Controlling with a Cycle

No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

• Identification of risks—with a process that seeks to find all risks inherent in a insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
• Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
• Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits
• Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
• Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
• Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
• Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
• Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced. Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible. Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process. Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions. Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation. Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management. Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the 
risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
• Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

Advertisement

Lessons for Insurers (5)

In late 2008,  the The CAS, CIA, and the SOA’s Joint Risk Management Section funded a research report about the Financial Crisis.  This report featured nine key Lessons for Insurers.  Riskviews will comment on those lessons individually…

5. It is important to develop a counterparty risk management system and establish counterparty limits.

Insurers need to fully understand several things about both credit and reinsurance to get this right.

First of all, in a credit or reinsurance situation, the insurer is usually trading uncertainty in the “expected” range of probabilities for a potential loss at a very high attachment point, the failure point for the counterparty.

Second of all, the insurer needs to recognize that the failure of their counterparty usually does not in any way change their obligation.  When an insurer buys a bond, they are usually responsible to make payments to their policyholder regardless of whether the bond is good.  When an insurer buys reinsurance they are still responsible to pay claims whether or not the reinsurer is able to meet its obligations.

Recognize that in almost all cases, the standard risk management terminology is flawed.  Risk is usually not transferred.

The other consideration that is important to insurers is that they need to look for counterparty exposures everywhere in their operations.  In each of their insurance lines as well as in every part of their investment portfolio.  In firms where traditionally insurance and investments are treated as completelyt separate silos, risk managers are finding that both sides of the house are sometimes dealing with the exact same counterparties.  Aggregation and management of these concentrations is key.

And finally to scare you completely, a good way to think of counterparty risk is that you are bring a fraction of the entire balance sheet on to your balance sheet in return for a contingent payment.  So that should make you very interested in transparency.  Or maybe not.  Maybe you close your eyes when you drive around sharp curves also.

Lessons for Insurers (1)

Lessons for Insurers (2)

Lessons for Insurers (3)

Lessons for Insurers (4)

Lessons for Insurers (5)

Lessons for Insurers (6)

Skating Away on the Thin Ice of the New Day

The title of an old Jethro Tull song.  It sounds like the theme song for the economy today!

Now we all know.  The correlations that we used for our risk models were not reliable in the one instance where we really wanted an answer.

In times of stress, correlations go to one.

That is finally, after only four or five examples with the exact same result, become accepted wisdom.

But does that mean that Diversification is dead as a strategy?

I would argue that it certainly puts a hurt to diversification as a strategy for finding risk free returns.  Which is how it was being (mis) used in the Sub Prime markets.

But Diversification should still reign as the king of risk management strategies.  But it needs to be real diversification.  Not tiny diversification that is observable only under a mathematical microscope.  Real Diversification is where risks have completely different drivers.  Not slightly different statistical histories.

So in Uncertain Times, and these days must be labeled Uncertain Times (or the thin ice age), diversification is the best risk management strategy.  Along with its mirror image twin, avoidance of concentrations.

The banks had given up on diversification as a risk strategy.  Instead they believed that they were making risk free returns by taking lots and lots of concentrated risk that they were either fully hedging or moving the risk off their balance sheets very quickly.

Both ideas failed.  Hedging failed when the counter party was Lehman Brothers.  It succeeded when the counter party was any of the other institutions that were bailed out, but there was an extended period of severe uncertainty about that before the bailouts were finally put into place.  Moving the risks off the balance sheet failed in two ways.  First it failed because they were really playing hot potato without admitting it.  When the music stopped, someone was holding the potato.  And some banks were holding many potatoes.  It also failed because some banks had been offloading the risks to hedge funds and other investors who they were lending funds to finance the purchase.  When the CDOs soured, the loans secured by the CDOs were underwated and the CDOs came back onto the bank balance sheets.

The banks that were hurt the least were the banks who were not so very concentrated in just one major risk.

The cost of the simple diversification strategy is that those banks with real diversification showed lower returns during the build up of the bubble.

So that is the risk reward trade off of real diversification – it will often produce lower returns than the mathematical diversification but it will also show lower losses in proportion to total revenue than a strategy that concentrates in the most profitable risk choices according to a model that is tuned to the accounting or performance bonus system.

Diversification is the risk management strategy for the Thin Ice Age.

LIVE from the ERM Symposium

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

• Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple minded tick the box exercize.  It is a life and death matter.
• BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
• The world is not linear.  You cannot project the macro effects directly from the micro effects.
• Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.

• For merger of mature businesses, cultural fit is most important.
• For newer businesses, retention of key employees is key

• Modelitis = running the model until you get the desired answer
• Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
• Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
• Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
• We will always have some regulatory arbitrage.
• Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
• Economics has been dominated by a religious belief in the mantra “markets good – government bad”
• Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
• it was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
• Systemic risk management plans needs to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
• Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
• Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
• People with bad risk models will drive people with good risk models out of the market.
• Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
• It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
• If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
• You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

ERM: Law of Unintended Consequences [2]

From Neil Bodoff

One of the reasons that so many counterparties bought CDS protection [from the same counterparty, precipitating a crisis] was their desire to reduce their regulatory capital requirements. So the regulatory framework had high capital requirements for credit risk, but low capital requirements when the credit risk was hedged. Basically the regulatory framework created a strong incentive for all banks to simultaneously execute the same strategy of hedging risk via CDS. Lessons are: [1] Whereas individual firms in a competitive market may pursue various strategies, the government’s monopoly on regulation might create a homogenizing effect on firms’ behavior, thus concentrating risk. Thus the regulatory framework itself becomes a systemic risk and thus requires extra scrutiny and care. [2] For any regulatory framework, the designers ought to choose someone to “roleplay” the part of firms trying to minimize regulatory capital requirements, so as to understand the behaviors and countermeasures the firms might take in response to the regulatory demands. [3] Beware of unintended consequences.

Counterparties

When you substitute counterparty risk for another risk, you are essentially bringing their entire balance sheet proportionately onto yours.  Counterparty due diligence is key.  Collateral agreements are important.  Some would say that collateral agreements brought down the banks that failed and AIG that was rescued, but from the counterparty point of view…  In addition to traditional credit analysis that is mostly backward looking, insurers should try to understand the approach to risk taking of their counterparties so that they can become comfortable with the risks that they may take in the future.  The counterparty exposure that exists right now may not be representative of the size of the exposures right after a major loss event.  Examination of those potential exposures and the potential losses to the reinsurer in a major loss event should be studied and factored into risk and reinsurance decisions.

This means plotting the level of obligation from the counterparty in the event of an extremely adverse scenario.  That is when the idea of taking on a proportionate share of the counterparties balance sheet takes on significant importance.  The degree to which the counterparty is concentrated in that particular risk becomes key.  That is not information that is available from just looking at the rating of the counterparty.  You must know and understand the other obligations of the counterparty to know the degree to which they are at risk from the type of event that you are offsetting (not transferring see Bad Labels ).

This means that a stress test becomes most important.  The stress test will look at (1) the amount of gross loss, (2) the amount due from the counterparty under the stress scenario in the form of a claim, a reserve credit, or collateral and (3) the degree to which the stress scenario impacts the ability of the counterparty to make good on their obligations.  As was seen during the financial crisis, the liquidity of the counterparty under stress may well be the constraint.  If your firm does not have the liquidity to easily pay the gross losses under that are due in cash, then you are relying on the counterparty as a source of liquidity.

ERM only has value to those who know that the future is uncertain.

Businesses have three key needs.

First they need to have a product or service that people will buy. They need revenues.

Second they need to have the ability to provide that product or service at a cost less than what their customers will pay. They need profits.

Once they have revenues and profits, their business is a valuable asset. So third, they need to have a system to avoid losing that asset because of unforeseen adverse experience. They need risk management.

So Risk Management is the third most important need of a firm.

And there is often a conflict between risk management and the other two goals. Risk management will sometimes say that a business activity that produces revenue is too risky and must be curtailed or modified in such a way that it produces less revenues. Risk Management often costs money or otherwise depresses profits. For example, an insurance policy covering fire of a building owned by the firm will cost money and depress profits.

So Risk Management needs to defend its value to the firm. Many risk management proponents have been asked to tell the value added of their activities. This is difficult to explain. Not because risk management does not have a value, but because the cost of risk management in terms of reduced revenues or increased costs are usually tangible and definite, while the benefits are probabilistic. Often the person asking the question is looking for a traditional spreadsheet answer that shows two columns adding up and perhaps the difference between the two is the benefit of risk management.

It does not work that way. For Risk Management to have value, one must understand that the future is uncertain. The value of risk management comes from the way that it shapes that uncertainty.

