Risk Appetite is the Boundary

June 18, 2014

Actually, it is two boundaries.

First, it is the boundary between Management and the Board with regard to risk.

  • If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
  • If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans.  (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)


Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.

  • Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
  • Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)

Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie.  And set their risk appetite to be near or even at those boundaries.

Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

This is a Risk Control Cycle. It includes Thinking/Observing steps and Action Steps. The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will plan how much of each risk the organization will accept and then how much of that risk will be transferred, offset and retained. These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints—where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
    • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
    • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
    • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
    • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
    • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
    • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
    • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers.

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything. Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want. But if you really want ERM, then something else is needed. Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm. This is a favorite topic of RISKVIEWS as well. See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive. That reacts to the environment. Most ERM systems do not have this Reflexive element. Risk limits are set and risk positions are monitored most often assuming a static environment. The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently. In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use. That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment. Plural Rationality theory suggests that there are four different risk environments. If a company adopts this idea, then they need to look for signs that the environment is shifting and, when it seems likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment. The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment. With that RISKVIEWS can heartily agree.

Old Risk Management Programs – 10 ERM Questions from Investors – The Answer Key (7)

April 2, 2012

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted. Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key. Here it is:

Every company has legacy risk management programs.  Some are being dutifully followed, some have been abandoned and some are actually still alive and well.  The best answer to this question would be that the company has a process for periodically assessing all of its ERM programs.  That there is an aging metric for risk treatment processes and whenever a risk treatment process has gone three years without any changes or updates, that triggers a review.  In that review, the risk staff assess whether the risk treatment is still needed, whether it is still effective and whether it can be updated to take advantage of new developments.

One particular concern is whether changes elsewhere in the company have created a need for major increases or decreases in the tolerance for the risk being treated. It is quite possible that changes elsewhere in the risk profile of the firm mean that there now may be natural offsets to the old risk and risk treatment can be reduced. It is also possible that the risk treatment program was put in place assuming that the risk would grow to a size that would make it material to the risk profile of the firm. If that growth has not materialized, or if growth elsewhere in the firm has changed the scale considerations, then the materiality of the risk and the resulting need for the risk treatment program need to be reassessed.

Of course, it also could be true that the level of risk treatment activities that were put in place in the past may be found to be inadequate and need to be increased.  This could be because the understanding of the risk has changed and the risk treatment is less effective than initially thought.  Or it may be that the risk environment has heightened and the risk per unit of activity is currently higher than assumed in determining the approach to risk treatment.

The cost of the risk treatment program should also be assessed.  There may now be different alternatives for achieving the same effectiveness of risk treatment for a lower cost that were not available previously.

This is important because everyone tends to forget old risks.  They just assume that since they have not been mentioned for some time that they have gone away.  But in many cases, old risks of insurers tend to linger.  And if the risk treatment programs that are supposed to be controlling those risks are being handled in an autopilot sort of mode, those risks might erupt into a totally unexpected problem if there is any stress.

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion is that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices. So to follow my suggestion, you would start in each of these eight areas with a self assessment. Identify what you already have in these eight areas. THEN start to think about what to build. If there are gaping holes, plan to fill those in with new practices. If there are areas where your company already has a rich vein of existing practice, build gently on that foundation. Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working. Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly document the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Risk Limits and Controlling

December 16, 2010

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

  • Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

What might make sense in that situation would be for the person being asked to make the decisions on speed limits to be told what speed they had been going on the long straight-aways, on the gradual curves and on the sharp curves, and how long it took to stop the vehicle at various speeds. In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience. But there are simple exercises that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercise is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past. For each of those situations, the backwards looking frequency can be assigned. This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains and losses that were experienced in general. That frequency is analogous to the weather. Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercise each year of deciding what frequency to assign to the experience of the year’s gains and losses.

Pick the Targets before You Start Judging

October 4, 2010

An Oct. 3 FT article says that just 30% of 465 executives surveyed said that “they were able to tap risk management programmes to prepare for and minimize the negative outcomes” of the recession.

But I wonder whether minimizing impact of a recession was among the targeted risks of those risk management programs.

And in addition, I wonder whether the risk managers would have been permitted to even think seriously about the impact of a recession as serious as the one that we have experienced (and continue to experience).

Financial firms that would have been very well prepared for this recession would have been doing quite a bit more hedging than their peers and the cost of that hedging would have severely reduced earnings prior to the recession.

