Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

December 29, 2014

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

  • Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
  • Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
  • What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
  • How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog,
  • ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS' time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
  • The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
  • Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
  • Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM makes it difficult to reconcile spending time and money on risk management.
  • What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies, and of how the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
  • Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow ups have happened.  Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll-up-your-sleeves-and-do-it risk management.  Promoting that sort of Risk Management is the objective of this Blog.



Ingram Looks into ERM – Eight short articles.

December 17, 2013

The magazine of the Society of Actuaries published eight short essays on a variety of ERM topics.

Making Risk Models Collaborative   With our risk models, we make the contribution of managers to the risk management of the company disappear into the mist of probabilities. And then we wonder why so many managers are opposed to “letting a model run the company.”

We Must Legitimize Uncertainty   In a post to the Harvard Business Review blog, “American CEO’s should Stop Complaining about Uncertainty,” Jonathan Berman points out that while African companies are able to cope with their uncertain environment, American CEOs mostly just complain.  Americans must legitimize the Uncertain environment and study how best to cope.

Finding a Safe Place   New ERM and Old School goals for risk management all seek to keep the company safe.

ERM and the Hierarchy of Corporate Needs  The reason that ERM is not given the degree of priority that its proponents desire is that it is at best third in the hierarchy of corporate needs.

Help Wanted: Risk Tolerance  It is a rare company that can create a risk appetite statement if they do not already have years of experience with the measure of risk that will be used.

What should you do at a Yellow Light?  Companies need to plan in advance what should be happening when their risk reports indicate that they are entering into risky territory.

Are you Sure about that?  Frequently, we ignore the fact that our risk models do NOT produce information about our risks that is all consistently reliable.  Yet we still add those numbers together as if they were on the exact same basis.

Creating a Risk Management Culture – Risk Management needs to be embedded into the corporate culture, just as expense management was embedded thirty years ago. 


What is the definition of RISK?

July 8, 2013

The word risk is a common English word with a definition that has been well established for hundreds of years.  There is no need for risk managers to redefine the word to mean something else.  In fact, redefining a word so that its meaning would incorporate the exact opposite of the common definition is a process that George Orwell called DOUBLETHINK.

Imagine what you would think if you hired someone to paint your house and when they showed up they told you that in their minds the word “paint” meant repaving your driveway in addition to applying a colored covering to your house?  Sounds crazy, doesn’t it?  But there are many, many risk managers who will heatedly argue about this point.  For example, see The ISO 31000 group discussion here.

The Definition of risk


a situation involving exposure to danger: flouting the law was too much of a risk; all outdoor activities carry an element of risk

[in singular] the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease; [as modifier]: a high consumption of caffeine was suggested as a risk factor for loss of bone mass

[usually in singular with adjective] a person or thing regarded as likely to turn out well or badly, as specified, in a particular context or respect: Western banks regarded Romania as a good risk

[with adjective] a person or thing regarded as a threat or likely source of danger: she’s a security risk; gloss paint can burn strongly and pose a fire risk

(usually risks) a possibility of harm or damage against which something is insured.

the possibility of financial loss: [as modifier]: project finance is essentially an exercise in risk management


[with object]

expose (someone or something valued) to danger, harm, or loss: he risked his life to save his dog

act or fail to act in such a way as to bring about the possibility of (an unpleasant or unwelcome event): unless you’re dealing with pure alcohol you’re risking contamination from benzene

incur the chance of unfortunate consequences by engaging in (an action): he was far too intelligent to risk attempting to deceive her


at risk

exposed to harm or danger: 23 million people in Africa are at risk from starvation

at one’s (own) risk

used to indicate that if harm befalls a person or their possessions through their actions, it is their own responsibility: they undertook the adventure at their own risk

at the risk of doing something

although there is the possibility of something unpleasant resulting: at the risk of boring people to tears, I repeat the most important rule in painting

at risk to oneself (or something)

with the possibility of endangering oneself or something: he visited prisons at considerable risk to his health

risk one’s neck

put one’s life in danger.

run the risk (or run risks)

expose oneself to the possibility of something unpleasant occurring: she preferred not to run the risk of encountering his sister


mid 17th century: from French risque (noun), risquer (verb), from Italian risco ‘danger’ and rischiare ‘run into danger’

from Oxford dictionary of American English

Redefining the word risk to include its opposite (i.e. gain) is a perfect example of what Orwell called DOUBLETHINK.

DOUBLETHINK:  The power of holding two contradictory beliefs in one’s mind simultaneously, and accepting both of them… To tell deliberate lies while genuinely believing in them, to forget any fact that has become inconvenient, and then, when it becomes necessary again, to draw it back from oblivion for just as long as it is needed, to deny the existence of objective reality and all the while to take account of the reality which one denies – all this is indispensably necessary. Even in using the word doublethink it is necessary to exercise doublethink. For by using the word one admits that one is tampering with reality; by a fresh act of doublethink one erases this knowledge; and so on indefinitely, with the lie always one leap ahead of the truth.  From 1984 George Orwell (1949)

Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers.

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  A firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

Mitigating “Margin Call” risks

October 27, 2011

New movie about 24 hours in the life of a troubled bank at the height of the financial crisis, Margin Call.

Read a review from the point of view of a risk manager here.

