Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.
Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.
Here are abstracts and links to the existing documents:
Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
An Adaptor Strategy for Enterprise Risk Management(Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
Adaptor Exceptionalism:Structural Change & Systems Thinking, March 2022, RISKVIEWS, Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!
Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).
The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries will oversee an online survey to help understand individual risk managers’ perspectives on emerging risks. We value insights from all levels of experience and background and invite you to participate in this annual survey. Please complete this survey by Nov. 22nd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at the SOA Research Institute, jschuh@soa.org.
At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.
Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.
There are seven distinct steps in the typical risk control cycle:
Identify Risks – Choose which risks are the key controllable risks of the company
Assess – Examine what are the elements of the risks that need (or can be) controlled
Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
Take Risks – Conduct the primary function of an insurance company
Mitigate – Take actions to keep the risks within limits
Monitor – Determine how risk positions compare to limits and report
Respond – Decide what actions to take if risk levels are significantly different from plan
Risk Control Cycle
The Complete Risk Control Process
A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.
Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
Assess risks: And the cycle starts again
The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.
Gaining the Greatest Benefit from the Risk Control Cycle
Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.
But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.
Behavioral Finance / Behavioral Economics (BF for short) says that in general folks do a poor job of decision-making related to risk and finance. There is quite a lot of analysis of systematic errors that their experimental subjects have been found to make.
In general, people are found to make IRRATIONAL choices. RATIONAL choices are defined to be the choices that economists have found to be the best. (The best in the world specified by the economists – not necessarily in the world that people actually live in. But that is the subject for a different and long essay.)
This work is highly regarded and widely studied and quoted. Kahneman and Smith received a Nobel Prize for the original development of BF in 2002 and Thaler received a Nobel prize for his advancements in the field in 2017.
But does it actually make sense? As they pose the issue, it seems to. But take a step back. They are comparing economic decisions made by an economist to decisions made by folks with no training in economics. If they follow the general protocols of psychology, they would have looked for subjects with the least amount of knowledge of finance and risk.
So should it be a surprise that the studied population did not do well in their study? That they made systematic errors?
Imagine if you had a group of adults who had never been exposed to multiplication. And you gave them a simple multiplication test. Their answers would be compared to a group of math PhDs. So for the most part, they would have been guessing at the answers to the questions. If asked, they might well have felt good about their answers to some or all of the questions. But it is highly likely that they would be wrong.
From this experiment, it would be concluded that people cannot answer multiplication problems. The study might progress further and start to look at word problems, including word problems that represent everyday situations where multiplication is vital to getting by. Oh no, people are found to be poor at this as well.
But the solution is not some grand theory about how people are flawed regarding multiplication. The solution is math education!!!
On risk and finance, our society takes the position that in general we will not instruct people. That the best way to learn risk is via experience. And the best way to learn about finance is from a payday lender or a credit card past due debt collector.
Economists generally have PhDs. And their course of study includes both risk and finance. One topic, for example, is the math of finance. Taught within that topic are many of the approaches to financial decision making that BF has found that people make IRRATIONALLY. Another course that is generally required of economics PhDs is statistics. One of the ideas usually covered in statistics is risk. Even an introductory statistics course provides much more knowledge of risk than is needed to answer the BF questions. So economists have had systematic instruction that allows them to give the RATIONAL answers to the BF questions.
A side note – the idea of RATIONAL used in BF is consistent with Utility Maximization – an economics theory that was first fully developed in 1947. So even some economists might have failed the BF questions prior to that.
So instead of the conclusions reached by BF, RISKVIEWS would suggest a very simple alternative:
There are many flavors of Risk Management. Each flavor of risk manager believes that they are addressing the Real World.
Bank risk managers believe that the world consists of exactly three sorts of risk: Market, Credit and Operational. They believe that because that is the way that banks are organized. At one time, if you hired a person who was a banking risk manager to manage your risks, their first step would be to organize the risk register into those three buckets.
Insurance Risk Managers believe that a company’s insurable risks – liability, E&O, D&O, Workers Comp, Property, Auto Liability – are the real risks of a firm. As insurance risk managers have expanded into ERM, they have adapted their approach, but not in a way that could, for instance, help at all with the Credit and Market risk of a bank.
Auditor Risk Managers believe that there are hundreds of risks worth attention in any significant organization. Their approach to risk is often to start at the bottom and ask the lowest level supervisors. Their risk management is an extension of their audit work. Consistent with the famous Guilliani broken windows approach to crime. However, this approach to risk often leads to confusion about priorities and they sometimes find it difficult to take their massive risk registers to top management and the board.
Insurer Risk Managers are focused on statistical models of risk and have a hard time imagining dealing with risks that are not easily modeled such as operational and strategic risks. The new statistical risk managers often clash with the traditional risk managers (aka the underwriters) whose risk management takes the form of judgment based selection and pricing processes.
Trading Desk Risk Managers are focused on the degree to which any traders exceed their limits. These risk managers have evolved into the ultimate risk takers of their organizations because they are called upon to sometime approve breaches when they can be talked into agreeing with the trader about the likelihood of a risk paying off. Their effectiveness is viewed by comparing the number of days that the firm’s losses exceed the frequency predicted by the risk models.
So what is Real World Risk?
Start with this…
Top Causes of death
Heart disease
stroke
lower respiratory infections
chronic obstructive lung disease
HIV
Diarrhea
Lung cancers
diabetes
Earthquakes, floods and Hurricanes are featured as the largest insured losses. (Source III)
Note that these are the insured portion of the losses. the total loss from the Fukishima disaster is estimated to be around $105B. Katrina total loss $81B. (Source Wikipedia)
Financial Market risk seems much smaller. When viewed in terms of losses from trading, the largest trading loss is significantly smaller than the 10th largest natural disaster. (Source Wikipedia)
But the financial markets sometimes create large losses for everyone who is exposed at the same time.
The largest financial market loss is the Global Financial Crisis of 2008 – 2009. One observer estimates the total losses to be in the range of $750B to $2000B. During the Great Depression, the stock market dropped by 89% over several years, far outstripping the 50% drop in 2009. But some argue that every large drop in the stock market is preceded by an unrealistic run up in the value of stocks, so that some of the “value” lost was actually not value at all.
If your neighbor offers you $100M for your house but withdraws the offer before you can sell it to him and then you subsequently sell the house for $250k, did you lose $99.75M? Of course not. But if you are the stock market and for one day you trade at 25 time earnings and six months later you trade at 12 times earnings, was that a real loss for any investors who neither bought or sold at those two instants?
RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog. Thanks to our readers whose clicks resulted in their selection.
Instructions for a 17 Step ORSA Process– Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
ORSA ==> AC – ST > RCS– You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
Hierarchy Principle of Risk Management– There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
Risk Culture, Neoclassical Economics, and Enterprise Risk Management– A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
What CEO’s Think about Risk– A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
Decision Making Under Deep Uncertainty– Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.
The WC Roundup is hosting the 207th Cavalcade of Risk. This bi-weekly blog is a collection of risk-related posts covering topics from finance, to insurance, to health.
The word risk is a common English word with a definition that has been well established for hundreds of years. There is no need for risk managers to redefine the word to mean something else. In fact, redefining a word so that its meaning would incorporate the exact opposite of the common definition is a precess that George Orwell called DOUBLETHINK.
Imagine what you would think if you hired someone to paint your house and when they showed up they told you that in their minds the word “paint” meant repaving your driveway in addition to applying a colored covering to your house? Sounds crazy doesn’t it. But there are many, many risk managers who will heatedly argue about this point. For example, see The ISO 31000 group discussion here.
The Definition of risk
noun
a situation involving exposure to danger:flouting the law was too much of a risk all outdoor activities carry an element of risk
[in singular] the possibility that something unpleasant or unwelcome will happen:reduce the risk of heart disease [as modifier]:a high consumption of caffeine was suggested as a risk factor for loss of bone mass
[usually in singular with adjective] a person or thing regarded as likely to turn out well or badly, as specified, in a particular context or respect:Western banks regarded Romania as a good risk
[with adjective] a person or thing regarded as a threat or likely source of danger:she’s a security risk gloss paint can burn strongly and pose a fire risk
(usually risks) a possibility of harm or damage against which something is insured.
the possibility of financial loss: [as modifier]:project finance is essentially an exercise in risk management
verb
[with object]
expose (someone or something valued) to danger, harm, or loss:he risked his life to save his dog
act or fail to act in such a way as to bring about the possibility of (an unpleasant or unwelcome event):unless you’re dealing with pure alcohol you’re risking contamination from benzene
incur the chance of unfortunate consequences by engaging in (an action):he was far too intelligent to risk attempting to deceive her
Phrases
at risk
exposed to harm or danger:23 million people in Africa are at risk from starvation
at one’s (own) risk
used to indicate that if harm befalls a person or their possessions through their actions, it is their own responsibility:they undertook the adventure at their own risk
at the risk of doing something
although there is the possibility of something unpleasant resulting:at the risk of boring people to tears, I repeat the most important rule in painting
at risk to oneself (or something)
with the possibility of endangering oneself or something:he visited prisons at considerable risk to his health
risk one’s neck
put one’s life in danger.
run the risk (or run risks)
expose oneself to the possibility of something unpleasant occurring:she preferred not to run the risk of encountering his sister
Origin:
mid 17th century: from French risque (noun), risquer (verb), from Italian risco ‘danger’ and rischiare ‘run into danger’
Redefining the word risk to include its opposite (i.e. gain) is a perfect example of what Orwell called DOUBLETHINK.
DOUBLETHINK: The power of holding two contradictory beliefs in one’s mind simultaneously, and accepting both of them… To tell deliberate lies while genuinely believing in them, to forget any fact that has become inconvenient, and then, when it becomes necessary again, to draw it back from oblivion for just as long as it is needed, to deny the existence of objective reality and all the while to take account of the reality which one denies – all this is indispensably necessary. Even in using the word doublethink it is necessary to exercise doublethink. For by using the word one admits that one is tampering with reality; by a fresh act of doublethink one erases this knowledge; and so on indefinitely, with the lie always one leap ahead of the truth. From 1984 George Orwell (1949)
In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:
1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.
2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.
3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.
4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.
5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.
6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.
7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.
8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.
9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.
A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.
a. Bad results <> Bad Culture – there are may possible reasons for poor results. Culture is one possible reason for bad results, but by far not the only one.
b. Causation and Correlation – actually this one need not be flipped. Correlation is the most misunderstood statistic. Risk managers would do well to study and understand what valuable and reliable uses that there are for correlation calculations. They are very likely to find few.
c. Single explanations – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason. Scapegoating is a process of identifying a single explanation and quickly moving on. Often without much effort to determine which of the four possibilities above applies to the scapegoat. Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.
d. Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.
e. Data Quality – same exact issue applies to loss analysis. GIGO
f. Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about. A firm does not need to sport excellent performance to experience deteriorating results.
g. Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.
h. Uncertainty prevails – precision does not automatically come from expensive and complicated models.
