Posted tagged ‘Business’

Keys to ERM – Adaptability

April 3, 2017


Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Updating your Risk Register

January 26, 2017

It is quite easy for an ERM program to become irrelevant.  All it takes is for it to stay the same for several years.  After just a few years, you will find that you risk management processes are focused upon the issues of several years ago.  You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing.  Some risks are become more dangerous while for others the danger is receding.  No firm anywhere has an unlimited budget for risk management.  So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register.  That is a hard message to sell.  Risk Identification is seen by most as the first baby step in initiating and ERM program.  How could a well developed, sophisticated ERM program need to go back to the first baby step.

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register.  That is because risk management is fundamentally a cycle rather than a a one way development process.  We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise.  For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.

2017’s most dangerous risks for insurers

We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”

Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.

Risk Trajectory – Do you know which way your risk is headed?

July 25, 2016


Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bare risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory.  Risk Trajectory is not a permanent aspect of a businesses risk strategy.  Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
  2. Your capacity to bare risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.


Management by Onside Kick

June 6, 2016

Many American football fans can recall a game when their team drove the ball 80 or more yards in the waning moments of the game to pull within a touchdown of the team that had been dominating them. Then they call for the on side kick – recover the ball and charge to a win within a few more plays.

But according to NFL stats, that onside kick succeeds only 20% of the time in the waning minutes of the game.

Mid game onside kicks – that are surprises – work 60% of the time.

But mostly it is the successful onside kicks that make the highlights reel. RISKVIEWS guesses that on the highlights those kicks are 80% or more successful.

And if you look back on the games of the teams that make it to the Super Bowl, they probably were successful the few times that they called that play.

What does that mean for risk managers?

Be careful where you get your statistics. Big data is now very popular. Winners use Big Data. So many conclude that it will give better indications. But make sure that your data inputs are not from highlight reels or from the records of the best year for a company.

Many firms use default data collected by rating agencies for example to parameterize their credit models. But the rating agencies would point out that the data is from rated companies only. This makes little difference for rated Bonds. There the bonds are rated from issue to maturity or default. But if you want to build a default model of insurers or reinsurers then you need to know that many insurers and some reinsurers will drop their rating if it falls below a level where it hurts their business. So ratings transition statistics for insurers are more like the highlight reels below a certain level.

Some models of dynamic hedging strategies were in effect taking the mid game success rates and assuming that they would apply in bad times. But like the onside kick, things worked very different.

So realize that a business strategy and especially a risk mitigation strategy may work differently when things have gone all a mess.

And an onside kick is nothing more than putting the ball in play and praying that something good will happen.

Real World Risks

December 16, 2015

There are many flavors of Risk Management.  Each flavor of risk manager believes that they are addressing the Real World.

  • Bank risk managers believe that the world consists of exactly three sorts of risk:  Market, Credit and Operational.  They believe that because that is the way that banks are organized.  At one time, if you hired a person who was a banking risk manager to manage your risks, their first step would be to organize the into those three buckets.
  • Insurance Risk Managers believe that a company’s insurable risks – liability, E&O, D&O, Workers Comp, Property, Auto Liability – are the real risks of a firm.  As insurance risk managers have expanded into ERM, they have adapted their approach, but not in a way that could, for instance, help at all with the Credit and Market risk of a bank.
  • Auditor Risk Managers believe that there are hundreds of risks worth attention in any significant organization. Their approach to risk is often to start at the bottom and ask the lowest level supervisors.  Their risk management is an extension of their audit work.  Consistent with the famous Guilliani broken windows approach to crime.  However, this approach to risk often leads to confusion about priorities and they sometimes find it difficult to take their massive risk registers to top management and the board.
  • Insurer Risk Managers are focused on statistical models of risk and have a hard time imagining dealing with risks that are not easily modeled such as operational and strategic risks.  The new statistical risk managers often clash with the traditional risk managers (aka the underwriters) whose risk management takes the form of judgment based selection and pricing processes.
  • Trading Desk Risk Managers are focused on the degree to which any traders exceed their limits.  These risk managers have evolved into the ultimate risk takers of their organizations because they are called upon to sometime approve breaches when they can be talked into agreeing with the trader about the likelihood of a risk paying off.  Their effectiveness is viewed by comparing the number of days that the firm’s losses exceed the frequency predicted by the risk models.

So what is Real World Risk?

Start with this…

Top Causes of death

  • Heart disease
  • stroke
  • lower respiratory infections
  • chronic obstructive lung disease
  • HIV
  • Diarrhea
  • Lung cancers
  • diabetes

Earthquakes, floods and Hurricanes are featured as the largest insured losses. (Source III)

Cat LossesNote that these are the insured portion of the losses.  the total loss from the Fukishima disaster is estimated to be around $105B.  Katrina total loss $81B. (Source Wikipedia)

Financial Market risk seems much smaller.  When viewed in terms of losses from trading, the largest trading loss is significantly smaller than the 10th largest natural disaster. (Source Wikipedia)

Trading LossesBut the financial markets sometimes create large losses for everyone who is exposed at the same time.

The largest financial market loss is the Global Financial Crisis of 2008 – 2009.  One observer estimates the total losses to be in the range of $750B to $2000B.  During the Great Depression, the stock market dropped by 89% over several years, far outstripping the 50% drop in 2009.  But some argue that every large drop in the stock market is preceded by an unrealistic run up in the value of stocks, so that some of the “value” lost was actually not value at all.

If your neighbor offers you $100M for your house but withdraws the offer before you can sell it to him and then you subsequently sell the house for $250k, did you lose $99.75M?  Of course not.  But if you are the stock market and for one day you trade at 25 time earnings and six months later you trade at 12 times earnings, was that a real loss for any investors who neither bought or sold at those two instants?

So what are Real World Risks?


Comments welcomed…


No Reward without Risk

September 29, 2015

Is that so? Well, only if you live in a textbook. And RISKVIEWS has not actually checked whether there really are text books that are that far divorced from reality.

Actually, in the world that RISKVIEWS has inhabited for many years, there are may real possibilities, for example:

  • Risk without reward
  • Reward without risk
  • Risk with too little Reward
  • Risk with too much Reward
  • Risk with just the right amount of reward

The reason why it is necessary to engage nearly everyone in the risk management process is that it is very difficult to distinguish among those and other possibilities.

Risk without reward describes many operational risks.

Reward without risk is the clear objective of every capitalist business.  Modern authors call it a persistent competitive advantage, old school name was monopoly.  Reward without risk is usually called rent by economists.

Risk with too little reward is what happens to those who come late to the party or who come without sufficient knowledge of how things work.  Think of the poker saying “look around the table and if you cannot tell who is the chump, it is you.”  If you really are the chump, then you are very lucky if your reward is positive.

Risk with too much reward happens to some first comers to a new opportunity.  They are getting some monopoly effects.  Perhaps they were able to be price setters rather than price takers, so they chose a price higher than what they eventually learned was needed to allow for their ignorance.  Think of Apple in the businesses that they created themselves.  Their margins were huge at first, and eventually came down to …

Risk with just the right amount of reward happens sometimes, but only when there is a high degree of flexibility in a market – especially no penalty for entry and exit.  Sort of the opposite of the airline industry.

No Reward Without Risk

Comparing Eagles and Clocks

August 11, 2015

Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify a HML for Frequency and Severity for each risk.  But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk.  Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor.  However, this process is frankly meaningless.  Like multiplying the number of carrots times the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk.  They can each be compared across all of the risks.  That is you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a realistic disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters.  You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at the consistently with other risks.

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:


Or two birds:


But you cannot compare a bird and a Clock:



And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons –

%d bloggers like this: