Archive for the ‘Strategic Risk’ category

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.

By Julian Voss-Andreae (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)%5D, via Wikimedia Commons

A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are may possible reasons for poor results.  Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped.  Correlation is the most misunderstood statistic.  Risk managers would do well to study and understand what valuable and reliable uses that there are for correlation calculations.  They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

Why isn’t Strategic Risk included in ERM?

June 22, 2012

Many ERM systems exclude Strategic Risk.   The ERM systems usually include Market, Credit, Insurance and Operational Risk.  But not Strategic Risk.

Perhaps the assumption is that the ERM systems are about managing capital for the fluctuations and extreme losses of the business.

More likely, strategic risk is left out for two reasons.  First of all, the CEO and senior officers probably do not want to delegate this work.  Concerns about strategic risk are quite high in the priorities of a senior management team.  It is also a major concern of boards.

The second reason is that ERM has been highly focused on “measurable” risks and few feel that they can measure things like reputation risk and strategic risk.  So it may well be that risk managers are not asking to be given responsibility for helping with strategic risk.

But CROs need to remember that strategic risk is real, is very large and is not on their list of risks.  Because when they go to the board and top management with their “holistic” risk presentations, they will have a difficult time if the fail to ever even mention strategic risks.

In a the average company, their risk of failure averages between 2% for the largest and most secure firms and 5% for all other firms.  (Based upon studies of corporate longevity.  Fortune 500 firms have an average lifespan of about 40 years and an average firm only14.5 years.)

When other studies look at cause of major problems for firms, strategic risk make up about 70% of the events that result in a stock drop of 20% or more and operational risks, 20% and financial risks only 10%.

While those statistics are not widely known, it seems likely that a risk presentation that totally ignores strategic risk will strike board members who are generally aware of what causes problems for firms to wrinkle their brows with disbelief.

Now insurers, for example, have a different risk profile.  Their Financial and insurance risks are thought to be about 4 times as large as their operational risk.  Making a rough just ice adjustment to the figures above, one migh estimate that Insurance and Financial Risks are perhaps 55% of the total risk profile, Operational risk about 12% and Strategic risk about 33%.

So there is a range for thinking about strategic risk for insurers – between 33% and 70% of total risk.

Think about that before the next time you talk to your board about the firm’s risk profile.

Incorporating Risk into Planning and Strategy

May 31, 2011

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory and the business education that flows from utility theory suggests very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might be also reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often is actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under and external constraint system are ill equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

  • Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
  • Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedence probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
  • Risk Controls review.  Each risk operated within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
  • Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.

 

Business Risks

December 22, 2010

US News and World Report had a recent feature “20 Companies that Cratered in 2010“.

Reading their article, I can only come up with four reasons why the 20 firms went bankrupt:

  1. Overconcentration in the mortgage backed securities market.  (Ambac)
  2. Failed to adapt to competition with a new approach to the business (Affiliated Media, Mareican Media, Penton Media, Blockbuster, Movie Gallery, Newsweek, Oriental Trading)
  3. Insufficient New Products (Hummer, Mercury, Pontiac, MGM)
  4. Insufficient resilience to recession due to excess debt (Inkeepers USA, Jennifer Convertibles, Loehmann’s, Mesa Air, Uno Restuarant Holdings, Urban Brands, Swoozies, A&P)

Fully 95%, 19 out of 20 of these bankruptcies are caused by business risks.

Meanwhile, risk managers in the insurance industry are off building risk management systems that assure that there is no more than a 1/200 chance of a loss large enough to cause a bankruptcy.

But Business Risk is not on the list of risks that are being considered in the Solvency II or Basel III regimes.

Fully 95% of US bankruptcies in 2010 were caused by business risks.  Does that mean that we are building a system that assures that we are 99.5% safe from 5% of the risks?

Does this give risk managers a hint as to why top management may only want to devote a small amount of their attention to the management of those 5% risks?

Are top management spending their time paying attention to those pesky risks of Competition, Products and Resilience?

Risk Managers can and should address those risks as well.  But rather than moving away from the risk management discipline, risk managers should be looking to see how the risk management processes can be of help with those risks.

Now, for the folks who think of risk management purely as a modeling exercize, this discussion is largely over.  But if you see your risk management program as a management control system, then there is much for you to bring to help with these risks.

These risks can be handled like any of the Operational risks that are difficult to model.  Key Risk indicators are identified and monitored.  Triggers can be set to initiate actions.  And actions taken to react to increasing indication of risks.

For the three big Business Risks that took down companies in 2010, there are particular concerns:

  • Competition – Business managers must move away from sports analogies.  They make companies particularly at risk for this type of competition.  In sports, the opposing team rarely starts playing a totally different game.  The football team will not be opposed by a hockey club.  But in business, there is often not anything to stop a competitor from starting to play a totally different game.  Risk management needs to be built from te premise that there really are very few rules restricting competitors.
  • Product Risk – in many cases that largest source of product risk is a successful product.  Especially a highly profitable successful product.  Firms with such often find it extremely difficult to justify the cost and risk and low profitability of new products.  The risk manager needs to consider addressing this risk from the point of view of revenue diversification.  Concentrations are often the most profitable and the most risky in the long term.
  • Resilience – This comes closer to regular risk management territory.  But often a major change in business volume either up or down is not a scenario that is factored into the risk model.  Most often, the level of business activity is taken as a constant!  How totally unrealistic is that?  The level of business activity is definitely NOT constant and NOT predictable.  It is at least as uncertain as any of the things that ARE being modeled.  Risk models can be used to evaluate the impact of simultaneous changes in the level of business along with other adverse events.   Perhaps it might make sense to also assume that if volumes are going up beyond a certain range, that selectivity might be going down.  Or that if volumes are decreasing, that margins might be squeezed in addition to the expense squeeze because of competition for the lower amount of business.

Risk managers can bring something to the table for discussions of Business Risk.  But it will take breaking out of their sometimes self imposed bounds.

Hierarchy of Corporate Needs and ERM

October 31, 2010

In psychology 101 class you heard about Maslow’s hierarchy of needs, They are:

  1. Physiological Needs
  2. Safety Needs
  3. Belonging
  4. Eswteem
  5. Self-Actualization

Corporations have needs as well.  The needs of firms is similar to the needs of the people in the firms.

Hierarchy of Corporate Needs

  • Sales

  • Profits

  • Security

  • Growth of Value

The ERM process can help companies to satisfy these needs.  In ways that no other business management process will. This is true for all businesses, but it is particularly true for financial services businesses like insurance and banking where every transaction can have a significant element of risk for the firm.

Sales

  • For a business to exist, it must have something that it can sell to some market.
  • ERM is usually thought of as “the Sales Prevention Department”.  But ERM can be instrumental in planning the sales process.  But let’s come back to that after discussing the other corporate needs.

Profits

  • Once a firm has mastered the ability to produce or otherwise provide something that some market will buy, they need to figure out how to deliver that product or service at a cost lower than the price that the market will pay.  This is a combination of managing costs and convincing the market of the price that the product/service is worth.
  • In businesses like insurance or banking, the fundamental transactions of the business involve risk taking in a way that is different from most other businesses.  Making a profit ultimately means getting the price right for risk and properly managing the risk so that it rarely gets out of hand.
  • That is the prime territory for ERM – evaluating and managing risks.  So to satisfy this second need of corporations, at least for the corporations in the risk business,  ERM is needed.
  • Without ERM, profits are hit or miss for firms in the risk business.

Security

  • Once a business has a product that they can reliably sell to a market and has figured out a way to reliably deliver that product at a profit, then that business has value.  And the third need becomes important; Security.
  • This is the case not just for companies in the risk business,  but for all types of firms.  Once they get used to making money, there is a strong need to keep that happening.
  • But there are many, many things that can go wrong and put an end to that profitable business.  As a general class, we call those things RISKS.
  • So risk management is applied by firms to deal with those things that might go wrong and end the stream of profits – separately, risk by risk as management becomes aware of those risks.
  • Enterprise Risk Management provides a different approach, and one that should appeal to those who are fundamentally interested in the security of the firm.  While risk management seeks to prevent outsized losses from one cause or another, ERM seeks to manage outsized losses from ANY and ALL sources.

Growth of Value

  • Once a business has Sales, Profits and Security the focus shifts.  And it shifts to growing the value of the firm.
  • Some firms focus on growing their value by making more of the sales that they mastered at the outset of their existence.  Others seek to grow value by increasing their efficiency and increasing the profitability of their business.  A few are able to focus on both at the same time.
  • However, the value of the firm, by some reckonings is the present value of future earnings.  Those future earnings can be higher because sales grow or because profits per unit grow.  But that future will be discounted by the market.  Discounted for both risk and for time.
  • Since Risk is a major component to value, growing value means managing risk.  SO we are again back to ERM.  ERM helps management to see the trade-offs, the risk reward trade-offs, that will influence value.

Sales

  • And so, back to sales.  What you find when you look to manage value with ERM is that it helps you to see the value of sales.  And what you see will be that different sales have a different impact on the value of the firm.
  • So ERM can halp to guide the sales planning process, shedding light on which sales to plan to grow the most and which to limit.

So ERM can play a major role in the achievement of all four of the main Corporate Needs.

Managing Operational Risk

June 13, 2010

By Jean-Pierre Berliet

Discussions with senior executives have suggested that decision signals from ERM would be more credible and that ERM would be a more effective management process if ERM were shown to support management of operational risk

Operational risk comprises two different types of risks: execution risk and strategic risk.

These two categories of operational risk are important to policyholders and shareholders because they can reduce both the insurance strength and the value of insurance companies.

Strategic risk stems from external changes that can undermine the profitability and growth expectations of a company’s business model and strategy, and therefore have a significant impact on its value. Execution risk originates in internal failures to manage the operations of a company competently, with the needed level of foresight, prudence, risk awareness, and preparedness. Execution and strategic risks impact insurance companies differently and, as a result, call for distinct mitigation strategies.

Execution risks

Although financial risks are the primary determinant of the volatility of financial results of insurance companies, execution risks can also cause material adverse deviations from expected financial results

Execution risks include, for example,   economic losses resulting from i) delays in alleviating adverse consequences of changes in the volume of activity (mismanagement), ii) events that can interrupt business operations whether man made or natural (lack of preparedness), and iii) failures in controls that cause economic losses, create liabilities or damage the company’s reputation (market conduct, regulatory compliance, bad faith in claim management, fraud, IT security, etc..).

Execution risks reduce current financial performance and company valuation. Company valuation is reduced because i) investors often view negative earnings  deviations as predictors of future decline in profitability and ii) performance volatility can derail the execution of a company’s growth strategy

Execution risks are relatively easy to identify, if not to mitigate for company management. Although stochastic modeling tools and event databases could be used to simulate the impact of execution risks on financial performance, and fine tune mitigation strategies, undertaking such modeling is very costly, and may be of limited value. Company management has fiduciary obligations to set in place processes designed to avoid executions risks, establish post event recovery procedures, and to ensure compliance.

Both policyholders and shareholders need to note that

  • Execution risks can impact financial performance significantly in the year or period of occurrence but may have a more or less pronounced impact on performance in subsequent periods and company valuation, depending on the availability of recovery strategies and the preparedness of a company.
  • The impact of execution risks on a company’s market value can be derived from estimated adjustments to free cash flow projections.  This is particularly significant in connection with risk events that erode a company’s competitive advantage or damage its reputation. Such events can reduce the market value of a company significantly by reducing its volume of business or its pricing flexibility.

Management processes and management action, not capital, are the natural remedy for execution risks. Board of Directors or Audit Committees of such boards have become increasingly involved in exercising oversight of execution risks and their management by operating executives.

Strategic Risks

Strategic risks can undermine the economic viability of the business model and future financial performance of insurance companies. They can have a significant adverse effect on i) a company’s insurance ratings and the credit worthiness of its debt and ii) its market capitalization. Strategic risks can cause otherwise solvent companies to lose a substantial share of their market value in a short time, provoke legal action by disgruntled shareholders, inflict serious economic losses to Directors, senior executives and other employees, and induce potential raiders to attempt a take over.

Strategic risks are also very important to policyholders, (especially those who have bought protection against slowly emerging liabilities or policies that provide indemnification benefits in the form of annuity payments), because strategic risks that undermine the ability of companies to earn formerly expected returns also reduce the credit worthiness of these companies. Strategic risks stem from external changes in the regulations, institutional arrangements, competition, technology or demand that can erode the competitive advantage of an insurance company and its ability to operate credibly and profitably as a going concern in the future.

Strategic risks do not receive as much attention as they should because they are difficult to identify and assess, and are often viewed as “uncontrollable”. At any point in time, it can be very difficult to assess whether a quantum change in any element of strategic risks is close to happening. When such a change occurs, however, its impact on future performance can cause a swift decline in the market values of a company.

To identify and manage strategic risks, companies need to:

  • Conduct and challenge a periodic defensibility analysis of their business model and competitive advantage
  • Monitor market developments for emerging trends with potential adverse effects (loss of business to competitors, emergence of new risk transfer technologies or product innovations, regulatory developments, etc.)
  • Develop appropriate responses to adverse developments through adjustment in capabilities, redeployment of capacity, change in composition and level of service provided, industry level lobbying of lawmakers and regulators, sponsorship of and participation in industry associations, etc…
  • Communicate reasons for and objectives of needed changes to both customers and shareholders.
  • Integrate the planned strategic response into action plans, budgets and objectives of business units

Insurance companies need to include in ERM a process that provides consistent and updateable insights into strategic risks to which they are exposed. Because the insurance industry has been highly regulated, many insurance companies have not developed deep strategy development and assessment skills. It will be a challenge at first for such companies to establish strategic risk assessment frameworks powerful enough to yield robust insights but simple enough to be user friendly.

A number of companies that have already implemented comprehensive  frameworks to manage financial risks have begun addressing operational risks more formally. They believe that the introduction in operations management of specific risk management control components will create value by:

  • Enhancing the level and the stability of their financial results
  • Reducing the probability of serious value losses caused execution risks and strategic risks.

The establishment of operational effective risk management frameworks and processes within ERM is of critical importance to all constituents of insurance companies.

©Jean-Pierre Berliet

Berliet Associates, LLP

(203) 247 6448

jpberliet@att.net

May 22, 2010

Uncertain Decisions

June 7, 2010

There have been many definitions of ERM.  Most suffer from the “too many words” syndrome.  They are too long, making it likely that a casual reader will suffer reading fatigue before completing and therefore will decide that the topic is too complicated to be useful.

Here is a try at a very crisp definition:

ERM is a system for enhancing decision making under uncertainty that requires consideration of ALL of the risks of the enterprise.

And also for plain “Risk Management”

Risk Management is a system for enhancing decision making under uncertainty that focuses on risks as well as returns.

Fundamentally linking ERM and Risk Management to decision making is important, vitally important.  Otherwise funders of ERM programs will be quickly disenchanted with the expensive staffs and systems needed to support a Risk Management Entertainment System.

All ERM and Risk Management activities should be judged in terms of how well they support important decisions.

The important decisions that can be supported by ERM and Risk Management are many. Primary among them are:

  1. How much risk should the company take?
  2. How best to transition from the risk level that the company is taking to the risk level that the company should be taking?
  3. How to assure that the company takes no more risk than it should take?
  4. Which Risks should the company take?
  5. How best to transition from the risks that the company is taking to the risks that the company should be taking?
  6. How to manage the likelihood that the company will fall short of its earnings targets?

If a firm already has complete processes in place to make all of those decisions, then it already has ERM.  With the rising calls for ERM from regulators, rating agencies and boards, those firms will need to make sure that they can fully articulate the processes that they use to make those decisions.

If, on the other hand, a firm generally makes one or several of those decisions by default, as a fallout from other decisions or on a totally flexible basis as it happens in response to various market forces or on a purely momentum based process that ultimately relies upon some past decisions that may or may not have been made with any concern for risk; then future development of ERM could be vitally important.

The support that ERM provides to all of these decisions is of the nature of an eyes open approach to risk.  This general theme is perhaps the reason why ERM often seems to be a massive management information exercize.

But management information about risk is the means to supporting risk focused decision making, not the ends.


%d bloggers like this: