Archive for the ‘Risk Management’ category

Determining Risk Capital

February 5, 2022

Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).

With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.

Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.

To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.

Types of Risk Models

There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.

Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.

Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.

Some methods may fit a particular situation, company, or philosophy of risk better than others.

Factor-Based Models

Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.

The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.

Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.

The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as is A.M. Best’s BCAR score and S&P’s Insurance Capital Model.

Stress Test Models

Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:

  1. Worst company results experienced in last 20 years
  2. Worst results observed across peer group in last 20 years
  3. Worst results across peer group in last 50 years (or, 20% worse than stage 2)
  4. Magnitude of stress-to-failure

Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.

High-Level Stochastic Models

Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.

Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.

A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.

Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.
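As an added illustration (not code from the original post), the Python example below goes slightly beyond this section: it computes a factor-based figure and then runs a high-level stochastic model over the same four risk sources, reporting the Value at Risk, Tail Value at Risk and Probability of Ruin metrics this post names. All exposures, charges, volatilities and correlations are constructed, and the shifted-lognormal marginals and Gaussian copula are assumptions chosen for the example.

```python
import math
import random

# Constructed inputs (not from the article): per risk source,
# (exposure, factor-model capital charge, assumed loss volatility).
RISKS = {
    "underwriting": (400.0, 0.25, 0.12),
    "reserve":      (600.0, 0.15, 0.07),
    "asset":        (1000.0, 0.10, 0.05),
    "credit":       (200.0, 0.05, 0.03),
}
# Assumed correlations between the sources, in the same order as RISKS.
CORR = [
    [1.00, 0.50, 0.25, 0.25],
    [0.50, 1.00, 0.25, 0.25],
    [0.25, 0.25, 1.00, 0.50],
    [0.25, 0.25, 0.50, 1.00],
]


def factor_based_capital(risks):
    """Factor-based model: sum of exposure x riskiness over the categories."""
    return sum(exposure * charge for exposure, charge, _ in risks.values())


def cholesky(m):
    """Lower-triangular L with L * L^T == m (m must be positive definite)."""
    n = len(m)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = m[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("correlation matrix is not positive definite")
                low[i][j] = math.sqrt(s)
            else:
                low[i][j] = s / low[j][j]
    return low


def simulate(risks, corr, n_sims=20000, seed=2022):
    """Return (aggregate, per_source) unexpected-loss scenarios.

    Each source follows a mean-zero shifted lognormal (right-skewed losses);
    interdependency is modeled with a Gaussian copula built from corr.
    """
    rng = random.Random(seed)          # fixed seed keeps runs reproducible
    low = cholesky(corr)
    params = list(risks.values())
    per_source = [[] for _ in params]
    aggregate = []
    for _ in range(n_sims):
        z = [rng.gauss(0.0, 1.0) for _ in params]
        total = 0.0
        for i, (exposure, _, vol) in enumerate(params):
            zc = sum(low[i][k] * z[k] for k in range(i + 1))  # correlated normal
            loss = exposure * (math.exp(vol * zc - 0.5 * vol * vol) - 1.0)
            per_source[i].append(loss)
            total += loss
        aggregate.append(total)
    return aggregate, per_source


def _tail_index(n, level):
    return min(n - 1, int(level * n))


def value_at_risk(losses, level):
    """Empirical quantile of the loss distribution at the given level."""
    ordered = sorted(losses)
    return ordered[_tail_index(len(ordered), level)]


def tail_value_at_risk(losses, level):
    """Average loss in the scenarios at or beyond the VaR quantile."""
    ordered = sorted(losses)
    tail = ordered[_tail_index(len(ordered), level):]
    return sum(tail) / len(tail)


def probability_of_ruin(losses, capital):
    """Share of scenarios in which the loss exceeds the capital held."""
    return sum(1 for x in losses if x > capital) / len(losses)


if __name__ == "__main__":
    agg, per_source = simulate(RISKS, CORR)
    factor = factor_based_capital(RISKS)
    standalone = sum(value_at_risk(s, 0.995) for s in per_source)
    print(f"factor-based capital:         {factor:8.1f}")
    print(f"sum of standalone 99.5% VaR:  {standalone:8.1f}")
    print(f"aggregate 99.5% VaR:          {value_at_risk(agg, 0.995):8.1f}")
    print(f"aggregate 99.5% TVaR:         {tail_value_at_risk(agg, 0.995):8.1f}")
    print(f"P(ruin) holding factor total: {probability_of_ruin(agg, factor):8.4f}")
```

The gap between the sum of standalone VaRs and the aggregate VaR is the diversification credit that the correlation assumptions produce, which is why the interdependency question matters so much to the final capital number.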

Detailed Stochastic Models

Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.

Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.

Multi-Year Strategic Models with Active Management

In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.

And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.

For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.

Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.

Key Questions and Decisions

Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:

  • What are the issues to be aware of when creating or refining our model?
  • What software offers the most appropriate platform?
  • What data will we need to collect?
  • What design choices must we make, and which selections are most appropriate for us?
  • How best can we aggregate risk from different sources and deal with interdependency?
  • There are so many risk metrics that can be used to determine risk capital – Value at Risk, Tail Value at Risk, Probability of Ruin, etc. – what are their implications, and how can we choose among them?
  • How should this coordinate with catastrophe modeling?
  • Will our model actually help us to answer the questions most important to our firm?
  • What are best practices for validating our model?
  • How should we allocate risk capital to business units, lines of business, and/or insurance policies?
  • How should we think about the results produced by our model in the context of rating agency capital benchmarks?
  • Introducing a risk capital model may create management issues – how can we anticipate and deal with these?

In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?

Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?

Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?

The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.


Risk Management Roles

October 18, 2021

Larger organizations with mature ERM programs tend to have evolved a short list of major risk-management-specific roles, many of which are part-time additions to already full-time positions, while some are full-time, risk-management-only roles. Smaller organizations tend to need an ERM operation with all part-timers. We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO role differs from organization to organization, but CROs generally have some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often, to the Chief Financial Officer. Alternatively, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary.

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for Value Added ERM and plays a major part in its implementation, as well as in explaining the idea and the results to stakeholders. A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation. The CRO may be responsible for performing analysis of risk-adjusted plan proposals and for acting as a resource to business units for developing risk-adjusted proposals. As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework. There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. Intelligent ERM above); and to direct the application of resources for ERM activities that are outside of the risk management department.

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization. This is a difficult and often tentative process the first time, mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization. Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances becomes a much more routine exercise.

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board. These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department. The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO. The new responsibilities and authorities of the CRO are often completely new activities for an organization, or they may include carving some responsibilities and authorities out of existing positions. The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions. The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk.

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management. That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks. However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role. On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area. Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas. Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers. In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks. The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible for making a periodic report on the status of their risk and Risk Management to the governing Board. This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between the compliance role and the advisory role of the risk management department. Compliance is the natural role of Internal Audit, and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role’s scope. That question is whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or whether it should also have a role reviewing the ERM Framework itself. To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO.

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual. While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.

For the CRO and the ERM program to be effective, the organization needs clarity on the aspects of risk management for which the CEO is directly delegating his or her authority to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners. Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].


[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,

[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001

[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)

Three Parts to Insurer ERM programs

September 15, 2021

Enterprise Risk Management practice is different at different insurers. Partly that is driven by the different cultures and missions of insurers. For the most part, those differences can be seen to be driven by the choices that management makes of whether to emphasize one, two or all three of the following three parts of insurer ERM.

1. Individual risk management

Insurers practiced risk management long before they adopted enterprise risk management. With individual risk management (IRM), the insurer enables the organization to raise the risk management activities relating to all of the key risks of the organization up to a high and effective level of practice.

IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.

The result of an IRM function will be a transparent and disciplined approach to all of an organization’s key risks. This is often called a bottom-up risk management process as well. ERM standards such as COSO and ISO31000 promote an individual enterprise risk management process.

2. Aggregate risk management

Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.

ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or a series of risk models to evaluate the amount of aggregate capital needed to provide security for the risk exposure and an aggregate risk appetite and tolerance to help articulate the company’s expectations for capital levels in aggregate control processes.

Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks that are retained by the insurer with the capital it holds.

3. Risk reward management

One of the primary requirements of the model(s) used to evaluate aggregate risk is that they need to be as consistent as possible in their assessments. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: first, regarding which are responsible for the largest parts of its risk profile, and second, regarding the differences in reward for the risk taken.

With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.

Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms – primarily banks and insurers – tend to have risk profiles where the majority of their risks have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods, such as insurance, market and credit risks. Those risks frequently make up 75% or more of an insurer’s risk profile.

Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms’ risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main drivers of the limited focus of some ERM literature, which often may not even mention aggregate risk management or risk reward management.

Regulatory requirements for insurer ERM usually include aggregate risk management and some rating agencies (Standard & Poor’s – but not A.M. Best) are expecting insurers to have risk reward management as well. We have also noted some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.

Monitoring COVID Mitigation Compliance

July 28, 2020


Many discussions of COVID-19 mitigation revolve around the requirements and recommendations that are made by the government.

The CDC suggests answering this question:

  • To what extent do individuals and organizations practice community mitigation strategies?

We will seek to answer that question via a questionnaire.  Right now, we have piloted that questionnaire twice with about 30 people providing observations.

[Figure: states with observations, by Level and Rate]

We have observations from people in the above states, which provide diverse situations regarding their COVID situation. (Here Level refers to the number of new cases per 100k from the past 14 days and Rate refers to the New Infection Rate which is the new infections from the current day as a percentage of the infections for the prior 14 days.)

Pilot Project Findings – not credible amount of data

[Figure: average compliance by state]

The above reflects the average compliance over 36 mitigation strategies.  This is a Pilot, so we are not concerning ourselves about numbers of observations but we recognize that these are not sufficient to draw any conclusions about the actual level of compliance.  Of those 36 strategies, the top 10 are:

Pilot Project Findings – not credible amount of data

[Figure: top 10 mitigation strategies]

We welcome additional observers.  We will be continuing the Pilot Project and working on getting funding to turn this into a full scale research project.

To contribute your observations follow this LINK.  We welcome both additional observers for the states above as well as observers from states where we have not yet received any observations.

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference between the beliefs that are taught in MBA and Finance programs and the beliefs about risk that underpin ERM makes it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of how three different aspects of decision-making as practiced by top management of companies, and the decision-making processes that are taught to quants, can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow ups have happened.  Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll-up-your-sleeves-and-do-it risk management.  Promoting that sort of Risk Management is the objective of this Blog.

What is the definition of RISK?

July 8, 2013

The word risk is a common English word with a definition that has been well established for hundreds of years.  There is no need for risk managers to redefine the word to mean something else.  In fact, redefining a word so that its meaning would incorporate the exact opposite of the common definition is a process that George Orwell called DOUBLETHINK.

Imagine what you would think if you hired someone to paint your house and when they showed up they told you that in their minds the word “paint” meant repaving your driveway in addition to applying a colored covering to your house?  Sounds crazy, doesn’t it?  But there are many, many risk managers who will heatedly argue about this point.  For example, see The ISO 31000 group discussion here.

The Definition of risk

noun

a situation involving exposure to danger: flouting the law was too much of a risk; all outdoor activities carry an element of risk

[in singular] the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease; [as modifier]: a high consumption of caffeine was suggested as a risk factor for loss of bone mass

[usually in singular with adjective] a person or thing regarded as likely to turn out well or badly, as specified, in a particular context or respect: Western banks regarded Romania as a good risk

[with adjective] a person or thing regarded as a threat or likely source of danger: she’s a security risk; gloss paint can burn strongly and pose a fire risk

(usually risks) a possibility of harm or damage against which something is insured.

the possibility of financial loss: [as modifier]: project finance is essentially an exercise in risk management

verb

[with object]

expose (someone or something valued) to danger, harm, or loss: he risked his life to save his dog

act or fail to act in such a way as to bring about the possibility of (an unpleasant or unwelcome event): unless you’re dealing with pure alcohol you’re risking contamination from benzene

incur the chance of unfortunate consequences by engaging in (an action): he was far too intelligent to risk attempting to deceive her

Phrases

at risk

exposed to harm or danger: 23 million people in Africa are at risk from starvation

at one’s (own) risk

used to indicate that if harm befalls a person or their possessions through their actions, it is their own responsibility: they undertook the adventure at their own risk

at the risk of doing something

although there is the possibility of something unpleasant resulting: at the risk of boring people to tears, I repeat the most important rule in painting

at risk to oneself (or something)

with the possibility of endangering oneself or something: he visited prisons at considerable risk to his health

risk one’s neck

put one’s life in danger.

run the risk (or run risks)

expose oneself to the possibility of something unpleasant occurring: she preferred not to run the risk of encountering his sister

Origin:

mid 17th century: from French risque (noun), risquer (verb), from Italian risco ‘danger’ and rischiare ‘run into danger’

from Oxford dictionary of American English

Redefining the word risk to include its opposite (i.e. gain) is a perfect example of what Orwell called DOUBLETHINK.

DOUBLETHINK:  The power of holding two contradictory beliefs in one’s mind simultaneously, and accepting both of them… To tell deliberate lies while genuinely believing in them, to forget any fact that has become inconvenient, and then, when it becomes necessary again, to draw it back from oblivion for just as long as it is needed, to deny the existence of objective reality and all the while to take account of the reality which one denies – all this is indispensably necessary. Even in using the word doublethink it is necessary to exercise doublethink. For by using the word one admits that one is tampering with reality; by a fresh act of doublethink one erases this knowledge; and so on indefinitely, with the lie always one leap ahead of the truth.  From 1984 George Orwell (1949)

Controlling with a Cycle

April 3, 2013

[Image: Helsinki city bikes]

No, not that kind of cycle… This kind:

[Image: Cycle]

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers.

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  The firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

Mitigating “Margin Call” risks

October 27, 2011

New movie about 24 hours in the life of a troubled bank at the height of the financial crisis, Margin Call.

Read a review from the point of view of a risk manager here.

Actuarial Risk Management Volunteer Opportunity

August 11, 2011

Actuarial Review of Enterprise Risk Management Practices –

A Working Group formed by The Enterprise and Financial Risks Committee of the IAA has started working on a white paper to be titled: “Actuarial Review of Enterprise Risk Management Practices”.  We are seeking volunteers to assist with writing, editing and research.

This project would set out a systematic process for actuaries to use when evaluating risk management practices.  Actuaries in Australia are now called to certify risk management practices of insurers, and the initial reaction of some actuaries was that they were somewhat unprepared to do that.  This project would produce a document that could be used by actuaries and could be the basis for actuaries to propose to take on a similar role in other parts of the world.  Recent events have shown that otherwise comparable businesses can differ greatly in the effectiveness of their risk management practices. Many of these differences appear to be qualitative in character and centered on management processes. Actuaries can take a role to offer opinion on process quality and on possible avenues for improvement. More specifically, recent events seem likely to increase emphasis on what the supervisory community calls Pillar 2 of prudential supervision – the review of risk and solvency governance. In Solvency II in Europe, a hot topic is the envisaged requirement for an ‘Own Risk and Solvency Assessment’ by firms and many are keen to see actuaries have a significant role in advising on this. The International Association of Insurance Supervisors has taken up the ORSA requirement as an Insurance Core Principle and encourages all regulators to adopt it as part of their regulatory structure.  It seems an opportune time to pool knowledge.

The plan is to write the paper over the next six months and to spend another six months on comment & exposure prior to finalization.  If we get enough volunteers the workload for each will be small.   This project is being performed on a wiki which allows many people to contribute from all over the world.  Each volunteer can make as large or as small a contribution as their experience and energy allows.  People with low experience but high energy are welcome as well as people with high experience.

A similar working group recently completed a white paper titled the CARE report.  http://www.actuaries.org/CTTEES_FINRISKS/Documents/CARE_EN.pdf  You can see what the product of this sort of effort looks like.

Further information is available from Mei Dong, or David Ingram

==============================================================

David Ingram, CERA, FRM, PRM
+1 212 915 8039
(daveingram@optonline.net )

FROM 2009

ERM BOOKS – Ongoing Project – Volunteers still needed

A small amount of development work has been done to create the framework for a global resource for ERM Readings and References.

http://ermbooks.wordpress.com

Volunteers are needed to help to make this into a real resource.  Over 200 books, articles and papers have been identified as possible resources ( http://ermbooks.wordpress.com/lists-of-books/ )
Posts to this website give a one paragraph summary of a resource and identify it within several classification categories.  15 examples of posts with descriptions and categorizations can be found on the site.
Volunteers are needed to (a) identify additional resources and (b) write 1 paragraph descriptions and identify classifications.
If possible, we are hoping that this site will ultimately contain information on the reading materials for all of the global CERA educational programs.  So help from students and/or people who are developing CERA reading lists is solicited.
Participants will be given author access to the ermbooks site.  Registration with wordpress at www.wordpress.com is needed prior to getting that access.
Please contact Dave Ingram if you are interested in helping with this project.


Keeping up with Old ERM Programs – 10 Investor Questions (7)

August 8, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

One of the most difficult things to accomplish in any organization is continuing to do well the things that were well developed in the past but that are no longer on the “front burner”.

Top management needs to limit attention to the most pressing problems.  So an existing program that is working well is just not likely to get much, if any, top management attention.  Continuing to get it right for the old tried and true parts of the organization is however of vital importance to the success of the organization.

Therefore Middle Management needs to be the keeper of these programs.  In some organizations, this actually puts them at odds with top management priorities. Some Middle Managers, the lifers who are more loyal to the organization than to the current top management, will manage to do this under almost all circumstances, risking even their own positions to keep these vital programs going.  Other Middle Managers will feel that they are more loyal to the current management who put them in their positions.  They will reduce resources and even Middle Management attention to these old programs.

So far, this discussion could be about anything.  It does apply to risk management along with many other programs.  Old risk management programs are the base that new Enterprise Risk Management programs are built upon.  The old risk management programs are usually what creates the actual risk level of the firm that ERM then tries to manipulate.  However, if the firm brings in too many new risk managers who do not understand the importance of the old risk management programs, then they are likely to let them wither.

This is a major factor that causes the presumptions of the ERM program to be untrue or unstable.

The trick to this question is that the answer will tell you whether the CEO is aware of any of this dynamic.  CEOs can be temporarily very successful by shifting all management attention to new products, or markets or programs, such as ERM.  For some period of time, the old risk management programs will continue to operate without any management attention, giving the firm a short free ride.  Eventually, those programs will wither away and the company will start to be hurt because of the failure of these old programs, which had an unrecognized, but very real benefit.

A clear example of this is the area of Credit Risk underwriting.  Ten to fifteen years ago, every major financial institution had large credit underwriting staffs and a very carefully administered system for reviewing and coming to an agreement on credit quality of each opportunity for a loan or other extension of credit.  But with the development of trading desks, credit underwriting lost the attention of management.  Eventually, it simply stopped happening in many institutions.  Credit shifted to the trading paradigm.  However, the credit underwriting had a purpose and when it stopped happening, the presumption that credit positions had certain characteristics slowly had less and less meaning.  Until at the height of the credit crisis, a large number of institutions all believed, and acted on the belief, that very low credit quality positions in sub prime mortgages were actually of the very highest quality.  A small amount of work by an experienced credit underwriting team would have shown that presumption to be totally untrue.  (One firm that didn’t do credit underwriting, but did believe in reality checks, sent their traders to spend some time each quarter applying for mortgages in the hottest markets.  Those traders wouldn’t touch any mortgage related exposure.)

So the best answer to this question would be for the CEO to understand the old risk management programs that create the presumptions that their visions for the future are based upon.  And to hear that the CEO values those programs.  As to how the firm keeps those programs going, the fact that the CEO can say the above two statements is probably enough in most firms.  As long as they do not undermine their words by cutting off funding to those old programs.

For extra credit, see if the CEO can actually list these old programs.

10 ERM Questions from an Investor – The Answer Key (1)

July 4, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

1.  The first step in real risk management is to be able to think of the firm from a risk point of view.  Any CEO can do that from a sales point of view and from a profits point of view.  They know that 40% of the revenues come from the pumpkin business in South Florida and 25% of the profits from the Frozen Beet Juice Pops product line.  Those statistics are a part of the sales profile and the profits profile.  A first step to having a real ERM system is for the CEO to have an equal command of the Risk Profile.  Any firm where the CEO does not have an equal command of risk as they do for sales does not have ERM yet.  So this question is first and most important.  The CEOs who are most likely to be unable to answer this question are the leaders of larger more complex companies.  The investor needs to make sure that top management of those firms has actual command of all of the key issues regarding the firm and its business.  Risk really is a key issue.  A vague or slow answer to this question indicates that Risk has not really been an issue that the CEO has attended to.  That may work out fine for the company and the investors.  If they are lucky.

The Cost of Risk Management

May 19, 2011

PNC Chairman and Chief Executive Officer James E. Rohr is quoted in the Baltimore Sun as saying that Dodd Frank would raise costs and that those costs would ultimately be passed along to the customers.

Now Riskviews is not trying to suggest that Dodd Frank is necessarily good risk management.

But risk management, like regulation, usually has a definite cost and indefinite benefits.

The opponents of Dodd Frank, like the opponents of risk management, will always point to those sure costs as a reason not to do regulations or risk management.

But with Dodd Frank, looking backwards, it is quite easy to imagine that more regulation of banks could have a pennies to millions cost – benefit relationship.  The cost of over light regulation of the banks was in the trillions in terms of the losses in the banks plus the bailout costs to the government PLUS the costs to the economy.  Everyone who has lost a job or lost profits or lost bonuses or who will ultimately pay for the government deficit that resulted from the decreased economic activity has paid or will pay the cost of underregulated banks.

The same sort of argument can be made for risk management.  The cost of good risk management is usually an increase to costs or a decrease to revenues in good times.  This is offset by a reduction to losses that might have been incurred in bad times.  This is a view that is REQUIRED by our accounting systems.  A hedge position MUST be reported as something with lower revenues than an unhedged position.  Lack of Risk Management is REQUIRED to be reported as superior to good risk management except when a loss occurs.

Unless and until someone agrees to a basis for reporting risk adjusted financials, this will be the case.

Someone who builds a factory on cheap land by the river that floods occasionally but who does not insure their factory MUST report higher profits than the firm next door that buys expensive flood insurance, except in the year that the flood occurs.

A firm that operates in a highly regulated industry may look less profitable than a firm that is able to operate without regulation AND that is able to shed most of their extreme losses to the government or to third parties.

Someone always bears those risk costs.  But it is a shame when someone like Rohr tries to make it look as if the costs of regulation are the only possible costs.

What’s Next?

March 25, 2011

Turbulent Times are Next.

At BusinessInsider.com, a feature from Guillermo Felices tells of 8 shocks that are about to slam the global economy.

#1 Higher Food Prices in Emerging Markets

#2 Higher Interest Rates and Tighter Money in Emerging Markets

#3 Political Crises in the Middle East

#4 Surging Oil Prices

#5 An Increase in Interest Rates in Developed Markets

#6 The End of QE2

#7 Fiscal Cuts and Sovereign Debt Crises

#8 The Japanese Disaster

How should ideas like these impact on ERM systems?  Is it at all reasonable to say that they should not? Definitely not.

These potential shocks illustrate the need for the ERM system to be reflexive.  The system needs to react to changes in the risk environment.  That would mean that it needs to reflect differences in the risk environment in three possible ways:

  1. In the calibration of the risk model.  Model assumptions can be adjusted to reflect the potential near term impact of the shocks.  Some of the shocks are certain and could be thought to impact on expected economic activity (Japanese disaster) but have a range of possible consequences (changing volatility).  Other shocks, which are much less certain (end of QE2 – because there could still be a QE3) may be difficult to work into model assumptions.
  2. With Stress and Scenario Tests – each of these shocks as well as combinations of the shocks could be stress or scenario tests.  Riskviews suggests that developing a handful of fully developed scenarios with 3 or more of these shocks in each would be the most useful.
  3. In the choices of Risk Appetite.  The information and stress/scenario tests should lead to a serious reexamination of risk appetite.  There are several reasonable reactions – to simply reduce risk appetite in total, to selectively reduce risk appetite, to increase efforts to diversify risks, or to plan to aggressively take on more risk as some risks are found to have much higher reward.

The last strategy mentioned above (aggressively take on more risk) might not be thought of by most to be a risk management strategy.  But think of it this way, the strategy could be stated as an increase in the minimum target reward for risk.  Since things are expected to be riskier, the firm decides that it must get paid more for risk taking, staying away from lower paid risks.  This actually makes quite a bit MORE sense than taking the same risks, expecting the same reward for risks and just taking less risk, which might be the most common strategy selected.

The final consideration is compensation.  How should the firm be paying people for their performance in a riskier environment?  How should the increase in market risk premium be treated?

See Risk adjusted performance measures for starters.

More discussion on a future post.

Infrastructure Risk – Too High

March 23, 2011

The American Society of Civil Engineers has produced a report card on the state of the infrastructure in the US.

The good news is that the richest country in the world did not flunk.

The bad news is that the overall average grade is a D.

Now Warren Buffett reminds us that you shouldn’t expect an unbiased answer if you ask a barber whether you need a haircut.  And in this case, the civil engineers would benefit significantly from an increase of attention to infrastructure.

But let’s look at the sorts of suggestions that they make.  Many of them can be generalized to other areas of risk. (Paraphrased by Riskviews)

  • Encourage risk reduction/management programs
  • Use the best of current science rather than continuing to follow science from many years ago
  • Develop emergency action plans
  • Develop maintenance standards
  • Establish a plan to fund needed improvements in risk management
  • Evaluate specific impact of failure to improve risk management
  • Educate stakeholders regarding above
  • Establish a regular review process

In the case of infrastructure, there is a recognized lifespan of the systems and a continual deterioration expected.

Risk systems in general are not thought of as wasting assets, but perhaps that is simply because risk management is so new.

Perhaps even the firms that have achieved the point of a full and integrated set of risk management systems should think of the useful life of those systems.

“The principal reason we have train crashes is a lack of investment in rail infrastructure – and the reason we have systemic crises is a lack of investment in financial infrastructure.”  Hugo Bänziger, in the FT

The money will always be there to keep funding innovations in the way that risk is added to a firm.

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But what they really are struggling with is either a lack of clear objectives or unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the assumptions of the model are under the control of the risk manager, that is totally under the risk manager’s control, then the risk manager would be prudent to incorporate significant amounts of margin either into the model or into the processes that use the model for model risk.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to have the position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals but which one they will be judged upon is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

COSO & ISO 31000 & ERM for Insurers

February 23, 2011

Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM.  What is most commonly seen is that COSO-based ERM systems have a few characteristics in common:

  • They usually take at least a year to implement phase 1.  By the end of that year, no actual improvements or changes to actual risk treatment activities take place.  The most common product of that year’s efforts is a risk register.
  • The risk register usually contains at least 100 risks.  Many of these systems have closer to 200 risks identified.
  • Top management is completely baffled about why they need to spend their time paying any attention to such activity.  If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.

The COSO process seems to be totally a Loss Controlling approach to ERM.  This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach.    That is another way of saying that COSO does not fit well with insurance company management approaches.

ISO 31000 is a new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years.  The following post gives a discussion of the differences between the two.

Norman Marks quotes Grant Purdy on the ways that ISO 31000 is superior to COSO.

ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach.  It seems to seek to be in the Risk Steering camp.  Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.

Riskviews’ main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.

ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System.  Sadly, this is not a joke.  Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.

That is a major problem with detailed prescriptive systems like ISO 31000.  While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.

In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and make the right moves so that exposures to those risks are of the size that they would choose.  Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.

And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.

Why ORSA?

January 20, 2011

At first glance, the Own Risk and Solvency Assessment (ORSA) seems like an unnecessary redundancy.  For some firms, they will have looked at the Standard formula for capital adequacy and then looked again at the Internal Model and the Economic Capital.  And on all of those views, the firm has sufficient solvency margin.

But the problem that ORSA solves is a problem that is so very fundamental that we have almost completely forgotten that it exists.  That problem is that all of the traditional ways of looking at capital adequacy look at the wrong thing.  Yes, you heard that right, we have always and will continue to focus on the wrong thing when we assess capital adequacy.

The basis for capital assessment is the wrong view because it looks backwards.  We already know that the firm survived the past year.  What we really need to know is whether the firm can survive the next year and probably the one after that.

The traditional backwards looking solvency assessment tradition started when there was no viable alternative.  It is a good basis for looking at solvency under only a few possible futures.  Fortunately, many firms broadly operate within the range of futures.

For the backwards looking approach to solvency to have any validity, the future of the firm needs to be very much like the past of the firm.  Firms need capital more for the future than for the past and the balance sheet is more about the past of the firm than the future.  So a capital regime that is tied to the balance sheet is useful only to the firms whose future does not materially change their balance sheet.

But wait, the only time when that capital is needed is when the balance sheet DOES change materially.

So ORSA shifts the question of solvency from the past to the future.

The second thing that ORSA does is to shift the burden of determining adequacy of capital from the regulator to the board and management.  With the ORSA, the board and management will never again have the excuse that they thought everything was fine because they met the standards of the regulators.  The ORSA requires the board and management to assert, IN THEIR OWN OPINION, that the firm has sufficient capital for its own risks AND its own risk management systems.  Prior regimes allowed management to pass a test set by the regulator and thereby show adequacy of capital.  Even if the test did not pick up on some new risk that management was totally aware of but which was not at all recognized by the regulatory formula.

Now that is a game changer.

Risk Organization

December 5, 2010

Some say that in a perfect world, there is no need for a separate Risk Organization.   But that is probably not true.

Think about the Hierarchy of Corporate Needs:

Hierarchy of Corporate Needs

  • Sales
  • Profits
  • Security
  • Growth of Value

Most successful larger organizations have a separate Sales department.  There certainly are firms that go around saying that “Sales are everyone’s job”, but they invariably have people whose only job is Sales.

Move along to Profits and the picture shifts somewhat.  Often there is one department that has responsibility for pricing, another for assisting with managing expenses and the largest component is the folks who are responsible for tracking profits – the accounting department.  Again, many firms also say that “Profits is everyone’s job”, but they do assign many people to jobs that deal primarily with Profits.

So, that brings us to Security, which is the flip side of Risk.  Security needs a parallel structure to what you find for Profits. The system of work assignments for Profits has evolved over many years.

Many firms have set out to create a Risk system on a much, much shorter time frame.  One approach would be to say that since Losses are the opposite of Profits, then assign the responsibility for Security to the same people who have that responsibility for Profits. But what is likely to happen there is that attention to Profits will most often trump attention to Risk.  That is natural, since Profits are higher up the Hierarchy of Corporate Needs than Risk. In addition, measuring Profits is most often done in arrears and Risk can best be managed when measured in advance.  In fact, when responsibility for Risk is given to the folks who are experienced in managing Profits, they often make the mistake of trying to manage Risk by looking backwards.

So certainly to get started, and probably for the foreseeable future, Risk will need its own organization.

Risk Organizations will often include Risk Committees, sometimes more than one.  The committee roles will include High level decision making (Steering), Technical Leadership, and Execution.

One of the most important aspects of a Risk organization is the assignment of responsibility for Risk.   In many firms it is best to assign responsibility to a Line manager that controls the business that creates the risk.  The person with responsibility should be a person who does periodically stand before the board.  They should be asked to say to the board regularly where things stand with respect to managing their Risk.

As with Profits, there is a need for an independent role of Risk measurement.  Usually that role is given responsibility for both prospective measurement of Risk exposures as well as the analysis of losses.

When people talk about independence for Risk, the place where that is really needed is between the responsibility for managing Risk and the responsibility for measuring Risk and assessing losses.  The same way that is done for Profits. No one would consider assigning Profit management to the folks who measure Profits.

It’s All Relative

November 7, 2010

Another way to differentiate risks and loss situations is to distinguish between systematic losses and losses where your firm ends up in the bottom quartile of worst losses.

You can get to that by way of having a higher concentration of a risk exposure than your peers.  Or else you can lose more in proportion to your exposure than your peers.

The reason it can be important to distinguish these situations is that there is some forgiveness from the market, from your customers and from your distributors if you lose money when everyone else is losing it.  But there is little sympathy for the firm that manages to lose much more than everyone else.

And worst of all is to lose money when no one else is losing it.

So perhaps you might want to go through each of your largest risk exposures and imagine how any of these three scenarios might hit you.

  • One company had a loss of 50% of capital during the credit crunch of the early 1990’s.  Their largest credit exposure was over 50% of capital and it went south.  Average recoveries were 60% to 80% in those days, but this default had a 10% recovery.  That 60% to 80% was an average, not a guaranteed recovery amount.  Most companies lost less than 5% of capital in that year.
  • Another company lost well over 25% of capital during the dot com bust.  They had concentrated in variable annuities.  No fancy guarantees, just guaranteed death benefits.  But their clientele was several years older than their average competitors.  And the difference in mortality rate was enough that they had losses that were much larger than their competitors, who were also not so concentrated in variable annuities.
  • Explaining their claims for Hurricane Katrina that were about 50% higher as a percent of their expected total claims, one insurer found that they had failed to reinsure a large commercial customer whose total loss from the hurricane made up almost 75% of the excess.  Had they followed their own retention rules on that one case, that excess would have been reduced by half.

So go over your risks.  Create scenarios for each major risk category that might send your losses far over the rest of the pack.  Then look for what needs to be done to prevent those extraordinary losses.

Risk Management Learns from Sun Tzu

October 10, 2010

Usually risk managers do not think of themselves as being at war.  But a risk manager is facing a number of foes.  And failure to succeed against those foes can result in the end of the enterprise.  So maybe the risk manager can learn from The Art of War.

Sun Tzu’s The Art of War has 11 chapters.  Each of these topics can be seen to have a lesson for risk managers.

  1. Laying Plans explores the five fundamental factors that define a successful outcome (the Way, seasons, terrain, leadership, and management). By thinking, assessing and comparing these points you can calculate a victory; deviation from them will ensure failure. Remember that war is a very grave matter of state.  The risk manager of course needs plans.  Remember that risk management is a grave matter for the enterprise.
  2. Waging War explains how to understand the economy of war and how success requires making the winning play, which in turn, requires limiting the cost of competition and conflict.  Risk management does not run on an unlimited budget.  In some cases risk managers have not completed their preparations because they have gone forward as if they could spend whatever it took to fulfill their vision for risk management.  Of course risk management spending needs to be at a sensible level for the enterprise.  Excessive risk management spending can harm an enterprise just as much as an unexpected loss.
  3. Attack by Stratagem defines the source of strength as unity, not size, and the five ingredients that you need to succeed in any war.  The risk manager succeeds best if they are able to get the entire organization to support the risk management efforts, not just a large corporate risk management department.
  4. Tactical Dispositions explains the importance of defending existing positions until you can advance them and how you must recognize opportunities, not try to create them.  The risk manager needs to build organizational strength to support risk management opportunistically.  A risk management program that does not wait for the right opportunities will create internal enemies and will then be fighting both the external risks as well as the internal enemies.
  5. Energy explains the use of creativity and timing in building your momentum.  The risk manager also needs to be creative and needs to build momentum.  The best risk management program fits well with the culture of the organization.  That fit will need to be developed by creatively combining the ideas of risk management with the written and unwritten parts of the organizational imperatives.
  6. Weak Points & Strong explains how your opportunities come from the openings in the environment caused by the relative weakness of your enemy in a given area.  Quite often the risk manager will know the right thing to do but will not be able to execute except at extreme danger to their position in the firm.  The openings for a risk manager to make the moves that will really make a difference in the future of the firm come infrequently and without warning.  The risk manager must be looking at these openings and be ready and able to act.
  7. Maneuvering explains the dangers of direct conflict and how to win those confrontations when they are forced upon you.  Some think that the risk manager’s job is direct conflict with the important people in the firm who would put the firm in an excessively risky position.  This is inadvisable.
  8. Variation in Tactics focuses on the need for flexibility in your responses. It explains how to respond to shifting circumstances successfully.  Risk Management tactics will be the most successful if they are aligned with the actual risk environment.  See Plural Rationalities and ERM.
  9. The Army on the March describes the different situations in which you find yourselves as you move into new enemy territories and how to respond to them. Much of it focuses on evaluating the intentions of others.  Rational Adaptability is the process of assessing the risk environment and selecting the risk management strategy that will work best for the environment.
  10. Terrain looks at the three general areas of resistance (distance, dangers, and barriers) and the six types of ground positions that arise from them. Each of these six field positions offer certain advantages and disadvantages.  The risk environment has four main stages, Boom, Bust, Moderate and Uncertain.
  11. The Nine Situations describe nine common situations (or stages) in a campaign, from scattering to deadly, and the specific focus you need to successfully navigate each of them.  Companies must determine their risk taking strategy and their risk appetite by looking at the risk environment as well as at their risk taking capacity.
  12. The Attack by Fire explains the use of weapons generally and the use of the environment as a weapon specifically. It examines the five targets for attack, the five types of environmental attack, and the appropriate responses to such attack.
  13. The Use of Spies focuses on the importance of developing good information sources, specifically the five types of sources and how to manage them.

Pick the Targets before You Start Judging

October 4, 2010

An Oct. 3 FT article says that just 30% of 465 executives surveyed said that “they were able to tap risk management programmes to prepare for and minimize the negative outcomes” of the recession.

But I wonder whether minimizing impact of a recession was among the targeted risks of those risk management programs.

And in addition, I wonder whether the risk managers would have been permitted to even think seriously about the impact of a recession as serious as the one that we have experienced (and continue to experience).

Financial firms that would have been very well prepared for this recession would have been doing quite a bit more hedging than their peers and the cost of that hedging would have severely reduced earnings prior to the recession.

Non-Financial firms that would have been well prepared would have been running with very low inventories and with loads of unfilled positions, running tons of expensive overtime prior to the flop.

The article also said that “only 44 percent said that they had adequately captured the potential problems before the downturn.”

Some of that may be risk managers being slammed for being poor fortune tellers.   They did not foresee the size of this recession so they missed it.

I would suggest that these survey results are a case of risk management as scapegoat.

Don’t get me wrong.  There are times when risk management gets it wrong.

But if you want risk managers to be focused upon minimizing the impact of a once in 75 year recession, then you ought to tell them that before the recession hits, not after.

And if accurate predictions of the economy are required of risk managers, then you ought to completely change your ideas about how much risk managers should be paid.

By the way, if you know now what sort of result you would have wanted from the recession, then that information should be used to set the firm’s risk tolerance – which should be done in advance, not after the fact.

But in fact, 80% of the firms have never agreed on a risk tolerance.  Quite often the reason for not picking one is a reluctance of management to have their options restricted by such a limit, to allow the board into decisions that they want to make without the help of the board.

Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications

August 8, 2010

The 2009 call for essays, “Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications,” which was published in early 2009, contained 35 short essays. Over half of those essays were contributed by folks who were on the INARM email group.

The Joint Risk Management Section of the Society of Actuaries (SOA), the Casualty Actuarial Society (CAS), and the Canadian Institute of Actuaries (CIA) in collaboration with the SOA Investment Section, the International Network of Actuaries in Risk Management (“INARM”) and the Enterprise Risk Management Institute International (“ERM-II”), propose publishing a second series of essays as a follow-up to the first to address “Risk Management: Part Two – Systemic Risk, Financial Reform, and Moving Forward from the Financial Crisis.”

Systemic risk is the risk of the collapse of an entire financial system or market as opposed to risk associated with any one individual entity. Risk systems consist of social institutions, laws, processes and products designed to facilitate the transfer, sharing, distribution and mitigation/hedging of risks between various buyers and sellers. Examples of risk systems include insurance, banking, capital markets, exchanges, and government and private health and retirement programs. Historically, these risk systems are rarely analyzed in a manner that looks at the ability of the system to survive extreme risk events and still carry out their function – creating an ongoing market for the exchange of risk. The failure of a risk system may be due to asymmetric information, unbalanced incentives of its participants and/or the failure of trust amongst its participants. In reflecting on the events of the last two years, is it possible to effectively develop early warning indicators that trigger intervention in advance of a complete collapse of an entire financial system or market? Does it make sense to have a chief risk officer of, say, the United States of America, whose role it would be to manage/mitigate this risk?

We invite the submission of essays to address these questions, and to offer thought leadership on the ERM discipline and the essential elements needed to maintain risk transfer systems in times of unusual stresses and unlikely events.

This topic has been intentionally left broad to allow essays that address industry-specific issues or a wide range of issues across industries. Each essay should be no more than two pages (1,500 words or less) and should be submitted no later than Friday September 15, 2010. Depending on the response, we may limit the number of essays that are published. SOA/CAS resources will be utilized to publish and promote the resulting publication. Publication is planned for Fall of 2010. Submit your essay here.

Awards for worthy papers:

1st Place Prize – $500
2nd Place Prize – $250
3rd Place Prize – $100

Feel free to pass along any questions to Robert Wolf, FCAS, CERA, ASA, MAAA, Staff Partner - Joint Risk Management Section and Investment Section, who will be coordinating the publication.

Lightning or Lightning Bug

August 5, 2010

Mark Twain once observed that there was a difference between Lightning and Lightning Bug. An important difference.

The difference between the almost right word & the right word is really a large matter–it’s the difference between the lightning bug and the lightning.

Might there be a similar difference between Risk Management System and Risk Management?

A Risk Management System is composed of org charts, policy statements, reports, meetings, committees, computer models, powerpoints and dashboards.

Risk Management means making tough decisions and taking unpopular actions that more than 9 out of 10 times will not look like they were the right calls after the fact.

But decisions and actions that every once in a long while will save the firm.

So can Risk Management happen inside of a Risk Management system?

But think about it.  Can you think of an example of a situation outside of a risk management system where getting more people involved results in MORE of the tough decisions being made?  Or MORE unpopular actions being taken?

So how should one go about creating a risk management system that actually does Risk Management?

Start with the tough decisions and unpopular actions that are sometimes needed.  Can you identify them?

Start there.  Find a person who has the qualities of discernment, judgment, balance, toughness and experience with the risk to make those tough decisions and to make sure that the unpopular actions happen.  Build the risk management system so that the person gets the information and authority and protection that they need to get the job done.

That would be difficult if that was all that was needed.  But this person, if they are doing their job, will be reversing some business decisions that might otherwise make some money.  So you also need an information system that assures top management that the risk manager is making the right tough decisions.

That system needs to help to identify whether the risk manager is making either Type I or Type II errors.  And if you want to keep a good risk manager and avoid keeping a bad risk manager, you need to have a realistic tolerance for the errors that your information system identifies.

Oh Hell.  It is much easier to just do the pretty risk management system and try to just take as much risk as everyone else.

Must be why so little Risk Management actually happens.

And Lightning Bugs are so pretty on a summer night.

Risk Management Adds to Value

August 3, 2010

It always seems like the same argument.

On the one side, you have the folks who say that risk management is an expensive waste of time, and on the other the folks who see risk management as vital to the survival of the firm.

The folks in the first group pull out their trump card…

OK, if risk management is so good, show me a demonstration of the value added.

And what they are looking for is a clear example where all that money spent on risk management resulted in some clear cut benefit.

The risk managers will sometimes be able to show a benefit.  But usually the best examples are somewhat difficult to claim clear credit for:

  1. Remember when Risk Management suggested that we reduce our stock market exposure in 2007?  Well, we cut it in half and saved the company millions.  (Or do you look at that as keeping half and losing millions???)
  2. Or that time when we stopped that trade that, if it had gone through, would have lost the firm a million.

First of all, viewed in that manner, risk management “accomplishments” always seem negative.  They always seem like they are all about stopping business.

Second, it is quite possible that in good times, risk management will not have any stories like this at all to talk about.

In the best of times, risk management does seem like a complete drag.  The folks who had weak risk management seem to do better than the folks with strong risk management.  That is because even the bad trades make money in the best times.

Risk management needs to avoid getting sucked into this discussion.

That is because the primary benefit of risk management is purely prospective, not retrospective.  It is pure luck whether risk management advice has resulted in positive benefits during any period of time.

Risk management has benefit and provides value in the way that it shapes the FUTURE.

The value of risk management is that it creates a future that has the risk profile that management and the board want.  A firm with good risk management has potential for failure and potential for success.  Those potentials have been deliberately and consciously balanced by management and the board.

The value of risk management is the value of a known balance compared to the value of an unknown balance.

The management of a firm is betting on a roulette wheel.  The firm with risk management knows how many numbers are on the wheel and can choose how many it wants to cover.  The firm without risk management does not even know how many numbers are on the wheel and may not even know the extent of its bets on any one spin of the wheel.

With that idea in mind, risk managers should be asking how the opponents of risk management would propose that they can value their own future.

Ponzi and Rolling Stone Risk Management

July 26, 2010

Managers of some firms just know that they do not need that risk management stuff.

They can tell because they have positive cash flow.

A firm with positive cash flow cannot possibly go out of business.  They know that.

Many young firms that are growing quickly utilize this sort of thinking to put off any development of risk management.  Because they just know that risk management would create real risk.  Risk management could put a stop to the positive cash flow.

Early in their history, insurance carriers thought that this positive cash flow risk management idea was just great.  It was so easy to keep the cash flow positive for an insurer.  Steady growth helped.  And the natural process of collecting premiums now and paying out claims later helped even more.

But then some spoilsport came along and ruined things and discovered the idea of reserves.

So the game had to shift to positive net income risk management.  As long as your net income was positive, there was no problem.  That sort of risk management created tensions between the positive net income folks and the actuary setting the reserves.  But many firms found a way around that and could set lower reserves and keep up the Ponzi Risk Management for a few more periods.

But periods of slower growth, due to economic slowdowns or other issues, were especially troublesome for the Ponzi Risk Management firms.  Like its namesake, the real Ponzi scheme, Ponzi Risk Management runs into trouble as soon as the flow of new customers slows for any reason.

A variation on Ponzi Risk Management is the Rolling Stone Risk Management.  Under Rolling Stone Risk Management, the firm keeps acquiring new smaller firms.  The chaos that exists through the transition is good to hide the waning growth and fundamental unprofitability of the Rolling Stone company.  If they can keep rolling, they gather no Loss.

But Rolling Stone risk management requires larger and larger acquisitions to be big enough to hide all of the prior sins because the backlog of problems keeps getting larger and larger.  And the compulsion to acquire means that the Rolling Stone company pays more and more for the acquisitions because those purchases are really a life and death matter for them.  They desperately need more Good Will to amortize.

But to be slightly clearer, Ponzi Risk Management is not real risk management.

The difference between Ponzi Risk Management and real Risk Management is that real Risk Management provides protection to firms that are growing and to firms that are not growing.  Real risk management means that the risk manager has taken into account the risks of the firm on a going concern basis, to help to maximize the value of the firm, as well as the potential risks of a stoppage of growth.  Real risk management means that the firm has made provision not just for the profitability of most parts of the business on a stand-alone, more or less static basis; it has also made sufficient provision for the risks of that business, both in terms of margin to compensate the firm for the risks and in terms of a cushion against the fluctuations of profitability and even the extreme loss potential of that business.

Risk Managers MUST be Humble

July 3, 2010

Once you think of it, it seems obvious.  Risk Managers need humility.

If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.

Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.

Risk managers should read the ancient Greek story of Icarus.

Risk managers without humility will suffer the same fate.

Humility means remembering that you must do every step in the risk management process, every time.  The World Cup goalkeeper Robert Green, who lets an easy shot bounce off of his hands and into the goal, has presumed that he does not need to consciously attend to the mundane task of catching the ball.  He can let his reflexes do that and his mind can move on to the task of finding the perfect place to put the ball next.

But he has forgotten his primary loss prevention task and is focusing on his secondary offense advancement task.

The risk managers with humility will be ever watchful.  They will be looking for the next big unexpected risk.  They will not be out there saying how well they are managing the risks; they will be more concerned about the risks that they are unprepared for.

Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.

Increasing the usefulness of ERM

June 27, 2010

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM frameworks were shown to:

  • Align performance metrics with management’s performance measurement philosophy
  • Integrate ERM into daily management activities

The following two sections discuss these issues and suggest action steps that insurance companies should take to establish ERM as a more robust and valuable management process.

1.  Aligning performance metrics with management’s performance measurement philosophy

To provide useful guideposts for business decisions, the risk adjusted performance measurement framework supporting ERM needs to reflect senior management’s views regarding alignment of responsibilities and performance metrics. Alignment is ensured by i) matching of the structure of the financial management reports to the boundaries of business segments, ii) accurate attribution of capital, premium revenues, investment income and expenses to business segments and iii) segregation in financial reports of the results associated with the current period from the impact of business written in prior years.

This alignment ensures appropriate distinctions between results of current and past decisions and a sharp focus on differences in drivers of performance.

In practice, leading companies are making explicit decisions about the design and features of the financial performance measures they develop by developing customized answers to questions such as the following:

  • Are business segments to be evaluated on a stand alone basis or in a portfolio context (i.e. after attribution of a capital credit for diversification)?
  • Are business segments to be evaluated as if their assets earned risk free, duration matched investment income? Or the average rate of return on the investment portfolio?
  • Are business segments to be evaluated in relation to their “consumption” of economic capital? Regulatory capital? Rating agency capital?
  • Should individual business segments bear the cost of “excess” or “stranded” capital?
  • Should performance benchmarks vary across business segments, in line with differences in the volatility of their total risk? Or differences in exposure/premium leverage across lines? Or differences in contribution to corporate debt capacity?
  • How granular does such reporting need to be?
  • Should performance metrics be developed in a policy/underwriting year framework? Would such metrics need to be reconciled with metrics based on fiscal year GAAP reported numbers?
  • How should the period performance of the in-force (or liabilities run off) be measured and separated from the performance of the “new business”? To what extent and how should the performance of “renewal” policies be separated from that of policies written for new customers in property-casualty companies?
  • Should the performance reporting framework provide only period measures of performance or should it be extended to capture the longer term economic value of insurance contracts, such as the change in the embedded value of the business?
  • Should the performance reporting framework be extended to incorporate stochastic performance metrics such as Earnings@Risk or Embedded Value@Risk?

Leading ERM practitioners, especially in Europe, have found that the usefulness, but also the complexity and cost, of risk adjusted performance metrics are determined by the desired level of granularity in reporting, and design decisions in i) risk measurement, ii) capital measurement and iii) financial reporting. The availability and quality of risk and financial data determine to a significant degree the level of granularity that can be built to support ERM.

In my experience, success in establishing ERM is highly dependent on the level of effort that companies devote to designing a reporting framework that the organization can understand and embrace intuitively, without having to be trained in advanced financial or risk topics. Setting out to develop the most rigorous and actuarially correct framework is likely to result in poor acceptance by operating managers.

2. Integrating ERM into daily management activities

Many senior executives recognize that establishing an ERM process is an obligation that cannot be avoided in today’s environment. They also have a strong intuitive sense that the science of risk measurement and analysis offered by the actuarial profession and other specialists in risk does not yet provide robust answers to many important questions that are asked by people who manage the operations of insurance companies day by day. Differences in perspectives between executives in the corporate center and the managers of business units hamper the effectiveness of ERM. Bridging these differences is a major challenge to the establishment of ERM. This challenge is rooted in fundamental differences in the roles and responsibilities of these actors.

Corporate center executives who operate under oversight of the Board of Directors are highly sensitive to risk concerns of shareholders. It is natural for these executives to take an aggregate view of risk, across the business portfolio. They contribute to corporate performance by making i) strategic risk management decisions in connection with capacity deployment, reinsurance and asset allocation, and ii) operational risk management decisions principally in connection with the management of shared services. Their most important risk decisions, related to capital allocation, involve significant strategic risks.

By contrast, business unit managers have a different outlook. They are typically more focused on meeting the needs of policyholders. They are more likely to view risk as stemming from products and customers. From their point of view risk management starts with product design, underwriting and pricing decisions, control of risk accumulations and concentrations, product mix and customer mix. With regard to operational risk, their activity places them on the front line to control the “execution risks” elements of operational risk. Business unit managers tend to view requests for support of ERM as distractions from serving policyholders and accomplishing their goals. They believe that they help protect shareholders from value loss by focusing on establishing and maintaining a competitive advantage.

The CFO of a very large insurance group confided to me recently that aligning the perspectives of executives at the corporate center with that of business managers was a challenge of great importance. He expressed the view that results from risk models cannot be used simplistically and that experience and business judgment are needed to guide decisions. Caution and prudence are especially important in interpreting decision signals when model results appear unstable or when complexity makes it difficult to recognize possible biases. He had become interested in using a combination of approaches to develop reliable insights into strategy and risk dynamics in his company.  He was particularly focused on finding ways to bring these insights to bear on the daily activities of employees who manage risk accumulation, risk mitigation and risk transfer activities, on both sides of the balance sheet. In his judgment, borne out by other discussions and my experience with clients, ERM comes to life and creates value best when a top down framework initiated by senior management is embraced bottom up throughout the organization.

Consistent with these considerations, ERM appears to work best in companies in which operating managers have “bought into” ERM and embraced the perspective it provides. In many of these companies, one observes that:

  • Risk management responsibility is owned by operating managers
  • Product definitions and investment boundaries are clear and matched to explicit risk limits
  • Policies and procedures have been co-developed with operating personnel
  • Product approval and risk accumulation are subject to oversight by the central ERM unit
  • Risk and value governance are integrated through a committee with authority to adjudicate decisions about trade-offs between risks and returns
  • Compliance and exceptions are subject to review by senior management

It is important to observe that none of the considerations discussed in the two sections of this note are about the technical components of risk management. Rather, they define a context for accountability, empowerment and appropriate limitations on the activities of people who run day to day operations in insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

jpberliet@att.net

A Risk Management Classic

May 20, 2010

I had occasion recently to search the Basel website to try to document the history of their involvement in risk management. 

The oldest document that is still available there that has the term Risk Management in its title is July 1994, Risk Management Guidelines for Derivatives.  That matches up with my impression that modern risk management can be traced back to the efforts of banks and banking supervisors to contain the risks associated with derivatives trading that had led to several blow-ups in the early 1990’s.

But the first real classic is the next oldest document on the Basel website, Principles for the management of interest rate risk, from September 1997.  That document clearly lays out the structure and process for a full scale risk management system.  If you take that link, it will tell you that the 1997 document has been superseded.  But if you look at the 2004 update and the 1997 original, you will see that they have added lots of details and lost most of the clarity of the original.  So if you want trees, take the 2004 version; if you want forest, like me, you would prefer the original 1997 version.

What I particularly liked about the original is that it really wasn’t about interest rate risk at all.  It really captured the essence of risk management and applied that essence to interest rate risk.  Therefore, I believe that the document can easily be used as a guide to building a risk management system for any risk. 

The document is built around 10 Principles:

The role of the board and senior management

Principle 1: In order to carry out its responsibilities, the board of directors in a bank should approve strategies and policies with respect to interest rate risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the interest rate risk exposure of the bank in order to assess the monitoring and controlling of such risk.

Principle 2: Senior management must ensure that the structure of the bank’s business and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks, and that resources are available for evaluating and controlling interest rate risk.

Principle 3: Banks should clearly define the individuals and/or committees responsible for managing interest rate risk and should ensure that there is adequate separation of duties in key elements of the risk management process to avoid potential conflicts of interest. Banks should have risk measurement, monitoring and control functions with clearly defined duties that are sufficiently independent from position-taking functions of the bank and which report risk exposures directly to senior management and the board of directors. Larger or more complex banks should have a designated independent unit responsible for the design and administration of the bank’s interest rate risk measurement, monitoring and control functions.

Policies and procedures

Principle 4: It is essential that banks’ interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should be applied on a consolidated basis and, as appropriate, at the level of individual affiliates, especially when recognising legal distinctions and possible obstacles to cash movements among affiliates.

Principle 5: It is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.

Measurement and monitoring system

Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways that are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management.

Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies.

Principle 8: Banks should measure their vulnerability to loss under stressful market conditions – including the breakdown of key assumptions – and consider those results when establishing and reviewing their policies and limits for interest rate risk.

Principle 9: Banks must have adequate information systems for measuring, monitoring, controlling and reporting interest rate exposures. Reports must be provided on a timely basis to the bank’s board of directors, senior management and, where appropriate, individual business line managers.

Internal controls

Principle 10: Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to the relevant supervisory authorities.

I would generalize these with very simple editing.  Here is Generalized Principle 1:

Principle 1: In order to carry out its responsibilities, the board of directors in a firm should approve strategies and policies with respect to risk management and ensure that senior management takes the steps necessary to monitor and control these risks. The board of directors should be informed regularly of the risk exposure of the firm in order to assess the monitoring and controlling of such risk.

This was done by simply deleting 2 instances of the words “interest rate” and exchanging the word “firm” for the word “bank”. 

This mindless editing can be done to almost every one of the 10 principles and the result is not just usable, but is a very clear and basic guideline for any risk management program. 

That is what makes this a classic.

Skating Away on the Thin Ice of the New Day

April 23, 2010

The title of an old Jethro Tull song.  It sounds like the theme song for the economy today!

Now we all know.  The correlations that we used for our risk models were not reliable in the one instance where we really wanted an answer.

In times of stress, correlations go to one.

That has finally, after only four or five examples with the exact same result, become accepted wisdom.

But does that mean that Diversification is dead as a strategy?

I would argue that it certainly puts a hurt to diversification as a strategy for finding risk free returns.  Which is how it was being (mis)used in the Sub Prime markets.

But Diversification should still reign as the king of risk management strategies.  But it needs to be real diversification.  Not tiny diversification that is observable only under a mathematical microscope.  Real Diversification is where risks have completely different drivers.  Not slightly different statistical histories.

So in Uncertain Times, and these days must be labeled Uncertain Times (or the thin ice age), diversification is the best risk management strategy.  Along with its mirror image twin, avoidance of concentrations.

The banks had given up on diversification as a risk strategy.  Instead they believed that they were making risk free returns by taking lots and lots of concentrated risk that they were either fully hedging or moving the risk off their balance sheets very quickly.

Both ideas failed.  Hedging failed when the counterparty was Lehman Brothers.  It succeeded when the counterparty was any of the other institutions that were bailed out, but there was an extended period of severe uncertainty about that before the bailouts were finally put into place.  Moving the risks off the balance sheet failed in two ways.  First it failed because they were really playing hot potato without admitting it.  When the music stopped, someone was holding the potato.  And some banks were holding many potatoes.  It also failed because some banks had been offloading the risks to hedge funds and other investors to whom they were lending the funds to finance the purchase.  When the CDOs soured, the loans secured by the CDOs were underwater and the CDOs came back onto the bank balance sheets.

The banks that were hurt the least were the banks who were not so very concentrated in just one major risk.

The cost of the simple diversification strategy is that those banks with real diversification showed lower returns during the build up of the bubble.

So that is the risk reward trade off of real diversification – it will often produce lower returns than the mathematical diversification but it will also show lower losses in proportion to total revenue than a strategy that concentrates in the most profitable risk choices according to a model that is tuned to the accounting or performance bonus system.

Diversification is the risk management strategy for the Thin Ice Age.

Making Better Decisions using ERM

April 21, 2010

Max Rudolph provided a lecture on ERM for the University of Waterloo and the Waterloo Research Institute in Insurance, Securities and Quantitative Finance (WatRISQ).

Key Points:

ERM’s Role in Strategic Planning

  • Understanding the Risk Profile
  • Solutions are Unique
  • Using Quantitative and Qualitative Tools

ERM is Not:

  • A Checklist Exercise
  • A Rating Agency Exercise
  • Just About Risk Mitigation

Have you ever heard of the Financial Crisis?

And Much more…

Max Rudolph

LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple-minded tick-the-box exercise.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • It was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans need to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If the risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

Surprise, Surprise

April 5, 2010

If any of you heard me give the luncheon talk last year at the ERM Symposium, you will have to mark your calendars to attend a follow-up session on the same topic this year.  This year, Michael Thompson will be doing most of the talking.

That topic is the application of Plural Rationalities (aka Cultural Theory) to risk management.

Over the year since I gave that speech I have been working with Michael Thompson, one of the original authors of the Cultural Theory book, to explain the ways that the ideas from anthropology help to explain and can help to plan for the various experiences.

The key idea is called Surprise!  That is the name for what happens when someone expects one thing and another happens.  Thompson will be explaining how Surprise is a key driver of how people experience the risk environment.

In addition, I will be discussing an agent based model called The Surprise Game that demonstrates the dynamics of a system that runs under the rules of Plural Rationalities.

Thompson will wrap up with a discussion of the Clumsy solutions that have been found to be the answer to the puzzle of the world of risk.

So if I caught anyone’s interest last year at lunch with my smiley faces, come back this year for some serious discussion of the four part world of Plural Rationalities.

Wednesday, April 14, 2010

10:00–11:15 a.m. Concurrent Sessions 5B

No Risk Management is Betting

March 22, 2010

So many times, the financial press gets it exactly backwards. (See Bloomberg) Firms who manage their risks by hedging or insurance are reported to be betting and firms who do not are simply subject to the normal fluctuations of uncontrollable events.

But Risk Management offers a real alternative to either betting or being tossed around by the frothy seas of misfortune.  Risk management offers the possibility of identifying and mitigating the most extreme negative events and trends of the world.

Imagine your business owns a building worth $100,000,000.  There is a 1 in 250 chance that a storm will hit your building and destroy it, leaving you with a $10 million piece of empty property and a $10 million clean-up bill.  (Ignore the business interruption for now.)

So the expected cost of that loss is $400,000.  You get an insurance quote for $600,000.  There are two ways you can tell the story of purchasing insurance:

  1. The firm can place a bet that its building will be destroyed by a storm.  If there is no storm, then they lose their bet.
  2. The firm can manage its risk from a severe storm by buying an insurance policy.

Now if the storm does not happen, the story can be:

  1. The firm lost its bet that its building would be destroyed.
  2. The firm incurred a fixed cost of managing its storm risk and avoided the volatility of an uninsured situation.

And if the storm does one day hit, the story is:

  1. The firm won its bet that a storm would destroy its building and was rewarded by a $100 million gain from insurance.
  2. The losses from the storm were covered by the firm’s insurance.

Risk Management just is not a good story for the reporters, if told right.  For the firm, that may just be one more reason to consider risk management.

Now if the firm chooses not to buy the insurance, the coverage is twisted.  Again read two ways that it might be reported if there is no storm:

  1. No story.  Nothing happened.
  2. The firm got lucky and did not take a loss on its uninsured building.  They took a bet that had a huge downside for their shareholders for a very small payoff.

And if the storm hits, the story is reported as:

  1. Tragedy strikes.  Unfortunate event causes $100 M loss.  CEO says “We are just not able to control the weather.”
  2. The bet that management took went bad.  That bet was just not necessary.  Now shareholders have experienced large losses because the management was trying to save a little on insurance.  The CEO should be fired.

Unless the firm was in the business of long term weather forecasting, they had no business making the bet when they did NOT buy the insurance.  They had no expertise to tell them that they shouldn’t buy the insurance.

They were just gambling.

The Risk Management Wager

March 5, 2010

Many people will look at Risk Management actions as “bets” that they either win or lose.  To those people, Risk Management is a good bet if there is an actual net increase to profits from the risk management activities.

That is a backwards looking approach to Risk Management.  Under that approach, many risk management actions will “lose” money for the firm.  That is because if the risk management action involves a transaction that creates a risk offset, the counterparty will expect to be paid a margin over the expected cost of the risk, which will mean that on the average, people who transfer risks will lose money to at least the amount of that margin.

But that backwards look is not the whole story about Risk Management’s value.  The rest of the story is about how Risk Management changes the forward looking prospects of the firm.

Think about it this way, if your business is to run lit sticks of explosives into a building to be demolished, how would you feel about a longer fuse?

For as long as you have been in this business, the fuse has been long enough.  So without the longer fuse, you have always been ok.  And so far, you have never, ever tripped and fallen on the way in or out of a building.

And more fuse is expensive.  Probably a dollar per inch.  If you had added a few extra inches in the past for the hundreds of times you had run the dynamite into the buildings, all of that extra money would have been wasted.

All that extra fuse adds is a chance to get up and run out of the range of the blast if you should stumble.  And if you never stumble that is a waste of money.

So what do you bet?

Any Road Will Do

February 20, 2010

Is what the Cheshire Cat told Alice.  Since she did not know where she was going.

And unfortunately, that is where the European Bank Supervisors seem to be regarding Risk Management.  They just published a short paper entitled “High level principles for risk management”, which despite the lofty title gives very little clear guidance at a high level.  I will instead point you to something along the same lines that WAS well written and that DOES represent actual principles of risk management.  I refer you to the BIS report on Interest Rate Risk Management from 1997.  Their 11 top principles are listed below.

A. The role of the board and senior management

Principle 1: In order to carry out its responsibilities, the board of directors in a bank should approve interest rate risk management policies and procedures, and should be informed regularly of the interest rate risk exposure of the bank.

Principle 2: Senior management must ensure that the structure of the bank’s business and the level of interest rate risk it assumes are effectively managed, that appropriate policies and procedures are established to control and limit these risks, and that resources are available for evaluating and controlling interest rate risk.

Principle 3: Banks should have a risk management function with clearly defined duties that reports risk exposures directly to senior management and the board of directors and is sufficiently independent from the business lines of the bank. Larger or more complex banks should have units responsible for the design and administration of the bank’s interest rate risk management system.

B. Policies and procedures

Principle 4: It is essential that banks’ interest rate risk policies and procedures be clearly defined and consistent with the nature and complexity of their activities. These policies should address the bank’s exposures on a consolidated basis and, as appropriate, also at the level of individual affiliates.

Principle 5: It is important that banks identify the risks inherent in new products and activities and ensure these are subject to adequate procedures and controls before being introduced or undertaken. Major hedging or risk management initiatives should be approved in advance by the board or its appropriate delegated committee.

C. Measurement and monitoring system

Principle 6: It is essential that banks have interest rate risk measurement systems that capture all material sources of interest rate risk and that assess the effect of interest rate changes in ways which are consistent with the scope of their activities. The assumptions underlying the system should be clearly understood by risk managers and bank management.

Principle 7: Banks must establish and enforce operating limits and other practices that maintain exposures within levels consistent with their internal policies.

Principle 8: Banks should measure their vulnerability to loss under stressful market conditions – including the breakdown of key assumptions – and consider those results when establishing and reviewing their policies and limits for interest rate risk.

Principle 9: Banks must have adequate information systems for monitoring and reporting interest rate exposures to senior management and boards of directors on a timely basis.

D. Independent controls

Principle 10: Banks must have adequate internal controls for their interest rate risk management process and should evaluate the adequacy and integrity of those controls periodically. Individuals responsible for evaluating control procedures must be independent of the function they are assigned to review.

Principle 11: Banks should periodically conduct an independent review of the adequacy and integrity of their risk management processes. Such reviews should be available to relevant supervisory authorities.

These principles are so universal that you will find that if you simply substitute the name of any other risk for the words “interest rate” in the sentences above, you will still have an excellent list of risk management principles.  In fact, just substitute the words “Bank”  or even “Insurer” for interest rate above and you now have a complete and coherent set of PRINCIPLES FOR RISK MANAGEMENT.

The most puzzling thing to me is that this BIS report has long been superseded by something with wording much more like the meandering and fuzzy report of the CEBS.  Don’t take my word for it, the newest version of this BIS interest rate risk management paper is available on their website.  Compare the wording of that report to these crystal clear principles and let me know where you see any improvements.

When your Parachute Doesn’t Open

February 16, 2010

Do you have a plan for what to do when your parachute doesn’t open?

Well, if you do not, pay attention.  Here is a 6 step checklist for what to do:

  1. Signal your Buddy.
  2. Get close with your Buddy.
  3. Link your arms through his/her straps.
  4. Open his/her chute.
  5. Let your Buddy steer the chute.
  6. Suggest that he/she look for an extra soft place to land (water).

There now.  Don’t you feel safer?

You say you do not parachute jump?  So what good is this?

Well, you must see that this is really good advice that can be applied to many situations.  Not just parachute jumping.

1.  Signal Your Buddy – this step might just be the most difficult.  That is because it requires two very different things.  First, you must recognize that you have a serious and potentially fatal problem.  You must be able to make that decision before it is too late.  So you probably need to have thought ahead to know how serious of a problem just might be terminal.  Second, you have to have a buddy in sight to be signaled.  If you are an individual working in risk management in a firm, you need to know in advance who is going to be your buddy in case of emergency.  This applies to entire firms as well.  The firm needs to know who they will go to when they might be in terminal trouble.

2.  Get Close with your Buddy – Troubled times are when you find out who your real buddies are.  Your fair weather friends will not be interested in getting close to you when you are in trouble.  This is the real definition of a Buddy.  Someone who is willing to be next to you then.  You need to realize that now and decide whether you have any real buddies.  If you are parachute jumping, you need to figure that out on the ground, not in the air.  If you are managing risks, perhaps you are at the wrong firm if you look around and you do not know who your buddy is.  A firm with a good risk management program will more than encourage buddies, it will require them.  And it will foster a culture of mutual responsibility, not everyone for themselves. It needs to be a firmwide expectation that you can count on several potential buddies when a real problem crops up.

3.  Link your arms through his/her straps – for parachuting, holding on is not sufficient, the g-force that will hit when the chute opens with two people and one chute will rip you apart.  Also in risk management, the commitment to the Buddy needs to be very firm.  All too often risk managers get blamed for improper risk appetites, even when they had explicitly warned against the exact event that is causing the problem.  Many risk managers will sorely need to have someone who will remind management that the risk manager was not the one at fault.

4.  Open his/her chute.  This is the key step for both the diver and the risk manager.  And it needs to be said and repeated and rehearsed.  The reason that the risk management might be of value to the organization is that it causes the organization to contemplate doing some things differently.  When there are severe troubles, the risk manager needs to be able to clearly call for action and the organization needs to be prepared to take that action, either by directly empowering the risk manager or through a cultural commitment to real action based upon risk information.  The Buddy system described here might be a good way to create the possibility of quick action with some checks and balances in the event of severe threats.  The empowerment to action might require the agreement of the buddy.

5.  Let your Buddy steer the chute.  This item on the checklist is there to acknowledge that the person who loses the chute might just be a little (or a lot) shook up and therefore might have somewhat impaired judgment.  The same might be true in the event of a disaster to the firm.  The buddy and the firm in general need to look out for any actions that are of the nature of “doubling down” to recover past losses.  There must be a recognition that the best thing to do now can best be determined by looking at likely futures rather than the past.

6.  Suggest that he/she look for an extra soft place to land (water).  The parachute will often not work exactly as planned when it carries two.  So the person steering needs to be particularly diligent to look for a softer than usual place to land.  So too with a risk management emergency.  It might be desirable to end up in a slightly more secure position than normal minimum standards after a major problem.  It will make everyone feel better.  The hardest story to tell is when a firm has had a major loss but was not able to really put on the brakes so is not sure if or how much further loss will be happening.  Both need to help with looking for that soft place to land.

Lessons for Insurers (3)

January 31, 2010

In late 2008, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

3. The presence of systemic risks means that insurers should pay attention to not only what is going on inside their “own houses” but also be aware of what is going on in their “neighbors’ yards.” Regulators should also pay attention to what is happening in other countries.

Risk management that is inwards directed, referred to above as in “own houses” is not just important because of systemic risk.   At any time, the actions of others in the marketplace could have a massive negative impact on an insurer.  Most parts of the insurance and financial markets are different each year because of changes that are almost always from “outside”.  In insurance markets, there are constant shifts in underwriting standards and pricing strategies of the other firms in the market.  New products and product features change the landscape all of the time.  Risk managers need to stay aware of how those changes impact on the business that gets written by the insurer.  The most important thing to look out for is whether the shifting competition has managed to siphon off the better risks, leaving the insurer with the worse risks.

There are also plenty of times when the rest of the world drags things into the dumps without causing a systemic meltdown.  The term Systemic Risk is highly overused right now.  While the recent Systemic Risk event will be heavily ingrained in the memories of most of us, it is only the second such event in 75 years.   So the risk manager cannot be limiting their concern about the actions of others in the marketplace to events that might become systemic.  For example, the 2000 – 2002 equity bear market was quite difficult to firms that were heavily exposed to equities.  But even three years of losses there did not cause a systemic breakdown.  However, the tech boom that preceded the bust was a clear example of a bubble.

So perhaps, rather than systemic risks, the advice from the report should have read “The presence of bubbles…”  Bubbles are much more common than systemic breakdowns and are definitely worth the time and effort that it takes to avoid them.  Bubbles can be broadly defined to include those points in the underwriting cycle when premiums are far below break-even.

A former boss of mine once said that the problem with the commercial real estate business is that even if you do your homework and pick just the right spot to build a new building, right where there is no competition and strong demand for the type of space you are adding, all it takes is another fool who doesn’t do any homework, but who sees the full parking lot outside your building and with that research in hand builds an identical building right down the street.  Overcapacity and you both fail.

That story applies to most things in one way or another in business.  And that is a major source of risk – the fool building an identical building right down the street.

Whenever you find that something that you have been doing successfully becomes highly popular, you need to start making contingency plans and find another niche to exploit.  You will need both.

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

Lessons for Insurers (2)

January 23, 2010

In late 2009, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

2. Risk management is most effective at prevention. Failing at prevention results in damage control, which is often expensive and ineffective.

This “lesson” is based upon an old car repair commercial where the mechanic says “You pay me now or pay me later”.

But Loss Prevention is only one of three major goals of risk management.   There is much confusion about the fact that there are really three different things that are all called risk management by different people.

However, many people do not realize that there are really three separate systems involved in those three types of risk management and end up adopting elements of all three systems without necessarily adopting all of any of the three.  That is one of the things that creates much frustration with ERM among general management.

And some ERM systems are not clear themselves about which of the three types of ERM goals that they are trying to accomplish.

Just to be clear, the three goals are:

  1. Controlling the Frequency and Severity of Losses
  2. Managing the risk reward trade-off on a transactional level
  3. Managing the risk reward trade-off on a macro (line of business or subsidiary) level

As you could imagine, completely different people are involved in executing each of the three. And each of these three types of ERM includes activities and goals that existed in most firms before the existence of ERM.

Usually, the difference between an ERM approach to these objectives and the pre-ERM approach is two things:

  • A commitment to pursuing the goals consistently throughout the entire enterprise
  • A common definition of RISK and metrics for measuring RISK applied to all risks

Crisis Pre-Nuptial

January 21, 2010

What is the reaction of your firm going to be in the event of a large loss or other crisis? 

If you are responsible for risk management, it is very much in your interest to enter into a Crisis Pre-Nuptial.

The Crisis Pre-Nuptial has two important components. 

  1. A protocol for management actions in the event of the crisis.  There is likely a need for there to be a number of these protocols.  These protocols can be extremely valuable; their value will most likely far exceed the entire cost of a risk management function.  Their value comes because they eliminate two major problems that firms face in the event of a crisis or large loss.  First is the deer in the headlights problem – the delay when no one is sure what to do and who is to do it.  That delay can mean that corrective actions are much less effective or much more expensive or both.  Second is the opposite, that too many people take actions, but that the actions are conflicting.  This again increases costs and decreases effectiveness.  Just as with severe medical emergencies, prompt corrective actions are almost always more likely to have the most favorable results.
  2. Setting up an expectation that the crises and losses either are or are not an expected part of the risks that the firm is taking.  If the firm is taking high risks, but does not expect to ever experience losses, then there is a major disconnect between the two.  Just as a marital pre-nuptial agreement is a conscious acknowledgement that marriages sometimes end in divorce, a Crisis Pre-Nuptial is an acknowledgement that normal business activity sometimes involves losses and crises. 

Risk managers who have a Crisis Pre-Nuptial in place might, just might, have a better chance to survive with their job intact after a crisis or large loss.

And if someday, investors and/or boards come to the realization that firms that plan for rainy days are, in the long run, going to be more valuable, the information that is in the Crisis pre-nuptial could be very important information for them.

Moral Hazard

January 13, 2010

Kevin Dowd has written a fine article titled “Moral Hazard and the Financial Crisis” for the Cato Journal.  Some of his very well articulated points include:

  • Moral Hazard comes from the ability for individuals to benefit from gains without having an equal share in losses.  (I would add that that has almost nothing to do with government bailouts.  It exists fully in the compensation of most executives of most firms in most economies. )
  • Bad risk models (Gaussian) that ignore abnormal market conditions.
  • Ignoring the fact that others in the market all have the same risk management strategy and that that strategy does not work for the entire market at once. 
  • Mark to Model where model is extremely sensitive to assumptions. 
  • Using models that were not designed for that purpose. 
  • Assumption of continuously liquid markets. 
  • Risk management system too rigid, resulting in easy gaming by traders. 
  • “the more sophisticated the [risk management] system, the more unreliable it might be.”
  • Senior management was out of control.  (and all CEOs are paid as if they were above average!)
  • Fundamental flaw in Limited Liability system.  No one has incentive to put a stop to this.  Moral Hazard is baked into the system.

Unfortunately, there are two flaws that I see in his paper. 

First, he misses the elephant in the room.  The actual exposure of the financial system to mortgage loan losses in the end was over 400% of the amount of mortgages.  So if the multiplication of risk that happened under the guise of risk spreading had not happened, the global financial crisis would have simply been a large loss for the banking sector and other investors.  However, with the secret amplification of risk that happened with the CDO/CDS over the counter trades, the mortgage crisis became a depression sized loss, exceeding the capital of many large banks.

So putting all of the transactions out in the open may have gone a long way towards allowing someone to react intelligently to the situation.  Figuring out a way to limit the amount of the synthetic securities would probably be a good idea as well.  Moral Hazard is a term from insurance that is important to this situation.  Insurable interest is one as well.

The second flaw of the paper is the standard Cato line that regulation should be eliminated.  In this case, it is totally outrageous to suggest that the market would have applied any discipline.  The market created the situation, operating largely outside of regulations. 

So while I liked most of the movie, I hated the ending. 

We really do need a Systemic Risk Regulator.  And somehow, we need to create a system so that 50 years from now when that person is sitting on a 50 year track record of no market meltdowns, they will still have enough credibility to act against the mega bubble of those days.

Best Risk Management Quotes

January 12, 2010

The Risk Management Quotes page of Riskviews has consistently been the most popular part of the site.  Since its inception, the page has received almost 2300 hits, more than twice the next most popular part of the site.

The quotes are sometimes actually about risk management, but more often they are statements or questions that risk managers should keep in mind.

They have been gathered from a wide range of sources, and most of the authors of the quotes were not talking about risk management, at least they were not intending to talk about risk management.

The list of quotes has recently hit its 100th posting (with something more than 100 quotes, since a number of the posts have multiple quotes).  So on that auspicious occasion, here are my favorites:

  1. Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.  Douglas Adams
  2. “when the map and the territory don’t agree, always believe the territory” Gause and Weinberg – describing Swedish Army Training
  3. When you find yourself in a hole, stop digging.-Will Rogers
  4. “The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair” Douglas Adams
  5. “A foreign policy aimed at the achievement of total security is the one thing I can think of that is entirely capable of bringing this country to a point where it will have no security at all.”– George F. Kennan, (1954)
  6. “THERE ARE IDIOTS. Look around.” Larry Summers
  7. the only virtue of being an aging risk manager is that you have a large collection of your own mistakes that you know not to repeat  Donald Van Deventer
  8. Philip K. Dick “Reality is that which, when you stop believing in it, doesn’t go away.”
  9. Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted.  Albert Einstein
  10. “Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.”  Sherlock Holmes (A. Conan Doyle)
  11. The fact that people are full of greed, fear, or folly is predictable. The sequence is not predictable. Warren Buffett
  12. “A good rule of thumb is to assume that “everything matters.” Richard Thaler
  13. “The technical explanation is that the market-sensitive risk models used by thousands of market participants work on the assumption that each user is the only person using them.”  Avinash Persaud
  14. There are more things in heaven and earth, Horatio,
    Than are dreamt of in your philosophy.
    W Shakespeare Hamlet, scene v
  15. When Models turn on, Brains turn off  Til Schuermann

You might have other favorites.  Please let us know about them.

Lessons for Insurers (1)

January 11, 2010

In late 2009, the CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

1. The success of ERM hinges on a strong risk management culture which starts at the top of a company.

This seems like a very simple statement that is made over and over again by most observers.  But why is it important and why is it very often lacking?

First, what does it mean that there is a “strong risk management culture”?

A strong risk management culture is one where risk considerations make a difference when important decisions are made PERIOD

When a firm first adopts a strong risk management culture, managers will find that there will be clearly identifiable decisions that are being made differently than previously.  After some time, it will become more and more difficult for management to notice such distinctions because as risk management becomes more and more embedded, the specific impact of risk considerations will become a natural inseparable part of corporate life.

Next, why is it important for this to come from the top?  Well, we are tying effective risk management culture to actual changes in DECISIONS and the most important decisions are made by top management.  So if risk management culture is not there at the top, then the most important decisions will not change.  If the risk management culture had started to grow in the firm, when middle managers see that top management does not let risk considerations get in their way, then fewer and fewer decisions will be made with real consideration of risk.

Finally, why is this so difficult?  The answer to that is straightforward, though not simple.  The cost of risk management is usually a real and tangible reduction of income.  The benefit of risk management is probabilistic and intangible.  Firms are compared each quarter to their peers.

If peer firms are not doing risk management, then their earnings will appear higher in most periods.

Banks that suffered in the current financial crisis gave up 10 years of earnings!  But the banks that in fact correctly shied away from the risks that led to the worst losses were seen as poor performers in the years leading up to the crisis.

So what will change this?  Only investors will ultimately change this.  Investors who recognize that in many situations, they have been paying un-risk adjusted multiples for earnings that have a large component of risk premiums for low frequency, high severity risks.

They are paying multiples, in many cases where they should be taking discounts!

New Decade Resolutions

January 1, 2010

Here are New Decade Resolutions to adopt for firms that are looking to be prepared for another decade:

  1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
  2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
  3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
  4. Forward-looking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future.
  5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.
  6. Drivers of risks will be highlighted and monitored.  Key risk indicators are not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external.
  7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
  8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the firm strategy, with only the latter within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management.
  9. Focus on the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.  Big transactions will also get the same kind of focus on risk.

Does Bloomberg Understand Anything about Risk Management?

December 18, 2009

On December 18, Bloomberg posted a story about losses on interest rate swaps at Harvard.  The story says that in 2004, Harvard entered into long term swaps to lock in future rates for planned borrowing.  That seems like ok risk management.  But as it happened, interest rates did not rise, they fell.  So the hedge was not needed.  The type of hedging strategy that they chose had no initial cost.  The cost of risk management was incurred only if the hedged event did not happen.  If interest rates did rise, then the swaps would have resulted in a gain so that Harvard’s costs were limited to a predetermined amount.  If interest rates fell, then Harvard would pay on the swaps, but save on the interest costs, bringing the sum of interest paid on their borrowing and the swap payments to a fixed predetermined total in all cases.

However, Bloomberg chooses to say it this way:

Harvard was betting in 2004 that interest rates would rise by the time it needed to borrow.

The bulk of the story is about how Harvard lost their “bet” and how much money they lost because they lost the “bet” when interest rates fell, and Harvard had to postpone their planned borrowing.

No wonder it is difficult for firms to disclose any information about actual risk management actions and plans, if a reasonable but not perfect risk management action is seen as a “bet” rather than a move to stabilize interest costs.

Every risk management action will have a cost.  Harvard’s real bad move, similar to the one by Soc Gen in January 2008, was the choice to lock in losses, and at the worst time.  Interest rates cannot go below zero, so there is absolutely no reason to get out of those swaps, unless their cashflow was so, so poor that they had no way to pay the monthly interest swap amount (even though they somehow had the cash to settle all of the swaps, presumably paying the present value of the long term swap amounts as viewed at a time of very low interest rates).

Their other bad move was to fail to hedge the possibility that they would not even do the project and therefore not need the hedge.  To identify how to hedge that situation, they would have had to do some scenario testing of scenarios of extreme losses in their endowment that would have resulted in the situation that they now find themselves in.  That analysis should have resulted in some far out of the money hedges on the investments in Harvard’s portfolio.  And the fact that much of their portfolio may be unhedgeable should have been a warning about the wisdom of making forward commitments like the swaps that presume that the endowment will not tank.

Seeing how wrongheaded the coverage of the transactions was, Harvard probably felt that they had long term reputational risk from paying the monthly payments.

Alternately, if as the article says, the swap markets are so much more liquid at periods for up to 3 years, then why didn’t they enter into trades to reverse the first 3 years of the payments?

No matter what the market says right this minute, I find it hard to believe that interest rates for Harvard will never again reach the 4.72% that the swaps were locking in as the rate.

But that is not the point.  The point is that Bloomberg reports Risk Management as a “bet” implying that lack of risk management is not a “bet”.

But, how many companies are implicitly taking a “bet” that the future will never get worse than the present by not hedging anything?

Why is that NEVER a story?

Live Ammunition

December 13, 2009

Are you working with live ammunition with your risk management program?

What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?

The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?

If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.

Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.

I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.

Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a brake pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?

Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.

The job of RISK is not to override the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.

Risk Management Changed the Landscape of Risk

December 9, 2009

The use of derivatives and risk management processes to control risk was very successful in changing the risk management landscape.

But that change has been in the same vein as the changes to forest management practices that saw us eliminating the small forest fires only to find that the only fires that we then had were the fires that were too big to control.  Those giant forest fires were out of control from the start and did more damage than 10 years of small fires.

The geography of the world from a risk management view is represented by this picture:

The ball represents the state of the world.  Taking a risk is represented by moving the ball one direction or the other.  If the ball goes over the top and falls down the sides, then that is a disaster.

So risk managers spend lots of time trying to measure the size of the valley and setting up processes and procedures so that the firm does not get up to the top of the valley onto one of the peaks, where a good stiff wind might blow the firm into the abyss.

The tools for risk management, things like derivatives with careful hedging programs, now allowed firms to take almost any risk imaginable and to “fully” offset that risk.  The landscape was changed to look like this:

Managers believed that the added risk management bars could be built as high as needed so that any imagined risk could be taken.  In fact, they started to believe that the possibility of failure was not even real.  They started to think of the topology of risk looking like this:

Notice that in this map, there is almost no way to take a big enough risk to fall off the map into disaster.  So with this map of risk in mind, company managers loaded up on more and more risk.

But then we all learned that the hedges were never really perfect.  (There is no profit possible with a perfect hedge.)  And in addition, some of the hedge counterparties were firms who jumped right to the last map without bothering to build up the hedging walls.

And we also learned that there was actually a limit to how high the walls could be built.  Our skill in building walls had limits.  So it was important to have kept track of the gross amount of risk before the hedging.  Not just the small net amount of risk after the hedging.

Now we need to build a new view of risk and risk management.  A new map.  Some people have drawn their new map like this:

They are afraid to do anything.  Any move, any risk taken might just lead to disaster.

Others have given up.  They saw the old map fail and do not know if they are ever again going to trust those maps.

They have no idea where the ball will go if they take any risks.

So we risk managers need to go back to the top map again and revalidate our map of risk and start to convince others that we do know where the peaks are and how to avoid them.  We need to understand the limitations to the wall building version of risk management and help to direct our firms to stay away from the disasters.

Commentary on Timeline of the Global Financial Crisis

December 2, 2009

Link to Detailed Timeline

The events of the past three years are unprecedented in almost all of our lifetimes.  One needs to go back and look at how much was happening in such a short time to get an appreciation of how difficult it must have been to be in the hot seats of government, central banks and regulators, especially during the fall of 2008.

On the other hand, it is pretty easy, with 20-20 hindsight, to point to events that should have made it clear that something bad was on its way.

The timeline that is posted here on Riskviews is an amalgam from 5 or 6 different sources, including the BBC, Federal Reserve and Wikipedia.  None of them seemed to be very complete.  Not that this one is.  My personal biases left out some items from all of the sources.

Let us know what was left out that is important.  This timeline was created over a one year period and there was little effort to go back and pick up items that did not seem important at the time, but that later were found to be early signals of later big problems.

The reaction that I have had when I used this timeline to make a presentation about the Financial Crisis is that it is pretty unfair to go pointing fingers about actions taken during the fall of 2008.  When you look at the daily earth-shaking events that were happening, it is really totally overwhelming, even a year later.  If the events that occurred daily were spread out one per month, then perhaps a case could be made that “they” should have done better.

Going back much further, I am not willing to be quite so kind.  This crisis was manufactured by collision of two deliberate government policies – home-ownership for all and deregulation of financial markets.  That collision was preventable.  Neither policy had to be taken to the extreme that it was taken – to what looks now like an absurd extreme in both cases.

And in addition, the financial firms themselves are far from blameless.  Greenspan’s belief that the bankers were capable of looking out for their shareholders’ best interest was correct.  They were capable.

Read the history.  See what happened.  Decide for yourself.  Let me know what I missed.


The Worst Decade

November 30, 2009

Time magazine is calling the 00’s, the Decade From Hell.  At least from an American point of view (admitting that things in China, India or Brazil have been very different in the past 10 years).

Here is a partial list of the problems:

  1. Y2K – one of the highlights actually
  2. 2000 Presidential Election
  3. Tech Bubble bursting
  4. 9/11 WTC
  5. Hurricane Katrina
  6. War in Afghanistan
  7. War in Iraq
  8. Enron & Worldcom & Madoff
  9. 2004 Tsunami
  10. Housing Bubble bursting
  11. Banking Crisis

Time reminds us of Ronald Reagan’s famous question “Are you better off than 10 years ago?”

This is also the decade that saw the emergence of Risk Management as a serious discipline.  We should ask ourselves “Was Risk Management a response to these crises or was it a contributor?”

John Adams calls it the Risk Thermometer effect.  Just like our body seeks to keep the same internal temperature no matter what the temperature outside, our risk thermometer seeks to keep the same level of risk.  That means that when we add risk management for additional safety, we automatically add more risk to bring things back to the same level of risk.

The other claim is that risk management failed.  At the very least, it was heavily oversold.

And finally, there is the argument made by the Senior Supervisors Group that risk management was actually under-bought, that few firms were actually doing risk management in the last decade.

So we have a month left in the decade.  Most were touched by the adverse events of the past decade in some way.  Risk Managers should be able to offer something for the future that is better than the 00’s.

