Archive for the ‘Risk Management System’ category

Risk Trajectory – Do you know which way your risk is headed?

July 25, 2016

Arrows

Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bare risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a businesses risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
  2. Your capacity to bare risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

 

The CRO is making a list and checking it twice

February 2, 2015

“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid too much writing things down.  And that is also true when it comes to risk management

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.

policy

But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document many list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

The ERM Pioneers and the Settlers – Let’s not have another range war!

January 24, 2015

Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successros.

How to Build and Use a Risk Register

December 18, 2014

From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

ERM: Who is Responsible?

November 7, 2014

Masks

The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

Too Much Risk

August 18, 2014

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

  1. Misunderstanding the risk involved in the choices made and to be made by the organization
  2. Misunderstanding the risk appetite of the organization
  3. Misunderstanding the risk taking capacity of the organization
  4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

  1. Understands the risks
  2. Articulates and understands the risk appetite
  3. Understands the aggregate and remaining risk capacity at all times
  4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Insurers need to adapt COSO/ISO Risk Management to achieve ERM

July 29, 2014

Both the COSO and ISO risk management frameworks describe many excellent practices.  However, in practice, insurers need to make two major changes from the typical COSO/ISO risk management process to achieve real ERM.

  1. RISK MEASUREMENT – Both COSO and ISO emphasize what RISKVIEWS calls the Risk Impressions approach to risk measurement.  That means asking people what their impression is of the frequency and severity of each risk.  Sometimes they get real fancy and also ask for an impression of Risk Velocity.  RISKVIEWS sees two problems with this for insurers.  First, impressions of risk are notoriously inaccurate.  People are just not very good at making subjective judgments about risk.  Second, the frequency/severity pair idea does not actually represent reality.  The idea properly applies to very specific incidents, not to risks, which are broad classes of incidents.  Each possible incident that makes up the class that we call a risk has a different frequency severity pair.   There is no single pair that represents the class.  Insurers risks are in one major way different from the risks of non-financial firms.  Insurers almost always buy and sell the risks that make up 80% or more of their risk profile.  That means that to make those transactions they should be making an estimate of the expected value of ALL of those frequency and severity pairs.  No insurance company that expects to survive for more than a year would consider setting its prices based upon something as lacking in reality testing as a single frequency and severity pair.  So an insurer should apply the same discipline to measuring its risks as it does to setting its prices.  After all, risk is the business that it is in.
  2. HIERARCHICAL RISK FOCUS – Neither COSO nor ISO demand that the risk manager run to their board or senior management and proudly expect them to sit still while the risk manager expounds upon the 200 risks in their risk register.  But a highly depressingly large number of COSO/ISO shops do exactly that.  Then they wonder why they never get a second chance in front of top management and the board.  However, neither COSO nor ISO provide strong enough guidance regarding the Hierarchical principal that is one of the key ideas of real ERM.    COSO and ISO both start with a bottoms up process for identifying risks.  That means that many people at various levels in the company get to make input into the risk identification process.  This is the fundamental way that COSO/ISO risk management ends up with risk registers of 200 risks.  COSO and ISO do not, however, offer much if any guidance regarding how to make that into something that can be used by top management and the board.  In RISKVIEWS experience, the 200 item list needs to be sorted into no more than 25 broad categories.  Then those categories need to be considered the Risks of the firm and the list of 200 items considered the Riskettes.  Top management should have a say in the development of that list.  It should be their chooses of names for the 25 Risks. The 25 Risks then need to be divided into three groups.  The top 5 to 7 Risks are the first rank risks that are the focus of discussions with the Board.    Those should be the Risks that are most likely to cause a financial or other major disruption to the firm.   Besides focusing on those first rank risks, the board should make sure that management is attending to all of the 25 risks.  The remaining 18 to 20 Risks then can be divided into two ranks.  The Top management should then focus on the first and second rank risks.  And they should make sure that the risk owners are attending to the third rank risks.  Top management, usually through a risk committee, needs to regularly look at these risk assignments and promote and demote risks as the company’s exposure and the risk environment changes.  Now, if you are a risk manager who has recently spent a year or more constructing the list of the 200 Riskettes, you are doubtless wondering what use would be made of all that hard work.  Under the Hierarchical principle of ERM, the process described above is repeated down the org chart.  The risk committee will appoint a risk owner for each of the 25 Risks and that risk owner will work with their list of Riskettes.  If their Riskette list is longer than 10, they might want to create a priority structure, ranking the risks as is done for the board and top management.  But if the initial risk register was done properly, then the Riskettes will be separate because there is something about them that requires something different in their monitoring or their risk treatment.  So the risk register and Riskettes will be an valuable and actionable way to organize their responsibilities as risk owner.  Even if it is never again shown to the Top management and the board.

These two ideas do not contradict the main thrust of COSO and ISO but they do represent a major adjustment in approach for insurance company risk managers who have been going to COSO or ISO for guidance.  It would be best if those risk managers knew in advance about these two differences from the COSO/ISO approach that is applied in non-financial firms.


%d bloggers like this: