Risk Appetite is the Boundary

June 18, 2014

Actually, it is two boundaries.

First, it is the boundary between Management and the Board with regard to risk.

  • If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
  • If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans.  (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)


Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.

  • Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
  • Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)

Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie.  And set their risk appetite to be near or even at those boundaries.

Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk that the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing with loss control (claims) with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers.

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory based Enterprise Risk Management programs that were COSO based provided the illusion of control, without actually achieving anything.  Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want.  But if you really want ERM, then something else is needed.  Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm.  This is a favorite topic of RISKVIEWS as well.  See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive.  That reacts to the environment.  Most ERM systems do not have this Reflexive element.  Risk limits are set and risk positions are monitored most often assuming a static environment.  The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently.  In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use.  That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment.  Plural Rationality theory suggests that there are four different risk environments.  If a company adopts this idea, then they need to look for signs that the environment is shifting and when it seems to be likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment.  The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment.  With that RISKVIEWS can heartily agree.

Old Risk Management Programs – 10 ERM Questions from Investors – The Answer Key (7)

April 2, 2012

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted. Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key. Here it is:

Every company has legacy risk management programs.  Some are being dutifully followed, some have been abandoned and some are actually still alive and well.  The best answer to this question would be that the company has a process for periodically assessing all of its ERM programs.  That there is an aging metric for risk treatment processes and whenever a risk treatment process has gone three years without any changes or updates, that triggers a review.  In that review, the risk staff assess whether the risk treatment is still needed, whether it is still effective and whether it can be updated to take advantage of new developments.

One particular concern is whether changes elsewhere in the company have created a need for major increases or decreases in the tolerance for the risk being treated.  It is quite possible that changes elsewhere in the risk profile of the firm mean that there now may be natural offsets to the old risk and risk treatment can be reduced.  It is also possible that the risk treatment program was put in place assuming that the risk would grow to a size that would make it material to the risk profile of the firm.  If that growth has not materialized, or if growth elsewhere in the firm has changed the scale considerations, then the materiality of the risk and the resulting need for the risk treatment program needs to be reassessed.

Of course, it also could be true that the level of risk treatment activities that were put in place in the past may be found to be inadequate and need to be increased.  This could be because the understanding of the risk has changed and the risk treatment is less effective than initially thought.  Or it may be that the risk environment has heightened and the risk per unit of activity is currently higher than assumed in determining the approach to risk treatment.

The cost of the risk treatment program should also be assessed.  There may now be different alternatives for achieving the same effectiveness of risk treatment for a lower cost that were not available previously.

This is important because everyone tends to forget old risks.  They just assume that since they have not been mentioned for some time that they have gone away.  But in many cases, old risks of insurers tend to linger.  And if the risk treatment programs that are supposed to be controlling those risks are being handled in an autopilot sort of mode, those risks might erupt into a totally unexpected problem if there is any stress.

ERM Fundamentals

January 21, 2011

You have to start somewhere.

My suggestion is that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly documenting the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Risk Limits and Controlling

December 16, 2010

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

  • Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

What might make sense in that situation would be for the person being asked to make the decisions on speed limits to be told what speed they had been going on the long straight-aways, on the gradual curves, the sharp curves and how long it took to stop the vehicle at various speeds.  In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience.  But there are simple exercises that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercise is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past.  For each of those situations, the backwards looking frequency can be assigned.  This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains and losses that were experienced in general.  That frequency is analogous to the weather.  Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercise each year of deciding what frequency to assign to the experience of the year’s gains and losses.
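
The backward-looking exercise and the frequency-plus-severity limit described above can be sketched as follows. This is an added example, not code from RISKVIEWS; the lognormal risk models, their parameters, the loss history and the earnings figure are all constructed assumptions.

```python
import math
from statistics import NormalDist

# Constructed risk models (assumptions, not from the post): annual losses in
# $ millions follow a lognormal distribution with these (mu, sigma) parameters.
INDUSTRY_MODEL = (math.log(5000.0), 0.7)   # losses "in general": the weather
FIRM_MODEL = (math.log(40.0), 0.9)         # the firm's own losses: its speed
_STD = NormalDist()


def loss_at_return_period(years, model):
    """Loss the model expects to be exceeded once in `years` years."""
    if years <= 1:
        raise ValueError("return period must be greater than one year")
    mu, sigma = model
    return math.exp(mu + sigma * _STD.inv_cdf(1.0 - 1.0 / years))


def return_period(loss, model):
    """Frequency the model attributes to a loss: years between losses this large or larger."""
    if loss <= 0:
        return 1.0  # a gain or break-even year: every year is at least this bad
    mu, sigma = model
    exceed_prob = 1.0 - _STD.cdf((math.log(loss) - mu) / sigma)
    return math.inf if exceed_prob <= 0.0 else 1.0 / exceed_prob


def within_limit(frequency_years, severity, model):
    """Check a limit stated as a frequency (1-in-N years) and a severity (max loss)."""
    return loss_at_return_period(frequency_years, model) <= severity


def look_back(history):
    """Assign a backward-looking frequency to each year's industry and firm loss."""
    return [
        {
            "year": year,
            "weather_1_in": round(return_period(industry_loss, INDUSTRY_MODEL), 1),
            "firm_1_in": round(return_period(firm_loss, FIRM_MODEL), 1),
        }
        for year, industry_loss, firm_loss in history
    ]


if __name__ == "__main__":
    # Constructed history: (label, industry loss, firm loss), $ millions.
    history = [("Year A", 4000.0, 25.0), ("Year B", 5000.0, 40.0),
               ("Year C", 22000.0, 310.0), ("Year D", 9000.0, 150.0)]
    for row in look_back(history):
        print(row)
    quarter_earnings = 300.0  # constructed figure
    print("1-in-100 loss:", round(loss_at_return_period(100, FIRM_MODEL), 1))
    print("within limit:", within_limit(100, quarter_earnings, FIRM_MODEL))
```

A year whose firm frequency is much rarer than its weather frequency is one where the firm was going faster than conditions alone would explain.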

Pick the Targets before You Start Judging

October 4, 2010

An Oct. 3 FT article says that just 30% of 465 executives surveyed said that “they were able to tap risk management programmes to prepare for and minimize the negative outcomes” of the recession.

But I wonder whether minimizing impact of a recession was among the targeted risks of those risk management programs.

And in addition, I wonder whether the risk managers would have been permitted to even think seriously about the impact of a recession as serious as the one that we have experienced (and continue to experience).

Financial firms that would have been very well prepared for this recession would have been doing quite a bit more hedging than their peers and the cost of that hedging would have severely reduced earnings prior to the recession.

Non-Financial firms that would have been well prepared would have been running with very low inventories and with loads of unfilled positions, running tons of expensive overtime prior to the flop.

The article also said that “only 44 percent said that they had adequately captured the potential problems before the downturn.”

Some of that may be risk managers being slammed for being poor fortune tellers.   They did not foresee the size of this recession so they missed it.

I would suggest that these survey results are a case of risk management as scapegoat.

Don’t get me wrong.  There are times when risk management gets it wrong.

But if you want risk managers to be focused upon minimizing the impact of a once in 75 year recession, then you ought to tell them that before the recession hits, not after.

And if accurate predictions of the economy are required of risk managers, then you ought to completely change your ideas about how much risk managers should be paid.

By the way, if you know now what sort of result you would have wanted from the recession, then that information should be used to set the firm’s risk tolerance – which should be done in advance, not after the fact.

But in fact, 80% of the firms have never agreed on a risk tolerance.  Quite often the reason for not picking one is a reluctance of management to have their options restricted by such a limit, to allow the board into decisions that they want to make without the help of the board.