Non-Financial firms that would have been well prepared would have been running with very low inventories and with loads of unfilled positions, running tons of expensive  overtime prior to the flop.

The article also said that “only 44 percent said that they had adequately captured the potential problems before the downturn.”

Some of that may be risk managers being slammed for being poor fortune tellers.   They did not foresee the size of this recession so they missed it.

I would suggest that these survey results are a case of risk management as scapegoat.

Don’t get me wrong.  There are times when risk management gets it wrong.

But if you want risk managers to be focused upon minimizing the impact of a once in 75 year recession, then you ought to tell them that before the recession hits, not after.

And if accurate predictions of the economy are required of risk managers, then you ought to completely change your ideas about how much risk managers should be paid.

By the way, if you know now what sort of result you would have wanted from the recession, then that information should be used to set the firm’s risk tolerance – which should be done in advance, not after the fact.

But in fact, 80% of the firms have never agreed on a risk tolerance.  Quite often the reason for not picking one is a reluctance of management to have their options restricted by such a limit, to allow the board into decisions that they want to make without the help of the board.

Lightning or Lightning Bug

August 5, 2010

Mark Twain once observed that there was a difference between Lightning and Lightning Bug. An important difference.

The difference between the almost right word & the right word is really a large matter–it’s the difference between the lightning bug and the lightning.

Might there be a similar difference between Risk Management System and Risk Management?

A Risk Management System is composed of org charts, policy statements, reports, meetings, committees, computer models, powerpoints and dashboards.

Risk Management means making tough decisions and taking unpopular actions that more than 9 out of 10 times will not look like they were the right calls after the fact.

But decisions and actions that every once in a long while will save the firm.

So can Risk Management happen inside of a Risk Management system?

But think about it.  Can you think of an example of a situation outside of a risk management system where getting more people involved results in MORE of the tough decisions being made?  Or MORE unpopular actions being taken?

So how should one go about creating a risk management system that actually does Risk Management?

Start with the tough decisions and unpopular actions that are sometimes needed.  Can you identify them?

Start there.  Find a person who has the qualities of discernment, judgment, balance, toughness and experience with the risk to make those tough decisions and to make sure that the unpopular actions happen.  Build the risk management system so that the person gets the information and authority and protection that they need to get the job done.

That would be difficult if that was all that was needed.  But this person, if they are doing their job, will be reversing some business decisions that might otherwise make some money.  So you also need an information system that assures top management that the risk manager is making the right tough decisions.

That system needs to help to identify whether the risk manager is making either Type I or Type II errors.  And if you want to keep a good risk manager and avoid keeping a bad risk manager, you need to have a realistic tolerance for the errors that your information system identifies.

Oh Hell.  It is much easier to just do the pretty risk management system and try to just take as much risk as everyone else.

Must be why so little Risk Management actually happens.

And Lightning Bugs are so pretty on a summer night.

Increasing the usefulness of ERM

June 27, 2010

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM frameworks were shown to:

  • Align performance metrics with management’s performance measurement philosophy
  • Integrate ERM into daily management activities

The following two sections discuss these issues and suggest action steps that insurance companies should take to establish ERM as a more robust and valuable management process.

1.  Aligning performance metrics with management’s performance measurement philosophy

To provide useful guideposts for business decisions, the risk adjusted performance measurement framework supporting ERM needs to reflect senior management’s views regarding alignment of responsibilities and performance metrics. Alignment is ensured by i) matching of the structure of the financial management reports to the boundaries of business segment, ii) accurate attribution of capital, premium revenues, investment income and expenses to business segments and iii) segregation in financial reports of the results associated with the current period from the impact of business written in prior years.

This alignment ensures appropriate distinctions between results of current and past decisions and a sharp focus on differences in drivers of performance.

In practice, leading companies are making explicit decisions about the design and features of the financial performance measures they develop by developing customized answers to questions such as the following:

  • Are business segments to be evaluated on a stand alone basis or in a portfolio context (i.e. after attribution of a capital credit for diversification)?
  • Are business segments to be evaluated as if their assets earned risk free, duration matched investment income? Or the average rate of return on the investment portfolio?
  • Are business segments to be evaluated in relation to their “consumption” of economic capital? Regulatory capital? Rating agency capital?
  • Should individual business segments bear the cost of “excess” or “stranded” capital?
  • Should performance benchmarks vary across business segments, in line with differences in the volatility of their total risk? Or differences in exposure/premium leverage across lines? Or differences in contribution to corporate debt capacity?
  • How granular does such reporting need to be?
  • Should performance metrics be developed in a policy/underwriting year framework? Would such metrics need to be reconciled with metrics based on fiscal year GAAP reported numbers?
  • How should the period performance of the in-force (or liabilities run off) be measured and separated from the performance of the “new business”? To what extent and how should the performance of “renewal” policies be separated from that of policies written for new customers in property, casualty companies?
  • Should the performance reporting framework provide only period measures of performance or should it be extended to capture the longer term economic value of insurance contracts, such as the change in the embedded value of the business?
  • Should the performance reporting framework be extended to incorporate stochastic performance metrics such as Earnings@Risk or Embedded Value@Risk?

Leading ERM practitioners, especially in Europe, have found that the usefulness, but also the complexity and cost of risk adjusted performance metrics are determined by the desired level of granularity in reporting, and design decisions in i) risk measurement, ii) capital measurement and, iii) financial reporting. The availability and quality of risk and financial data determine to a significant degree the level of granularity that can be built to support ERM.

In my experience, success in establishing ERM is highly dependent on the level of effort that companies devote to designing a reporting framework that the organization can understand and embrace intuitively, without having to be trained in advanced financial or risk topics. Setting out to develop the most rigorous and actuarially correct framework is likely to result in poor acceptance by operating managers.

2. Integrating ERM into daily management activities

Many senior executives recognize that establishing an ERM process is an obligation that cannot be avoided in today’s environment. They also have a strong intuitive sense that the science of risk measurement and analysis offered by the actuarial profession and other specialists in risk does not yet provide robust answers to many important questions that are asked by people who manage the operations of insurance companies day by day. Differences in perspectives between executives in the corporate center and the managers of business units hamper the effectiveness of ERM. Bridging these differences is a major challenge to the establishment of ERM. This challenge is rooted in fundamental differences in the roles and responsibilities of these actors.

Corporate center executives who operate under oversight of the Board of Directors are highly sensitive to risk concerns of shareholders. It is natural for these executives to take an aggregate view of risk, across the business portfolio. They contribute to corporate performance by  making i) strategic risk management decisions in connection with capacity deployment, reinsurance and asset allocation, ii) operational risk management decisions principally in connection with the management of shared services. Their most important risk decisions, related to capital allocation, involve significant strategic risks.

By contrast, business unit managers have a different outlook. They are typically more focused on meeting the needs of policyholders. They are more likely to view risk as stemming from products and customers.  From their point of view risk management starts with product design, underwriting and pricing decisions, control of risk accumulations and concentrations, product mix and customer mix. With regards to operational risk, their activity places them on the front line to control the “execution risks” elements of operational risk. Business unit managers tend to view requests for support of ERM as distractions from serving policyholders and accomplishing their goals. They believe that they help protect shareholders from value loss by focusing on establishing and maintaining a competitive advantage.

The CFO of a very large insurance group confided to me recently that aligning the perspectives of executives at the corporate center with that of business managers was a challenge of great importance. He expressed the view that results from risk models cannot be used simplistically and that experience and business judgment are needed to guide decisions. Caution and prudence are especially important in interpreting decision signals when model results appear unstable or when complexity makes it difficult to recognize possible biases. He had become interested in using a combination of approaches to develop reliable insights into strategy and risk dynamics in his company.  He was particularly focused on finding ways to bring these insights to bear on the daily activities of employees who manage risk accumulation, risk mitigation and risk transfer activities, on both sides of the balance sheet. In his judgment, borne out by other discussions and my experience with clients, ERM comes to life and creates value best when a top down framework initiated by senior management is embraced bottom up throughout the organization.

Consistent with these considerations, ERM appears to work best in companies in which operating managers have “bought in” to ERM and embraced the perspective it provides. In many of these companies, one observes that:

  • Risk management responsibility is owned by operating managers
  • Product definitions and investment boundaries are clear and matched to explicit risk limits
  • Policies and procedures have been co-developed with operating personnel
  • Product approval and risk accumulation are subject to oversight by the central ERM unit
  • Risk and value governance are integrated through a committee with authority to adjudicate decisions about trade-offs between risks and returns
  • Compliance and exceptions are subject to review by senior management

It is important to observe that none of the considerations discussed in the two sections of this note are about the technical components of risk management. Rather, they define a context for accountability, empowerment and appropriate limitations on the activities of people who run day-to-day operations in insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

Risk/Reward NOT Linked

May 18, 2010

At least they are not automatically linked.

Here is a description of the “Law of Risk and Reward” from somewhere on the web. . .

The risk versus reward curve is a fundamental principle in business. The simple explanation is that, as risk in a given transaction increases so does the reward.

This is the fallacy that most of us have heard many, many times.  We hear it so often, it actually seems to be true. 

But it definitely is not now, nor was it ever true that increasing risk increases reward.  

Alfred Marshall is the originator of the supply and demand curves that we were all taught in microeconomics.

“in all undertakings in which there are risks of great losses, there must also be hopes of great gains.”
Alfred Marshall 1890 Principles of Economics

Somehow, as his idea above about “hopes” for gains was repeated over the years, the word “hopes” was left off. 

And in fact, it takes much more than “hopes” to get great gains out of great risks.  In fact, there are two paths to great gains…

  • Great Luck
  • Great Risk Management

The “Law of Risk and Reward” above seems to follow a fairness sort of reasoning.  It would only be fair if increased risk resulted in increased reward.  But the world is not fair. 

It is quite possible to:

  1. Get a large gain after taking a small risk
  2. Get a large loss after taking a small risk
  3. Get a small gain after taking a large risk
  4. Get a small gain after taking a small risk
  5. Get a large gain after taking a large risk
  6. Get a large loss after taking a large risk

There are several reasons for this.  First of all, the size of the risk is always an estimate made in advance with incomplete information.  Clearly the situations like number 2 above are cases where the risk may have been underestimated.  Also, the economists will emphasize that situations like 1 do not usually last for long.  (See the old joke about the economist and the $20 bill.)  A second reason is that the risk management performed by the risk taker can be effective both in terms of risk selection and in terms of loss severity mitigation.  However, the risk management tasks that result in good risk selection and effective loss severity mitigation require skill and execution. 

Risk takers who believe in the “Law of Risk and Reward” will tend to think that the time, effort and expense of doing good risk management is wasted effort since more risk results in more reward by law.

Assumptions Embedded in Risk Analysis

April 28, 2010

The picture below from Doug VanDemeter’s blog gives an interesting take on the embedded assumptions in various approaches to risk analysis and risk treatment.

But what I take from this is a realization that many firms have activity in one or two or three of those boxes, but the only box that does not assume away a major part of reality is generally empty.

In reality, most financial firms do experience market, credit and liability risks all at the same time and most firms do expect to be continuing to receive future cashflows both from past activities and from future activities.

But most firms have chosen to measure and manage their risk by assuming that one or two or even three of those things are not a concern.  By selectively putting on blinders to major aspects of their risks – first blinding their right eye, then their left, then by not looking up and finally not looking down.

Some of these processes were designed that way in earlier times when computational power would not have allowed anything more.  For many firms their affairs are so very complicated and their future is so uncertain that it is simply impractical to incorporate everything into one all encompassing risk assessment and treatment framework.

At least that is the story that folks are most likely to use.

But the fact that their activity is too complicated for them to model does not seem to send them any flashing red signal that it is possible that they really do not understand their risk.

So look at Doug’s picture and see which are the embedded assumptions in each calculation – the ones I am thinking of are the labels on the OTHER rows and columns.

For Credit VaR – the embedded assumption is that there is no Market Risk and that there are no new assets or liabilities (business is in sell-off mode).

For Interest risk VaR – the embedded assumption is that there is no credit risk nor new assets or liabilities (business is in sell-off mode)

For ALM – the embedded assumption is that there is no credit risk and business is in run-off mode.

Those are the real embedded assumptions.  We should own up to them.

LIVE from the ERM Symposium

April 17, 2010

(Well not quite LIVE, but almost)

The ERM Symposium is now 8 years old.  Here are some ideas from the 2010 ERM Symposium…

  • Survivor Bias creates support for bad risk models.  If a model underestimates risk there are two possible outcomes – good and bad.  If bad, then you fix the model or stop doing the activity.  If the outcome is good, then you do more and more of the activity until the result is bad.  This suggests that model validation is much more important than just a simple-minded tick-the-box exercise.  It is a life and death matter.
  • BIG is BAD!  Well maybe.  Big means large political power.  Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system.  Safer to not have your firm dominated by a single business, distributor, product, region.  Safer to not have your financial system dominated by a handful of banks.
  • The world is not linear.  You cannot project the macro effects directly from the micro effects.
  • Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame.  That will not change, so more due diligence needs to be a part of the target pre-selection process.
  • For merger of mature businesses, cultural fit is most important.
  • For newer businesses, retention of key employees is key
  • Modelitis = running the model until you get the desired answer
  • Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
  • Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
  • Why do we think that any bank will do a good job of creating a living will?  What is their motivation?
  • We will always have some regulatory arbitrage.
  • Left to their own devices, banks have proven that they do not have a survival instinct.  (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government.  They simply do not believe that they will fail. )
  • Economics has been dominated by a religious belief in the mantra “markets good – government bad”
  • Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral.  If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral?  Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
  • It was said that systemic problems come from risk concentrations.  Not always.  They can come from losses and lack of proper disclosure.  When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone.  None do enough disclosure and that confirms the suspicion that everyone is impaired.
  • Systemic risk management plans need to recognize that this is like forest fires.  If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous.  And someday, there will be another fire.
  • Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output.  The financial markets are complex systems.  The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense.  So markets will always be efficient, except when they are drastically wrong.
  • Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
  • People with bad risk models will drive people with good risk models out of the market.
  • Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
  • It was easy to sell the idea of starting an ERM system in 2008 & 2009.  But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
  • If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
  • You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it.  Whether or not you have a risk management program.

No Risk Management is Betting

March 22, 2010

So many times, the financial press gets it exactly backwards. (See Bloomberg) Firms who manage their risks by hedging or insurance are reported to be betting and firms who do not are simply subject to the normal fluctuations of uncontrollable events.

But Risk Management offers a real alternative to either betting or being tossed around by the frothy seas of misfortune.  Risk management offers the possibility of identifying and mitigating the most extreme negative events and trends of the world.

Imagine your business owns a building worth $100,000,000.  There is a 1 in 250 chance that a storm will hit your building and destroy the building leaving you with a $10 million piece of empty property and a $10 million clean up bill.  (ignore the business interruption for now).

So the expected cost of that loss is $400,000.  You get an insurance quote for $600,000.  There are two ways you can tell the story of purchasing insurance:

  1. The firm can place a bet that its building will be destroyed by a storm.  If there is no storm, then they lose their bet.
  2. The firm can manage its risk from a severe storm by buying an insurance policy.

Now if the storm does not happen, the story can be:

  1. The firm lost its bet that its building would be destroyed.
  2. The firm incurred a fixed cost of managing its storm risk and avoided the volatility of an uninsured situation.

And if the storm does one day hit, the story is:

  1. The firm won its bet that a storm would destroy its building and was rewarded by a $100 million gain from insurance.
  2. The losses from the storm were covered by the firm’s insurance.

Risk Management just is not a good story for the reporters, if told right.  For the firm, that may just be one more reason to consider risk management.

Now if the firm chooses not to buy the insurance, the coverage is twisted.  Again read two ways that it might be reported if there is no storm:

  1. No story.  Nothing happened.
  2. The firm got lucky and did not take a loss on its uninsured building.  They took a bet that had a huge downside for their shareholders for a very small payoff.

And if the storm hits, the story is reported as:

  1. Tragedy strikes.  Unfortunate event causes $100 M loss.  CEO says “We are just not able to control the weather.”
  2. The bet that management took went bad.  That bet was just not necessary.  Now shareholders have experienced large losses because the management was trying to save a little on insurance.  The CEO should be fired.

Unless the firm was in the business of long term weather forecasting they had no business making the bet when they did NOT buy the insurance.  They had no expertise to tell them that they shouldn’t buy the insurance.

They were just gambling.

Protected by the Crowd

February 3, 2010

A major question for risk managers to ponder is whether it is sufficient to be protected by the crowd.

What I mean is whether they can feel that they are doing their job when they are ignoring the same risks that everyone else is ignoring.

An example of that is inflation risk.  Inflation risk does not appear on most firms’ list of major risks.  But if there is inflation, their expenses will rise, their cost of borrowing will rise, the values of their stock and bond portfolios will fall, their claims costs will rise – all for certain and possibly, just possibly, their prices and their earnings on investments will rise enough to compensate for all of that.

But most firms take the approach that if they do not put inflation on their list of risks, then they do not have to deal with it.

Inflation can be like the rising tide eating away at the child’s sandcastle on the beach.  It does not appear anywhere near as inevitable as it is.  During the low tide, the sand castle appears more than strong enough and plenty far away from the water.  But slowly, slowly the tide works its way up the beach until eventually the castle is completely swept away.

And if everyone does not prepare for inflation, then the price increases that everyone will be able to get will most likely be enough to survive.  Because everyone in the market will need the price increases to survive themselves.

So all it takes to ruin that situation is for one significant competitor to screw it all up and to prepare for the risk of inflation.  Like the one airline that hedged their fuel costs.  They did not need to raise prices when oil prices spiked, so therefore, everyone that competed on routes with them had to eat the cost of their lack of risk management.

The same will be true with inflation.  Some firms will prepare for inflation.  They will not depend on being protected by the crowd.  And they will spoil it by refusing to raise prices as much as the firms that were not prepared need.  The unprepared firms will be stuck with several bad choices – losing business,  doing business at an unsupportable price or cutting costs that may not have any fat in them already.

The U.S. government on Wednesday said it will expand sales of Treasury securities that help investors hedge against inflation risks, a move aimed at improving management of its ballooning debt sales while boosting buying interest at home and abroad. (WSJ)

There has been an excuse, however.  Inflation has been difficult to hedge.  But with the above program of expanding the offerings of TIPS, the cost of hedging inflation may be reduced to something more similar to the hedge costs for other risks (I mean the transaction cost part of the cost of hedging).

The interesting thing about the story behind the TIPS change is that TIPS cannot be said to be a very successful program to date – largely because of the fact that most people and most firms choose to hide in the crowd for this risk.  The TIPS market has been just too thinly traded.  However, the WSJ article says that the TIPS are now seen to be a way to protect foreign investors against rampant dollar inflation.  If the US government must make inflation adjusted payments for a significant fraction of the debt, the WSJ article thought that might be a disincentive to the government excesses that drive inflation.

I wonder if the people who wrote that have heard of the inflation plagued countries where everything is indexed to inflation.  It makes inflation into a more bearable fact of life.  That seems to be a dangerous path to start down.

New Decade Resolutions

January 1, 2010

Here are New Decade Resolutions for firms to adopt who are looking to be prepared for another decade

  1. Attention to risk management by top management and the board.  The past decade has been just one continuous lesson that losses can happen from any direction. This is about the survival of the firm.  Survival must not be delegated to a middle manager.  It must be a key concern for the CEO and board.
  2. Action oriented approach to risk.  Risk reports are made to point out where and what actions are needed.  Management expects to and does act upon the information from the risk reports.
  3. Learning from own losses and from the losses of others.  After a loss, the firm should learn not just what went wrong that resulted in the loss, but how they can learn from their experience to improve their responses to future situations both similar and dissimilar.  Two different areas of a firm shouldn’t have to separately experience a problem to learn the same lesson. Competitor losses should present the exact same opportunity to improve rather than a feeling of smug superiority.
  4. Forward-looking risk assessment. Painstaking calibration of risk models to past experience is only valuable for firms that own time machines.  Risk assessment needs to be calibrated to the future.
  5. Skeptical of common knowledge. The future will NOT be a repeat of the past.  Any risk assessment that is properly calibrated to the future is only one of many possible results.  Look back on the past decade’s experience and remember how many times risk models needed to be recalibrated.  That recalibration experience should form the basis for healthy skepticism of any and all future risk assessments.

  6. Drivers of risks will be highlighted and monitored.  Key risk indicators is not just an idea for Operational risks that are difficult to measure directly.  Key risk indicators should be identified and monitored for all important risks.  Key risk indicators need to include leading and lagging indicators as well as indicators from information that is internal to the firm as well as external. 
  7. Adaptable. Both risk measurement and risk management will not be designed after the famously fixed Ligne Maginot that spectacularly failed the French in 1940.  The ability needs to be developed and maintained to change focus of risk assessment and to change risk treatment methods on short notice without major cost or disruption. 
  8. Scope will be clear for risk management.  I have personally favored a split between risk of failure of the firm strategy and risk of losses within the firm strategy, with only the latter within the scope of risk management.  That means that anything that is potentially loss making except failure of sales would be in the scope of risk management.
  9. Focus on  the largest exposures.  All of the details of execution of risk treatment will come to naught if the firm is too concentrated in any risk that starts making losses at a rate higher than expected.  That means that the largest exposures need to be examined and re-examined with a “no complacency” attitude.  There should never be a large exposure that is too safe to need attention.   Big transactions will also get the same kind of focus on risk. 

Adaptability is the Key Survival Trait

November 27, 2009

…different and potentially much more difficult issues arise in the identification and measurement of risks where past experience is an uncertain or potentially misleading guide. When risk materialises, it may do so as a risk previously thought to be understood and managed that turns out to be very different indeed, and may do so quickly, well within normal audit cycles. The valuation of an asset or liability in a stressed market environment and the identification of other potential risks that may not previously have been encountered pose major questions for real-time assessment that are unlikely to have been factored into construction of the pre-existing business model.

Excerpt from the Walker Review

To survive such situations, it seems that the ability to quickly assess new situations, especially ones that look like old tried and true but that are seriously more dangerous, and to change what the organization is doing in response to these risks is key.

But to do that, significant amounts of senior resources must be dedicated to determining whether such risks are NOW in the environment each and every day.  The findings of this review must be taken very seriously and the organization must consider the possibility of changing course – not just a minor correction – a major change of business activity.

In addition to the discernment to identify such situations, the organization must cultivate the capacity to make such changes quickly and effectively.

An organization that can do those things has true adaptability and has a much better chance of survival.

However, for a business to be very profitable, it needs to be very focused, very efficient.  Everyone in the organization needs to be pointed in the same direction.  Doubt will undermine.

Within capitalism, the conflict is resolved by allowing individual businesses to maximize profits and relying on an assumption that there will be enough diversity of businesses that enough businesses will have chosen the right business model for the new environment.  Some of the most successful businesses from the old environment will fail to adapt, but some of the laggards will now thrive.

And therefore, the system survives.

But, that is not always so.  In some circumstances, too many firms choose the exact same strategy.  If the environment stays unchanging for too long, individual firms lose any adaptability that they might have had, they all become specialists in that one “most profitable thing”.  A major change in the environment and too many businesses fail too fast.

How does that happen?

Regulators play a large role.  The central bankers work very hard to keep the environment on a steady course, moderating the bumps that encourage diversity.

Prudential and risk management regulation also play a large role, forcing everyone to pay attention to the exact same risks and encouraging similar risk treatments through capital regime incentives.

So for the system to remain healthy, it needs adaptability and adaptability comes from diversity.  And diversity will not exist unless the environment is more variable.  There needs to be diversity in terms of both business strategy and in terms of risk management approaches.

So improving the prudential regulation will have the effect of driving everyone to have the same risk management – it will have the perverse effect of diminishing the likelihood of survival of the system.

MARTA – Risk Management… beyond mitigation

November 9, 2009

Submitted by Antony Marcano

From his Blog

In a previous rant about the misuse of the term mitigate in the context of risk management I listed the following strategies (I call them MARTA) for managing a given risk:

  • Mitigate – Reduce the severity of its impact
  • Avoid – Don’t do the thing that makes the risk possible
  • Reduce – Make the risk less likely to happen
  • Transfer – Move the impact of the problem to another party (e.g. insure such as paid insurance or outsource with penalties for failure)
  • Accept – Do nothing or set aside budget to cope with the impact

I recently found myself having to explain this and used the analogy of crossing a busy road with fast-moving cars. What’s the risk? Well, you might get hit by a car.

This will probably be more useful if you take a moment to think of a busy road with fast moving traffic that you know of and then use each of the above strategies to identify different ways of managing the risk. What factors would be significant in deciding on which strategy (or combination of strategies) was the way to go?

Ok, now that you’ve had a chance to think about it, here is what I came up with:

  • Mitigate – Walk down the street until I can find a section of the road where there is a 20mph speed restriction. (This is mitigation because I’m not necessarily making it any less likely that I’m hit, but if I am hit the ‘impact’ is reduced – i.e. I’ll probably live – albeit with injury).
  • Avoid – I could simply not cross the street, by deciding that whatever is on the other side simply isn’t that important or I could use an underground subway (which of course has other risks associated with it depending on the area you’re in).
  • Reduce – Find a stretch of road where there are fewer cars – reducing the probability of being hit by a car.
  • Transfer – Get someone else to cross the street, maybe someone more skilled at crossing the road than me.
  • Accept – Now, if it was a busy street, I wouldn’t ‘accept’ the risk. But, if the road allowed for lots of visibility and there were very few cars and there were speed bumps slowing the traffic down to 10mph then I might just accept the risk.

The person I explained this to found this to be a useful exercise in understanding my views on risk management – beyond mitigation. Hope you find this way of explaining it useful too.

» Antony Marcano’s blog

UNRISK (Part 1)

September 16, 2009

Post from Jawwad Farid

I have now been doing this “risk” business for more than a decade. Eleven years ago, right about this time, I was rudely introduced to my first risk application. Fresh from my actuarial exams, I was stumped on an interview question dealing with moments of a distribution. I have read the material, struggled with it, taken an exam on it and passed it. But in the room overlooking Fleet Street in London, in the month Russia defaulted on its domestic debt, I couldn’t explain it.

A question dealing with the moment generating function has an exact and mathematical answer. These days, across three continents, clients ask more difficult questions. “Does risk really work? Or is it smoke and mirrors” and/or “what is the one thing I can do to better manage my exposures?” While risk managers are generally stereotyped as the quiet sort with short snappy answers (or little to say as some uncharitable critics suggest), it has been difficult to come up with a catchy symbolic one word answer to the above two questions.

Sometime last year while reviewing a list of competitors I came across an interesting name “Unrisk”. Same concept as insured, uninsured. Risk, unrisk. Just the word I had been looking for. Catchy, symbolic and with far more cool/mystique factor than just plain simple risk management. A bright new term for an age old profession. When I saw it for the first time, I instantly knew that Unrisk would represent a state of institutional nirvana that we would achieve when we have done all that we could possibly do to manage risk on our platforms.

Next time a client would ask for a guide to a risk based paradise; you would simply give him the road map to the Unrisk state. The real question would be what you would put on that road map? And would it really protect you from all that an evil generating function could throw at you.

Second question first. No the unrisk state won’t really guarantee immunity from the evil eye. Neither will we stop booking risk. We will keep on carrying exposures on our balance sheet and will load as much risk as we can carry, sometimes even more.

And yes it won’t stop us from falling, stumbling or faltering.

Just that the frequency and severity of our nightmares would reduce a bit; we would still degrade but we would do it far more gracefully.

My personal recipe for the state is a short one. It only has one item on it.

  1. Understanding the distribution

To be continued

Beware the Risk Management Entertainment Systems

September 14, 2009

To shoot a gun, the proper command is “Ready, Aim, Fire.”  While the Fire part is the only active part of that sequence, it is clearly known by all that there is usually little point to simply sighting a gun without firing.  And in fact, for anyone who has ever owned a gun, there is at least some attention required to keep the gun clean and free of obstructions and the ammunition “fresh”.  I suppose that all fits into the “Ready” command.  So guns are not all about “fire,” but it would make little sense to talk about a gun without spending quite a bit of time talking about what happens when you pull the trigger.

Many firms have invested in ERM.  They have spent money on creating elaborate measurement systems; they have invested much, much management time in Identifying, Monitoring, Analyzing, Discussing, Reviewing, Evaluating, Communicating and Consulting about their risks.  They have brought this information to their boards and communicated about all of this activity to their board.

When asked what happens when there is a problem indicated by all of this activity, some of these firms would say that when a problem is found, they put it on the agenda for the next risk committee meeting, which may well recommend that a study be performed and the study would be reviewed at the next committee meeting.  The committee might then decide to move that risk to the top of the next report into the highlighted section of the report, where it will stay until the situation is resolved.

Perhaps these risk management systems are like the gun that is never fired.  It is cleaned repeatedly, new ammunition is purchased on time and the sight is checked, but the gun is just not fired.

In the ERM field, this is what can be called a Risk Management Entertainment System (RMES).  Below is a flow chart depicting a RMES.


In many cases, literature that describes ERM programs gives so much attention to these components and so little to the other component that actually turns a RMES into an actual Risk Management System – the action part of ERM, that is when the risk manager pulls the trigger and actually does something.

The following picture, taken from the AS/NZ 4360 Risk Management Standard shows a complete Risk Management system.  The additional section of the chart that differentiates this from a RMES, titled here “Risk Treatment,” is the only active section of the chart.


But the picture of ERM is still dangerously misleading.  The danger is both to the firm managers who think that ACTION is just a tiny part of ERM and to the ultimate reputation of ERM.

The Risk Management Entertainment Systems create a very strong impression that ERM is a talking and paper shuffling activity.  A waste of scarce corporate time, resources and dollars.

ERM needs to be about action.  If in the end, ERM does not result in any changes to a firm’s treatment of risks or selection of risks, then there was no real business reason for ERM.

ERM needs to look like this:


