution 2 can be significantly improved by using the ERM program and risk appetite.  You may have noticed that regulators have all said that ERM is very important.  And that Risk Appetite is a very, very important part of ERM.  But they have never, ever, explained why it is important.

Well, the true answer is that it can be important.  It can be the solution to one part of the backward looking problem.  The idea of looking forward with company plans is a step in the right direction.  But only a half step. The full step solution is the FULL LIMIT STRESS TEST.

That test looks forward to see how the company will operate based upon the risk appetite and limits that management has set. ERM and risk appetite provide a specific vision of how much risk is allowed by management and the board. The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.

So the FULL LIMIT STRESS TEST would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows.  That can then be combined with the stress scenarios regarding the external environment.

Now the FULL LIMIT STRESS TEST will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of the firm within the risk appetite. For firms that do not have such a system in place, the FULL LIMIT STRESS TEST needs to substitute some large amount of growth of risk, based on what industry experience tells us can happen to a firm that has gone partially or fully out of control with regard to its risk taking.

That makes the connection between ERM and Solvency very substantial and realistic.

  • A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program.  The overall risk appetite will place a limit on the degree to which ALL individual risk limits can be reached at the same time.
  • An otherwise similar firm with a risk management program and loose risk appetite will need to hold higher capital.
  • A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
  • A firm without a risk management program will need to hold capital to support the risks that history tells us that a firm with uncontrolled growth of risk might take on in a year. A track record of informal control of risk growth cannot be used as a predictor of the range of future performance. (It may be valuable to ask all firms to look at an uncontrolled growth scenario as well, but firms with a good risk control process will be considered to be prepared for that scenario with their ERM program.)
  • A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.

With this FULL LIMIT STRESS TEST, ERM programs will then be fully and directly connected to Solvency in an appropriate manner.

 

Controlling with a Cycle

April 3, 2013

[Image: Helsinki city bikes]

No, not that kind of cycle… This kind:

[Image: Cycle]

This is a Risk Control Cycle. It includes Thinking/Observing steps and Action Steps. The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything. Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want. But if you really want ERM, then something else is needed. Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm. This is a favorite topic of RISKVIEWS as well. See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive. That reacts to the environment. Most ERM systems do not have this Reflexive element. Risk limits are set and risk positions are monitored most often assuming a static environment. The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently. In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use. That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment. Plural Rationality theory suggests that there are four different risk environments. If a company adopts this idea, then they need to look for signs that the environment is shifting and, when it seems likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment. The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment. With that RISKVIEWS can heartily agree.

When You Find Yourself in a Hole, Stop Digging

July 2, 2012

Attributed to Will Rogers

Who knew that Will Rogers was a closet Risk Manager? He must have been because that is great risk management advice.

If you have too much of something – the first thing that you should do is to STOP ADDING to your position.

We do not yet have the full story, but it is pretty safe to guess that neither MF Global nor JP Morgan followed that idea. It seems fairly obvious that at some point in time, they each had smaller positions that were already too big and then they ADDED to their positions.

The bank/hedge fund trading mentality suggests that the traders who really tener cojones will be able to keep raising the size of their position until the market breaks.

Insurance companies harbor the same mentality, except that they are never on the big win side of the bet. Insurers win small on any one bet. They win if there is no claim. But even that lopsided situation does not stop insurers from loading up on bets where they already have too much.

So the answer is to invite Will Rogers into your Limit protocol. When you are setting or reviewing your limits for the next period, set a new WILL ROGERS LIMIT. The new WILL ROGERS LIMIT (WRL) is the point where you automatically stop adding to your position if there has not been a discussion and an exception to the WRL.

And that is what risk management is all about.  Just thinking ahead.  It is not magic.  Just listening to the great risk managers of the past.

Does Your Firm Know What To Do At a Yellow Light?

October 17, 2011

An Audi advertisement says:

The Yellow light was invented in 1920. Almost 100 years later, 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time. Everyone anywhere in a hurricane zone knows the annual season for those storms. They make sure that they are prepared during that season and don’t worry so much in the off season. Most risks do not have clear regular seasons, like hurricanes. (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks. And it needs to have plans for what needs to be done in each part of the firm so that they “Proceed with Caution”. And the managers of the affected areas need to know those plans and their own roles. And there needs to be a Yellow (or Amber) light that flashes somewhere. And then the managers need to act; they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD; either Red Lights, Cement Barriers or Brick Walls. A Red Light risk limit means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed. A cement barrier risk limit means that you are prohibited from proceeding when you hit a limit. A brick wall risk limit means that if you hit the limit, you are likely to be terminated. In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals. RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans of how to proceed when the Yellow Light goes on.

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is

“watch out for the other two groups”.

Exceeding Risk Limits – 10 Investor Questions (8)

September 1, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key. Here it is:

This sounds like a “when did you stop beating your wife” type question.  But it isn’t.  In fact it is the opposite.

The wrong answer is “we didn’t have any positions in excess of limits.” That answer indicates that the limits are not effective. They are too high, or else the company has a Berlin Wall type limit system – they shoot anyone who gets close. That sort of limit system discourages thoughtful risk taking. It insists on fearful risk taking. Everyone will be so afraid of getting near the limits that each person will invent their own checkpoint that is lower than the limit. They will stay below the checkpoint instead of the limit. The Berlin Wall type of limit system ends up encouraging everyone in the company to create their own checkpoints. It takes the decision making on risk out of top management hands.

The right answer is that the CEO knows that there have been breaches of the limits and knows why and knows what happened as a result of the breach. The breaches are not a problem if they are low in both frequency and severity.

Having a few breaches means that the people who are empowered to take risks are also looking to find the best opportunities for the firm and are making every effort to make good deals.  They are working as hard as they can to win and they are sometimes a little over enthusiastic.  The company has a system that finds these instances and communicates them all the way up to the top, which they should.  Another reason why the CEO might say that there are no breaches is because the CEO is never told about the breaches.

And the consequences of breaches are important as well.  One firm once told RISKVIEWS that whenever there was a breach of a limit that management reacted by raising the limit!!!

That is equivalent to having no limits. It might be a good result to raise the limit occasionally. But the main reaction to breaching a limit should be to work to get the situation back to within the limit. For market traded investments, the easiest option is to put on a hedge or to sell the position. For insurance risk, the option is to obtain reinsurance. Another reaction might be to cease to accept similar risks until that risk class is within the limit. Finally, there may be a reaction that is some sort of sanction on the person who caused the breach. In some cases the breach may be so significant and so clearly against the policies of the company that termination might be the sanction. That is an unusual situation. In some cases, a person is transferred either temporarily or permanently to a different position. In some cases, the sanction might be an adjustment to bonus. Most common is a reprimand.

The situations where the reaction is to raise the limit might be those where the limit breach was for a transaction that is clearly of exceedingly favorable prospects – one where the risk reward prospects are clearly superior.

In a company with a really vibrant risk management culture, the CEO might want to tell you a story as long and nuanced as the above.  Give that CEO extra points.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

July 25, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  But it is quite possible that the CEO might not know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works well and there are never situations that need to get brought to their attention about excess risks.  Again, that is not such a good sign.  It either means that their staff never takes any significant risks that might need trimming or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

So a firm with a good ERM program might be telling any of those stories in answer to the question.

Getting Independence Right

May 11, 2011

Independence of the risk function is very important.  But often, the wrong part of the risk function is made independent.

It is the RISK MEASUREMENT AND REPORTING part of the risk function that needs to be independent.  If this part of the risk function is not independent of the risk takers, then you have the Nick Leeson risk – the risk that once you start to lose money that you will delay reporting the bad news to give yourself a little more time to earn back the losses, or the Jérôme Kerviel risk that you will simply understate the risk of what you are doing to allow you to enhance return on risk calculations and avoid pesky risk limits.

When Risk Reporting is independent, then the risk reports are much less likely to be fudged in the favor of the risk takers.  They are much more likely to simply and factually report the risk positions.  Then the risk management system either reacts to the risk information or not, but at least it has the correct information to make the decision on whether to act or not.

Many discussions of risk management suggest that there needs to be independence between the risk taking and the entire risk management function.  This is a model for risk disaster, but a model that is very common in banking.  Under this type of independence there will be a steady war.  A war that it is likely the risk management folks will lose.  The risk takers are in charge of making money and the independent risk management folks are in charge of preventing that.  The risk takers, since they bring in the bacon, will always be much more popular with management than the risk managers, who add to costs and detract from revenue.

Instead, the actual risk management needs to be totally integrated within the risk taking function.  This will be resisted by any risk takers who have had a free ride to date.  So the risk takers can decide what would be the least destructive way to stay within their risk limits.  In a system of independent risk management, the risk managers are responsible for monitoring limit breaches and taking actions to unwind over limit situations.  In many cases, there are quite heated arguments around those unwinding transactions.

Under the reporting only independence model, the risk taking area would have responsibility for taking the actions needed to stay within limits and resolving breaches to limits.  (Most often those breaches are not due to deliberate violations of limits, but to market movements that cause breaches to limits to grow out of previously hedged positions.)

Ultimately, it would be preferable if the risk taking area would totally own their limits and the process to stay within those limits.

However, if the risk measurement and reporting is independent, then the limit breaches are reported and the decision about what to do about any risk taking area that is not owning its limits is a top management decision, rather than a risk manager decision that sometimes gets countermanded by the top management.

Not About Capital

April 13, 2011

The reality is that regulatory capital requirements, no matter how much we try to refine them, will always be a blunt tool.  Certainly they should not create the wrong incentives, but we cannot micromanage firm behavior through regulatory capital requirements.  There are diminishing returns to pursuing precision in regulatory capital requirements.

Terri Vaughan, NAIC

These remarks were made in Europe recently by the lead US regulator of the insurance industry.  In Europe, there has never been a regulatory capital requirement that was risk related.  But the Europeans have been making the discussion all about capital for about 10 years now in anticipation of their first risk based capital regime, Solvency II.

The European assumption is that if they follow as closely as possible the regulatory regime that has failed so spectacularly to control the banking system, Basel II, then everything will be under control.

The idea seems to be that if you concentrate, really concentrate, on measuring risk, then insurance company management will really take seriously the idea of managing risk.   Of course, that conclusion is also based upon the assumption that if you really, really concentrate on measuring risk that you will get it right.

But the Law of Risk and Light tells us that our risk taking systems will lead us to avoid the risk in the light and to load up on the risk in the dark.

That means the risks that are properly measured by the risk based capital regulatory system will be managed.

But whatever risks that are not properly measured will come to predominate the system.  The companies that take those risks will grow their business and their profits faster than the companies that do not take those poorly measured risks.

And if everyone is required to use the same expensive risk measurement system, very, very few will invest the additional money to create alternate measures that will see the flaws in the regulatory regime.

The banking system had a flaw.  And many banks concentrated on risks that looked good in the flawed system but that were actually rotten.

What is needed instead is a system that concentrates on risk controlling.  A firm first needs a risk appetite and second needs a system that makes sure that their risks stay within their appetite.

Under a regulatory risk capital system, the most common risk appetite is that a firm will maintain capital above the regulatory requirement.  This represents a transfer of the duty of management and the board onto the regulator.  They never need to say how much risk that they are willing to take.  They say instead that they are in business to satisfy the regulator with regard to their risk taking.

The capital held by the firm should depend upon the firm’s risk appetite.  The capital held should support the risk limits allowed by the board.

And the heart of the risk control system should be the processes that ensure that the risk stays within the limits.

And finally, the limits should not be a part of a game that managers try to beat.  The limits need to be an extremely clear expression of the fundamental way that the firm wants to conduct business.  So any manager that acts in a way that is contrary to the fundamental goals of the firm should not continue to have authority to direct the activities of the firm.

What’s Next?

March 25, 2011

Turbulent Times are Next.

At BusinessInsider.com, a feature from Guillermo Felices tells of 8 shocks that are about to slam the global economy.

#1 Higher Food Prices in Emerging Markets

#2 Higher Interest Rates and Tighter Money in Emerging Markets

#3 Political Crises in the Middle East

#4 Surging Oil Prices

#5 An Increase in Interest Rates in Developed Markets

#6 The End of QE2

#7 Fiscal Cuts and Sovereign Debt Crises

#8 The Japanese Disaster

How should ideas like these impact on ERM systems?  Is it at all reasonable to say that they should not? Definitely not.

These potential shocks illustrate the need for the ERM system to be reflexive.  The system needs to react to changes in the risk environment.  That would mean that it needs to reflect differences in the risk environment in three possible ways:

  1. In the calibration of the risk model.  Model assumptions can be adjusted to reflect the potential near term impact of the shocks.  Some of the shocks are certain and could be thought to impact on expected economic activity (Japanese disaster) but have a range of possible consequences (changing volatility).  Other shocks, which are much less certain (end of QE2 – because there could still be a QE3) may be difficult to work into model assumptions.
  2. With Stress and Scenario Tests – each of these shocks as well as combinations of the shocks could be stress or scenario tests.  Riskviews suggests that developing a handful of fully developed scenarios with 3 or more of these shocks in each would be the most useful.
  3. In the choices of Risk Appetite.  The information and stress/scenario tests should lead to a serious reexamination of risk appetite.  There are several reasonable reactions – to simply reduce risk appetite in total, to selectively reduce risk appetite, to increase efforts to diversify risks, or to plan to aggressively take on more risk as some risks are found to have much higher reward.

The last strategy mentioned above (aggressively take on more risk) might not be thought of by most to be a risk management strategy.  But think of it this way, the strategy could be stated as an increase in the minimum target reward for risk.  Since things are expected to be riskier, the firm decides that it must get paid more for risk taking, staying away from lower paid risks.  This actually makes quite a bit MORE sense than taking the same risks, expecting the same reward for risks and just taking less risk, which might be the most common strategy selected.

The final consideration is compensation.  How should the firm be paying people for their performance in a riskier environment?  How should the increase in market risk premium be treated?

See Risk adjusted performance measures for starters.

More discussion in a future post.

Where to Draw the Line

March 22, 2011

“The unprecedented scale of the earthquake and tsunami that struck Japan, frankly speaking, were among many things that happened that had not been anticipated under our disaster management contingency plans.”  Japanese Chief Cabinet Secretary Yukio Edano.

In the past 30 days, there have been 10 earthquakes of magnitude 6 or higher.  In the past 100 years, there have been over 80 earthquakes of magnitude 8.0 or greater.  The Japanese are reputed to be the most prepared for earthquakes.  And also to experience the most earthquakes of any settled region on the globe.  By some counts, Japan experiences 10% of all earthquakes that are on land and 20% of all severe earthquakes.

But where should they, or anyone making risk management decisions, draw the line in preparation?

In other words, what amount of safety are you willing to pay for in advance, and for what magnitude of loss event are you willing to say that you will have to live with the consequences?

That amount is your risk tolerance.  You will do what you need to do to manage the risk – but only up to a certain point.

That is because too much security is too expensive, too disruptive.

You are willing to tolerate the larger loss events because you believe them to be sufficiently rare.

In New Zealand,  that cost/risk trade off thinking allowed them to set a standard for retrofitting of existing structures of 1/3 of the standard for new buildings.  But, they also allowed 20 years transition.  Not as much of an issue now.  Many of the older buildings, at least in Christchurch are gone.

But experience changes our view of frequency.  We actually change the loss distribution curve in our minds that is used for decision making.

Risk managers need to be aware of these shifts.  We need to recognize them.  We want to say that these shifts represent shifts in risk appetite.  But we need to also realize that they represent changes in risk perception.  When our models do not move as risk perception moves, the models lose fundamental credibility.

In addition, when modelers do things like what some of the cat modeling firms are doing right now, that is moving the model frequency when people’s risk perceptions are not moving at all, they also lose credibility for that.

So perhaps you want scientists and mathematicians creating the basic models, but someone who is familiar with the psychology of risk needs to learn an effective way to integrate those changes in risk perceptions (or lack thereof) with changes in models (or lack thereof).

The idea of moving risk appetite and tolerance up and down as management gets more or less comfortable with the model estimations of risk might work.  But you are still then left with the issue of model credibility.

What is really needed is a way to combine the science/math with the psychology.

Market consistent models come the closest to accomplishing that.  The pure math/science folks see the herding aspect of market psychology as a miscalibration of the model.  But they are just misunderstanding what is being done.  What is needed is an ability to create adjustments to risk calculations that are applied to non-traded risks that allow for the combination of science & math analysis of the risk with the emotional component.

Then the models will accurately reflect how and where management wants to draw the line.

The Difference between Risk & Loss

March 2, 2011

Risk Management has caused many people to substitute one four letter word for another.  They will use the word RISK when they should be saying LOSS.  And there is a world of difference between the two.  It is the difference between the gleam in the eye of the loving newlyweds and the cry of the babe in the middle of the night.  (Really dating myself there.  That is one from a 1950’s movie.)

A RISK is a potential for a LOSS.  The LOSS is the realization of that negative potential.  A RISK is running across a busy street blindfolded.  A LOSS is getting hit by a car while doing that.

All RISKs do not result in LOSSes and all LOSSes do not result from RISKs.

A RISK is putting a revolver with one bullet up to your head and pulling the trigger.  A LOSS is the result of the chamber with the bullet being fired.  A RISK without LOSS is when you pull the trigger and the hammer hits an empty chamber.  A LOSS without RISK would be putting a revolver full of bullets up to your head and pulling the trigger.

So if someone asks you what you intend to do when your RISK limit is exceeded, you have choices.  One of those choices is to ignore the breach and hope that you are fortunate.  Those who make that decision and do not find that RISK turning into a LOSS will go down as RISK geniuses.  Those who find themselves facing a LOSS that is larger than they can bear will be thought to be dunces.

Other choices involve the many ways that one can use to reduce the frequency or severity of the RISK, to bring it within your limit.  But even if you do take those choices, your reduced RISK may still make a LOSS.  If your evaluation of the RISK was correct, then the reduced RISK may not make a LOSS that exceeds your limit.  But if your estimate of the RISK was incorrect and you have a LOSS, then the LOSS may be larger than your limit, even if you carefully followed procedures to reduce the RISK.

But if someone asks you what you intend to do when a LOSS exceeds your limit, that is an entirely different story.  The choices there are few.  The LOSS has happened.  You should then (a) learn to live with the consequences of the LOSS that you were trying to avoid by setting the limit and (b) try to learn the cause of the loss that exceeds your limit and discern whether you can make changes that will help you to avoid such situations in the future.

Learning to live with the consequences of the LOSS may well mean adjusting your risk limits to the lower risk buffers that you may now have access to.  The opposite of learning to live with the consequences is the destructive but common practice of “doubling down”.  When a gambler “doubles down” after a loss they are hoping to make back their losses with their next bet.  Traders are sometimes prone to this thinking.  They conclude that such behavior is the only way to save their job after a large loss.  Often such actions lead to the opposite consequence for the trader.

Learning from the LOSS means tracking down whether the excess LOSS resulted from excess RISK taking, RISK measurement error or results from a predictable but highly unlikely event.  The excess RISK taking can be from failure to follow procedures including the failure cited above to act once a breach of limit is found.  Other failures can be seen from Jared Diamond’s excellent analysis of failure.

However, when answering these questions, be aware that sometimes folks have started to use the word RISK when they should be using the word LOSS.  One person recently was talking about their risk management program and  went so far as to say “realization of the negative potential of a risk” when they meant LOSS.

Risk Capacity Measurement

February 28, 2011

By  Jean-Pierre Berliet

In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.

 

The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:

  • Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.
  • Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.

 

Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.

 

A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.

 

To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.

Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.

 

The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.

 

The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.

 

 

 

 

 

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.


Integrating Risk Capacity and Business Strategy

February 22, 2011

From Jean-Pierre Berliet

To succeed as a “going concern”, an insurance company needs to conduct its business so as to:

• Maintain insurance strength ratings it needs to retain and attract policyholders
• Maintain a capital position deemed adequate by regulators
• Meet shareholders’ expectations for earnings level and stability.

The first two conditions call for a company to demonstrate that it will honor its promises to pay indemnification benefits promptly and fully, i.e. that it is and will remain solvent and have the capital on hand to continue to conduct ‘business as usual’ in the future. They call for a company to determine how much risk capital it needs to ensure its credit worthiness, in relation to risks that it assumes to execute its strategic plan.

The third condition calls for a company to sustain and even enhance its credibility with capital market investors, to support its market valuation, keep its cost of capital and thus also the cost of its risk capacity competitive. If the level and stability of its earnings did not meet the requirements of capital market investors, a company could lose investors’ support. This could cause its valuation multiples to decline and the cost of its capital and risk capacity to increase.

Together, these three conditions require a company to establish a capacity management framework (focused on ensuring solvency and the quality of promises made to policyholders) aligned with its business strategy management process (focused on meeting shareholders’ expectations for financial performance). Note, however, that no such alignment can enable a company to create value for its shareholders unless the company is positioned to achieve a competitive advantage in attracting, serving and retaining customers. It thus behooves management always to verify that their company:

• Can achieve a competitive advantage based on superior risk insights, service capabilities, deal flow generation, cost of capital and operating efficiencies
• Provides products that attract, serve and retain customers
• Has the capital required to sustain the ratings it needs to compete and the willingness to assume the resulting performance volatility
• Has the organizational capabilities needed to manage and control underwriting, claim processing, investment and risk management activities
• Has the insights and processes needed to ensure pricing discipline and alignment of management and shareholders’ interests.

Based on such an explicit understanding of its strategic position and capabilities relative to its competitors’, alignment of risk capacity management and business strategy management calls for a company to integrate relevant strategy considerations outlined above in the components of its risk strategy, especially:

• Risk policy, specifying risks that will be assumed to accomplish financial objectives while meeting risk tolerance constraints of external stakeholders
• Risk appetite, defined as the amount of risk capacity that can be deployed/utilized in pursuit of its strategy in light of the company’s total risk capacity
• Risk limits, which reflect its risk policy and appetite for risk and control risk taking in the development and execution of its operating plans and budgets

Based on projections of financial results expected under a particular risk capacity deployment strategy and business strategy, embodied in a set of risk limits, a company can ascertain whether its plan can meet the return objectives and risk tolerances of its stakeholders. As needed, it can also seek to identify and assess alternative strategies that may provide superior trade-offs between risk and return that may call for changes in risk policy, risk appetite, risk limits and business strategy (the iterative process by which such enhancements can be identified and developed is shown on Figure 2).

Figure 1 displays how solvency risk concerns of policyholders and other credit-focused stakeholders and value risk concerns of shareholders, expressed as risk tolerance constraints, at stated confidence levels and over a defined time period, help to frame a company’s risk strategy. The components of the risk strategy (i.e. risk appetite, risk policy and risk limits) reflect boundaries set on the deployment of a company’s risk capacity by i) the amount of the (paid-up) capital available to support risk assumption and accumulation, and ii) the cost of this capital, generally measured by shareholders’ total return requirement (TSR).

Figure 2 demonstrates how a company can align its business strategy, risk capacity and risk strategy management processes to meet the solvency risk concerns of policyholders and the earnings (value) concerns of shareholders. It demonstrates the distinct places of risk capacity, risk appetite, risk policy, risk limits in the business strategy and risk strategy management processes and highlights the centrality of risk limits to the integration and alignment of these processes.

Managing conflicting agendas

Financial risks generated by, or in connection with, the issuance of insurance contracts manifest themselves in the volatilities of a company’s operating cash-flows and reported earnings that are of concern to i) policyholders and other stakeholders with an interest in its credit worthiness and solvency (rating agencies and regulators) and ii) shareholders with a focus on risk to the value of their investment. These two groups of stakeholders have conflicting views about how a company can best address their risk concerns.

Policyholders, as the most senior creditors, view increases in capital as added protection and a natural protection against the risk of default by a company. By contrast, risk to value for shareholders caused by the volatility of financial results cannot be remedied efficiently by addition of capital (i.e. increases in risk capacity). First, other things being equal, an increase in capital would need to be very large to generate enough income to mitigate earnings volatility sufficiently. Second, such increase would so dilute returns that it would undermine rather than support valuation multiples. Consequently, shareholders look to insurance companies to manage and control the volatility of their cash-flows and earnings through development and implementation of appropriate risk policies designed to limit the volatility of their financial results.

In addition, however, shareholders also concern themselves with declines in relative valuation multiples. Such declines result generally from the incidence of strategic risks, i.e. events that reduce a company’s future earnings or revenue growth prospects by causing i) its competitive position to erode or ii) changes in its operating environment that undermine the viability of its business model. Shareholders expect companies to support their valuation multiples and protect them from strategic risks by i) building flexibility and real options in their strategies, ii) transferring or avoiding risks that cannot be mitigated, iii) pursuing strategies that can support their expectations for profitability and growth.

Conclusion

Based on the framework for integration of risk management and business strategy outlined above, an insurance company could develop a road-map to:
• Align its business strategy with the risk tolerances of its stakeholders as well as the amount and cost of its risk capacity
• Develop the decision frameworks and analytical capabilities needed to integrate its risk and business strategy management processes
By following such a road-map, an insurance company could develop and execute business and risk strategies that enhance its financial performance and its relative market valuation.

Jean-Pierre Berliet
(203) 247-6448
jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion is that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice, build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly document the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Risk Limits and Controlling

December 16, 2010

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

  • Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

What might make sense in that situation would be for the person asked to decide on speed limits to be told what speed they had been going on the long straight-aways, on the gradual curves and on the sharp curves, and how long it took to stop the vehicle at various speeds.  In addition, more trips should be undertaken to gain more experience, and the speed of the vehicle should be noted under various weather conditions as well as on various types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience.  But there are simple exercises that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercise is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past.  For each of those situations, a backwards looking frequency can be assigned.  This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains and losses that were experienced in general.  That frequency is analogous to the weather.  Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model would attribute to a gain or loss of that size.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercise each year of deciding what frequency to assign to the experience of the year’s gains and losses.
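The limit format and the look-back exercise described in this post, worked through as an added Python example that is not part of the original post. The lognormal loss models, their parameters, the earnings figure and the three past years are all constructed assumptions standing in for a firm's own risk model and experience.

```python
"""Added illustration: a risk limit as frequency + severity, and the look-back exercise.

All models, parameters and loss figures below are constructed for this example.
"""
from math import exp, log
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, used for lognormal quantiles and tails


class LognormalLossModel:
    """Hypothetical stand-in for a 'current risk model' of annual losses ($m)."""

    def __init__(self, median_loss: float, sigma: float):
        self.mu = log(median_loss)   # log of the median annual loss
        self.sigma = sigma           # volatility of log-losses

    def loss_at_frequency(self, annual_prob: float) -> float:
        """Loss exceeded with probability `annual_prob` in a year (0.01 = 1-in-100)."""
        if not 0.0 < annual_prob < 1.0:
            raise ValueError("annual_prob must be strictly between 0 and 1")
        return exp(self.mu + self.sigma * _STD_NORMAL.inv_cdf(1.0 - annual_prob))

    def frequency_of_loss(self, loss: float) -> float:
        """Annual probability the model assigns to a loss at least this large."""
        if loss <= 0.0:
            return 1.0
        return 1.0 - _STD_NORMAL.cdf((log(loss) - self.mu) / self.sigma)

    def return_period(self, loss: float) -> float:
        """The same frequency expressed as 'once in N years'."""
        return 1.0 / self.frequency_of_loss(loss)


def check_limit(model, annual_prob, severity_cap):
    """Test a limit of the form 'the 1-in-N loss may not exceed severity_cap'."""
    modeled = model.loss_at_frequency(annual_prob)
    return {"modeled_loss": modeled, "cap": severity_cap,
            "within_limit": modeled <= severity_cap}


def look_back(history, market_model, firm_model):
    """For each past year, assign a frequency to the general experience
    ('the weather') and to the firm's own loss ('how fast it was going')."""
    rows = []
    for year, market_loss, firm_loss in history:
        rows.append({
            "year": year,
            "weather_years": market_model.return_period(market_loss),
            "firm_years": firm_model.return_period(firm_loss),
        })
    return rows


# Constructed inputs ($m): market-wide and firm models, and three past years.
MARKET_MODEL = LognormalLossModel(median_loss=1000.0, sigma=0.6)
FIRM_MODEL = LognormalLossModel(median_loss=40.0, sigma=0.5)
QUARTER_EARNINGS = 150.0
HISTORY = [
    ("year A", 1000.0, 40.0),    # ordinary year for both
    ("year B", 1000.0, 110.0),   # ordinary weather, firm had a bad year
    ("year C", 4000.0, 60.0),    # severe weather, firm came through mildly
]

if __name__ == "__main__":
    result = check_limit(FIRM_MODEL, 0.01, QUARTER_EARNINGS)
    print(f"1-in-100 loss {result['modeled_loss']:.1f} vs cap {result['cap']:.1f}: "
          f"{'within' if result['within_limit'] else 'BREACHES'} limit")
    for row in look_back(HISTORY, MARKET_MODEL, FIRM_MODEL):
        print(f"{row['year']}: weather 1-in-{row['weather_years']:.0f}, "
              f"firm 1-in-{row['firm_years']:.0f}")
```

Year B is the case the exercise is meant to surface: the weather was ordinary, yet the firm's own loss sits far out in the tail of its model.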

Changing Risk Tolerance

August 22, 2010

One of the reasons that many firms have not yet set a risk tolerance seems to be that management is afraid that the Risk Tolerance will then take over the company and they will no longer be able to make major decisions because of the risk tolerance.

I imagine the picture of a large sumo wrestler with the name “risk tolerance” sitting in the  corner of the executive conference room.  It would be really smart to avoid making risk tolerance unhappy.

But that is not really the case.  Risk Tolerance is not going to sit on you if you make the wrong decision.  Risk Tolerance is not going to actively insist that you make a decision that you know is wrong.

Risk Tolerance is more like the little brother that tags along behind you.  You know that if you do anything little brother will tell Mom.

Risk Tolerance is a commitment to acting as your own little brother.  Telling on yourself if you take on risk that goes beyond a certain pre-agreed upon point.

Then it is up to you to convince the higher authority that your risk taking was appropriate for whatever reason that you have.

In addition, Risk Tolerance should not be carved in stone.  Risk Tolerance should be written on the white board in Erasable marker.  You should not expect to clean that board every week.  But the option will always be there to walk up to the board and wipe it clean.

That does not mean that every time that it is inconvenient that the Risk Tolerance should be changed.  But it does mean that as the world changes, you should be sure that your Risk Tolerance still means what you intended it to mean when it was set.

Otherwise, you are in danger of having it turn into a Sumo Wrestler in the corner.

Responsibility for Risk Management

July 28, 2010

Who should have responsibility for risk management?

Is it the CRO? Is it the Business Unit Heads? Is it everyone? Or is it the CEO (as Buffett suggests)?

My answer to those questions is YES. Definitely.

You see, there is plenty of risk to go around.

The CEO should be responsible for the Firm Killing Risks. He/She should be the sole person who is able to commit the firm to an action that creates or adds to a firm killing risk position. He/She should have control systems in place so that they know that no one else is taking any Firm Killing Risks. He/She should be in a constant dialog with the board about these risks and the necessity for the risks as well as the plans for managing those sorts of risks.

At the other end of the spectrum, there are the Bad Day Risks. Everyone should be responsible for their share of the Bad Day Risks.

And somewhere in the middle are the risks that the CRO and Business Unit Heads should be managing. Those might be the Bad Quarter Risks or the Bad Year Risks.

As the good book says, “To each according to his ability”. That is how Risk Management responsibility should be distributed.

It’s Usually the Second Truck

July 8, 2010

In many cases, companies survive the first bout of adversity.

It is the second bout that kills.

And more often than not, we are totally unprepared for that second hit.

Totally unprepared because of how we misunderstand statistics.

First of all, we believe that large loss events are unlikely and two large loss events are extremely unlikely.  So we decide not to prepare for the extremely unlikely event that we get hit by two large losses at the same time.  And in this case, “at the same time” may mean in subsequent years.  Some who look at correlation, only use an arbitrary calendar year split out of experience data.  So that they would consider losses in the third and fourth quarter to be happening at the same time but fourth quarter and first quarter of the next year would be considered different periods and therefore might show low correlations!

Second, we fail to deal with our reduced capacity immediately after a major loss event.  We still think of our capacity as it was before the first hit.  A part of our risk management plans for a major loss event should have been to immediately initiate a process to rationalize our risk exposures with our newly reduced capacity.  This may in part be due to the third issue.

Third, we misunderstand that the fact of the first event does not reduce the likelihood of the other risk events.  Those joint probabilities that made the dual event so unlikely no longer apply.  In fact, with the reduced capacity, the type of event that would incapacitate the firm has suddenly become much more likely.

Most companies that experience one large loss event do not experience a second shortly thereafter, but many companies that fail do.

So if your interest is to reduce the likelihood of failure, you should consider the two loss event situation as a scenario that you prepare for.

But those preparations will present a troubling alternative.  If, after the first major loss event, the actions needed include a sharp reduction in retained risk position, that will severely reduce the likelihood of growing back capacity.

Management is faced with a dilemma – that is two choices, neither of which is desirable.   But as with most issues in risk management, better to face those issues in advance and to make a reasoned plan, rather than looking away and hoping for the best.

But on further reflection, this issue can be seen to be one of over concentration in a single risk.  Some firms have reacted to this whole idea by setting their risk tolerance such that any one loss event will be limited to their excess capital.  Their primary strategy for this type of concentration risk is in effect a diversification strategy.

Increasing the usefulness of ERM

June 27, 2010

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM frameworks were shown to:

  • Align performance metrics with management’s performance measurement philosophy
  • Integrate ERM into daily management activities

The following two sections discuss these issues and suggest action steps that insurance companies should take to establish ERM as a more robust and valuable management process.

1.  Aligning performance metrics with management’s performance measurement philosophy

To provide useful guideposts for business decisions, the risk adjusted performance measurement framework supporting ERM needs to reflect senior management’s views regarding alignment of responsibilities and performance metrics. Alignment is ensured by i) matching of the structure of the financial management reports to the boundaries of business segment, ii) accurate attribution of capital, premium revenues, investment income and expenses to business segments and iii) segregation in financial reports of the results associated with the current period from the impact of business written in prior years.

This alignment ensures appropriate distinctions between results of current and past decisions and a sharp focus on differences in drivers of performance.

In practice, leading companies are making explicit decisions about the design and features of the financial performance measures they develop by developing customized answers to questions such as the following:

  • Are business segments to be evaluated on a stand alone basis or in a portfolio context (i.e. after attribution of a capital credit for diversification)?
  • Are business segments to be evaluated as if their assets earned risk free, duration matched investment income? Or the average rate of return on the investment portfolio?
  • Are business segments to be evaluated in relation to their “consumption” of economic capital? Regulatory capital? Rating agency capital?
  • Should individual business segments bear the cost of “excess” or “stranded” capital?
  • Should performance benchmarks vary across business segments, in line with differences in the volatility of their total risk? Or differences in exposure/premium leverage across lines? Or differences in contribution to corporate debt capacity?
  • How granular does such reporting need to be?
  • Should performance metrics be developed in a policy/underwriting year framework? Would such metrics need to be reconciled with metrics based on fiscal year GAAP reported numbers?
  • How should the period performance of the in-force (or liabilities run off) be measured and separated from the performance of the “new business”? To what extent and how should the performance of “renewal” policies be separated from that of policies written for new customers in property, casualty companies?
  • Should the performance reporting framework provide only period measures of performance or should it be extended to capture the longer term economic value of insurance contracts, such as the change in the embedded value of the business?
  • Should the performance reporting framework be extended to incorporate stochastic performance metrics such as Earnings@Risk or Embedded Value@Risk?

Leading ERM practitioners, especially in Europe, have found that the usefulness, but also the complexity and cost of risk adjusted performance metrics are determined by the desired level of granularity in reporting, and design decisions in i) risk measurement, ii) capital measurement and, iii) financial reporting. The availability and quality of risk and financial data determine to a significant degree the level of granularity that can be built to support ERM.

In my experience, success in establishing ERM is highly dependent on the level of effort that companies devote to designing a reporting framework that the organization can understand and embrace intuitively, without having to be trained in advanced financial or risk topics. Setting out to develop the most rigorous and actuarially correct framework is likely to result in poor acceptance by operating managers.

2. Integrating ERM into daily management activities

Many senior executives recognize that establishing an ERM process is an obligation that cannot be avoided in today’s environment. They also have a strong intuitive sense that the science of risk measurement and analysis offered by the actuarial profession and other specialists in risk does not yet provide robust answers to many important questions that are asked by people who manage the operations of insurance companies day by day. Differences in perspectives between executives in the corporate center and the managers of business units hamper the effectiveness of ERM. Bridging these differences is a major challenge to the establishment of ERM. This challenge is rooted in fundamental differences in the roles and responsibilities of these actors.

Corporate center executives who operate under oversight of the Board of Directors are highly sensitive to risk concerns of shareholders. It is natural for these executives to take an aggregate view of risk, across the business portfolio. They contribute to corporate performance by  making i) strategic risk management decisions in connection with capacity deployment, reinsurance and asset allocation, ii) operational risk management decisions principally in connection with the management of shared services. Their most important risk decisions, related to capital allocation, involve significant strategic risks.

By contrast, business unit managers have a different outlook. They are typically more focused on meeting the needs of policyholders. They are more likely to view risk as stemming from products and customers.  From their point of view risk management starts with product design, underwriting and pricing decisions, control of risk accumulations and concentrations, product mix and customer mix. With regards to operational risk, their activity places them on the front line to control the “execution risks” elements of operational risk. Business unit managers tend to view requests for support of ERM as distractions from serving policyholders and accomplishing their goals. They believe that they help protect shareholders from value loss by focusing on establishing and maintaining a competitive advantage.

The CFO of a very large insurance group confided to me recently that aligning the perspectives of executives at the corporate center with that of business managers was a challenge of great importance. He expressed the view that results from risk models cannot be used simplistically and that experience and business judgment are needed to guide decisions. Caution and prudence are especially important in interpreting decision signals when model results appear unstable or when complexity makes it difficult to recognize possible biases. He had become interested in using a combination of approaches to develop reliable insights into strategy and risk dynamics in his company.  He was particularly focused on finding ways to bring these insights to bear on the daily activities of employees who manage risk accumulation, risk mitigation and risk transfer activities, on both sides of the balance sheet. In his judgment, borne out by other discussions and my experience with clients, ERM comes to life and creates value best when a top down framework initiated by senior management is embraced bottom up throughout the organization.

Consistent with these considerations, ERM appears to work best in companies in which operating managers have “bought in” ERM and embraced the perspective it provides. In many of these companies, one observes that:

  • Risk management responsibility is owned by operating managers
  • Product definitions and investment boundaries are clear and matched to explicit risk limits
  • Policies and procedures have been co-developed with operating personnel
  • Product approval and risk accumulation are subject to oversight by the central ERM unit
  • Risk and value governance are integrated through a committee with authority to adjudicate decisions about trade-offs between risks and returns
  • Compliance and exceptions are subject to review by senior management

It is important to observe that none of the considerations discussed in the two sections of this note are about the technical components of risk management. Rather, they define a context for accountability, empowerment and appropriate limitations on the activities of people who run day to day operation in insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

jpberliet@att.net

Window Dressing

May 26, 2010

The Wall Street Journal reported today that banks are again very actively doing significant amounts of end of the quarter clean-up that is otherwise known as “window dressing”.

This is a practice that works well, allowing banks to hold capital (figured on their quarter end balance sheets) that is much lower than the risk levels that they are using to create their profits.  This makes them look safer to investors in addition to boosting their ROE.

And while it probably is within the rules of Basel II, it violates the underlying idea behind Pillar 1 and Pillar 3.

The idea behind Pillar 1 is that the banks should hold capital for their risks.  This window dressing practice clearly illustrates one of the major logical flaws in the application of Pillar 1.

To understand the flaw, you need to think for a minute about what the capital is for.  It is not actually for the risks that the bank held during the quarter, nor is it mostly for the risks that happen to be on the balance sheet as of the end of the quarter.  It is primarily to protect the bank in the event of losses from the risks that the banks will be exposed to during the next quarter.  The beginning of quarter balance sheet is being used as a proxy for the risks over the coming quarter.

For a firm that has a highly disciplined risk management process, it would actually make more sense for the firm to hold capital for the RISK LIMITS that it has extended for the coming quarter.  That would be a firm where you could rely upon them to keep their risks within their risk limits for the most part. This makes more sense than holding capital for some arbitrary point in time.  The window dressing proves that point better than any possible theoretical argument.  Besides being the wrong idea, it is subject to easy manipulation.

For firms that are not disciplined in keeping their risks within their risk limits, something higher than the level of capital on their risk limits would be the logical level.  For these firms it would make sense to keep track of the degree to which they exceed their limits (at maximum) and charge them for capital at a level above that.  Say for example 200%.  So if a firm exceeds its risk limits by 10% at maximum in a quarter, their capital for the next quarter would be 120% of the capital needed to support their risk limits for the following quarter.

This check on risk discipline would have several benefits.  It moves the easy possibility of manipulation away from the capital level.  The “legal” window dressing would have to be replaced by fraudulent manipulation of risk reports to fix the capital level.  In addition, the degree to which a bank exceeds its risk limit could be disclosed under Pillar 3 and then investors and counterparties could give their reaction to a bank that cannot control its risk exposures.

In addition, this same logic could be applied to insurers under Solvency II.  There is no reason why insurance regulators need to follow the flawed logic of the banking regulators.

Addendum:  Above I say that the window dressing works well.  That is only partly true.  Sometimes, it does not work at all.  And banks can become stuck with risks and losses from those risks that are far larger than what they had been disclosing.  That happens when markets freeze up.

You see, if many banks are doing the same sorts of window dressing, they all run the risk that there will be too many sellers and not enough buyers for those couple of days at the end of the quarter.  Or maybe just for that one night.  And the freeze is likeliest when the losses are about to strike.

So in reality, window dressing is not a good plan if you believe that things can ever go poorly.

Managed Risk Taking

May 12, 2010

Is your ALM system a risk management system or is ALM a process at your firm for managed risk taking?

It appears that banks and insurers both use the term ALM to refer to the process that they use with interest rate change risk.  But in general, banks are using ALM as a part of a managed risk taking system, while insurers are most often using ALM as a risk management system.

The difference is in the acceptable targets.  Insurers most often have a target for matching of assets and liabilities to within a 0.50 tolerance in difference in duration for example.  The tolerance is most often justified as a practical consideration, allowing the managers of the ALM system to avoid making too many expensive small moves and to gently steer the portfolio into the matched situation.

Banks will have a much larger mismatch allowance.  A part of the basic business of banks is to borrow funds short term and to lend them long term.  There is a significant duration mismatch embedded into their business model.  The ALM managers are there to make sure that the interest rate risk does not grow beyond those tolerances.  The bank should be setting the limit for mismatch to a level of loss that they can afford.

It is fascinating that for the most part, insurers who are generally buy and hold risk takers are unwilling to take advantage of the generally upward sloping yield curve in anywhere near the level that banks are.  Insurers tend to look at their risks as good risks and bad risks and to avoid any exposure to the bad risks if possible.  Interest rate change risk is seen as a bad risk, probably because (a) there is no underwriting, no selection involved and (b) the risk is totally uncontrollable.

Insurers like risks where they can develop an expertise of underwriting the risk, selecting the better risks over the worse risks.  Interest rate risk, at least within economies has no specific risk component.  If there was underwriting involved, that underwriting would be trying to figure out the forces that drive interest rates up and down.  And that is very difficult to do.

The interest rate change risk is totally uncontrollable because there is no claims management.  There is a major subjective, personal element in the form of the central bankers setting the rates at the short end.  The rates at the long end are driven by both supply and demand as well as by inflation assumptions.  So to get interest rates right, one would need to read the minds of the central bankers, predict the need for funding and the amount of capital available at various rate levels for various terms as well as the expectations of the market for inflation.  Good luck.

There is another difference between banks and insurers that perhaps explains the difference in strategies.  The banks are usually able to get their money on a short term basis, paying the low short term interest rates.  Insurers, on the other hand, usually get their funds for a longer term.  They may not always need to promise a long term interest rate, but they usually want to keep their customers for the long term, so they want to make plans to pay interest rates at a level consistent with long term.

And if you follow yield curves over time, you will notice that the steepest and most reliable part of the yield curve is at the very short end of the curve.  At the middle of the curve, there is not always an upward slant that is large enough to justify the risk of a significant mismatch, nor is it reliable enough to build your business off of it.

So maybe the two segments have it right for their situations.  Banks can have their managed risk taking system while insurers need their risk management system.

Risk Impact Thresholds

May 3, 2010

Tipping the ERM Scale Toward Survival

By MICHAEL A. COHEN

Enterprise risk management experts, and surely even many neophytes, are fairly adept at identifying exposures and events that can impede their organizations. What is much more difficult is measuring the potentially adverse impact of risks, making this the biggest X factor in the ERM process.

Consequently, it is quite challenging to determine how much risk exposure an organization can “tolerate”—that is, the extent of adverse risk impact a company can absorb so that the attainment of its goals will not be jeopardized.

It is equally difficult to assess a company’s “threshold” to absorb these risk consequences—that is, the cross-over points beyond which significant strategic and operational changes need to be made.

What Might Your Stakeholders Do?

TRIGGERS:

  • Financial Outcomes: impact on capital and earnings
  • Business Line inadequacy: products and features, service
  • Business Misconduct and reputational impairment: putting future viability at risk

REACTIONS:

  • Customers or producers might cease doing business with firm or reduce volume
  • Investors might sell stock lowering the price in the process
  • Board might replace management or reduce compensation
  • Lenders might charge a higher price for capital
  • Rating agencies might downgrade
  • Institutional customers might not be permitted to do business with firm

As a result, it is likely that many organizations are exposed to risks that would materially compromise not only their current course but their very existence. In fact, the events of the last two years have dramatically highlighted this exposure, and many firms have been greatly harmed. Just ask AIG and Lehman Brothers.  Measurement of risk impact—both quantitative and qualitative—is clearly the most critical endeavor to perform accurately in determining an organization’s tolerance for risk.  It is possible for each element of the risk measurement and reporting process to be flawed, as they are often performed in a vacuum—the result can be too narrow and theoretical in scope.  The quantifying component of risk measurement is built upon mathematics and modeling, utilizing:

  • A series of approximations and assumptions.
  • Identification of elements/variables to measure.
  • Determination of the relationship between the various risk factors and the outcomes they might jeopardize

The qualifying component, however, is often built on psychology—its effect on decision-making and the “emotional intelligence” of the individuals making judgments on risk. Consider the following:

  • People work on problems they think they can solve, and they avoid those they don’t think they can solve—due to complexity or political reasons. Elements in the latter category won’t be addressed.
  • They are slow and cautious in reacting to new information and reluctant to admit ignorance or mistaken assumptions. Solutions to risk mitigation may exist, but might not be implemented without inordinate study—paralysis by analysis.
  • They look at fewer as opposed to more perspectives, possibly missing a better solution.
  • They often place greater value on what they themselves have created than on what others have done, and may well miss out on higher-order thinking generated by a group and on the critical perspectives of others.


LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple-minded tick-the-box exercise.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • It was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans need to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

The Evidence is all Around

March 24, 2010

In October 2008, Alan Greenspan had the following exchange during testimony before a Congressional committee:

Representative HENRY WAXMAN (Committee Chairman, Democrat, 30th District of California): You found a flaw in the reality…

Mr. GREENSPAN: Flaw in the model that I perceived is a critical functioning structure that defines how the world works, so to speak.

Rep. WAXMAN: In other words, you found that your view of the world, your ideology was not right. It was not working.

Mr. GREENSPAN: How it – precisely. That’s precisely the reason I was shocked, because I’ve been going for 40 years or more with very considerable evidence that it was working exceptionally well.

One of the things in that model was an assumption that the self interest of the bankers was a more important factor in containing their risks than regulations.

But the evidence that self interest is insufficient to control excessive risk taking is all around us and has been for many, many years.  It takes a massive amount of selective blindness to ignore it.

All it takes is to take your car out of the driveway and drive on the roads.  Driving involves risk management decision making.  For one thing, almost everyone drives a car that is capable of traveling much faster than the speed limit.  And the speed limits are only very occasionally enforced.  So it is an individual risk management decision of how fast to drive a car.

Now, I happen to live in an area of the New York City suburbs where many of the folks who work on Wall Street firms live.  And the evidence is all around.  Many drivers do not put long term safety self interest above short term time advantage of speeding.  In many cases, they are deliberately trying to take advantage of the folks who are trying to be safe and driving extra recklessly under the assumption that they will not run into someone who is driving as recklessly as they are.

Now it is quite possible that none of the reckless drivers are Wall Street executives.  But the reckless drivers are all people.  And the readily available evidence with 50 years or more of accident statistics to back up shows that self interest is NOT sufficient motivation for safety.

Perhaps economists and especially central bankers do not own cars.

To the rest of us who do, the theory seems to be from another planet.  The people that are risk takers and the people who drive safely are two different sets of people.

Risk Management in 2009 – Reflections

December 26, 2009

Perhaps we will look back at 2009 and recall that it is the turning point year for Risk Management.  The year that boards and management and regulators all at once embraced ERM and really took it to heart.  The year that many, many firms appointed their first ever Chief Risk Officer.  The year when they finally committed the resources to build the risk capital model of the entire firm.

On the other hand, it might be recalled as the false spring of ERM before its eventual relegation to the scrapyard of those incessant series of new business management fads like Management by Objective, Managerial Grid, TQM, Process Re-engineering and Six Sigma.

The Financial Crisis was in part due to risk management.  Put a helmet on a kid on a bicycle and they go faster down that hill.  And if the kid really doesn’t believe in helmets and they fail to buckle the chin strap and the helmet blows off in the wind, so much the better.  The wind in the hair feels exhilarating.

The true test of whether the top management is ready to actually DO risk management is whether they are expecting to have to change some of their decisions based upon what their risk assessment process tells them.

The dashboard metaphor is really a good way of thinking about risk management.  A reasonable person driving a car will look at their dashboard periodically to check on their speed and on the amount of gas that they have in the car.  That information will occasionally cause them to do something different than what they might have otherwise done.

Regulatory concentration on Risk Management is, on the whole, likely to be bad for firms.  While most banks were doing enough risk management to satisfy regulators, that risk management was not relevant to stopping or even slowing down the financial crisis.

Firms will tend to load up on risks that are not featured by their risk assessment system.  A regulatory driven risk management system tends to be fixed, while a real risk management system needs to be nimble.

Compliance based risk management makes as much sense for firms as driving at the speed limit regardless of the weather, road conditions or the conditions of the car’s brakes and steering.

Many have urged that risk management is as much about opportunities as it is about losses.  However, that is then usually followed by focusing on the opportunities and downplaying the importance of loss controlling.

Preventing a dollar of loss is just as valuable to the firm as adding a dollar of revenue.  A risk management loss controlling system provides management with a methodology to make that loss prevention a reliable and repeatable event.  Excess revenue has much more value if it is reliable and repeatable.  Loss control that is reliable and repeatable can have the same value.

Getting the price right for risks is key.  I like to think of the right price as having three components.  Expected losses.  Risk Margin.  Margin for expenses and profits.  The first thing that you have to decide about participating in a market for a particular type of risk is whether the market is sane.  That means that the market is realistically including some positive margin for expenses and profits above a realistic value for the expected losses and risk margin.

Most aspects of the home real estate and mortgage markets were not sane in 2006 and 2007.  Various insurance markets go through periods of low sanity as well.

Risk management needs to be sure to have the tools to identify the insane markets and the access to tell the story to the real decision makers.

Finally, individual risks or trades need to be assessed and priced properly.  That means that the insurance premium needs to provide a positive margin for expenses and profits above the realistic provision for expected losses and a reasonable margin for risk.

There were two big hits to insurers in 2009.  One was the continuing problems to AIG from its financial products unit.  The main lesson from their troubles ought to be TANSTAAFL.  There ain’t no such thing as a free lunch.  Selling far out of the money puts and recording the entire premium as a profit is a business model that will ALWAYS end up in disaster.

The other hit was to the variable annuity writers.  In their case, they were guilty of only pretending to do risk management.  Their risk limits were strange historical artifacts that had very little to do with the actual risk exposures of the firm.  The typical risk limits for a VA writer were very low risk retained from equities if the potential loss was due to an embedded guarantee and no limit whatsoever for equity risk that resulted in drops in basic M&E revenue.  A typical VA hedging program was like a homeowner who insured every item of his possessions from fire risk, but who failed to insure the house!

So insurers should end the year of 2009 thinking about whether they have either of those two problems lurking somewhere in their book of business.

Are there any “far out of the money” risks where no one is appropriately aware of the large loss potential?

Are there parts of the business where risk limits are based on tradition rather than on risk?

Have a Happy New Year!

Violator of Risk Limit

December 11, 2009

 

This may not be your corporate policy.  But you should make clear to all whether your risk limits are hard, soft or gigantic.

A Hard risk limit is one where there just may be a rock and a snake for the violator.  Violations of limits are not expected to happen in a system with hard risk limits.  So maybe no one knows what the consequences are.  In systems with very hard limits, a system of “checkpoints” may develop that are actually soft limits that help managers to avoid coming too close to the hard limits.  These firms may have rules like “violations of limits must be reported to the board at the very next meeting”.  In addition, there may be a hard requirement to reverse or offset the actions that led to the violation within some short period of time, sometimes something like 72 hours. 

A Soft risk limit is very much the opposite.  Violation of a soft risk limit might most often result in raising the limit.  Or violations may simply be allowed to stand without any special notice or attempt to reverse.  A more disciplined soft limit system may track the number of violations and use the count of violations as an indication of potential issues.

A Gigantic risk limit is very common.  There is no need to decide whether a Gigantic risk limit is hard or soft, because there is little chance that the firm will ever approach the limit.  Gigantic limits are often 200% or more than expected positions.  Commonly, Gigantic limits are found in formal investment policies of firms or funds.  These are deliberately set so high that they will not get in the way of day to day operations of the investment managers, even if they want to make significant changes to the make-up of the fund.  Unfortunately, many firms have not yet realized that these policy limits are not useful risk limits.  But they do save money on snakes.

Risk Management Changed the Landscape of Risk

December 9, 2009

The use of derivatives and risk management processes to control risk was very successful in changing the risk management Landscape.

But that change has been in the same vein as the changes to forest management practices that saw us eliminating the small forest fires only to find that the only fires that we then had were the fires that were too big to control.  Those giant forest fires were out of control from the start and did more damage than 10 years of small fires.

The geography of the world from a risk management view is represented by this picture:

The ball represents the state of the world.  Taking a risk is represented by moving the ball one direction or the other.  If the ball goes over the top and falls down the sides, then that is a disaster.

So risk managers spend lots of time trying to measure the size of the valley and setting up processes and procedures so that the firm does not get up to the top of the valley onto one of the peaks, where a good stiff wind might blow the firm into the abyss.

The tools for risk management, things like derivatives with careful hedging programs now allowed firms to take almost any risk imaginable and to “fully” offset that risk.  The landscape was changed to look like this:

Managers believed that the added risk management bars could be built as high as needed so that any imagined risk could be taken.  In fact, they started to believe that the possibility of failure was not even real.  They started to think of the topology of risk looking like this:

Notice that in this map, there is almost no way to take a big enough risk to fall off the map into disaster.  So with this map of risk in mind, company managers loaded up on more and more risk.

But then we all learned that the hedges were never really perfect.  (There is no profit possible with a perfect hedge.)  And in addition, some of the hedge counterparties were firms who jumped right to the last map without bothering to build up the hedging walls.

And we also learned that there was actually a limit to how high the walls could be built.  Our skill in building walls had limits.  So it was important to have kept track of the gross amount of risk before the hedging.  Not just the small net amount of risk after the hedging.

Now we need to build a new view of risk and risk management.  A new map.  Some people have drawn their new map like this:

They are afraid to do anything.  Any move, any risk taken might just lead to disaster.

Others have given up.  They saw the old map fail and do not know if they are ever again going to trust those maps.

They have no idea where the ball will go if they take any risks.

So we risk managers need to go back to the top map again and revalidate our map of risk and start to convince others that we do know where the peaks are and how to avoid them.  We need to understand the limitations to the wall building version of risk management and help to direct our firms to stay away from the disasters.

You may have missed these . . .

November 22, 2009

Riskviews was dormant from April to July 2009 and restarted as a forum for discussions of risk and risk management.  You may have missed some of these posts from shortly after the restart…

Crafting Risk Policy and Processes

From Jawwad Farid

Describes different styles of Risk Policy statements and warns against creating unnecessary bottlenecks with overly restrictive policies.

A Model Defense

From Chris Mandel

Suggests that risk models are just a tool of risk managers and therefore cannot be blamed.

No Thanks, I have enough “New”

Urges thinking of a risk limit for “new” risks.

The Days After – NEVER AGAIN

Tells how firms who have survived a near death experience approach their risk management.

Whose Loss is it?

Asks about who gets what shares of losses from bad loans and suggests that shares have drifted over time and should be reconsidered.

How about a Risk Diet?

Discusses how an aggregate risk limit is better than silo risk limits.

ERM: Law of Unintended Consequences

From Neil Bodoff

Suggests that accounting changes will have unintended consequences.

Lessons from a Bull Market that Never Happened

Translates lessons learned from the 10 year bull market that was predicted 10 years ago from investors to risk managers.

Choosing the Wrong Part of the Office

From Neil Bodoff

Suggests that by seeking to be risk managers, actuaries are choosing the wrong part of the office.

Random Numbers

Some comments on how random number generators might be adapted to better reflect the variability of reality.

Non-Linearities and Capacity

November 18, 2009

I bought my current house 11 years ago.  The area where it is located was then in the middle of a long drought.  There was never any rain during the summer.  Spring rains were slight and winter snow in the mountains that fed the local rivers was well below normal for a number of years in a row.  The newspapers started to print stories about the levels of the reservoirs – showing that the water was slightly lower at the end of each succeeding summer.  One year they even outlawed watering the lawns and everyone’s grass turned brown.

Then, for no reason that was ever explained, the drought ended.  Rainy days in the spring became common and one week it rained for six days straight.

Every system has a capacity.  When the capacity of a system is exceeded, there will be a breakdown of the system of some type.  The breakdown will be a non-linearity of performance of the system.

For example, the ground around my house has a capacity for absorbing and running off water.  When it rained for six days straight, that capacity was exceeded and some of the water showed up in my basement.  The first time that happened, I was shocked and surprised.  I had lived in the house for 5 years and there had never been a hint of water in the basement.  I cleaned up the effects of the water and promptly forgot about it.  I put it down to a 1 in 100 year rainstorm.  In other parts of town, streets had been flooded.  It really was an unusual situation.

It happened again the very next spring, this time after just 3 days of very, very heavy rain.  The flooding in the local area was extreme.  People were driven from their homes and they turned the high school gymnasium into a shelter for a week or two.

It appeared that we all had to recalibrate our models of rainfall possibilities.  We had to realize that the system we had for dealing with rainfall was being exceeded regularly and that these wetter springs were going to continue to exceed the system.  During the years of drought, we had built more and more in low lying areas and in ways that we might not have understood at the time, we altered the overall capacity of the system by paving over ground that would have absorbed the water.

For me, I added a drainage system to my basement.  The following spring, I went into my basement during the heaviest rains and listened to the pump taking the water away.

I had increased the capacity of that system.  Hopefully the capacity is now higher than the amount of rain that we will experience in the next 20 years while I live here.

Financial firms have capacities.  Management generally tries to make sure that the capacity of the firm to absorb losses is not exceeded by losses during their tenure.  But just like I underestimated the amount of rain that might fall in my home town, it seems to be common that managers underestimate the severity of the losses that they might experience.

Writers of liability insurance in the US underestimated the degree to which the courts would assign blame for use of a substance that was thought to be largely benign at one time that turned out to be highly dangerous.

In other cases, though, it was the system capacity that was misunderstood.  Investors misestimated the capacity of internet firms to productively absorb new cash from the investors.  Just a few years earlier, the capacity of Asian economies to absorb investors’ cash was over-estimated as well.

Understanding the capacity of large sectors or entire financial systems to absorb additional money and put it to work productively is particularly difficult.  There are no rules of thumb to tell what the capacity of a system is in the first place.  Then to make it even more difficult, the addition of cash to a system changes the capacity.

Think of it this way, there is a neighborhood in a city where there are very few stores.  Given the income and spending of the people living there, an urban planner estimates that there is capacity for 20 stores in that area.  So with encouragement of the city government and private investors, a 20 store shopping center is built in an underused property in that neighborhood.  What happens next is that those 20 stores employ 150 people and for most of those people, the new job is a substantial increase in income.  In addition, everyone in the neighborhood is saving money by not having to travel to do all of their shopping.  Some just save money and all save time.  A few use that extra time to work longer hours, increasing their income.  A new survey by the urban planner a year after the stores open shows that the capacity for stores in the neighborhood is now 22.  However, entrepreneurs see the success of the 20 stores and they convert other properties into 10 more stores.  The capacity temporarily grows to 25, but eventually, half of the now 30 stores in the neighborhood go out of business.

This sort of simple micro economic story is told every year in university classes.


It clearly applies to macroeconomics as well – to large systems as well as small.  Another word for these situations where system capacity is exceeded is systemic risk.  The term is misleading.  Systemic risk is not a particular type of risk, like market or credit risk.  Systemic risk is the risk that the system will become overloaded and start to behave in a severely non-linear manner.  One severe non-linear behavior is shutting down.  That is what the interbank lending did in 2008.

In 2008, many knew that the capacity of the banking system had been exceeded.  They knew that because they knew that their own bank’s capacity had been exceeded.  And they knew that the other banks had been involved in the same sort of business as them.  There is a name for the risks that hit everyone who is in a market – systematic risks.  Systemic risks are usually Systematic risks that grow so large that they exceed the capacity of the system.  The third broad category of risk, specific risks, are not an issue, unless a firm with a large amount of specific risk that exceeds their capacity is “too big to fail”.  Then suddenly specific risk can become systemic risk.

So everyone just watched when the sub prime systematic risk became a systemic risk to the banking sector.  And watched the specific risk to AIG lead to the largest single firm bailout in history.

Many have proposed the establishment of a systemic risk regulator.  What that person would be in charge of doing would be to identify growing systematic risks that could become large enough to become systemic problems.  Then they are responsible for taking or urging actions that are intended to defuse the systematic risk before it becomes a systemic risk.

A good risk manager has a systemic risk job as well.  The good risk manager needs to pay attention to the exact same things – to watch out for systematic risks that are growing to a level that might overwhelm the capacity of the system.  The risk manager’s responsibility is then to urge their firm to withdraw from holding any of the systematic risk.  Stories tell us that happened at JP Morgan and at Goldman.  Other stories tell us that didn’t happen at Bear or Lehman.

So the moral of this is that you need to watch not just your own capacity but everyone else’s capacity as well if you do not want stories told about you.

Turn VAR Inside Out – To Get S

November 13, 2009


Survival.  That is what you really want to know.  When the Board meeting ends, the last thing that they should hear is management assuring them that the company will be in business still when the next meeting is due to be held.


But it really is not in terms of bankruptcy, or even regulatory take-over.  If your firm is in the assurance business, then the company does not necessarily need to go that far.  There is usually a point, that might be pretty far remote from bankruptcy, where the firm loses confidence of the market and is no longer able to do business.  And good managers know exactly where that point lies.  


So S is the likelihood of avoiding that point of no return.  It is a percentage.  Some might cry that no one will understand a percentage.  That they need dollars to understand.  But VAR includes a percentage as well.  Just because no one says the percentage, that does not mean it is not there.  It actually means that no one is even bothering to try to help people to understand what VAR is.  The VAR number is really one part of a three part sentence:

The 99% VAR over one-year is $67.8 M.  By itself, VAR does not tell you whether the firm has trouble.  If the VAR doubles from one period to the next, is the firm in trouble?  The answer to that cannot be determined without further information.


Survival is the probability that, given the real risks of the firm and the real capital of the firm, the firm will not sustain a loss large enough to put an end to their business model.  If your S is 80%, then there is about a 50% chance that your firm will not survive three years!  But if your S is 95%, then there is a 50-50 chance that your firm will last at least 13 years.  This arithmetic is why a firm, like an insurer, that makes long term promises, needs to have a very high S.  An S of 95% does not really seem high enough.


Survival is something that can be calculated with the existing VAR model.  Instead of focusing on an arbitrary probability, the calculation instead focuses on the loss that management feels is enough to put them out of business.  S can be recalculated after a proposed share buy back or payment of dividends.  S responds to management actions and assists management decisions.

If your board asks how much risk you are taking, try telling them the firm has a 98.5% Survival probability.  That might actually make more sense to them than saying that the firm might lose as much as $523 M at a 99% confidence interval over one year.

So turn your VAR inside out – to get S 
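The arithmetic above, as an added Python example (not code from the original post): it reads S off the same kind of loss scenarios a VAR model produces, shows S falling after a dividend, and reproduces the 80% and 95% horizons. The scenario set, the capital figures and all function names are constructed for illustration, and the multi-year figures assume a constant S and independent years.

```python
import math


def constructed_loss_scenarios(n=2000, mean_loss=100.0):
    """Constructed stand-in for a VAR model's one-year loss scenarios, in $M.

    Evenly spaced quantiles of an exponential distribution, so the result is
    deterministic. A real model's scenario output would replace this list.
    """
    return [-mean_loss * math.log(1.0 - (i + 0.5) / n) for i in range(n)]


def value_at_risk(losses, confidence):
    """The usual direction: fix the probability, read off the loss."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[max(index, 0)]


def loss_to_ruin(capital, point_of_no_return_capital):
    """Loss that takes the firm from today's capital down to the level at which
    management believes the market stops doing business with it (an assumption
    about how that point is expressed)."""
    return capital - point_of_no_return_capital


def survival_probability(losses, ruin_loss):
    """Inside out: fix the loss that ends the business, read off the share of
    scenarios that stay below it. That share is S."""
    if ruin_loss <= 0:
        return 0.0  # the firm is already at or past the point of no return
    survived = sum(1 for loss in losses if loss < ruin_loss)
    return survived / len(losses)


def multi_year_survival(s, years):
    """Chance of surviving every one of `years` years (constant S, independent years)."""
    return s ** years


def years_until_even_odds(s):
    """Number of years after which cumulative survival has dropped to 50%."""
    if not 0.0 < s < 1.0:
        raise ValueError("S must be strictly between 0 and 1")
    return math.log(0.5) / math.log(s)


if __name__ == "__main__":
    losses = constructed_loss_scenarios()
    print(f"99% one-year VAR: ${value_at_risk(losses, 0.99):.1f} M")

    # Constructed balance sheet: $900 M capital, business model ends at $400 M.
    capital, floor, dividend = 900.0, 400.0, 100.0
    s_before = survival_probability(losses, loss_to_ruin(capital, floor))
    s_after = survival_probability(losses, loss_to_ruin(capital - dividend, floor))
    print(f"S before dividend: {s_before:.2%}")
    print(f"S after a ${dividend:.0f} M dividend: {s_after:.2%}")

    for s in (0.80, 0.95, s_before, s_after):
        print(f"S = {s:.2%}: three-year survival {multi_year_survival(s, 3):.1%}, "
              f"even odds after {years_until_even_odds(s):.1f} years")
```
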

Whose Loss is it?

October 21, 2009

As we look at the financial system and contemplate what makes sense going forward, it should be important to think through what we plan to do with losses going forward.


There are at least seven possibilities.  As a matter of public policy, we should be discussing where the attachment should be for each layer of losses.  Basel 2 tries to set the attachment for the fourth layer from the bottom, without directly addressing the three layers below.

So for major loss scenarios, we should have a broad idea of how we expect the losses to be distributed.  Recent practices have focused on just a few of these layers, especially the counterparty layer.  The “skin in the game” idea suggests that the counterparties, when they are intermediaries, should have some portion of the losses. Other counterparties are the folks who are taking the risks via securitizations and hedging transactions.

However, we do not seem to be discussing a public policy about the degree to which the first layer, the borrowers, needs to absorb some of the losses.  In all cases, absorbing some of the losses means that that layer really needs to have the capacity to absorb those losses.  Assigning losses to a layer with no resources is not a useful game.  Having resources means having valuable collateral or dependable income that can be used to absorb the loss.  It could also mean having access to credit to pay the loss, though hopefully we have learned that access to credit today is not the same as access to credit when the loss comes due.

+    +    +   +

This picture might be a useful one for risk managers to use as well to clarify things about how losses will be borne that are being taken on by their firm.  The bottom layer does not have to be a borrower, it can also be an insured.

This might be a good way to talk about losses with a board.  Let them know for different frequency/severity pairs who pays what.  This discussion could be a good part of a discussion on Risk Appetite and Risk Limits as well as a discussion of the significance of each different layer to the risk management program of the firm.

The “skin in the game” applies at the corporate level as well.  If you are the reinsurer or another counterparty, you might want to look at this diagram for each of your customers to make sure that they each have enough “skin” where it counts.

Optimizing ERM & Economic Capital

October 15, 2009

The above was the title of a conference in London that I attended this week.  Here are some random take-aways:

    • Sometimes it makes sense to think of risk indicators instead of risk limits.

    • Should MVM reflect diversification?  But whose diversification?

    • Using a Risk and Control Self Assessment as the central pillar to an Operational Risk program

    • Types of Operational Losses:  Financial, Reputation, Opportunity, Inefficiency

    • Setting low thresholds for risk indicators/KRIs provides an early warning of the development of possible problems

    • Is your risk profile stable?  Important question to consider.

    • Number of employees correlates to size of operational risk losses.  May be a simple way to start thinking about how to assign different operational risk capital to different operations.  Next variable might be experience level of employees – might be total experience or task specific experience.  If a company goes into a completely new business, there are likely to be operational issues if they do not hire folks with experience from other firms.

    • Instead of three color indicators, use four – Red, Orange (Amber), Yellow, Green.  Allows for elevating situations out of green without raising alarm.

    • Should look at CP33

    • Controls can encourage more risk taking.  (See John Adams's work on seatbelts)

    • Disclosures of safety margin in capital held might create market expectations that would make it impossible to actually use those margins as a buffer without market repercussions.

    • Serious discussions about a number of ways that firms want to deviate from using pure market values.  Quite a shift from the discussions I heard 2-3 years ago when strict adherence to market values was a cornerstone of good financial and risk management.  As Solvency 2 is getting closer to reality, firms are discovering some ways that the MTM regime would fundamentally change the insurance business.  People are starting to wonder how important it is to adhere to MTM for situations where liquidity needs are very low, for example.

All in all a very good conference.

How about a Risk Diet?

September 17, 2009

Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottage cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desperately needed to make a diet work: a common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how many calories the new food has.

The aggregate risk limit serves the exact same role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, every risk limit was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses, using a single point on that distribution.  That provided the common currency for risk.

The same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.