Central bankers have tools to help the economy, but for the most part, those tools all have the effect of lowering interest rates.
But there are consequences of overriding the market to change the price of something. The consequences are that every decision that uses the information from the affected market prices will be distorted.
Interest rates are a price for deferral of receiving cash. Low interest rates signal that there is very little risk to deferral of receiving cash. So one only has to pay a little extra to pay later rather than now.
This is helpful in stimulating consumption. People without the money right now can promise to pay later with low penalty for the deferral.
But is the risk from the deferral really lower? The interest rates are very low because the central bank is overwhelming the market demand. Not because anyone really believes that deferral of receipt of cash is low risk.
But anyone who simply uses the market interest rates is having their decision distorted. They are open to taking deferral risk without expecting to be reasonably compensated for that risk.
To purists who believe that the only usable value is the market price, this is the only real information.
But if you want to make good decisions about transactions that stretch out over a long time, you might want to consider making your own adjustment for the risk of deferral.
As I deal with a variety of industries, professionals, investors and even risk managers, it has become obvious that the first issue that needs to be addressed from a risk management context is to define the term “risk”. I generally get pushback on this, but what I find is that everyone has a strong definition in their own mind that varies from person to person. How you define risk drives both risk appetite and risk culture. One of the keys in many of the management classes I have attended over the years has been to recognize that others tend to not think like I do. This is important here too. Before reading further, how do you define risk? Let me know if you don’t see your personal high level definition below.
Knightian Risk
Probably the most interesting risk definition I have seen, and the one I had never considered in its extreme, was put forth by Frank Knight in his 1921 book Risk, Uncertainty and Profit. Risk is defined as uncertainty. It is best explained by an example. If you were to launch yourself into space with no protection against the cold and lack of oxygen that defines space, you know you would die. By this definition there is no risk. If there is no uncertainty, in any direction, there is no risk. Sure to fail, no risk. Sure to win, no risk. Most people consider this definition in moderation when managing risk, although most would override it with one of the definitions we will consider next.
Downside Risk
When managing a business or portfolio, many managers consider risk only with respect to something bad that could happen. Outcomes can be defined numerically as more of something is either good or bad, and less of something is the opposite. An additional nuance is needed, and it has been mentioned by others. I like to look at “good” outcomes and “bad” outcomes. To follow an example earlier in this thread, higher sales might initially be called a good outcome, but often it eventually becomes a bad outcome as it outstrips capital availability or flags a pricing issue. Keep in mind that what is important is the overall impact on the entity, so a good overall outcome should be encouraged even if some lines of business would call it a bad outcome for their silo. High mortality is an example of this, with a life insurance line saying it is a bad outcome and a payout annuity considering it a good outcome. This is an example of a natural hedge, provided by two lines with offsetting risks in their portfolio.
Most companies today are looking at risk from a one sided perspective to meet their regulatory compliance needs. Risk management is viewed as a fixed cost under this paradigm. This approach is useful and helps the company avoid bankruptcy. It also provides a base from which you can leverage your ERM efforts.
Volatility Risk
I often think of traders when considering a volatility driven definition of risk. Opportunities abound if prices move, no matter which direction. Those who look at risk from a two sided perspective, and are good at it, can provide an organization with a competitive advantage as enterprise risk management becomes a major part of the strategic planning process. Everything is on the table. This helps an organization grow and prosper, in addition to lowering the probability of ruin. Incorporating risk into decision making provides a competitive advantage in all environments. The downside of this approach is that many who think of volatility as risk also believe that risk can be modeled accurately. They are more prone to model risk.
Not everyone is capable of the two sided risk approach. Risk culture can get in the way, but you also need the right people in place to drive risk management opportunities to senior team members. A risk manager should try to nudge their firm in this direction, but trying to leap there all at once is not likely to work.
Which risk definition is the best one?
It will depend on firm culture and risk appetite to know which definition is most consistent within an entity, and employing people with each definition can help a firm avoid overfocusing on one of the definitions. This will allow the firm to make better decisions. Risk is Opportunity!
Warning: The information provided in this post is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!
Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.
This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.
An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission. No serious undertaking has 75 classes of events that could stop them in their tracks.
A serious undertaking might have 5 such risks. Usually less. Things that in spite of the best efforts of management could stop them in their tracks. There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.
What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks. To make sure that a new potential trouble is not creeping into that top 10. To make sure that they are not accidentally taking on much more of those risks. To find ways to mitigate that first group of top risks. To make sure that the controls on that second group of top risks are still sufficient. And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.
Dave Sandberg likes to classify risks into three classes:
Risks that threaten the earnings of the firm
Risks that threaten the capital of the firm
Risks that threaten the promises of the firm
A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm. They should be the concern of the top executives of the firm. Those risks should be the concern of the directors of the firm.
The name calling involved is a distraction from the real problem – the problem of how to keep our entire economic system working with the massive shifting of people into the non-productive retirement ages. Besides the imbalances in pay as you go programs like social security and medicare, there is the problem of who is going to buy the securities that the retirees will need to sell to pay for living expenses? What usually happens when the market knows that someone MUST sell something? What percentage of the stock market’s total holdings MUST be sold over the next 30 years?
Everyone keeps pretending that this is some sort of marginal change situation. It is definitely not.
What happens if the Boomers sell off causes the market to drop by another 25 – 30%?
Sounds crazy? But the charts below from the San Fran FRB tells a story…
The solid line represents the ratio of middle aged people (40 – 49) to Old Agers (60 – 69).
This picture shows a 30% drop in PE. If earnings are also challenged by the low or negative population growth during the same time period, the massive drop is stock prices is quite possible.
So even the people who did save for retirement may be woefully surprised that their money does not save them.
The stock market is but a large and often somewhated distorted mirror of the economy. If the stock market is challenged by the low growth of the population and the shift from production to consumption of the large retiree population, then that is a reflection that the economy could be challenged in just the same manner.
That is the REALLY BIG problem that needs to be solved.
The Social Security problem is not at all difficult to solve. According to the most recent actuarial report to the trustees, the shortfall in Social Security is 14% of projected benefits or 17% of projected revenues. So anyone who can do arithmetic can work out some combination of increases to taxes and decreases to benefits that would bring the program into balance over the 75 year projection period. Split it down the middle and decrease benefits by 7% and increase social security taxes by 8.5% and it is solved. But the fact of the matter is that there is no serious consideration being given to any solution, let alone a straightforward solution like the above that anyone could understand.
Perhaps the very act of declaring something a RISK FREE ASSET guarantees that it will not be such.
Underneath that declaration of RISK FREE is a presumption that the RISK FREE entity can absorb an unlimited amount of debt. When in fact, the thing that we are seeing over and over again is that it is the debt itself that causes the risk!
In insurance, if insurers allowed someone to insure a building that they own for five times its value in the event of a fire, we all understand that a fire becomes highly likely.
In banking, it is also a basic tenet of lending that if you lend someone much, much more than they could ever possibly repay, that they will not repay. But in banking, we have let the concept of RISK FREE creep into our heads and let that overcome the basic tenet about lending and repayment. Banks are actually encouraged to put more of their money into RISK FREE securities to make them more secure. But in the case of both the sub prime and the sovereign crises, the problem comes from assets that were improperly designated RISK FREE.
But what if it is the designation of RISK FREE itself that leads to the problems?
In the US Life insurance sector, the regulators provide a Risk Based Capital (RBC) regime. It assigns a level of capital based upon the regulators understanding of the risk of various activities. Most life insurance products at the time of the creation of the RBC regime in the early 1990’s involved a guarantee from the general account of the insurer to the beneficiaries of the insureds. Life insurers traditionally took large amounts of credit risk to support those guarantees. The RBC originally was focused first on the largest risk of the life insurers, credit.
Variable Annuities did not involve a guarantee from the general account and were therefore considered RISK FREE. Many insurers wrote that business and did not attribute any capital because the products were RISK FREE. From the start, insurers paid a fixed commission to brokers who wrote the business. Insurers did not directly charge the customers for those commissions, but instead recovered those payments from the accounts over time. Later, life insurers started to also add guarantees from the general account of the benefits from the variable annuities. The variable annuities were still considered to be RISK FREE so there was still no RBC charge.
It was not a surprise that valuable risk protection that was highly underpriced was attractive to buyers and these products became very heavy sellers for a dozen or more companies. So much so that attempts to later change the RBC to require proper capital amounts for the product were potentially critically damaging to some of those firms. Eventually, when the financial crisis hit, some of those dozen insurers that wrote large amounts of these products were looking for help from the TARP program
So perhaps we should be rethinking this concept of RISK FREE. When the activity deemed as RISK FREE starts to become risky, it starts (or in the case of the sub prime backed CDOs always) pays a higher return than the lowest risk activities. When the denominator for RISK FREE is zero or very near zero, very tiny amounts of excess returns from growing risk of the activity which is now designated RISK FREE in error will look to be fantastically profitable. A firm that is trying to optimize its return on capital will shift as much activity as possible into the improperly designated assets class.
As long as there is a RISK FREE class, there will be an incentive to shift as much activity as possible into any security in that class that is misclassified.
And because the capital requirements for risk free are zero, there is no limit to how much banks can move into that class. They actually look good if they leverage up to increase activity in RISK FREE.
We need to stop even saying that any class of investments is RISK FREE. As we see where that idea has led us, we need to leave it in the universities where it belongs and keep it out of the business world. They can keep it on a shelf right next to their bottles of perfect vacuum and along side their frictionless surfaces. That is where it belongs.
In the real world, there are no RISK FREE assets. The capital requirements need to be floored with a positive number and graded up with the level of returns. The market really is telling us something about risk when returns are higher, not about the brilliance of the companies that are able to find the misclassified RISK FREE investments.
Half a league, half a league, Half a league onward,
All in the valley of Death Rode the six hundred.
“Forward, the Light Brigade!
“Charge for the guns!” he said:
Into the valley of Death Rode the six hundred.
From Charge of the Light Brigade, by Alfred, Lord Tennyson
In about 30 minutes, over 2/3 of the British Light Brigade were slaughtered in 1854. Horsemen with swords charged cannon and rifles and grapeshot. Tennyson made it sound grand and brave and somehow an admirable thing. But Tennyson points out the the fact that it made no sense to do what they were doing – that the soldiers knew it.
“Forward, the Light Brigade!”
Was there a man dismay’d?
Not tho’ the soldier knew Someone had blunder’d:
Theirs not to make reply,
Theirs not to reason why,
Theirs but to do and die:
Into the valley of Death Rode the six hundred.
Military schools have used the story of the charge as an example of what can go wrong when intelligence is weak at the command center and when orders are ambiguous.
The Earl of Cardigan who was in command, reported to Parliament:
But what, my Lord, was the feeling and what the bearing of those brave men who returned to the position. Of each of these regiments there returned but a small detachment, two-thirds of the men engaged having been destroyed? I think that every man who was engaged in that disastrous affair at Balaklava, and who was fortunate enough to come out of it alive, must feel that it was only by a merciful decree of Almighty Providence that he escaped from the greatest apparent certainty of death which could possibly be conceived.
You might ask what this might have to do with Risk Management?
While the willingness to follow orders might have appealed to the Victorian English, those are not the sort of folks that you want handling risk. Following orders that are that far wrong is not what you want someone doing with the risks to your firm’s existence.
You want people in both your risk management area and in the front line areas where there is the most risk taking to be the sorts who question authority when they do not understand why a new order makes sense.
Risk needs to be attended to at both the center and the fringes. And thoughtfully attended to. When the risk seems high to someone, that should be a signal to reconsider.
Some of us are old enough to remember going to a playground without an adult trailing along to make sure that we played safely. Oh, there were always a few parents there, but they were with the pre-k aged kids. Anyone old enough to go to school was generally thought to be old enough to be able to play.
Well, thanks to the immense safety movement that has caused everything to be swathed in bubble wrap and foam padding, all of the risk is now gone from playgrounds. AND if you did go to a playground (and almost no one ever does anymore – they are no fun at all) you find that there is usually at least one and probably two adults supervising each child.
we may observe an increased neuroticism or psychopathology in society if children are hindered from partaking in age adequate risky play
Roll the experiences of the last generation of kids forward twenty years, when they start to run the world. They have been deprived of any chance at risk taking as kids. Not safe enough. They will also be living in a world dominated by the aged baby boomers.
Apply that picture to future risk appetites. Any discussion of risk appetite talks about the amount of risk that someone is comfortable taking.
The lesson that we have taught our kids is that ZERO risk is the only level that they should be comfortable with.
I imagine that it would be a good thing to invest in a company that makes that rubber stuff that lines the floor of the playground. That is much safer than concrete for sidewalks. It will be everywhere.
And business risk taking – forget about it. Your business may fall and skin its knee.
Kids and adults and businesses and current and future business leaders need to experience risks and get comfortable with the losses that sometimes come from risk taking. They need to learn that it is not the end of the world if they skin their knee. Or even break a leg. Maybe when that happens, we learn something new about ourselves and our ability to take risks in the world.
Because if someone believes that they are not taking any risks then the only risks that they have are risks that they are not aware of.
Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted.
Here they are:
What is the firm’s risk profile?
How much time does the board spend discussing risk with management each quarter?
Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
What outside the box risks are of concern to management?
What is driving the results that you are getting in the area with the highest risk adjusted returns?
Describe a recent action taken to trim a risk position?
How does management know that old risk management programs are still being followed?
What were the largest positions held by company in excess of risk the limits in the last year?
Where have your risk experts disagreed with your risk models in the past year?
What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?
They never come back and asked for the answer key. Here it is:
5. In the sub prime market prior to the crisis, investors were buying AAA securities but getting a little more yield. Since they were AAA rated, the capital required was minimal. So the return on equity could be attractive. Unless you held that story up to the light and freely admitted that your bank profits were bolstered by exploiting the fact that the market and the regulators had different opinions of the creditworthiness of the sub prime securities.
So, if the banks had answered honestly, they would have been saying that their profits were coming from regulatory arbitrage. There are only three possible outcomes from this situation. First, the market could wise up and the excess profits would disappear. Second, the regulators could wise up and suddenly the banks would find themselves needing lots more capital, and third, the market persists in its opinion of higher risk and it turns out the market is correct. But since under this third option, the bank is playing the regulators for the fools, as the risks stay the same or grow ever larger, the banks take more and more advantage of the stupid regulators. They pretend to their board that the bank is safe because they are holding the capital that the regulators require. The banks takes more and more risk – the compulsion to grow and grow earnings in the face of the shrinking spreads for everything with “normal” risk is an immutable imperative that requires banks to multiply their risk.
So one of the possible reasons that Risk Adjusted Return is high is that the risk adjustment is based upon regulatory requirements – not on an actual assessment of risk. And there are three possible outcomes of playing the regulatory arb game that are unfavorable.
Another reason for higher risk adjusted returns is a competitive advantage. Investors should be happy to hear about a competitive advantage. They should also do their own assessment about how permanent that advantage might be.
From the point of view of assessing an ERM system, the answer to this question should reveal how seriously that management takes the idea of risk management. High and unexpected returns are as good a signal as any of higher risk. In fact, in the financial markets, high returns are almost always a symptom of higher risk.
If you, like Riskviews, enjoys reading about risk, you will love the Cavalcade of Risk. The Cavalcade of Risk focuses on how people and businesses deal with the element of uncertainty in their lives, weekly presenting a wide ranging list of links to blogs and other places where all different aspects of risk are being discussed.
The WHO has just released a statement about possible cancer risk from cell phones.
Cell Phones are definitely dangerous. Just try walking down any street. Watch people suddenly stop walking or erratically change their pace of walking, even in a crowded sidewalk. Invariably they have a cell phone up to their ear. It is clear that cell phones suck the self preservation part of the brain right out of the ear.
And much more risky is the effect of cell phones on driving. Some safety experts attribute as many as half of the auto accidents in the US to cell phones. Cell phones seem to prevent people from noticing red lights, stop signs, stopped vehicles and pedestrians in their way. Thousands of deaths and millions of damage.
The cancer risk is the least part of the risk of cell phones.
What was the difference between the banks and insurers with high tech risk management programs that did extremely poorly in the GFC from those with equally high tech risk management programs who did less poorly?
One major difference was the degree to which they believed in their models. Some firms used their models to tell them exactly where the edge of the cliff was so that they could race at top speed right at the edge of the cliff. What they did not realie was that they did not know, nor could they know the degree to which the edge of that cliff was sturdy enough to take their weight. Their intense reliance on their models, most often models that focused like a lazer on the most important measure of risk, left other risks in the dark. And those other risks undermined the edge of the cliff.
Others with equally sophisticated models were not quite so willing to believe that it was perfectly safe right at the edge of the cliff. They were aware that there were things that they did not know. Things that they were not able to measure. Risks in the dark. They took the information from their models about the edge of the cliff and they decided to stay a few steps away from that edge.
They left something on the table. They did not seek to maximize their risk adjusted returns. Maximizing risk adjusted return in the ultimate sense involved identifying the opportunity with the highest risk adjusted return and taking advantage of that opportunity to the maximum extent possible, then looking to deploy remaining resources to the second highest risk adjusted return and so on.
The firms who had less losses in the crisis did not seek to maximize their risk adjusted return.
They did not maximize their participation in the opportunity with the highest risk adjusted return. They spread their investments around with a variety of opportunities. Some with the highest risk adjusted return choice and other amounts with lesser but usually acceptable return opportunities.
So when it came to pass that everyone found that their models were totally in error regarding the risk in that previously top opportunity, they were not so concentrated in that possibility.
They left something on the table and therefore had something left at the end of that round of the game.
Many people talk and write as if risk and reward were the true trade-offs in a capitalist system. It certainly makes risk management important if that were true.
But unfortunately for us risk managers, and fortunately for business managers, choosing among risky alternatives is not the best choice for business success.
In fact, the natural tendency of capitalism is directly away from risk and towards Competitive Advantage. If a business can find a competitive advantage, their first choice forever after is to strengthen that advantage and to reduce their risk.
A business with a total competitive advantage, also called a monopoly, is crazy to then take any risk. Economists call their income a rent. The income from risk taking is called a risk premium. All businesses prefer rents to risk premiums under that definition.
So the risk managers who talk all of the time about the risk and reward continuum and about the efficient frontier of risk taking are talking nonsense to any business person who knows the story of any of the most successful businesses. The most successful businesses all made fortunes for their founders by collecting rents.
What we should be talking about is the Rent / Risk continuum. If you want to be really successful, you need to find a way to collect rents. If you want to get mediocre returns, then you can go out and take risks.
Many years ago, Riskviews was producing risk reports for return on risk capital for an insurer. The insurer had some fee for service business. This business did not fit into the risk reward framework.
Investment Banks had at one time been mostly fee for services businesses. Then for a time, they decided that they could make more money taking risks. It turns out that they were largely wrong. The “profits” that they were recording on their risk taking were risk premiums for taking very large risks that were “in the dark“. According to Taleb, they were being massively underpaid for those large but infrequent risks.
Some reinsurers that make their business taking on large amounts of catastrophe risks can be shown to be taking a significant amount of their value from the “default put” that is created because they collect premiums for all expected claims under their reinsurance contracts, but they do not intend to pay off on the largest catastrophes because they will have defaulted.
Risk taking is a questionable way to make profits.
So risk managers need to work to identify rents and properly reflect the superior place that rents should have in business goals. Risk managers should be slow to claim that any risk taking behavior will make a profit and not just mistaken accounting of risks that are waiting in the dark and growing stronger to take back all of the so called profits from risk taking.
Michael Thompson often describes the situation where a person or group does not get the experience that they expect as Surprise. I have also heard that called Disappointment.
Probably Surprise is a better term.
What is going on is that people expect one sort of experience and get another.
In a recent published article, Ingram and Thompson describe the expectations of various environments as:
With those descriptions, Surprise/Disappointment is easier to describe. If you believe that the environment is in a Boom and the experience you get is moderate drift and volatility, then you will be surprised and probably disappointed. And similarly, if you expect a Bust environment and you experience high drift, then you will certainly be Surprised, but probably not Disappointed. Unless you were really counting on complaining and are disappointed about good fortune spoiling that.
Surprise is very different for those expecting an Uncertain environment. For them, it is surprising that they are able to notice any pattern, whether it be high, low or moderate drift and volatility. They are expecting unpredictable results, a high volatility as well as a high volatility of volatility. For them, a surprise would be if the experiences did have a reliable volatility.
The Surprise that many of us have been experiencing started out as a Disappointment. We thought that home prices had a large positive drift and low volatility. So as many of us started to count upon that expectation, the system reached its carrying capacity for home real estate. Which is hard to imagine, since with the loans that were over 100% of value, people were being paid by the financial sector to take new homes.
Suddenly, house prices stopped rising. Most stories about the financial crisis do not even try to give any explanation for that happening. But it is easy to picture that everyone who was willing to move had already done so recently. Even in a pay to take, there is a high personal time cost to move. So the hot market encouraged anyone who might be willing to move and move a year or two or three earlier than they would have otherwise. But not enough people were willing to do that year after year. And not enough people were crazy enough to take out mortgages that they had absolutely no chance to pay back. So the turnover faltered. Prices simply stopped rising. And the Surprise hit everyone.
After an extended period of freefall, the market has settled into a much longer period of uncertainty. No discernable pattern to drift or to volatility. There is a large and uneven volume of foreclosed real estate in the system. It comes to market and disrupts prices. Because the real estate market had relied upon a rather primitive price discovery mechanism, the foreclosures are very disruptive to the pricing of non-foreclosed housing. This is a major factor in the level of uncertainty of housing and it ripples through the entire financial system and the entire economy.
With this uncertainty, people who are expecting any of the three other patterns of risk are irregularly Surprised, and often Disappointed. As there are more and more disappointments, more and more people shift their coping strategy to one that makes sense in an Uncertain economy, the strategy of Diversification. That might sound to be a good thing, but in practice, it ends up meaning avoiding any large or lengthy commitments. It means a slow down in basic investment and usually a deferral of any of the major investments that would start to fuel the next positive economic cycle.
This Uncertain cycle will end slowly because of the immense amount of extra home real estate that is still in the foreclosure pipeline.
Such cycles usually end when the flip side of the process described above that drove the stoppage in the real estate boom. What stopped the boom was that people wore out of moving up in housing. What will stop the Uncertain market will be that people will wear out of not changing houses. The people who have had one more child will be fed up with the crowding in their smaller house and the people whose kids have moved away will get fed up with maintaining more house than they need. The people who do well enough to afford a bigger and better house will be fed up with waiting for things to settle down. And when that happens to enough people, the backlog of existing real estate will finally sell down and a new boom will start again.
And people who had adapted to uncertainty will be Surprised, but not disappointed that their house again finally starts to appreciate.
The message that windows gives when you are copying a large number of files gives a good example of an uncertain environment. That process recently took over 30 minutes and over the course of that time, the message box was constantly flashing completely different information about the time remaining. Over the course of one minute in the middle of that process the readings were:
8 minutes remaining
53 minutes remaining
45 minutes remaining
3 minutes remaining
11 minutes remaining
It is not true that the answer is random. But with the process that Microsoft has chosen to apply to the problem, the answer is certainly unknowable. For an expected value to vary over a very short period of time by such a range – that is what I would think that a model reflecting uncertainty would look like.
An uncertain situation could be one where you cannot tell the mean or the standard deviation because there does not seem to be any repeatable pattern to the experience.
Those uncertain times are when the regular model – the one with the steady mean and variance – does not seem to give any useful information.
The flip side of the uncertain times and the model with unsteady mean and variance that represents those times is the person who expects that things will be unpredictable. That person will be surprised if there is an extended period of time when experience follows a stable pattern, either good or bad or even a stable pattern centered around zero with gains and losses. In any of those situations, the competitors of that uncertain expecting person will be able to use their models to run their businesses and to reap profits from things that their models tell them about the world and their risks.
The uncertainty expecting person is not likely to trust a model to give them any advice about the world. Their model would not have cycles of predictable length. They would not expect the world to even conform to a model with the volatile mean and variance of their expectation, because they expect that they would probably get the volatility of the mean and variance wrong.
That is just the way that they expect it will happen. A new Black Swan every morning.
Correction, not every morning, that would be regular. Some mornings.
“The unprecedented scale of the earthquake and tsunami that struck Japan, frankly speaking, were among many things that happened that had not been anticipated under our disaster management contingency plans.” Japanese Chief Cabinet Secretary Yukio Edano.
In the past 30 days, there have been 10 earthquakes of magnitude 6 or higher. In the past 100 years, there have been over 80 earthquakes magnitude 8.0 or greater. The Japanese are reputed to be the most prepared for earthquakes. And also to experience the most earthquakes of any settled region on the globe. By some counts, Japan experiences 10% of all earthquakes that are on land and 20% of all severe earthquakes.
But where should they, or anyone making risk management decisions, draw the line in preparation?
In other words, what amount of safety are you willing to pay for in advance and what magnitude of loss event are you willing to say that you will have to live with the consequences.
That amount is your risk tolerance. You will do what you need to do to manage the risk – but only up to a certain point.
That is because too much security is too expensive, too disruptive.
You are willing to tolerate the larger loss events because you believe them to be sufficiently rare.
In New Zealand, that cost/risk trade off thinking allowed them to set a standard for retrofitting of existing structures of 1/3 of the standard for new buildings. But, they also allowed 20 years transition. Not as much of an issue now. Many of the older buildings, at least in Christchurch are gone.
But experience changes our view of frequency. We actually change the loss distribution curve in our minds that is used for decision making.
Risk managers need to be aware of these shifts. We need to recognize them. We want to say that these shifts represent shifts in risk appetite. But we need to also realize that they represent changes in risk perception. When our models do not move as risk perception moves, the models lose fundamental credibility.
In addition, when modelers do things like what some of the cat modeling firms are doing right now, that is moving the model frequency when people’s risk perceptions are not moving at all, they also lose credibility for that.
So perhaps you want scientists and mathematicians creating the basic models, but someone who is familiar with the psychology of risk needs to learn an effective way to integrate those changes in risk perceptions (or lack thereof) with changes in models (or lack thereof).
The idea of moving risk appetite and tolerance up and down as management gets more or less comfortable with the model estimations of risk might work. But you are still then left with the issue of model credibility.
What is really needed is a way to combine the science/math with the psychology.
Market consistent models come the closest to accomplishing that. The pure math/science folks see the herding aspect of market psychology as a miscalibration of the model. But they are just misunderstanding what is being done. What is needed is an ability to create adjustments to risk calculations that are applied to non-traded risks that allow for the combination of science & math analysis of the risk with the emotional component.
Then the models will accurately reflect how and where management wants to draw the line.
A.M. Best added a Supplemental Rating Questionnaire (SRQ) for insurers at the end of 2010. While it will provide interesting information that will aid the analyst develop questions for a face-to-face meeting, the mainly checklist format will limit its value. A better option would be for a company to utilize this SRQ to develop an internal risk management report that could be presented to the board and external stakeholders much as insurers generate an investment management report. The A.M. Best checklist could be a by-product of this process. A.M. Best’s statement that “each company’s need for ERM is different” is absolutely correct. Organizations with complex and varied product mixes should spend their time understanding both the silo risks and the interactions between those silos. Going into 2006 insurers (and rating agencies) did not have leading indicators in place to monitor housing prices, yet that proved to be the driver leading to the financial crisis. There is little in this questionnaire that is forward looking toward new and emerging risks.
Concentration
The questionnaire does not do enough to focus on concentration of exposures. No credit is awarded for a diversified group of independent risks. There is also no mention of counterparty risk with reinsurers. The financial crisis left reinsurers ever more entangled, and if one ever experiences financial difficulties a contagion effect could drag quite a few down with them. If that happens there is no reason to think that insurers would not batten down the hatches as banks did with their loan portfolios. Insurers should have a contingency plan for this possibility, along with performing other stress tests and board discussions.
Key Risk Indicators
The questionnaire refers to reporting risk metrics. This should be more specific. Financial statements do a pretty good job of reporting lagging indicators such as revenue and net income. What would be more useful when managing risk are leading indicators. What metric can I look at today to anticipate future revenue? Keeping track of metrics such as agent retention, applications received, or unemployment will allow the line manager to better understand the business line and the risk manager to better identify potential risks. Today, many insurers are developing this process but it is still evolving.
Risk Culture
In the risk culture section of the questionnaire, terms such as risk/return measures and reporting risk jump out at me. Not all risks can be measured, and many can’t be measured accurately. That does not mean they can’t, and certainly does not mean they should not, be managed. Examples would include the likelihood and severity of civil unrest around the world. It is not important to judge precisely how likely these events might be, but it is important to think about how you might react if such an event does occur. Options are generally limited after an event occurs, and time is often the critical factor. Reporting risk means many things to many people. It would be preferred to have a dialogue about risks, using a written report as a starting point.
Identifying Risks
In the Risk Identification/Measurement/Monitoring section of the questionnaire, A.M. Best asks “Who is the most responsible for identifying material risks to the company’s financial position?” This seems to be a no-win question, as no matter who is listed shortcomings will be associated with it. If you list the CEO, then the CRO is short-changed. If you list the CRO, the line managers wonder what their role is. Perhaps a better question would be to ask who is responsible for consolidating risks and looking at them holistically, scanning for emerging risks as well. It will be interesting to see what A.M. Best does with the table considering the largest potential threats to financial strength. There is no consistent approach to estimated potential impact. Two companies with the exact same exposure to a risk might report vastly different dollar figures. The higher number might be generated by the organization that better understands the risk.
Economic Capital
The most interesting question to me would be to ask how independent of results are the modelers? Who do they report to? How is their bonus determined? My perception is that there is subtle pressure put on modelers to hit certain results and that they should understand their models well enough to know which levers to pull that won’t raise a warning flag. At this point there is no audit requirement for an economic capital model.
Forward Looking
Missing in this questionnaire, as well as the NAIC’s Risk Focused Examinations, is a view of the future. In my opinion, if there is not an immediate solvency issue then the most interesting question is what could impair this organization in the future. For many insurance firms this will be related to selling profitable products and being flexible. It is hard to find distribution without giving away either options or returns. Consolidation in the insurance industry is likely. How many companies have considered their competitive position is their competitors merge? For distressed firms it is rarely a previously managed risk that takes them down. What environmental scanning is being done? What Risks are you Worried about Today? Risks that could be included in this type of analysis would be considered stress tests by many, but how many organizations would share more than they think their competitors are sharing? Here are some risks to ponder, along with their unintended consequences, in no order.
Low interest rate environment is replaced by an inflationary shock
A new competitor enters the insurance market with a known and trusted brand and new distribution channel (WalMart comes to mind)
A reinsurer becomes insolvent due to investment losses, stressing other reinsurers.
The insurance industry experiences higher trending mortality, with a flurry of 30-50 deaths due to obesity
Climate change results in changing weather patterns, with more volatile weather and crop patterns
A consolidator enters the industry, generating economies of scale that reduce potential returns by 2%.
Infrastructure around the world ends its useful lifetime and is not replaced.
