Archive for the ‘Risk Management System’ category

The Crucial Role of Context in Risk Management Decision-Making

April 12, 2024

Another Guest Post by ChatGPT

Whether it’s the regulatory landscape, organizational culture, or market conditions, the context in which an organization operates significantly influences its approach to managing risks. Context shapes every aspect of the risk management process, from identifying potential risks to implementing effective mitigation strategies. In the world of risk management, understanding the context is not just important—it’s essential.

Why Context Matters

Internal and External Environment: The context includes both internal factors, such as an organization’s structure and culture, and external factors, such as economic conditions, technological advancements, and regulatory requirements. These factors affect how risks are perceived, prioritized, and addressed.

Risk Perception and Evaluation: Different stakeholders may perceive the same risk differently based on their individual perspectives and experiences. For example, a risk that seems minor to a financial analyst might be considered significant by a safety officer. Understanding the context helps ensure that all relevant viewpoints are considered in the risk evaluation process.

Risk Mitigation Strategies: The effectiveness of risk mitigation strategies often depends on the specific circumstances surrounding a risk. For example, a strategy that works well in a stable market might be ineffective in a volatile one. Contextual awareness enables organizations to choose and adapt strategies that are appropriate for their particular situation.

Frameworks and Perspectives in Contextual Risk Management

Several frameworks and perspectives highlight the importance of context in risk management:

ISO 31000 Risk Management Framework: This framework emphasizes tailoring risk management to the organization’s context, considering both internal and external factors to ensure the effectiveness of risk management processes.

COSO ERM Framework: The COSO framework highlights the alignment of risk management with an organization’s strategy and performance, underscoring the importance of context in identifying and assessing risks.

Regulatory Requirements: Compliance with industry-specific regulations shapes the risk management context. For example, financial institutions must adhere to Basel III standards, which dictate specific risk management practices.

Organizational Culture: The culture of an organization, including its risk appetite and tolerance, influences how risks are managed. A strong risk culture fosters proactive risk management and open communication about risks.

Stakeholder Expectations: Understanding the expectations of various stakeholders, such as investors, customers, and employees, helps ensure that risk management aligns with their interests and concerns.

Technological Context: The rapid pace of technological change introduces new risks and opportunities. Organizations must consider their technological landscape, including cybersecurity threats and digital transformation initiatives, in their risk management strategies.

Incorporating Context into Risk Management

To effectively incorporate context into risk management, organizations can follow these steps:

Conduct a Contextual Analysis: Start by analyzing both the internal and external environment to identify factors that influence risk management. This includes assessing the regulatory landscape, market conditions, organizational culture, and technological advancements.

Engage Stakeholders: Involve stakeholders from different areas of the organization and external partners to gather diverse perspectives on risks and their potential impact. This helps ensure a comprehensive understanding of the context.

Tailor Risk Management Processes: Adapt risk identification, assessment, and mitigation processes to fit the specific context. This might involve using different risk assessment tools or modifying risk criteria based on the organization’s objectives and environment.

Monitor Changes in Context: Continuously monitor changes in the internal and external environment that could affect the organization’s risk profile. Stay agile and be prepared to adjust risk management strategies as the context evolves.

Communicate Contextual Insights: Share insights about the context and its implications for risk management with relevant stakeholders. Clear communication helps ensure that everyone understands the rationale behind risk management decisions.

Review and Update: Regularly review and update risk management practices to ensure they remain relevant and effective in the current context. This includes revising risk policies, procedures, and mitigation strategies as needed.

Conclusion

In conclusion, context is a critical factor in risk management decision-making. A deep understanding of the internal and external environment enables organizations to develop and implement risk management strategies that are tailored to their specific circumstances. By embracing a contextual approach, organizations can enhance their resilience, adaptability, and overall effectiveness in managing risks.

This post was created with a CustomGPT designed by RISKVIEWS. The GPT is called Risk Personalities Engine. To learn more about the Risk Personalities Engine, visit this page on the RISKVIEWS blog.

Variety of Decision Making

July 20, 2022

Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.

Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.

Here are abstracts and links to the existing documents:

  1. Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
  2. Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
  3. The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
  4. An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
  5. An Adaptor Strategy for Enterprise Risk Management (Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
  6. Adaptor Exceptionalism: Structural Change & Systems Thinking, March 2022, RISKVIEWS. Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
  7. Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!

Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).

Risk Reward Management

January 25, 2022

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

In 2005, Standard & Poor’s called the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand-alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

This multi-year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.

Pitfalls of Risk Reward Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine-tuning and higher reliance on the modeled optimization recommendations produce ever-growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
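As an added illustration of the Economic Capital, capital allocation and correlation points made in this post (this is example code written for this page, not the RISKVIEWS author's model or any insurer's; the line names, capital amounts and correlation assumptions are all constructed), the block below aggregates stand-alone economic capital with a correlation matrix, allocates the diversified total back to each line, computes a return-to-risk-capital ratio on both bases, and then stresses every correlation to one to show the diversification benefit vanishing:

```python
"""Added example (not code from the RISKVIEWS post): aggregating
stand-alone economic capital (EC) across risk lines with a correlation
matrix, Euler-allocating the diversified total back to each line, and
stressing all correlations to one. All figures are constructed samples."""
import math

# Constructed sample data (hypothetical): stand-alone EC and expected
# annual profit for three risk lines, in the same currency unit.
LINES = {
    "property": {"ec": 100.0, "profit": 12.0},
    "casualty": {"ec": 80.0, "profit": 8.0},
    "equity": {"ec": 60.0, "profit": 9.0},
}

# Constructed correlation assumptions (symmetric, diagonal = 1).
CORR = {
    "property": {"property": 1.0, "casualty": 0.5, "equity": 0.2},
    "casualty": {"property": 0.5, "casualty": 1.0, "equity": 0.3},
    "equity": {"property": 0.2, "casualty": 0.3, "equity": 1.0},
}


def aggregate_ec(lines, corr):
    """Diversified EC = sqrt(sum_i sum_j rho_ij * EC_i * EC_j), the
    variance-covariance aggregation many EC models use for imperfectly
    correlated risks."""
    total = 0.0
    for i, li in lines.items():
        for j, lj in lines.items():
            total += corr[i][j] * li["ec"] * lj["ec"]
    return math.sqrt(total)


def allocate_ec(lines, corr):
    """Euler allocation: line i's share of diversified EC is
    EC_i * sum_j rho_ij * EC_j / total. The shares add up to the total,
    and a line with low correlation to the big risks gets a small share."""
    total = aggregate_ec(lines, corr)
    return {
        i: li["ec"] * sum(corr[i][j] * lj["ec"] for j, lj in lines.items()) / total
        for i, li in lines.items()
    }


def return_on_risk_capital(lines, corr):
    """Expected profit as a fraction of capital on a stand-alone basis
    and on the allocated (after-diversification) basis."""
    alloc = allocate_ec(lines, corr)
    return {
        i: {
            "standalone": li["profit"] / li["ec"],
            "diversified": li["profit"] / alloc[i],
        }
        for i, li in lines.items()
    }


def stress_correlations_to_one(corr):
    """'In a crisis, all correlations go to one': set every entry to 1.0."""
    return {i: {j: 1.0 for j in row} for i, row in corr.items()}


def diversification_benefit(lines, corr):
    """Fraction of the simple sum of stand-alone EC saved by diversification."""
    summed = sum(li["ec"] for li in lines.values())
    return 1.0 - aggregate_ec(lines, corr) / summed


if __name__ == "__main__":
    cases = (("base", CORR), ("stressed", stress_correlations_to_one(CORR)))
    for label, c in cases:
        print(f"{label}: diversified EC = {aggregate_ec(LINES, c):.1f}, "
              f"diversification benefit = {diversification_benefit(LINES, c):.1%}")
        for name, r in return_on_risk_capital(LINES, c).items():
            print(f"  {name:9s} stand-alone {r['standalone']:.1%}  "
                  f"diversified {r['diversified']:.1%}")
```

In the base case the equity line, which has the lowest correlation to the largest risk, gets the smallest allocated share and therefore the best diversified return, exactly the kind of opportunity the Economic Capital section describes. Once the correlations are stressed to one the diversified EC equals the plain sum of the stand-alone amounts, the benefit drops to zero, and every line's diversified return falls back to its stand-alone figure; a strategy justified only by the base-case ranking is what the correlation warning above is about.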

Risk Management Roles

October 18, 2021

Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles.  Smaller organizations tend to need an ERM operation with all part-timers.  We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO role differs from organization to organization, but CROs generally have some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often, to the Chief Financial Officer.  Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary.

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for the Value Added ERM, a major part of the implementation, as well as in explaining the idea and the results to stakeholders.  A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation.  The CRO may be responsible to perform analysis of risk-adjusted plan proposals and act as a resource to business units for developing risk-adjusted proposals.  As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework.  There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. Intelligent ERM above); and to direct the application of resources for ERM activities that are outside of the risk management department.

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises. 

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board.  These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department.  The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO.  The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions.  The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions.  The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision-making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improving capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk. 

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management.  That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks.  However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role.  On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area.  Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas.  Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers.  In some firms, there is a position of Product Manager who is the natural Risk Owner of a product's risks.  The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments. 

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible for making a periodic Report on the status of their risk and Risk Management to the governing Board.  This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between the compliance role and the advisory role of the risk management department.  Compliance is the natural role of Internal Audit, and giving this role to Internal Audit allows risk management to have more of a consultative and management information role. 

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title "Three Lines of Defense."

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role's scope.  That question is: should internal audit limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role reviewing the ERM Framework itself?  To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO. 

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual.  While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett's idea. 

For the CRO and the ERM program to be effective, the organization needs clarity on which aspects of risk management the CEO is directly delegating to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners.  Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].


[1] Executive Engagement: The Role of the Sponsor, Project Management Institute.

[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001

[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)

Three Parts to Insurer ERM programs

September 15, 2021

Enterprise Risk Management practice is different at different insurers. Partly that is driven by the different cultures and missions of insurers. For the most part, those differences can be seen to be driven by the choices that management makes of whether to emphasize one, two or all three of the following three parts of insurer ERM.

1. Individual risk management

Insurers practiced risk management long before they adopted enterprise risk management. With individual risk management (IRM), the insurer enables the organization to raise the risk management activities relating to all of the key risks of the organization up to a high and effective level of practice.

IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.

The result of an IRM function will be a transparent and disciplined approach to all of an organization's key risks. This is often called a bottom-up risk management process as well. ERM standards such as COSO and ISO 31000 promote an individual enterprise risk management process.

2. Aggregate risk management

Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.

ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or a series of risk models to evaluate the amount of aggregate capital needed to provide security for the risk exposure and an aggregate risk appetite and tolerance to help articulate the company’s expectations for capital levels in aggregate control processes.

Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks that are retained by the insurer with the capital it holds.

3. Risk reward management

One of the primary requirements of the model(s) used to evaluate aggregate risk is that they need to be as consistent as possible in their assessments. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: First regarding which are responsible for the largest parts of its risk profile, and, second, to look at the differences in reward for the risk taken.

With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.

Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms – primarily banks and insurers – tend to have risk profiles where the majority of their risks, such as insurance, market and credit risks, have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods. Those risks frequently make up 75% or more of an insurer's risk profile.

Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms' risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main drivers of the limited focus of some ERM literature, which often may not even mention aggregate risk management or risk reward management.

Regulatory requirements for insurer ERM usually include aggregate risk management and some rating agencies (Standard & Poor’s – but not A.M. Best) are expecting insurers to have risk reward management as well. We have also noted some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.

Guide to ERM: Risk Limits and Controls

August 16, 2021

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.


The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

  1. Identify Risks – Choose which risks are the key controllable risks of the company
  2. Assess – Examine what are the elements of the risks that need (or can be) controlled
  3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
  4. Take Risks – Conduct the primary function of an insurance company
  5. Mitigate – Take actions to keep the risks within limits
  6. Monitor – Determine how risk positions compare to limits and report
  7. Respond – Decide what actions to take if risk levels are significantly different from plan
Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

  • Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting "the usual suspects".
  • Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
  • Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
  • Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
  • Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints. The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes its risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken, which is the vital Respond stage in the risk control cycle.
  • Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard "limits" that they seek to never exceed and softer "checkpoints" that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization, with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances. Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
  • Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while others have become more expensive and/or riskier and limits need to be lowered.
  • Assess risks: And the cycle starts again
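The Measuring and monitoring, Risk limits and standards, and Respond steps above describe a mechanical check that is easy to get wrong in practice: every reported position has to be compared against a hard limit and, where one exists, a softer checkpoint, zero-tolerance risks have to be treated as breached on any non-zero exposure, and each exception has to be routed to the right level of authority. The script below is an added illustration of that check and is not code from the original post. The limit set, the approver names (CIO, CUO, Risk Committee, CRO), the quarter-end positions and the figures are all constructed for the example; the escalation hierarchy (checkpoint exceedances to the named approver, hard-limit breaches to the Risk Committee, positions in risks that are not on the risk list to the CRO) is an assumption about how a firm might route them.

```python
"""Added example: checking reported risk positions against hard limits and
soft checkpoints and routing each exception for escalation.  Not from the
original post; limit set, positions, figures and approver names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LimitSpec:
    risk: str
    limit: float                  # hard limit: the firm seeks never to exceed it
    checkpoint: Optional[float]   # soft checkpoint: may be exceeded with approval
    approver: str                 # who may approve operating above the checkpoint
    zero_tolerance: bool = False  # a risk the insurer avoids entirely


# Constructed limit set (hypothetical figures, e.g. millions of capital at risk)
LIMITS: Dict[str, LimitSpec] = {
    "equity":      LimitSpec("equity", limit=100.0, checkpoint=80.0, approver="CIO"),
    "credit":      LimitSpec("credit", limit=200.0, checkpoint=160.0, approver="CIO"),
    "nat_cat":     LimitSpec("nat_cat", limit=50.0, checkpoint=40.0, approver="CUO"),
    "unhedged_fx": LimitSpec("unhedged_fx", limit=0.0, checkpoint=None,
                             approver="Risk Committee", zero_tolerance=True),
}


def classify(position: float, spec: LimitSpec) -> str:
    """Return 'within', 'checkpoint' or 'breach' for one reported position."""
    if spec.zero_tolerance:
        # Any exposure at all is a breach; there is no checkpoint to police.
        return "breach" if position > 0 else "within"
    if position > spec.limit:
        return "breach"
    if spec.checkpoint is not None and position > spec.checkpoint:
        return "checkpoint"
    return "within"


def escalate_to(status: str, spec: LimitSpec) -> Optional[str]:
    """Assumed routing: hard-limit breaches always go to the Risk Committee,
    checkpoint exceedances to the approver named on the limit."""
    if status == "breach":
        return "Risk Committee"
    if status == "checkpoint":
        return spec.approver
    return None


def utilisation(position: float, spec: LimitSpec) -> Optional[float]:
    """Position as a fraction of the hard limit (None for zero-tolerance risks)."""
    if spec.zero_tolerance or spec.limit <= 0:
        return None
    return position / spec.limit


def monitor(reports: List[Dict], limits: Dict[str, LimitSpec]) -> List[Dict]:
    """Run every reported position through the limit set, in reporting order.
    A position in a risk that is not on the risk list is flagged as 'unlisted'
    rather than silently ignored, so that risk-taking outside the agreed list
    still surfaces in the report."""
    findings = []
    for rep in reports:
        spec = limits.get(rep["risk"])
        if spec is None:
            findings.append({**rep, "status": "unlisted",
                             "escalate_to": "CRO", "utilisation": None})
            continue
        status = classify(rep["position"], spec)
        findings.append({**rep, "status": status,
                         "escalate_to": escalate_to(status, spec),
                         "utilisation": utilisation(rep["position"], spec)})
    return findings


def exceptions(findings: List[Dict]) -> List[Dict]:
    """Only the findings that need a documented response."""
    return [f for f in findings if f["status"] != "within"]


# Constructed quarter-end positions for the sample limit set
SAMPLE_REPORTS = [
    {"date": "2021-03-31", "risk": "equity",      "position": 72.0},
    {"date": "2021-06-30", "risk": "equity",      "position": 85.0},   # above checkpoint
    {"date": "2021-06-30", "risk": "credit",      "position": 210.0},  # above hard limit
    {"date": "2021-06-30", "risk": "nat_cat",     "position": 38.0},
    {"date": "2021-06-30", "risk": "unhedged_fx", "position": 3.5},    # zero tolerance
    {"date": "2021-06-30", "risk": "crypto",      "position": 5.0},    # not on the risk list
]

if __name__ == "__main__":
    for f in exceptions(monitor(SAMPLE_REPORTS, LIMITS)):
        print(f"{f['date']} {f['risk']:<12} {f['status']:<10} -> {f['escalate_to']}")
```

Two design choices matter more than the arithmetic. First, a zero-tolerance risk is modelled as its own flag rather than as a limit of zero, so that the checkpoint logic can never quietly turn it into a soft exception. Second, a position in a risk that has no limit at all is reported as an exception in its own right; a monitoring process that only iterates over the limit set would never notice exposure taken outside the risk list.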

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and that are tied to good measures of risk.  These limits must be understood throughout the company, and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Guide to ERM: Risk Identification

August 14, 2021

Risk Identification is widely acknowledged as the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!


Risk Identification Process Adds Value

Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.

This is an iterative process that refines management's understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk.

For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little or no credibility to an ORSA report if this ownership of ERM isn't in place.

A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.

This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.

By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.

Risk Control Cycle

Step 1: Identify All Significant Risks

Risks must be identified in order to:

  • Ensure that the full range of significant risks is encompassed within the risk management process
  • Develop processes to measure exposure to those risks
  • Begin to develop a common language for risk management within the company

Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:

  • Relevance to the insurer’s activities
  • Impact on the insurer's financial condition
  • Ability to manage separately from other risks

The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.

The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.

For example:

  • Underwriting Risk
  • Market Risk
  • Operational Risk
  • Credit/Default Risk

Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.

The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.

Step 2: Understand Each Risk Exposure

It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.

In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.

Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.

The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.

Step 3: Evaluate

The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:

  • Estimating the frequency of loss events, e.g., low, medium, and high
  • Estimating potential severity of loss events, e.g., low, medium, and high
  • Considering offsetting factors to limit frequency or severity of losses and understanding potential control processes

Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation.

Step 4: Prioritize

The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.

The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.

From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.

This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks.

The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
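Steps 3 and 4 above are a small scoring and ranking procedure, and the choices it hides (what numeric scale stands behind "low", "medium" and "high", how the three ratings are combined, how ties are broken) decide which risks reach the board. The script below is an added example of that procedure and is not code from the original post. The twelve-risk register is constructed; the 1-3 scale, the multiplicative combination and the tie-breaking order are assumptions, chosen so that a risk rated high on every axis stands well clear of one rated medium everywhere and so that the ranking is deterministic.

```python
"""Added example: scoring, ranking and heat-mapping an identified risk list
(Steps 3 and 4 of the risk identification process).  Not from the original
post; the register, the 1-3 scale and the scoring rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = {"low": 1, "medium": 2, "high": 3}   # assumed numeric scale for the ratings


@dataclass(frozen=True)
class Assessment:
    name: str
    category: str      # Underwriting, Market, Operational or Credit/Default
    frequency: str     # low / medium / high
    severity: str
    velocity: str


def combined_score(a: Assessment) -> int:
    """Single factor combining the three ratings.  The product is an assumed
    weighting: high on every axis scores 27, medium everywhere scores 8."""
    return SCALE[a.frequency] * SCALE[a.severity] * SCALE[a.velocity]


def rank(register: List[Assessment]) -> List[Tuple[int, Assessment]]:
    """Worst combination first.  Ties are broken by severity, then velocity,
    then name, so the ordering is reproducible and can be reviewed."""
    return sorted(((combined_score(a), a) for a in register),
                  key=lambda t: (-t[0], -SCALE[t[1].severity],
                                 -SCALE[t[1].velocity], t[1].name))


def select(register: List[Assessment], key_n: int = 10,
           board_n: int = 4) -> Tuple[List[Assessment], List[Assessment]]:
    """Return (key risk list for senior management, shortlist for the board)."""
    ranked = [a for _, a in rank(register)]
    return ranked[:key_n], ranked[:board_n]


def heat_map(register: List[Assessment]) -> Dict[Tuple[str, str], List[str]]:
    """Frequency x severity grid; each cell lists the risk names it holds."""
    grid: Dict[Tuple[str, str], List[str]] = {(f, s): [] for f in SCALE for s in SCALE}
    for a in register:
        grid[(a.frequency, a.severity)].append(a.name)
    return grid


def render_heat_map(grid: Dict[Tuple[str, str], List[str]]) -> str:
    """Text rendering: rows are frequency (high at top), columns severity,
    cells hold the count of risks."""
    levels = ["low", "medium", "high"]
    lines = ["freq\\sev " + " ".join(f"{s:>8}" for s in levels)]
    for f in reversed(levels):
        lines.append(f"{f:<9}" + " ".join(f"{len(grid[(f, s)]):>8}" for s in levels))
    return "\n".join(lines)


# Constructed register produced by a brainstorming session (illustrative only)
REGISTER = [
    Assessment("Catastrophe losses (hurricane)", "Underwriting", "low", "high", "high"),
    Assessment("Reserve deterioration", "Underwriting", "medium", "high", "low"),
    Assessment("Pricing inadequacy", "Underwriting", "high", "medium", "low"),
    Assessment("Equity market fall", "Market", "medium", "high", "high"),
    Assessment("Interest rate shock", "Market", "medium", "medium", "medium"),
    Assessment("Reinsurer default", "Credit/Default", "low", "high", "medium"),
    Assessment("Corporate bond downgrades", "Credit/Default", "medium", "medium", "low"),
    Assessment("Cyber attack on policy systems", "Operational", "medium", "high", "high"),
    Assessment("Key person loss", "Operational", "medium", "low", "medium"),
    Assessment("Regulatory sanction", "Operational", "low", "medium", "low"),
    Assessment("Data entry error in claims", "Operational", "high", "low", "low"),
    Assessment("Outsourcer failure", "Operational", "low", "medium", "medium"),
]

if __name__ == "__main__":
    key, board = select(REGISTER)
    for score, a in rank(REGISTER):
        print(f"{score:>3}  {a.category:<15} {a.name}")
    print("\nBoard shortlist:", [a.name for a in board])
    print("\n" + render_heat_map(heat_map(REGISTER)))
```

Two points are worth noticing when the output is read. A heat map on frequency and severity alone puts "Reserve deterioration" in the same cell as "Equity market fall" and the cyber risk, and it is the velocity rating that separates them in the ranked list; that is exactly the case the text makes for adding velocity. And the top of the ranking contains a tie that is settled only by the tie-breaking rule, so whoever owns the scoring should be able to say what that rule is.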

Regulatory Emphasis

Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.

Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.

ORSA Guidance Manual

This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.

That document provides a definition for risk identification and prioritization:

[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels

For the EU, the Solvency II ORSA requires that solo undertakings provide:

[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.

In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.

Insurance Core Principles (ICP)

The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.

Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.

It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.

The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.

Keys to ERM – Adaptability

April 3, 2017


Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Risk Trajectory – Do you know which way your risk is headed?

July 25, 2016


Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bear risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a business's risk strategy.  Trajectory will change unpredictably, and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (e.g. 1 in 200 years)
  2. Your capacity to bear risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

The CRO is making a list and checking it twice

February 2, 2015

"You never said that you wanted me to do that" is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing things down too much.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.


But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document many list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/


The ERM Pioneers and the Settlers – Let’s not have another range war!

January 24, 2015

Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is that Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successors.

How to Build and Use a Risk Register

December 18, 2014

From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.
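The register described above as a small working Python model, added here as an example and not code from Harry Hall or pmsouth.com; the class and field names are assumptions, and the only rules it encodes are the 1 to 10 scales, the probability x impact score and the response strategies named in the post.

```python
# Added example of a Risk Register (not pmsouth.com's tool). Class and field
# names are assumptions; the scoring and strategy rules come from the post.
from dataclasses import dataclass, field
from typing import List, Optional

# Response strategies named in the post, per kind of risk.
STRATEGIES = {
    "threat": {"accept", "avoid", "mitigate", "transfer"},
    "opportunity": {"accept", "exploit", "enhance", "share"},
}
TRENDS = {"increasing", "decreasing", "stable"}


@dataclass
class Risk:
    # The description follows the post's Cause -> Risk -> Impact syntax.
    cause: str
    event: str
    effect: str
    owner: str          # one accountable person per risk
    category: str       # e.g. schedule, cost, quality
    probability: int    # 1..10, 10 = most likely
    impact: int         # 1..10, 10 = most severe
    kind: str = "threat"  # "threat" or "opportunity"
    triggers: List[str] = field(default_factory=list)
    strategy: Optional[str] = None
    response_plan: str = ""
    contingency_plan: str = ""
    fallback_plan: str = ""
    reduction_pct: int = 0  # share of the risk removed by the response, 0..100
    trend: str = "stable"

    def __post_init__(self) -> None:
        if self.kind not in STRATEGIES:
            raise ValueError(f"unknown kind {self.kind!r}")
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")
        if self.strategy is not None and self.strategy not in STRATEGIES[self.kind]:
            raise ValueError(f"{self.strategy!r} is not a {self.kind} strategy")
        if not 0 <= self.reduction_pct <= 100:
            raise ValueError("reduction_pct must be 0..100")
        if self.trend not in TRENDS:
            raise ValueError(f"unknown trend {self.trend!r}")

    def description(self) -> str:
        return f"Because {self.cause}, {self.event} resulting in {self.effect}."

    def score(self) -> int:
        # Risk score = probability x impact, as in the post.
        return self.probability * self.impact

    def residual_score(self) -> float:
        # Residual risk: the share of the score left after the planned response.
        return self.score() * (100 - self.reduction_pct) / 100


class RiskRegister:
    def __init__(self) -> None:
        self.risks: List[Risk] = []

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def by_category(self, category: str) -> List[Risk]:
        return [r for r in self.risks if r.category == category]

    def ranked(self) -> List[Risk]:
        # Highest score first, so a team meeting starts with the worst risks.
        return sorted(self.risks, key=lambda r: r.score(), reverse=True)

    def needing_more_planning(self, threshold: float) -> List[Risk]:
        # Risks whose residual score is still above what the team accepts.
        return [r for r in self.risks if r.residual_score() > threshold]


def build_sample_register() -> RiskRegister:
    """Constructed sample data, built around the post's own example risk."""
    reg = RiskRegister()
    reg.add(Risk(
        cause="Information Technology is updating the testing software",
        event="the testing team may experience an unstable test environment",
        effect="adverse impacts to the schedule",
        owner="Test Lead", category="schedule",
        probability=8, impact=5,  # score 40, the post's example
        triggers=["IT announces the upgrade window"],
        strategy="mitigate", reduction_pct=70,  # 30% residual -> 12.0
        response_plan="Stand up a parallel test environment before the upgrade",
        contingency_plan="Fall back to the previous software version",
        fallback_plan="Extend the test phase by one week",
        trend="increasing",
    ))
    reg.add(Risk(
        cause="our developers have strong design skills",
        event="we may be able to simplify the architecture",
        effect="lower build cost",
        owner="Architect", category="cost",
        probability=4, impact=6, kind="opportunity", strategy="exploit",
    ))
    return reg
```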

ERM: Who is Responsible?

November 7, 2014


The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities, and new roles (usually part time) are created to crystallize those responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

Too Much Risk

August 18, 2014

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

  1. Misunderstanding the risk involved in the choices made and to be made by the organization
  2. Misunderstanding the risk appetite of the organization
  3. Misunderstanding the risk taking capacity of the organization
  4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under-utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money and who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that its problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as a highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

  1. Understands the risks
  2. Articulates and understands the risk appetite
  3. Understands the aggregate and remaining risk capacity at all times
  4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Insurers need to adapt COSO/ISO Risk Management to achieve ERM

July 29, 2014

Both the COSO and ISO risk management frameworks describe many excellent practices.  However, in practice, insurers need to make two major changes from the typical COSO/ISO risk management process to achieve real ERM.

  1. RISK MEASUREMENT – Both COSO and ISO emphasize what RISKVIEWS calls the Risk Impressions approach to risk measurement.  That means asking people what their impression is of the frequency and severity of each risk.  Sometimes they get real fancy and also ask for an impression of Risk Velocity.  RISKVIEWS sees two problems with this for insurers.  First, impressions of risk are notoriously inaccurate.  People are just not very good at making subjective judgments about risk.  Second, the frequency/severity pair idea does not actually represent reality.  The idea properly applies to very specific incidents, not to risks, which are broad classes of incidents.  Each possible incident that makes up the class that we call a risk has a different frequency severity pair.  There is no single pair that represents the class.  Insurers’ risks are in one major way different from the risks of non-financial firms.  Insurers almost always buy and sell the risks that make up 80% or more of their risk profile.  That means that to make those transactions they should be making an estimate of the expected value of ALL of those frequency and severity pairs.  No insurance company that expects to survive for more than a year would consider setting its prices based upon something as lacking in reality testing as a single frequency and severity pair.  So an insurer should apply the same discipline to measuring its risks as it does to setting its prices.  After all, risk is the business that it is in.
  2. HIERARCHICAL RISK FOCUS – Neither COSO nor ISO demand that the risk manager run to their board or senior management and proudly expect them to sit still while the risk manager expounds upon the 200 risks in their risk register.  But a depressingly large number of COSO/ISO shops do exactly that.  Then they wonder why they never get a second chance in front of top management and the board.  However, neither COSO nor ISO provide strong enough guidance regarding the Hierarchical principle that is one of the key ideas of real ERM.  COSO and ISO both start with a bottom-up process for identifying risks.  That means that many people at various levels in the company get to make input into the risk identification process.  This is the fundamental way that COSO/ISO risk management ends up with risk registers of 200 risks.  COSO and ISO do not, however, offer much if any guidance regarding how to make that into something that can be used by top management and the board.  In RISKVIEWS’ experience, the 200 item list needs to be sorted into no more than 25 broad categories.  Then those categories need to be considered the Risks of the firm and the list of 200 items considered the Riskettes.  Top management should have a say in the development of that list.  It should be their choice of names for the 25 Risks.  The 25 Risks then need to be divided into three groups.  The top 5 to 7 Risks are the first rank risks that are the focus of discussions with the Board.  Those should be the Risks that are most likely to cause a financial or other major disruption to the firm.  Besides focusing on those first rank risks, the board should make sure that management is attending to all of the 25 Risks.  The remaining 18 to 20 Risks then can be divided into two ranks.  Top management should then focus on the first and second rank risks.  And they should make sure that the risk owners are attending to the third rank risks.
    Top management, usually through a risk committee, needs to regularly look at these risk assignments and promote and demote risks as the company’s exposure and the risk environment change.  Now, if you are a risk manager who has recently spent a year or more constructing the list of the 200 Riskettes, you are doubtless wondering what use would be made of all that hard work.  Under the Hierarchical principle of ERM, the process described above is repeated down the org chart.  The risk committee will appoint a risk owner for each of the 25 Risks and that risk owner will work with their list of Riskettes.  If their Riskette list is longer than 10, they might want to create a priority structure, ranking the risks as is done for the board and top management.  But if the initial risk register was done properly, then the Riskettes will be separate because there is something about them that requires something different in their monitoring or their risk treatment.  So the risk register and Riskettes will be a valuable and actionable way to organize their responsibilities as risk owner.  Even if it is never again shown to top management and the board.

These two ideas do not contradict the main thrust of COSO and ISO but they do represent a major adjustment in approach for insurance company risk managers who have been going to COSO or ISO for guidance.  It would be best if those risk managers knew in advance about these two differences from the COSO/ISO approach that is applied in non-financial firms.

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness”.  Risks are then significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counterparties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

Instructions for a 17 Step ORSA Process

May 19, 2014

There are 17 steps to completing your ORSA.  And here are 17 essays that describe all of those steps.


1. Prepare for the ORSA

Five Intro to ERM Risk Control Cycle Topics

2.  Risk Identification

3. Risk Measurement

4. Risk Limits and Controlling

5. Risk Organization

6. Risk Management Policies and Standards

Advanced ERM Topics

7. Stress Testing

8. Risk Capital

9. Risk Appetite and Tolerance

10. Emerging Risks

11. Interdependence of Risks

12. Risk Management Governance

13. Risk Management Culture

14. Change Risk

15. Risk Disclosure

16. Model Validation

Bringing it All Together

17. Writing the ORSA Report

Full Limits Stress Test – Where Solvency and ERM Meet

April 25, 2014

We can know, looking back at last year, how much risk that an insurer was exposed to. And we can simply look at the balance sheet to see how much capital that they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent last year end? Not really useful information. Unless…


That is, unless you make some potentially heroic assumptions about the future.  Not an unusual assumption.  Just that common assumption that the future will be just like the past.

That assumption is usually ok.  Let’s see.  In the past 15 years, it has been correct four or five times.  But is that good enough for solvency work – a system that might give the right answer a third of the time?!?

But there is a solution.  Regulators have led us right up to that solution but they haven’t yet dared to say what it is.  Perhaps they do not know, or perhaps they have not noticed that the backward looking problem has two aspects.  We are making two heroic assumptions:

  1. We are assuming that the environment will be the same in the near future as the recent past.
  2. We are assuming that the company activity will be the same in the near future as the recent past.

The regulatory response to these two shaky assumptions is:

  1. Stress Scenarios
  2. Look forward using company plans

Solution 1 can help, but solution 2 can be significantly improved by using the ERM program and risk appetite.  You may have noticed that regulators have all said that ERM is very important.  And that Risk Appetite is a very, very important part of ERM.  But they have never, ever, explained why it is important.

Well, the true answer is that it can be important.  It can be the solution to one part of the backward looking problem.  The idea of looking forward with company plans is a step in the right direction.  But only a half step. The full step solution is the FULL LIMIT STRESS TEST.

That test looks forward to see how the company will operate based upon the risk appetite and limits that management has set.  ERM and risk appetite provide a specific vision of how much risk is allowed by management and the board.  The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.

So the FULL LIMIT STRESS TEST would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows.  That can then be combined with the stress scenarios regarding the external environment.

Now the FULL LIMIT STRESS TEST will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of the firm within the risk appetite.  For firms that do not have such a system in place, the FULL LIMIT STRESS TEST needs to substitute the large growth of risk that industry experience tells us can happen to a firm that has gone partially or fully out of control with regard to its risk taking.

That makes the connection between ERM and Solvency very substantial and realistic.

  • A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program.  The overall risk appetite will place a limit on the degree to which ALL individual risk limits can be reached at the same time.
  • An otherwise similar firm with a risk management program and loose risk appetite will need to hold higher capital.
  • A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
  • A firm without a risk management program will need to hold capital to support the risks that history tells us a firm with uncontrolled growth of risk might take on in a year.  A track record of informal control of risk growth cannot be used as a predictor of the range of future performance.  (It may be valuable to ask all firms to look at an uncontrolled growth scenario as well, but firms with a good risk control process will be considered to be prepared for that scenario by their ERM program.)
  • A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.

With this FULL LIMIT STRESS TEST, ERM programs will then be fully and directly connected to Solvency in an appropriate manner.


Whose Job is it to do ERM?

January 28, 2014

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assign responsibility for the identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Measurement

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Risk Identification – don’t just mail it in

January 9, 2014

ERM programs all start out with a suggestion that you must identify your risks.

Many folks take this as a trivial exercise.  But it is not.  There are two important reasons why not:

  1. Everyone has risks in the same major categories, but the way that those categories are divided into the action level is important.  All insurers have UNDERWRITING RISK.  But almost all insurers should be subdividing their UNDERWRITING RISK into major subcategories, usually along the lines that they manage their insurance business.  Even the very smallest single line single state insurers subdivide their insurance business.  Risks should also be subdivided.
  2. Names are important.  Your key risks must have names that are consistent with how everyone in the company talks.

Best practice companies will take the process of updating very seriously.  They treat it as a discovery and validation process.

To read more about Risk identification, see the WillisWire post

(This is the first of a 14 part series about the ERM practices that are needed to support the new ORSA Process)

and the RISKVIEWS post

Identifying Risks

You actually have to run on the treadmill . . .

December 19, 2013

Yes, that is right. Just buying a treadmill has absolutely no health benefits.


And in the same vein, just creating a risk management system does not provide any benefit.  You actually have to activate that system and pay attention to the signals that it sends.

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

  • Riskiness of accepted risks
  • Volume of accepted risks
  • Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

  • Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required. 
  • Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
  • Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Reviewing Risk Culture

November 4, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Culture is the combination of the behaviours of people in the company – often described as “the way we do things around here”.  All organisations have a risk management culture.  Risk culture is the shared attitudes, values and practices that characterize how a company considers risk in its day-to-day activities.  For some companies, the risk culture flows from an explicit risk philosophy and risk appetite.  The risk culture should support the goals, activities and desired outcomes of the company while mitigating the risks of not achieving desired outcomes.  Appropriate risk management behaviours may vary according to the organisation, the industry context, the location of operations both within and across national boundaries together with the resultant jurisdictional requirements.  However, behaviours that inspire a culture of fear or retribution, that allow “shooting the messenger” or that help “bad news to travel slowly” are not likely to be conducive to good risk management.

Desired actions/features of risk management by category:

Ad Hoc

1.  Each part of the company has its own risk language.

2.  There is very little cross discipline communications and discussion of risk and risk management issues.

3.  Risk decisions are almost always made individually, without reference to any corporate goals or objectives for risk.

4.  Responsibility for dealing with risks is unclear.

5.  There is an expectation of negative consequences for those associated with any activity that makes unexpected losses.

6.  There is a possibility of negative consequences for those who report bad news.

7.  There is little discussion of past problems or losses either at the time or subsequently.

8.  Senior Management and Board at best pay lip service to an idea that a company has a culture.

Basic

1.  Company has a formal risk management program that follows an outside standard or requirement.

2.  Company has not adapted that program to the specific culture of the firm in any significant way.

3.  Risk management responsibility and discussion are concentrated with a small number of “risk management staff”.

4.  Risk culture is acknowledged as important by senior management and Board.

Standard

1.  There is a common specific risk language at the company.

2.  Company has communication tools, cross-functional discussions about management of risks, reporting tools and risk matrices.

3.  There are common techniques for risk assessment and risk treatment methodologies.

4.  There is a consistent point of view from the enterprise and business levels with regard to risk management.

5.  There are common understandings of the corporate goals and objectives for risk management.

6.  Company usually carefully reviews unexpected losses seeking to learn from experiences.

7.  Incentive compensation schemes support the achievement of risk management objectives.

8.  Risk culture is actively promoted by senior management and the Board.

Advanced – in addition to the Standard Practices:

1.  Culture is reinforced by frequent communications and training programs, and by senior management and the Board being seen to act in line with the corporate risk culture.

2.  The degree of employee knowledge and application of the corporate risk culture is periodically monitored.

3.  The communications and training programs are updated in reaction to the monitoring inputs.

4.  ERM thinking is automatically incorporated into all management decision making.

Reviewing a Risk Control Framework

October 29, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk – that is, risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisation’s armoury that can be used to ensure that the organisation achieves its strategic goals with regard to an accepted and monitored level of risk.

There needs to be commitment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required, as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization’s vision is all about what is possible, all about potential, and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger picture view of what’s going on and the risk control framework needs to be informed by this. I really want to get across that the risk management needs to be aligned to what the organisation is trying to achieve.>

The RCF can act as a focus and ensure that:

  • There are no gaps and there is appropriate accountability
  • The organisation’s objectives are aligned with the RCF
  • The reporting mechanisms and management system are embedded – this could be a driver of culture
  • Uniform risk criteria and evaluation metrics are created – those accountable know how they are going to be measured

Much risk is derived from a company’s culture (think investment banking culture, Enron, etc.), and the ease of implementing the key stages will also depend on culture. For example, a risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF) the following model internal factors (using the McKinsey 7S framework) should be considered:-

Hard factors (tangible)
Systems

  • Are there systems in place that can assist in risk identification and monitoring?
  • Can an IT solution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RI’s)?
  • What are the legal minimums with respect to certain risks, how is compliance measured?
  • Is there information already gathered?

Strategy

  • Does strategic planning consider risk management, is it open to this, can risk management contribute?
  • Does risk management have board level support?
  • What is the organisation’s risk appetite?
  • What is the organisation’s risk tolerance?

Structure

  • Is the risk management function senior enough to have an influence?
  • Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross function risks?
  • Is there a forum for considering emergent risks?
  • Are there regional or location specific risks to consider, how integrated is the whole approach?

Soft factors (intangible)
Style

  • The way management goes about solving problems (listening or dominant) – there are ways to measure this
  • Passive vs active management
  • Business goal driven or risk averse
  • Who makes the key decisions – who is involved – is this structured?  Does risk management get a seat?

Staff

  • The collective presence of the people – different styles will appeal to certain types: gung ho vs risk averse
  • How actively is the framework managed, from active “positive assurance” to passive “nothing has come my way”?
  • Are staff time poor, are there dedicated risk staff in business units?
  • Is risk perceived as compliance rather than business driven?

Skills

  • Are staff adaptable, thoughtful, processing?
  • Is there sufficient understanding of what is risky and what is unknown?
  • Are the risks able to be measured?
  • Are there enough skilful communicators to ensure that messages sent are received in the same context internally?

Shared Values

  • Is there infighting between departments? Is risk management seen as an inhibitor rather than as strategic?
  • Is the company’s strategic vision embedded in the culture? Is each department headed in the same direction?
  • Are interdepartmental meetings happening, or is there a siloed approach?
  • How are decisions made, centralised vs local, is this effective, who has the final say?

The above can act as a litmus test to assess the receptiveness or otherwise of the organisation to risk management in general; an important part is the links between the factors. For risk management to be effective it needs to be part of “the way things are done around here”, i.e. the company’s culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework (RCF):-

  • Risk identification
  • Risk monitoring
  • Policies and limits
  • Risk Treatment
  • Limit Compliance
  • Feedback

Effectiveness

It can often be difficult to measure the effectiveness of controls, as the events that the controls are in place to prevent never happen. This lack of events could be the result of an effective control well implemented or of an unnecessary control (similar to the old anti-elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

Ad Hoc Risk Control Framework

  • Risk identification – Not all significant risk exposures have been identified.
  • Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
  • Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
  • Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

  • Risk identification – Significant risk exposures are believed to have been identified.
  • Risk monitoring – Company’s risk monitoring is performed post events, and tends to miss events before they occur.
  • Policies and limits – Risk limits are documented, but they have limited impact prior to an event; that is, they do not have any impact on operational decision making.
  • Risk Treatment – Risk-management activities are not laid out, but are raised to management.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures.
  • Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
  • Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advanced Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures. This is holistic and done as part of the usual way of doing business.
  • Risk monitoring – Company monitors all significant risks as a matter of course.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company; these are embedded and part of normal routines, they never get challenged and they do not get in the way of the business.
  • Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are almost never challenged.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Risk Portfolio Management

April 18, 2013

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi-line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

Standard & Poor’s calls the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Portfolio Management process is nothing more or less than looking at the expected reward and loss potential for each major profit making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. The first is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand-alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) flows from the Provisioning principle. EC is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk portfolio risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing, as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Portfolio Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Portfolio Risk Management usually fail to do so because they do not have a common measurement basis across all of their risks. The recent move of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Portfolio management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.
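The capital strain and release pattern described above (new business consumes Economic Capital in the year of issue, then releases it as the block earns profits and terminates) can be made concrete with a small cohort projection. This is an added example, not code from RISKVIEWS; the lapse rate, per-unit EC factors and per-unit profit figures are constructed sample assumptions, and distributable earnings are computed exactly as defined in the text: projected earnings less the increase in Economic Capital.

```python
"""Cohort projection of Economic Capital (EC) needs and distributable earnings.

Added example; all parameters are constructed sample assumptions.
Units are arbitrary (think millions). 'new' = policies sold this year,
'inforce' = policies surviving from earlier years.
"""


def project_capital_needs(new_sales, lapse_rate=0.10, ec_new=12.0, ec_inforce=8.0,
                          profit_new=-5.0, profit_inforce=1.5):
    """Return one row per plan year.

    new_sales     : list of units sold in each year of the plan
    lapse_rate    : fraction of in-force units terminating each year (assumed)
    ec_new        : EC required per unit of new business (assumed, higher: strain)
    ec_inforce    : EC required per unit of in-force business (assumed)
    profit_new    : earnings per new unit (assumed negative: acquisition cost)
    profit_inforce: earnings per in-force unit (assumed positive)
    """
    inforce = 0.0
    prev_ec = 0.0
    rows = []
    for year, sales in enumerate(new_sales, start=1):
        # Terminations of prior coverages release the capital that supported them.
        inforce *= (1.0 - lapse_rate)
        earnings = profit_new * sales + profit_inforce * inforce
        ec_required = ec_new * sales + ec_inforce * inforce
        # Distributable earnings = projected earnings less the increase in EC.
        distributable = earnings - (ec_required - prev_ec)
        rows.append({
            "year": year,
            "new_units": sales,
            "inforce_units": inforce,
            "earnings": earnings,
            "ec_required": ec_required,
            "delta_ec": ec_required - prev_ec,
            "distributable": distributable,
        })
        inforce += sales
        prev_ec = ec_required
    return rows


def peak_capital_requirement(rows):
    """Largest cumulative capital the plan draws from the enterprise before it
    turns self-funding (0.0 if the plan never needs outside capital)."""
    cumulative = 0.0
    worst = 0.0
    for r in rows:
        cumulative += r["distributable"]
        worst = min(worst, cumulative)
    return -worst


if __name__ == "__main__":
    # Constructed plan: two years of growth, then a year with no new sales.
    for r in project_capital_needs([100, 100, 0]):
        print(r)
    print("peak capital requirement:", peak_capital_requirement(project_capital_needs([100, 100, 0])))
```

Comparing plans with different sales paths under this projection shows the point the text makes: the high-growth years carry negative distributable earnings (net capital need), and the low-growth year shows capital being released as in-force profits emerge and supporting EC is freed.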

Pitfalls of Risk Portfolio Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Portfolio Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable, and this should have a major impact on the way that they are used in the Risk Portfolio Management process.
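The Economic Capital section above describes aggregating stand-alone risk capital with adjustments for imperfect correlation, and the paragraph just above warns that the diversification benefit this produces evaporates when “all correlations go to one”. The following added example (not code from RISKVIEWS or from any insurer’s model) puts both points in one place: it aggregates constructed stand-alone EC figures through a constructed correlation matrix using the variance-covariance method, allocates the total back to each risk with the Euler method so that a return on allocated capital can be computed, and then re-runs the same numbers with every correlation set to one. The risk names, amounts, profits and correlations are all sample assumptions.

```python
"""Variance-covariance aggregation of stand-alone Economic Capital, Euler
allocation, and a 'correlations go to one' stress.

Added example; all figures are constructed sample data, not real exposures.
"""
from math import sqrt

# Constructed sample: stand-alone EC and expected profit per risk (e.g. millions).
RISKS = ["property_cat", "motor", "credit_reinsurance", "equity"]
STANDALONE_EC = {"property_cat": 120.0, "motor": 60.0,
                 "credit_reinsurance": 30.0, "equity": 90.0}
EXPECTED_PROFIT = {"property_cat": 18.0, "motor": 9.0,
                   "credit_reinsurance": 3.0, "equity": 9.0}

# Constructed correlation matrix in RISKS order (symmetric, unit diagonal).
CORRELATION = [
    [1.0, 0.2, 0.5, 0.1],
    [0.2, 1.0, 0.1, 0.2],
    [0.5, 0.1, 1.0, 0.3],
    [0.1, 0.2, 0.3, 1.0],
]


def aggregate_ec(ec, corr, risks=RISKS):
    """Total EC = sqrt(x^T R x) where x = stand-alone EC vector, R = correlations."""
    x = [ec[r] for r in risks]
    n = len(x)
    total_var = sum(x[i] * corr[i][j] * x[j] for i in range(n) for j in range(n))
    return sqrt(total_var)


def euler_contributions(ec, corr, risks=RISKS):
    """Euler allocation: contribution_i = x_i * (R x)_i / total. Sums to total EC,
    so a risk's share reflects its correlation with the rest of the book."""
    x = [ec[r] for r in risks]
    n = len(x)
    total = aggregate_ec(ec, corr, risks)
    return {r: x[i] * sum(corr[i][j] * x[j] for j in range(n)) / total
            for i, r in enumerate(risks)}


def diversification_benefit(ec, corr, risks=RISKS):
    """Sum of stand-alone EC minus aggregated EC."""
    return sum(ec[r] for r in risks) - aggregate_ec(ec, corr, risks)


def stressed_correlation(corr, rho=1.0):
    """Replace every off-diagonal correlation with rho (rho=1.0: crisis case)."""
    n = len(corr)
    return [[1.0 if i == j else rho for j in range(n)] for i in range(n)]


def return_on_allocated_capital(ec, profit, corr, risks=RISKS):
    """Expected profit divided by Euler-allocated EC, per risk."""
    contrib = euler_contributions(ec, corr, risks)
    return {r: profit[r] / contrib[r] for r in risks}


def crisis_report(ec=STANDALONE_EC, profit=EXPECTED_PROFIT, corr=CORRELATION, risks=RISKS):
    """Side-by-side view of the base case and the all-correlations-one case."""
    stressed = stressed_correlation(corr)
    return {
        "base_total_ec": aggregate_ec(ec, corr, risks),
        "stressed_total_ec": aggregate_ec(ec, stressed, risks),
        "benefit_lost": diversification_benefit(ec, corr, risks)
                        - diversification_benefit(ec, stressed, risks),
        "base_roec": return_on_allocated_capital(ec, profit, corr, risks),
        "stressed_roec": return_on_allocated_capital(ec, profit, stressed, risks),
    }


if __name__ == "__main__":
    for k, v in crisis_report().items():
        print(k, v)
```

Two things are worth reading off the output. First, under the base correlations a risk with low correlation to the largest exposure (here the constructed credit reinsurance line) looks more attractive on return to allocated capital than on a stand-alone basis, which is the “lower correlation to the highest-concentration risk” effect the Economic Capital section describes. Second, with all correlations set to one the aggregate equals the plain sum of stand-alone EC, each risk’s allocation collapses to its stand-alone figure, and every return ratio falls back to profit divided by stand-alone EC: the entire justification that rested on correlations being far from one disappears.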

Risk Portfolio Management is one of the Seven ERM Principles for Insurers

Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. The risk management processes that make up the response include:
      • Risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk, because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change; this is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing, loss control (claims), underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.
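The Monitoring and Response steps above turn on one distinction: hard “Limits” that are never to be exceeded and carry documented consequences, versus softer “Checkpoints” that are sometimes exceeded and trigger a standard resolution process. The following added example (not code from RISKVIEWS) is a minimal positions-versus-limits report built on that distinction. The risk names, positions, checkpoint and limit values are constructed sample data, and the action text per status is an assumption about how one insurer might phrase its escalation rules; a limit with no measured position is deliberately reported as a finding in its own right, since an unmeasured exposure is a gap in the identification step rather than a clean result.

```python
"""Positions versus Limits/Checkpoints report for the risk control cycle.

Added example; sample data and escalation wording are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskLimit:
    name: str
    checkpoint: float  # soft: may be exceeded, starts the standard resolution process
    limit: float       # hard: never to be exceeded, documented consequences


# Constructed sample limits (e.g. 1-in-200 loss estimates, in millions).
LIMITS = [
    RiskLimit("property_cat_pml", checkpoint=100.0, limit=130.0),
    RiskLimit("equity_exposure", checkpoint=250.0, limit=300.0),
    RiskLimit("single_reinsurer_recoverable", checkpoint=40.0, limit=50.0),
    RiskLimit("interest_rate_duration_gap", checkpoint=1.5, limit=2.0),
]

# Constructed sample positions from the monitoring step. Note that no position
# has been reported for the duration gap: the report must surface that, not skip it.
POSITIONS = {
    "property_cat_pml": 112.0,
    "equity_exposure": 240.0,
    "single_reinsurer_recoverable": 55.0,
}

# Assumed escalation wording per status.
ACTIONS = {
    "WITHIN": "none; continue regular monitoring",
    "CHECKPOINT_EXCEEDED": "standard resolution process: owner documents plan to return within checkpoint",
    "LIMIT_BREACH": "documented consequences: immediate escalation, reduce position",
    "NOT_MEASURED": "identification gap: establish measurement before next reporting date",
}


def classify(position, risk_limit):
    """Hard limit takes precedence over the soft checkpoint."""
    if position > risk_limit.limit:
        return "LIMIT_BREACH"
    if position > risk_limit.checkpoint:
        return "CHECKPOINT_EXCEEDED"
    return "WITHIN"


def positions_report(positions=POSITIONS, limits=LIMITS):
    """One row per defined limit, whether or not a position was reported."""
    rows = []
    for rl in limits:
        pos = positions.get(rl.name)
        status = "NOT_MEASURED" if pos is None else classify(pos, rl)
        rows.append({
            "risk": rl.name,
            "position": pos,
            "checkpoint": rl.checkpoint,
            "limit": rl.limit,
            "headroom_to_limit": None if pos is None else rl.limit - pos,
            "status": status,
            "action": ACTIONS[status],
        })
    return rows


def requires_escalation(rows):
    """Risks whose status demands attention beyond routine monitoring."""
    return [r["risk"] for r in rows if r["status"] in ("LIMIT_BREACH", "NOT_MEASURED")]


if __name__ == "__main__":
    for row in positions_report():
        print(f'{row["risk"]:32} {row["status"]:20} {row["action"]}')
```

The report is deliberately keyed off the list of defined limits rather than the list of reported positions, so that a limit which silently stops being measured shows up as an escalation rather than disappearing from the page; that is the practical difference between the “irregular review” of the Ad Hoc framework and the “process in place to see that risk limits are followed as planned” of the Standard one.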

This is one of the seven ERM Principles for Insurers

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like.  When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered.  But when the threat actually happens, there are four possible responses:  cooperation with the disaster plan, becoming immobilized and ignoring the disaster, panic, and anti-social advantage taking.  Disaster planning sometimes goes no further than developing a path for people with the first response.  A full disaster plan would need to take into account all four reactions.  Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social.  In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon.  For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation.  Or else a new source of large losses emerges from an existing area of coverage.  Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980s when money market funds threatened to suck all of the money out of insurers, or in the 1990s when variable products decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process.  Firms may have different teams doing risk assessment, risk mitigation and assurance for each separate threat.  This can only make sense when the rewards for taking these risks are large, because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and to operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  Taking up new activities with other, unique threats is also less of a problem under this mode.  Firms operating under the highly adaptable mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within the firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions.  At the extreme of the low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from simple “Credit” or “Market” risk to very complex instruments that had elements of both with highly intricate structures, there was not enough movement to the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats.  (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

CRO is not the Moral Compass

May 29, 2012

The American Banker has a new column on risk management.  The first article is here.  Clifford Rossi makes some good points about the JP Morgan story.  But Riskviews takes issue with one point that he makes…

The paradigms of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same: losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Stearns and Lehman, folks who were involved all say that it was just a liquidity issue. If they had just had a little more funds, they would have made the trades that would have brought the firm back.

The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.

Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand, are fully aware of and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require notification about others.

In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.

However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager.  The loss that resulted would then be a decision that did not work out as intended, not even necessarily a bad decision.  Not all decisions work out well.  And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.

If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.

Risk and Reward

May 19, 2012

Successful Businesses pay attention to risk.

– How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position.  They have a basket.  Each basket is different.  It can only hold so much.  Sometimes, you decide to put a little more in the basket, sometimes a little less.  They should know when they have stacked their risk far over the top of the basket.

– What kinds of risk to take.  They have a plan for how much of each major class of risk they will pick up to use up the capacity of their basket.

– Then when they actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.

– And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace.  Some business managers do it backwards.  If they are not being paid much for risk, they fill up the basket higher and higher.  That is what many did just prior to the financial crisis.  In insurance terms, they grew rapidly at the peak of the soft market.  Just prior to the crisis, risk margins for most financial market risks were at cyclical lows.  What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest.  Few do that.  However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage.  This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins.  But it also needs to be informed by diversification principles.  Short term thinking suggests that risk taking shift entirely to the particular risk with the immediate best risk adjusted margin.  Long term thinking suggests something very different.  Long term thinking realizes that the business needs to have alternatives.  For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad.  Risk and reward needs to develop a balance between short term and long term, to allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple-minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) or it may well be lower.  The risk reward system needs to be sensitive to all three of these possibilities and ready to react accordingly.

ERM Mission Statements

January 10, 2012

From the Annual Reports:

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an integrated approach to assessing and controlling risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
·      Understanding which risks the company is able to underwrite;
·      Assessing the risk-return trade-off associated with these risks;
·      Establishing limits for the level of exposure to a particular risk or combination of risks; and
·      Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

Let’s get Real

November 7, 2011

Talk to CROs and all the nice theories about risk management get put in their place.  In real companies, the loudest and most influential voice is usually the people who want to add risks.

A real CRO is not often struggling with issues of risk theory.  They are totally immersed in the reality of corporate power politics.

  • In some firms, the CEO will set up the CRO in a position where risk concerns will trump all else.  The CRO will have authority to stop or curtail any activity that s/he feels is excessively risky.
  • In other firms, the CEO will set up the CRO to be one of many voices that are clamoring for attention and for their point of view to be heard.
  • And a third set of firms has the CRO as purely a reporting function, not directly involved in the actual decision making of the firm.
The first case sounds ideal, until the CRO and the CEO go head to head on a major decision.  The battle is not usually long.  The CEO’s view will win.  In these firms, it is usually true that the CRO and the CEO see eye to eye on most things.  The CEO in these firms has the opinion that the business units would take enough risk to imperil the firm if left alone.  But the CEO is still responsible to make sure that the firm is able to grow profitably.  And a CRO who gets used to power over risk decisions sometimes forgets that the power comes solely from the CEO.  But for the most part, the CRO in this firm gets to implement the risk management system that works the way that they think is best.
The second case sounds much more common.  The CEO is not saying exactly how much s/he supports ERM.  The CEO will decide in each situation whether to support the CRO or a business unit head on any risk related major decision.  The risk management system in this firm exists in a grey area.  It might look like the risk management system of the first firm, but it does not always have the same amount of authority.  Managers will find out quickly enough that it is usually better to ask for forgiveness rather than follow the rules in the times when they see an important opportunity.  The CRO in this firm will be seeking to make a difference but has to define their goals as all relative.  Are they able to make a noticeable shift in the way that the firm takes risk?  That shift may not go all the way to an optimal risk taking approach, but it will be a shift towards that situation.  Over time they can hope to educate the business unit management to the risk aware point of view with the expectation that they will gradually shift to more and more comfort with the risk management system.
In some of these firms, the risk management system will look more like the system of the third case below – a Risk Information system.  The approach is to keep all of the negotiation and confrontation that is involved with managing risk limits and standards verbal rather than on paper.
In the third case, the risk management system exists to placate some outside audience.  The CEO has no intention of letting this process dictate or even change any of the decisions that s/he intends to make.  The most evident part of an ERM system is the reports, so the risk management system in these firms will consist almost entirely of reporting.  These firms will be deliberately creating an ERM Entertainment system.  The best hope in these firms is that eventually, the information itself will lead management to better decisions.
What is working against the CRO in the second and third cases are the risk attitudes of the different members of management.   If the CRO is targeting the ERM system and/or reports to the Manager risk attitude then it might be a long time before the executives with other risk attitudes see any value in ERM.

Does Your Firm Know What To Do At a Yellow Light?

October 17, 2011

An Audi advertisement says:

The Yellow light was invented in 1920.  Almost 100 years later, 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time.  Everyone anywhere near a hurricane zone knows the annual season for those storms.  They make sure that they are prepared during that season and don’t worry so much in the off season.  Most risks do not have clear regular seasons, like hurricanes.  (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks.  And it needs to have plans for what needs to be done in each part of the firm so that they “Proceed with Caution”.  And the managers of the affected areas need to know those plans and their own roles.  And there needs to be a Yellow (or Amber) light that flashes somewhere.  And then the managers need to act; they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD: either Red Lights, Cement Barriers or Brick Walls.  A Red Light risk limit means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed.  A Cement Barrier risk limit means that you are prohibited from proceeding when you hit the limit.  A Brick Wall risk limit means that if you hit the limit, you are likely to be terminated.  In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals.  RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans for how to proceed when the Yellow Light goes on.
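One way to make the Yellow Light formal, as an added example that is not code from the Riskviews post: each risk gets an official Caution point below its HARD limit (or, for a soft limit, the limit itself is the Caution point), and the same monitor also takes the outside trigger, the "hurricane season" flag for that risk, so that either trigger turns the light yellow and hands the manager the pre-agreed plan. The limit names, thresholds, exposures and season flags are constructed for illustration.

```python
"""Added example, not code from the Riskviews post: a small monitor that turns
HARD risk limits into a formal Yellow Light system.  The limit names,
thresholds, exposures and season flags below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Signal(Enum):
    GREEN = 1    # proceed
    YELLOW = 2   # Proceed with Caution
    RED = 3      # HARD limit reached: stop and wait for approval (Red Light variety)


@dataclass(frozen=True)
class RiskLimit:
    name: str
    caution_point: float          # the official Caution point (the Yellow Light)
    hard_limit: Optional[float]   # None means a "soft" limit: the limit itself is the Yellow Light
    caution_plan: str             # what "Proceed with Caution" means for this risk

    def signal(self, exposure: float) -> Signal:
        if self.hard_limit is not None and exposure >= self.hard_limit:
            return Signal.RED
        if exposure >= self.caution_point:
            return Signal.YELLOW
        return Signal.GREEN


def evaluate(limits: List[RiskLimit],
             exposures: Dict[str, float],
             in_season: Dict[str, bool]) -> Dict[str, Tuple[Signal, str]]:
    """Combine the inside trigger (exposure against the limit) with the outside
    trigger (the risk's "hurricane season" flag).  The outside trigger never
    lowers a signal; it raises GREEN to YELLOW so the caution plan is executed."""
    result: Dict[str, Tuple[Signal, str]] = {}
    for lim in limits:
        sig = lim.signal(exposures.get(lim.name, 0.0))
        if in_season.get(lim.name, False) and sig is Signal.GREEN:
            sig = Signal.YELLOW
        instruction = {
            Signal.GREEN: "no action",
            Signal.YELLOW: lim.caution_plan,
            Signal.RED: "stop; wait for approval to proceed",
        }[sig]
        result[lim.name] = (sig, instruction)
    return result


# Constructed limits and positions (hypothetical names, not real figures)
LIMITS = [
    RiskLimit("windstorm_aggregate", caution_point=80.0, hard_limit=100.0,
              caution_plan="suspend new coastal writings; review reinsurance attachment"),
    RiskLimit("equity_exposure", caution_point=50.0, hard_limit=None,
              caution_plan="no new equity purchases without CRO sign-off"),
    RiskLimit("single_counterparty", caution_point=20.0, hard_limit=25.0,
              caution_plan="halt incremental trades with this counterparty"),
]
EXPOSURES = {"windstorm_aggregate": 72.0, "equity_exposure": 55.0, "single_counterparty": 25.0}
IN_SEASON = {"windstorm_aggregate": True}   # outside world says it is hurricane season


def run_demo() -> Dict[str, Tuple[Signal, str]]:
    """Evaluate the constructed book against its limits."""
    return evaluate(LIMITS, EXPOSURES, IN_SEASON)


if __name__ == "__main__":
    for name, (sig, what) in run_demo().items():
        print(f"{name:22s} {sig.name:7s} {what}")
```

In the constructed data the windstorm exposure is below its Caution point but the season flag still turns it yellow, the soft equity limit goes yellow because the limit itself is the caution signal, and the counterparty position sits exactly on its HARD limit and goes red. A Cement Barrier or Brick Wall limit would differ from the Red Light only in the instruction attached to the red signal.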

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is “watch out for the other two groups”.

How to do Risk Management in Lean Times

September 30, 2011

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

  1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) whether the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
  2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transferred to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
  3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can be a very time consuming part of your staff’s work.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in inboxes.
  4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
  5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
  6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
  7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.
These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

How many significant digits on your car’s speedometer?

September 29, 2011

Mine only shows the numbers every 20 and has markers for gradations of 5. So the people who make cars think that it is sufficient accuracy to drive a car that the driver knows the speed of the car within 5.
And for the sorts of things that one usually needs to do while driving, that seems fine to me. I do not recall ever even wondering what my speed is to the nearest .0001.

That is because I never need to make any decisions that require the more precise value.
What about your economic capital model? Do you make decisions that require an answer to the nearest million? Or nearest thousand, or nearest 1?  How much time and effort goes into getting the accuracy that you do not use?

What causes the answer to vary from one time you run your model to another?  Riskviews tries to think of the drivers of changes as volume variances and rate variances.

The volume variances are the changes you experience because the volume of risk changes.  You wrote more or less business.  Your asset base grew or shrunk.

Rate variances are the changes that you experience because the amount of risk per unit of activity has changed.  Riskviews likes to call this the QUALITY of the risk.  For many firms, one of the primary objectives of the risk management system is to control the QUANTITY of risk.

QUANTITY of risk = QUALITY of risk times VOLUME of risk.
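The volume and rate variances above can be computed directly from QUANTITY = QUALITY x VOLUME. The following is an added example, not code from the Riskviews post: it splits the change in a modelled risk figure between two runs into a volume variance (priced at the old quality) and a rate variance (priced on the new volume), which add up exactly to the total change, and labels which driver dominates. The same split serves tip 6 of "How to do Risk Management in Lean Times" above, since a risk class whose change is all volume variance is one that "changes proportionately with volumes of business" and is a candidate for less frequent model runs. The risk classes and figures are constructed for illustration.

```python
"""Added example, not code from the Riskviews post: split the change in a
modelled risk figure between two runs into a VOLUME variance and a RATE
(QUALITY) variance, using QUANTITY = QUALITY x VOLUME.  The risk classes and
figures below are constructed for illustration."""
from typing import Dict, Tuple

Run = Tuple[float, float]   # (VOLUME of risk, QUALITY of risk per unit of volume)


def decompose(before: Run, after: Run) -> Tuple[float, float, float]:
    """Return (total_change, volume_variance, rate_variance).

    The volume variance prices the change in volume at the OLD quality, so it
    shows only growth or shrinkage of the book.  The rate variance prices the
    change in quality on the NEW volume, so it shows the shift in risk per
    unit.  The two add up exactly to the total change in QUANTITY.
    """
    vol0, qual0 = before
    vol1, qual1 = after
    total = qual1 * vol1 - qual0 * vol0
    volume_variance = (vol1 - vol0) * qual0
    rate_variance = (qual1 - qual0) * vol1
    return total, volume_variance, rate_variance


def driver(volume_variance: float, rate_variance: float) -> str:
    """Label what moved the figure: 'volume', 'rate', 'mixed' or 'none'."""
    denom = abs(volume_variance) + abs(rate_variance)
    if denom == 0:
        return "none"
    rate_share = abs(rate_variance) / denom
    if rate_share < 0.10:
        return "volume"
    if rate_share > 0.90:
        return "rate"
    return "mixed"


# Constructed runs: {risk class: ((volume, quality) last run, (volume, quality) this run)}
RUNS: Dict[str, Tuple[Run, Run]] = {
    "mortality": ((1000.0, 0.050), (1100.0, 0.050)),   # book grew, quality unchanged
    "credit":    ((800.0, 0.040), (800.0, 0.060)),     # same book, worse quality
    "equity":    ((500.0, 0.200), (600.0, 0.150)),     # bigger book, better quality
}


def analyse(runs: Dict[str, Tuple[Run, Run]] = RUNS) -> Dict[str, Dict[str, object]]:
    """Per risk class: total change, the two variances and the dominant driver."""
    out: Dict[str, Dict[str, object]] = {}
    for name, (before, after) in runs.items():
        total, vol_var, rate_var = decompose(before, after)
        out[name] = {
            "total": round(total, 6),
            "volume_variance": round(vol_var, 6),
            "rate_variance": round(rate_var, 6),
            "driver": driver(vol_var, rate_var),
        }
    return out


if __name__ == "__main__":
    for name, row in analyse().items():
        print(f"{name:10s} total={row['total']:+8.3f} "
              f"volume={row['volume_variance']:+8.3f} "
              f"rate={row['rate_variance']:+8.3f} driver={row['driver']}")
```

With the constructed runs, mortality moves only because the book grew (pure volume variance), credit moves only because risk per unit worsened (pure rate variance, the kind of QUALITY shift the post says must be managed at risk acceptance rather than by the modeling group), and equity is a mix of a bigger book and better quality. The convention of pricing volume at the old quality and rate on the new volume is one of several; any consistent choice still reconciles to the total.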

Some of those firms seek to control quantity of risk solely by managing VOLUME.  They only look at QUALITY of risk after the fact.  Some firms only look at QUALITY of risk when they do their economic capital calculation.  They try to manage QUALITY of risk from the modeling group.  That approach to managing QUALITY of risk is doomed to failure.

That is because QUALITY of risk is a micro phenomenon and needs to be managed operationally at the stage of risk acceptance.  Trying to manage it as a macro phenomenon results in the development of a process to counter the risks taken at the risk acceptance area with a macro risk offsetting activity.  This adds a layer of unnecessary cost and also adds a considerable amount of operational risk.

Some firms have processes for managing both QUANTITY and QUALITY of risk at the micro level.  At the risk acceptance stage.  The firm might have tight QUALITY criteria for risk acceptance or if the firm has a broad range of acceptable risk QUALITY it might have QUANTITY of risk criteria that have been articulated as the accumulation of quantity and quality.  (In fact, if they do their homework, the firms with the broad QUALITY acceptance will find that some ranges of QUALITY are much preferable to others and they can improve their return for risk taking by narrowing their QUALITY acceptance criteria.)

Once the firm has undertaken one or the other of these methods for controlling quality, then the need for detailed and complex modeling of their risks decreases drastically.  They have controlled their accumulation of risks and they already know what their risk is before they do their model.

Ten Commandments for a Crash

September 26, 2011

Joshua Brown wrote “Ten Commandments for a Crash”  – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that it's a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down!

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists.

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things where you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  The bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Don’t Forget to Breathe

September 5, 2011

No air-breathing organism needs any special process to avoid the risk of simply forgetting to breathe. Mostly, they just do it automatically. And if for some strange reason they stop breathing, their body very quickly develops a violent response to the lack of new air.

Drinking and eating are not quite so automatic, but it is also unnecessary to remind people not to starve to death, when they have a choice to do otherwise.

Animals, including humans, can be observed to also have many, many automatic risk management behaviors. Fear of heights, startle reactions, fight or flight adrenalin releases, and so on. In fact, if you are at a loss of how to deal with any business risk, just go down the list of human natural defenses against risk and you will get lots and lots of different ideas. The natural environment in which the human species evolved was and remains very dangerous. Risks come at us from every direction. Some are constant (like falling from a great height) and some change all the time (like predators and competitors for resources).

Many business managers will contend that their company has developed automatic systems that are embedded in the DNA of the firm to handle risk. The continued existence of the firm is put in evidence as the primary proof of that contention.

The problem with believing that sort of argument is that while a failure to breathe will send an animal into fits of gasping, and dancing on the edge of a cliff will make most animals' heads spin with a natural fear reflex, there are no noticeable consequences of a business stopping its risk management activities.

There are natural, automatic and almost fool proof mechanisms in animals to prevent them from taking some of the most immediately dangerous risks. There are absolutely none of those in a business setting.

So even if there has been a long history of ingrained risk management actions in a firm, a sudden change in personnel can send all that right out the window.

One way of looking at a risk management system is as the replacement for the natural fail safe mechanisms.

Nature saw fit to add a violent automatic natural reaction to a lack of air to the automatic breathing mechanism that can be consciously overridden. The business risk management traditions can be easily and painlessly overridden, unless there is a good risk management system to make the company gasp for breath.

You might find yourself swimming underwater. You override your natural urge to breathe. There are interesting things to see underwater. But you will find it very difficult to stay under too long. Your body has failsafe mechanisms that means you have to work at it very hard to stay under long enough to really hurt yourself. In fact, the mechanism seems to have such a margin of error that you start to want to come back up when you still have the capacity to get back to the surface.

Companies have no similar automatic mechanism.  When someone fails to do the risk management that they should, usually the reaction is that things look and seem better.  Most often, risk management depresses profits and reduces choices.  The feedback that is experienced leads in exactly the wrong direction.

A risk management system is the answer to the problem.  The risk management system needs to have mechanisms to keep reminding employees that they need to follow the system rules.

Risk management is not at all like breathing.  In fact quite the opposite.  A firm that wants to have risk management for the long term will need to have a formal process to remind employees that it is important.  In addition, the importance of risk management needs to be periodically reinforced by statements of support from top management.

Risk management is more like a medicine that a person who feels perfectly fine is asked to take regularly.  Every day, they get up and take this medicine, but there is no obvious indication that the medicine is needed.  Many will simply start to forget to take the medicine.  Stop wasting the time it takes to buy and take the medicine.  Avoid even minor side effects.

On the other hand, things that are bad for your health give quite positive short term feedback.

The trick is to make risk management become more and more like breathing: to make it a reflex, and to build up the mechanisms that will send out danger signals if someone tries to override those automatic mechanisms.

ERM Disclosure (2)

August 22, 2011

In a post last week, it was noted that US insurers are starting to admit to managing their risks in their public disclosures.  The 671 word discussion of the ERM process of Travelers was reproduced.  (Notice that over 100 of those words talk about the unreliability of the ERM system.)

But disclosure of ERM processes has been much more widespread and much more extensive in other parts of the world for more than 5 years.

For example, Munich Re's 2010 annual report has a 20 page section titled Risk Report.  That section has subheadings such as:

  • Risk governance and risk management system
  • Risk management organisation, roles and responsibilities
  • Control and monitoring systems
  • Risk reporting
  • Significant risks
  • Underwriting risk: Property-casualty insurance
  • Underwriting risk: Life and health insurance
  • Market risk
  • Credit Risk
  • Operational risk
  • Liquidity risk
  • Strategic risk
  • Reputation Risk
  • Economic Capital
  • Available Financial Resources
  • Selected Risk Complexes

It is not just Munich Re.  Manulife’s Risk Management disclosure is 22 pages of their annual report.  Below is the introduction to that section:

Manulife Financial is a financial institution offering insurance, wealth and asset management products and services, which subjects the Company to a broad range of risks. We manage these risks within an enterprise-wide risk management framework. Our goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue, earnings and capital growth.
We seek to achieve this by capitalizing on business opportunities that are aligned with the Company’s risk taking philosophy, risk appetite and return expectations; by identifying, measuring and monitoring key risks taken; and by executing risk control and mitigation programs.
We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management (“ERM”) framework sets out policies and standards of practice related to risk governance, risk identification, risk measurement, risk monitoring, and risk control and mitigation. With an overall goal of effectively executing risk management activities, we continuously invest to attract and retain qualified risk professionals, and to build, acquire and maintain the necessary processes, tools and systems.
We manage risk taking activities against an overall risk appetite, which defines the amount and type of risks we are willing to assume. Our risk appetite reflects the Company’s financial condition, risk tolerance and business strategies. The quantitative component of our risk appetite establishes total Company targets defined in relation to economic capital, regulatory capital required, and earnings sensitivity.
We have further established targets for each of our principal risks to assist us in maintaining appropriate levels of exposures and a risk profile that is well diversified across risk categories. In 2010, we cascaded the targets for the majority of our principal risks down to the business level, to facilitate the alignment of business strategies and plans with the Company’s overall risk management objectives.
Individual risk management programs are in place for each of our broad risk categories: strategic, market, liquidity, credit, insurance and operational. To ensure consistency, these programs incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework, covering:

■ Assignment of risk management accountabilities across the organization;
■ Delegation of authorities related to risk taking activities;
■ Philosophy and appetite related to assuming risks;
■ Establishment of specific risk targets or limits;
■ Identification, measurement, assessment, monitoring, and reporting of risks; and
■ Activities related to risk control and mitigation.

Such frank discussion of risk and risk management may be seen by some US insurers' management as dangerous.  In the rest of the world, the situation is moving towards one where NOT discussing risk and risk management frankly and openly is a risk to management.

Which would you prefer?

Reporting on an ERM Program

August 15, 2011

In a recent post, RISKVIEWS stated six key parts to ERM.  These six ideas can act as the outline for describing an ERM Program.  Here is how they could be used:

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

REPORT: Display the risk profile of the firm.  Discuss how the firm has increased or decreased diversification within each risk and between risks in the recent past.  Discuss how this is a result of deliberate risk and diversification related choices of the firm, rather than just a record of what happened as a result of other totally unrelated decisions. 

2.  A firm needs to be sure of the quality of the risks that it takes.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

REPORT:  Display the risk quality of the firm.  Discuss how the firm has increased or decreased risk quality in the recent past and the reasons for those changes.  Discuss how risk quality is changing in the marketplace and how the firm maintains the quality of the risks that are chosen.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

REPORT:  The control cycle will be described in terms of who is responsible for each step as well as the plans for remediation should limits be breached.  A record of breaches should also be shown.  (Note that a blemish-less record might be a sign of good control or it might simply mean that the limits are ineffectively large.)  Emerging risks should have their own control cycle and be reported as well.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

REPORT:  For General Insurance, this means reporting combined ratio.  In addition, it is important to show how risk margins are similar to market risk margins.  Note that products with combined ratios over 100% may or may not be profitable if the reserves do not include a discount for interest.  This is accomplished by mark-to-market accounting for investment risks.  Some insurance products have negative value when marked to market (all-in assets and liabilities) because they are sold with insufficient risk margins.  This should be clearly reported, as well as the reasons for that activity.  

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

REPORT:  Risk reward management requires determining return on risk for all activities as well as a planning process that starts with projections of such and a conscious choice to construct a portfolio of risks.  This process has its own control cycle.  The reporting for this control cycle should be similar to the process described above.  This part of the report needs to explain how management is thinking about the diversification benefits that potentially exist from the range of diverse risks taken.  

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves or technical provisions) for expected losses and capital for excess losses.

REPORT:  Losses can be shown in four layers: expected losses, losses that decrease total profits, losses that exceed gains from other sources but that are less than capital, and losses that exceed capital.  The likelihood of losses in each of those four layers should be described, as well as the reasons for material changes.  Some firms will choose to report their potential losses in just two layers: expected losses, and losses up to a certain likelihood (usually 99.5% in a year or a similar likelihood).  However, regulators should have a high interest in the nature and potential size of those losses in excess of capital.  The determination of the likelihood of losses in each of the four layers needs to reflect the other five aspects of ERM, and when reporting on this aspect of ERM, discussion of how they are reflected would be in order.  
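As an added illustration of item 6 (this is example code written for this page, not code from RISKVIEWS or from any insurer), the block below takes a constructed set of equally likely annual loss outcomes and sorts each one into the four layers the post names. The thresholds between layers are an assumption of the example: a loss up to the reserve is "expected", a loss up to reserve plus other gains "reduces profit", a loss up to that amount plus capital "consumes capital", and anything beyond is unfunded. The figures, the `Provisions` class and the function names are all constructed for the example. It also produces the two-layer view (reserve plus a loss at a chosen likelihood) so the reader can see what that view leaves out: the probability mass above capital.

```python
from dataclasses import dataclass
from math import ceil
from typing import Dict, Sequence

# Constructed sample: 20 equally likely annual loss outcomes for one risk
# category (hypothetical figures, not data from the page).
SAMPLE_LOSSES = [40, 55, 60, 70, 80, 90, 100, 110, 120, 130,
                 150, 180, 220, 260, 300, 350, 420, 500, 650, 900]

# The four layers from the post, in increasing order of severity.
LAYERS = ("expected", "reduces_profit", "consumes_capital", "exceeds_capital")


@dataclass(frozen=True)
class Provisions:
    """Set-asides that absorb losses, in the order the post describes them."""
    reserve: float      # provision (reserve / technical provision) for expected losses
    other_gains: float  # gains from other sources that a larger loss eats into
    capital: float      # capital held for losses beyond those gains


def classify_loss(loss: float, prov: Provisions) -> str:
    """Assign one loss outcome to one of the four layers.

    The thresholds are this example's interpretation of the post: losses are
    absorbed first by the reserve, then by other gains, then by capital.
    """
    profit_threshold = prov.reserve + prov.other_gains
    capital_threshold = profit_threshold + prov.capital
    if loss <= prov.reserve:
        return "expected"
    if loss <= profit_threshold:
        return "reduces_profit"
    if loss <= capital_threshold:
        return "consumes_capital"
    return "exceeds_capital"


def layer_probabilities(losses: Sequence[float], prov: Provisions) -> Dict[str, float]:
    """Empirical likelihood of landing in each layer, from equally likely outcomes."""
    counts = {layer: 0 for layer in LAYERS}
    for loss in losses:
        counts[classify_loss(loss, prov)] += 1
    n = len(losses)
    return {layer: counts[layer] / n for layer in LAYERS}


def loss_quantile(losses: Sequence[float], p: float) -> float:
    """Nearest-rank quantile of the outcomes, e.g. p=0.995 for a 1-in-200 year loss."""
    ordered = sorted(losses)
    rank = max(1, min(len(ordered), ceil(p * len(ordered))))
    return ordered[rank - 1]


def two_layer_view(losses: Sequence[float], prov: Provisions, p: float = 0.995) -> Dict[str, float]:
    """The two-layer report (reserve plus the loss at likelihood p), together with
    the probability mass above capital that such a report does not show."""
    probs = layer_probabilities(losses, prov)
    return {
        "reserve": prov.reserve,
        "loss_at_p": loss_quantile(losses, p),
        "unreported_above_capital": probs["exceeds_capital"],
    }


if __name__ == "__main__":
    prov = Provisions(reserve=200, other_gains=150, capital=400)
    for layer, prob in layer_probabilities(SAMPLE_LOSSES, prov).items():
        print(f"{layer:>18}: {prob:.0%}")
    print(two_layer_view(SAMPLE_LOSSES, prov))
```

With only 20 outcomes the 99.5% quantile is simply the worst outcome in the sample; a real economic capital model would supply many thousands of simulated years, but the layering logic is the same.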

You Must Abandon All Presumptions

August 5, 2011

If you really want to have Enterprise Risk Management, then you must at all times abandon all presumptions. You must make sure that all of the things needed to successfully manage risks are being done, and done now, not sometime in the distant past.

A pilot of an aircraft will spend over an hour checking things directly and reviewing other people’s checks.  The pilot will review:

  • the route of flight
  • weather at the origin, destination, and enroute.
  • the mechanical status of the airplane
  • mechanical issues that may have been improperly logged.
  • the items that may have been fixed just prior to the flight to make certain that system works
  • the flight computer
  • the outside of the airplane for obvious defects that may have been overlooked
  • the paperwork
  • the fuel load
  • the takeoff and landing weights to make sure that they are within limits for the flight

Most of us do not do anything like this when we get into our cars to drive.  Is this overkill?  You decide.

When you are expecting to fly somewhere and there is a last minute delay because of something that seems like it should have really been taken care of, that is likely because the pilot finds something that someone might normally PRESUME was ok that was not.

Personally, as someone who takes lots and lots of flights, RISKVIEWS thinks that this is a good process.  One that RISKVIEWS would recommend to be used by risk managers.

THE NO PRESUMPTION APPROACH TO RISK MANAGEMENT

Here are the things that the Pilot of the ERM program needs to check before taking off on each flight.

1.  Risks need to be diversified.  There is no risk management if a firm is just taking one big bet.

2.  A firm needs to be sure of the quality of the risks that it takes.  This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality.  There is no single source of information about quality that is adequate.

3.  A control cycle is needed regarding the amount of risk taken.  This implies measurements, appetites, limits, treatment actions, reporting, feedback.

4.  The pricing of the risks needs to be adequate.  At least if you are in the risk business like insurers, for risks that are traded.  For risks that are not traded, the benefit of the risk needs to exceed the cost in terms of potential losses.

5.  The firm needs to manage its portfolio of risks so that it can take advantage of the opportunities that are often associated with its risks.  This involves risk reward management.

6.   The firm needs to provision for its retained risks appropriately, in terms of set asides (reserves) for expected losses and capital for excess losses.

A firm ultimately needs all six of these things.  Things like a CRO, or risk committees or board involvement are not on this list because those are ways to get these six things.

The Risk Manager needs to take a NO PRESUMPTIONS approach to checking these things.  Many of the problems of the financial crisis can be traced back to presumptions that one or more of these six things were true without any attempt to verify.

Trimming Risk Positions – 10 ERM Questions from Investors – The Answer Key (6)

July 25, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

There are a number of issues relating to this question.  First of all, does the insurer ever trim a risk position?  Some insurers are pure buy and hold.  They never think to trim a position, on either side of their balance sheet.  It is quite possible that the CEO might not know that terminology, but the CFO should.  And if the insurer actually has an ERM program then they should have considered trimming positions at some point in time.  If not, then they may just have so much excess capital that they never have felt that they had too much risk.

Another issue is whether the CEO and CFO are aware of risk position trimming.  If they are not, that might indicate that their system works so well that there are never situations involving excess risks that need to be brought to their attention.  Again, that is not such a good sign.  It either means that their staff never takes any significant risks that might need trimming, or else there is not a good communication system as a part of their ERM system.

Risks might need trimming if either by accident or on purpose, someone directly entered into a transaction, on either side of the balance sheet, that moved the company past a risk limit.  That would never happen if there were no limits, if there is no system to check on limits or if the limits are so far above the actual expected level of activity that they are not operationally effective limits.

In addition, risk positions might need trimming for several other reasons.  A risk position that was within the limit might have changed because of a changing environment or a recalibration of a risk model.  Firms that operate hedging or ALM programs could be taking trimming actions at any time.  Firms that use cat models to assess their risk might find their positions in excess of limits when the cat models get re-calibrated as they were in the first half of 2011.

And risk positions may need to be trimmed if new opportunities come along that have better returns than existing positions on the same risk.  A firm that is expecting to operate near its limits might want to trim existing positions so that the new opportunity can be fit within the limits.

So a firm with a good ERM program might be telling any of those stories in answer to the question.
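The limit control cycle that item 3 of "Reporting on an ERM Program" asks a firm to report on (who owns each limit, a record of breaches, and the caveat that a blemish-less record may just mean the limits are too large) and the trimming discussion above both come down to the same bookkeeping. The block below is an added example, not code from RISKVIEWS or from any insurer: the limits, owners and four quarters of positions are constructed figures, and the `LimitSpec`, `Breach`, `run_control_cycle`, `ineffective_limits` and `trimming_needed` names are this example's own. It records breaches against their accountable owner, computes how far each position must be trimmed to get back inside its limit, and flags limits that the positions never came near, which is the "operationally ineffective limit" case the post describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LimitSpec:
    limit: float  # maximum permitted position for the risk
    owner: str    # person accountable for remediation when the limit is breached


@dataclass(frozen=True)
class Breach:
    period: str
    risk: str
    position: float
    limit: float
    owner: str


# Constructed limits and four quarters of measured positions (hypothetical
# figures in arbitrary units; not data from the page).
LIMITS: Dict[str, LimitSpec] = {
    "equity": LimitSpec(limit=100.0, owner="Head of Investments"),
    "credit": LimitSpec(limit=200.0, owner="Head of Credit"),
    "cat":    LimitSpec(limit=50.0,  owner="Chief Underwriter"),
}
HISTORY: List[Tuple[str, Dict[str, float]]] = [
    ("2011Q1", {"equity": 80.0,  "credit": 60.0, "cat": 30.0}),
    ("2011Q2", {"equity": 95.0,  "credit": 70.0, "cat": 55.0}),
    ("2011Q3", {"equity": 110.0, "credit": 80.0, "cat": 40.0}),
    ("2011Q4", {"equity": 90.0,  "credit": 75.0, "cat": 45.0}),
]


def check_limits(period: str, positions: Dict[str, float],
                 limits: Dict[str, LimitSpec]) -> List[Breach]:
    """One pass of the control cycle: compare every limited risk to its measurement.

    A limit with no measurement behind it is a presumption, not a control, so
    a missing measurement is an error rather than a silently passed check.
    """
    breaches: List[Breach] = []
    for risk, spec in limits.items():
        if risk not in positions:
            raise ValueError(f"{period}: no measurement for limited risk '{risk}'")
        position = positions[risk]
        if position > spec.limit:
            breaches.append(Breach(period, risk, position, spec.limit, spec.owner))
    return breaches


def run_control_cycle(history: List[Tuple[str, Dict[str, float]]],
                      limits: Dict[str, LimitSpec]) -> Tuple[List[Breach], Dict[str, float]]:
    """Run the cycle over every period; return the breach log and, per risk,
    the peak utilization (position / limit) seen over the whole history."""
    log: List[Breach] = []
    peak = {risk: 0.0 for risk in limits}
    for period, positions in history:
        log.extend(check_limits(period, positions, limits))
        for risk, spec in limits.items():
            peak[risk] = max(peak[risk], positions[risk] / spec.limit)
    return log, peak


def ineffective_limits(peak_utilization: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Limits the positions never came close to. A clean record here may mean
    the limit is too large to constrain anything, not that control is good."""
    return sorted(risk for risk, util in peak_utilization.items() if util < threshold)


def trimming_needed(positions: Dict[str, float],
                    limits: Dict[str, LimitSpec]) -> Dict[str, float]:
    """Amount by which each breached position must be trimmed to return within its limit."""
    return {risk: positions[risk] - spec.limit
            for risk, spec in limits.items()
            if risk in positions and positions[risk] > spec.limit}


if __name__ == "__main__":
    breach_log, peak_util = run_control_cycle(HISTORY, LIMITS)
    for b in breach_log:
        print(f"{b.period} {b.risk}: {b.position} > {b.limit}, owner {b.owner}, "
              f"trim by {b.position - b.limit}")
    print("peak utilization:", peak_util)
    print("limits never approached (possibly ineffective):",
          ineffective_limits(peak_util))
```

The threshold in `ineffective_limits` is a judgement call; the point is that the report should surface the question, since a limit that was never within reach of the actual positions tells the board nothing about whether risk taking was controlled.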

10 ERM Questions from an Investor – The Answer Key (3)

July 8, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

3.  The answer to this question requires several parts of risk management to be right.  First of all, the answerer needs to know which risk position grew the most.  Second of all, in a good risk management program, the position that grew the most should have had by far the most scrutiny.  High growth does not always spark big blow ups, but big blow ups are always preceded by high growth.  A firm that is not paying lots and lots of attention to its fastest growing risk is not going to end up with good results.  The highest growth positions require a disproportionately large amount of attention, but most often they get a disproportionately smaller share of attention, because risk management budgets are determined based upon the business at the start of the year.  Finally, to answer the question, the firm needs to have someone whom they can immediately identify as responsible for that risk.  Best practice is to have a senior person responsible for each major risk.  That should be a business person, not the CRO or CFO.  If it is not the same person who is responsible for sales and profits, then management has set up a fight.  On one side is the person responsible for bringing in the business and for achieving profits.  On the other side is the person responsible for preventing losses.  Not a fair fight in most firms.

In the end, the best practice firms recognize that in situations of great change, there needs to be a special ERM process that exceeds the regular ERM process.

10 ERM Questions from an Investor – The Answer Key (2)

July 6, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

2.  One of the large banks that is no longer with us had, on paper, a complete ERM system with a board risk committee that they reviewed their risk reports with every quarter.  But in 2007, when the financial markets were starting to crack up, their board risk committee had not met for more than six months.  The answer to this question is the difference between a pretend ERM system and a real risk system.  The time spent should be proportionate to the complexity of the risk positions of the firm.  For the banks with risk positions that are so complex that they feel that they cannot possibly find enough paper to disclose them, there needs to be much more board time spent, since investors are relying on board oversight rather than market discipline to police the risk taking.  Ask Bernie what you can get away with if there is no disclosure and no oversight.

Many CEOs will tell you that the board has always spent plenty of time talking about risk.  This might be true.  But the standard now is for boards to have a formal risk committee.  Boards that have simply added risk to the Audit Committee's agenda end up short changing either audit or risk or both.  The Audit Committee had a full plate before the risk responsibility was added.

And for a larger complex firm, a single annual briefing on risk is definitely not sufficient.  For a firm with an ERM program, the board needs to review the risk profile, both actual and planned, for each year; approve the risk appetite; approve the ERM Framework and policies of the firm; review the risk limits; and be informed of each breach of the limits or policies of the firm.  If the firm has an economic capital model, the model results need to be presented to the board risk committee each year and updated quarterly.  Risks associated with anything new that the company is doing would be presented as well.

Does that sound like anything other than a full committee?  So your follow up question, if the CEO gives a vague answer is to ask about whether the board reviewed each of the items listed in the preceding paragraph in the past year.

Back to that former bank.  Their risk reports showed a massive build up in risk in violation of board approved limits.

And the board risk committee saved time by not meeting during the period of that run up in risk.

ERM in a Low Interest Rate Environment

June 14, 2011

(Excerpts from a presentation at Riskminds USA)

A discussion of how the current low interest rate environment impacts choices for (1) interest rate risk, (2) other risks and (3) Enterprise Risk Management.
How an insurer might react to low interest rates depends to a large extent on its risk taking strategy and its point of view about interest rate risk.  There are four primary strategies for interest rate risk:
  • Minimize Risk
    • The Classic ALM approach is designed to minimize risk.  Duration mismatch is a measure of the degree to which you failed to achieve risk minimization.  Most ALM programs allow for an acceptable level of mismatch which might be an operational risk acceptance or it might be an option to take some interest rate risk tactically.  Risk is evaluated compared to Zero (matched position).
  • Accumulate Risk
    • The classic approach of banks to interest rate risk is to accumulate it.  The Japan carry trade is an interest rate accumulation trade.  Life insurers usually accumulate mortality risk.  Non-life insurers usually accumulate attritional risks.  Accumulation of risk usually means that there is no limit to the amount of the risk that may be taken if it is priced right.  Risk is evaluated compared to expected cost using utility theory – accept risk if expected value > 0.
  • Manage Risk
    • The new ERM approach to risk is to manage risk by looking at risk vs. reward for the portfolio of risks including diversification effects, taking a strategic or tactical approach to making choices – return targets "over the cycle" or "every year".  Risk is evaluated with an Economic Capital model.  Risk means an increase in total enterprise Economic Capital.
  • Diversify Risk
    • Many firms pay attention to diversification, but few make it the cornerstone of their ERM.  Firms focused on diversification will accumulate a risk as long as it does not come to dominate their risk profile and it is expected to be profitable, often taking a purely tactical approach to which risks they will accumulate.  They may not even have a chosen long term strategic view of most risks.  They evaluate each risk in comparison to the other risks of the enterprise.  The target is to have no single large risk concentration.
There are two aspects of Point of View that you need to be clear about:
  • Long Term Strategic vs. Short Term Tactical
    • You might ignore both and simply avoid a risk
    • You might ignore Strategic and take risks tactically that might not make sense in the long run
    • You might Strategically decide to take a risk and ignore Tactical which means you take the risk no matter the environment
    • You might pay attention to both and always take the risk but vary the amount of the risk
  • Going Concern vs. Going out of Business
    • Classic ALM (and Economic Capital models) use a “going out of business” model
    • But the “Going Concern” model is much more complicated and requires assumptions about future business and should include a going out of business assumption
With these questions resolved a company can go about setting their strategy for interest rate risk taking in a low interest environment.
To do that they may want to look at three scenarios:
  • Scenario 1 – Interest rates stay low
  • Scenario 2 – Interest rates increase slowly
  • Scenario 3 – Interest rates increase quickly
For each scenario, look at the implications for interest rate risk as well as for all of the other aspects of the firm's risk profile and business strategy.  If a scenario shows results that are unacceptable, then the planners and risk managers need to develop strategies to avoid or mitigate the projected problem should that scenario come to pass, as well as triggers for initiating those activities should the scenario appear imminent.

Incorporating Risk into Planning and Strategy

May 31, 2011

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory, and the business education that flows from utility theory, suggests very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might also be reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often it actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under an external constraint system are ill equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite, unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

  • Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
  • Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedence probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
  • Risk Controls review.  Each risk operates within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
  • Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.


Football is about more than just Shoes

April 28, 2011

Of course it is. The equipment never wins the game. It never runs the game.  But a team that shows up without proper equipment has only a slim chance of prevailing.

And ERM is about more than just models.  Some people have mistakenly equated ERM with Economic Capital or VAR models.  That makes no more sense than the idea that football is all about the shoes.

Football is about having the right team, assigning the right roles, setting the strategy and finally, mostly, about execution.  If you asked 1000 experts about football, few if any of them would even list the shoes.

But for ERM, you also need to find the right people, assign the right roles, set the risk strategy and execute.

So why have models found their way into the debate about ERM in financial affairs?

Models in general, and Economic Capital in particular, have become central to the ERM process because insurers and banks have traditionally used very crude and very different approaches to measuring risks, when they actually did try to measure them.  It is difficult to believe that an industry such as insurance, which exists by taking on risks from others, would not have a clear tradition of measuring how much risk it was taking on in a clear and consistent way.

The methods that insurers tended to employ worked when the risks that they were taking stayed the same over time, that is, when the risks could be adequately tracked by reference to something that indirectly tracked the level of the risk.  But when businesses and people and markets are changing the nature and level of risk constantly, those old relationships break down completely.

The promise of economic capital and VaR models is to replace the old rules of thumb with timely and consistent scientific assessments of risk.

But even if that promise is achieved, the insurer or bank has only then got to the point of buying shoes for their football team.  Now they need to start training and coaching the team and watching to see how the team performs, providing feedback and constantly making adjustments as the other teams adjust their teams and strategies.

So the model is a start but it is the start of the football season, not even the start of the playoffs.

You have the shoes now play the game.

Not About Capital

April 13, 2011

The reality is that regulatory capital requirements, no matter how much we try to refine them, will always be a blunt tool.  Certainly they should not create the wrong incentives, but we cannot micromanage firm behavior through regulatory capital requirements.  There are diminishing returns to pursuing precision in regulatory capital requirements.

Terri Vaughan, NAIC

These remarks were made in Europe recently by the lead US regulator of the insurance industry.  In Europe, there has never been a regulatory capital requirement that was risk related.  But the Europeans have been making the discussion all about capital for about 10 years now in anticipation of their first risk based capital regime, Solvency II.

The European assumption is that if they follow as closely as possible the regulatory regime that has failed so spectacularly to control the banking system, Basel II, then everything will be under control.

The idea seems to be that if you concentrate, really concentrate, on measuring risk, then insurance company management will really take seriously the idea of managing risk.   Of course, that conclusion is also based upon the assumption that if you really, really concentrate on measuring risk, you will get it right.

But the Law of Risk and Light tells us that our risk taking systems will lead us to avoid the risk in the light and to load up on the risk in the dark.

That means the risks that are properly measured by the risk based capital regulatory system will be managed.

But whatever risks are not properly measured will come to predominate in the system.  The companies that take those risks will grow their business and their profits faster than the companies that do not take those poorly measured risks.

And if everyone is required to use the same expensive risk measurement system, very, very few will invest the additional money to create alternate measures that will see the flaws in the regulatory regime.

The banking system had a flaw.  And many banks concentrated on risks that looked good in the flawed system but that were actually rotten.

What is needed instead is a system that concentrates on risk controlling.  A firm first needs a risk appetite and second needs a system that makes sure that its risks stay within that appetite.

Under a regulatory risk capital system, the most common risk appetite is that a firm will maintain capital above the regulatory requirement.  This represents a transfer of the duty of management and the board onto the regulator.  They never need to say how much risk that they are willing to take.  They say instead that they are in business to satisfy the regulator with regard to their risk taking.

The capital held by the firm should depend upon the firm’s risk appetite.  The capital held should support the risk limits allowed by the board.

And the heart of the risk control system should be the processes that ensure that the risk stays within the limits.

And finally, the limits should not be a part of a game that managers try to beat.  The limits need to be an extremely clear expression of the fundamental way that the firm wants to conduct business.  So any manager that acts in a way that is contrary to the fundamental goals of the firm should not continue to have authority to direct the activities of the firm.

Systems of Controlling

March 28, 2011

Source: Controlling Modern Government

The four methods of controlling chart above can be very helpful to envision ways to improve risk management control systems.  A control system can use one or several of these methods.  But first it might require a little translation:

  1. Contrived Randomness – choosing by lots does not seem to be a control method, but in fact it is a part of a method that is used every day in almost every business.  Contrived randomness is usually used along with another of the control techniques.  Instead of constantly applying the other control processes, they are applied in a random fashion.  It is easy to imagine how the contrived randomness is vital to cost effective and just plain effective controlling.  If Oversight, for example, is used for controlling on a constant basis, it is very costly, requiring review of every single outcome.  However, if the Oversight is applied regularly, say every 10th event, then the cost is reduced by 90%, but the effectiveness is also reduced by up to 90%.  That is because the person who is being overseen can easily adjust to comply with the control process only on every 10th event and fail to comply the other 9 times without the control process noticing.  Using a random schedule means that a person seeking to avoid the effort of compliance is at much higher risk of being caught by oversight.  And even better, B.F. Skinner found that the intermittent reinforcement provided by positive situations found in random inspections can have much higher impact on creating favorable habits than regular or even constant reinforcement.  The chart also suggests rotation of staff.  This part of the Contrived Randomness approach to controlling is seen in the efforts by banks to control fraud by shifting employees and especially by doing more thorough audits during employee vacations, which is again a combination of randomness and Oversight.
  2. Mutuality – When Mutuality is used as a control system, it sometimes uses peer review, in addition to processes that involve partnering.  The partnering process can be very expensive, or it may save time and money depending on the process.  When the partnering involves two people doing what one might have done, then the extra cost is obvious.  In fact, the cost might well be more than double for a two-person team because of the degree of interaction between the partners that might add time to the tasks.  This must be offset by an increase in effectiveness, quality or continuity for the doubling of resources to make sense.  But the control system application of peer review is very common.  The peer review can be at several possible levels – the peer can be doing a very high level check – “does this make sense?”  Or they can be doing a more thorough review.  Or the peer can be trying to totally independently reproduce the work being reviewed.  In addition, a decision must be made about the frequency of the peer review.  The same ideas expressed above about intermittent reinforcement apply to peer review.
  3. Oversight – monitoring from a supervisory position is the most common form of control.   The supervisor is the most natural candidate for the type of oversight that is needed.  It means broadening the supervisor’s role to go beyond the accomplishment of the primary objective of the unit to also include the controlling objectives.  The downside to this method is the dilution of the supervisor’s attention distracting them from the accomplishment of the primary objective.  In addition, there is the potential mismatch of skills and talents.  In some cases, the primary objective and the controlling objectives require very different methods and skills.
  4. Competition – Competition is another technique that may be difficult to imagine as a control method.  And what is needed to make competition a controlling system is openness of information about the activities that are to be controlled.  For different members of a team to compete, they need to know what and how the others are doing.  This openness is not very common.  But one of the objectives of the open office movement is the free controlling that automatically comes in the open environment.  Some firms do use Competition through a totally open system of managing where all members of a unit know about what every other member is doing.  Control breaches then can only happen if the entire unit agrees that they are necessary.
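The Contrived Randomness item argues that an oversight check applied on a fixed schedule (every 10th event) loses most of its effect because the person being overseen can comply only when checked, while a random schedule at the same average cost cannot be gamed that way. The following is an added simulation, not code from the original post or from the source it cites: it assumes constructed event counts and rates, and a person who skips the controlled step whenever they believe they will not be checked.

```python
"""Why a random inspection schedule controls better than a periodic one.

Added example (not from the original post or its source). It simulates
the post's 'every 10th event' oversight against a random schedule with
the same average cost, facing someone who skips compliance whenever they
believe they will not be checked. Event counts and rates are constructed.
"""
import random


def periodic_inspections(n_events, every=10):
    """Inspect every `every`-th event: cheap, but perfectly predictable."""
    return {i for i in range(n_events) if (i + 1) % every == 0}


def random_inspections(n_events, rate, rng):
    """Inspect each event independently with probability `rate` (same average cost)."""
    return {i for i in range(n_events) if rng.random() < rate}


def skipped_events(n_events, skip_fraction, rng, known_schedule=None):
    """Events on which the person skips the controlled step.

    With a known periodic schedule they skip exactly the uninspected events.
    With an unknown random schedule they can only save the same effort by
    skipping a blindly chosen subset of the same size.
    """
    if known_schedule is not None:
        return set(range(n_events)) - known_schedule
    k = int(round(n_events * skip_fraction))
    return set(rng.sample(range(n_events), k))


def simulate(n_events, mode, seed=0, rate=0.1):
    """Run one period under 'periodic' or 'random' oversight and report what was caught."""
    rng = random.Random(seed)
    if mode == "periodic":
        inspected = periodic_inspections(n_events, every=int(round(1 / rate)))
        skipped = skipped_events(n_events, 1 - rate, rng, known_schedule=inspected)
    elif mode == "random":
        inspected = random_inspections(n_events, rate, rng)
        skipped = skipped_events(n_events, 1 - rate, rng)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    caught = inspected & skipped
    return {
        "inspections": len(inspected),   # the cost of the control
        "skipped": len(skipped),         # the effort the person avoided
        "caught": len(caught),           # skipped events that were inspected
    }


def prob_caught_at_least_once(n_events, rate, skip_fraction):
    """Closed form for the random schedule: 1 - (1 - rate * skip_fraction)^n."""
    return 1.0 - (1.0 - rate * skip_fraction) ** n_events


if __name__ == "__main__":
    for mode in ("periodic", "random"):
        print(mode, simulate(100, mode, seed=2011))
    print("P(caught at least once, random):",
          round(prob_caught_at_least_once(100, 0.1, 0.9), 5))
```

Under the periodic schedule the ten inspections catch nothing, because the 90 skipped events are exactly the uninspected ones. Under the random schedule with the same ten-percent rate, skipping the same 90 events is caught at least once with probability above 0.999 over 100 events, which is the effect the post describes.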

Many would think that Oversight is the main form of controlling.  Hopefully, this post will expand your view to include these other options.

Infrastructure Risk – Too High

March 23, 2011

The American Society of Civil Engineers has produced a report card on the state of the infrastructure in the US.

The good news is that the richest country in the world did not flunk.

The bad news is that the overall average grade is a D.

Now Warren Buffett reminds us that you shouldn’t expect an unbiased answer if you ask a barber whether you need a haircut.  And in this case, the civil engineers would benefit significantly from an increase of attention to infrastructure.

But let’s look at the sorts of suggestions that they make.  Many of them can be generalized to other areas of risk. (Paraphrased by Riskviews)

  • Encourage risk reduction/management programs
  • Use the best of current science rather than continuing to follow science from many years ago
  • Develop emergency action plans
  • Develop maintenance standards
  • Establish plan to fund needed improvements in risk management
  • Evaluate specific impact of failure to improve risk management
  • Educate stakeholders regarding above
  • Establish a regular review process

In the case of infrastructure, there is a recognized lifespan of the systems and a continual deterioration expected.

Risk systems in general are not thought of as wasting assets, but perhaps that is simply because risk management is so new.

Perhaps even the firms that have achieved the point of a full and integrated set of risk management systems should think of the useful life of those systems.

“The principal reason we have train crashes is a lack of investment in rail infrastructure – and the reason we have systemic crises is a lack of investment in financial infrastructure.”  Hugo Bänziger, in the FT

The money will always be there to keep funding innovations in the way that risk is added to a firm.

Crossroad of ERM

March 18, 2011

The ninth ERM Symposium in Chicago was the crossroads of ERM for a few days.

Heard there:

  • The Financial crisis was not the failure of regulators, except perhaps the OTS.
  • Compliance culture of risk management in banks contributed to the crisis
  • 85% of bank losses were from the structured finance area.
  • Securitization was 30 years old, but there was a quantum jump of complexity.
  • Banks were supposed to have been sophisticated enough to control their risks.
  • Discussion of subsidization of housing was broadly blamed.
  • Riskviews suggests that only a tiny part of the fault is with housing policy.  Rest is simply finger pointing at best and deliberate misdirection at worst.  Losses and problems in banks were 400% or more higher than actual losses in mortgages, possibly 1000% or more higher.  Severe losses resulted from using housing as the basis for gambling.  They could just as easily have bet on rainfall.  Then would they blame the weather for the losses?  Securities in play far exceeded the amount of mortgages.  And the multiple layers of bets concentrated on the worst stuff.
  • Regulators need to keep up with innovation and excessive leverage from innovation.
  • Riskviews:  No evidence that regulators have even started to deal with excessive leverage except in the crudest manner.  It is still possible to use derivatives to skip right past leverage rules.  If you can replicate a highly levered position with a derivative position, then the derivative position IS A HIGHLY LEVERED POSITION.
  • German regulator requires that banks have a Risk Controller who reports directly to the board.
  • ERM is not an EASY button from Staples.
  • Energy firms that had excessive trading losses were allowed to fail.
  • Banking suffered from concentrated opacity.
  • The board has to challenge management about risk.  The Masters of the Universe approach, or the smartest guys in the room, try to intimidate the board into feeling too stupid if they ask any questions.
  • There will need to be major cultural changes for ICAAP/ORSA to be effective.
  • Many banks and insurers should be failing the use test for ERM regulation to be effective.
  • Stress testing is becoming a major tool for regulators.
  • European regulators could not apply real stress tests because that would have meant publicly asking banks to look at a scenario of major sovereign defaults in Europe.
  • Regulators need to be able to pay competitive market salaries
  • Cross border collaboration among regulators has broken out.
  • Difficult for risk managers to operate under multiple constraints of multiple regulators, accounting systems.
  • Riskviews: It would be much faster to reach wrong conclusions if there were only one system to worry about.  That is not the way to go if there is really a concern about risk.  The multiple points of view encourage true understanding of the underlying risks.
  • Banks are natural oligopolies
  • Nice tree/forest story:  Small trees take resources from the forest.  Large trees shade smaller trees making it harder for them to get sunlight.  Old trees die and fall crashing through the forest taking out smaller trees.
  • Riskviews:  This story illustrates to me that there is too much worry and manipulation to try to fix short term issues.  Natural processes work fairly well.  But interference has allowed a few trees to grow so large that little else can grow, making the forest unhealthy.  Solution is to trim largest trees and plant/encourage new smaller trees.
  • Things that people say will never go wrong will go wrong.
  • Compliance should be the easy part of ERM, not the whole thing
  • Asking dumb questions should be seen as good for firm.  10th dumb question might reveal something that no one else saw.
  • There is a lack of imagination of adverse events.  US has cultural optimism.  Culture is risk seeking.
  • Swiss approach to regulating banks is for their banks to hold the most capital.  Credit Suisse has signaled that they will seek lower return on capital.  Using that as marketing advantage – they are the most secure banks.
  • 90% of Risk Management professionals believe that Dodd Frank will push the risks of the financial system out of regulated banks into unregulated financial enterprises. (Hedge Funds)
  • Trade-off between liquidity and transparency is not true
  • Requirements to post collateral may not increase costs at all for non-financial firms.  The dealers were charging them for the lack of collateral.  Prices may go down net of all costs.
  • Bear Stearns was well capitalized.
  • People understand and prefer principles based regulation.  But when trust is gone everything moves towards rules.
  • Riskviews:  MTM should be adjusted for illiquidity.  Much larger adjustment than being contemplated for illiquid insurance liabilities.  Need to compare position size to trading volume.  If position is much larger than trading volume then liquidity adjustment needs to reflect possible price movements during the time needed to liquidate.
  • Many CROs have been given the role of minimizing capital required for the firm.
  • Insurers are moving rapidly to the bank model for this.
  • The range of ERM practices is narrowing
  • Riskviews: Narrow range of practices is only a good thing if the next large risk event is cooperative with practices that everyone is using.  Diversity is much, much healthier.
  • Need to get rid of arb between trading and banking books in banks.
  • FSA wants the whole world on one standard
  • Riskviews: Solves one problem.  Creates another that is doubtless much, much larger.
  • Difficult to explain decisions when there are multiple accounting and regulatory systems.
  • Investors need to do their own due diligence
  • Counterparties are not your friends.
  • Supervisors need to learn to say no.
  • Caveat Emptor
  • Riskviews: Modern US society has moved in the opposite direction of Caveat Emptor.  It is always someone else’s fault.  Risk Management needs to overcome this tendency.
  • Businesses need to learn to say no to non-core activities, no matter how good they look.  They usually do not have the expertise to really examine them, nor to manage them.
  • A risk metric that makes you more effective makes you special.
  • Do we overtrade?
  • Reduction of ROE target would take off pressure to take excessive risks.
  • Regulators put 80% weight on model and 20% weight on judgment.  Should be the other way around.
  • We have shifted to being too focused on risk, need to balance business need for returns.
  • There will be unintended consequences from the major shifts in regulation.
  • Must not freeze in a crisis.  Need to act and act approximately correctly.
  • Moral Hazard was a major issue.  Some people should be put in jail because of the crisis.
  • Riskviews: The losses to bank executives and employees were enormous.  People look at salaries of remaining bankers, forgetting that there are now 10% to 20% fewer of them.  Shareholders of Citi are still off 90% from the peak.  Execs whose net worth was largely in stock holdings and stock options are still out quite a large amount of money.  Riskviews has trouble understanding the moral hazard argument.  It does not match up well with any facts except the bail outs.  Moral hazard ONLY seems to have impact on creditors of banks.  Not unimportant but not the largest driver in bank activities.
  • SIFI do get GSE level cost of borrowing.
  • Riskviews: My question is why it is good public policy for monetary policy to transfer so much money to the shareholders and employees of banks?  They have been able to operate at approximately zero cost of goods sold for four years now.  Their lending rates do not pass all of those savings along.  Why does it make sense for the banks to find themselves to be so smart and well paid when they are being totally supported by monetary policy?  In any other business you would have to be totally brain dead to not succeed if someone gave you your raw materials for free.
  • More market discipline is needed.
  • Riskviews:  AMEN
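The Riskviews note on mark-to-market above says that the illiquidity adjustment should compare position size to trading volume, and that when a position is much larger than the volume the adjustment has to reflect the price movement possible over the time needed to liquidate. The following is an added example, not code from the original post: it assumes a hypothetical participation-rate rule for how much of daily volume can be sold, square-root-of-time scaling of daily volatility over the liquidation horizon, and constructed positions and market data.

```python
"""Liquidity adjustment to mark-to-market based on position size vs trading volume.

Added example (not from the original post). It follows the comment above:
work out how many days it would take to liquidate a position without
dominating the market, then haircut the mark by the adverse price move
that could occur over that horizon. The participation rule, volatility
scaling, positions and market data are all constructed assumptions.
"""
import math


def days_to_liquidate(units, avg_daily_volume, participation=0.2):
    """Trading days needed if we sell at most `participation` of daily volume.

    A position that fits inside one day's capacity still needs one day.
    """
    if avg_daily_volume <= 0 or participation <= 0:
        raise ValueError("need positive daily volume and participation rate")
    return max(1, math.ceil(units / (participation * avg_daily_volume)))


def liquidity_haircut(daily_vol, days, z=1.645):
    """Fraction of value exposed to an adverse move over the liquidation horizon.

    Square-root-of-time scaling of daily volatility, one-sided at confidence z
    (1.645 is the 95% point of the normal distribution). Capped at 100%.
    """
    return min(1.0, z * daily_vol * math.sqrt(days))


def liquidity_adjusted_mark(position, participation=0.2, z=1.645):
    """Compare the plain MTM with the liquidity-adjusted value for one position."""
    days = days_to_liquidate(position["units"], position["adv"], participation)
    haircut = liquidity_haircut(position["daily_vol"], days, z)
    mtm = position["units"] * position["price"]
    return {
        "name": position["name"],
        "days_to_liquidate": days,
        "haircut": haircut,
        "mtm": mtm,
        "adjusted": mtm * (1.0 - haircut),
    }


# Constructed positions: same price and volatility, very different size vs volume.
POSITIONS = [
    {"name": "small_liquid", "units": 10_000,    "price": 50.0, "adv": 200_000, "daily_vol": 0.02},
    {"name": "large_block",  "units": 1_000_000, "price": 50.0, "adv": 200_000, "daily_vol": 0.02},
]


def review(positions=POSITIONS):
    """Liquidity-adjusted marks for a list of positions."""
    return [liquidity_adjusted_mark(p) for p in positions]


if __name__ == "__main__":
    for row in review():
        print(f"{row['name']:13s} {row['days_to_liquidate']:3d} days  "
              f"haircut {row['haircut']:.1%}  mtm {row['mtm']:,.0f}  "
              f"adjusted {row['adjusted']:,.0f}")
```

The two constructed positions have identical daily volatility; only their size relative to average daily volume differs. The small one clears in a day and takes a haircut of about 3%, while the block that needs 25 days to work out takes about 16%, which is the size-versus-volume effect the comment calls for.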

Risk Policy

March 14, 2011

by Jean-Pierre Berliet

A risk policy specifies which risks a company will be willing to assume and which risks it will not. The risk policy of an insurance company focuses on:

  • creating and protecting shareholders’ value from the volatility of its financial results, and
  • containing the impact of this volatility on the cost of its capital and thus also, the cost of its risk capacity

Since insurance contracts involve assumption of insurance and investment risks, risk policies of insurance companies must include distinct insurance and investment components.

Insurance risk policy

To develop its insurance risk policy, a company needs to take into account its ability to establish and sustain a competitive advantage by leveraging superior capabilities (e.g. underwriting expertise, claim management, risk management, etc.).  It must evaluate the attractiveness of individual insurance markets based on analysis and assessment of key factors that shape business strategy, including:

  • Market structure and characteristics (size in premium revenue, number of accounts, distribution of exposures by location, industry, etc.)
  • Revenue growth potential
  • Business acquisition and underwriting expenses
  • Changes in customer needs and value perceptions
  • Assessment of relative competitive positions
  • Loss frequency and severity, and expected loss ratio
  • Correlations with macro economic factors (e.g., inflation and GDP growth rates), and other markets served by the company.
  • Systemic insurance risk
  • Availability, cost and anticipated use of reinsurance

Insurance companies can use data available from public and private sources (e.g., brokers) to estimate the level and volatility of revenues and earnings associated with specific exposure types, i.e. to develop an “ex-ante” assessment of the risks it considers accumulating. The underlying loss distributions can then be used to develop estimates of i) capital intensity, ii)  the impact of the accumulation of specific exposures on the company’s risk profile, iii) the utilization of its risk capacity and iv) financial performance under alternative risk policies. In every situation, there is a need to verify that a company’s capital and earnings base are sufficient relative to limits written and the probable maximum loss of the portfolio to protect the company’s ratings and ensure the viability of the company as a going concern.

Investment risk policy

The investment risk policy needs to address the following two effects that investment value volatility might cause:

  • The absolute market value of invested assets to fall in a given time period, thereby reducing available capital and risk capacity
  • Changes in the market value of invested assets relative to the value of liabilities that increase the volatility of the company’s capital position, thereby also increasing the probability of downgrading, or of intervention by regulators in company management

These effects of investment value volatility are addressed through reinsurance and asset strategies that contain the volatility of net assets. Insurance companies determine the extent and manner in which these strategies can be optimized, and supplemented in certain cases by arrangement of back-up lines of credit, through analysis of the volatility of their cash flows, taking into consideration the execution of their strategy, the potential liquidity and value volatility of their invested assets and the payment patterns of their liabilities. Note that liabilities of insurance companies, unlike bank demand deposits and overnight funding, are a source of relatively stable funding. Many companies take investment positions that take advantage of this relative illiquidity to create value.

The objective of an investment risk policy is to guide management in ascertaining when, to what extent and how a company should deviate from investing in a portfolio that replicates its liabilities. Its investment risk policy, at a minimum, should specify:

  • Which asset classes are permissible, by type, rating class, liquidity, etc.
  • Which risk types may be assumed to enhance returns, given a company’s risk capacity (e.g. interest rate, credit, inflation, currency, beta, idiosyncratic, liquidity, etc.)
  • How much of the assets may be invested in alternative assets, including illiquid positions (e.g. venture capital, real estate, hedge funds, funds of funds, etc.)
  • Guidelines for diversification within and between asset classes
  • How much volatility in investment income and portfolio value is consistent with the respective solvency and value risk tolerances of the company’s stakeholders
  • Guidelines for using hedging strategies, and controlling counterparty risk

To develop this policy, a company needs to simulate the impact of alternative guidelines in relation to liabilities and the risk capital consumed, assess their contribution to economic objectives, and identify the range of acceptable asset allocations and strategies. Ultimately, the policy should provide a framework within which a company can determine how much of its return to seek through investment in risk-free instruments, or instruments that provide extra “market return” (beta) or even additional skill-based returns (alpha).

Revision of risk policy

Although it is widely recognized that an insurance company needs to develop its risk policy when it starts operating, there is no consensus on how often an established company needs to revise its risk policy.

Many insurance companies review their risk policy when they are contemplating an acquisition or entering a new business. Because such decisions can have a significant impact on their risk profile, companies often perform detailed pro-forma actuarial analyses to develop the risk insights they need before making a commitment. However, when no significant change in business portfolio is contemplated, insurance executives are often reluctant to invest time to revisit their company’s risk policy.

The recent crisis suggests, however, that there is hardly any activity of greater importance to the survival and success of insurance companies.

Jean-Pierre Berliet

(203) 247-6448

jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But what they are really struggling with is either a lack of clear objectives or unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is, totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin for model risk, either into the model or into the processes that use the model.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one that they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.