Risk Intelligence IV

Overcoming Biases

In a recent post, RISKVIEWS proposed that Risk Intelligence would overcome biases.  Here are some specifics…

• Anchoring – too much reliance on first experience
• Availability – overestimate likelihood of events that readily come to mind
• Confirmation Bias – look for information that confirms bias
• Endowment effect – overvalue what you already have
• Framing effect – conclusion depends on how the question is phrased
• Gambler’s Fallacy – Belief that future probabilities are impacted by past experience – reversion to mean
• Hindsight bias – things seem to be predictable after they happen
• Illusion of control – overestimate degree of control over events
• Overconfidence – believe own answers are more correct
• Status Quo bias – Expect things to stay the same
• Survivorship bias – only look at the people who finished a process, not all who started
• Ostrich Effect – Ignore negative information

Each of Education, Experience and Analysis should reduce all of these.

Experience should provide the feedback that most of these ideas are simply wrong.  The original work that started to identify these biases followed the standard psychology approach of excluding anyone with experience and would also prohibit anyone from trying any of the questions a second time.  So learning to identify and avoid these biases through experience has had limited testing.

Education for a risk manager should simply mention all of these biases directly and their adverse consequences.  Many risk managers receiving that education will ever after seek to avoid making those mistakes.

But some will be blinded by the perceptual biases and therefore resist abandoning their gut feel that actually follows the biases.

Analysis may provide the information to convince  some of these remaining holdouts.  Analysis, if done correctly, will follow the logic of economic rationality which is the metric that we used to identify the wrong decisions that were eventually aggregated as biases.

So there may still be some people who even in the face of:

• Experience of less than optimal outcomes
• Education that provides discussion and examples of the adverse impact of decision-making based upon the biases.
• Analysis that provides numerical back-up for unbiased decision making

Will still want to trust their own gut to make decisions regarding risk.

You can probably weed out those folks in hiring.

Advertisement

2019 Most Dangerous Risks

For 2019, a new poll on 180 insurance executives ranks four out of five of last year’s top risks again in the top 5.

See more details at https://blog.willis.com/2019/02/2019-most-dangerous-risks-to-insurers/ 

 

Risk Intelligence II

Somehow it worked.

Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.

They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.

But I think that you could do the same thing with long division. Certainly with calculus. Compare answers of rubes on the sidewalk to math PhD s on a bunch of math questions and how well do you think the rubes would do?

Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.

I am sure that no-one with any Risk Intelligence would have bet against that finding.

Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.

But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.

Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.

And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.

Their conclusion could have been that many of us need basic financial and risk education, better understanding of how to accumulate helpful experiences and some basic analytical skills. Not as much fun as a long list of cutely names biases, but much more helpful.

Did the Three Pigs have different Risk Tolerances?

Or did they just have a different view of the degree of risk in their environment?

By Alex Proimos from Sydney, Australia – Three Little Pigs

Think about it?  Is there any evidence that the first pig, whose house was made off straw, was fine with the idea of losing his house?  Not really.  More likely, he thought that the world was totally benign.  He thought that there was no way that his straw house wouldn’t be there tomorrow and the next day.  He was not tolerant of the risk of losing his house.  He just didn’t think it would happen.  But he was wrong.  It could and did happen.

The second pig used sticks instead of straw.  Did that mean that the second pig had less tolerance for risk than the first pig?  Probably not.  The second pig probably thought that a house of sticks was sturdy enough to withstand whatever the world would send against it.  This pig thought that the world was more dangerous than the first pig.  He needed sticks, rather than straw to make the house sturdy enough to last.  He also was wrong.  Sticks were not enough either.

That third pig has a house of bricks.  That probably cost much more than sticks or straw and took longer to build as well.  The third pig thought that the world was pretty dangerous for houses.  And he was right.  Bricks were sturdy enough to survive.  At least on the day that the wolf came by.

The problem here was not risk tolerance, but inappropriate parameters for the risk models of the first two pigs.  When they parameterized their models, the first pig probably put down zero for the number of wolves in the area.  After all, the first pig had never ever seen a wolf.  The second pig, may have put down 1 wolf, but when he went to enter the parameter for how hard could the wolf blow, he put down “not very hard”.  He had not seen a wolf either.  But he had heard of wolves.  He didn’t know about the wind speed of a full on wolf huff and puff.  His model told him that sticks could withstand whatever a wolf could do to his house.  When the third pig built his risk model, he answered that there were “many” wolves around.  And when he filled in the parameter for how hard the wolf could blow, he put “very”.  When he was a wee tiny pig, he had seen a wolf blow down a house built of sticks that had a straw roof.  He was afraid of wolves for a reason.

 

 

Keys to ERM – Adaptability

Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

1. Risk Identification
2. Emerging Risks
3. Reaction step of Control Cycle
4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Updating your Risk Register

It is quite easy for an ERM program to become irrelevant.  All it takes is for it to stay the same for several years.  After just a few years, you will find that you risk management processes are focused upon the issues of several years ago.  You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing.  Some risks are become more dangerous while for others the danger is receding.  No firm anywhere has an unlimited budget for risk management.  So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register.  That is a hard message to sell.  Risk Identification is seen by most as the first baby step in initiating and ERM program.  How could a well developed, sophisticated ERM program need to go back to the first baby step.

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register.  That is because risk management is fundamentally a cycle rather than a a one way development process.  We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise.  For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.

---

2017’s most dangerous risks for insurers We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”

---

Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.

Risk Trajectory – Do you know which way your risk is headed?

Which direction are you planning on taking?

• Are you expecting your risk to grow faster than your capacity to bare risk?
• Are you expecting your risk capacity to grow faster than your risk?
• Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a businesses risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
2. Your capacity to bear risk – often stated in terms of capital
3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

Management by Onside Kick

Many American football fans can recall a game when their team drove the ball 80 or more yards in the waning moments of the game to pull within a touchdown of the team that had been dominating them. Then they call for the on side kick – recover the ball and charge to a win within a few more plays.

But according to NFL stats, that onside kick succeeds only 20% of the time in the waning minutes of the game.

Mid game onside kicks – that are surprises – work 60% of the time.

But mostly it is the successful onside kicks that make the highlights reel. RISKVIEWS guesses that on the highlights those kicks are 80% or more successful.

And if you look back on the games of the teams that make it to the Super Bowl, they probably were successful the few times that they called that play.

What does that mean for risk managers?

Be careful where you get your statistics. Big data is now very popular. Winners use Big Data. So many conclude that it will give better indications. But make sure that your data inputs are not from highlight reels or from the records of the best year for a company.

Many firms use default data collected by rating agencies for example to parameterize their credit models. But the rating agencies would point out that the data is from rated companies only. This makes little difference for rated Bonds. There the bonds are rated from issue to maturity or default. But if you want to build a default model of insurers or reinsurers then you need to know that many insurers and some reinsurers will drop their rating if it falls below a level where it hurts their business. So ratings transition statistics for insurers are more like the highlight reels below a certain level.

Some models of dynamic hedging strategies were in effect taking the mid game success rates and assuming that they would apply in bad times. But like the onside kick, things worked very different.

So realize that a business strategy and especially a risk mitigation strategy may work differently when things have gone all a mess.

And an onside kick is nothing more than putting the ball in play and praying that something good will happen.

Real World Risks

There are many flavors of Risk Management.  Each flavor of risk manager believes that they are addressing the Real World.

• Bank risk managers believe that the world consists of exactly three sorts of risk:  Market, Credit and Operational.  They believe that because that is the way that banks are organized.  At one time, if you hired a person who was a banking risk manager to manage your risks, their first step would be to organize the risk register into those three buckets.
• Insurance Risk Managers believe that a company’s insurable risks – liability, E&O, D&O, Workers Comp, Property, Auto Liability – are the real risks of a firm.  As insurance risk managers have expanded into ERM, they have adapted their approach, but not in a way that could, for instance, help at all with the Credit and Market risk of a bank.
• Auditor Risk Managers believe that there are hundreds of risks worth attention in any significant organization. Their approach to risk is often to start at the bottom and ask the lowest level supervisors.  Their risk management is an extension of their audit work.  Consistent with the famous Guilliani broken windows approach to crime.  However, this approach to risk often leads to confusion about priorities and they sometimes find it difficult to take their massive risk registers to top management and the board.
• Insurer Risk Managers are focused on statistical models of risk and have a hard time imagining dealing with risks that are not easily modeled such as operational and strategic risks.  The new statistical risk managers often clash with the traditional risk managers (aka the underwriters) whose risk management takes the form of judgment based selection and pricing processes.
• Trading Desk Risk Managers are focused on the degree to which any traders exceed their limits.  These risk managers have evolved into the ultimate risk takers of their organizations because they are called upon to sometime approve breaches when they can be talked into agreeing with the trader about the likelihood of a risk paying off.  Their effectiveness is viewed by comparing the number of days that the firm’s losses exceed the frequency predicted by the risk models.

So what is Real World Risk?

Start with this…

Top Causes of death

• Heart disease
• stroke
• lower respiratory infections
• chronic obstructive lung disease
• HIV
• Diarrhea
• Lung cancers
• diabetes

Earthquakes, floods and Hurricanes are featured as the largest insured losses. (Source III)

Note that these are the insured portion of the losses.  the total loss from the Fukishima disaster is estimated to be around $105B.  Katrina total loss $81B. (Source Wikipedia)

Financial Market risk seems much smaller.  When viewed in terms of losses from trading, the largest trading loss is significantly smaller than the 10th largest natural disaster. (Source Wikipedia)

But the financial markets sometimes create large losses for everyone who is exposed at the same time.

The largest financial market loss is the Global Financial Crisis of 2008 – 2009.  One observer estimates the total losses to be in the range of $750B to $2000B.  During the Great Depression, the stock market dropped by 89% over several years, far outstripping the 50% drop in 2009.  But some argue that every large drop in the stock market is preceded by an unrealistic run up in the value of stocks, so that some of the “value” lost was actually not value at all.

If your neighbor offers you $100M for your house but withdraws the offer before you can sell it to him and then you subsequently sell the house for $250k, did you lose $99.75M?  Of course not.  But if you are the stock market and for one day you trade at 25 time earnings and six months later you trade at 12 times earnings, was that a real loss for any investors who neither bought or sold at those two instants?

So what are Real World Risks?

Comments welcomed…

No Reward without Risk

Is that so? Well, only if you live in a textbook. And RISKVIEWS has not actually checked whether there really are text books that are that far divorced from reality.

Actually, in the world that RISKVIEWS has inhabited for many years, there are may real possibilities, for example:

• Risk without reward
• Reward without risk
• Risk with too little Reward
• Risk with too much Reward
• Risk with just the right amount of reward

The reason why it is necessary to engage nearly everyone in the risk management process is that it is very difficult to distinguish among those and other possibilities.

Risk without reward describes many operational risks.

Reward without risk is the clear objective of every capitalist business.  Modern authors call it a persistent competitive advantage, old school name was monopoly.  Reward without risk is usually called rent by economists.

Risk with too little reward is what happens to those who come late to the party or who come without sufficient knowledge of how things work.  Think of the poker saying “look around the table and if you cannot tell who is the chump, it is you.”  If you really are the chump, then you are very lucky if your reward is positive.

Risk with too much reward happens to some first comers to a new opportunity.  They are getting some monopoly effects.  Perhaps they were able to be price setters rather than price takers, so they chose a price higher than what they eventually learned was needed to allow for their ignorance.  Think of Apple in the businesses that they created themselves.  Their margins were huge at first, and eventually came down to …

Risk with just the right amount of reward happens sometimes, but only when there is a high degree of flexibility in a market – especially no penalty for entry and exit.  Sort of the opposite of the airline industry.

No Reward Without Risk

Comparing Eagles and Clocks

Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify a HML for Frequency and Severity for each risk.  But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk.  Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor.  However, this process is frankly meaningless.  Like multiplying the number of carrots times the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk.  They can each be compared across all of the risks.  That is you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a realistic disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters.  You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at the consistently with other risks.

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:

Or two birds:

But you cannot compare a bird and a Clock:

And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons – https://commons.wikimedia.org/wiki/File:Adalberti_1.jpg#/media/File:Adalberti_1.jpg

ERM is not the End, It is the Means

As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management.  Probably because they are the survivors.  Perhaps there was much less Risk Management in the failed insurers.

So if they already have Risk Management, why do they need ERM? 

There are four possible reasons:

1. Discipline -the sports teams with the most discipline win most championships.  The coach can count on the players to execute the same way every time.  In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time.  ERM expects that discipline, but ERM operates on a trust but verify approach.  Perhaps leaning more on the verify than the trust.  So when an Insurer adds ERM to its already pretty full Risk Management processes, they are opting for Risk Management that is totally reliable because it has discipline.
2. Transparency -much of the existing Risk Management in an insurer is a fairly private affair.  It is done by the folks who need to be doing it but they rarely talk about it.  When ERM comes along, it seems that the number of reports goes up.  Some of those reports are of absolutely no help to the folks who are doing Risk Management.  Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected.  In one sense, Risk Management is all about making sure that some things rarely or never happen.  This Transparency about the actions that result with that nothing happening are the records that need to be kept for the defense of the Risk Manager as well.
3. Alignment – most of existing Risk Management grew up as the insurer grew up.  That is a good thing because the Risk Management can be totally incorporated into all practices.  But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company.  The key element to that process is a Risk Tolerance.  With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
4. Resiliency – system resilience is not a usual part of traditional Risk Management.  Traditional RIsk Management is most often about defending the status quo.  Resilience is all about figuring out how best to adapt.  Within ERM is a process called Emerging Risks Management.  Emerging Risks Management is all about preparing for the risks that are definitely not yet banking on the door.  They may be far down the road or around the bend.  Emerging Risks Management is an exercise process that builds Resilience Muscles.

Those are the Ends.  ERM is the means to get to those ends.

The Big C is behind every great Risk

Concentration, defined broadly, is the source of all risk.

In an unconcentrated pool of activities, all with potential for positive and negative outcomes, provides the Big D – Diversification.

So it seems simple to avoid C – just do D.

But we have so many ways to concentrate.  And concentration is particularly tempting.

• When things are going well, it makes sense to do more of whatever it is that is working best.  That increases concentration. 
• Once we learn how to do something right, it makes sense to do more.  That increases concentration.
• One supplier is almost always the cheapest, fastest and best quality.  So we give them more business.  That increases concentration. 
• That one product has better margins than the rest and it sells better too.  So we plan to increase our capacity to make that product.  That increases concentration. 
• Our best distributor runs rings around the rest.  We are working on giving her a larger territory.  That increases concentration. 

The alternative, the diversifying alternative just doesn’t sound so smart.

• Hold back when things are going well.
• Do more of the things that you haven’t quite mastered.
• Buy from the second and third best suppliers.
• Keep up capacity for the lower margin lower selling products.
• Restrict your best distributor from selling too much.

Remember Blockbuster?  There were Blockbuster stores everywhere fifteen years ago.  They did that one thing, rent physical videos through physical stores and did it so well that they drove out most of their competition.  But they were totally Concentrated.  When they were faced with a new competitor, Netflix, the CEO proposed changes to their business practices, including diversifying into online rentals.  Their board decided against going into a new lower margin product and fired the CEO.  Five years later, Blockbuster was toast.

Concentration risk is often strategic.

In the financial crisis, we found a new sort of concentration risk.  It was a network risk.  The banks were all highly concentrated in the financial sector – in exposure to other banks.  This network risk is now often called systemic risk.  But this risk is necessary because of the strategic choices of business models of the banks.  They all choose to do business in such a way to take up each other’s slack on a daily basis.  They all think that is much more efficient than operating with an irregular amount of slack resources.  In times running up to the financial crisis, the interdependency changed from just taking up each other’s overnight slack to some banks using that overnight facility from other banks to fund major fraction of their business activity.  (And woe is all that much of that business activity was fundamentally a loser. But that lack of underwriting by the banks of each other is a different story.)

Why is concentration risk so deadly?  The answer to that is pretty simple arithmetic.  If your conglomerate amounts to four similar sized separate divisions that do not interact so much, it is quite possible that if one of those businesses fails, that the conglomerate will be able to continue operating – wounded but fully able to operate the other three divisions.  But if your cousin’s venture has just one highly profitable, highly successful business, then his venture will either live or die with that one business.

In insurance, we see this concentration risk all of the time.  If you are an insurer that only writes business throughout the Pacific islands in the 1700’s, but you find that your best salesperson is on Easter Island and your highest margin product is business interruption insurance for the businesses that do the carving of the massive Moai statues.  So you do more and more business with your best salesperson selling your best product, until you are essentially a one product, one location insurer.  And then the last tree is used (or rats eat the roots).  All of your customers make claims at once.  You thought that you were diversified because you had 300 separate customers.  But those 300 customers all acted like just one when the trees were gone.

So diversification is not just about counting.  It is about understanding the differences or similarities of your risks.  And failure to understand those drivers will often lead to dangerous concentration.  Just ask those banks or that Easter Island insurer.

Berkshire Hathaway Risk Appetite

“we are far more conservative in avoiding risk than most large insurers. For example, if the insurance industry should experience a $250 billion loss from some mega-catastrophe – a loss about triple anything it has ever experienced – Berkshire as a whole would likely record a significant profit for the year because of its many streams of earnings. We would also remain awash in cash and be looking for large opportunities in a market that might well have gone into shock. Meanwhile, other major insurers and reinsurers would be far in the red, if not facing insolvency.”

Warren Buffett, Berkshire Hathaway Letter to Shareholders, 2014

So Berkshire is prepared to pay out claims on an event that is three times as large as anything that has ever happened.

What are Berkshire’s competitors prepared for?

Here is an excerpt from the Swiss Re 2013 Annual Report:

Risk tolerance and limit framework

Swiss Re’s risk tolerance is an expression of the extent to which the Board of Directors has authorised the Group and Business Units’ executive management to assume risk. It represents the maximum amount of risk that Swiss Re is willing to accept within the constraints imposed by its capital and liquidity resources, its strategy, its risk appetite, and the regulatory and rating agency environment within which it operates. Risk tolerance criteria are specified for the Group and Business Units, as well as for the major legal entities.

A key responsibility of Risk Management is to ensure that Swiss Re’s risk tolerance is applied throughout the business. As part of this responsibility, Risk Management ensures that our risk tolerance targets are a key basis for our business planning processes. Furthermore, both our risk tolerance and risk appetite – the types and level of risk we seek to take within our risk tolerance – are clearly reflected in a limit framework across all risk categories. The limit framework is approved at the Group EC level through the Group Risk and Capital Committee. The individual limits are established through an iterative process to ensure that the overall framework complies with our Group-wide policies on capital adequacy and risk accumulation.

So they have a number but they are not saying what it is.  But they are telling us what they do with that number.

Now here is the Risk Limit Framework from the 2013 Partner Re annual report.

They have a number and here it is.  But look at how much more Buffet has disclosed.  He told that for Berkshire, an event that is three times the largest event experienced by the insurance industry, the loss would be significantly less than the earnings from the investments of Berkshire’s insurance and reinsurance companies plus the earnings of its non-insurance businesses.

Partner Re, whose disclosure is light years more specific than almost any other (re)insurer, is not quite so helpful.  It is good to know that they have the disclosed limits, but they have not provided any information to tell us how much that this adds up to in their mind.  If RISKVIEWS adds them up, these limits come to $21.5B.  Adding like that is the same as assuming that they all happen at once.  If we make the opposie assumption, that they are totally independent, we get a little more than $10B.  Partner Re’s capital is $7.5B.  So when they accept these risks, they must not think that it is likely to pay out their full limit, even on a fully diversified independent risk scenario.

So even with more specific disclosure than almost any other insurer, Partner Re has not revealed how they think of their risk appetite.

On the other hand, while Berkshire has given a better sense of their risk appetite, Buffett hasn’t revealed any number.

But this seems to RISKVIEWS to be real progress.  Perhaps some combination of these three disclosures would be the whole story of risk appetite at a (re) insurer.

We shall wait and see if somehow this evolution continues until investors and policyholders can get the information to understand how well prepared a (re) insurer is to pay its claims and remain in business in a extreme situation.

 

 

Risk Reporting Conflict of Interest

We give much too little consideration to potential for conflict of interest in risk reporting.

Take for instance weather risk reporting.

"Sneeuwschuiver". Licensed under CC BY-SA 2.5 via Wikimedia Commons

Many of the people who report on Weather Risk have a financial interest in bad weather.  Not that they own snow plowing services or something.  But take TV stations for example.  Local TV station revenue is largely proportional to their number of viewers.  Local news and weather are often the sole part of their schedule that they produce themselves and therefore get all or almost all of the revenue.  And viewership for local news programs may double with an impending snowstorm.  So they have a financial interest in predicting more snow.  The Weather Channel has the same dynamic, but a wider area from which to draw to find extreme weather situations.  But if there is any hint of a possible extreme weather situation in a major metropolitan area with millions of possible viewers, they have a strong incentive to report the worst case possibility.

This past January, there were some terrible snow forecasts for New York and Philadelphia:

For the Big Apple, the great Blizzard of 2015 was forecast to rival the paralyzing 1888 storm, dubbed the White Hurricane. Up to three feet of snow was predicted. Reality: About 10 inches fell.

The forecast in Philadelphia wasn’t any better – and arguably worse. Up to 14 inches of snow were forecast. The City of Brotherly Love tallied roughly 2 inches, about the same as Washington, D.C.

Washington Post,  January 27, 2015

In other cases, we go to the experts to get information about possible disasters from diseases.  But their funding depends very much on how important their specialty is seen to be to the politicians who approve their funding.

In 2005, the Bird Flu was the scare topic of the year.

“I’m not, at the moment, at liberty to give you a prediction on numbers, but I just want to stress, that, let’s say, the range of deaths could be anything from 5 to 150 million.”

David Nabarro, Senior United Nations system coordinator for avian and human influenza

Needless to say, the funding for health systems can be strongly impacted by the fear of such a pandemic.  At them time that statement was made, worldwide Bird Flu deaths were slightly over 100.  Not 100 thousand, 100 – the number right after 99.

But the purpose of this post is not writing this to disparage weather reporters or epidemiologists.  It is to caution risk managers.

Sometimes risk managers get the idea that they are better off if everyone had more concern for risk.  They take on the roll of Dr. Doom, pointing out the worst case potential in every situation.

This course of action is usually not successful. Instead of building respect for risk, the result is more often to create a steady distrust of statements from the risk manager.  The Chicken Little effect results.

Instead, the risk manager needs to focus on being painstakingly realistic in reporting about risk.  Risk is about the future, so it is impossible to get it right all of the time.  That is not the goal.  The goal should be to make reports on risk that consistently use all of the information available at the time the report is made.

And finally, a suggestion on communicating risk.  That is that risk managers need to develop a consistent language to talk about the likelihood and severity of a risk.  RISKVIEWS suggests that risk managers use three levels of likelihood:

• Normal Volatility (as in within).  Each risk should have a range of favorable and unfavorable outcomes within the range of normal volatility.  This could mean within one standard deviation, or with a 1 in 10 likelihood. So normal volatility for the road that you drive to work might be for there to be one accident per month.
• Realistic Disaster Scenario.  This might be the worst situation for the risk that has happened in recent memory, or it might be a believable bad scenario that hasn’t happened for risks where recent experience has been fairly benign.  For that road, two accidents in a week might be a realistic disaster.  It actually happened 5 years ago.  For the similar road that your spouse takes to work, there haven’t been any two accident weeks, but the volume of traffic is similar, so the realistic disaster scenario for that road is also two accidents in a week.
• Worst case scenario.  This is usually not a particularly realistic scenario.  It does not mean worst case, like the sun blowing up and the end of the solar system.  It does mean something significantly worse than what you expect can happen. For the risk of car accidents on your morning commute, the worst case might be a month with 8 accidents.

So the 150 million number above for flu deaths is a worst case scenario.  As were the Great Blizzard predictions.  What actually happened was in line with normal volatility for a winter storm in those two cities.

If you, the risk manager, learn to always use language like the above, first of all, it will slow you down and make you think about what you are saying.  Eventually, your audience will get to learn what your terminology means and will be able to form their own opinion about your reliability.

And you will find that credibility for your risk reporting has very favorable impact on your longevity and compensation as a risk manager.

 

Out of Sight can lead to Out of Mind

Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there is only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid too much writing things down.  And that is also true when it comes to risk management

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.

But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

• ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
• ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document many list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
• Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
• Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
• Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
• Charter for Risk Committees – Some firms have three or more risk committees.  On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
• Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/

 

The ERM Pioneers and the Settlers – Let’s not have another range war!

Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successros.

How to Show the Benefits of Risk Management

From Harry Hall at www.pmsouth.com

Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?

Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.

The “before picture” and “after picture” are also a powerful way to make known the value of risk management.

We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”

Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.

Say Cheese

The first step to turning risk assessments into pictures is to assign risk levels.

Assume that a Project Manager is using a qualitative rating scale of 1 to 10, 10 being the highest, to rate Probability and Impact. The Risk Score is calculated by multiplying Probability x Impact. Here is an example of a risk table with a level of risk and the corresponding risk score range.

Level of Risk	Risk Score
Very Low	< 20
Low	21 – 39
Medium	40 – 59
High	60 – 79
Very High	> 80

Figure 1: Qualitative Risk Table

Looking Good

Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.

Figure 2: Number of Risk before Execution of Risk Response Strategies

We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.

Figure 3: Number of Risks after Execution of Risk Response Strategies

After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.

How to Illustrate Programs, Portfolios, or Enterprises

Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.

Figure 4: Number of Program risks before and after the execution of risk response strategies

Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).

Tip of the Day

When you ask team members to rate risks, it is important we specify whether the team members are assessing the “before picture” (i.e., inherent risks) or the “after picture” (i.e., residual risks) or both. Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk. Residual risks are risks remaining after strategies/actions have been taken.

Question: What types of charts or graphics do you use to illustrate the value of risk management?

New Year’s ERM Resolution – A Risk Diet Plan

Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottege Cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desparately needed to make a diet work.  Common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how much calories the new food has.

The aggregate risk limit serves the exact same role role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses.  Using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person/company to optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.

 

Top 10 RISKVIEWS Posts of 2014 – ORSA Heavily Featured

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog.  Thanks to our readers whose clicks resulted in their selection.

• Instructions for a 17 Step ORSA Process – Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.
• Full Limits Stress Test – Where Solvency and ERM Meet – This post suggests a link between your ERM program and your stress tests for ORSA that is highly logical, but not generally practiced.
• What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communications about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.
• How to Build and Use a Risk Register – A first RISKVIEWS post from a new regular contributor, Harry Hall. Watch for more posts along these lines from Harry in the coming months. And catch Harry on his blog, http://www.pmsouth.com
• ORSA ==> AC – ST > RCS – You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.
• The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.
• Hierarchy Principle of Risk Management – There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risk need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.
• Risk Culture, Neoclassical Economics, and Enterprise Risk Management – A discussion of the different beliefs about how business and risk work. A difference in the beliefs that are taught in MBA and Finance programs from the beliefs about risk that underpin ERM make it difficult to reconcile spending time and money on risk management.
• What CEO’s Think about Risk – A discussion of three different aspects of decision-making as practiced by top management of companies and the decision making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.
• Decision Making Under Deep Uncertainty – Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

How to Build and Use a Risk Register

From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

• Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
• Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
• Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
• Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
• Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
• Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
• Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
• Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
• Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
• Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
• Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
• Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

ERM: Who is Responsible?

The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

• Risk Owners
• Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers http://goo.gl/yX0BQl  & http://goo.gl/BTZK4J

Transparency, Discipline and Allignment

Firms that have existed for any length of time are likely to have risk management.  Some of it was there from the start and the rest evolved in response to experiences.  Much of it is very efficient and effective while some of the risk management is lacking in either efficiency of effectiveness.  But some of the risk management that they might need is either missing or totally ineffective.  It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm.  Risk management happens in the background.  It may be done without thinking.  It may be done by people who do not know why they are doing it.  Some risks of the firm are very tightly controlled while others are not.  But the different treatment is not usually a conscious decision.  The importance of risk management differs greatly in the minds of different people in the firm and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm.  The proponents of carefully managed risk may be thought of as the business prevention department and they are commonly found to be at war with the business expansion department.

---

 

Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management.  Those advantages are:

Transparency

Discipline

Alignment

ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm.  ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk.  The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.

Transparency is like the math teacher you had in high school who insisted that you show your work.  Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer.  When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing.  Transparency means the same sort of thing with ERM.  It means showing your work.  If you do not like having to slow down and show your work, you will not like ERM.

ERM is based upon setting up formal risk control cycles.  A control cycle is a discipline for assuring that the risk controlling process takes place.  A discipline, in this context, is a repeatable process that if you consistently follow the process you can expect that the outcomes from that process will be more reliable and consistent.

A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline.  A school team may have a little talent or a lot and some school teams have some discipline as well.  A professional sports team usually has plenty of talent.  Often professional teams also have some discipline.  The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league.  Discipline allows the team to consistently get the best out of their most talented players.  Discipline in ERM means that the firm is more likely to be able to expect to have the risks that they want to have.

ERM is focused on Enterprise Risks.  In RISKVIEWS mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.

To use another sports analogy, picture the football huddle where the quarterback says “ok.  Everyone run their favorite play!”  Without ERM, that is what is happening, at least regarding ERM at some companies.

Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.

Decision Making Under Deep Uncertainty

The above is a part of the title of a World Bank report.  The full title of that report is

Investment Decision Making Under Deep Uncertainty – Application to Climate Change

While that report focuses upon that one specific activity – Investing, and one area of deep uncertainty – Climate Change, there are some very interesting suggestions contained there that can be more broadly applied.

First, let’s look at the idea of Deep Uncertainty.  They define it as:

deep uncertainty is a situation in which analysts do not know or cannot agree on (1) models that relate key forces that shape the future, (2) probability distributions of key variables and parameters in these models, and/or (3) the value of alternative outcomes.

In 1973, Horst W.J. Rittel and Melvin M. Webber, two Berkeley professors, published an article in Policy Sciences introducing the notion of “wicked” social problems. The article, “Dilemmas in a General Theory of Planning,” named 10 properties that distinguished wicked problems from hard but ordinary problems.

1. There is no definitive formulation of a wicked problem. It’s not possible to write a well-defined statement of the problem, as can be done with an ordinary problem.

2. Wicked problems have no stopping rule. You can tell when you’ve reached a solution with an ordinary problem. With a wicked problem, the search for solutions never stops.

3. Solutions to wicked problems are not true or false, but good or bad. Ordinary problems have solutions that can be objectively evaluated as right or wrong. Choosing a solution to a wicked problem is largely a matter of judgment.

4. There is no immediate and no ultimate test of a solution to a wicked problem. It’s possible to determine right away if a solution to an ordinary problem is working. But solutions to wicked problems generate unexpected consequences over time, making it difficult to measure their effectiveness.

5. Every solution to a wicked problem is a “one-shot” operation; because there is no opportunity to learn by trial and error, every attempt counts significantly. Solutions to ordinary problems can be easily tried and abandoned. With wicked problems, every implemented solution has consequences that cannot be undone.

6. Wicked problems do not have an exhaustively describable set of potential solutions, nor is there a well-described set of permissible operations that may be incorporated into the plan. Ordinary problems come with a limited set of potential solutions, by contrast.

7. Every wicked problem is essentially unique. An ordinary problem belongs to a class of similar problems that are all solved in the same way. A wicked problem is substantially without precedent; experience does not help you address it.

8. Every wicked problem can be considered to be a symptom of another problem. While an ordinary problem is self-contained, a wicked problem is entwined with other problems. However, those problems don’t have one root cause.

9. The existence of a discrepancy representing a wicked problem can be explained in numerous ways. A wicked problem involves many stakeholders, who all will have different ideas about what the problem really is and what its causes are.

10. The planner has no right to be wrong. Problem solvers dealing with a wicked issue are held liable for the consequences of any actions they take, because those actions will have such a large impact and are hard to justify.

These Wicked Problems sound very similar to Deep Uncertainty.

The World Bank report suggests that “Accepting uncertainty mandates a focus on robustness”.

A robust decision process implies the selection of a project or plan which meets its intended goals – e.g., increase access to safe water, reduce floods, upgrade slums, or many others– across a variety of plausible futures. As such, we first look at the vulnerabilities of a plan (or set of possible plans) to a field of possible variables. We then identify a set of plausible futures, incorporating sets of the variables examined, and evaluate the performance of each plan under each future. Finally, we can identify which plans are robust to the futures deemed likely or otherwise important to consider.

That sounds a lot like a risk management approach.  Taking your plans and looking at how your plans work under a range of scenarios.

This is a different approach from what business managers are trained to take.  And it is a clear example of the fundamental conflict between risk management thinking and the predominant thinking of company management.

What business managers are taught to do is to predict the most likely future scenario and to make plans that will maximize the results under that scenario.

And that approach makes sense when faced with a reliably predictable world.  But in those situations when you are faced with Deep Uncertainty or Wicked Problems, the Robust Approach should be the preferred approach.

Risk managers need to understand that businesses mainly need to apply the Robust/risk management techniques to these Wicked Problems and Deep Uncertainty.  It is a major waste of time to seek to apply the Robust Approach when the situation is not that extreme.  Risk managers need to develop skills and processes to identify these situations.  Risk managers need to “sell” this approach to top management.  Risks need to be divided into two classes – “normal” and “Deep Uncertain/Wicked” and the Robust Approach used for planning what to do regarding the business activities subject to that risk.  The Deep Uncertainty may not exist now, but the risk manager needs to have the credibility with top management when they bring their reasoning for identifying a new situation of Deep Uncertainty.

Communicating with CEOs

 The point of communication isn’t to speak. It’s to be heard and understood — to have influence and motivate action. Effective communication requires knowing what information you want to convey and what action you want to motivate, but that’s not enough. You must also know your audience — in this case CEOs—well enough to determine what factors will truly resonate and motivate them to take the desired action based on your information.

CEO’s often are not thinking about their key decisions in the same statistical terms that a risk manager or other quantitative analyst would favor.   Several different studies show that most experienced decision makers do not apply statistical thinking either.  Instead they apply a natural decision making process assisted liberally by heuristics. 

CEO’s and other leaders also commonly have different perspectives on priorities than risk managers and analysts.  Analysts will tend to see the world “realistically” with a balance between risks and rewards, while CEO’s may have reached their position, in part, because they see the world “optimisticslly” as containing plenty of opportunities where rewards are much more likely than overstated risks.  Of course, from the perspective of the CEO, the analysts are “pessimistic” and they themselves are “realistic”. 

To communicate with CEO’s, risk managers and analysts need to learn to frame the results of their work in terms that make sense to CEO’s.  That will often be in terms of Natural Decision Making, Heuristics and Opportunities. 

For more on this topic, see Actuarial Review “How to Talk to a CEO“. 

 

Risk Culture, Neoclassical Economics, and Enterprise Risk Management

Financial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neo Classical Economics clash with the recommended risk practices and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neo Classical Economics beliefs.

Paper submitted to the ERM Symposium

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Speakers: 
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re

Registration

The History of Risk Management

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM. 

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow up have happened.  Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures. 

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll up your sleeves and do it risk management.  Promoting that sort of Risk Management is the objective of this Blog. 

 

 

Too Much Risk

Risk Management is all about avoiding taking Too Much Risk.

And when it really comes down to it, there are only a few ways to get into the situation of taking too much risk.

1. Misunderstanding the risk involved in the choices made and to be made by the organization
2. Misunderstanding the risk appetite of the organization
3. Misunderstanding the risk taking capacity of the organization
4. Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity

So Risk Management needs to concentrate on preventing these four situations.  Here are some thoughts regarding how Risk Management can provide that.

1. Misunderstanding the risk involved in the choices made and to be made by an organization

This is the most common driver of Too Much Risk.  There are two major forms of misunderstanding:  Misunderstanding the riskiness of individual choices and Misunderstanding the way that risk from each choice aggregates.  Both of these drivers were strongly in evidence in the run up to the financial crisis.  The risk of each individual mortgage backed security was not seriously investigated by most participants in the market.  And the aggregation of the risk from the mortgages was misunderestimated as well.  In both cases, there was some rationalization for the misunderstanding.  The Misunderstanding was apparent to most only in hindsight.  And that is most common for misunderstanding risks.  Those who are later found to have made the wrong decisions about risk were most often acting on their beliefs about the risks at the time.  This problem is particularly common for firms with no history of consistently and rigorously measuring risks.  Those firms usually have very experienced managers who have been selecting their risks for a long time, who may work from rules of thumb.  Those firms suffer this problem most when new risks are encountered, when the environment changes making their experience less valid and when there is turnover of their experienced managers.  Firms that use a consistent and rigorous risk measurement process also suffer from model induced risk blindness.  The best approach is to combine analysis with experienced judgment.

2.  Misunderstanding the risk appetite of the organization

This is common for organizations where the risk appetite has never been spelled out.  All firms have risk appetites, it is just that in many, many cases, no one knows what they are in advance of a significant loss event.  So misunderstanding the unstated risk appetite is fairly common.  But actually, the most common problem with unstated risk appetites is under utilization of risk capacity.  Because the risk appetite is unknown, some ambitious managers will push to take as much risk as possible, but the majority will be over cautious and take less risk to make sure that things are “safe”.

3.  Misunderstanding the risk taking capacity of the organization

 This misunderstanding affects both companies who do state their risk appetites and companies who do not.  For those who do state their risk appetite, this problem comes about when the company assumes that they have contingent capital available but do not fully understand the contingencies.  The most important contingency is the usual one regarding money – no one wants to give money to someone who really, really needs it.  The preference is to give money to someone who has lots of money who is sure to repay.  For those who do not state a risk appetite, each person who has authority to take on risks does their own estimate of the risk appetite based upon their own estimate of the risk taking capacity.  It is likely that some will view the capacity as huge, especially in comparison to their decision.  So most often the problem is not misunderstanding the total risk taking capacity, but instead, mistaking the available risk capacity.

4.  Deliberately ignoring the risk, the risk appetite and/or the risk taking capacity of the organization

A well established risk management system will have solved the above problems.  However, that does not mean that their problems are over.  In most companies, there are rewards for success in terms of current compensation and promotions.  But it is usually difficult to distinguish luck from talent and good execution in a business about risk taking.  So there is a great temptation for managers to deliberately ignore the risk evaluation, the risk appetite and the risk taking capacity of the firm.  If the excess risk that they then take produces excess losses, then the firm may take a large loss.  But if the excess risk taking does not result in an excess loss, then there may be outsized gains reported and the manager may be seen as highly successful person who saw an opportunity that others did not.  This dynamic will create a constant friction between the Risk staff and those business managers who have found the opportunity that they believe will propel their career forward.

So get to work, risk managers.

Make sure that your organization

1. Understands the risks
2. Articulates and understands the risk appetite
3. Understands the aggregate and remaining risk capacity at all times
4. Keeps careful track of risks and risk taking to be sure to stop any managers who might want to ignore the risk, the risk appetite and the risk taking capacity

Setting your Borel Point

What is a Borel Risk Point you ask?  Emile Borel once said

“Events with a sufficiently small probability never occur”.

Your Borel Risk Point (BRP) is your definition of “sufficiently small probability” that causes you to ignore unlikely risks.

Chances are, your BRP is set at much too high of a level of likelihood.  You see, when Borel said that, he was thinking of a 1 in 1 million type of likelihood.  Human nature, that has survival instincts that help us to survive on a day to day basis, would have us ignoring things that are not likely to happen this week.

Even insurance professionals will often want to ignore risks that are as common as 1 in 100 year events.  Treating them as if they will never happen.

And in general, the markets allow us to get away with that.  If a serious adverse event happens, the unprepared generally are excused if it is something as unlikely as a 1 in 100 event.

That works until another factor comes into play.  That other factor is the number of potential 1 in 100 events that we are exposed to.  Because if you are exposed to fifty 1 in 100 events, you are still pretty unlikely to see any particular event, but very likely to see some such event.

Governor Andrew Cuomo of New York State reportedly told President Obama,

New York “has a 100-year flood every two years now.”

Solvency II has Europeans all focused on the 1 in 200 year loss.  RISKVIEWS would suggest that is still too high of a likelihood for a good Borel Risk Point for insurers. RISKVIEWS would argue that insurers need to have a higher BRP because of the business that they are in.  For example, Life Insurers primary product (which is life insurance, at least in some parts of the world) pays for individual risks (unexpected deaths) that occur at an average rate of less than 1 in 1000.  How does an insurance company look their customers in the eye and say that they need to buy protection against a 1 in 1000 event from a company that only has a BRP of 1 in 200?

So RISKVIEWS suggest that insurers have a BRP somewhere just above 1 in 1000.  That might sound aggressive but it is pretty close to the Secure Risk Capital standard.  With a Risk Capital Standard of 1 in 1000, you can also use the COR instead of a model to calculate your capital needed.

Key Ideas of ERM

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

1. Transition from Evolved Risk Management to planned ERM
2. Comprehensive – includes ALL risks
3. Measurement – on a consistent basis allows ranking and…
4. Aggregation – adding up the risks to know total
5. Capital – comparing sum of risks to capital – can apply security standard to judge
6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness“.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counter parties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

Is it rude to ask “How fat is your tail?”

In fact, not only is it not rude, the question is central to understanding risk models.  The Coefficient of Riskiness(COR) allows us for the first time to talk about this critical question.

You see, “normal” sized tails have a COR of three. If everything were normal, then risk models wouldn’t be all that important. We could just measure volatility and multiply it by 3 to get the 1 in 1000 result. If you instead want the 1 in 200 result, you would multiply the 1 in 1000 result by 83%.

Amazing maths fact – 3 is always the answer.

But everything is not normal. Everything does not have a COR of 3. So how fat are your tails?

RISKVIEWS looked at an equity index model. That model was carefully calibrated to match up with very long term index returns (using Robert Shiller’s database). The fat tailed result there has a COR of 3.5. With that model the 2008 S&P 500 total return loss of 37% is a 1 in 100 loss.

So if we take that COR of 3.5 and apply it to the experience of 1971 to 2013 that happens to be handy, the mean return is 12% and the volatility is about 18%. Using the simple COR approach, we estimate the 1 in 1000 loss as 50% (3.5 times the volatility subtracted from the average). To get the 1/200 loss, we can take 83% of that and we get a 42% loss.

RISKVIEWS suggests that the COR can be an important part of Model Validation.

 Looking at the results above for the stock index model, the question becomes why is 3.5 then the correct COR for the index? We know that in 2008, the stock market actually dropped 50% from high point to low point within a 12 month period that was not a calendar year. If we go back to Shiller’s database, which actually tracks the index values monthly (with extensions estimated for 50 years before the actual index was first defined), we find that there are approximately 1500 12 month periods. RISKVIEWS recognizes that these are not independent observations, but to answer this particular question, these actually are the right data points. And looking at that data, a 50% drop in a 12 month period is around the 1000^th worst 12 month period. So a model with a 3.5 COR is pretty close to an exact fit with the historical record. And what if you have an opinion about the future riskiness of the stock market? You can vary the volatility assumptions if you think that the current market with high speed trading and globally instantaneously interlinked markets will be more volatile than the past 130 years that Schiller’s data covers. You can also adjust the future mean. You might at least want to replace the historic geometric mean of 10.6% for the arithmetic mean quoted above of 12% since we are not really taking about holding stocks for just one year. And you can have an opinion about the Riskiness of stocks in the future. A COR of 3.5 means that the tail at the 1 in 1000 point is 3.5 / 3 or 116.6% of the normal tails. That is hardly an obese tail.

The equity index model that we started with here has a 1 in 100 loss value of 37%. That was the 2008 calendar total return for the S&P 500. If we want to know what we would get with tails that are twice as fat, with the concept of COR, we can look at a COR of 4.0 instead of 3.5. That would put the 1 in 1000 loss at 9% worse or 59%. That would make the 1 in 200 loss 7% worse or 49%.

Those answers are not exact. But they are reasonable estimates that could be used in a validation process.

Non-technical management can look at the COR for each model can participate in a discussion of the reasonability of the fat in the tails for each and every risk.

RISKVIEWS believes that the COR can provide a basis for that discussion. It can be like the Richter scale for earthquakes or the Saffir-Simpson scale for hurricanes. Even though people in general do not know the science underlying either scale, they do believe that they understand what the scale means in terms of severity of experience. With exposure, the COR can take that place for risk models.

Chicken Little or Coefficient of Riskiness (COR)

Running around waving your arms and screaming “the Sky is Falling” is one way to communicate risk positions.  But as the story goes, it is not a particularly effective approach.  The classic story lays the blame on the lack of perspective on the part of Chicken Little.  But the way that the story is told suggests that in general people have almost zero tolerance for information about risk – they only want to hear from Chicken Little about certainties.

But insurers live in the world of risk.  Each insurer has their own complex stew of risks.  Their riskiness is a matter of extreme concern.  Many insurers use complex models to assess their riskiness.  But in some cases, there is a war for the hearts and minds of the decision makers in the insurer.  It is a war between the traditional qualitative gut view of riskiness and the new quantitative view of riskiness.  One tactic in that war used by the qualitative camp is to paint the quantitative camp as Chicken Little.

In a recent post, Riskviews told of a scale, a Coefficient of Riskiness.  The idea of the COR is to provide a simple basis for taking the argument about riskiness from the name calling stage to an actual discussion about Riskiness.

For each risk, we usually have some observations.  And from those observations, we can form the two basic statistical facts, the observed average and observed volatility (known as standard deviation to the quants).  But in the past 15 years, the discussion about risk has shifted away from the observable aspects of risk to an estimate of the amount of capital needed for each risk.

Now, if each risk held by an insurer could be subdivided into a large number of small risks that are similar in riskiness for each (including size of potential loss) and where the reasons for the losses for each individual risk were statistically separate (independent) then the maximum likely loss to be expected (99.9%tile) would be something like the average loss plus three times the volatility.  It does not matter what number is the average or what number is the standard deviation.

RISKVIEWS has suggested that this multiple of 3 would represent a standard amount of riskiness and become the index value for the Coefficient of Riskiness.

This could also be a starting point in looking at the amount of capital needed for any risks.  Three times the observed volatility plus the observed average loss.  (For the quants, this assumes that losses are positive values and gains negative.  If you want losses to be negative values, then take the observed average loss and subtract three times the volatility).

So in the debate about risk capital, that value is the starting point, the minimum to be expected.  So if a risk is viewed as made up of substantially similar but totally separate smaller risks (homogeneous and independent), then we start with a maximum likely loss of average plus three times volatility.  Many insurers choose (or have chosen for them) to hold capital for a loss at the 1 in 200 level.  That means holding capital for 83% of this Maximum Likely Loss.  This is the Viable capital level.  Some insurers who wish to be at the Robust level of capital will hold capital roughly 10% higher than the Maximum Likely Loss.  Insurers targeting the Secure capital level will hold capital at approximately 100% of the Maximum Likely Loss level.

But that is not the end of the discussion of capital.  Many of the portfolios of risks held by an insurer are not so well behaved.  Those portfolios are not similar and separate.  They are dissimilar in the likelihood of loss for individual exposures, they are dissimilar for the possible amount of loss.  One way of looking at those dissimilarities is that the variability of rate and of size result in a larger number of pooled risks acting statistically more like a smaller number of similar risks.

So if we can imagine that evaluation of riskiness can be transformed into a problem of translating a block of somewhat dissimilar, somewhat interdependent risks into a pool of similar, independent risks, this riskiness question comes clearly into focus.  Now we can use a binomial distribution to look at riskiness.  The plot below takes up one such analysis for a risk with an average incidence of 1 in 1000.  You see that for up to 1000 of these risks, the COR is 5 or higher.  The COR gets up to 6 for a pool of only 100 risks.  It gets close to 9 for a pool of only 50 risks.

 

 

There is a different story for a risk with average incidence of 1 in 100.  COR is less than 6 for a pool as small as 25 exposures and the COR gets down to as low as 3.5.

In producing these graphs, RISKVIEW notices that COR is largely a function of number of expected claims.  So The following graph shows COR plotted against number of expected claims for low expected number of claims.  (High expected claims produces COR that is very close to 3 so are not very interesting.)

You see that the COR stays below 4.5 for expected claims 1 or greater.  And there does seem to be a gently sloping trend connecting the number of expected claims and the COR.

So for risks where losses are expected every year, the maximum COR seems to be under 4.5.  When we look at risks where the losses are expected less frequently, the COR can get much higher.  Values of COR above 5 start showing up with expected losses that are in the range of .2 and values above .1 are even higher.

What sorts of things fit with this frequency?  Major hurricanes in a particular zone, earthquakes, major credit losses all have expected frequencies of one every several years.

So what has this told us?  It has told us that fat tails can come from the small portfolio effect.  For a large portfolio of similar and separate risks, the tails are highly likely to be normal with a COR of 3.  For risks with a small number of exposures, the COR, and therefore the tail, might get as much as 50% fatter with a COR of up to 4.5. And the COR goes up as the number of expected losses goes down.

Risks with very fat tails are those with expected losses less frequent than one per year can have much fatter tails, up to three times as fat as normal.

So when faced with those infrequent risks, the Chicken Little approach is perhaps a reasonable approximation of the riskiness, if not a good indicator of the likelihood of an actual impending loss.

 

Quantitative vs. Qualitative Risk Assessment

There are two ways to assess risk.  Quantitative and Qualitative.  But when those two words are used in the NAIC ORSA Guidance Manual, their meaning is a little tricky.

In general, one might think that a quantitative assessment uses numbers and a qualitative assessment does not.  The difference is as simple as that.  The result of a quantitative assessment would be a number such as $53 million.  The result of a qualitative assessment would be words, such as “very risky” or “moderately risky”.

But that straightforward approach to the meaning of those words does not really fit with how they are used by the NAIC.  The ORSA Guidance Manual suggests that an insurer needs to include those qualitative risk assessments in its determination of capital adequacy.  Well, that just will not work if you have four risks that total $400 million and three others that are two “very riskys” and one “not so risk”.  How much capital is enough for two “very riskys”, perhaps you need a qualitative amount of surplus to provide for that, something like “a good amount”.

RISKVIEWS believes that then the NAIC says “Quantitative” and “Qualitative” they mean to describe two approaches to developing a quantity.  For ease, we will call these two approaches Q1 and Q2.

The Q1 approach is data and analysis driven approach to developing the quantity of loss that the company’s capital standard provides for.  It is interesting to RISKVIEWS that very few participants or observers of this risk quantification regularly recognize that this process has a major step that is much less quantitative and scientific than others.

The Q1 approach starts and ends with numbers and has mathematical steps in between.  But the most significant step in the process is largely judgmental.  So at its heart, the “quantitative” approach is “qualitative”.  That step is the choice of mathematical model that is used to extrapolate and interpolate between actual data points.  In some cases, there are enough data points that the choice of model can be based upon somewhat less subjective fit criteria.  But in other cases, that level of data is reached by shortening the time step for observations and THEN making heroic (and totally subjective) assumptions about the relationship between successive time periods.

These subjective decisions are all made to enable the modelers to make a connection between the middle of the distribution, where there usually is enough data to reliably model outcomes and the tail, particularly the adverse tail of the distribution where the risk calculations actually take place and where there is rarely if ever any data.

There are only a couple of subjective decisions possibilities, in broad terms…

• Benign – Adverse outcomes are about as likely as average outcomes and are only moderately more severe.
• Moderate – Outcomes similar to the average are much more likely than outcomes significantly different from average.  Outcomes significantly higher than average are possible, but likelihood of extremely adverse outcomes are extremely highly unlikely.
• Highly risky – Small and moderately adverse outcomes are highly likely while extremely adverse outcomes are possible, but fairly unlikely.

The first category of assumption, Benign,  is appropriate for large aggregations of small loss events where contagion is impossible.  Phenomenon that fall into this category are usually not the concern for risk analysis.  These phenomenon are never subject to any contagion.

The second category, Moderate, is appropriate for moderate sized aggregations of large loss events.  Within this class, there are two possibilities:  Low or no contagion and moderate to high contagion.  The math is much simpler if no contagion is assumed.

But unfortunately, for risks that include any significant amount of human choice, contagion has been observed.  And this contagion has been variable and unpredictable.  Even more unfortunately, the contagion has a major impact on risks at both ends of the spectrum.  When past history suggests a favorable trend, human contagion has a strong tendency to over play that trend.  This process is called “bubbles”.  When past history suggests an unfavorable trend, human contagion also over plays the trend and markets for risks crash.

The modelers who wanted to use the zero contagion models, call this “Fat Tails”.  It is seen to be an unusual model, only because it was so common to use the zero contagion model with the simpler maths.

RISKVIEWS suggests that when communicating that the  approach to modeling is to use the Moderate model, the degree of contagion assumed should be specified and an assumption of zero contagion should be accompanied with a disclaimer that past experience has proven this assumption to be highly inaccurate when applied to situations that include humans and therefore seriously understates potential risk.

The Highly Risky models are appropriate for risks where large losses are possible but highly infrequent.  This applies to insurance losses due to major earthquakes, for example.  And with a little reflection, you will notice that this is nothing more than a Benign risk with occasional high contagion.  The complex models that are used to forecast the distribution of potential losses for these risks, the natural catastrophe models go through one step to predict possible extreme events and the second step to calculate an event specific degree of contagion for an insurer’s specific set of coverages.

So it just happens that in a Moderate model, the 1 in 1000 year loss is about 3 standard deviations worse than the mean.  So if we use that 1 in 1000 year loss as a multiple of standard deviations, we can easily talk about a simple scale for riskiness of a model:

So in the end the choice is to insert an opinion about the steepness of the ramp up between the mean and an extreme loss in terms of multiples of the standard deviation.  Where standard deviation is a measure of the average spread of the observed data.  This is a discussion that on these terms include all of top management and the conclusions can be reviewed and approved by the board with the use of this simple scale.  There will need to be an educational step, which can be largely in terms of placing existing models on the scale.  People are quite used to working with a Richter Scale for earthquakes.  This is nothing more than a similar scale for risks.  But in addition to being descriptive and understandable, once agreed, it can be directly tied to models, so that the models are REALLY working from broadly agreed upon assumptions.

*                  *                *               *             *                *

So now we go the “Qualitative” determination of the risk value.  Looking at the above discussion, RISKVIEWS would suggest that we are generally talking about situations where we for some reason do not think that we know enough to actually know the standard deviation.  Perhaps this is a phenomenon that has never happened, so that the past standard deviation is zero.  So we cannot use the multiple of standard deviation method discussed above.  Or to put is another way, we can use the above method, but we have to use judgment to estimate the standard deviation.

*                  *                *               *             *                *

So in the end, with a Q1 “quantitative” approach, we have a historical standard deviation and we use judgment to decide how risky things are in the extreme compared to that value.  In the Q2 “qualitative” approach, we do not have a reliable historical standard deviation and we need to use judgment to decide how risky things are in the extreme.

Not as much difference as one might have guessed!

Risk Appetite is the Boundary

Actually, it is two boundaries.

First, it is the boundary between Management and the Board with regard to risk.

• If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
• If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans.  (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)

 

Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.

• Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
• Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)

Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie.  And set their risk appetite to be near or even at those boundaries.

Just Stop IT! Right Now. And Don’t Do IT again.

IT is a medieval, or possibly pre-medieval practice for evaluating risks.  That is the assignment of a single Frequency and Severity pair to each risk and calling that a risk evaluation.

In the mid 1700’s Daniel Bernoulli wrote:

EVER SINCE mathematicians first began to study the measurement of risk there has been general agreement on the following proposition: Expected values are computed by multiplying each possible gain by the number of ways in which it can occur, and then dividing the sum of these products by the total number of possible cases where, in this theory, the consideration of cases which are all of the same probability is insisted upon. If this rule be accepted, what remains to be done within the framework of this theory amounts to the enumeration of all alternatives, their breakdown into equi-probable cases and, finally, their insertion into corresponding classifications.

Many modern writers attribute this process to Bernoulli but this is the very first sentence of his “Exposition of a New Theory for Measuring Risk” published in 1738.  He suggests that the idea is so common in his time that he does not cite an original author.  His work is not to prove that this basic idea is correct, but to propose a new methodology for implementing.

It is hard to say how the single pair idea (i.e. that a risk can be represented by a sing frequency/severity pair of values) has crept into basic modern risk assessment practice, but it has. And it is firmly established.  But in 1738, Bernoulli knew that each risk has many possible gain amounts.  NOT A SINGLE PAIR.

But let me ask you this…

How did you pick the particular pair of values that you use to characterize any of your risks?

You see, as far as RISKVIEWS can tell, Bernoulli was correct – each and every risk has an infinite number of such pairs that are valid.  So how did you pick the one that you use?

Take for an example, the risk of a fire.  There are an infinite number of possible fires that could happen.  Some more likely and some less likely.  Some would do lots of damage some only a little.  The likelihood of a fire is not actually always related to the damage.  Some highly unlikely fires might be very small and low damage.  Hopefully, you do not have the situation of a likely high damage fire.  But all by itself, you could make up a frequency severity heat map for any single risk with many points on the chart.

So RISKVIEWS asks again, how do you pick which point from that chart to be the one single point for your main risk report and heat map?

And those heat maps that you are so fond of…

Do you realize that the points on the heat map are not rationally comparable?  That is because there is no single criteria that most risk managers use to pick the pairs that they use.  To compare values they need to have been selected by applying the same exact criteria.  But usually the actual criteria for choosing the pairs is not clearly articulated.

So here you stand, you have a risk register that is populated with these bogus statistics.  What can you do to move away towards a more rational view of your risks?

You can start to reveal to people that you are aware that your risks are NOT fully measured by that single statistic.  Try revealing some additional statistics about each risk on your risk register:

• The Likelihood of zero (or an inconsequential low amount) loss from each risk in any one year
• The Likelihood of a loss of 1% of earnings or more
• The expected loss at a 1% likelihood (or 1 in 100 year expected loss)

Try plotting those values and show how the risks on your risk register compare.  Create a heat map that plots likelihood of zero loss against expected loss at a 1% likelihood.

Those values are then comparable.

So stop IT.  Stop misinforming everyone about your risks.  Stop using frequency severity pairs to represent your risks.

 

Supporting Success with Risk Management

Risk Management is often seen as the Business Prevention Department and the Chief Risk Officer as the Wizard of NO.

But in some ways that can be seen as a glass half full, half empty sort of thing.

A major and sometimes neglected aspect of risk management relates to dealing with the planning for and execution of major changes.  We call this CHANGE RISK MANAGEMENT.

If we think of the Control Cycle as the major manifestation of risk management, Change Risk Management is the special process that is followed to make sure that important new things get on to the Control Cycle without stumbling.

Many times, these changes are the future of the company.  They are the new products, new distribution systems, new territories and acquisitions that will change the course of the company’s path forward.

The Change Risk management process can be performed as Business Prevention or it can be a support to the success of the company.  A good Change Risk Management process will help to identify the ways that the new activity might fail or might harm the firm.  If the Change Risk Management process is designed properly, the Risk Management inputs of that sort can be brought into the process in plenty of time to correct the problems that cause the concerns.  In that sense, fixing those problems adds to the potential success of the company.

But if Risk Management is brought very late to the process, many people have become invested in the change as it is currently planned and any input from risk management that something might go wrong is seen as an attempt to scuttle the project.

So timing and attitude are the two things that make the Change Risk Management process something that supports the success of the company.

 

 

What is Real?

Two quotes about what is real…

“A fundamental part of every culture is a set of assumptions about what is real and how one determines or discovers what is real.  These assumptions do, of course, relate to other assumptions … the focus here is about how members of a group determine what is relevant information, how they interpret information, how they determine whether or not to act, and what action to take.”

Edgar Shein

“Reality is that which, when you stop believing in it, doesn’t go away.”

Phillip K Dick

Both of these quotes are highly applicable to Risk.

Risk, you see is not Real in the sense that Philip Dick defines reality.  But Risk is real in the Edgar Shein version of reality.

Because Risk is never there later.  Risk is a potential for a loss.  Later you have either had the loss or not.

You can never tell, even later, after the bets are settled, whether something was risky or not.  You can only tell whether you won or lost.  The outcome could have been a certainty, driven by factors that those who thought it was risky are unaware.

 

 

 

The Risk Balancing Act

All firms are performing a difficult balancing act.  They are balancing the need to go out and take risks by doing something to expand their businesses with the need to be safe and secure.  Most firms have found a happy spot – at least for now – in that balancing act.

Firms in the risk business are doing a double balancing act.  They always have the same sort of risk of failure that all businesses have – that is the risk that they will not have enough customers.  In addition, they have the risk that the business that they have captured may just blow up in their faces with claims or losses far in excess of their expectations.

So when a firm in the risk taking business learns how to survive their dual balancing act, they will be very sensible if they are very, very reluctant to make changes to their process for balancing.  They are going to be extremely skeptical if the advice for change comes from someone – a regulator or member of their own company’s risk management team – who has not real world experience of this balancing.

To most of the successful managers of risk taking firms, ERM seems like an awkward and unnatural process.  To them, ERM manuals read like a book of detailed instructions on how to breathe.

That is because these firms all have plenty of risk management already.

However, the ERM imperative from the regulators and rating agencies requires that they explain that risk management and that they adopt some formal processes and documentation that was not, in their opinion, needed.

There are two approaches to achieving the ERM that is wanted by these outside forces:

• Clean Slate – work to install a comprehensive ERM program as if on a clean slate, ignoring or replacing all existing risk management activities.  This results in a complete ERM program that will fulfill all of the external requirements.
• Augmentation – work to carefully understand the existing risk management system.  Start by documenting the strengths of that system.  Next move to identifying the weaknesses of that system and then making adjustments and additions to improve risk management performance in those areas of weakness.

RISKVIEWS strongly favors the second approach.  RISKVIEWS has observed that many firms following the Clean Slate approach never complete the installation of the new ERM system, or if they do complete it, they abandon it after a short time period.  Firms following the Augmentation approach also will falter with installation but they have usually added to their ability to explain what they already do well and may have added a few new risk management practices that actually enhance their business.

The first step in the Augmentation approach is to develop an understanding of the possibilities that an ERM program presents and to choose from those possibilities the practices that the firm will want to include in its ERM program.  Those possibilities include:

• A strict control process for risks that the firm has a zero tolerance for.
• Risk measurement and tracking for control of the risks that the firm wants to limit exposures.
• Risk based pricing for those risks that the firm takes to make its profits to assure that the sales that are one of the primary objectives of the firm are supporting the long term performance of the enterprise.
• A risk profile that communicates the relationship between plans and risks taking over time.
• A process for assessing and maintaining adequate capital for the risks taken by the firm.
• Risk capital allocation to support the process of optimization of risk adjusted returns.
• Communication of risk management processes for the board and outside audiences.
• An assurance process regarding continuous implementation of the risk management program.

Once management selects the ERM practices that they want for their ERM program, they then need to go through the self assessment exercise.

More on that in a following post…..

Integration of ERM into a Corporate Environment

By Max J. Rudolph, FSA CFA CERA MAAA

This is an excerpt from a paper that was submitted to the North American CRO Council 2013 Call for Papers on October 11, 2013.

 

Enterprise risk management can be an exercise in adding value or simply another in a long list of buzz words popular with directors, investors and rating agencies. It may even be seen as a roadblock and interventionist tool by company management. An appropriate balance must be maintained. What is the right mix of constraints versus growth, qualitative versus quantitative analysis, and short versus long time horizons? These are all questions that the successful ERM process must resolve to build transparency around all risks and build firm resilience.

 

Company resources are tight, and ERM is viewed by some simply as a cost. In the annual Survey of Emerging Risks that I author we continually find more being asked of risk managers, but without commensurate resources being added. Risk culture is the driver here. Where risk is embedded in a firm, both top-down and bottom-up, it is recognized that better decisions are made by considering all types of risks.

 

Unfortunately many Risk Departments are set up to fail by focusing entirely on constraints, being able to stop a project but not being viewed as a partner who understands how risks aggregate and interact to increase returns. The prior reputation of the risk team predetermines its success, and this is driven from the top. If senior management involves the risk team early in new product development, for example, they are able to suggest adjustments that may lead to a more stable product or provide an internal hedge against a product sold in another part of the company. If the CEO (Chief Executive Officer) views the risk team as a cost center then they will not be successful.

 

Organizational Structure

Each company must integrate the risk team into an existing organizational chart based on the underlying risk culture. At some companies the primary risks, typically at manufacturing or service focused firms, can be covered by insurance. The Chief Risk Officer (CRO) becomes a coordinator who seeks out competitive rates and coordinates insurer expertise with in-house risk mitigation. In this situation the CRO might report to the Chief Financial Officer (CFO) or Treasurer and be a low level officer or high level manager. The position rarely gets involved in strategic planning discussions and reports to the board are generally canned and informational, covering tactical plans and recent results. Key risk indicators typically provide lagging data.

 

Small firms will likely add the CRO duties, and sometimes the title, to the CFO as he is the primary provider of oversight at such firms. Reports to the board are part of normal financial disclosures and can incorporate strategic topics. Key risk indicators provide lagging information but can incorporate leading indicators as well.

Many larger financial firms, with higher levels of financial risk relative to operational risk, have a CRO position that reports to the board, with a dotted line to someone on the senior management team. This position often focuses on data collection and board presentations designed mostly to make the board able to say they have considered risks, or they can be a key management team member that engages the board to understand how the firm’s risk profile is evolving and the potential implications. Done right the focus is on leading risk indicators and brainstorming between areas. This has added benefits of oversight and succession planning.

 

Unfortunately, many firms rely primarily on quantitative data collected from experts in the business units rather than filling the risk team with business experts and experienced practitioners who can qualitatively question specific practices before they get out of control.

 

Large firms have an additional hurdle as they tend to be bureaucracies, and those who rise through the ranks have often avoided stressful challenges rather than acting as providers of useful contrarian advice. A small firm may have better risk management practices because the CRO has business experience that drives qualitative analysis rather than an overreliance on quantitative models. The largest companies tend to fall into a trap where complex models are developed and the shortcomings of those models are ignored or included in small print as a footnote. While quantitative analysis is important, everything that counts can’t be counted.

Best practice org chart: firms that want to improve their decision making should segment their risk management team between data collectors, where a consistent ERM process is developed and implemented, and strategic planning. The CRO should manage the planning process, making sure that consistent assumptions and models are input to consistent models. Interactions between areas, transparency and concentration risk should be considered. This position should report directly to the CEO, and perhaps not to the board, and be the primary source of common sense oversight to the management team. This natural skeptic must be protected politically by the CEO or it won’t work. Interestingly, this role could be filled externally by a consultant who provides honest feedback. Many firms will place employees with this type of expertise in senior management roles running a line or as CFO.

©2013 Rudolph Financial Consulting, LLC

The remainder of this essay is available here.

Attributes of Unsuccessful Companies

from Mike Cohen

(whether they have gone out of business or have underperformed)

1) Goals (most importantly financial) have not been clearly identified or calibrated, with a number of damaging consequences:

• It is not clear whether strategies being pursued will lead to the company achieving desired results
• Companies may not be able to quantify and qualify the potential impact of the risks they are taking relative to the goals they are trying to accomplish (Many firms!)
• The goals may not be realistic, and the company could be stretching beyond its capabilities and risk tolerance to attempt to achieve those goals (possibly becoming desperate)

2) Company does not have the necessary expertise or reputation to operate successfully in its chosen lines, for various reasons:

• Leading competitors have set standards that are not attainable by the company (Many firms, for example those pursuing the ‘Financial services supermarket’ model)
• Smaller companies seeking to compete ‘toe-to-toe’ with larger companies as opposed to executing niche strategies in segments the larger firms are not interested in
• Core competencies aren’t sufficiently robust (Many firms!)
• Competitive advantages are overstated (Many firms!)

3) Not accurately understanding the customer (product pushers are particularly susceptible)

• Being out of touch with current trends, needs, wants, attitudes, demographics
• Customers may not know what they want, exacerbating the problem (Steve Jobs’ theory, executed extremely successfully at Apple!). Following on this thought, can focus groups provide accurate, actionable input? The quip about ‘quality’ also comes to mind: “I can’t define quality, but I’ll know it when I see it”

4) Product performance is materially poorer than projected

• Pricing assumptions are missed, leading to lower margins or necessitating reserve strengthening
• Product features cause benefits to be paid that are much greater than anticipated (Variable annuities)
• Product guarantees are not effectively hedged (Again, variable annuities)

5) Risk management practices do not adequately address the company’s most important potential exposures, leading to:

• Taking risks that do not have commensurate returns
• Pursuing strategies or entering into transactions that have not been exhaustively vetted
• Inaccurately calibrating the potential adverse impact of risks taken (General American – Funding Agreements, AIG – Credit Default Swaps)
• Overestimating the company’s tolerance for risk, and underestimating stakeholders’ reactions to outsized risk exposures
• Weakened capital
• Suppressed earnings
• Asset-related issues: Erosion of principal, poor returns, constrained liquidity

6) Decision making culture and processes producing poor choices

• Inwardly focused decision making, placing greater value on what has been created internally than on what others (externally) have done, either individually or collectively, potentially missing out on higher-order thinking generated by groups and on critical perspectives of others
• Not recognizing dislocations, changed paradigms and fundamentals; slow and cautious reactions to new information
• Getting bad advice (including faulty research) or no advice (not realizing when they are at an information disadvantage), and not differentiating between helpful and harmful experts ahead of time
• Defensive attitude: Arrogance, cowardice, lack of openness to other ideas
• Ineffective problem solving
• Working only on problems that seemingly can be solved and avoiding those that appear difficult to solve
• Not admitting mistakes or misassumptions, tending to blame others for poor results as opposed to studying the causes for their own mistakes and fixing them.
• Not making corrections decisively, or overreacting
• Penalizing (punishing) associates for raising troublesome issues (Many companies!)

• Following the herd

Conclusion

• There probably isn’t a single attribute leading to company underperformance that couldn’t be successfully addressed if the company was so inclined.
• It is instructive to note that the causes leading to underperformance are not the ‘opposites’ of the attributes of successful companies. Every company strives to be successful, but unfortunately many haven’t realized their aspirations.

Michael A. Cohen, Principal of Cohen Strategic Consulting

Risk Culture gets the Blame

Poor Risk Culture has been often blamed for some of the headline corporate failures of the past several years.  Regulators and rating agencies have spoken out about what they would suggest as important elements of a strong risk culture and the following 10 elements all show up on more than one of those lists:

1.      Risk Governance – involvement of the board in risk management

2.      Risk Appetite – clear statement of the risk that the organization would be willing to accept

3.      Compensation – incentive compensation does not conflict with goals of risk management

4.      Tone at the Top – board and top management are publically vocal in support of risk management

5.      Accountability – Individuals are held accountable for violations of risk limits

6.      Challenge – it is acceptable to publically disagree with risk assessments

7.      Risk Organization – individuals are assigned specific roles to facilitate the risk management program, including a lead risk officer

8.      Broad communication /participation in RM – risk management is everyone’s job and everyone knows what is happening

9.      RM Linked to strategy – risk management program is consistent with company strategy and planning considers risk information

10.    Separate Measurement and Management of risk – no one assesses their own performance regarding risk and risk management

Those are all good things for a firm to do to make it more likely for their risk management to succeed, but this list hardly makes up a Risk Culture.

The latest WillisWire post in the ERM Practices series talks about Risk Culture from the perspective of the fundamental beliefs of the people in the organization about risk.

And RISKVIEWS has made over 50 posts about various aspects of risk culture.

Risk Culture Posts in RISKVIEWS

What if there are no clocks?

RISKVIEWS recently told someone that the idea of a Risk Control Cycle was quite simple.  In fact, it is just as simple as making an appointment and keeping it.

But what if you are in a culture that has no clocks?

Imagine how difficult the conversation might be about an appointment for 9:25 tomorrow morning.

That is the situation for companies who want to learn about adopting a risk control cycle who have no tradition of measuring risk.

The companies who have dutifully followed a regulatory imperative to install a capital model may think that they have a risk measurement system.  But that system is like a clock that they only look at once per month.  Not very helpful for making and keeping appointments.

Risk control needs to be done with risk measures that are available frequently.  That probably will mean that the risk measure that is most useful for risk control might not be as spectacularly accurate as a capital model.  The risk control process needs a quick measure of risk that can be available every week or at least every month.  Information at the speed of your business decision making process.

But none of us are really in a culture where there are no clocks.  Instead, we are in cultures where we choose not to put any clocks up on the walls.  We choose not to set times for our appointments.

I found that if you have a goal, that you might not reach it. But if you don’t have one, then you are never disappointed. And I gotta tell ya… it feels phenomenal.

from the movie Dodgeball

Who should do ERM?

Stress to reduce Distress

Distress lurks. Just out of sight. Perhaps around a corner, perhaps down the road just past your view.
For some their rule is “out of sight, out of mind”. For them, worry and preparation can start when, and if, distress comes into sight.

But risk managers see it as our jobs to look for and prepare for distress. Whether it is in sight or not. Especially because some sorts of distress come on so very quickly and some methods of mitigation take effect so slowly.
Stress testing is one of the most effective tools, both for imagining the potential magnitude of distresses, but almost more importantly, in developing compelling stories to communicate about that distress potential.

This week, Willis Wire is featuring a piece about Stress Testing in the “ERM Practices” series;

ERM Practices:  Stress Testing

RISKVIEWS has features many posts related to Stress Testing:

RISKVIEWS Archive of Posts related to Stress Testing

Whose Job is it to do ERM?

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job, is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assigning responsibility for the risk identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

ERM Practices: Risk Organization

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Identification

Risk Measurement

Risk Limits and Controls

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Risk Organization

CEO is still the Real CRO

Chief Scapegoat in Waiting

Tug of War

Doing ERM is the Control Cycle

RISKVIEWS has commented many times that Risk MANAGEMENT is not a spectator sport.  It is all about DOING.

If Risk Management never results in the firm DOING something different than what would have been done before Risk Management  – then STOP IMMEDIATELY.  You are wasting your time and money.

The DOING part of Risk Management is not particularly tricky or difficult.  Doing ERM is accomplished with a Control Cycle.

In fact Doing ERM is accomplished with one control cycle for each major risk and one control cycle over all risks in total.

WillisWire has recently featured a piece on risk limits and the risk control cycle that would apply to each major risk.

ERM Practices: Risk Limits and Controls

Which is from the 14 part ERM Practices for Insurance Company ORSA series.  The other pieces in that series so far are:

Risk Identification  and

Risk Measurement

RISKVIEWS has often posted about Control Cycles as well.  Here are two examples:

Controlling with a Cycle about the control cycles for each risks and

ERM Control Cycle about the overall ERM control of total risk

You need good Risk Sense to run an insurance company

It seems to happen all too frequently.

A company experiences a bad loss and the response of management is that they were not aware that the company had such a risk exposure.

For an insurance company, that response just isn’t good enough.  And most of the companies where management has given that sort of answer were not insurers.

At an insurance company, managers all need to have a good Risk Sense.

Risk Sense is a good first order estimate of the riskiness of all of their activities. 

Some of the companies who have resisted spending the time, effort and money to build good risk models are the companies whose management already has an excellent Risk Sense.  Management does not see the return for spending all that is required to get what is usually just the second digit.

By the way, if you think that your risk model provides reliable information beyond that second digit, you need to spend more time on model validation.

To have a reliable Risk Sense, you need to have reliable risk selection and risk mitigation processes.  You need to have some fundamental understanding of the risks that are out there in the areas in which you do business.  You also need to  be constantly vigilant about changes to the risk environment that will require you to adjust your perception of risk as well as your risk selection and mitigation practices.

Risk Sense is not at all a “gut feel” for the risk.  It is instead more of a refined heuristic.  (See Evolution of Thinking.)  The person with Risk Sense has the experience and knowledge to fairly accurately assess risk based upon the few really important facts about the risks that they need to get to a conclusion.

The company that needs a model to do basic risk assessment, i.e. that does not have executives who have a Risk Sense, can be highly fragile.  That is because risk models can be highly fragile.  Good model building actually requires plenty of risk sense.

The JP Morgan Chase experiences with the “London Whale” were a case of little Risk Sense and staff who exploited that weakness to try to get away with excessive risk taking.  They relied completely on a model to tell them how much risk that they were taking.  No one looked at the volume of activity and had a usual way to create a good first order estimate of the risk.  The model that they were using was either inaccurate for the actual situation that they were faced with or else it was itself gamed.

A risk management system does not need to work quite so hard when executives have a reliable Risk Sense.  If an executive can look at an activity report and apply their well honed risk heuristics, they can be immediately informed of whether there is an inappropriate risk build up or not.  They need control processes that will make sure that the risk per unit of activity is within regular bounds.  If they start to have approved activities that involve situations with much higher levels of risk per unit of activity, then their activity reports need to separate out the more risky activities.

Models are too fragile to be the primary guide to the level of risk.  Risk taking organizations like insurers need Risk Sense.

Can’t skip measuring Risk and still call it ERM

Many insurers are pushing ahead with ERM at the urging of new executives, boards, rating agencies and regulators.  Few of those firms who have resisted ERM for many years have a history of measuring most of their risks.

But ERM is not one of those liberal arts like the study of English Literature.  In Eng Lit, you may set up literature classification schemes, read materials, organize discussion groups and write papers.  ERM can have those elements, but the heart of ERM is Risk Measurement.  Comparing those risk measures to expectations and to prior period measures.  If a company does not have Risk Measurement, then they do not have ERM.

That is the tough side of this discussion, the other side is that there are many ways to measure risks and most companies can implement several of them for each risk without the need for massive projects.

Here are a few of those measures, listed in order of increasing sophistication:

1. Risk Guesses (AKA Qualitative Risk Assessment)
– Guesses, feelings
– Behavioral Economics Biases
2. Key Risk Indicators (KRI)
– Risk is likely to be similar to …
3. Standard Factors
– AM Best,  S&P, RBC
4. Historical Analysis
– Worst Loss in past 10 years as pct of base (premiums,assets).
5. Stress Tests
– Potential loss from historical or hypothetical scenario
6. Risk Models
– If the future is like the past …
– Or if the future is different from the past in this way …

More discussion of Risk Measurement on WillisWire:

Guide to ERM: Risk Measurement & Reporting

     Part 2 of a 14 part series

Start with a Risk Profile

And on RISKVIEWS:

Measuring Risks

Risk Assessment –  55 other posts relating to risk measurement and risk assessment.