Posted tagged ‘Enterprise Risk Management’

Variety of Decision Making

July 20, 2022

Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.

Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.

Here are abstracts and links to the existing documents:

  1. Model Governance and Rational Adaptability in Enterprise Risk Management, January 2020, AFIR-ERM section of the International Actuarial Association. The problem context here is what has been called the “Insurance Cycle”. In this cycle we recognize four qualitatively different risk environments, or seasons of risk. We address the use of models for supporting an insurer’s decision making for enterprise risk management (ERM) across all four seasons of the cycle. In particular, the report focuses expressly on: first, the matter of governance for dealing with model risk; and, second, model support for Rational Adaptability (RA) at the transitions among the seasons of risk. This latter examines what may happen around the turning points in the insurance cycle (any cycle, for that matter), when the risk of a model generating flawed foresight will generally be at its highest.
  2. Modeling the Variety of Decision Making, August 2021, Joint Risk Management Section. The four qualitatively different seasons of risk call for four distinctly different risk-coping decision rules. And if exercising those strategies is to be supported and informed by a model, four qualitatively different parameterizations of the model are also required. This is the variety of decision making that is being modeled. Except that we propose and develop in this work a first blueprint for a fifth decision-making strategy, to which we refer as the adaptor. It is a strategy for assisting the process of RA in ERM and navigating adaptively through all the seasons of risk, insurance cycle after insurance cycle. What is more, the variety of everyday risk-coping decision rules and supporting models can be substituted by a single corresponding rule and model whose parameters vary (slowly) with time, as the model tracks the seasonal business and risk transitions.
  3. The Adaptor Emerges, December 2021, The Actuary Magazine, Society of Actuaries. The adaptor strategy focuses on strategic change: on the chops and changes among the seasons of risk over the longer term. The attention of actuaries coping with everyday risk is necessarily focused on the short term. When the facts change qualitatively, as indeed they did during the pandemic, mindsets, models, and customary everyday rules must be changed. Our adaptor indeed emerged during the pandemic, albeit coincidentally, since such was already implied in RA for ERM.
  4. An Adaptor Strategy for Enterprise Risk Management, April 2022, Risk Management Newsletter, Joint Risk Management Section. In our earlier work (2009-13), something called the “Surprise Game” was introduced and experimented with. In it, simulated businesses are obliged to be surprised and shaken into eventually switching their risk-coping decision strategies as the seasons of risk undergo qualitative seasonal shifts and transitions. That “eventually” can be much delayed, with poor business performance accumulating all the while. In control engineering, the logic of the Surprise Game is closely similar to something called cascade control. We show how the adaptor strategy is akin to switching the “autopilot” in the company driving seat of risk-coping, but ideally much more promptly than waiting (and waiting) for any eventual surprise to dawn on the occupant of the driving seat.
  5. An Adaptor Strategy for Enterprise Risk Management (Part 2), July 2022, Risk Management Newsletter, Joint Risk Management Section. Rather than its switching function, the priority of the adaptor strategy should really be that of nurturing the human and financial resources in the makeup of a business — so that the business can perform with resilience, season in, season out, economic cycle after economic cycle. The nurturing function can be informed and supported by an adaptor “dashboard”. For example, the dashboard can be designed to alert the adaptor to the impending loss or surfeit of personnel skilled in implementing any one of the four risk-coping strategies of RA for ERM. We cite evidence of such a dashboard from both the insurance industry and an innovation ecosystem in Linz, Austria.
  6. Adaptor Exceptionalism: Structural Change & Systems Thinking, March 2022, RISKVIEWS. Here we link Parts 1 and 2 of the Risk Management Newsletter article ((4) and (5) above). When we talk of “when the facts change, we change our mindsets”, we are essentially talking about structural change in a system, most familiarly, the economy. One way of grasping the essence of this, hence the essence of the invaluable (but elusive) systemic property of resilience, is through the control engineering device of a much simplified model of the system with a parameterization that changes relatively slowly over time — the adaptor model of document (2) above, in fact. This work begins to show how the nurturing function of the adaptor strategy is so important for the achievement of resilient business performance.
  7. Adaptor Strategy: Foresight, May 2022, RISKVIEWS. This is a postscript to the two-part Newsletter article and, indeed, its linking technical support material of document (6). It identifies a third possible component of an adaptor strategy: that of deliberately probing the uncertainties in business behaviour and its surrounding risk environment. This probing function derives directly from the principle of “dual adaptive control” — something associated with systems such as guided missiles. Heaven forbid: that such should be the outcome of a discussion between the control engineer, the actuary, and the anthropologist!

Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).

Risk Reward Management

January 25, 2022

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

In 2005, Standard & Poor’s called the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.

Pitfalls of Risk Reward Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
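The trade-off between stand-alone return and interdependence described earlier, and the correlation pitfall described above, can be seen in a small calculation. This is an added example, not part of the original post: it assumes variance-covariance aggregation of stand-alone economic capital (one common aggregation method), and every figure in it is constructed for illustration.

```python
import math

# Constructed figures (not from the post): stand-alone economic capital (EC)
# and expected profit for an existing two-line book and two candidate risks.
BOOK_EC = [80.0, 60.0]
BOOK_PROFIT = [9.0, 6.0]
BOOK_CORR = 0.25  # assumed correlation between the two existing lines

# Candidate A earns more per unit of stand-alone EC but is highly
# interdependent with the book; candidate B earns less but diversifies.
CANDIDATES = {
    "A": {"ec": 40.0, "profit": 6.0, "corr_with_book": 0.7},
    "B": {"ec": 40.0, "profit": 5.0, "corr_with_book": 0.1},
}


def aggregate_ec(standalone, corr):
    """Diversified EC = sqrt(sum_i sum_j c_i * c_j * rho_ij)."""
    total = 0.0
    for i, ci in enumerate(standalone):
        for j, cj in enumerate(standalone):
            total += ci * cj * corr[i][j]
    return math.sqrt(total)


def stress_toward_one(corr, weight):
    """Move every off-diagonal correlation a fraction `weight` of the way to 1.

    weight=0 keeps the modeled correlations; weight=1 is the
    "all correlations go to one" case.
    """
    return [
        [1.0 if i == j else rho + weight * (1.0 - rho) for j, rho in enumerate(row)]
        for i, row in enumerate(corr)
    ]


def portfolio_with(name, weight=0.0):
    """Risk/reward profile of the book plus one candidate, after diversification."""
    cand = CANDIDATES[name]
    k = cand["corr_with_book"]
    corr = [
        [1.0, BOOK_CORR, k],
        [BOOK_CORR, 1.0, k],
        [k, k, 1.0],
    ]
    corr = stress_toward_one(corr, weight)
    standalone = BOOK_EC + [cand["ec"]]
    ec = aggregate_ec(standalone, corr)
    profit = sum(BOOK_PROFIT) + cand["profit"]
    return {
        "standalone_return": cand["profit"] / cand["ec"],
        "diversified_ec": ec,
        "diversification_benefit": sum(standalone) - ec,
        "return_on_ec": profit / ec,
    }


def preferred_candidate(weight=0.0):
    """Candidate giving the higher total return on diversified EC."""
    return max(CANDIDATES, key=lambda n: portfolio_with(n, weight)["return_on_ec"])


if __name__ == "__main__":
    for w in (0.0, 0.5, 1.0):
        print(f"correlation stress weight = {w}")
        for name in CANDIDATES:
            p = portfolio_with(name, w)
            print(
                f"  add {name}: stand-alone return {p['standalone_return']:.1%}, "
                f"EC {p['diversified_ec']:.1f}, "
                f"diversification benefit {p['diversification_benefit']:.1f}, "
                f"return on EC {p['return_on_ec']:.2%}"
            )
        print(f"  preferred: {preferred_candidate(w)}")
```

With the modeled correlations the lower-return, low-correlation candidate is preferred; with correlations stressed to one the diversification benefit vanishes and the ranking reverses.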

Take Part in the 15th Survey of Emerging Risks

November 4, 2021
The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries will oversee an online survey to help understand individual risk managers’ perspectives on emerging risks. We value insights from all levels of experience and background and invite you to participate in this annual survey.
Please complete this survey by Nov. 22nd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. 
If you have questions about the survey, please contact Jan Schuh at the SOA Research Institute, jschuh@soa.org


You can see last year’s Emerging Risks Report HERE.

Risk Management Roles

October 18, 2021

Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles, many of which are part-time additions to already full-time positions, while some are full-time, risk-management-only roles. Smaller organizations tend to need an ERM operation with all part-timers. We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO role differs from organization to organization, but generally has some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer.  Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary. 

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for Value Added ERM, playing a major part in its implementation as well as in explaining the idea and the results to stakeholders. A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation. The CRO may be responsible for performing analysis of risk-adjusted plan proposals and for acting as a resource to business units for developing risk-adjusted proposals. As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework. There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. Intelligent ERM above); and to direct the application of resources for ERM activities that are outside of the risk management department.

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises. 

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board. These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department. The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO. The new responsibilities and authorities of the CRO are often completely new activities for an organization, or they may include carving some responsibilities and authorities out of existing positions. The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions. The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk.

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management. That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks. However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role. On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area. Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas. Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers. In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks. The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible for making a periodic report on the status of their risk and Risk Management to the governing Board. This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between the compliance role and the advisory role of the risk management department. Compliance is the natural role of Internal Audit, and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role’s scope. That question is whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or whether it should also have a role in reviewing the ERM Framework itself. To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO.

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual. While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.

For the CRO and the ERM program to be effective, the organization needs clarity on which aspects of risk management the CEO is directly delegating to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners. Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].


[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,

[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001

[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)

Risk Measurement & Reporting

October 18, 2021

Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applies to risk as well as it does to other more commonly measured things like sales, profits and expenses.

Regulators take a similar view; what gets measured should get managed. ORSA frameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.

This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.

From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.

The Need to Measure Up

Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identified.

Almost every CEO can cite the company’s latest figures for sales, expenses and profits, but very few know what the company’s risk position might be.

Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.

Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses: profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.

Risk, on the other hand, is all about things that might happen in the future: specifically, bad things that might happen in the future.

A risk measure reflects an opinion about the size of the exposure to future losses. All risk measures are opinions; there are no facts about the future. At least not yet.

Rationalizing Risk

There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.

That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.

To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes.

Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.

Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.

For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking activities.

With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.

Value at Risk

The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000. This value might represent the insurer’s risk capital target.

Contingent Tail Expectation

A similar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).

The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
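The two measures can be computed directly from a stochastic model run. The following is an added example, not code from the original post: it reads "990th worst out of 1000" as the 990th outcome when losses are ordered from smallest to largest (an assumption about the intended ranking), and the loss model in `simulate_annual_losses` is a constructed toy, not a calibrated insurer model.

```python
import math
import random
from statistics import mean


def var_cte(losses, level=0.99):
    """Return (VaR, CTE) at `level` from a list of simulated losses.

    VaR is the outcome at rank ceil(level * n) when losses are ordered from
    smallest to largest (99th of 100, 990th of 1000). CTE is the average of
    the outcomes ranked beyond it, i.e. the ones worse than the VaR.
    """
    if not 0 < level < 1:
        raise ValueError("level must be strictly between 0 and 1")
    ordered = sorted(losses)
    n = len(ordered)
    # round() guards against float noise such as 0.99 * 1000 = 989.9999...
    rank = math.ceil(round(level * n, 9))
    tail = ordered[rank:]
    if not tail:
        # e.g. 50 outcomes at 99%: no outcome lies beyond the VaR rank
        raise ValueError("too few outcomes to estimate the tail at this level")
    return ordered[rank - 1], mean(tail)


def average_shortfall(losses, capital):
    """Average amount by which losses exceed `capital`, over the outcomes
    where capital is exhausted (the 'insolvent' runs)."""
    short = [x - capital for x in losses if x > capital]
    return mean(short) if short else 0.0


def simulate_annual_losses(n_runs, seed=2021):
    """Constructed toy model: attritional losses plus a rare catastrophe."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_runs):
        attritional = rng.lognormvariate(math.log(50.0), 0.25)
        # 4% of runs include a heavy-tailed catastrophe loss
        cat = 40.0 * rng.paretovariate(1.8) if rng.random() < 0.04 else 0.0
        losses.append(attritional + cat)
    return losses


if __name__ == "__main__":
    runs = simulate_annual_losses(1000)
    var99, cte99 = var_cte(runs, 0.99)
    print(f"99% VaR (capital target): {var99:8.1f}")
    print(f"99% CTE:                  {cte99:8.1f}")
    print(f"CTE - VaR:                {cte99 - var99:8.1f}")
    print(f"avg shortfall at VaR cap: {average_shortfall(runs, var99):8.1f}")
```

The last two printed figures agree, which is the interpretation given above: with capital held at the 99% VaR, CTE minus VaR is the average loss left unpaid in the runs where capital is exhausted.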

Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.

Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.

In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.

Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.

Key Risk Indicators

Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.

For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be difficult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic forecasts as risk indicators.

Of course, simply measuring risk is insufficient. The results of the measurement must be communicated to people who can and will use the risk information to appropriately steer the future activity of the company.

Risk Dashboard

Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.

With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.

The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.

Dashboard Example

Risk Intelligence II

February 28, 2019

Somehow it worked.

Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.

They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.

But I think that you could do the same thing with long division. Certainly with calculus. Compare answers of rubes on the sidewalk to math PhDs on a bunch of math questions and how well do you think the rubes would do?

Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.

I am sure that no-one with any Risk Intelligence would have bet against that finding.

Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.

But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.

Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.

And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.

Their conclusion could have been that many of us need basic financial and risk education, better understanding of how to accumulate helpful experiences and some basic analytical skills. Not as much fun as a long list of cutely named biases, but much more helpful.

ERM is not the End, It is the Means

June 9, 2015

As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management.  Probably because they are the survivors.  Perhaps there was much less Risk Management in the failed insurers.

So if they already have Risk Management, why do they need ERM? 

There are four possible reasons:

  1. Discipline – the sports teams with the most discipline win most championships. The coach can count on the players to execute the same way every time. In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time. ERM expects that discipline, but ERM operates on a trust but verify approach. Perhaps leaning more on the verify than the trust. So when an Insurer adds ERM to its already pretty full Risk Management processes, they are opting for Risk Management that is totally reliable because it has discipline.
  2. Transparency – much of the existing Risk Management in an insurer is a fairly private affair. It is done by the folks who need to be doing it but they rarely talk about it. When ERM comes along, it seems that the number of reports goes up. Some of those reports are of absolutely no help to the folks who are doing Risk Management. Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected. In one sense, Risk Management is all about making sure that some things rarely or never happen. This Transparency about the actions that result in nothing happening provides the records that need to be kept for the defense of the Risk Manager as well.
  3. Alignment – most of the existing Risk Management grew up as the insurer grew up. That is a good thing because the Risk Management can be totally incorporated into all practices. But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company. The key element to that process is a Risk Tolerance. With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
  4. Resiliency – system resilience is not a usual part of traditional Risk Management. Traditional Risk Management is most often about defending the status quo. Resilience is all about figuring out how best to adapt. Within ERM is a process called Emerging Risks Management. Emerging Risks Management is all about preparing for the risks that are definitely not yet banging on the door. They may be far down the road or around the bend. Emerging Risks Management is an exercise process that builds Resilience Muscles.

Those are the Ends.  ERM is the means to get to those ends.

Out of Sight can lead to Out of Mind

February 12, 2015

Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away. It is quite common that there are only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

How to Build and Use a Risk Register

December 18, 2014

From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

ERM: Who is Responsible?

November 7, 2014

The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

Risk Culture, Neoclassical Economics, and Enterprise Risk Management

September 22, 2014

Financial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neo Classical Economics clash with the recommended risk practices and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neo Classical Economics beliefs.

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

September 2, 2014

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Speakers: 
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re

Registration

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management. It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today. This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line. Practices have been adopted, ignored, misused. Blow ups have happened. Some of those blow ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow ups and the next generation of Risk Management programs incorporated those learnings. 

The most important thing to know about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll up your sleeves and do it risk management.  Promoting that sort of Risk Management is the objective of this Blog. 

 

 

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness“.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counter parties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM. The CRO should not be an independent advocate for risk management; the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.
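The Aggregation failure described above can be shown exactly, without simulation. This is an added example, not part of the original post: the portfolio (10 exposures, a loss of 100 each, a 2% chance of loss per exposure, and a shared counterparty that fails 1.5% of the time) is constructed, and the function names are hypothetical. Both models give every exposure the same 2% chance of loss and the same expected total loss; only the dependence differs.

```python
from math import comb


def pmf_independent(n, p):
    """Exact distribution of the number of losses among n independent
    exposures, each with probability p of a loss (binomial)."""
    return [comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(n + 1)]


def pmf_common_counterparty(n, p, c):
    """Same marginal probability p per exposure, but with probability c a
    counterparty shared by all n exposures fails and every one of them
    takes a loss at once. Otherwise losses are independent, with the
    idiosyncratic probability q chosen so the marginal stays at p."""
    if not 0 <= c <= p:
        raise ValueError("need 0 <= c <= p to keep the marginal at p")
    q = 1 - (1 - p) / (1 - c)
    pmf = [(1 - c) * x for x in pmf_independent(n, q)]
    pmf[n] += c
    return pmf


def var_from_pmf(pmf, loss_per_event, level=0.99):
    """Smallest total loss whose cumulative probability reaches `level`."""
    cumulative = 0.0
    for k, prob in enumerate(pmf):
        cumulative += prob
        if cumulative >= level - 1e-12:
            return k * loss_per_event
    return (len(pmf) - 1) * loss_per_event


def expected_loss(pmf, loss_per_event):
    return sum(k * prob for k, prob in enumerate(pmf)) * loss_per_event


# Constructed portfolio: 10 exposures, loss of 100 each, 2% marginal chance.
N, P, C, LOSS = 10, 0.02, 0.015, 100
INDEPENDENT = pmf_independent(N, P)
SHARED = pmf_common_counterparty(N, P, C)

if __name__ == "__main__":
    for name, pmf in (("independent", INDEPENDENT), ("shared counterparty", SHARED)):
        print(f"{name:20s} expected loss {expected_loss(pmf, LOSS):6.1f}  "
              f"99% VaR {var_from_pmf(pmf, LOSS):6d}")
```

Assuming independence gives a 99% VaR of 200; with the shared counterparty the 99% VaR is 1000, the whole portfolio, although each risk looks identical when measured on its own.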

What kind of Stress Test?

June 25, 2014

What kind of future were you thinking of when you constructed your stress tests?  Here are six different visions of the stressed future that have been the basis for stress tests.

  • Historical Worst Case – Worst experience in the past 20 – 25 years
  • Normal Variability – Stress falls within expected range for a normal five year period
  • Adverse Environment Variability – Stress falls within expected range for a five year period that includes general deterioration such as recession or major weather/climate deviation
  • Future Realistic Disaster – Worst experience that is reasonably expected in the future (even if it has never happened)
  • Adverse Environment Disaster – Worst experience that is reasonably expected in the future if the future is significantly worse than the past
  • Future Worst Case – Maximum plausible loss that could occur even if you believe that likelihood is extremely remote

Here is a long list of stress scenarios that comes from the exposure draft of the NAIC document for ORSA reviewers:

1. Credit

• Counterparty exposure (loss of specified amount to reinsurer, derivatives party, supplier)
• Equity securities (40%/50% drop, no growth in stocks in 3 years)
• General widening of credit spreads (increase in defaults)
• Other risk assets

2. Market

• 300 basis point pop up in interest rates
• Prolonged low interest rates (10 year treasury of 1%)
• Material drop in GDP & related impacts
• Stock market crash or specific extreme condition (Great Depression)
• Eurozone collapse
• U.S. Treasury collapse
• Foreign currency shocks (e.g. percentages)
• Municipal bond market collapse
• Prolonged multiple market downturn (e.g. 2008/2009 crisis/or 1987 stock market drop-or 50% drop in equities, 150bp of realized credit losses)

3. Pricing/Underwriting

• Significant drop in sales/premiums due to varying reasons
• Impact of 20% reduction in mortality rates on annuities
• Material product demonstrates specific losses (e.g. 1 in 20 year events)
• Severe pandemic (e.g. Avian bird flu based upon World Health Organization mortality assumption)
• California and New Madrid earthquakes, biological, chemical or nuclear terrorist attacks in locations of heaviest coverage (consider a specified level of industry losses)
• Atlantic hurricane (consider a specified level of industry losses previously unseen/may consider specified levels per different lines of coverage) in different areas (far northeast, northeast, southeast, etc.)
• U.S. tornado over major metropolitan area with largest exposure
• Japanese typhoon/earthquake (consider a specified level of industry losses previously unseen)
• Major aviation/marine collision
• Dirty bomb attack
• Drop in rating to BB

4. Reserving

• Specified level of adverse development (e.g. 30%)
• Regulatory policy change requires additional reserves (e.g. 30%)

5. Liquidity

• Catastrophe results in material immediate claims of 3X normalized amounts
• Call on any existing debt
• Material spike in lapses (e.g. 3X normal rates)
• Drop in rating to BB

6. Operational

• Loss of systems for 30 days
• Terrorist act
• Cybercrime
• Loss of key personnel
• Specified level of fraud within claims

7. Legal

• Material adverse finding on pending claim
• Worst historical 10 year loss is multiplied at varying levels

8. Strategic

• Product distribution breakup

9. Reputational

• PR crisis
• Drop in rating to BB

These seem to RISKVIEWS to fall into all six of the categories.  Many of these scenarios would fall into the “Normal Volatility” category for some companies and into the worst historical for others.  A few are in the area of “Future Worst Case” – such as the Treasury Collapse.

RISKVIEWS suggests that when doing Stress Testing, you should decide what sort of Stress you are intending. You may not agree with RISKVIEWS categories, but you should have your own categories. It might be a big help to the reader of your Stress Test report to know which sort of stress you think that you are testing. They may or may not agree with you on which category your Stress Scenario falls into, and that would be a valuable, revealing discussion.

Deciding “What Should We Do?” in the Risk Business

January 8, 2014

Risk models can be used primarily to answer two very important questions for an enterprise whose primary activity is the risk business.

  1. How did we do?
  2. What should we do?

The “how did we do” question looks backwards on the past, usually for 90 days or a full year.  For answering that question properly for a firm in the risk business it is absolutely necessary to have information about the amount of risk that the firm is exposed to during that period.

The “what should we do” question looks forward on the future.  The proper time period for looking forward is the same as the length of the shadow into the future of the decision.  Most decisions that are important enough to be brought to the attention of top management or the board of a company in the risk business have a shadow that extends past one year.

That means that the standard capital model with its one year time frame should NOT be the basis for making WHAT SHOULD WE DO? decisions.  That is, unless you plan on selling the company at the end of the year.

Let’s think about it just a little bit.

Suppose the decision is to buy a laptop computer for the business use of one of the employees of an insurer.  You can use two streams of analysis for that decision.  You can assume that the only use of that computer is the utility that can be had from it during the calendar year of purchase, after which you plan to sell the computer, along with the rest of the company, at the end of the calendar year.  The computer is valued at the end of the year at a fair market value.  Or you can project forward the utility that you will get from that employee having a computer over its useful life, perhaps three years.

The first calculation is useful.  It tells us “HOW DID WE DO?” at the end of the calendar year.  But it is not a sensible basis to make the decision about whether to buy the computer or not.  The reason for that is not because there is anything wrong with the calendar year calculation.  In theory, you could even run your company by deciding at the end of each calendar year, whether you wanted to continue running the company or not.  And then if you decide to continue, you then must decide whether to sell every laptop or not, and similarly to sell every part of your business or not.

Most companies will automatically make the decision to continue, will not consider selling every part of their company, even if they have gone through the trouble of doing a “for sale” valuation of everything.  That approach fits better with Herbert Simon’s “Satisficing” idea than with the theory of maximizing value of the enterprise.

But from a less theoretical point of view, putting absolutely everything on the table for a decision could be very time consuming.  So what most companies do is to imagine a set of conditions for the future when a decision is made and then, as the future unfolds, if it does not deviate significantly from those assumptions, decisions are not reopened.  But unfortunately, at many companies, this process is not an explicit conscious process.  It is more vague and ad hoc.

Moving away from laptops to risk.  For a risk decision, first notice that almost all risk decisions made by insurers will have an effect for multiple years.  But decision makers will often look forward one year at financial statement impact.  They look forward one year at a projection of the answer to the “How did we do?” question.  This will only produce a full indication of the merit of a proposal if the forward looking parts of the statement are set to reflect the full future of the activity.

The idea of using fair value for liabilities is one attempt to put the liability values on a basis that can be used for both the “How did we do?” and the “What should we do?” decisions.

But it is unclear whether there is an equivalent adjustment that can be made to the risk capital.  To answer “How did we do?” the risk capital needed has been defined to be the capital needed right now.  But to determine “What should we do?”, the capital effect that is needed is the effect over the entire future.  There is a current year cost of capital effect that is easily calculated.

But there is also the effect of the future capital that will be tied up because of the actions taken today.

The argument is made that by using the right current year values, the decisions can really be looked at as a series of one year decisions.  But that fails to be accurate for at least two reasons:

  • Friction in selling or closing out of a long term position.  The values posted, even though they are called fair value, rarely reflect the true value less transaction costs that could be received or would need to be paid to close out of a position.  It is another one of those theoretical fictions like a frictionless surface.  Such values might be a good starting point for negotiating a sale, but anyone who has ever been involved in an actual transaction knows that the actual closing price is usually different.  Even the values recorded for liquid assets like common equity are not really the amounts that can be achieved at sale tomorrow for anyone’s actual holdings.  If the risk that you want to shed is traded like stocks AND your position is not material to the amounts normally traded, then you might get more or less than the recorded fair value.  However, most risk positions that are of concern are not traded in a liquid market and in fact are usually totally one of a kind risks that are expensive to evaluate.  A potential counterparty will seek through a hearty negotiation process to find your walk away price and try to get just a little bit more than that.
  • Capital Availability – the series of one year decisions idea also depends on the assumption that capital will always be available in the future at the same cost as it is currently.  That is not always the case.  In late 2008 and 2009, capital was scarce or not available.  Companies who made commitments that required future capital funding were really scrambling.  Many ended up needing to change their commitments and others who could not had to enter into unfavorable deals to raise the capital that they needed, sometimes needing to take on new partners on terms that were tilted against their existing owners.  At other times, cheap capital suddenly becomes dear.  That happened when letters of credit that had been used to fulfill offshore reinsurer collateral requirements suddenly counted when determining bank capital, which resulted in a 300% increase in cost.

RISKVIEWS says that the one year decision model is also just a bad idea because it makes no sense for a business that does only multi year transactions to pretend that they are in a one year business.  It is a part of the general thrust in financial reporting and risk management to try to treat everything like a bank trading desk.  And also part of a movement led by CFOs of the largest international insurers to seek to only have one set of numbers used for all financial decision-making.  The trading desk approach gave a theoretical basis for a one set of numbers financial statement.  However, like much of financial economics, the theory ignores a number of major practicalities.  That is, it doesn’t work in the real world at all times.

So RISKVIEWS proposes that the solution is to acknowledge that the two decisions require different information.

You actually have to run on the treadmill . . .

December 19, 2013

Yes, that is right. Just buying a treadmill has absolutely no health benefits.


And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attention to the signals that it sends.

And you can count on the risk management system being disruptive.  In fact, if it is not disruptive, then you should shut it down. 

The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it.  But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.

Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes. 

Risk management is a control system that focuses on three things:

  • Riskiness of accepted risks
  • Volume of accepted risks
  • Return from accepted risks

The disruptions caused by an actual active risk management system fall into those three categories:

  • Business that would have been accepted prior to the risk management system is now deemed to be unacceptable because it is too risky.  Rejection of business or mitigation of the excess risk is now required.
  • Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive.  Rejection of business or mitigation of the excess risk is now required. 
  • Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved.  Business emphasis is now shifted to alternatives with a better return for risk. 

Some firms will find the disruptions less than others, but there will almost always be disruptions. 

The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted.  That is worst case because those major disruptive situations are actually where the risk management system pays for itself.  If the risk management system only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.

Reviewing Risk Culture

November 4, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Culture is the combination of the behaviours of people in the company  – often described as “the way we do things around here”.  All organisations have a risk management culture.  Risk culture is the shared attitudes, values and practices that characterize how a company considers risk in its day-to-day activities. For some companies, the risk culture flows from an explicit risk philosophy and risk appetite.  The risk culture should support the goals, activities and desired outcomes of the company while mitigating the risks of not achieving desired outcomes.  Appropriate risk management behaviours may vary according to the organisation, the industry context, the location of operations both within and across national boundaries together with the resultant jurisdictional requirements. However behaviours that allow , that inspire a culture of fear or retribution, that allow “shooting the messenger” or that help “bad news to travel slowly” are not likely to be conducive to good risk management.

Desired actions/features of risk management by category:

Ad Hoc

1.  Each part of the company has their own risk language.

2.  There is very little cross discipline communications and discussion of risk and risk management issues.

3.  Risk decisions are almost always made individually, without reference to any corporate goals or objectives for risk.

4.  Responsibility for dealing with risks is unclear.

5.  There is an expectation of negative consequences for those associated with any activity that makes unexpected losses.

6.  There is a possibility of negative consequences for those who report bad news.

7.  There is little discussion of past problems or losses either at the time or subsequently.

8.  Senior Management and Board at best pay lip service to an idea that a company has a culture.

Basic

1.  Company has a formal risk management program that follows an outside standard or requirement.

2.  Company has not adapted that program to the specific culture of the firm in any significant way.

3.  Risk management responsibility and discussion are concentrated with a small number of “risk management staff”.

4.  Risk culture is acknowledged as important by senior management and Board.

Standard

1.  There is a common specific risk language at the company.

2.  Company has communication tools, cross-functional discussions about management of risks, reporting tools and risk matrices.

3.  There are common techniques for risk assessment and risk treatment methodologies.

4.  There is a consistent point of view from the enterprise and business levels with regard to risk management.

5.  There are common understandings of the corporate goals and objectives for risk management.

6.  Company usually carefully reviews unexpected losses seeking to learn from experiences.

7.  Incentive compensation schemes support the achievement of risk management objectives.

8.  Risk culture is actively promoted by senior management and the Board.

Advanced  – in addition to the Standard Practices:

1.  Culture is reinforced by frequent communications and training programs, and by senior management and Board being seen to act in line with corporate risk culture.

2.  The degree of employee knowledge and application of the corporate risk culture is periodically monitored.

3.  The communications and training programs are updated in reaction to the monitoring inputs.

4.  ERM thinking is automatically incorporated into all management decision making.

Hit Me!

October 23, 2013

RISKVIEWS just noticed that this blog had exactly 150,000 hits as of today!

In the scheme of things on the web that is an extremely small number.  But this is a blog about risk management that has no particular marketing scheme, nor any idea of making anyone any money.  RISKVIEWS also writes for the WillisWire blog and a post there will get 25,000 hits in a week.

But from RISKVIEWS point of view, 150,000 is an amazing number of hits.  It is really hard to imagine. 

WordPress has a statistical package that tells me that RISKVIEWS has had 107 hits today and 242 on the day with the most hits. 

Over half the hits to RISKVIEWS are folks looking at the collection of Risk Management Quotes.

But there is a surprising degree to which visitors are looking at many of the old posts on the blog.  That is gratifying.  Only a few posts are in any way time sensitive.  It is good to know that old posts are still seen as potentially worthwhile by visitors.

So if you ended up on this page and were expecting some wise words about risk and risk management, feel free to browse the categories listed on the right.  I would recommend that you try Uncertainty.  RISKVIEWS always likes writing about that.

And by the time RISKVIEWS was done typing this, the count was up to 150,005. 

Many Thanks!

FROM THE ERM SYMPOSIUM IN CHICAGO

April 28, 2013

Post to Financial Training

Posts to WillisWire:

Tweets:

  1. Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk

  2. What happened to last year’s discussion of a country CRO at the #ermsymposium?

  3. Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!

    Retweeted by SocietyofActuaries

  4. Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium

  5. Systemic risk decreases with transparency. #ermsymposium

  6. So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium

  7. Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

    1. Dave Ingram@dingramerm 23 Apr Must look at risk measures in the context of your business model. C Lawrence #ermsymposium

    2. Need to invest in the future of risk profession. Mark Abbott #ermsymposium

    3. I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D

    4. Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 

    5. What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk

      Retweeted by Milliman, Inc.

    6. What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM

      Retweeted by Neil Cantle and 1 other

    7. Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 

    8. CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

  1. CRO needs to have a 360 degree view of risk. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium from Chicago, IL Dave Ingram @dingramerm 24 Apr
  4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
  6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram ‏@dingramerm 24 Apr
  7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram ‏@dingramerm 23 Apr
  9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
  11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium from Chicago, IL Dave Ingram @dingramerm 23 Apr
  12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  13. Biggest risks are when we choose not to know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  15. The ERM program needs to show success on the opportunity side of risk. J Kollar #ermsymposium Dave Ingram @dingramerm 23 Apr
  16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
  17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
  20. Get board involved asking the risk questions. This creates engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram @dingramerm 23 Apr
  21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories.

ERM Control Cycle

April 20, 2013

[Figure: ERM Control Cycle]

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next come the steps of setting Considerations and Underwriting the risks.  These steps are sometimes operated together and sometimes separately, usually depending upon the degree to which the risks are small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurer (policyholders, stockholders, bondholders, management, employees and communities) to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that the choice of which principles to emphasize is tightly linked with their view of the risk environment.

This is a part of the discussion of the seven ERM Principles for Insurers.

Has the risk profession become a spectator sport?

April 3, 2013

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.  It runs April 23 and 24.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

  • Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
  • For the most significant headlines during the past year, how was the risk management function involved?
  • Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
  • What are the lessons that have been learned and how are they shaping risk management today? If not, why?
  • Does risk management have a seat at the table, at the correct table?
  • Are risk managers as empowered as they should be?
  • Is risk management asking the right questions?
  • Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

  • Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understood the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
    • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
    • Unintended consequences may be lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
    • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
    • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
    • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
  • Actuarial Professional Risk Management  –  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
  • Enterprise Risk Management in Financial Intermediation  –  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

Diversification of Risks

January 22, 2013

There are records showing that the power of diversification of risks was known to the ancients.  Investors who financed trading ships clearly favored taking fractions of a number of ships to owning all of a single ship.

The benefits of diversification are clear.  The math is highly compelling.  A portfolio of n risks of the same size A that are truly independent has a volatility that is a fraction of the volatility of totally dependent risks.

Here is a simple example.  There is a 1 in 200 chance that a house will be totally destroyed by fire.  Company A writes an insurance policy on one $500,000 house that would pay for replacement in the event of a total loss.  That means that company A has a 1 in 200 chance of paying a $500,000 claim.  Company B decides to write insurance that pays a maximum of $50,000 in the event of a total loss.  How many policies do you think that Company B needs to write to have a 1 in 200 chance of paying $500,000 of claims if the risks are all totally independent and exactly as prone to claims as the $500k house?

The answer is an amazing 900 policies or 90 times as much insurance!

When an insurer is able to write insurance on independent risks, then with each additional risk, the relative volatility of the book of insurance decreases.  Optimal diversification occurs when the independent risks are all of the same size.  For insurers, the market is competitive enough that the company writing the 900 policies is not able to get a profit margin that is proportionate to the individual risks.  The laws of micro economics work in insurance to drive the profit margins down to a level that is at or below the level that makes sense for the actual risk retained.  This provides the most compelling argument for the price of insurance for consumers: they are getting most of the benefit of diversification through the competitive mechanism described above.  Because of this, things are even worse for the first insurer with the one policy.  To the extent that there is a competitive market for insurance for that one $500k house, that insurer will only be able to get a profit margin that is commensurate with the risk of a diversified portfolio of risks.

It is curious to note that in many situations, both insurers and individuals do not diversify.  RISKVIEWS would suggest that may be explained by imagining that they either forget about diversification when making single decisions (they are acting irrationally), or that they are acting rationally and believe that the returns for the concentrated risk that they undertake are sufficiently large to justify the added risk.

The table below shows the degree to which individuals in various large companies are acting against the principle of diversification.

[Table: concentration]

From a diversification point of view, the P&G folks above are mostly like the insurer above that writes the one $500k policy.  They may believe that P&G is less risky than a diversified portfolio of stocks.  Unlike the insurer, where the constraint on the amount of business that they can write is the 1/200 loss potential, the investor in this case is constrained by the amount of funds to be invested.  So if a $500k 401k account with P&G stock has a likelihood of losing 100% of value of 1/200, then a portfolio of 20 $25k positions in similarly risky companies would have a likelihood of losing 15% of value of 1/1000.  Larger losses would have much lower likelihood.

With that kind of math in its favor, it is hard to imagine that the holdings in employer stock in the 401ks represent a rational estimation of higher returns, especially not on a risk adjusted basis.

People must just not be at all aware of how diversification benefits them.

Or, there is another explanation, in the case of stock investments.  It can be most easily framed in Capital Asset Pricing Model (CAPM) terms.  CAPM suggests that stock market returns can be represented by a market or systematic component (beta) and company specific component (alpha).  Most stocks have a significantly positive beta.  In work that RISKVIEWS has done replicating mutual fund portfolios with market index portfolios, it is not uncommon for a mutual fund’s returns to be 90% explained by total market returns.  People may be of the opinion that since the index represents the fund, everything is highly correlated to the index and therefore not really independent.

The simplest way to refute that thought is to show the variety of returns that can be found in the returns of the stocks in the major sectors:

[Figure: Sectors]

The S&P 500 return for 2012 was 16%.  Clearly, all sectors do not have returns that are closely related to the index, either in 2012 or for any other period shown here.

Both insurance companies and investors can have a large number of different risks but not be as well diversified as they would think.  That is because of the statement above that optimal diversification results when all risks are equal.  Investors like the 401k participants with half or more of their portfolio in one stock may have the other half of their money in a diversified mutual fund.  But the large size of the single position is difficult to overcome.  The same thing happens to insurers who are tempted to write just one, or a few risks that are much larger than their usual business.  The diversification benefit of their large portfolio of smaller risks disappears quickly when they add just a few much larger risks.
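The arithmetic behind this post's 900-policy example and its point about oversized risks, as an added Python example that is not from the original post. The normal approximation for the 1-in-200 claims level and the single $5,000,000 risk added to the book are assumptions made for the illustration; the post does not say how its figure was derived.

```python
import math
from statistics import NormalDist

P_LOSS = 1 / 200                                # chance of a total loss, from the post
Z_1_IN_200 = NormalDist().inv_cdf(1 - P_LOSS)   # about 2.576 standard deviations


def claim_stats(sizes, p=P_LOSS):
    """Mean and standard deviation of total claims for independent risks,
    each paying its full size with probability p and nothing otherwise."""
    mean = p * sum(sizes)
    sd = math.sqrt(p * (1 - p) * sum(s * s for s in sizes))
    return mean, sd


def relative_volatility(sizes, p=P_LOSS):
    """Standard deviation of claims divided by expected claims."""
    mean, sd = claim_stats(sizes, p)
    return sd / mean


def one_in_200_claims(sizes, p=P_LOSS):
    """1-in-200 claims level under a normal approximation (an assumption)."""
    mean, sd = claim_stats(sizes, p)
    return mean + Z_1_IN_200 * sd


def policies_needed(limit, target, p=P_LOSS):
    """Smallest number of equal policies whose approximate 1-in-200
    claims level reaches the target amount."""
    n = 1
    while one_in_200_claims([limit] * n, p) < target:
        n += 1
    return n


def exact_tail(n, k, p=P_LOSS):
    """Exact binomial probability of at least k claims among n policies."""
    below = sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k))
    return 1 - below


COMPANY_A = [500_000]                    # one $500,000 policy, from the post
COMPANY_B = [50_000] * 900               # 900 policies of $50,000, from the post
B_PLUS_LARGE = COMPANY_B + [5_000_000]   # constructed: one much larger risk added

if __name__ == "__main__":
    for name, book in [("Company A", COMPANY_A),
                       ("Company B", COMPANY_B),
                       ("Company B plus one large risk", B_PLUS_LARGE)]:
        mean, sd = claim_stats(book)
        print(f"{name}: expected claims {mean:,.0f}, "
              f"relative volatility {sd / mean:.2f}")
    print("Approximate 1-in-200 claims for Company B:",
          f"{one_in_200_claims(COMPANY_B):,.0f}")
    print("Policies needed to reach $500,000:",
          policies_needed(50_000, 500_000))
    print("Exact chance of 10 or more claims in 900 policies:",
          f"{exact_tail(900, 10):.4f}")
```

With claim counts this small the distribution is skewed, so the exact binomial tail from `exact_tail` is higher than the normal approximation suggests; the approximation is what lands close to the 900-policy figure.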

Diversification is the universal power tool of risk management.  But like any other tool, it must be used properly to be effective.

This is one of the seven ERM Principles for Insurers.

Does your Risk Management Program have a Personality?

December 19, 2012

Many people are familiar with the Myers-Briggs Personality Type Indicator.  It is widely used by businesses.  What a shocker to read in the Washington Post last week that psychologists are not particularly fond of it.

The Myers-Briggs Personality types were developed directly from the work of Carl Jung, who is not highly regarded by modern psychologists according to the Washington Post story.

Psychologists have their own personality types.  The chart below is from The Personal Growth Library, and is called the Five Factor Model.

[Chart: Personality]

You may be able to find options here that would align with your ERM program.

Stability – You may seek Resilience, and settle for Responsiveness. 

Originality – You may want to be an Explorer, but much more likely, your ERM program is a Preserver.

Accommodation – Your goal is to be a Challenger, you end up a Negotiator. 

Consolidation – You should be able to achieve a Focused ERM program, but pressures of business and the never ending crises force you to be Flexible much too often. 

That seems to provide some valuable introspection. 

Next you need to look at the overall enterprise personality.  Many successful companies will have a personality that is very different from the choices that you want to steer towards as the risk manager for your program.  You should check it out and see.

If there is an actual alignment between your overall organization’s personality and the personality that you aspire to for your ERM program, then you will be running downhill to get that development accomplished.

What does that mean when the personality that you want for your ERM program is almost totally different from the personality of your organization?  It means that you will be pulled constantly towards the corporate personality and away from what you believe to be the most effective ERM personality.  You then have to choose whether to run your ERM program as a bunch of outsiders.  You then will need to form a tight knit support group for your outsiders.  And make sure that you watch the movie Seven Samurai or The Magnificent Seven.

Or you can rethink the idea you have of ERM.  Think of a version of ERM that will fit with the personality of your company.  Take a look at The Fabric of ERM for some ideas.  Along with the rest of the Plural Rationality materials.

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  The firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

Embedded Assumptions are Blind Spots

October 28, 2012

Embedded assumptions are dangerous. That is because we are usually unaware and almost always not concerned about whether those embedded assumptions are still true or not.

One embedded assumption is that looking backwards, at the last year end, will get us to a conclusion about the financial strength of a financial firm.

We have always done that.  Solvency assessments are always about the past year end.

But the last year end is over.  We already know that the firm has survived that time period.  What we really need to know is whether the firm will have the resources to withstand the next period. We assess the risks that the firm had at the last year end.  Without regard to whether the firm actually is still exposed to those risks.  When what we really need to know is whether the firm will survive the risks that it is going to be exposed to in the future.

We also apply standards for assessing solvency that are constant.  However, the ability of a firm to take on additional risk quickly varies significantly in different markets.  In 2006, financial firms were easily able to grow their risks at a high rate.  Credit and capital were readily available and standards for the amount of actual cash or capital that a counterparty would expect a financial firm to have were particularly low.

Another embedded assumption is that we can look at risk based upon the holding period of a security or an insurance contract.  What we fail to recognize is that even if every insurance contract lasts for only a short time, an insurer who regularly renews those contracts is exposed to risk over time in almost exactly the same way as someone who writes very long term contracts.  The same holds for securities.  A firm that typically holds positions for less than 30 days seems to have very limited exposure to losses that emerge over much longer periods.  But if that firm tends to trade among similar positions and maintains a similar level of risk in a particular class of risk, then they are likely to be all in for any systematic losses from that class of risks.  They are likely to find that exiting a position once those systematic losses start is costly, difficult and maybe impossible.

There are embedded assumptions all over the place.  Banks have the embedded assumption that they have zero risk from their liabilities.  That works until some clever bank figures out how to make some risk there.

Insurers had the embedded assumption that variable products had no asset related risk.  That embedded assumption led insurers to load up with highly risky guarantees for those products.  Even after the 2001 dot com crash drove major losses and a couple of failures, companies still had the embedded assumption that there was no risk in the M&E fees.  They hedged away their guarantee risk and kept all of their fee risk because they had an embedded assumption that there was no risk there.  In fact, variable annuity writers faced massive DAC write-offs when the stock markets tanked.  There was a blind spot that kept them from seeing this risk.

Many commentators have mentioned the embedded assumption that real estate always rose in value.  In fact, the actual embedded assumption was that there would not be a nationwide drop in real estate values.  This was backed up by over 20 years of experience.  In fact, everyone started keeping detailed electronic records right after… the last time when there was an across the board drop in home prices.

The blind spot caused it to take longer than it should have for many to notice that prices actually were falling nationally.  Each piece of evidence was fit in and around the blind spots.

So a very important job for the risk manager is to be able to identify all of the embedded assumptions / blind spots that prevail in the firm and set up processes to continually assess whether there is a danger lurking right there – hiding in a blind spot.

Emerging Risk Survey

October 24, 2012

TAKE PART IN THE ANNUAL EMERGING RISKS SURVEY

Posted by Max Rudolph

The Joint Risk Management Section, sponsored by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries, is interested in better understanding how risk managers deal with emerging risks. The objective of this effort is to examine and ultimately give guidance to risk managers on how to deal with these unknown and developing risks.

To achieve this, we have designed an online survey to gather information about emerging risks and related issues. This survey is a follow-up to earlier surveys on emerging risks and will help to provide insight to changes and trends in this evolving field.

We would greatly appreciate you taking the time to complete the survey by October 26. It should take less than 10 minutes to complete the basic survey, but we hope you will share your thoughts in comment boxes, as well. Please share this survey link with other risk managers (internal and external) who might be interested in sharing their thoughts. We hope to gather a wide variety of perspectives from the survey.

It is our hope that the results of this survey will help risk managers deal with information that exists outside historical data sets. We assure you that results will be reported anonymously and that your specific responses will be held under the strictest confidence.

If you have questions about the survey, please contact Barbara Scott.

Thanks very much for your consideration! We expect to report results in December.

Follow this link to the Survey:
Take the Survey

Or copy and paste the URL below into your internet browser:
http://soa.qualtrics.com/WRQualtricsSurveyEngine/?SID=SV_5upsMMiVNJE1pBj&RID=MLRP_6zJ0LSMyi4Qysux&_=1

***** REMINDER ***** DEADLINE IS FRIDAY, OCTOBER 26 ***** REMINDER *****

Many thanks to those of you who have already participated in this survey!

Risk Evaluation by Actuaries

October 22, 2012

The US Actuarial Standards Board has promulgated a new Actuarial Standard of Practice, number 46, Risk Evaluation in Enterprise Risk Management.

ASB Adopts New ASOP No. 46

At its September meeting, the ASB adopted ASOP No. 46, Risk Evaluation in Enterprise Risk Management. The ASOP provides guidance to actuaries when performing professional services with respect to risk evaluation systems used for the purposes of enterprise risk management, including designing, developing, implementing, using, maintaining, and reviewing those systems. An ASOP providing guidance for activities related to risk treatment is being addressed in a proposed ASOP titled, Risk Treatment in Enterprise Risk Management, which will be released in late 2012. The topics of these two standards were chosen because they cover the most common actuarial services performed within risk management systems of organizations. ASOP No. 46 will be effective May 1, 2013 and can be viewed under the tab, “Current Actuarial Standards of Practice.”

 

CEO is still the Real CRO

June 23, 2012

It was just a couple of weeks ago Riskviews posted…

It’s the job of a CEO to be the Chief Risk Officer

A week later, Reuters ran a story about JP Morgan…

Analysis: JPMorgan repeats basic mistakes managing traders

In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.

What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO.  If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.

It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.

CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company.  In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.

One Page ERM

May 30, 2012

The International Association of Insurance Supervisors adopted the following in late 2011 as a part of ICP 8.

Risk and Reward

May 19, 2012

Successful Businesses pay attention to risk.

– How much risk to take compared to their capacity to absorb risk via their level of average earnings and their capital position.  They have a basket.  Each basket is different.  It can easily hold so much.  Sometimes, you decide to put a little more in the basket, sometimes a little less.  They should know when they have stacked their risk far over the top of the basket.
– What kinds of risk to take.  They have a plan for how much of each major class of risk they will pick up to use up the capacity of their basket.

– Then when they actually go to fill the basket, they need to carefully choose each and every risk that they put into the basket.

–  And as long as they have those risks in the basket, they need to pay attention and make sure that none of the risks are spoiling themselves and especially that they are not spoiling the entire basket of fruit or ruining the basket itself.

But that is not what a successful business is all about.  They are not in business to be careful with their basket of risks.  They are in business to make sure that their basket makes a profit.

+ So how much risk to take is informed by the level of profit to be had for risk in the marketplace.  Some business managers do it backwards.  If they are not being paid much for risk, they fill up the basket higher and higher.  That is what many did just prior to the financial crisis.  In insurance terms, they grew rapidly at the peak of the soft market.  Just prior to the crisis, risk margins for most financial market risks were at cyclical lows.  What makes sense for a business that wants to get the best reward for the risk taken would be to take the most risk when the reward for risk is the highest.  Few do that.  However, the problem faced by firms whose primary business is risk taking is that taking less risk in times of low reward for risk creates even more pressure on their income because of decreased expense coverage.  This problem seems to indicate that businesses in such cyclical markets should be very careful to manage their level of fixed expenses.

+ What types of risk to take is also informed very much by the margins.  But it also needs to be informed by diversification principles.  Short term thinking suggests that risk taking shift all to the particular risk with the immediate best risk adjusted margin.  Long term thinking suggests something very different.  Long term thinking realizes that the business needs to have alternatives.  For most markets, the alternatives are only maintained if a presence in multiple risks is maintained in good times and bad.  Risk and reward needs to develop a balance between short term and long term.  To allow for exploiting particularly rich markets while maintaining discipline in other markets.

+ Which specific risks to select needs to incorporate a clear view of actual profitability.  It is very easy on a spreadsheet to take your sales projection and profit projections and multiply both numbers by two.  However, it is only through careful selection of individual risks that something even remotely like that simple minded projection can be achieved.  The profit opportunity from each risk for the additional sales may be at the same rate as the original margins, it may be higher (unlikely) and it may well be lower.  The risk reward system needs to be sensitive to all of these three possibilities and ready to react accordingly.

Conflicts about Risk

December 14, 2011

The headline reads:

Corzine Ignored Warnings from Chief Risk Officer

This story reveals several things about the nature of risk and the CRO job.

First, the nature of risk.  Risk is always about the future.  There will always be disagreements about the level of risk.  True disagreements.  People believing completely different things.  And it is the future we are talking about.  No one KNOWS for certain about the future.  And also, risk is potential for loss.  In many cases, even after the fact, no one can know how much risk there was.  A severe adverse event that had a likelihood of 10% might not happen in the coming year.  Another equally severe event with a 0.1% likelihood might happen.  Exposure to the 10% event was certainly riskier than an equal sized exposure to the 0.1% event.  Even if the less risky exposure produced a loss while the more risky exposure did not.

So the fact that the MF Global position produced a large, firm ending loss does not prove that the CRO was right.

In fact, what other stories reveal is that the board thought that the positions were more risky than Corzine did.  And that is pretty typical of what you will see at financial services firms.  The top executives generally have the opinion that the environment is somewhat less risky than the board sees it, while the non-executive employees generally see much, much more risk than either the executives or the board.

This tends to create exactly the dynamic that played out at MF Global where the CEO ignored the CRO warnings and the board very slightly restricted the CEO.

About the CRO

Many people forget that the Chief Risk Officer is usually not independent of the CEO.  If there is a company where the CEO does not think that they are totally responsible for risk, then the CRO will not have enough power or influence with the board to remedy that problem.  And if a CEO is aware that they are responsible for company results, good or bad, then clearly the job of the CRO, for better or for worse, is to execute the risk strategy of the CEO.  NOT to critique that policy to the board.

RISKVIEWS tends to think of the risk appetite as the expression of the objective of the risk management system.  The CRO should not be setting their own objective.  So at MF Global, if the risk appetite was expressed as some sort of broad statement about corporate security, then the conflict became what is described above – a disagreement about the calibration of the risk model.

But the story says that the board approved some of the positions and disapproved a proposal to increase those positions even more that was made by the CEO.  That makes it sound like there was a risk appetite and that the board, even if they did not say it in advance, knew when it was exceeded.

So the CRO’s job is not to stand in judgment of both the CEO and the Board.  The CRO’s job is to work within the risk appetite of the board.

All Risks are not Enterprise Risks

December 12, 2011

Some Enterprise Risk management programs feature lists of 75 or more risks that the ERM program attends to.

This approach to ERM drastically reduces the potential power of ERM to help to focus attention to Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission.  No serious undertaking has 75 classes of events that could stop them in their tracks.

A serious undertaking might have 5 such risks.  Usually less.  Things that in spite of the best efforts of management could stop them in their tracks.  There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks.  To make sure that a new potential trouble is not creeping into that top 10.  To make sure that they are not accidentally taking on much more of those risks.  To find ways to mitigate that first group of top risks.  To make sure that the controls on that second group of top risks are still sufficient.  And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

  • Risks that threaten the earnings of the firm
  • Risks that threaten the capital of the firm
  • Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm.  They should be the concern of the top executives of the firm.  Those risks should be the concern of the directors of the firm.

10 Things We Didn’t Learn from Enron

December 6, 2011

A great piece from ABC News lists 10 things that we should have but didn’t learn from Enron, on the 10th anniversary…

1. Conflicts of interest continue to occur
2. If it’s too good to be true, it probably isn’t
3. Regulators and the regulated continue their dance
4. Transparency is vital
5. More capital is better
6. Excessive leverage is as dangerous as a bad bet
7. Corporate leadership makes all the difference in the world–for good and for bad
8. Preferred stockholders get preferred treatment
9. Still building fragile financial structures
10. Important names make mistakes too

Riskviews comments:

1.  Conflicts – The risk manager should be aware of who benefits from each major program of the firm and who stands to lose if a program runs into trouble.  If those two parties are different, then there are strong incentives for abuse of the program.  Suggestions from a party that could benefit but not be at risk to change the program should be viewed very carefully.

2.  Too Good to be True – But this time is different!!!  The four most dangerous words.

3.  Regulators – someone needs to be able to identify and change situations where the regulators are too cozy with the regulated.  The myth that firms will self regulate was exposed to be a total falsehood in the 2008 Financial crisis.  Real regulation is needed in the financial services business where firms are primarily selling promises.  Whether you are Madoff or Lehman Brothers, the most lucrative approach for managers of a financial services firm is to make promises and not make sufficient provision for satisfying those promises.  Regulators need to assure the customers that a clear standard is maintained for security of those promises.

4.  Transparency – in RISKVIEWS opinion, real transparency is much better than supervision.  Market discipline is much more sure than regulatory discipline.  Because market counterparties have skin in the game.  Regulators actually have multiple agendas.  To date, transparency has never been tried, however.  But there are rumours that current depressed bank valuations are in part a market reaction to the fundamental lack of transparency of the banks.  RISKVIEWS hopes that one of the banks tries to be transparent and shows the rest of the sector what happens to their valuation.  US insurers have operated with extremely high transparency for some risks but total lack of transparency for others.  RISKVIEWS hopes that the insurance regulators will stop being agreeable to that situation.

5.  More Capital & 6.  Excessive Leverage – these two points are the same.  More capital is less risky, more leverage is more risky.

7.  Leadership – In most companies, leadership is more aggressive than the rank and file of the firm.  And the risk reward equation for top management and the rank and file is totally different as well.  See #1, above.

8.  Preferred Treatment – Why doesn’t the SEC simply mandate disclosure of who gets paid what under different scenarios.  And mandate that be disclosed to new purchasers of a security?  At least to those who intend to hold the security for more than 15 minutes.

9.  Fragile structures – Insurers and banks are being asked to present “stress to failure” tests to show regulators what degree of stress would cause them to fail.  Perhaps that would be a good disclosure for investors as well.  What sort of stress causes a structure to fail?

10.  Mistakes – This is a good reason for diversification.  Into totally different sorts of investments in totally different sectors.  Mistakes can be made by entire sectors, as we saw in the financial crisis.

But read the ABC comments.  They are all good as well.

On Thin Ice

November 30, 2011

Most people who know that they are walking on thin ice will proceed very slowly and carefully.

That is also the effect that we get when we fail to recognize losses. Everyone HOPES that things will turn out ok and either the losses will eventually emerge at a lower value (i.e. less loss) than expected or that while we defer recognition, other earnings will make up for the losses.

Loss recognition is an important step in getting off of the thin ice.  Firms need to have a disciplined loss recognition process so that they can avoid getting into the thin ice situation. 

One important concept in risk management was stated by Nassim Taleb in his “Black Swan Free World” piece – that failures should be frequent and small.  That principle applies to losses as well.  A good risk management program should encourage small and frequent losses.

A firm that rarely recognizes losses is either (a) not taking any real amount of risk or (b) failing to recognize the losses that it has.

The Danger of Optimization

November 21, 2011

RISKVIEWS was recently asked “How do insurers Optimize Risk and Reward?”

The response was “That is dangerous. Why do you want to know that?” You see, a guru must always answer a question with a question. And in this case, RISKVIEWS was being treated as a guru.

Optimizing risk and reward is dangerous because it is done with a model.  Not all things that use a model are dangerous.  But Optimizing is definitely dangerous.

One definition of optimizing is

“to make as perfect as possible.”

Most often, optimization means taking maximum possible advantage of the diversification effect.  You will often hear someone talking about the ability to add risk without adding capital.  Getting a free ride on risk.

There are two reasons that optimizing ends up being dangerous…

  1. The idea of adding risk without adding capital is a misunderstanding.  Adding risk always adds risk.  It may well not add to a specific measure of risk because of either size or correlation or both, but the risk is there.  The idea that adding a risk that is low correlation with the firm’s predominant risk is a free ride will sooner or later seep into the minds of the people who ultimately set the prices.  They will start to think that it is just fine to give away some or all of the risk premium and eventually to give up most of the risk margin because there is thought to be no added risk.  This free risk idea will also lead to possibly taking on too much of that uncorrelated risk.  More than one insurer has looked at an acquisition of a large amount of the uncorrelated risk where the price for the acquisition only makes sense with a diminished risk charge.  But with the acquisition, the risk becomes a major concentration of loss potential and suddenly, the risk charge is substantial.
  2. In almost all cases, the best looking opportunities, based on the information that you are getting out of the model are the places where the model is in error, where the model is missing one or more of the real risks.  Those opportunities will look to have unusually fat risk premiums. To the insurer with the incorrect model, those look like extra margin.  This is exactly what happened with the super senior tranches of sub prime mortgage securities.  If you believed the standard assumption that house prices would never go down, there was no risk in the super senior, but they paid 5 – 10 bps more than a risk free bond.

The reliance on a model for optimization is dangerous.

That does not mean that the model is always dangerous.  The model only becomes dangerous when undue reliance is placed upon the exact accuracy of the model, without regard for model error and/or parameter uncertainty.

The proper use of the model is Risk Steering.  The model helps to determine the risks that should be held steady, which risks would be good to grow (as long as the environment stays the same as what the model assumes) and which risk to reduce.

Let’s get Real

November 7, 2011

Talk to CROs and all the nice theories about risk management get put in their place.  In real companies, the loudest and most influential voice is usually the people who want to add risks.

A real CRO is not often struggling with issues of risk theory.  They are totally immersed in the reality of corporate power politics.

  • In some firms, the CEO will set up the CRO in a position where risk concerns will trump all else.  The CRO will have authority to stop or curtail any activity that s/he feels is excessively risky.
  • In other firms, the CEO will set up the CRO to be one of many voices that are clamoring for attention and for their point of view to be heard.
  • And a third set of firms has the CRO as purely a reporting function, not directly involved in the actual decision making of the firm.
The first case sounds ideal, until the CRO and the CEO go head to head on a major decision.  The battle is not usually long.  The CEO’s view will will.  In these firms, it is usually true that the CRO and the CEO see eye to eye on most things.  The CEO in these firms has the opinion that the business units would take enough risk to imperil the firm if left alone.  But the CEO is still responsible to make sure that the firm is able to grow profitably.  And a CRO who gets used to power over risk decisions, sometimes forgets that power comes solely from the CEO.  But for the most part, the CRO in this firm gets to implement the risk management system that works the way that they thinks is best.
The second case sounds much more common.  The CEO is not saying exactly how much s/he supports ERM.  The CEO will decide in each situation whether to support the CRO or a business unit head on any risk related major decision.  The risk management system in this firm exists in a grey area.  It might look like the risk management system of the first firm, but it does not always have the same amount of authority.  Managers will find out quickly enough that it is usually better to ask for forgiveness rather than follow the rules in the times when they see an important opportunity.  The CRO in this firm will be seeking to make a difference but has to define their goals as all relative.  Are they able to make a noticeable shift in the way that the firm takes risk.  That shift may not go all the way to an optimal risk taking approach, but it will be a shift towards that situation.  Over time they can hope to educate the business unit management to the risk aware point of view with the expectation that they will gradually shift to more and more comfort with the risk management system.
In some of these firms, the risk management system will look more like the system of the third case below – a Risk Information system.  The approach is to keep all of the negotiation and confrontation that is involved with managing risk limits and standards to be verbal rather than on paper.
In the third case, the risk management system exists to placate some outside audience.  The CEO has no intention of letting this process dictate or even change any of the decisions that s/he intends to make.  The most evident part of an ERM system is the reports, so the risk management system in these firms will consist almost entirely of reporting.  These firms will be deliberately creating an ERM Entertainment system.  The best hope in these firms is that eventually, the information itself will lead management to better decisions.
What is working against the CRO in the second and third cases are the risk attitudes of the different members of management.   If the CRO is targeting the ERM system and/or reports to the Manager risk attitude then it might be a long time before the executives with other risk attitudes see any value in ERM.

How Real Risks are Managed

October 31, 2011

The real risk that your $10 million machine that is at the heart of your production line will fail needs to be managed. There are several ways that real companies manage this sort of real risk:

  1. Wait until it breaks and then fix it.
  2. Replace the machine when it is old enough that there is an x% probability that it has reached the end of its useful life, based upon statistics for all users of the same machine and the passage of time.
  3. Replace the machine when it has been used so much that it has reached an x% probability of failure, based upon statistics for all users of the same machine and the actual usage you make of the machine.
  4. Repair the machine when one of dozens of sensors placed within the machine indicates that some part of the machine is starting to operate outside of desired specs.  Replace the machine when such repairs are not cost effective.
This list seems to have a clear analogy for financial firms and their risk management programs:
  1. No risk management program – let the losses happen and mop up afterward.
  2. Manage to some broad industry standard, like premium to surplus ratio or assets to surplus ratio.
  3. Manage to some risk adjusted industry standard like BCAR or RBC.
  4. Manage to a detailed and carefully updated comprehensive risk model.
Of course, 4 is the most expensive course, for both the “real” companies and the financial firms.  Which course you pick depends upon how devastating an event it is for your machine to break down unexpectedly.  If your business can stand a few days/weeks/months without the machine, then maybe the very low cost path 1 is fine for you.
For financial firms, the question is the cost of an unexpected and large excess loss.  How disruptive will it be to have to either curtail business activity until you are able to build back capital or to raise the capital to replace what you lost with new capital?  Can you keep doing business while you settle that question?  What is the opportunity cost of not being able to write business right after a big loss?
The analogy is a pretty good fit.  Feel free to use it when you have to argue for more risk management spend.

Winners and Losers

October 24, 2011

European leaders are in conference as this is being written. Their sole concern is to determine the shares of the Losers from the lending boom.  Candidates for Loser shares include:

  1. The Greek citizens  –  this has been the first place that they wanted to go.  But so far the Greeks have shrugged off attempts to get them to even stop running up additional debt, let alone repaying any old debt.  Realists are now struggling with trying to determine who else they can find to take the Loser shares.  The efforts of the Greek government have all been to slow the rate of new borrowing, and those have fallen short of goals.
  2. The non-Greek Europeans  –  this approach is accomplished through a government to government or government to ECB to government transfer of money.  This has been the central approach to date.  This approach is limited because of the reluctance of the German people (and therefore their politicians) to take a larger Loser share.  Their concern is that the Greek citizens have been the winners (through excessive government spending and salaries) so the Germans who have been frugal and prudent should not be providing a larger share than the Winners.
  3. The banks  –  who all somehow managed to own greater or lesser amounts of Greek debt.  Unfortunately, these banks are mostly European.  And if forced to bear the bulk of the losses might find themselves in need of government bailouts.  Back to the non-Greek Europeans.   But it is worthwhile to think for a minute what making the banks take a large Loser share would involve.  If the banks take a large Loser share, they have to decide who among six parties they will then spread the share to.  Those parties are:  bondholders, stockholders, management, employees, customers and other counterparties.
  4. Non-Europeans  –  enter the IMF which has made smaller contributions to this situation than the Europeans, but not insignificant contributions.  The involvement of the IMF creates interesting precedents for future situations.  The Greeks are proving that there is no reason whatsoever to ever comply with international financial covenants.  The IMF was famous for imposing draconian requirements on those to whom it lends.  But that story is being rewritten by the Europeans.  To some it appears that there are two sets of rules when it comes to loans from the IMF.  And where you live determines which set of rules applies.

So back to the negotiating table.  History of the past 10 years has shown that the Greek government will agree to any terms, but will have trouble delivering on anything.  Countries have not recently tried living without banks.  But most assume that would be fairly difficult.  So in the end, the European people will pick up the tab.  It seems to make sense to settle this sooner rather than later so that it will be possible to put a stop to further Greek overspending.  But that sensible concern does not seem to be moving the leaders to doing the difficult work of assigning the Loser shares.

Clearly, there was not any realistic discussion of this possible situation BEFORE the crisis.  The Greeks promised repeatedly not to ever get close to this sort of mess.  The banks have rules against lending to entities who are not likely to repay and they have regulators whose job it is to make sure that they do not get in over their head.   Governments presumed, perhaps without any basis in reality, that those three lines of defense would be more than enough.

The response ultimately needs to be something other than adding two more nevers to the promise to never, never, never, never let this happen again. 

An actuary from one insurer often tells the story that his firm will always want to understand how a new product might fail before they agree to start selling that product.

Perhaps that is what is needed for countries and their banking systems.  They need to think through how things might break and say in advance who will bear the Loser shares.  In really having that discussion, perhaps it will become clear that it is much easier to distribute losses when they are smaller and that their main task needs to be to identify and deal with Loser shares when they are smaller rather than the recent strategy of hoping that they would go away.

Some might suggest that there is a set of rules in place for that.  But the evidence is clear that those rules are insufficient.  We all need to get realistic about these situations and develop a new set of rules that might carry us for another 50+ years.  Rather than solutions that work for a few months.

Does Your Firm Know What To Do At a Yellow Light?

October 17, 2011

An Audi advertisement says:

The Yellow light was invented in 1920.  Almost 100 years later, 85% of drivers have no idea what to do when they see one.

A risk management system needs yellow lights.  Signals that automatically tell people to “Proceed with Caution”.  These signals need to be sensitive to both outside changes in the risk environment and to inside decisions about risk.

In the outside world, the level of risk is changing all of the time.  Everyone anywhere in a hurricane zone knows the annual season for those storms.  They make sure that they are prepared during that season and don’t worry so much in the off season.  Most risks do not have clear regular seasons, like hurricanes.  (And in fact hurricanes are not really completely bound by those rules either.)

A good risk management program needs to have a system that looks for the conditions that mean that it is hurricane season for each of the major risks.  And it needs to have plans for what needs to be done in each part of the firm so that they “Proceed with Caution”.  And the managers of the affected areas need to know those plans and their own roles.  And there needs to be a Yellow (or Amber) light that flashes somewhere. And then the managers need to act, they need to execute the plans to Proceed with Caution.

The same thing applies to the other reason that might trigger a yellow light.  That would be company actions.  Most firms have risk limits.  Some of those risk limits are “soft” limits.  That means that the limit itself is a Yellow Light. Hitting the limit in these firms means that you must “Proceed with Caution”.

More commonly, the limits are HARD; either Red Lights, Cement Barriers or Brick Walls.  A Red Light risk limit means that when you get to the limit, you must stop and wait for someone to tell you that you can proceed.  A cement barrier risk limit means that you are prohibited from proceeding when you hit a limit.  A brick wall risk limit means that if you hit the limit, you are likely to be terminated.  In these three sorts of control systems, there are often informal Yellow Lights and occasionally formal caution signals.  RISKVIEWS suggests that all firms that use HARD limits should create a formal Yellow Light system with a process that identifies an official Caution point along with suggestions or rules or plans of how to proceed when the Yellow Light goes on.

On the highway, Yellow Lights cause problems because there are really three different understandings.  One group believes that it means “Speed Up to avoid the Red Light”, while another group thinks it means “Stop now and Avoid having to make an Emergency Stop when the Red Light comes on”.

The third group knows that what the Yellow Light really means is

“watch out for the other two groups”.

400 Posts – 70,000 Hits and Still Blogging

October 8, 2011

In April 2009, someone said to RISKVIEWS, why don’t you try blogging.

From April to August, the RISKVIEWS website consistently drew at least 600 hits per month to the Risk Management Quotes.  Then the blogging started.

Someone recently asked “How does this fit into your career plan?”  Interesting question.

Posting is now just a habit.  It happens in bursts.  Some weeks there are no good ideas, others there are many.  At least many ideas.  Over time there are even a few really good posts.

Here are a few that you may not have noticed:

You may not be able to Grow out if it

Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.

Who wins with leverage?

Leverage increases apparent returns in the best of times but increases risk considerably in the worst of times.

How about a Risk Diet?

Why do you need an aggregate risk limit?  For the same reason that a dieter needs a calorie limit.

Adaptability is the Key Survival Trait

To survive such situations, it seems that the ability to quickly assess new situations, especially ones that look like old tried and true but that are seriously more dangerous, and to change what the organization is doing in response to these risks is key.

Your Mother Should Know

Something as massive as the current financial crisis is much too large to have one or two or even three simple drivers.  There were many, many mistakes made by many different people.  My mother, who was never employed in the financial world,  would have cautioned against many of those mistakes.

According to the site stats that I get, these posts have been read a total of less than 30 times.

So on a day like today, check one of them out.  Chances are you did not see it already.

Global ERM Webinar

October 4, 2011


How to do Risk Management in Lean Times

September 30, 2011

The good news for risk managers is that times have been tough, so that company management is listening more and more to your message.

The bad news for risk managers is that times have been tough, so there is not much budget for anyone, let alone an area where there is no hope of new revenue generation.

So risk managers are being asked to do more and more with less and less.

Here are some tips for how to manage to meet expectations without crashing the budget:

  1. Identify the area or activity that now has the most expensive risk oversight process.  Identify the reason for that expense and make sure that a) there really is a need for that much oversight, b) if so, that the profit margins of the activity support the expense of the oversight and c) if there is a way that the riskiest 20% of that activity produces a high proportion of the profits.  Can a shift in the risk acceptance criteria or the risk limits make a drastic change in oversight needs without a drastic change in profitability?
  2. Get more people involved in risk management.  This seems counter to the idea of decreasing costs of risk management, but in fact it can work well.  Study the things that the risk management staff is spending time on and determine which of those activities can be transferred to the business unit staff who can do the oversight on a very part time basis.  Your risk management staff can then shift to periodic review of their activities instead.  This should be promoted as a natural evolution of risk management.  Ultimately, the business units should be managing their own risk anyway.
  3. Find out which risk reports are not being used and eliminate them.  Constructing management information reports can consume a great deal of your staff’s time.  Some of those reports are hopefully being relied upon for major decisions, but there may be some that just sit unread in the in boxes.
  4. Reduce staff support for risk management in areas where activity levels are falling.  It is very important that risk management be ramped up with volumes and just as important that it be seen to ramp down with volumes.
  5. Leverage outside resources.  In fat times, you may be declining free support from vendors and other business partners.  In lean times, they may be even more happy to provide their support.  Just make sure that the help that they give supports your needs.
  6. Reduce frequency of time consuming model runs for risks that just do not change that much from run to run or that change proportionately with volumes of business.  See recent post on model accuracy.
  7. Expand your own personal capacity by delegating more of the matters that have become more routine.  There is a natural tendency for the leader to be involved in everything that is new and important.  Sometimes, you forget to transfer those responsibilities to someone on your staff or even someone outside your staff once you are sure that it is up and going smoothly.  Let go.  Make sure that you have the time that will be needed to take up the next new thing.  Lean times will not last forever and you need to be available to pay attention to the thing that will pull your firm forward into the next stage of robust growth.
These are all the sorts of things that every manager in your firm should be thinking about.  Risk managers should be doing the same sorts of thinking.  You and your function are another natural part of the business environment of the firm.  You will not be immune from the pressures of business, nor should you expect to be.

Ten Commandments for a Crash

September 26, 2011

Joshua Brown wrote “Ten Commandments for a Crash”  – his advice for stock traders in a stock market crash.  Most of his ideas can be generalized to refer to any situation where large losses or even the threat of large losses occurs.

1.  Acknowledge that it’s a crash.

This is first and most difficult.  The natural impulse of humans when things look worse than they ever imagined is to close your eyes and hope that it was a dream.  To wait for things to come back to normal.  But sometimes the only survivors are the people who stopped imagining a return to normal first and accepted the bad news as reality.

2.  Pencils Down! 

This means abandoning your research based upon the previous paradigm.  Do not run the model one more time to see what it says.  All of the model parameters are now suspect.  You do not usually know enough to say which ones are still true.

3.  Don’t listen to “stockpickers” or sell-side equity analysts.

Get your head out of the nits.  Your usual business may require that you are a master of the details of your markets.  You are looking to build your year’s result up over 52 weeks, looking to create 1/52 of your target return each week.  But when the crisis hits, the right macro decisions can change your results by half a year’s worth of normal business.

4.  Ignore the asset-gatherers and the brokerage firm strategists.

Know the bias of the people you are getting advice from.  They may be saying what is necessary for THEIR firm to make it through the crash, no matter what their advice would do to you.

5.  Make sacrifices

You are going to need to let go of one or several of the things that you were patiently nursing along in hopes of a big payoff later on when they came around.  Make these decisions sooner rather than later.  Otherwise, they will be dragging you down along with everything else.  Think of it as a scale change.  The old long term opportunities mostly become losers while some of the marginally profitable situations become your new opportunities.  Choose fast.

6.  Make two lists.

Those are the lists of things that you might now want to start doing if the terms suddenly get sweeter and the things that you plan to dump unless you can tighten the terms.  Keep updating the list every day as you get new information.  Act on the list as opportunities change.

7.  Watch sentiment more closely

This is the flip side to #1 above.  The analysis may no longer be of help, but a good handle on the sentiment of your market will be invaluable.  It will tell you when it is time to press for the stricter terms from your list #6.

8.  Abandon any hope or intention of catching the bottom.

This may be an excuse for not making decisions when things are unclear.  Guess what?  The bottom is only ever clear afterwards.

9.  Suspend disbelief.

Any opinions that you have that some aspect of your business environment will never get “that” bad will often be trashed by reality.  In case you have been asleep for the last decade, each crisis results in new bigger losses than ever before.  The sooner you get off the illusion that you know exactly how bad it can get, the sooner you will be making the right decisions and avoiding totally wrongly timed moves.

10.  Stop being a know-it-all and shut up.

Everyone out there seems to know a small part of what is happening that no one else knows and is totally ignorant of most of what is going on from their own internal sources.  If you talk all of the time, you will never learn those other pieces of the puzzle.

A good list.  Some things to think about.  A challenge to work these ideas into your planning for emerging risks.  Need to practice adopting this point of view.

Read more: http://www.thereformedbroker.com/2011/09/22/the-ten-crash-commandments/#ixzz1YsTTo7ky

Climbing the Risk Management Mountain

September 24, 2011

The pursuit of risk management is in some respects like climbing a mountain.

Your choice of the risks that you will plan to manage (rather than avoiding or eliminating) is like your choice of mountain. Some mountains will be more difficult to climb than others. Some have well worn paths to the top. And sometimes there is a shift in the weather that makes even the most traveled path unusually dangerous.

Some folks have been living on the side of their mountain for generations. They consider that they are the experts of that particular mountain. But then one day, a band of outlanders shows up with new equipment and takes a new route that takes them higher up the mountain than any of the locals have ever gone.  Sometimes, however, those outsiders only look like they are going straight to the top.  Sometimes they are stopped short by perils that the locals knew well.  With risk management, there have been firms managing some risks for a long time who have been brushed aside by competitors with rocket scientists.  Some of those rockets took the firms right to the top, others flamed out along the way.

There are many ways to approach climbing a mountain.  Some choose the southern route, others the northern.  And many different places to stop the climb and declare success.  For some risk managers, the climb may stop when the largest one or two risks of the firm are separately under control.  Others will seek to reach the spot on the mountain where the capital model can be found.  They undertook climbing risk management mountain to get a handle on managing their capital.  A third group will stay unswervingly on the path that is laid out with the railings and signs put there by the regulators.  They seek only to achieve the point on the mountain of regulatory compliance.  They do not seem to care that standing for too long on that spot may not be safe in all weather either.  The final group is looking to get to the top of the mountain, to stand on the highest pinnacle.  They feel that mastering risk management can only be done if they are standing on top of all of their risks at once.  They feel that any other spot on the risk management mountain is not for them.

Having spotted the place where they want to end up, many people stand transfixed by the immense task ahead of them and fail to start.  They do not see any way that they can get from where they are to that remote point up the mountain that is partially obscured by the clouds.  They see some others already at those points and cannot figure out how to jump right up to join them.

They sometimes do not realize that those who are already far up the path got there most often by focusing instead on the next step, rather than on the endpoint.  Some of those who are far up the mountain may in fact have started out to reach a different point and made corrections to their ascent path as they realized the conditions as well as their own capabilities.

Others who already live part way up the mountain are confused.  They are looking at the instruction manual for climbing this mountain.  The book always starts at the bottom of the mountain.  And it assumes that you are someone who does not already own some (possibly most) of the equipment needed for climbing.   The whole thing seems impossible to make sense out of for you.  You are not even going to consider going to the bottom of the mountain and leaving all of your equipment and expertise behind.

Most insurers are in the position of the villagers living on the side of the mountain.  They are getting instructions to start at the bottom of the south side of Risk Management Mountain, while they live on the north.  What they need is not generic instructions.  What they need is instructions that start with what they know and with the equipment and experience that they have.  They need to know the best path to get to the place where they want to go from where they are.

You need to know how much risk you’ve been taking first

September 15, 2011

Everyone struggles with choosing a risk appetite.  But that is the first mistake.  Risk appetite will not be singular.  Risk Appetite is plural.  It refers to any aspect of risk that goes beyond what you will comfortably accept.

The paper Risk and Light mentions a number of aspects of risk:

  • Type A Risk – Short Term Volatility of cash flows in 1 year
  • Type B Risk – Short Term Tail Risk of cash flows in 1 year
  • Type C Risk – Uncertainty Risk (also known as parameter risk)
  • Type D Risk – Inexperience Risk relative to full multiple market cycles
  • Type E Risk – Correlation to a top 10
  • Type F Risk – Market value volatility in 1 year
  • Type G Risk – Execution Risk regarding difficulty of controlling operational losses
  • Type H Risk – Long Term Volatility of cash flows over 5 or more years
  • Type J Risk – Long Term Tail Risk of cash flows over 5 years or more
  • Type K Risk – Pricing Risk (cycle risk)
  • Type L Risk – Market Liquidity Risk
  • Type M Risk – Instability Risk regarding the degree that the risk parameters are stable

It is quite possible that a full risk appetite would address each of these aspects of risk and more.

But a more difficult hurdle is the fact that in many cases risk exposure is not consciously known.  In some cases, that is because of a confusion between RISK and LOSS.  Some of that is because of the overuse of the word risk.  In many situations, risk is used to mean an expected loss.

But for risk appetite, it is never the expected loss or even the actual losses that are of concern.  The risk that matters is the potential for future loss.

But to have any idea of how much risk that a person or a firm might be comfortable with, they need to have experience with risk.  To have an  articulate risk appetite, that experience must have been quantified.

How much was the risk exposure last year?  How much was it the previous year?

And when we try to think of how much risk, we need to recognize that risk has many aspects that may need to be quantified.  Risk is complicated.  It does not reside in a single number.

Why would we think that it did?  Try to name anything important that can be represented with a single number.  Can you represent your car with a single number?  Can you represent your brother with a single number?  Can you represent a book with a single number?  Risk is a potential for future loss, and that potential has many more possibilities than an existing physical object.  The object needs to be represented by many different numbers.

But not all of the aspects of risk are ultimately important in most situations.

But before anyone or any business can form a risk appetite, they need to identify the characteristics of risk that are most important to them and then they need to build an experience base.  They need to know how much risk that they have taken in the past.  They need to know how much they can get paid for taking the risk.  They need to know when they were at risk of having their lights put out.

Better to have this experience in real time.  But second best is to work backwards into the past.

Faced with real information, matched up to real experience, the stories of how to create a risk attitude will then start to make sense.

But up til then, it just won’t mean anything.

The World is not the Same – After

September 12, 2011

In reality, there is no accurate way to calibrate a risk model right after a major loss event. That is because there is always a good chance that the world will change as a result of the experiences of the event.

In Japan, the rebuilding after the losses from the earthquake/tsunami will not replace what was there. The buyers of the products that were manufactured in Japan who were disrupted by the event have all found alternatives. And they have learned from the event to diversify their suppliers or at least deal with a supplier who has diversified exposure to risk. The Japan after the event will not be the same Japan as before.

A market or an industry, a company or a people rarely go back to doing things exactly the same way after a major crisis.

They may become much more conservative about the risk that caused the crisis.  They may just move on, like New Orleans which is now less than one third its pre-Katrina size.  They may adopt many new rules and regulations like Sarbanes-Oxley or Dodd-Frank.  Or they may finally start listening to their risk managers or even hire new CROs.

If you want to have a model that includes the year after a crisis, then you will need to study past crises and the reactions to those events.  What that may mean is that there are ripple effects of the crisis in the model. Not just another random year.  Because regardless of what the theories say, the world displays multi year effects.  Events are not over simply because the model turns to another time slot.

 

 

During the Crisis

September 11, 2011

There are three Phases to Risk Management:

  • Preparation,
  • Crisis Management and
  • Picking up the pieces

During the Crisis, the most important thing is that you are able to assess the situation, choose the appropriate action and finally and most importantly ACT.

Many people are prone to freeze during a crisis.  They go into a daze because some main steady thing in their life is no longer there and working.

On the anniversary of 911, it is interesting to notice that an article A Survival Guide to Catastrophe from 2008 is the most popular article today at Time.com.

It tells the story of how several people escaped several famous catastrophes.  In each case, some of the people who died in those situations were frozen.

The human brain goes through three stages during a crisis: disbelief, deliberation and action.  The frozen people have gotten stuck in the disbelief or deliberation stages.

That is where the Preparation phase is important.  With proper preparation, people can be taught to quickly identify the reality of the crisis and to know in advance their best options.  The purpose of the preparation is then to shorten the time to get to the third stage.  ACTION.  And to make sure that when you get there, you take the right action.

During the World Trade Center crisis, some people did act quickly, and climbed the stairs right up to the roof.  Others made the right choice and went down the stairs.

This Crisis Management thinking does not just refer to physical crises.  Financial firms are faced with financial crises.  In those situations, managers of the firm go through the exact same stages:  disbelief, deliberation and action.  They can get stuck in either of the first two stages until it is too late.  They can also choose the wrong action.

Much of risk management literature seems to be about the risk management things that are needed during the moderately risky, normal times.  But risk management is also needed in the midst of the crisis.  The risk mitigation tactics that work best in moderately risky, normal times may not even be available in a crisis.  There needs to be preparation for a possible crisis so that managers will promptly identify the crisis and know in advance the types of options that they may have and also know how to go about choosing the best options.

Firms that provide property insurance to disaster prone areas have learned that it is much more than good customer service to have claims people on the ground to start writing checks as soon as possible after the disaster.  Firms that trade in financial markets have learned, if they did not know already, that trading is not always continuous.

Whatever your firm does, the risk manager should be developing and training managers about crisis plans.

Where Do You Hide?

September 9, 2011

US Hurricane Risk

The lines on the graph represent the paths of the 50 most deadly US hurricanes on record.  The numbers on the lines are the number of deaths.

One important thing to notice is that there is nowhere on the eastern or southern coasts of the US that has not experienced deadly hurricanes.

That suggests two strategies for dealing with hurricane risk for an individual.

  1. Avoiding it by moving well inside the lines.
  2. Building up a residential system that is resilient to the forces of hurricanes.

The first strategy is suspect until you study the risks of those areas.  The area just outside the lines includes the New Madrid fault and an area that has experienced major inland windstorms, hailstorms and floods in the recent past.  So there is no guarantee of safety by risk avoidance.

That leaves resilience as the best bet.  Resilience will involve learning about safety measures, setting a risk tolerance and finding out how strong of a storm fits within the risk tolerance.

In Japan, they set their risk tolerance to be that they would not accept a risk of a storm that is within the range of all past experience.  They thought of that as a zero risk tolerance.  They learned on 311 that their actual risk tolerance (storms within the historical observations) and their notional risk tolerance (zero) were not the same thing.

For an insurer or a business, there are very different options.  Diversification and insurance/reinsurance may be chosen instead of resiliency.

Society and the Default Put

September 7, 2011

The idea of the Limited Liability Corporation is one of the innovations that is credited with making capitalism work. The structure allows a person or group to form a business without risking their entire fortune. That is the way that economics textbooks say it. It sounds like all upside.

But wait a minute. Think about it like a risk manager. A real risk manager, not the hucksters who sold the “risk goes away if you split it fine enough” or the “no increase in total risk because of diversification benefits” stories.

A real risk manager knows that a loss is a loss. A dollar (or euro, or pound) is a dollar. Losses do not disappear EVER. Unless you do the work to prevent them.

And limited liability is NOT a loss prevention program. It prevents losses from transmitting to a certain party. The owner of the company. But someone always gets those losses.

Think about it for just a fraction of a second. If a company has obligations that it cannot pay, who has a loss? You figured it out; their counterparties take the loss. It might be customers, suppliers, subcontractors, their bank, or bondholders. The limited liability idea protects only one group – the owners/shareholders. Everyone else has unlimited liability!

What we saw in the crisis was this: if you owe the bank $100,000, they own you. If you owe the bank $10,000,000, then you own the bank.

This limited liability idea is totally embedded now. Everyone believes that they have the RIGHT to create problems for everyone else that deals with them and JUST WALK AWAY.

In ancient times, the ultimate collateral was the debtor’s personal freedom. A person who defaulted on a debt became an indentured servant of the lender. This idea persisted in one form or another until the 1800s, when debtors’ prisons fell out of favor. The US was one country that led the way on this movement. The US has always had a much easier attitude to bankruptcy. There has always been much less stigma attached to bankruptcy along with the easier legal climate.

So the system works this way – people and businesses can go bankrupt easily and put their excess losses onto their counterparties. And in reaction to this, counterparties must be careful who they do business with.

That means that Credit Risk Management is a fundamental aspect of the business environment.

However, when you recognize the underlying fundamental reason for that statement, you may question whether the new statistically based Credit Risk Management that has developed over the past 25 years actually satisfies the fundamental need of the system.

Under the statistical approach to CRM, diversification is the key risk management tool. This has replaced the time-consuming and labor-intensive credit underwriting process.

But it is the underwriting process that works to counterbalance the default put that is implicit in the bankruptcy rules.

Without the underwriting, the statistical process will simply not work. It will give totally wrong information. That is because statistics does not work on any old bunch of numbers. Statistics only works on homogeneous sets of numbers.

Let’s review. The default put creates a situation where a person or a firm can take on obligations that they cannot repay AND they will not be held responsible to repay. When people or businesses operate AS IF they were going to pay obligations, then they can receive value from counterparties that is in excess of the value that they will repay. So their counterparties need to police this imbalance.

Statistical CRM means that the lender will make many loans with the expectation that only a few will fail to repay and there will be limited losses from those failures. But once borrowers notice this (or intermediaries who have a better chance to notice) their best outcome is to borrow as much as they can, to leverage up as much as possible. Their upside in the event that everything turns out well is then enormous and they suffer none of the downside.

So statistical CRM leads directly to deterioration in credit quality through excess leverage. No one is actually watching to make sure that the credit risk per loan is staying constant.

And the main risk management tool of diversification fails when the loans themselves become the major source of risk. The correlation between excessive lending and defaults is very high. It is different from the correlation between loans that can be repaid easily.

All this results directly from that default put.  You need to understand the true dynamics of the system if you want to get your risk management right.