Water wells are drilled in developed countries by farmers and local communities to access an aquifer.
Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck! Warning: The information provided in this newsletter is the opinion of Max Rudolph and is provided for general information only. It should not be considered investment advice. Information from a variety of sources should be reviewed and considered before decisions are made by the individual investor. My opinions may have already changed, so you don’t want to rely on them. Good luck!
In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.
The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:
Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.
Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.
Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.
A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.
To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.
Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.
The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.
The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.
Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.
In the past two years, many firms and many investors have de-risked their world.
On the other hand, there is no shortage of advice that you should never seek to avoid all risk. Try typing the two words “Avoid Risk” into Google and more than half of the links that come up are discussions of why that is not a good strategy.
But one of the links that is on the first page is from the Chronicle of Higher Education. The headline is “Most Colleges Avoid Risk Management”
So you now have the classic two by two grid of choices:
Each of the four choices has adherents. But there are pluses and minuses to each choice.
1. Avoid Risk/Avoid Risk Management – a person or organization can do very well with this choice. Until – – – they are struck by a risk that they did no know that they were taking. The only risks that a person who avoids all risk takes are those risk that they are unaware of. This strategy also requires that the world not change too much. The largest risk to this choice is the risk that the person or organization will no longer have a viable strategy. By avoiding risk, they have saved themselves from the agony of failure but also from the joy of successfully developing new strategies – some of which might become the strategy for the future.
2. Avoid Risk/Risk Management – This was the Mubarak strategy. It was very successful for 30 years. Then, suddenly, it stopped working. It feel victim to the failure to adapt risk which is the second type mentioned above. But by practicing risk management, he was able to avoid the first risk above – the risk of taking risks unawares. A firm with a very successful product or business might take up this strategy, seeking to maximize value of that successful strategy.
“People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a years.” – Peter F. Drucker
3. Take Risks/ Avoid Risk Management – On its face, this choice seems clearly irrational. However, it is widely practiced and sometimes by people that are held to be highly successful geniuses in their fields. What we fail to recognize is that some of these folks are simply lucky and the rest might well be geniuses. The lucky are noticed because of survivor bias. So if you choose this strategy, you are following in the footsteps of some of the most famous. And in your own experience, you have probably worked with people who got where they are because of luck. Someone has to get 8 tails in a row flipping coins. And if you award a senior vice presidency to everyone who does …
4. Take Risks / Risk Management – this seems like the most sensible choice. You are then left with the decision of how to choose the risks that you take and which sort of risk management to practice. Which are the main topics of this blog.
In my experience, I have found that some people define risk taking as 3 above – that is diving off the board without looking down first. When they say “you must take risks to get the rewards” they are thinking about the blind risk taking of 3. I can only suggest that a firm should seek to avoid applying strategy 3 to something on which the survival of the firm depends.
It is very difficult to strike the right note looking backwards and talking about risk and risk management. The natural tendency is to talk about the right and wrong “picks”. The risks that you decided not to hedge or reinsure that did not develop losses and the ones that you did offload that did show losses.
There are other important and useful topics that we can address. One of those is the changing risk environment over the year. In addition, we can try to assess the prevailing views of the risk environment throughout the year.
VIX is an interesting indicator of the prevailing market view of risk throughout the year. VIX is in indicator of the price of insurance against market volatility. The price goes up when the market believes that future volatility will be higher or alternately when the market is simply highly uncertain about the future.
Uncertain is the word used most throughout the year to represent the economic situation. But one insight that you can glean from looking at VIX over a longer time period is that volatility in 2010 was not historically high.
If you look at the world in terms of long term averages, a single regime view of the world, then you see 2010 as an above average year for volatility. But if instead of a single regime world, you think of a multi regime world, then 2010 is not unusual for the higher volatility regimes.
So for stocks, the VIX indicates that 2010 was a year when market opinions were for a higher volatility risk environment. Which is about the same as the opinion in half of the past 20 years.
That is what everyone believed.
Here is what happened:
Return
December
6.0%
November
-0.4%
October
3.5%
September
8.7%
August
-5.3%
July
6.8%
Jun
-5.2%
May
-8.3%
April
1.3%
March
5.8%
February
2.8%
January
-3.8%
Average
1.0%
Std Dev
5.6%
That looks pretty volatile. And comparing to the past several years, we see below that 2010 was just a little less actually volatile than 2008 and 2009. So we are still in a regime of high volatility.
So we can conclude that 2010 was a year of both high expected and high actual volatility.
If an exercize like this is repeated each year for each important risk, eventually insights of the possibilities for both expectations and actual risk levels can be formed and strategies and tactics developed for different combinations.
The other thing that we should do when we look back at a year is to note how the year looked in the artificial universe of our risk model.
For example, when many folks looked back at 2008 stock market results in early 2009, many risk manager had to admit that their models told them that 2008 was a 1 in 250 to 1 in 500 year. That did not quite seem right, especially since losses of that size had occurred two or three times in the past 125 years.
What many risk managers decided to do was to change the (usually unstated) assumption that things had permanently changed and that the long term experience with those large losses was not relevant. Once they did that, the risk models were recalibrated and 2008 became something like a 1 in 75 to 1 in 100 year event.
For the stock market, the 15.1% total return was not unusual and causes no concern for recalibration.
But there are many other risks, particularly when you look at general insurance risks, that had higher than expected claims. Some were frequency driven and some were severity driven. Here is a partial list:
Each insurer and reinsurer can look at their losses and see, in the aggregate and for each peril separately, what their models would assign as likelihood for 2010.
The final topic for the year in risk is Systemic Risk. 2010 will go down as the year that we started to worry about Systemic Risk. Regulators, both in the US and globally are working on their methods for inoculating the financial markets against systemic risk. Firms around the globe are honing their arguments for why they do not pose a systemic threat so that they can avoid the extra regulation that will doubtless befall the firms that do.
Riskviews fervently hopes that those who do work on this are very open minded. As Mark Twain once said,
“History does not repeat itself, but it does rhyme.”
And for Systemic Risk, my hope is that the resources and necessary drag from additional regulation are applied, not to prevent an exact repeat of the recent events, while recognizing the possibility of rhyming as well as what I would think would be the most likely systemic issue – that financial innovation will bring us an entirely new way to bollocks up the system next time.
Running a successful business requires doing something almost constantly.
But successful risk management may require doing very little for long stretches of time.
“Just because they say “ACTION” doesn’t mean you have to do anything” Al Pacino
Good risk management means picking your times and picking your actions.
But there is much for the new risk manager to do between the day when they are first given their charge (the call of ACTION) and the day when they must take their first ACTION.
Many new risk managers get completely caught up in the process of creating a risk management system and the idea of ACTION gets moved into some sort of bureaucratic haze. The risk management systems that are described in many textbooks and articles make it seem like ACTIONs will simply happen on their own if the system is all in place.
But any risk manager who has worked through the financial crisis or through any other major loss making crisis will tell you that the ACTIONs that take care of themselves through the system are only the easiest part of the ACTION that is really needed, that really adds value to the organization. The really difficult ACTIONs are the ones that are not so clearly indicated, or the ACTIONs that come after a long period of inaction.
Those actions include things like stopping the growth of a profitable risk, stopping writing a particular risk or even shrinking risk positions.
“Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.”
Pearl Buck
There is a time as well when it is too late for the ACTION. That is because it is usually in the late stages of a boom that the firm takes on the risks that end up making the largest losses.
And when the problem starts to become evident, it is usually much too expensive to lay off the risk positions. The best you can hope for is to stop growing the positions.
So there are times, during a boom, when the most important but most difficult ACTION for a risk manager to take is to stop the growth of an overheated risk.
But there are many other times when the risk manager can concentrate on inaction. Just letting the risk control system do its work.
“put all your eggs in one basket. and then watch that basket”
It seems impossible on first thought to think of that as a view consistent with risk management. But Carnegie was phenomenally successful. Is it possible that he did that flaunting risk management?
Garry Kasparov – World Chess Champ (22 years) put it this way…
“You have to rely on your intuition. My intuition was wrong very few times.”
George Soros has said that he actually gets an ache in his back when the market is about to turn, indicating that he needs to abruptly change his strategy.
Soros, Kasparov, Carnegie are not your run of the mill punters. They each had successful runs for many years.
My theory of their success is that the intuition of Kasparov actually does take into account much more than the long hard careful consideration of a middling chess master. Carnegie and Soros also knew much more about their markets than any other person alive in their time.
While they may not have consciously been following the rules, they were actually incorporating all of the drivers of those rules into their decisions. Most of those rules are actually “heuristics” or shortcuts that work as long as things are what they have been but are not of much use when things are changing. In fact, those rules may be what is getting one into trouble during shifts in the world.
Risk models embody an implicit set of rules about how the market work. Those models fail when the market fails to conform to the rules embedded in the model. That is when things change, when your thinking needs to transcend the heuristics.
So where does that leave the risk manager?
The insights of the ultra successful types that are cited above can be seen to refute the risk management approach, OR they can be seen as a goal for risk managers.
The basket that Carnegie was putting all of his eggs into was steel. His insight about steel was correct, but his statement about eggs and baskets is not particularly applicable to situations less transformational than steel. It is the logic that many applied during the dot com boom, much to their regret in 2001/2002.
The risk manager should look at statements and positions like those above as levels of understanding to strive for. If the risk managers work starts and remains a gigantic mass of data and risk positions without ever reaching any insights about the underlying nature of the risks that are at play, then something is missing.
Perhaps the business that the risk manager works for is one that by choice and risk tolerance insists on plodding about the middle of the pack in risk.
But the way that the risk manager can add the most value is when they are able to provide the insights about the baskets that can handle more eggs. And can start to have intuitions about risks that are reliable and perhaps are accompanied by unmistakable physical side effects.
If you were told that someone had flipped a coin 60 times and had found that heads were the results 2/3 of the time, you might have several reactions.
You might doubt whether the coin was a real coin or whether it was altered.
You might suspect that the person who got that result was doing something other than a fair flip.
You might doubt whether they are able to count or whether they actually counted.
You doubt whether they are telling the truth.
You start to calculate the likelihood of that result with a fair coin.
Once you take that last step, you find that the story is highly unlikely, but definitely not impossible. In fact, my computer tells me that if I lined up 225 people and had them all flip a coin 60 times, there is a fifty-fifty chance that at least one person will get that many heads.
So how should you evaluate the risk of getting 40 heads out of 60 flips? Should you do calculations based upon the expected likelihood of heads based upon an examination of the coin? You look at it and see that there are two sides and a thin edge. You assess whether it seems to be uniformly balanced. Then you conclude that you are fairly certain of the inherent risk of the coin flipping process.
Your other choice to assess the risk is to base your evaluation on the observed outcomes of coin flips. This will mean that the central limit theorem should help us to eventually get the right number. But if your first observation is that person described above, then it will be quite a few additional observations before you find out what the Central Limit Theorem has to tell you.
The point being that a purely observation based approach will not always give you the best answer. Good to make sure that you understand something about the intrinsic risk.
If you are still not convinced of this, ask the turkey. Taleb uses that turkey story to explain a Black Swan. But if you think about it, many Black Swans are nothing more than ignorance of intrinsic risk.
In psychology 101 class you heard about Maslow’s hierarchy of needs, They are:
Physiological Needs
Safety Needs
Belonging
Eswteem
Self-Actualization
Corporations have needs as well. The needs of firms is similar to the needs of the people in the firms.
Hierarchy of Corporate Needs
Sales
Profits
Security
Growth of Value
The ERM process can help companies to satisfy these needs. In ways that no other business management process will. This is true for all businesses, but it is particularly true for financial services businesses like insurance and banking where every transaction can have a significant element of risk for the firm.
Sales
For a business to exist, it must have something that it can sell to some market.
ERM is usually thought of as “the Sales Prevention Department”. But ERM can be instrumental in planning the sales process. But let’s come back to that after discussing the other corporate needs.
Profits
Once a firm has mastered the ability to produce or otherwise provide something that some market will buy, they need to figure out how to deliver that product or service at a cost lower than the price that the market will pay. This is a combination of managing costs and convincing the market of the price that the product/service is worth.
In businesses like insurance or banking, the fundamental transactions of the business involve risk taking in a way that is different from most other businesses. Making a profit ultimately means getting the price right for risk and properly managing the risk so that it rarely gets out of hand.
That is the prime territory for ERM – evaluating and managing risks. So to satisfy this second need of corporations, at least for the corporations in the risk business, ERM is needed.
Without ERM, profits are hit or miss for firms in the risk business.
Security
Once a business has a product that they can reliably sell to a market and has figured out a way to reliably deliver that product at a profit, then that business has value. And the third need becomes important; Security.
This is the case not just for companies in the risk business, but for all types of firms. Once they get used to making money, there is a strong need to keep that happening.
But there are many, many things that can go wrong and put an end to that profitable business. As a general class, we call those things RISKS.
So risk management is applied by firms to deal with those things that might go wrong and end the stream of profits – separately, risk by risk as management becomes aware of those risks.
Enterprise Risk Management provides a different approach, and one that should appeal to those who are fundamentally interested in the security of the firm. While risk management seeks to prevent outsized losses from one cause or another, ERM seeks to manage outsized losses from ANY and ALL sources.
Growth of Value
Once a business has Sales, Profits and Security the focus shifts. And it shifts to growing the value of the firm.
Some firms focus on growing their value by making more of the sales that they mastered at the outset of their existence. Others seek to grow value by increasing their efficiency and increasing the profitability of their business. A few are able to focus on both at the same time.
However, the value of the firm, by some reckonings is the present value of future earnings. Those future earnings can be higher because sales grow or because profits per unit grow. But that future will be discounted by the market. Discounted for both risk and for time.
Since Risk is a major component to value, growing value means managing risk. SO we are again back to ERM. ERM helps management to see the trade-offs, the risk reward trade-offs, that will influence value.
Sales
And so, back to sales. What you find when you look to manage value with ERM is that it helps you to see the value of sales. And what you see will be that different sales have a different impact on the value of the firm.
So ERM can halp to guide the sales planning process, shedding light on which sales to plan to grow the most and which to limit.
So ERM can play a major role in the achievement of all four of the main Corporate Needs.
2: someone or something that creates or suggests a hazard
3: the chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss b: a person or thing that is a specified hazard to an insurer c: an insurance hazard from a specified cause or source <war risk>
4: the chance that an investment (as a stock or commodity) will lose value
These are the only four definitions offered.
So if you build an ERM system and want to use the definition of risk that is popular with ERM folks:
Risk is a deviation from expected.
It is almost certain that among an English speaking non-risk manager management audience, your program will start out with at one count of DOUBLESPEAK against you.
The definition of DOUBLESPEAK, per Wikipedia is:
Doublespeak (sometimes called doubletalk) is language that deliberately disguises, distorts, or reverses the meaning of words. Doublespeak may take the form of euphemisms (e.g., “downsizing” for layoffs), making the truth less unpleasant, without denying its nature. It may also be deployed as intentional ambiguity, or reversal of meaning (for example, naming a state of war “peace”). In such cases, doublespeak disguises the nature of the truth, producing a communication bypass.
You start your discussion of Risk Management by telling everyone that UP is DOWN and HOT is COLD. That OPPORTUNITIES are RISKS.
There is a common English meaning of the word risk that works very well to support Risk Management activities.
The objective of that other DOUBLESPEAK meaning of the word risk is to convey that risk managers can help to find and support opportunities.
Just say that. Say that you can help to find and support opportunities.
It will come off much better than redefining words that everyone knows the meaning of at the outset of your discussion.
Usually risk managers do not think of themselves as being at war. But a risk manager is facing a number of foes. And failure to succeed against those foes can result in the end of the enterprise. So maybe the risk manager can learn from The Art of War.
Sun Tzu’s The Art of War has 11 chapters. Each of these topics can be seen to have a lesson for risk managers.
Laying Plans explores the five fundamental factors that define a successful outcome (the Way, seasons, terrain, leadership, and management). By thinking, assessing and comparing these points you can calculate a victory, deviation from them will ensure failure. Remember that war is a very grave matter of state. The risk manager of course needs plans. Remember that risk management is a grave matter for the enterprise.
Waging War explains how to understand the economy of war and how success requires making the winning play, which in turn, requires limiting the cost of competition and conflict. Risk management does not run on an unlimited budget. In some cases risk managers have not completed their preparations because they have gone forward as if they could spend whatever it took to fulfill their vision for risk management. Of course risk management spending needs to be at a sensible level for the enterprise. Excessive risk management spending can harm an enterprise just as much as an unexpected loss.
Attack by Stratagem defines the source of strength as unity, not size, and the five ingredients that you need to succeed in any war. The risk manager succeeds best if they are able to get the entire organization to support the risk management efforts, not just a large corporate risk management department.
Tactical Dispositions explains the importance of defending existing positions until you can advance them and how you must recognize opportunities, not try to create them. The risk manager needs to build organizational strength to support risk management opportunistically. A risk management program that does not wait for the right opportunities will create internal enemies and will then be fighting both the external risks as well as the internal enemies.
Energy explains the use of creativity and timing in building your momentum. The risk manager also needs to be creative and needs to build momentum. The best risk management program fits well with the culture of the organization. That fit will need to be developed by creatively combining the ideas of risk management with the written and unwritten parts of the organizational imperatives.
Weak Points & Strong explains how your opportunities come from the openings in the environment caused by the relative weakness of your enemy in a given area. Quite often the risk manager will know the right thing to do but will not be able to execute except at extreme danger to their position in the firm. The openings for a risk manager to make the moves that will really lake a difference in the future of the firm come infrequently and without warning. The Risk manager must be looking at these openings and be ready and able to act.
Maneuvering explains the dangers of direct conflict and how to win those confrontations when they are forced upon you. Some thing that the risk managers job is the direct conflict with the important people in the firm who would put the firm in an excessively risky position. This in inadvisable
Variation in Tactics focuses on the need for flexibility in your responses. It explains how to respond to shifting circumstances successfully. Risk Management tactics will be the most successful if they are alligned with the actual risk environment. SeePlural Rationalities and ERM.
The Army on the March describes the different situations in which you find yourselves as you move into new enemy territories and how to respond to them. Much of it focuses on evaluating the intentions of others. Rational Adaptability is the process of assessing the risk environment and selecting the risk management strategy that will work best for the environment.
Terrain looks at the three general areas of resistance (distance, dangers, and barriers) and the six types of ground positions that arise from them. Each of these six field positions offer certain advantages and disadvantages. The risk environment has four main stages, Boom, Bust, Moderate and Uncertain.
The Nine Situations describe nine common situations (or stages) in a campaign, from scattering to deadly, and the specific focus you need to successfully navigate each of them. Companies must determine their risk taking strategy and their risk appetite by looking at the risk environment as well as at their risk taking capacity.
The Attack by Fire explains the use of weapons generally and the use of the environment as a weapon specifically. It examines the five targets for attack, the five types of environmental attack, and the appropriate responses to such attack.
The Use of Spies focuses on the importance of developing good information sources, specifically the five types of sources and how to manage them.
The hunters had come back to the village empty handed after a particularly difficult day. They talked through the evening around the fire about what had happened. They needed to make sense out of their experience, so that they could go back out tomorrow and feel that they knew how the world worked well enough to risk another hunt. This day, they were able to convince themselves that what had happened was similar to another day many years ago and that it was an unusually bad day, but driven by natural forces that they could expect and plan for in the future.
Other days, they could not reconcile an unusually bad day and they attributed their experience to the wrath of one or another of their gods.
Risk managers still do the same thing. They have given this process a fancy name, Bayesian inference. The very bad days, we now call Black Swans instead of an act of the gods.
Where we have truly advanced is in our ability to claim that we can reverse this process. We claim that we can create the stories in advance of the experience and thereby provide better protection.
But we fail to realize that underneath, we are still those hunters. We tell the stories to make ourselves feel better, to feel safe enough to go back out the next day. Once we have gone through the process of a posteriori creation of the framework, the past events fit neatly into a framework that did not really exist when those same events were in the future.
If you do not believe that, think about how many risk models have had to be significantly recalibrated in the last 10 years.
To correct for this, we need to go against 10,000 or more years of human experience. The correction can be summed up with the line from the movie The Fly,
Be afraid. Be very afraid.
There is another answer. That answer is
Be smart. Be very smart.
That is because it is not always the best or even a very good strategy to be very afraid. Only sometimes. So you need to become smart enough to:
Know when it is really important to mistrust the models and to be very afraid
Have built up the credibility and trust so that you are not ignored.
While you are doing that,be careful with the a posteriori creations. The better people get with explaining away the bad days, the harder it will be for you to convince them that a really bad day is at hand.
Is that idea really understood by top management and the board?
Does the board leave every meeting certain that the firm will still be in business when the next scheduled board meeting comes around? How did they get to that certainty?
Can management tell them exactly what sorts of events could put the firm out of business? Have they discussed the sorts of “highly unlikely” events that might take the firm down if they suddenly did happen?
Those are, of course, the conversations that the board might well demand to have if they really understood that Survival is not Mandatory.
That is where the risk manager really earns their money.
The risks that are coming straight down the road, well that is important to pay attention to them. But those are the obvious risks. I would not pay very much for help in avoiding serious accidents from those risks.
But those round the corner risks, that would be very valuable, to have someone who can help to make sure that those out of sight risks do not ruin things.
However, what any risk manager who has tried to focus attention on the Around the Corner Risks has learned is that attending to such risks is often seen as spoiling the game.
In the Black Swan, Nassim Taleb talks about the degree to which businesses are in effect selling out of the money puts and pocketing the risk premium as if it is pure profits.
And that is often the case. Risk managers should extend their view to include analysis of the actual source of profits of the various endeavors of their firms. Any place where the profits are larger than can be explained is a place where the firm might well be getting paid for selling those puts.
The risk manager needs to be able to take that analysis of sources of profits back to top management to have a frank discussion of those unexplained sources of profits.
In most cases, those situations are risks to the firm, either because they represent risk premium for out of the money puts or because they represent temporary inefficiencies. The risk from the temporary inefficiencies is that if management mistakenly assumes that those inefficiencies are permanent, then the firm may over-invest in that activity. That over-investment may then eventually lead to the creation of those our of the money puts as a way to sustain profits when the inefficiencies are extinguished by the market.
An example of this situation is the Variable Annuity market in the US. In the early 1990’s firms were able to achieve good profits from this business largely because there were too few companies in the market. Every market participant could show good profits and growth in this new market without resorting to price competition. This situation attracted many additional insurers into the market, flattening the profitability. The next phase in the market was to offer additional benefits to customers at prices below market cost. These additional benefits were in the form of out of the money puts – guarantees against adverse experience of the investments underlying the product. And the risk premium charged for these benefits was often booked as a profit.
One of the reasons for the confusion between risk premium and profit is the way in which we recognize profits on risks where the period of the risk occurrence is much longer than the period for financial reporting.
The analysis of source of profits can be a powerful tool to help risk managers to both see those around the corner risks and to communicate the possible around the corner risks before them become immanent.
If something happens more or less the same way for any extended period of time, the normal reaction of humans is consider that phenomena as constant and to largely filter it out. We do not then even try to capture new information about changes to that phenomena because our senses tell us that that input is “pure noise” with no signal. Hence the famous story about boiling frogs. Which may or may not be actually true about frogs, but it definitely reveals something about the way that humans take in information about the world.
But things can and do actually change. Even things that are more or less the same for a very long time.
In the book, “This Time It’s Different”, the authors state that
“The median inflation rates before World War I were well below those of the more recent period: 0.5% per annum for 1500 – 1799 and 0.71% for 1800 – 1913, in contrast with 5% for 1914 – 2006.”
Imagine that. Inflation averaged below 0.75% for about 300 years. Since there is no history of extended periods of negative inflation, to get an average that low, there must be a very low standard deviation as well. Inflation at a level of 3 or 4% is probably a one in a million situation. Or so intelligent financial analysts before WWI must have thought that they could make plans without any concern for inflation.
But in the years following WWI, governments found a new way to default on their debts, especially their internal debts. Reinhart and Rogoff point out that almost all of the discussion by economists regarding sovereign default is about external debt. But they show that internal debt is very important to the situations of sovereign defaults. Countries with high levels of internal debt and low external debt will usually not default, but countries with high levels of both internal and external debt will often default.
So as we contemplate the future of the aging western economies, we need to be careful that we do not exclude the regime changes that could occur. And which regime changes that we should be concerned about becomes clearer when we look at all of the entitlements to retirees as debt (is there any effective difference between debt and these obligations?). When we do that we see that there are quite a few western nations with very, very large internal debt. And many of those countries have indexed much of that debt, taking the inflation option off of the table.
Reinhart and Rogoff also point out the sovereign default is usually not about ability to pay, it is about willingness to make the sacrifices that repayment of debt would entail.
So Risk Managers need to think about possible drastic regime changes, in addition to the seemingly highly unlikely scenario that the future will be more or less like the past.
Who should have responsibility for risk management?
Is it the CRO? Is it the Business Unit Heads? Is it everyone? or is it the CEO (As Buffet suggests)?
My answer to those questions is YES. Definitely.
You see, there is plenty of risk to go around.
The CEO should be responsible for the Firm Killing Risks. He/She should be the sole person who is able to commit the firm to an action that creates or adds to a firm killing risk position. He/She should have control systems in place so that they know that no one else is taking and Firm Killing Risks. He/She should be in a constant dialog with the board about these risks and the necessity for the risks as well as the plans for managing those sorts of risks.
At the other end of the spectrum, there are the Bad Day Risks. Everyone should be responsible for their share of the Bad Day Risks.
And somewhere in the middle are the risks that the CRO and Business Unit Heads should be managing. Those might be the Bad Quarter Risks or the Bad Year Risks.
As the good book says, “To each according to his ability”. That is how Risk Management responsibility should be distributed.
Google the term crippled epistemology and you get lots of articles and blog posts about extremists and fanatics and also some blog posts BY the extremists and fanatics.
Crippled epistemology means that someone cannot see the truth.
Daniel Patrick Moynahan is reported as saying “Everyone is entitled to his own opinion, but not his own facts.”
But there are just too many facts. Any one person cannot attend to ALL of the facts. They must filter the facts, choose the facts that are more important. We all filter the facts that we pay attention to.
But sometimes, those filters become too strong. Things went along in a certain pattern for a length of time, so we filtered out of our consideration many of those things that either failed to evidence any variability or that had totally predictable variability.
Those filters take on the aspect of a crippling epistemology. Our approach to knowledge keeps us from understanding what is actually happening.
Sounds pretty esoteric. But in fact it is one of the most important issues in risk management.
We need to have systems that work on a real time basis to provide the information that drives our risk decisions. But we must be careful that that expensive and impressive risk information system does not actually obscure the information that we really need.
For the investors in sub prime mortgages prior to 2007, they had developed an epistemology, an approach to their knowledge of the markets. Ultimately that epistemology crippled them, because it did not allow them to see the real underlying weakness to that market.
So a very important step to be performed periodically for risk managers is an Epistemology Review. Making sure that the risk systems actually are capturing the needed information about the risks of the firm.
Once you think of it, it seems obvious. Risk Managers need humility.
If you are dealing with any killer physical risk, there are two types of people who work close to that risk, the humble and the dead.
Being humble means that you never lose sight of the fact that RISK may at any time rise up in some new and unforeseen way and kill you or your firm.
Risk managers should read the ancient Greek story of Icarus.
Risk managers without humility will suffer the same fate.
Humility means remembering that you must do every step in the risk management process, every time. The World Cup goalkeeper Robert Green who lets an easy shot bounce off of his hands and into the goal has presumed that they do not need to consciously attend to the mundane task of catching the ball. They can let their reflexes do that and their mind can move on to the task of finding the perfect place to put the ball next.
But they have forgotten their primary loss prevention task and are focusing on their secondary offense advancement task.
The risk managers with humility will be ever watchful. They will be looking for the next big unexpected risk. They will not be out there saying how well that they are managing the risks, they will be more concerned about the risks that they are unprepared for.
Risk managers who are able to say that they have done all that can be done, who have taken all reasonable precautions, who can help their firm to find the exact right level and mix of risks to optimize the risk reward of the firm are at serious risk of having the wax holding their feathers melt away and of falling to earth.
Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM were shown to reconcile the risk concerns of policyholders and shareholders.
Creditors, including policyholders, and rating agencies or regulators whose mission it is to protect creditors, and shareholders are all interested in the financial health of an insurer, but in different ways. Creditors want to be assured that an insurance company will be able to honor its obligations fully and in a timely manner. For creditors, the main risk question is: what is the risk ofthe business? This is another way to ask whether the company will remain solvent.
Shareholders, however, are interested in the value of the business as a going concern, in how much this value might increase and by how much it might decline. For shareholders, the main risk question is: what is the risk tothe business? Shareholders are interested in what ERM can do to increase and protect the value of their investment in a company. While both creditors and shareholders are interested in the tail of the distribution of financial results, as an indicator of solvency risk, shareholders are also very interested in the mean of these financial results and their volatility, which could have an adverse impact on the value of their investment.
Policyholders and shareholders’ views are different but not incompatible: a company could not stay in business if it were not able to persuade regulators that it will remain solvent and should be allowed to keep its license, or obtain from rating agencies a rating suitable for the business it writes. Its value to investors would be significantly impaired..
Insurers recognize that the main drivers of their risk profile are financial risks, including insurance risk accumulations and concentrations, and the related market risk associated with their investment activities. They understand that resulting risks are best controlled at the point of origination through appropriate controls on underwriting and pricing and through reinsurance and asset allocation strategies that limit the volatility of financial outcomes. Stochastic modeling is being used more broadly by companies to understand how such risks accumulate, interact and develop over time and to evaluate strategies that enhance the stability of outcomes. Capital adequacy is the ultimate defense against severe risk “surprises” from insurance and investment activities. It is of interest to policyholders who want to be certain to collect on their claims, but also to shareholders who want assurance that a company can be viewed as a going concern that will write profitable business in the future.
Methodologies used by rating agencies on behalf of creditors describe in detail how the rating process deals with the three main drivers of a company’s financial position and of the volatility (risk) of this position. In response to rating agency concerns, insurance companies focus on determining how much “economic capital” they need to remain solvent, as a first step toward demonstrating the adequacy of their capital. Analyses they perform involve calculation of the losses they can suffer under scenarios that combine the impact of all the risks to which they are exposed. This “total risk” approach and the related focus on extreme loss scenarios (“high severity/low frequency” scenarios) are central to addressing creditors’ concerns.
To address the solvency concerns of creditors, rating agencies and regulators and the value risk of shareholders, insurance companies need to know their complete risk profile and to develop separate risk metrics for each group of constituents. Knowledge of this risk profile enables them to identify the distinct risk management strategies that they need to maintain high ratings while also protecting the value of their shareholders’ investment. Leading ERM companies have become well aware of this requirement and no longer focus solely on tail scenarios to develop their risk management strategies.
There has always been an issue with TRUTH with regard to risk. At least there is when dealing with SOME PEOPLE.
The risk analyst prepares a report about a proposal that shows the new proposal in a bad light. The business person who is the champion of the proposal questions the TRUTH of the matter. An unprepared analyst can easily get picked apart by this sort of attack. If it becomes a true showdown between the business person and the analyst, in many companies, the business person can find a way to shed enough doubt on the TRUTH of the situation to win the day.
The preparation needed by the analyst is to understand that there is more than one TRUTH to the matter of risk. I can think of at least four points of view. In addition, there are many, many different angles and approaches to evaluating risk. And since risk analysis is about the future, there is no ONE TRUTH. The preparation needed is to understand ALL of the points of view as well many of the different angles and approaches to analysis of risk.
The four points of view are:
Mean Reversion – things will have their ups and downs but those will cancel out and this will be very profitable.
History Repeats – we can understand risk just fine by looking at the past.
Impending Disaster – anything you can imagine, I can imagine something worse.
Unpredictable – we can’t know the future so why bother trying.
Each point of view will have totally different beliefs about the TRUTH of a risk evaluation. You will not win an argument with someone who has one belief by marshalling facts and analysis from one of the other beliefs. And most confusing of all, each of these beliefs is actually the TRUTH at some point in time.
For periods of time, the world does act in a mean reverting manner. When it does, make sure that you are buying on the dips.
Other times, things do bounce along within a range of ups and downs that are consistent with some part of the historical record. Careful risk taking is in order then.
And as we saw in the fall of 2008 in the financial markets there are times when every day you wake up and wish you had sold out of your risk positions yesterday.
But right now, things are pretty unpredictable with major ups and downs coming with very little notice. Volatility is again far above historical ranges. Best to keep your exposures small and spread out.
So understand that with regard to RISK, TRUTH is not quite so easy to pin down.
The ERM Symposium is now 8 years old. Here are some ideas from the 2010 ERM Symposium…
Survivor Bias creates support for bad risk models. If a model underestimates risk there are two possible outcomes – good and bad. If bad, then you fix the model or stop doing the activity. If the outcome is good, then you do more and more of the activity until the result is bad. This suggests that model validation is much more important than just a simple minded tick the box exercize. It is a life and death matter.
BIG is BAD! Well maybe. Big means large political power. Big will mean that the political power will fight for parochial interests of the Big entity over the interests of the entire firm or system. Safer to not have your firm dominated by a single business, distributor, product, region. Safer to not have your financial system dominated by a handful of banks.
The world is not linear. You cannot project the macro effects directly from the micro effects.
Due Diligence for mergers is often left until the very last minute and given an extremely tight time frame. That will not change, so more due diligence needs to be a part of the target pre-selection process.
For merger of mature businesses, cultural fit is most important.
For newer businesses, retention of key employees is key
Modelitis = running the model until you get the desired answer
Most people when asked about future emerging risks, respond with the most recent problem – prior knowledge blindness
Regulators are sitting and waiting for a housing market recovery to resolve problems that are hidden by accounting in hundreds of banks.
Why do we think that any bank will do a good job of creating a living will? What is their motivation?
We will always have some regulatory arbitrage.
Left to their own devices, banks have proven that they do not have a survival instinct. (I have to admit that I have never, ever believed for a minute that any bank CEO has ever thought for even one second about the idea that their bank might be bailed out by the government. They simply do not believe that they will fail. )
Economics has been dominated by a religious belief in the mantra “markets good – government bad”
Non-financial businesses are opposed to putting OTC derivatives on exchanges because exchanges will only accept cash collateral. If they are hedging physical asset prices, why shouldn’t those same physical assets be good collateral? Or are they really arguing to be allowed to do speculative trading without posting collateral? Probably more of the latter.
it was said that systemic problems come from risk concentrations. Not always. They can come from losses and lack of proper disclosure. When folks see some losses and do not know who is hiding more losses, they stop doing business with everyone. None do enough disclosure and that confirms the suspicion that everyone is impaired.
Systemic risk management plans needs to recognize that this is like forest fires. If they prevent the small fires then the fires that eventually do happen will be much larger and more dangerous. And someday, there will be another fire.
Sometimes a small change in the input to a complex system will unpredictably result in a large change in the output. The financial markets are complex systems. The idea that the market participants will ever correctly anticipate such discontinuities is complete nonsense. So markets will always be efficient, except when they are drastically wrong.
Conflicting interests for risk managers who also wear other hats is a major issue for risk management in smaller companies.
People with bad risk models will drive people with good risk models out of the market.
Inelastic supply and inelastic demand for oil is the reason why prices are so volatile.
It was easy to sell the idea of starting an ERM system in 2008 & 2009. But will firms who need that much evidence of the need for risk management forget why they approved it when things get better?
If risk function is constantly finding large unmanaged risks, then something is seriously wrong with the firm.
You do not want to ever have to say that you were aware of a risk that later became a large loss but never told the board about it. Whether or not you have a risk management program.
Game Theory suggests that you can get pretty far simply looking at expected values. But the expected values need to be done right, looking at both upside and downside.
Looking at the consequences of the compensation paid by financial institutions suggests that boards who approved the compensation did not do their Game Theory homework. Management is given a huge share of the upside and their incentives are thought to be aligned with shareholders because of a stock component to their compensation.
Maybe that works, maybe not. The math is simple enough. They should check. A Game Theory, risk adjusted compensation analysis (simplified for this post) would look like this:
Proposed Transaction:
Upside: $100,000,000 – likelihood 60%
Downside: ($100,000,000) – likelihood 40%
Expected Value: $20,000,000
So far so good. Now the firm already has a risk adjusted compensation system. Under that system, there is a cost of capital charge assessed against profits before calculating bonus. In this case, the capital is based upon the $100,000,000 downside. The cost of capital is 5%, so the “risk adjustment” is 5%. The bonus formula will pay out 40% of the risk adjusted gain, half in cash and half in stock. In the past, the compensation committee has seen this process and stopped there. It seems that they took care of every angle.
But this year, one comp committee member hears a lecture on Game Theory and asks for additional analysis:
Risk Adjusted Expected Value Analysis:
Management:
Upside: 40% of $100,000,000 less $5,000,000 equals $38,000,000. Pay $19,000,000 cash and $19,000,000 stock. Stock is purchased at time of award. Likelihood 60%
Downside: Zero Current award. Loss in value of stock holdings from past awards. Back to that in a minute.
Shareholders:
Upside: $62,000,000 of gains plus risk charge times 10 equals $620 million. Likelihood of 60%
Downside $$100,000,000 of losses times 10 equals ($1 Billion). Likelihood of 40%
Expected value: ($2.8 million)
Now back to the employees…
The downside from their 0.1% of stock is ($1 million) so their expected value is $22 million positive.
So a real Game Theory based risk adjusted analysis would show that there is huge upside to management for risky deals and much smaller risk adjusted expectation for the shareholders. (In this example an expected loss).
Perhaps every deal should be presented on this risk adjusted basis. It might take a few of these presentations, but sooner or later the lopsided deal will sink in.
But then the game will shift. Already, the game is to present these deals optimistically, so that the likelihood of upside is overstated and the downside is underestimated. If compensation is skewed as drastically as the above example, highly risky deals look just fine on a risk adjusted expected value basis to employees. If the board insists that the shareholders really have a positive expected value, then the deals will need to be much less risky – at least on paper.
The stress testing that is being promoted as a major risk management tools (in part because of this very problem of over optimistic risk models) needs to then also be done to the risk adjusted compensation analysis. The stress tests for this purpose do not need to be as drastic as the stress tests for solvency management. What you should be looking for is the inflection point where the deal starts to fall into the situation where the management and shareholders are no longer on the same side, where their expected values are of opposite signs. If that inflection point is found with a stress test that is somewhat close to the base model assumptions, then that is a flashing red light for the risk manager and the board.
When I was a kid in the 1960’s, I was sick and tired of how much time on TV and movies was taken up with stories of WWII. Didn’t my parent’s generation get it? WWII was ancient history. It was done. Move on. Join the real world that was happening now.
From that statement, you can tell that I am a Boomer. But I am already sick and tired of how much ink and TV and movies and Web time is devoted to the passing of the world as the Boomers remember the golden age of our youth. Gag me. Am I going to have to hear this the entire rest of my life? Get over it. Move on. Live in the current world.
Risk managers need to carefully convey that message to the folks who run their companies as well. What ever way the world was in the “Glory Days” of the CEO or Business Unit manager’s career, things are different. Business is different. Risks are different. Strategies and companies must adapt. Adapt, Burn Out or Fade Away are the choices. Better to Adapt.
I saw this happen once before in my career. Interest rates steadily rose from the late 1940’s through the early 1980’s. A business strategy that emphasized amassing cash, locking in a return promise and investing it in interest bearing instruments could show a steady growth in profits almost every single year without too much difficulty. Then suddenly in the mid-1980’s that didn’t work anymore. Interest rates went down more than up for a decade and have since stayed low. Firms either adapted, burned out or faded away.
We have just concluded a (thankfully) brief period of massive financial destruction and are in an uncertain period. When we come out of this uncertainty, some of the long held strategies of firms will not work. Risks will be different.
The risk manager needs to be one of the voices that helps to make sure that this is recognized.
In addition, the risk manager needs to recognize that one or many of the risk models that were used to assess risk in past periods will no longer work well. The risk manager needs to stand ready to adapt or fade away.
And the models need to be calibrated to the new world, not the old. Calibrating to include the worst of the recent past might seem like prudent risk management, but it may well not be realistic. If the world reverts to a reasonable growth pattern, the next such event may well not happen for 75 years. Does your firm really need to avoid exposures to the sorts of things that lost money in 2008 for 75 years? Or would that mean forgoing most of the business opportunities of that period?
Getting the correct answers to those questions will mean the different between Growth, burn out or fading away for your firm.
Risk management is sometimes summarized as a short set of simply stated steps:
Identify Risks
Evaluate Risks
Treat Risks
There are much more complicated expositions of risk management. For example, the AS/NZ Risk Management Standard makes 8 steps out of that.
But I would contend that those three steps are the really key steps.
The middle step “Evaluate Risks” sounds easy. However, there can be many pitfalls. A new report [CARE] from a working party of the Enterprise and Financial Risks Committee of the International Actuarial Association gives an extensive discussion of the conceptual pitfalls that might arise from an overly narrow approach to Risk Evaluation.
The heart of that report is a discussion of eight different either or choices that are often made in evaluating risks:
MARKET CONSISTENT VALUE VS. FUNDAMENTAL VALUE
ACCOUNTING BASIS VS. ECONOMIC BASIS
REGULATORY MEASURE OF RISK
SHORT TERM VS. LONG TERM RISKS
KNOWN RISK AND EMERGING RISKS
EARNINGS VOLATILITY VS. RUIN
VIEWED STAND-ALONE VS. FULL RISK PORTFOLIO
CASH VS. ACCRUAL
The main point of the report is that for a comprehensive evaluation of risk, these are not choices. Both paths must be explored.
Half a league onward,
Riskviews 