The next time you are asked about the value of risk management, ask the questioner what value they would put on the airbags and seat belts in their car. If they have no uncertainty about their ability to avoid accidents, then they will put a zero value on the safety devices – the personal risk management systems. If they resist answering, ask them if they will agree to have them removed for $20? Or for $2000? What value do they place on that risk management?

Most people will agree that the demise of a company is less serious than the demise of a person, but it is not difficult to see that there is some value to activities that increase the chance that a company will not expire in the next business cycle or windstorm.

So risk management decreases the uncertainty about the survival of the firm. There is a way to quantitatively value that reduction in uncertainty and compare it to the reduced revenues or increased costs of the risk management activities.

The Need for Speed

One of the causes for the financial crisis is the very high speed trading operations. There are several reasons that is true.

First, the high speed transaction oriented operations needs to eliminate any reflection or analysis on the part of the trading firms. There is simply no time for this. If the transactions need any analysis to support them, then that analysis must be outsourced. This is the driver behind the idea that credit risk, which for most of financial history has been seen to be a risk that required careful analysis and reflection, became a traded commodity. Banks started to merge market and credit risk and do away with their credit research staffs. This is one of the most common issues cited in explaining the crisis. Banks failure to do their own credit analysis on the sub prime loans. The lack of scrutiny led directly to the liar loans – since no one was looking at the loan applications there was no need to take any effort to make them correct.

Second, models of these risks need to be closed form models that can run instantly. More robust and complex monte carlo models that might capture the nuances of the risks were just not practical given the time frame. Monte Carlo models take too long to develop and too long to run. With a few simplifying assumptions, the need for Monte Carlo models can be eliminated and a closed form model that runs in seconds developed. The simplifying assumptions also allow the daily updating of these models. This process makes sense if and only if you believe that market prices generally reflect all information, so a closed form model that mostly just replicates and extends market prices is all that you need anyway. This approach to modeling risk makes it almost completely impossible to detect changes in the underlying risks. All users of this approach will always go over the cliff together – and they did.

Third, the speed of transactions means that there is turnover of the risks held during the year. This turnover may be 5 or 10 or 20 or 50 times. This business can easily be seen to be very, very low profit margin since capital is generally only held on the amount of risk at any one time. However, when the crisis hit, the banks were unable to continue to roll their inventory of risks and they piled up in amounts 5 or 10 times their past average holding.

Maybe MTM isn’t exactly what is needed?

Everyone (except corporate boards and managers) seem to agree that short term incentive compensation is one of the key drivers for the excessive risk taking that led to the financial crisis. In an earlier post, it is suggested that one of the reasons is that accounting is less reliable in the short term.

Perhaps the problem is Mark-to-Market accounting. While it is an extremely important discipline to know the market value of positions, MTM has a misleading presumption. In effect, MTM treats a position that has been closed by sale on the day that the financials are set exactly the same as an open position.

Short term compensation based upon such accounting allows traders and managers to take credit for open positions AS IF THEY HAD CLOSED THEM. And I mean truly closed them by Risk Transfer, not simply Risk Offset. This means that the firm settles with the trader for something that the trader has not yet done and that there is no sure indication that the trader could actually accomplish.

That is because the MTM value may or may not be the amount of cash that the trader could get for their position, especially if you include the requirement that the risk is actually really and totally off the books, not simply offset. To know the actual cash equivalent and the difference between that cash equivalent and the MTM value, a firm would need to study each market to understand the trend and liquidity.

This issue is particularly important when valuing the custom non-exchange traded derivatives. Practice is to value those contracts by a replication process, using market traded instruments. There is no attempt to assign any illiquidity premium. This accounting practice is one of the fundamental supports to the practice of trading off market. During the height of the sub prime crisis, it was found that there was no market at all for some of these securities and the MTM process produced completely sham values. Sham because the real clearing value for the securities was much lower than the values that the holders wanted to report.

The difference between the next trade and especially a trade of the size of the position valued and the last trade regardless of the size of the trade is the issue here. And the problem is with treating completely closed positions exactly the same as open positions, by valuing them both as realistic cash equivalents.

Finally, there is the issue of continuing risk. A totally closed (transferred or expired) position has no capital requirement. An open position SHOULD have a capital requirement. Even an OFFSET position should have a capital requirement based upon the basis risk, the counterparty risk.

This discussion reveals an additional risk – the clearing risk.

So the value of the open position needs to reflect one level of clearing risk and the capital needs to reflect a much larger amount of clearing risk.

Bad Label leads to Bad Thinking

How many times have you heard the term “Risk Transfer” to refer to a risk mitigation action such as hedging or (re)insurance? It is used in text books and articles about risk management. But, be careful, that labeling is bad and it could just lead to bad decisions.

That is because risks are rarely actually “transferred” to another party. If they were actually transferred, then the consequences would be theirs and theirs alone. However, in most hedging and (re)insurance situations, the risk is usually just “offset”. There are two common terms that are used to refer to the real differences between risk transfer and risk offset.

Those terms are counterparty risk and basis risk. If the risk had been transferred, then there would be no counterparty risk, the risk would BELONG to the other party. In fact, the risk does not belong to them, it still belongs to you. You have paired the risk with an offsetting obligation from the counterparty and you are as safe from loss due to the risk as the counterparty is secure. If the counterparty fails to pay their obligation to you, then you still have the risk and experience the entire loss.

And also, because you have not really transferred the risk, there is a possibility that their payment to you will not be a perfect match to the loss in timing or amount or both. The risk offset might be triggered by a different event than your obligation. For example, the trigger for CDS to actually pay-off are not exactly tied to missed bondholder obligations so the spreads on CDS for a distressed bond may move slightly differently than the actual bond spreads, even though they moved very similarly when the bond was not distressed. A hedging strategy based upon market sensitivities (greeks) is only as good of a fit with the hedged risk as the models used to calculate the greeks.

But this bad terminology is not harmless. If you execute a risk offset and tell others that it is a risk transfer, then they might be quite happy to treat the gains as fully realized. They will not inquire about the offsetting positions, because the bad terminology implies that there are none. When in fact, in any case of risk offset, it should be import to monitor and communicate the risk offsets, highlighting the counterparty risk and tracking the potential emergence of basis risk.

Learnings from the Financial Crisis (3)

Gone is not always gone – another of the underpinnings of the market risk business is the constant of trading of risks. However, in the case of sub prime, some of the counterparties in these trades were very intimately related to the banks that sold the risky securities. Sometimes, they were investment funds that were sold by to bank customers; sometimes the banks lent the money to the same party that bought the security. Sometimes, the bank kept the security and bought protection from a counterparty. In each of these types of situations, banks found that they ended up needing to take back some of all of the risks that they thought that they had laid off. Insurers can learn that they need to keep relationships clear. The banking model has long suffered from the idea that they were a relationship business and they would try to do as much business as possible with the customers who they have the best relationships with. Insurers need to be constantly aware of this trap that creates more and sometimes cloudy concentration risk. Both net and gross risks need to be tracked and attended to.

One simple reason for this part of the problem is the terminology that risk managers use. Usually hedging transactions are called Risk Transfers. But in fact, they are almost never a real transfer of risk. Usually they would more appropriately be called Risk Offsets. This sloppy terminology supports sloppy thinking. And the high speed of a trading business left no time for reflection, so the misrepresentation was left totally unchallenged.

Now good risk managers knew the truth and so were concerned with counterparty risk and basis risk as well as contract risk. But in the end, the largest risk turned out to be reputation risk. Banks were usually unable to take the hit to their reputation that walking away from their closely or even semi related counterparties. Especially when those counterparties were funded with customer money.

Lessons from the Financial Crisis (2)

It must be ok if everyone else is doing it – Banks were unwilling to miss out and not take part of this lucrative idea. In the past insurers have been caught up in this approach to business as well. The presence of a well respected firm in a market does not make that market good for everyone.

THis factor was so strong that one bank CEO suggested that if he did not allow his bank to continue in the lucrative sub prime business, that he would start to lose key employees and eventually would lose his job to someone who would participate in that business.

That must be one of the last stages of a bubble, when markets become so profitable that many feel that they have to participate.

In this case, the very low interest rates and spreads for almost any other type of risk helped to feed the situation. The sub prime market was one of the only place where there was any spread to be had.

And a major flaw with the “everyone is doing it” motivation is that some things only work if a small fraction of the market is doing it and fall apart when everyone jumps on.

Just like the ferry. A few people can stand on the edge looking at the shore, but if everyone on the ferry stands along that same edge and looks, the boat may dip and might even capsize.