Posts tagged ‘ERM’

Risk Reward Management

January 25, 2022

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

In 2005, Standard & Poor’s called the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.”

The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.

Pitfalls of Risk Reward Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.

Risk Measurement & Reporting

October 18, 2021

Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applies to risk as well as it does to other more commonly measured things like sales, profits and expenses.

Regulators take a similar view; what gets measured should get managed. ORSA frameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.

This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.

From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.

The Need to Measure Up

Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identified.

Almost every CEO can cite the company’s latest figures for sales, expenses and profits, but very few know what the company’s risk position might be.

Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.

Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses: profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.

Risk, on the other hand, is all about things that might happen in the future: specifically, bad things that might happen in the future.

A risk measure reflects an opinion about the size of the exposure to future losses. All risk measures are opinions; there are no facts about the future. At least not yet.

Rationalizing Risk

There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.

That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.

To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes.

Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.

Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.

For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking activities.

With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.

Value at Risk

The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000. This value might represent the insurer’s risk capital target.

Contingent Tail Expectation

A similar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).

The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
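The VaR and CTE definitions above, applied to a set of model outcomes, as an added example that is not from the original post. It assumes that “99th worst of 100” means the 99th result when outcomes are ranked from best to worst; the two books of 1,000 loss outcomes are constructed so that they share the same 99% VaR but have very different tails.

```python
import math


def var_and_cte(outcomes, level=0.99):
    """Return (VaR, CTE) of simulated losses using the rank convention in the text.

    Losses are ranked from best (smallest) to worst (largest). The VaR at
    `level` is the outcome at rank ceil(level * n), e.g. the 990th of 1000
    for 99%. The CTE is the average of the outcomes ranked worse than that.
    """
    if not 0 < level < 1:
        raise ValueError("level must be strictly between 0 and 1")
    losses = sorted(outcomes)  # ascending: a larger value is a worse result
    n = len(losses)
    # Subtract a tiny epsilon so float noise in level * n cannot bump the rank.
    rank = math.ceil(level * n - 1e-9)
    tail = losses[rank:]  # outcomes strictly beyond the VaR rank
    if rank < 1 or not tail:
        # e.g. 50 outcomes cannot support a 99% tail: nothing lies beyond rank 50
        raise ValueError(f"{n} outcomes are too few for a {level:.1%} tail")
    return losses[rank - 1], sum(tail) / len(tail)


def shortfall_beyond_capital(outcomes, level=0.99):
    """CTE minus VaR: the average loss in excess of capital held at the VaR level."""
    var, cte = var_and_cte(outcomes, level)
    return cte - var


# Constructed sample data (not model output): 1,000 loss outcomes per book,
# in arbitrary currency units. Both books have identical results up to the
# 990th outcome; book B has a much heavier tail in its ten worst outcomes.
BOOK_A = list(range(1, 1001))
BOOK_B = list(range(1, 991)) + [2000 + 100 * k for k in range(10)]


def compare_books(level=0.99):
    """Compute VaR, CTE and the shortfall beyond VaR-level capital per book."""
    result = {}
    for name, book in (("A", BOOK_A), ("B", BOOK_B)):
        var, cte = var_and_cte(book, level)
        result[name] = {"var": var, "cte": cte, "shortfall": cte - var}
    return result


if __name__ == "__main__":
    for name, row in compare_books().items():
        print(f"Book {name}: 99% VaR={row['var']}, 99% CTE={row['cte']}, "
              f"average shortfall beyond VaR capital={row['shortfall']}")
```

Capital set at the 99% VaR is the same for both books, yet the average loss beyond that capital differs widely, which is the information the CTE adds.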

Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.

Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.

In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.

Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.

Key Risk Indicators

Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.

For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be difficult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic forecasts as risk indicators.

Of course, simply measuring risk is insufficient. The results of the measurement must be communicated to people who can and will use the risk information to appropriately steer the future activity of the company.

Risk Dashboard

Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.

With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.

The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.

Dashboard Example

2019 Most Dangerous Risks

March 1, 2019

For 2019, a new poll of 180 insurance executives ranks four out of five of last year’s top risks again in the top 5.

See more details at https://blog.willis.com/2019/02/2019-most-dangerous-risks-to-insurers/

Too Much Logic

March 13, 2018

Someone recently told RISKVIEWS that before a company could start a project to revitalize their risk governance structures they MUST update their Risk Appetite and Tolerance.  Because everything in an ERM program flows from Risk Appetite and Tolerance.  That suggestion is likely to be too much logic to succeed.

What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:

  1. The update project will never be completed.
  2. The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.

An organization will make a change when the pain of continuing on the existing course exceeds the pain of change. (paraphrased from Edgar Schein)

So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.

So you can think of the ERM program as the combination of several subsystems:

  • Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
  • Measurement – the models and other methods used to measure risk
  • Selection, Mitigation and Control – the processes that make up the every day activities of ERM
  • Capital Management – the processes that control aggregate risk including the ORSA.
  • Risk Reward Management – the processes that relate risk to prices and profits

When management of an organization is dissatisfied enough with any one of these subsystems, then they should undertake to revise/replace/improve those subsystems.

These subsystems are highly interconnected, so an improvement to one subsystem is likely to increase dissatisfaction with another subsystem.

For example, suppose the Governance subsystem is not working: people are not fulfilling their ERM-related responsibilities, which they may not really understand. When this subsystem is set right, people are aware of their ERM responsibilities and then they find out that some of the other subsystems do not provide sufficient support for them. They get dissatisfied and urge an upgrade to another subsystem. And so on.

This might well result in a very different order for updating an ERM program than the logical order.

However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.

Image: Wave, by Malene Thyssen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=651071

Keys to ERM – Adaptability

April 3, 2017

Deliberately cultivating adaptability is how ERM reduces exposure to unexpected surprises.

There are four ways that an ERM program encourages adaptability:

  1. Risk Identification
  2. Emerging Risks
  3. Reaction step of Control Cycle
  4. Risk Learning

Many risk managers tell RISKVIEWS that their bosses say that their objective is “No Surprises”.  While that is an unrealistic ideal objective, cultivating Adaptability is the most likely way to approach that ideal.

More on Adaptability at WILLIS TOWERS WATSON WIRE.

Updating your Risk Register

January 26, 2017

It is quite easy for an ERM program to become irrelevant. All it takes is for it to stay the same for several years. After just a few years, you will find that your risk management processes are focused upon the issues of several years ago. You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.

That is because the risk environment is constantly changing. Some risks are becoming more dangerous while for others the danger is receding. No firm anywhere has an unlimited budget for risk management. So to remain effective, you need to constantly reshuffle priorities.

One place where that reshuffling is very much needed is in the risk register. That is a hard message to sell. Risk Identification is seen by most as the first baby step in initiating an ERM program. How could a well developed, sophisticated ERM program need to go back to the first baby step?

But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register. That is because risk management is fundamentally a cycle rather than a one-way development process. We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise. For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.

One way to freshen up the process of reviewing the risk register is to bring in outside information.  The link below provides some good outside information that you can use to stimulate your own review.

Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks.  Then over 100 insurer executives and risk management staff helped to rank those 50 risks.


2017’s most dangerous risks for insurers

We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”


Take a look.  How does the resulting ranking look compared to your risk register?  Do any of the top 10 risks show up as middling priority in your program?  Are any of the bottom ten risks near the top of your priority ranking?  So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.

Risk Trajectory – Do you know which way your risk is headed?

July 25, 2016

Which direction are you planning on taking?

  • Are you expecting your risk to grow faster than your capacity to bear risk?
  • Are you expecting your risk capacity to grow faster than your risk?
  • Or are you planning to keep growth of your risk and your capacity in balance?

If risk is your business, then the answer to this question is one of just a few statements that make up a basic risk strategy.

RISKVIEWS calls this the Risk Trajectory. Risk Trajectory is not a permanent aspect of a business’s risk strategy. Trajectory will change unpredictably and usually not each year.

There are four factors that have the most influence on Risk Trajectory:

  1. Your Risk Profile – often stated in terms of the potential losses from all risks at a particular likelihood (i.e. 1 in 200 years)
  2. Your capacity to bear risk – often stated in terms of capital
  3. Your preferred level of security (may be factored directly into the return period used for Risk Profile or stated as a buffer above Risk Profile)
  4. The likely rewards for accepting the risks in your Risk Profile

If you have a comfortable margin between your Risk Profile and your preferred level of security, then you might accept a risk trajectory of Risk Growing Faster than Capacity.

Or if the Likely Rewards seem very good, you might be willing to accept a little less security for the higher reward.

All four of the factors that influence Risk Trajectory are constantly moving.  Over time, anything other than carefully coordinated movements will result in occasional need to change trajectory.  In some cases, the need to change trajectory comes from an unexpected large loss that results in an abrupt change in your capacity.

For the balanced risk and capacity trajectory, you would need to maintain a level of profit as a percentage of the Risk Profile that is on the average over time equal to the growth in Risk Profile.

For Capacity to grow faster than Risk, the profit as a percentage of the Risk Profile would be greater than the growth in Risk Profile.

For Risk to grow faster than Capacity, Risk profile growth rate would be greater than the profit as a percentage of the Risk Profile.

RISKVIEWS would guess that all this is just as easy to do as juggling four balls that are a different and somewhat unpredictably different size, shape and weight when they come down compared to when you tossed them up.

Knowing the results from Stress Tests in Advance

July 13, 2015

Insurers and regulators need to adopt the idea of characterizing stress test scenario frequency as:

  • Normal Volatility
  • Realistic Disaster
  • Worst Case

Or something equivalent.

With the idea that it is reasonable for an insurer to prepare for a Realistic Disaster Scenario, but not practical to be prepared for all Worst Case scenarios. Not practical because the insurance would cost too much and less insurance would be sold.

With such a common language about frequency relating to stress tests, the results of the stress testing and the response to those results can make much more sense.

The outcomes of stress testing then fall into a pattern as well.

  • An insurer should be able to withstand normal volatility without any lasting reduction to capital.
  • An insurer should be able to withstand a Realistic Disaster for most of their risks without a game changing impairment of capital, i.e. it would be realistic for them to plan to earn their way back to their desired level of capital. For the most significant one or two risks, a Realistic Disaster may result in Capital impairment that requires special actions to repair. Special actions may include a major change to company strategy.
  • An insurer can usually withstand a Worst Case scenario for most of their risks with the likelihood that for some, there will be an impairment to capital that requires special actions to repair. For the largest one or two risks, the insurer is unlikely to be able to withstand the Worst Case scenario.

Those three statements are in fact a requirement for an insurer to be said to be effectively managing their risks.

So the ORSA and any other stress testing process should result in the development of the story of what sorts of stresses require special management actions and what types result in failure of the insurer. And for an insurer with a risk management program that is working well, those answers should be known for all but one or two of their risks. Those would be the second and third largest risks. An insurer with a perfect risk management program will not have very much daylight between their first, second and third largest risks and therefore may well be able to survive some worst case scenarios for even their largest risks.

Hierarchy Principle of Risk Management

September 8, 2014

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM. It is one of the two or three most important principles of ERM. Why then, you might ask, haven’t we ever heard about it before, even from RISKVIEWS?

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

  • Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
  • Jerome Kerviel at Soc Gen was doing the same.
  • The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

  1. it works to systematically determine the significance of all risk decisions, 
  2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
  3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
  4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM has been fighting to get any traction, to have a voice. The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers. A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise. If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.

Insurers need to adapt COSO/ISO Risk Management to achieve ERM

July 29, 2014

Both the COSO and ISO risk management frameworks describe many excellent practices.  However, in practice, insurers need to make two major changes from the typical COSO/ISO risk management process to achieve real ERM.

  1. RISK MEASUREMENT – Both COSO and ISO emphasize what RISKVIEWS calls the Risk Impressions approach to risk measurement. That means asking people what their impression is of the frequency and severity of each risk. Sometimes they get real fancy and also ask for an impression of Risk Velocity. RISKVIEWS sees two problems with this for insurers. First, impressions of risk are notoriously inaccurate. People are just not very good at making subjective judgments about risk. Second, the frequency/severity pair idea does not actually represent reality. The idea properly applies to very specific incidents, not to risks, which are broad classes of incidents. Each possible incident that makes up the class that we call a risk has a different frequency/severity pair. There is no single pair that represents the class. Insurers’ risks are in one major way different from the risks of non-financial firms. Insurers almost always buy and sell the risks that make up 80% or more of their risk profile. That means that to make those transactions they should be making an estimate of the expected value of ALL of those frequency and severity pairs. No insurance company that expects to survive for more than a year would consider setting its prices based upon something as lacking in reality testing as a single frequency and severity pair. So an insurer should apply the same discipline to measuring its risks as it does to setting its prices. After all, risk is the business that it is in.
  2. HIERARCHICAL RISK FOCUS – Neither COSO nor ISO demand that the risk manager run to their board or senior management and proudly expect them to sit still while the risk manager expounds upon the 200 risks in their risk register. But a depressingly large number of COSO/ISO shops do exactly that. Then they wonder why they never get a second chance in front of top management and the board. However, neither COSO nor ISO provide strong enough guidance regarding the Hierarchical principle that is one of the key ideas of real ERM. COSO and ISO both start with a bottom-up process for identifying risks. That means that many people at various levels in the company get to make input into the risk identification process. This is the fundamental way that COSO/ISO risk management ends up with risk registers of 200 risks. COSO and ISO do not, however, offer much if any guidance regarding how to make that into something that can be used by top management and the board. In RISKVIEWS’ experience, the 200 item list needs to be sorted into no more than 25 broad categories. Then those categories need to be considered the Risks of the firm and the list of 200 items considered the Riskettes. Top management should have a say in the development of that list. It should be their choice of names for the 25 Risks. The 25 Risks then need to be divided into three groups. The top 5 to 7 Risks are the first rank risks that are the focus of discussions with the Board. Those should be the Risks that are most likely to cause a financial or other major disruption to the firm. Besides focusing on those first rank risks, the board should make sure that management is attending to all of the 25 risks. The remaining 18 to 20 Risks then can be divided into two ranks. Top management should then focus on the first and second rank risks. And they should make sure that the risk owners are attending to the third rank risks.
Top management, usually through a risk committee, needs to regularly look at these risk assignments and promote and demote risks as the company’s exposure and the risk environment changes. Now, if you are a risk manager who has recently spent a year or more constructing the list of the 200 Riskettes, you are doubtless wondering what use would be made of all that hard work. Under the Hierarchical principle of ERM, the process described above is repeated down the org chart. The risk committee will appoint a risk owner for each of the 25 Risks and that risk owner will work with their list of Riskettes. If their Riskette list is longer than 10, they might want to create a priority structure, ranking the risks as is done for the board and top management. But if the initial risk register was done properly, then the Riskettes will be separate because there is something about them that requires something different in their monitoring or their risk treatment. So the risk register and Riskettes will be a valuable and actionable way to organize their responsibilities as risk owner, even if it is never again shown to top management and the board.

These two ideas do not contradict the main thrust of COSO and ISO but they do represent a major adjustment in approach for insurance company risk managers who have been going to COSO or ISO for guidance.  It would be best if those risk managers knew in advance about these two differences from the COSO/ISO approach that is applied in non-financial firms.
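The Risk Measurement point above can be made concrete with a short calculation. The following is an added example, not code from RISKVIEWS: it takes one risk class made up of several incident types, computes the expected value over all of the frequency/severity pairs, and compares the tail of the annual loss with the tail implied by a single pair that has the same total frequency and the same expected loss. The incident frequencies and severities are constructed for illustration, and the example assumes independent Poisson incident counts and a 99.5% level chosen only to show the tail.

```python
import math

# Constructed sample data (not from the post): one risk class broken into
# incident types, each with (expected incidents per year, severity in $M).
INCIDENT_TYPES = [(2.0, 1), (0.5, 5), (0.1, 20), (0.02, 100), (0.005, 400)]


def expected_annual_loss(incident_types):
    """Expected value over ALL frequency/severity pairs in the class."""
    return sum(freq * sev for freq, sev in incident_types)


def single_pair(incident_types):
    """Collapse the class to one pair with the same total frequency and the
    same expected annual loss (the kindest possible single-pair summary)."""
    total_freq = sum(freq for freq, _ in incident_types)
    return total_freq, expected_annual_loss(incident_types) / total_freq


def annual_loss_distribution(incident_types, max_loss):
    """P(annual loss = s) for s = 0..max_loss, by Panjer recursion.

    Assumption of this example: incident counts are independent Poisson
    variables and severities are positive whole numbers of $M.
    """
    for _, sev in incident_types:
        if not isinstance(sev, int) or sev <= 0:
            raise ValueError("severities must be positive integers")
    total_freq = sum(freq for freq, _ in incident_types)
    dist = [0.0] * (max_loss + 1)
    dist[0] = math.exp(-total_freq)          # no incident of any type
    for s in range(1, max_loss + 1):
        acc = 0.0
        for freq, sev in incident_types:
            if sev <= s:
                acc += sev * freq * dist[s - sev]
        dist[s] = acc / s
    return dist


def quantile(dist, level):
    """Smallest loss whose cumulative probability reaches `level`."""
    cumulative = 0.0
    for loss, prob in enumerate(dist):
        cumulative += prob
        if cumulative >= level:
            return loss
    raise ValueError("max_loss is too small to reach the requested level")


def poisson_quantile(rate, level):
    """Smallest incident count whose Poisson CDF reaches `level`."""
    prob = math.exp(-rate)
    cumulative, count = prob, 0
    while cumulative < level:
        count += 1
        prob *= rate / count
        cumulative += prob
    return count


def compare(incident_types, level=0.995, max_loss=2000):
    """Full class versus its single-pair summary at the same expected loss."""
    freq, sev = single_pair(incident_types)
    dist = annual_loss_distribution(incident_types, max_loss)
    return {
        "expected_loss": expected_annual_loss(incident_types),
        "single_pair": (freq, sev),
        # With one pair, the annual loss is just severity times a Poisson count.
        "single_pair_quantile": sev * poisson_quantile(freq, level),
        "class_quantile": quantile(dist, level),
        "class_mean_from_dist": sum(s * p for s, p in enumerate(dist)),
    }


if __name__ == "__main__":
    for key, value in compare(INCIDENT_TYPES).items():
        print(key, value)
```

Both views report the same expected annual loss, but the single pair places the 99.5% annual loss far below what the full set of pairs produces, because the rare, severe incident types vanish into the average.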

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness”. Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed. Most often ignored is interdependence caused by common counterparties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM. The CRO should not be an independent advocate for risk management; the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

Who should do ERM?

February 25, 2014

Risk Identification – don’t just mail it in

January 9, 2014

ERM programs all start out with a suggestion that you must identify your risks.

Many folks take this as a trivial exercise. But it is not. There are two important reasons why not:

  1. Everyone has risks in the same major categories, but the way that those categories are divided into the action level is important. All insurers have UNDERWRITING RISK. But almost all insurers should be subdividing their UNDERWRITING RISK into major subcategories, usually along the lines that they manage their insurance business. Even the very smallest single line single state insurers subdivide their insurance business. Risks should also be subdivided.
  2. Names are important.  Your key risks must have names that are consistent with how everyone in the company talks.

Best practice companies will take the process of updating very seriously.  They treat it as a discovery and validation process.

To read more about Risk identification, see the WillisWire post

(This is the first of a 14 part series about the ERM practices that are needed to support the new ORSA Process)

and the RISKVIEWS post

Identifying Risks

Most Popular Posts of 2013

December 30, 2013

RISKVIEWS made 66 new posts in 2013.  You can visit all 66 using the links at the right of the page for Archives, which link to the new posts for each month.

For total traffic in 2013, posts from 2013, 2012, 2011 and 2010 were the most popular,  led by

  1. Getting Started in a Risk Management Career  from November 2012
  2. Avoiding Risk Management  from February 2012
  3. Five components of resilience – robustness, redundancy, resourcefulness, response and recovery  from January 2013
  4. REDUCING MORAL HAZARD  from July 2010
  5. Frequency vs. Likelihood  from June 2011

And here are ten posts that RISKVIEWS recommends that you may have missed:

Inflationary Expectations
Changing Your Attitude
Skating Away on the Thin Ice of the New Day
Full Spectrum Risk Management
Focusing on the Extreme goes Against the Grain
Maybe it is not as obvious as you think…
Capabilities
The World is not the Same – After
Uncertain Decisions
Murphy was a Risk Manager!

ERM on WillisWire

December 3, 2013

Risk Management: Adaptability is Key to Success

There is no single approach to risk management that will work for all risks nor, for any one risk, is there any one approach to risk management that will work for all times. Rational adaptability is the strategy of altering …


Resilience for the Long Term

In 1973, CS Holling, a biologist, argued that the “Equilibrium” idea of natural systems that was then popular with ecologists was wrong. He said that natural systems went through drastic, unpredictable changes – such systems were “profoundly affected by random events”. …


Management is Needed: Not Incentive Compensation

Many theoreticians and more than a few executives take the position that incentive compensation is a powerful motivator. It therefore follows that careful crafting of the incentive compensation program is all that it takes to get the most out of a …


A Gigantic Risk Management Entertainment System

As video gaming has become more and more sophisticated, and as the hardware to support those games has become capable of playing movies and other media, video game consoles have now become “Entertainment Systems”.


Panel at ERM Symposium: ERM for Financial Intermediaries

Insurance company risk managers need to recognize that traditional activities like underwriting, pricing and reserving are vitally important parts of managing the risks of their firm. Enterprise risk management (ERM) tends to focus upon only two or three of the …


ERM Symposium Panel: Actuarial Professional Risk Management

In just a few days, actuaries will be the first group of Enterprise Risk Management (ERM) professionals to make a commitment to specific ERM standards for their work. In 2012, the Actuarial Standards Board passed two new Actuarial Standards of …


Has the Risk Profession Become a Spectator Sport?

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.


What to Do About Emerging Risks…

WillisWire has on several occasions featured opinions from a large number of our contributors about what might be the next emerging risk in various sectors. But what can be done once you have identified an emerging risk?


U.S. Insurers Need to Get Ready for ORSA

Slowly, but surely, and without a lot of fanfare, U.S. insurance regulators have been orchestrating a sea change in their interaction with companies over solvency.  Not as dramatic as Solvency II in Europe, but the U.S. changes are actually happening …


Resiliency vs. Fragility

Is there really a choice?  Who would choose to be Fragile over Resilient?

Reviewing Risk Appetite

November 19, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

Risk appetite setting and its implication on business strategy. 

Risk appetite is a high-level view of the risks the organization is willing to accept in pursuit of value. When an insurer defines the optimal level of risk, a common view of the ultimate priority is to serve shareholders’ benefit. This will facilitate the decision on the types of risks and magnitudes of the risks to be taken that are consistent with business strategies and market situation. At the same time, the desired risk profile should satisfy the explicit and implicit constraints set by other parties such as regulators, rating agencies, policyholders, debt holders, senior management, and employees. Some external changes have also expedited the process. S&P has required a clear statement of risk appetite as a foundation of “strong” or “excellent” ERM rating. Solvency II also requires insurers to explicitly consider their risk appetite.

A risk appetite framework normally includes three levels.

Enterprise risk tolerance: The aggregate amount of risk the company is willing to take, expressed in terms of

  1. capital adequacy
  2. earnings volatility
  3. credit rating target

It represents the company’s long term target and shall be revised only if there are fundamental changes to the company’s financial profile, market situation and strategic objective. Risk appetite helps prevent default by preserving capital position. This is required by regulators, rating agencies, policyholders, and debtholders. These stakeholders show little or no interest in the upside from risk taking. On the other hand, shareholders are interested in the upside resulting from risk taking and low earnings volatility.

Risk appetite for each risk category: Enterprise risk tolerance needs to be allocated to risk appetite for specific risk categories and business activities. For example, selling life insurance policies or underwriting property and casualty risks. Or taking more market risk versus credit risk. By doing this, the company’s resources, like capital, can be allocated to the areas that the company feels comfortable with, or has competitive advantages.  When determining or updating risk appetite for different risk categories, in addition to considering the constraints set by enterprise risk tolerance, it should aim to maximize the risk-adjusted return of risk-taking activities.

Risk limit: Risk limits are the most granular level, which is used for business operation. They translate enterprise risk tolerance and risk appetite for each risk category into risk monitoring measures. The consistency between risk limit and enterprise risk tolerance helps the company realize its risk objective and maximize risk adjusted return.

Risk appetite not only protects value, but also creates value for the business. It helps senior management make informed decisions to maximize risk adjusted return for the shareholder. Ensuring the consistency between risk appetite and risk limits is very important. Both rating agencies and investors are concerned about whether risk appetite is properly aligned with the risk limits being set for business operation. A sound risk management practice requires risk appetite to be integrated into business strategy and corporate culture.

Desired actions/features of risk management by category:

Ad Hoc

  1. Unsystematic description of the company’s willingness to take risk. This could possibly be by an answer to investors, regulators or rating agencies’ inquiry and not fully linked with the company’s ability to take risk.

Basic

  1. The company has a formal statement of enterprise risk tolerance which has been approved by Board of Directors (BOD). The statement should at least include target credit rating, capital adequacy, earnings volatility, and attitude to operational risk such as reputation risk and legal risk.
  2. Risk appetite statement is incorporated in the risk management policy and will be reviewed annually by risk management committee and BOD.
  3. When making a strategic decision, the impact is sometimes checked against enterprise risk tolerances to make sure they are not breached.

Standard

  1. The company has a well established risk appetite framework which includes enterprise risk tolerance, risk appetite for each identified risk category and risk limits. Those are reviewed and approved by BOD and updated at least annually or in market turmoil.
  2. The risk appetite framework considers all the constraints the company faces and reflects key stakeholders’ risk preference. They include regulators both at group level and local level, shareholders, debtors, and management.
  3. There exists a consistent framework to align risk limits with enterprise risk tolerance. This is essential to make sure all business decisions are made within the company’s tolerance of risk.
  4. Integration of risk appetite and strategic planning. Risk appetite framework plays an active role in providing information about risk exposures of business activities and risk reward trade off. Asset allocation and product mix are the two key areas.
  5. The whole company is involved in risk appetite framework to facilitate risk identification and foster a healthy risk culture.

Advanced

  1. Risk appetite framework is integrated with all business decisions, including business operation constrained by risk limits and strategic decisions to fit into enterprise risk tolerance. Strategic decisions include, but are not limited to, strategic asset allocation, tactical asset allocation, new business planning, capital allocation, and risk management strategies.
  2. Performance measurement of management is linked to risk adjusted return or risk adjusted value.
  3. Effective and company wide education and communication of risk appetite framework are in place and regularly scheduled.
  4. Back testing of risk appetite framework is conducted to identify new risks, key assumption errors, and model errors.
  5. Risk appetite framework is considered more as strategic risk management than as a risk limit system.
  6. Risk appetite framework puts more effort into emerging risks or risks hard to identify and quantify. Qualitative analysis becomes critical in corporate strategic decision.

Capital Allocation – Different Questions

November 18, 2013

RISKVIEWS has been confused by the vehemence of some people about the topic of capital allocation.

Some people feel that capital MUST be allocated to facilitate proper management.

Others feel that capital MUST NEVER be allocated because it leads to incorrect decisions.

But RISKVIEWS suspects that they may be talking about two different questions.

Those who think that they MUST allocate capital are trying to answer the question “How DID we do?”

Those who think that they MUST NEVER allocate capital are focused on the question “What SHOULD we do?”

Of course, the two questions often get mixed up.  But one is about the past and the other one is about the future.  The problem that folks who object to capital allocation are afraid of is that if capital is allocated for the purposes of answering the “How DID we do?” question, then the same sort of allocation will be used to answer the “What SHOULD we do?” question.

And that IS a problem.  The “What SHOULD we do?” question needs to be answered with projections of the future.  Many decisions that are worth worrying about do not settle within a single year, so the projections need to be multi year.

But the problem that they are worried about is the problem of making a multi year decision with a single year projection.  Whether capital is allocated or not, that is a poor way to go.

Multi year decisions need multi year projections. The multi year capital impact needs to be included. That can be done with a cost of capital factor or by a carefully constructed model that reflects capital inflows and outflows and then implicitly charges a cost for capital held. The multi year calculation usually needs to be discounted at an appropriate risk adjusted discount rate.

RISKVIEWS’ rule of thumb for selecting a discount rate is that all risks should be included ONCE and only ONCE in the entire calculation. So if the calculation is a stochastic one that includes scenarios that reflect the possible adverse effects of a risk, then the discount rate should not also include a charge for that risk. If your projection includes ALL possible risks, then a risk free rate is an appropriate discount. Remember that the market charges a risk premium for its perception of emerging risks. And for the risk of strategic failure.

So RISKVIEWS concludes that there is no harm from allocating capital.  There is a harm from making multi year decisions with a one year projection.  Whether or not capital is allocated.  And multi year decisions need to include the effect of capital usage.

Seven Choices

September 23, 2013

Risk Management literature often portrays four choices for risk managers: avoid, transfer, mitigate or accept.
On The Southern Project Manager, Harry Hall suggests that there are actually seven choices:

[Figure: the seven choices]

The additions are all variations on the original four choices, but they are valuable alterations in point of view, away from the totally negative view that looks at risk as something bad that you want to get away from if at all possible.

RISKVIEWS particularly likes the choice of ENHANCE.  That means to improve your upside, usually by adding resources to make execution more effective.

A worthwhile read!

Open or Closed?

July 9, 2013

Moorad Choudhry provides a good description of how banks think about ALM in a new article in The Actuary, Asset/liability management: solid as a rock?.

But he misses one very important point that to RISKVIEWS explains the difference between banks and insurer/pension plans with regard to ALM. That difference is the title of this piece.

The bank ALM model assumes that the bank will remain Open. Therefore, the bank always has the option to obtain the funds that are needed to pay near term liabilities, unless there is the unfortunate occurrence of a liquidity problem. The second part of this story is that banks do not mark their banking book of assets to market. The banking book supports their “maturity transformation” business. By avoiding that MTM step the bank keeps its large mismatch “off the books”. This position has been the case, according to Choudhry, since the first banks.

Insurer and Pension ALM assumes that the company/fund becomes Closed and no longer has any access to new funds. The new idea, which is a part of IFRS accounting, that an insurer will mark everything to market is entirely consistent with the assumption that the company is assumed to be Closed.

That Closed company assumption along with the approach to ALM that insurers now use crept into insurance practice in the past 40 years with application of ideas that were no more than 75 years old.  One source speaks of these ideas as Anglo-American practices.  And in the discussions of Solvency II, one of the thorny topics goes back to this assumption since the German life insurance industry tends to favor an Open company approach.

The insurance company adoption of Closed company ALM started after some insurers suddenly went into the maturity transformation business in a big way only to learn that there was a definite limit to the amount of maturity transformation that could be done by an insurer relative to the capital and operations of the insurer.  Some insurers, notably The Equitable, experienced very large losses and had their business severely disrupted.  Almost 20 years later, as if to prove the necessity of the Closed company approach, General American also experienced massive losses when most funds were withdrawn from their maturity transformation business.

Looking at the ALM topic in this manner allows one to see the real and fundamental difference between the two approaches and in a non-pejorative manner.

In one sense, the insurers seem to be much too restrictive, too risk averse, in their approach to ALM by adopting a full Closed approach. Of course, insurers are not all planning on Closing, on going out of business. So preparing for this risk as if they were seems like extreme over caution.

On the other hand, banks, over the centuries have been subject to numerous runs and mass failures.  The Open company approach leaves a bank subject to a large contagion risk.  Once one bank has a problem, all banks may become subject to excessive withdrawals and all but the most secure banks that had been run with an Open company approach will experience severe trouble which could lead to a cascade of failures.  That is the reason why one of the fundamental functions of the Central Banks is to provide emergency liquidity to banks that are fundamentally sound.

If insurers shifted to an Open company approach to ALM, then insurers would also be subject to the same sort of fragility as the banks.  Insurers are in a different business from banks, usually providing longer term promises that require a much higher degree of confidence in their ability to be able to fulfill those promises under extremely stressful circumstances.  If insurers were operated with the same degree of fragility as banks, it is quite possible that their business model would fail completely.

Summer ERM Readings

July 3, 2013

This Summer – Sun and Fun and ERM can all go together. Eight short ERM stories for the beach.

What to Do About Emerging Risks…

Managing emerging risks requires more than just blue sky sessions to identify the black swans and unknown unknowns in the imagination. Actions must be taken to evaluate the potential impact of these risks and plan for their emergence and track their approach.

http://blog.willis.com/2013/04/what-to-do-about-emerging-risks/

ERM in the Hierarchy of Corporate Needs

Businesses have a hierarchy of needs just like individuals.  ERM helps to provide for one of those needs, but not the highest need. This puts the importance of risk management into the perspective that boards and executives may have. 

http://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2013/june/act-2013-vol10-iss3-ingram.pdf

Creating a Risk Management Culture

Often risk culture is talked about as the tone at the top. To make that tone permeate the entire corporate culture, executives and managers need to talk the risk talk constantly.

http://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2013/april/act-2013-vol10-iss2-ingram.pdf

Discovering empirical risk appetite

More than half of all insurance companies lack a fully formed risk appetite statement.  But in the course of normal operations, many decisions and actions are taken that if examined properly will reveal an empirical risk appetite. 

http://wp.me/aevO4-15W

Get Ready for ORSA

US insurers need to learn a new word – ORSA.  It stands for Own Risk and Solvency Assessment.  By 2015, all insurers with more than $500M of premiums need to prepare an ORSA report to be filed with their state regulator.  A few are ready for this but most will need to do significant preparation.  

http://blog.willis.com/2013/02/u-s-insurers-need-to-get-ready-for-orsa/

Help Wanted: Risk Tolerance

Only the experienced need apply.  Insurers with a history of risk measurement have a much easier time with forming their initial risk appetite statement.  Firms without that experience will have a hard time coming to a final conclusion. 

http://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2013/february/act-2013-vol10-iss1-toc.aspx

A framework for validating your Economic Capital Model

In the last several years, economic capital models have become ubiquitous for larger, complex insurers and now a broader swath of the industry is beginning to examine the potential benefits.  The users of model outputs need assurance that the economic capital model adheres to its guiding conceptual principles, aligns with prior editions of the same model, and conforms to standards imposed by the regulator.   Model validation is the process of confirming these qualities.

http://wp.me/aevO4-15V

Trifurcation: Divide to Conquer Risk

Risk analytics often portray risk as a single quantity.  But risk has many aspects.  By splitting the projected future possibilities into three tranches, some new insights into the impact of different risk mitigation alternatives can be found. 

http://www.soa.org/library/newsletters/risk-management-newsletter/2012/december/jrm-2012-iss26-ingram.aspx

The Risk Management Circle

June 16, 2013

 

[Figure: ERM Control Cycle]

ERM at its best can be a process for overseeing all of the financial management processes of the firm.

To accomplish this, ERM needs to be a light touch in the picture above where the arrows in and out of ERM indicate the movement of information from the various processes and the facilitation of coordination and quality control moving back.  ERM can provide help to those responsible for the processes by sharing insights gained from a cross business enterprise perspective and expertise from a subject matter concentration.  ERM can help to build out these processes when they are weak or missing but to be fully effective, ERM needs to stay lean by passing the management of those processes to other areas.

At its worst, it is a drag on as many of those processes as it actually touches.

When ERM is a drag, the arrows around the outside of the diagram above are removed or weakened substantially so that everything flows through ERM.  At first, only a few of the outside arrows are missing but over time ERM takes on a more and more central role to all financial decision making.  This creates a dual management structure.

Or it can merely be a waste of time and money that does not disrupt the rest of the firm.

Under this scenario, the lines between ERM and the important financial functions are partially or totally missing.  ERM has an autonomous role, for example to create and maintain an internal model for compliance purposes.

 

Does Anyone Care about Risk Appetite?

April 24, 2013

RISKVIEWS got a private comment on the Risk Portfolio post. The comment can be summed up by the title above.

And if you think about the insights about ERM from the Plural Rationality discussion, you might echo that question.

FOUR STRATEGIES

If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find.

If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that are very similar to what you write already, to what you are comfortable with. You might fear that setting an appetite would improperly encourage folks to take more risk even if it does not really fit those very stringent criteria.

If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance.  How would you know what the opportunities will be in the future?  You might easily want to accept much more or much less.  You would think that it is a waste of time to worry about such an unknowable issue.

Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea.  They would say that you must have a risk appetite for your ERM program to have any meaning.  Many regulators have the same MANAGER risk attitude.  They agree with the fundamental idea of ERM, with the idea that risk managers are needed to assist insurance company managers, to assess risks and to make sure that the insurer does not take too much risk.  The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company.

And MANAGERS will do the best for the company when they manage the risks of the firm during times of moderate volatility. Then their choices of risks will likely perform just as their models will predict. However in times when opportunities are best, the MANAGERS will doubtless hold the company back from the sort of gains in profitable business that the MAXIMIZERS will achieve in the companies that they run. And in times when the red ink is running all over, the MANAGERS will urge insufficient caution and will see larger losses than their models would indicate.

In the sort of uncertain times that we have lived with for 5 years now, the MANAGER’s models will not be able to adequately point the way either.  Results will languish or bounce unexpectedly.

But it is just not true that nobody cares about Risk Appetite.

Risk Portfolio Management

April 18, 2013

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

Standard & Poor’s calls the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.“

The Risk Portfolio Management process is nothing more or less than looking at the expected reward and loss potential for each major profit making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro-level risk exploitation.

Economic Capital
Economic capital (EC) flows from the Provisioning principle. EC is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk portfolio risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk-adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Portfolio Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Portfolio Risk Management usually fail to do so because they do not have a common measurement basis across all of their risks. The recent move of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Portfolio Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

Pitfalls of Risk Portfolio Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find itself quickly in major trouble.

Even without major deviations of experience, the Risk Portfolio Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Portfolio Management process.
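The sensitivity described above can be made concrete with a small calculation. This is an added example, not part of the original post: it assumes a variance-covariance aggregation of stand-alone economic capital (the square root of the correlation-weighted sum of products), which is one common simplification and not a method the post specifies, and every figure, name and correlation in it is constructed for illustration.

```python
import math

# Constructed figures: stand-alone economic capital (EC) of the existing book.
BASE_EC = [120.0, 50.0]            # e.g. a large catastrophe book and a casualty book
BASE_CORR = [[1.0, 0.0],
             [0.0, 1.0]]           # assumed correlation between the two books

# Two constructed candidate risks of equal stand-alone size.
# A: higher stand-alone return, highly correlated with the largest risk.
# B: lower stand-alone return, weakly correlated with everything.
CANDIDATE_A = {"ec": 20.0, "profit": 3.0, "corr": [0.9, 0.0]}
CANDIDATE_B = {"ec": 20.0, "profit": 2.4, "corr": [0.1, 0.1]}


def diversified_ec(standalone, corr):
    """Aggregate stand-alone EC with a correlation matrix (assumed method)."""
    n = len(standalone)
    total = sum(standalone[i] * standalone[j] * corr[i][j]
                for i in range(n) for j in range(n))
    return math.sqrt(total)


def stress_correlations(corr, weight):
    """Move every off-diagonal correlation toward one.

    weight = 0 leaves the matrix unchanged; weight = 1 is the
    "all correlations go to one" case.
    """
    n = len(corr)
    return [[1.0 if i == j else (1.0 - weight) * corr[i][j] + weight
             for j in range(n)] for i in range(n)]


def marginal_ec(candidate, weight=0.0):
    """Increase in diversified EC from adding the candidate to the base book."""
    n = len(BASE_EC)
    ec = BASE_EC + [candidate["ec"]]
    # Extend the base matrix with the candidate's row and column.
    corr = [row[:] + [candidate["corr"][i]] for i, row in enumerate(BASE_CORR)]
    corr.append(list(candidate["corr"]) + [1.0])
    corr = stress_correlations(corr, weight)
    base = diversified_ec(BASE_EC, [row[:n] for row in corr[:n]])
    return diversified_ec(ec, corr) - base


def return_on_marginal_ec(candidate, weight=0.0):
    """Expected profit divided by the capital the candidate really adds."""
    return candidate["profit"] / marginal_ec(candidate, weight)


def standalone_return(candidate):
    """Expected profit divided by stand-alone EC (ignores diversification)."""
    return candidate["profit"] / candidate["ec"]


if __name__ == "__main__":
    for weight in (0.0, 0.5, 1.0):
        a = return_on_marginal_ec(CANDIDATE_A, weight)
        b = return_on_marginal_ec(CANDIDATE_B, weight)
        print(f"stress weight {weight:.1f}: "
              f"A returns {a:6.1%} on marginal EC, B returns {b:6.1%}")
```

With the modeled correlations, B looks far better than A on marginal capital even though A has the higher stand-alone return; with all correlations at one, the ranking reverses and the diversification credit in the base book disappears as well.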

Risk Portfolio Management is one of the Seven ERM Principles for Insurers

Delusions about Success and Failure

April 8, 2013

In his book, The Halo Effect: … and the Eight Other Business Delusions That Deceive Managers, author Phil Rosenzweig discusses the following 8 delusions about success:

1. Halo Effect: Tendency to look at a company’s overall performance and make attributions about its culture, leadership, values, and more.

2. Correlation and Causality: Two things may be correlated, but we may not know which one causes which.

3. Single Explanations: Many studies show that a particular factor leads to improved performance. But since many of these factors are highly correlated, the effect of each one is usually less than suggested.

4. Connecting the Winning Dots: If we pick a number of successful companies and search for what they have in common, we’ll never isolate the reasons for their success, because we have no way of comparing them with less successful companies.

5. Rigorous Research: If the data aren’t of good quality, the data size and research methodology don’t matter.

6. Lasting Success: Almost all high-performing companies regress over time. The promise of a blueprint for lasting success is attractive but unrealistic.

7. Absolute Performance: Company performance is relative, not absolute. A company can improve and fall further behind its rivals at the same time.

8. The Wrong End of the Stick: It may be true that successful companies often pursued highly focused strategies, but highly focused strategies do not necessarily lead to success.

9. Organizational Physics: Company performance doesn’t obey immutable laws of nature and can’t be predicted with the accuracy of science – despite our desire for certainty and order.


A good risk manager will notice that all 8 of these delusions have a flip side that applies to risk analysis and risk management.

a.  Bad results <> Bad Culture – there are many possible reasons for poor results.  Culture is one possible reason for bad results, but by far not the only one.

b.  Causation and Correlation – actually this one need not be flipped.  Correlation is the most misunderstood statistic.  Risk managers would do well to study and understand what valuable and reliable uses there are for correlation calculations.  They are very likely to find few.

c.  Single explanations  – are sometimes completely wrong (see c. above), they can be the most important of several causes, they can be the correct and only reason for a loss, or a correct but secondary reason.  Scapegoating is a process of identifying a single explanation and quickly moving on.  Often without much effort to determine which of the four possibilities above applies to the scapegoat.  Scapegoats are sometimes chosen that make the loss event appear to be non-repeatable, therefore requiring no further remedial action.

d.  Barn door solutions – looking backwards and finding the activities that seemed to lead to the worst losses at the companies that failed can provide valuable insights or it can lead to barn door solutions that fix past problems but have no impact on future situations.

e.  Data Quality – same exact issue applies to loss analysis.  GIGO

f.  Regression to the mean – may be how you describe what happens to great performing companies, but for most firms, entropy is the force that they need to be worried about.  A firm does not need to sport excellent performance to experience deteriorating results.

g.  Concentration risk – should be what a risk manager sees when strategy is too highly concentrated.

h.  Uncertainty prevails – precision does not automatically come from expensive and complicated models.

Risk and Return – A Balancing Act

April 5, 2013

From Max Rudolph

There are similarities between value investing and enterprise risk management (ERM) methods. For some, especially portfolio managers, this may be obvious. These investors come to the table with experience using risk as a constraint while trying to optimize returns. Years of experience have taught this group that risk balances return, and that return balances risk. Value is added by creating favorable imbalances. The investor with high returns and average risk has succeeded, as has the investor reporting average returns and low risk.

Many concepts are shared between ERM and value investing. When defining risk, which is generally unique to the individual, an analyst considers uncertainty, downside risk, and optimization. Value investors look at concepts like conservative assumptions, margin of safety, and asset allocation. These concepts are comparable, and this paper uses the International Actuarial Association’s Note on enterprise risk management (ERM) for capital and solvency purposes in the insurance industry to take the reader through general ERM topics. This is followed by a comparable value investing discussion and a comparison of the two practice areas.

In some firms, a risk manager is placed in a position with little authority, limiting the benefits of ERM. A process driven ERM function can identify risks and risk owners, create a common language, and send useful reports to the Board. A stronger risk officer adds value by using transparency to understand risk interactions, scanning for emerging risks and generally keeping a focus on how an entity’s risk profile is evolving.

Continued in Value Investing and Enterprise Risk Management: Two Sides of the Same Coin

Has the risk profession become a spectator sport?

April 3, 2013

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers, which takes place April 23 and 24.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

  • Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
  • For the most significant headlines during the past year, how was the risk management function involved?
  • Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
  • What are the lessons that have been learned and how are they shaping risk management today? If not, why?
  • Does risk management have a seat at the table, at the correct table?
  • Are risk managers as empowered as they should be?
  • Is risk management asking the right questions?
  • Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

  • Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understood the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
    • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
    • Unintended consequences may be lost/hidden in the maze of complexity thereby magnifying the potential impact of future events.
    • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
    • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
    • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
  • Actuarial Professional Risk Management  –  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
  • Enterprise Risk Management in Financial Intermediation  –  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.

 

 

2012 Survey for Japanese Risk Managers

January 25, 2013

The following is an excerpt from the Executive Summary of the report:

Defining Risk Management within an Organization:

Results of the 2012 Survey for Japanese Risk Managers

by Kenji Fujii and Yuji Morimoto

This survey was conducted early this year by the Tokyo Risk Managers Association (TRMA) as a follow-up to the TRMA financial crisis questionnaire in 2009. 

Following is the summary of what we learned from the survey result.

  • First of all, the involvement of senior management in risk management has increased.
  • On the other hand, there were many responses stating that effective discussions at Risk Management Committee meetings had not progressed very much; that the status and authority of Chief Risk Officers (CRO) had not been strengthened very much; and that sufficient resources are still not being allocated to Risk Management Divisions. These responses suggest that although senior management are expressing an increased interest in risk management, this interest does not necessarily tie into concrete reinforcements.
  • Regarding the risk appetite, more than half of respondents were of the opinion that risk should be used as a standard when creating business plans, but at the same time, it became clear that this approach has not penetrated or become entrenched as part of actual operations.
  • Regarding capital management, two opinions were at odds; the opinion that regulatory capital and economic capital are approaching one another, and the opinion that they are drifting apart. Responses also indicated continued struggles with regard to the structure of approaches and frameworks regarding capital management, and a greater number of respondents expressed the opinion that there is meaning in creating recovery and resolution plans.
  • Regarding stress tests, there were indications that integrated stress tests are being employed more broadly, and it appears that reports to management on test results have already become commonplace. The issue raised most frequently with regard to stress tests was “establishing appropriate scenarios.”
  • Although many respondents indicated that liquidity risk management has improved, these opinions were not yet in the majority. There were also conflicting opinions regarding whether or not the strengthening of liquidity risk regulations reduced liquidity risks.
  • Regarding risk data, although many respondents said that there have been improvements, it became clear that many members are concerned about the fact that this data continues to be stored in various systems in a scattered fashion.

The entire paper is available here.

An ERM Carol

December 22, 2012

You awake with a start.  There is an eerie presence in your bedroom.  A voice says “Come with me!”

You see yourself, many years ago, starting out in your career.  With an interest in risk, you feel lucky that you were able to land a position in an insurance company.  You are encouraged when you hear your boss say “it’s all about risk and reward”.  But it didn’t take you too long to find out that while there were daily, weekly, monthly, quarterly, annual and special reports about the rewards that the company was experiencing, there was not one single report about risk.  You confront your manager about this and he tells you that “risk isn’t something that you measure, it is in your gut.  You just know when something is risky.”  He advised that once you were more experienced, you too would be able to tell when something was risky or not.

You drift back to sleep when a second voice calls you to “Behold!”.  You see yourself a manager in an insurance company:

You are being told that risk is very important. Your company takes risk management very seriously. Several years ago, the company spent millions to build a state of the art Economic Capital Model.  Now, all plans and all performance are viewed in terms of the amount of risk associated with each and every activity.  And you hate the whole thing!

To you, this has become a technocratic nightmare.  Your performance is judged by a computer using an algorithm that seems to be spewing forth somewhat random values.  It seems like your promotions and bonuses are being determined by a slot machine, but a slot machine with no window to see what is happening inside.

The high priests of risk operate the model.  But they are too busy to actually explain what is going on in a manner that could help the business.

So if somehow, you are lucky enough to get to the top, that will be the last day for that complex risk model.

And you pull the covers up over your head.  This is too much like a workday.  You need your sleep.  But before long, a third voice wakes you again.   “This way…”

You are on the hot seat.  The board wants to know how the company was able to get into such a problem.  Didn’t you see that there were such enormous build ups of exposures to that risky indoor snow experience sector?  The frostbite claims were double what they were last year.  Dividends will have to be eliminated.  And we probably need to turn down the corporate air conditioners.  No longer could the offices be kept at a tolerable 31 degrees.  Next summer would be unbearable.  Your only defense is that your gut told you that there was little risk and big rewards in the indoor snow business.  But that is not how it went.  They end the meeting by letting you go.  The inglorious end to your career as a risk manager. 

You wake up shouting that it was not your fault.  And you see the light coming in the window.  You turn on the TV to find that all this happened in one night.  You get dressed and go back into the office.  You are finishing up your staff meeting and you direct your attention to your risk management staff.

Starting today, I want you to spend more of your time making your models more transparent and the findings more actionable.  I am tired of risk being something that comes at us after the fact to tell us that something was wrong.  We need to focus on leading indicators that all of the managers can use in real time to manage the business.  You can still use that fancy model that you all so love, but I only want to hear about the model when it actually explains something about the business that I can use next quarter to do a better job of managing my risk and reward.

And with that, we ended the meeting and all went to our holiday party.  Next year will be interesting…..

Principles of ERM for Insurance Organizations

December 16, 2012

RISKVIEWS has published this list before.  You will notice that it is different from many other lists of the parts of ERM.  That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things.  Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below.  But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.

  1. DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
  2. UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality.  The firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
  3. CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, feedback.
  4. CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate.  For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
  5. PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
  6. PORTFOLIO:  There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer.  This would include awareness of both risk concentrations and diversification effects.  An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
  7. FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks.   This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.

The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk.  The risk management that you do is in the light, the risk management that you skip is in the dark.  When parts of a full risk management program are in the dark, the risk that part of the risk management process would have protected you from will accumulate in your organization.

Future posts will explain these elements and focus on why ALL of these principles are essential.

The End of ERM

October 16, 2012

In essence, if ERM is to be implemented in a way which helps an entity get to where it wants to go, it needs to have a bias toward action which many applications currently lack.   “The End of Enterprise Risk Management”  David Martin and Michael Power

In 2007, Martin and Power argued that the regulatory-based Enterprise Risk Management programs that were COSO-based provided the illusion of control, without actually achieving anything.  Now if you are an executive of a firm and you believe that things are being done just fine, thank you very much, then an ineffective ERM program is just what you want.  But if you really want ERM, then something else is needed.  Martin and Power suggest that the activities of ERM are focused much too much on activities that do not result in actions to actually change the risks of the firm.  This is a favorite topic of RISKVIEWS as well.  See Beware the Risk Management Entertainment System.

RISKVIEWS always tells managers who are interested in developing ERM systems that if some part of an ERM program cannot be clearly linked to decisions to take actions that would not have been taken without ERM, then they are better off without that part of ERM. 

Martin and Power go on to suggest that ERM that uses just one risk measure (usually VAR) is difficult to get right because of limitations of VAR.  RISKVIEWS would add that an ERM program that uses only one risk measure, no matter what that measure is, will be prone to problems.  See Law of Risk and Light. 

It is very nice to find someone who says the same things that you say.  Affirming.  But even better to read something that you haven’t said.  And Martin and Power provide that. 

Finally, there is a call for risk management that is Reflexive.  That reacts to the environment.  Most ERM systems do not have this Reflexive element.  Risk limits are set and risk positions are monitored most often assuming a static environment.  The static environment presumption in a risk management system works if you are operating in an environment that changes fairly infrequently.  In fact, it works best if the frequency of change to your environment is less than the frequency of your update to the risk factors that you use.  That is, if your update includes studying the environment and making environment driven changes.

RISKVIEWS has worked in ERM systems that were based upon risk assessment based upon “eternal” risk factors.  Eternal Risk factors are assumed to be good “for all time”.  The US RBC factors are such.  Those factors are changed only when there is a belief that the prior factors were inadequate in representing the full range of risk “for all time”. 

But firms would be better off looking at their risks in the light of a changing risk environment.  Plural Rationality theory suggests that there are four different risk environments.  If a company adopts this idea, then they need to look for signs that the environment is shifting and when it seems to be likely to be shifting, to consider how to change their risk acceptance and risk mitigation in the light of the expected new risk environment.  The idea of repeatedly catching this wave and correctly shifting course is called Rational Adaptability.

So RISKVIEWS also strongly agrees with Martin and Power that a risk management system needs to be reflexive.

In “The End of ERM” Martin and Power really mean the end of static ERM that is not action oriented and not reflexive with the environment.  With that RISKVIEWS can heartily agree.

Align Risk Management with Strategic Goals

June 7, 2012

The Project Management Institute says that projects are 20% more successful if they seek to support company strategic goals rather than project specific goals as their primary focus.

That sounds like something that may be an extremely important idea to bring into risk management.

Risk Management should focus primarily upon company strategic goals rather than specific risk goals.

How does that sound to you?  Riskviews imagines that at least some readers are immediately reacting that this idea will not work because the company does not have a strategic goal that would support their function.

And that sounds like a major insight about organizational engagement in and support for risk management.  If risk management does not directly support one or more of the strategic goals of the firm, that speaks volumes about what will happen when there is a conflict between something that IS aligned with the strategic goals and risk management.

The story of MF Global is an extreme example of this conflict.  The management (read CEO) actions of MF Global were totally outside of the agreed upon risk appetite.  The CRO brought that to the board’s attention and the board decided that those actions supported the goals of the organization, while adherence to the risk appetite was of lesser importance.  The CRO left and the actions eventually led to the destruction of the firm.

Here is an example of the Mission and Vision Statements of an insurer

Mission Statement

Providing financial security by keeping our promises.

Vision Statement

To build a thriving financial services organization that stands the test of time.

Risk management definitely has plenty of room in that firm to align with the mission and vision of the firm.  “keeping our promises” and “standing the test of time” are both clearly statements about how the organization intends to handle risk.  The mission and vision of that firm cannot be met without risk management.

Here are the mission and vision statements of JP Morgan Chase:

“At JPMorgan Chase, we want to be the best financial services company in the world. Because of our great heritage and excellent platform, we believe this is within our reach.”
“To provide unparalleled service to our clients by empowering them with strong analytical insights that enable them to more effectively manage their human assets.”

It is not clear to Riskviews whether or not risk management activities are called for at all with that mission and vision statement.

So if you are wondering what might happen when there is a conflict between risk management and a business activity look to your firm’s mission, vision and strategic objectives.  If you do not see risk management there, you have your answer well in advance of any future conflict.

A Simple Alternative to the Volcker Rule

June 2, 2012

There are several broad ways to regulate risky behavior. One is to limit or entirely prohibit certain behavior. Another is to require the risk takers to hold capital for the risks.

For some strange and unknown reason, banking regulators have not considered asking banks to hold appropriate capital for trading losses. The evidence is extremely clear that banks can lose much more than the VaR measure suggests.

There is a very simple way to correct this matter. Banks have reasonable capital requirements for credit operations. These requirements are based upon observations over multiple credit cycles, not small parts of a cycle as is VaR.

All bank capital requirements need to be based upon multiple cycle observations.

But some would say that most derivatives have not existed for multiple market cycles.

There is a simple solution for that. One of the primary rules of modern finance is the law of one price. Regulators should insist that law be applied to capital requirements as well.

Right now, a bank that borrows money to buy a bond of a company would hold capital based upon the probability of default of the bond and the expected loss given default. If the trading desk buys a CDS with the exact same expected net cash flow, they hold capital based upon the recent short term fluctuations in market price of the CDS. In some cases, as little as 10% of the capital of the replicating assets.

That means that with the same amount of capital, the trading desk can take 10x the risk.

The VaR calculation used for derivative positions rarely captures the same amount of risk as a replication of the position.

The alternative to the Volcker Rule would be to require capital that is:

Based upon volatility over several market cycles and

Consistent with the law of one price.

It’s the job of a CEO to be the Chief Risk Officer

May 8, 2012

At his annual shareholders’ meeting Warren Buffett repeated his belief that there is no substitute for CEO attention to risk.

Anyone who has tried to do the CRO job without full unwavering support of the CEO would doubtless agree.  The CRO job, just like the COO and CMO and other C suite officers’ jobs, is a delegated responsibility of the CEO.  It is not independent of the CEO.  Boards who try to set up a CRO function that reports directly to them and is intended to act as a check on the CEO are at best wasting their own and the CRO’s time.  At worst they are creating a very unhealthy dynamic in the firm.

If a CRO is given the job of defense against killer losses and the rest of the firm is given the job of winning customers and making a profit, guess who will lose whenever there is a conflict.  An adversarial risk function is not a healthy way to manage a company.  By refusing to delegate the risk role, Buffett is sending a message to all of his companies that risk is important to him, the CEO of the firm that owns their company.

Now Buffett (or any other CEO that goes this route) needs to do more than refuse to appoint a CRO.  A CEO who does not want any risk management to slow down his firm can quote Buffett and not appoint a CRO and then totally ignore risk.

The CEO/CRO needs to make it constantly known that they are concerned about risk by their words AND deeds.  They need to talk the talk and walk the walk of risk management.

As Buffett knows, that does not necessarily mean that he needs a risk register of hundreds of risks.  Berkshire Hathaway is in dozens of businesses and is actually exposed to hundreds of risks.  But BH is also very large and diversified.  There are actually only a few risks that need to be on Buffett’s plate as the CEO/CRO.

And what Buffett and other CEO/CROs need to do is to make sure that they are totally aware of what their firm is doing with the handful of truly killer risks.  They need to make sure that:

  • Everyone who could make a decision to increase the firm’s exposure to these killer risks knows that the CEO/CRO must be involved in that decision.
  • The firm is being properly compensated for the killer risks that they are taking.
  • The Risk Treatment programs for these risks are being properly maintained and operated. 
  • The firm has alternatives to the current risk treatment programs in case the existing programs become less effective or unavailable.
  • The firm is carefully monitoring the risk environment that impacts those risks and any change or even strong hint of future change is brought to the attention of the CEO/CRO.
  • The board is kept informed about all of the above. 

Interestingly, this list does not change at all if the CEO decides to appoint a CRO.  The list above can be a major part of the agenda when the CEO and CRO have their daily meetings.

2012 ERM Symposium – Washington DC

March 30, 2012

The 2012 ERM Symposium will explore how risk professionals use ERM to meet their organizations’ challenges, especially those presented by the financial events of the past few years.

ERM Symposium sessions will address issues, applications, and insights across a broad spectrum of industries and foster cross-pollination and collaboration of ERM professionals without regard to industry, sector, or geography.

Now in its tenth year, this premier global conference on ERM will offer:

  • five general sessions and more than 25 concurrent sessions featuring top risk management experts
  • seminars on hot ERM issues
  • networking opportunities to renew and expand your list of ERM contacts
  • a track of sessions featuring academics presenting ERM research from leading universities
  • exhibitors demonstrating their ERM services and knowledge.

Who should attend:

  • Chief risk officers
  • Chief financial officers
  • Chief actuaries
  • Risk professionals
  • Equity analysts and other investment professionals
  • Risk modeling experts
  • Asset liability management practitioners
  • Anyone interested in learning more about enterprise risk management
  • Anyone interested in networking with colleagues about recent issues and how best to manage risk


Presented by:

CAS Canadian Institute of Actuaries PRMIA SOA
And in collaboration with:
Asociacion Mexicana de Actuarios, A.C.     ERM-II     CONAC

Registration Now Open!

Three Ideas of Risk Management

March 12, 2012

In the book Streetlights and Shadows, Gary Klein describes three sorts of risk management.

  • Prioritize and Reduce – the system used by safety and (insurance) risk managers.  In this view of risk management, there is a five step process to
    1. Identify Risks
    2. Assess and Prioritize Risks
    3. Develop plans to mitigate the highest priority risks
    4. Implement plans
    5. Track effectiveness of mitigations and adapt plans as necessary
  • Calculate and Decide – the system used by investors (and insurers) to develop multi scenario probability trees of potential outcomes and to select the options with the best risk reward relationship.
  • Anticipate and Adapt – the system preferred by CEO’s.  For potential courses of action, the worst case scenario will be assessed.  If the worst case is within acceptable limits, then the action will be considered for its benefits.  If the worst case is outside of acceptable limits, then consideration is given to management to reduce or eliminate the adverse outcomes.  If those outcomes cannot be brought within acceptable limits then the option is rejected.

Most ERM systems are set up to support the first two ideas of Risk Management.

But if it is true that most CEO’s favor the Anticipate and Adapt approach, a total mismatch between what the CEO is thinking and what the ERM system is doing emerges.

It would not be difficult to develop an ERM system that matches with the Anticipate and Adapt approach, but most risk managers are not even thinking of that possibility.

Under that system of risk management, the task would be to look at a pair of values for every major activity.  That pair would be the planned profit and the worst case loss.  During the planning stage, the Risk Manager would then be tasked to find ways to reduce the worst case losses of potential plans in a reliable manner.  Once plans are chosen, the Risk Manager would be responsible to make sure that any of the planned actions do not exceed the worst case losses.

Thinking of risk management in this manner allows us to understand that the worst possible outcome for a risk manager would not be a loss from one of the planned activities of the firm, it would be a loss that is significantly in excess of the maximum loss that was contemplated at the time of the plan.  The excessive loss would be a signal that the Risk area is not a reliable provider of risk information for planning, decision making or execution of plans or all three.

This is an interesting line of reasoning and may be a better explanation for the way that risk managers are treated within organizations and especially why risk managers are sometimes fired after losses.  They may be losing their jobs, not because there is a loss, but because they were unable to warn management of the potential size of the loss.  It could well be that management would have made different plans if they had known in advance the potential magnitude of losses from one of their choices.

Or at least, that is the story that they believe about themselves after the excessive loss.

This suggests that risk managers need to be particular with risk evaluations.  Klein also mentions that executives are usually not particularly impressed with evaluations of frequency.  They most often want to focus on severity.

So whatever is believed about frequency, the risk manager needs to be careful with the assessment of worst case losses.

Ford does some Real ERM Thinking

February 28, 2012

Ford shifted their pension fund investment strategy to overweight in bonds.  See Business Insider Story 

This is a clear example of real ERM thinking. 

For at least 40 years, pension plans have been investing in equities and they have claimed that since they have a long investment horizon, they were immune to concerns about the fluctuations.

But what has happened instead is that company after company has built up a very large equity exposure.  If they figured their real corporate risk profile, management would see how exposed they are to stock market risk.

Ford did some real ERM thinking when they realized that their business risk was fairly highly correlated to the stock market.  So by investing their pension plan assets in the stock market, they were assuring that investors would see their pension plan funding levels falter just when their business was sputtering.

There are two aspects of real ERM thinking here.  First, Ford looked past the fiction of the separate pension fund to realize that the company was really exposed to the risk of equity fluctuations.  Second, they realized the true correlations that face their business and its risks. 

Risk managers need to think outside the lines that we draw just like Ford did.   The banks did not do that when they lent money to hedge funds to purchase Mortgage CDOs. 

Risk managers need to look for risks that are likely to hit together and prepare to reduce the likely impact of the combined risk exposure by whatever means makes the most sense.

Five Buckets of Risk

January 17, 2012

Forget about risk registers and risk models.


What you really need is a good Risk Bucket system.

To manage your risks, you then need to know

  • Which bucket each risk goes into;
  • How much is already in each bucket;
  • How much you want to have in each bucket.

Each bucket will have different rules for how it is monitored and managed.  About who must pay attention to the new risks going into the bucket.  And who makes sure that what was put in the buckets still belongs in that bucket.

One way to define the five buckets would be to say that

Bucket 5 – these risks must be approved by the Board.  The Board must monitor all of the risks in this bucket very regularly.  Strategic Risks belong in this bucket.  Especially large concentrations of risks should go into this bucket.  Risks that are of a size that an adverse experience might endanger the company’s survival must go into this bucket.  Once the Board has agreed on what it wants in this bucket, then they should require management to assert that they are getting regular reports on all of the exposures that the company has or is considering that should go into this bucket.
Bucket 4 – these risks must be approved and are monitored by the CEO and top management.
Bucket 3 – these risks must be approved and are monitored by a business unit head.
Bucket 2 – these are risks that must be approved and are monitored by supervisors or middle managers.
Bucket 1 – these are risks that do not need approvals.

The criteria for assigning risks to buckets will vary from company to company.  One criterion may be size, another familiarity with the risk.  Volatility or extreme losses per unit of activity that is much higher than normal for the company should mean a higher number bucket.

The funny thing about this system is that absolutely everyone already uses the bucket system.  But few have written down the definitions of what goes into each bucket.  Few monitor the risks systematically.

To go from an unconscious five bucket risk management system to a Five Bucket ERM System all that is needed is to formalize the assignments, monitor the risks in each bucket regularly, and produce reports at regular intervals that show how much risk is in all of the buckets.

The final step in shifting to a Five Bucket ERM System is to shift from using the buckets to monitor risk to using them to manage risk.  That means shifting from activity metrics to risk metrics.  It also means identifying the profits that are coming from each bucket.  It leads to conscious decisions of how much risk can be accepted in each bucket.

The first step in this transition for everyone is to start to notice the buckets that are already right there in your office.

ERM Mission Statements

January 10, 2012

From the Annual Reports:

A.     Risk management is a key part of our corporate management. Its task is not only to safeguard the Group’s financial strength in order to satisfy our obligations to clients and create sustained value for our shareholders, but also to protect Munich Re’s reputation. We achieve these objectives through global risk management encompassing all areas of our operations. (Munich Re)

B.     The financial crisis has demonstrated the importance of a strong and independent risk management function, as well as the need for an  integrated approach to  assessing and controlling  risks. To this end, we further enhanced our risk management by establishing a more robust governance process, intensifying our risk oversight and strengthening our  liquidity management. (Swiss Re)

C.     We employ an enterprise-wide approach to all risk taking and risk management activities globally. The enterprise risk management framework sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. In order to ensure that we can effectively execute our risk management we continuously invest to attract and retain qualified risk professionals, and to build and maintain the necessary processes, tools and systems. (Manulife Financial)

D.    Management believes that effective risk management is of primary importance to the success of Goldman Sachs. Accordingly, we have a comprehensive risk management process to monitor, evaluate and manage the principal risks we assume in conducting our activities.

E.     AEGON’s risk management and control systems are designed to ensure that these risks are managed as effectively and efficiently as possible. For AEGON, risk management involves:
  • Understanding which risks the company is able to underwrite;
  • Assessing the risk-return trade-off associated with these risks;
  • Establishing limits for the level of exposure to a particular risk or combination of risks; and
  • Measuring and monitoring risk exposures and actively managing the company’s overall risk and solvency positions.

F.     The mission of Zurich’s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

G.     QBE’s risk management strategy is underpinned by a number of robust processes which are aimed at reducing uncertainty and volatility and avoiding unwelcome surprises. Risks are subject to rigorous identification and evaluation throughout the business management cycle.

H.    The management of risk is a core skill supporting the Group’s ability to offer both sustainable risk transfer solutions to its clients and attractive returns to shareholders. The management and identification of risk is the day to day responsibility of many of our staff and is a feature of all our business activities. (Amlin)

I.      Diversification is used as a tool to reduce the Group’s overall insurance risk profile by spreading exposures, thereby reducing the volatility of results. QBE’s approach is to diversify insurance risk, both by product and geographically.

J.      The Group employs a comprehensive risk management framework to identify, assess, manage and monitor the risks arising as a result of operating the business. The framework includes a comprehensive suite of risk policies, procedures, measurement, reporting and monitoring techniques and a series of stress tests and scenario analyses to ensure that the Group’s risk exposures are managed appropriately. (RSA)

The Practice Effect – How to Minimize Overconfidence

January 9, 2012

All you need in this life is ignorance and confidence then success is sure.  Mark Twain

Overconfidence is one of the favorite biases of Behavioral Finance folks.  It goes a long way to help support their Irrational Market paradigm.

“People are overconfident. Psychologists have determined that overconfidence causes people to overestimate their knowledge, underestimate risks, and exaggerate their ability to control events. Does overconfidence occur in investment decision making? Security selection is a difficult task. It is precisely this type of task at which people exhibit the greatest overconfidence.”
Nofsinger (2001)

Overconfidence means that we generally tend to view the future prospects to be more favorable than they turn out to be and it also means that we tend to overestimate the likelihood of our predictions about the future being accurate.

Overconfidence is one of the most powerful forces that works against appropriate risk management.  The most overconfident feel that risk management is a total waste of time and money.  Why waste time and resources preparing for failure when you can spend that time and resources assuring success? they ask.

One way to reduce the power of overconfidence is Practice.  What you need to practice is estimating likelihoods.  And then tabulating the  results.  Regularly perform what actuaries call an actual to expected analysis.

The Practice Effect is what psychologists want to avoid when they are doing experiments.  They usually do not want folks getting better and better with repeated trials.  So they are always looking to introduce fresh folks.

But in business and especially risk management we need the Practice Effect.

Risk Management works with estimated distributions of likelihood of adverse events.  One simple way to practice is to look at each period’s experience in terms of the prior year’s estimated distribution.  Was last year a 99th percentile year or a 78th percentile year?  Each year everyone should be informed of that and everyone can form an opinion about how good that prior estimate of likelihood was.

Of course, the firms that look at each risk as a single frequency severity pair cannot do that.  One more reason why the single pair approach to risk assessment falls short of real usability.
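The actual to expected check described above, sketched as an added example that is not part of the original post: each year's actual loss is ranked within the loss distribution estimated the year before, and the number of years landing in the tail is compared with the number the estimates themselves implied. The function names, year labels and all loss figures are constructed for illustration.

```python
from bisect import bisect_right


def percentile_of(actual, scenarios):
    """Empirical percentile (0-100) of `actual` within the prior estimate's scenarios."""
    if not scenarios:
        raise ValueError("the prior estimate must contain at least one scenario")
    ordered = sorted(scenarios)
    # Share of estimated scenarios that were no worse than what actually happened.
    return 100.0 * bisect_right(ordered, actual) / len(ordered)


def actual_to_expected(history, bands=(50, 90, 99)):
    """Tabulate where each year landed and how often the tail was hit.

    history: list of (label, prior_year_scenarios, actual_loss).
    Returns (per_year, exceedances) where exceedances[band] is
    (years observed above that percentile, years expected above it).
    """
    per_year = {label: percentile_of(actual, scenarios)
                for label, scenarios, actual in history}
    n = len(per_year)
    exceedances = {}
    for band in bands:
        observed = sum(1 for p in per_year.values() if p > band)
        expected = n * (100 - band) / 100  # what a well calibrated estimate implies
        exceedances[band] = (observed, expected)
    return per_year, exceedances


def _loss_scenarios(step):
    """Constructed stand-in for a model output: 100 equally likely loss scenarios."""
    return [step * i for i in range(1, 101)]


# Constructed history: (label, distribution estimated the year before, actual loss).
HISTORY = [
    ("Y1", _loss_scenarios(10), 990),
    ("Y2", _loss_scenarios(12), 940),
    ("Y3", _loss_scenarios(12), 1150),
    ("Y4", _loss_scenarios(15), 600),
    ("Y5", _loss_scenarios(15), 1400),
]

if __name__ == "__main__":
    per_year, exceedances = actual_to_expected(HISTORY)
    for label, pct in per_year.items():
        print(f"{label}: {pct:.0f}th percentile year")
    for band, (observed, expected) in exceedances.items():
        print(f"above {band}th percentile: actual {observed}, expected {expected}")
```

In this constructed history three of five years land above the 90th percentile where the estimates implied half a year, which is the pattern overconfident estimates of likelihood leave behind.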

Here’s to 2011

December 29, 2011

Another year has passed us by.  In 2011, Riskviews blog saw a dramatic upsurge in readership.  That surge was coincident with changes to the Google search routines.  Hits jumped from about 2000 per month in 2010 to a steady 3000 per month in 2011.

The Risk Management quotes were still by far the favorite feature of the blog, with about 800 hits per month.  That has been steady for over 3 years now.  What changed was the hits to the other content.  The home page saw over 6000 hits in 2011, or about 500 per month.  Some posts from prior years continue to be very popular.

Here are the most popular new posts from 2011:

Integrating ERM and Value Based Management

Avoiding Risk Management 

Risk Appetite and Risk Attitude

The Difference Between Risk and Loss

Risk Capacity Measurement

Integrating Risk Capacity and Business Management

Assessing Risk Capacity Utilization

Risk Management Success

COSO & ISO31000 & ERM for Insurers

Liquidity Risk Management for a Bank

Five of these posts were written by Riskviews, four by Jean-Pierre Berliet and one by Jawwad Farid.

What’s Your Philosophy?

December 15, 2011

Strategic Risk Magazine has a piece with interviews of a dozen risk managers.  One question was “What’s Your Philosophy?”  Here are the answers that they received:

Risk management is a fantastic career opportunity as it gives people a very broad and deep perspective on the business through strategic and operational involvement, dealing with people at all levels in an organisation.

Reed Elsevier chief risk officer Arnout van der Veer

Risk management now is a career option – it wasn’t when I first started down this route. Certainly the world today is a riskier place and there is a demand for professional, competent people. You need to be qualified in a relevant discipline (business studies, economics, and so on – financial and economic literacy is key) and consider one of the excellent MBAs now available.

DLA Piper chief risk officer Julia Graham

My philosophy over the years has been to take new opportunities as they arise. The job is what you make it, using your skills and competencies.

Morgan Crucible director of risk assurance Paul Taylor

To be an enterprise risk manager, you need to get a solid grounding in business and management at different levels. It’s not an entry-level job.

Ferma vice-president and GDF Suez deputy chief risk officer Michel Dennery

There are uncertainties in everything we do, and hence a career in risk management provides the opportunity to explicitly do what everyone intellectually knows must be done. Further, the concept of uncertainty provides an intriguing angle from which a company can be addressed.

LEGO senior director, strategic risk management Hans Laessøe

You have to care – about jobs, the health of the employees, the health of the factories and the health of the business.

Ferma president and director of risk management for Pirelli Worldwide Jorge Luzzi

If you are able to communicate to your colleagues the concept that a risk manager can help the company’s business, protecting profit margins and business continuity, and they understand this, risk management is a really enjoyable job.

Prysmian group risk manager  Alessandro de Felice

My motivation is to create value to my organisation by ensuring that we can deliver what we promise to our customers and shareholders through a well-functioning risk management process.

Assa Abloy group risk and insurance manager Fredrik Finnman

Risk managers should build professional skills over the following pillars: knowledge of risk measurement techniques; knowledge of the company’s processes; skills in spreading the risk culture inside the company; knowledge of the insurance business and risk underwriting; skills in leading internal working groups and designing procedures and control processes.

Telecom Italia corporate risk manager Paolo Rubini

Risk management is about managing risks inherent to the business, so it is critical to understand your business. Moving the company towards a different way of thinking about risk is all about change management and leadership. It’s important to share thoughts and experiences with other colleagues in the field. Attending professional and international events, such as the Ferma Forum, specific seminars and courses to meet other practising risk professionals is a good way to do this.

Campofrio Food Group director of corporate risk management and Ferma board member Christina Martinez

Actuarial Risk Management Volunteer Opportunity

August 11, 2011

Actuarial Review of Enterprise Risk Management Practices –

A Working Group formed by The Enterprise and Financial Risks Committee of the IAA has started working on a white paper to be titled: “Actuarial Review of Enterprise Risk Management Practices”.  We are seeking volunteers to assist with writing, editing and research.

This project would set out a systematic process for actuaries to use when evaluating risk management practices.  Actuaries in Australia are now called to certify risk management practices of insurers, and the initial reaction of some actuaries was that they were somewhat unprepared to do that.  This project would produce a document that could be used by actuaries and could be the basis for actuaries to propose to take on a similar role in other parts of the world.  Recent events have shown that otherwise comparable businesses can differ greatly in the effectiveness of their risk management practices. Many of these differences appear to be qualitative in character and centered on management processes. Actuaries can take a role to offer opinion on process quality and on possible avenues for improvement. More specifically, recent events seem likely to increase emphasis on what the supervisory community calls Pillar 2 of prudential supervision – the review of risk and solvency governance. In Solvency II in Europe, a hot topic is the envisaged requirement for an ‘Own Risk and Solvency Assessment’ by firms and many are keen to see actuaries have a significant role in advising on this. The International Association of Insurance Supervisors has taken up the ORSA requirement as an Insurance Core Principle and encourages all regulators to adopt it as part of their regulatory structure.  It seems an opportune time to pool knowledge.

The plan is to write the paper over the next six months and to spend another six months on comment & exposure prior to finalization.  If we get enough volunteers the workload for each will be small.   This project is being performed on a wiki which allows many people to contribute from all over the world.  Each volunteer can make as large or as small a contribution as their experience and energy allows.  People with low experience but high energy are welcome as well as people with high experience.

A similar working group recently completed a white paper titled the CARE report.  http://www.actuaries.org/CTTEES_FINRISKS/Documents/CARE_EN.pdf  You can see what the product of this sort of effort looks like.

Further information is available from Mei Dong, or David Ingram

==============================================================

David Ingram, CERA, FRM, PRM
+1 212 915 8039
(daveingram@optonline.net )

FROM 2009

ERM BOOKS – Ongoing Project – Volunteers still needed

A small amount of development work has been done to create the framework for a global resource for ERM Readings and References.

http://ermbooks.wordpress.com

Volunteers are needed to help to make this into a real resource.  Over 200 books, articles and papers have been identified as possible resources ( http://ermbooks.wordpress.com/lists-of-books/ )
Posts to this website give a one paragraph summary of a resource and identify it within several classification categories.  15 examples of posts with descriptions and categorizations can be found on the site.
Volunteers are needed to (a) identify additional resources and (b) write 1 paragraph descriptions and identify classifications.
If possible, we are hoping that this site will ultimately contain information on the reading materials for all of the global CERA educational programs.  So help from students and/or people who are developing CERA reading lists is solicited.
Participants will be given author access to the ermbooks site.  Registration with wordpress at www.wordpress.com is needed prior to getting that access.
Please contact Dave Ingram if you are interested in helping with this project.


Preparing for the Zombie Apocalypse

June 2, 2011

The CDC now has a page with preparedness tips for the next Zombie Apocalypse.

If you read that closely, you might notice that the preparedness tips are exactly the same as their tips for Hurricanes or Pandemics.

So maybe this is a good way to get folks to pay attention to disaster preparedness?

Must be better than the way that some office buildings make preparedness into a mind numbing drill that is certain to take the edge off of any possible hint of preparedness.

Perhaps a suggestion for your next fire drill – have zombies show up and find out how many people were ready and how many got eaten by the zombies.

Incorporating Risk into Planning and Strategy

May 31, 2011

Risk has traditionally been a minor part of strategy discussions in many firms.

Usually you get it out of the way at the very start with a Strengths, Weaknesses, Opportunities and Threats (SWOT) discussion.  As quickly as possible, the planners shift into concentrating on discussion of Opportunities.  That is what they are there for anyway – Opportunities.

Utility theory and the business education that flows from utility theory suggest very little consideration of risk.  Not none at all, but very little.  Opportunities where the gains from the expected opportunities exceed the losses from the expected threats are considered good.  That is one spot where risk creeps in.  In addition, risk might also be reflected as an externality – the capital required by a regulator or ratings agency.

Financial economics came along and offered a more complicated view of risk.  Instead of using a fuzzily determined present value of risk from utility theory, Financial Economics substitutes the market cost of risk.

Risk management suggests a completely different and potentially contradictory approach.

The risk management approach to bringing risk into planning and strategy is to make risk appetite central to strategy selection.  The internal risk appetite becomes the constraint instead of the external capital constraint.  For firms that were using that external capital constraint as a key factor in planning, this could be an easy switch.  But often it actually is not.

The boards and management of most firms have failed to choose their own risk appetite constraint.

Riskviews believes that this is because the folks who have spent their entire careers under an external constraint system are ill equipped to set their own limits.  They do not have the experience with trial and error of setting risk appetite, unlike the long experience that they have with most of their other management decisions.  For most management decisions, they came up through the management ranks watching their predecessors make good and bad decisions and succeed or fail.  When they reached their current positions, they had a lifetime of experience with most of the types of decisions that they need to make.

Now risk managers and regulators and rating agencies and consultants tell them that they need to make an entirely new decision about risk appetite, and then lever all of their other important decisions off of that one decision.  And when they look back upon their education and experience there was no mention at all of this risk appetite stuff.

And as the discussion at the start of this post states, the business education did not include risk appetite either.

But there are other ways that risk can be incorporated into the planning and strategy.

  • Risk Profile.  A part of the statement of the impact that the plan will have on the company should be a before and after risk profile.  This will show how the plan either grows the larger risks of the firm or diversifies those risks.   Risk cannot be fully described by any one number and therefore there is not one single pie chart that is THE risk profile of the firm.  The risk profile should be presented so that it shows the key aspects of risk that are the consequences of the plan – intended or unintended.  That may mean showing the geographic risk profile, the product by product risk profile, the risk profile by distribution system or the risk profile by risk type.  By looking at these risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan.  They will see the aspects of risk that are growing rapidly and therefore need extra attention from a control perspective.  And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift towards more risk aware planning.
  • Risk management view of gains and losses.  Planning usually starts with a review of recent experience.  The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedance probability from the risk models.  This could lead to a discussion of the model calibration and possibly to either better credibility for the risk model or a different calibration that can be more credible.
  • Risk Controls review.  Each risk operates within a control system.  The above review of recent experience should include discussion of whether the control systems worked as expected or not.
  • Risk Pricing review.  The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type.  Comparison to a neutral index could be considered as well.  With this review, the question of whether the returns of the firm were a result of taking more risk or from better selection and management of the risks taken should be addressed.

Some management groups will be much more interested in one or another of these approaches.  The risk manager must seek to find the approach to discussing risk that fits management’s interests for risk to become a part of planning and strategy.  Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.

 

Firms Can Treat Systemic Risk Same as Emerging

July 2, 2010

As one looks back at the recent history of the financial crisis, it can now be clearly seen that a large number of financial firms and a few regulators did identify the looming problems and took reasonable steps to avoid excessive losses. Almost all of the attention has been on the firms and regulators who missed the crisis until it was much too late.

Now, everyone is talking about how to avoid the next crisis and the focus seems to be on the regulators and the largest firms – in short, those who got it wrong just a few years ago.

“The unknown losses can potentially bring the system to a halt at a much lower amount of loss than known losses.”

But we should also be focusing on what everyone else could be doing to prevent their firms from experiencing excessive losses in future crises.

Planning to have no future crises is not a realistic way to proceed (see my earlier article: IERM, Risk governance, 16 September 2009, “Understanding the four seasons of risk management”). The broad idea of Basel II and Solvency II is sound. Firms would be forced to identify their risk exposures and compare that to their capacity to bear risk. That information would be available to five groups under the three pillars: management, boards, regulators, investors and counterparties. It is assumed that one or more of the five groups would notice upticks in risk and prevent the firms from taking on more risk than their capacity to bear that risk.

There have been many problems with the execution of those principles and Solvency II is just starting the discussion of exactly what information will be made available for investors and counterparties. But the broad idea of disclosure to all those groups is sound. The disclosure of potential systemic risks is absolutely necessary for firms to use as a basis for developing their own programmes for avoiding excessive losses in these situations.

Systemic risks

The way that the term “systemic risk” is used and misused, it seems clear that most people understand that systemic risk was a problem that led to the crisis, but beyond that there is little consensus, other than a conviction that we want much less of that in the future. The IMF provides a definition:

“the risk of disruption to the flow of financial services that is (i) caused by an impairment of all or parts of the financial system; and (ii) has the potential to have serious negative consequences for the real economy.”

Had the quote ended after 10 words, that would have been sufficient.

For the system to be disrupted, two things need to be true:

  1. there needs to be an exposure that everyone believes or suspects will turn into a loss of an amount that exceeds the capacity to bear losses of a large number of participants in the system and
  2. there needs to be either a high degree of interdependency in the system or else widespread exposure to the loss-making large exposure. The system may seize up because the losses are known and the institutions are known to be insolvent or more commonly, because the losses are unknown.

For the rest of this discussion go to InsuranceERM.com

Making Sense of Immanent Failure

February 2, 2010

In the recent paper from the Said School, “Beyond the Financial Crisis”, the authors use the phrase “inability to make sense of immanent failure” to describe one of the aspects that led up to the financial crisis.

That matches up well with Jared Diamond’s ideas about Why Civilizations Fail.

And perfectly describes the otherwise baffling Chuck Prince quote about dancing.

I imagine that it is a problem that is more common with people who believe that they have really done their homework.  They have looked under every rock and they do not see the rock falling out of the sky.  It is not that they are failures.  In most times their extreme diligence will pay off handsomely.  There is just one sort of time period when they will not benefit appropriately from their careful work.

That is when there is a REGIME CHANGE.  Also called a SURPRISE.  All of the tried and true signals are green. But the intersection is uncharacteristically clogged.

A major task for risk managers is to look for those regime changes – those times when the risk models no longer fit and at that point to CHANGE MODELS.  That is different from recalibrating the same old model.  That means applying the Bayesian thinking not just to the parameters of the model but to the model selection as well.

It is not a failure when a new model must be chosen.  It is a normal and natural state of affairs.  Changing models is what I will call “Rational Adaptability”.

The reason why it will not work to simply recalibrate the old model is that the model with combined calibration for several regimes would be too broad to give appropriate guidance in different regimes.

You ride a car on highways, a boat on water and a plane on air.  Multi vehicles exist but they are never as efficient in any environment as the specialized vehicle.

So the risk manager needs to make sense of immanent failure and practice rational adaptability.

Get out of the car when you are wet up to the doors and get into a boat!

Reflexivity of Risk

November 19, 2009

George Soros says that financial markets are reflexive.  He means that the participants in the system influence the system. Market prices reflect not just fundamentals, but investors’ expectations.

The same thing is true of risk systems.  This can be illustrated by a point that is frequently made by John Adams.  Seat belts are widely thought to be good safety devices.  However, Adams points out that aggregate statistics of traffic fatalities do not indicate any improvement whatsoever in safety.  He suggests that because of the real added safety from the seat belts, people drive more recklessly, counteracting the added safety with added risky behavior.

That is one of the problems for firms that adopted and were very strong believers in their sophisticated ERM systems.  Some of those firms used their ERM systems to enable them to take more and more risk.  In effect, they were using the ERM system to tell them where the edge of the cliff was and they then proceeded to drive along the extreme edge at a very fast speed.

What they did not realize was that the cliff was undercut in some places – it was not such a steady place to put all of your weight.

Stated more directly, the risk system caused a feeling of safety that encouraged more risk taking.

What was lost was the understanding of uncertainty.  Those firms were perfectly safe from risks that had happened before and perhaps from risks that were anticipated by the markets.  The highly sophisticated systems were pretty accurate at measuring those risks.  However, they were totally unprepared for the risks that were new.  Mark Twain once said that history does not repeat itself, but it rhymes.  Risk is the same only worse.

Another Reason That ERM Will Not Prevent Firms from Failing

September 15, 2009

Guest post from Neil Bodoff

Firms use ERM techniques to quantify and reduce risk. But the very act of doing so makes firms feel safer and more secure, leading them to take more risk. This phenomenon is often described as the “Peltzman effect”:
http://en.wikipedia.org/wiki/Peltzman_effect

So even though ERM can help firms master risk, the net result will be that firms take more risk, leading us back to the original situation in which the amount of risk that firms take will lead, eventually, to some failures.

ERM Webinar Draws 1200 from over 40 countries!

December 30, 2008

Here are the final registration figures for the December 10 ERM Webcast:
Argentina: 2
Australia: 10
Bahrain: 1
Barbados: 1
Belgium: 1
Bermuda: 7
Canada: 22
Chile: 1
China: 8
Czech Republic: 1
Denmark: 1
Estonia: 1
France: 3
Germany: 14
Hong Kong: 23
Hungary: 1
India: 4
Ireland: 7
Israel: 1
Italy: 5
Japan: 23
Korea, Republic of: 2
Lithuania: 1
Malaysia: 4
Mauritius: 1
Mexico: 1
Netherlands: 3
New Zealand: 1
Nigeria: 1
Norway: 1
Philippines: 1
Romania: 1
Singapore: 5
South Africa: 21
Sweden: 2
Switzerland: 5
Taiwan: 1
Thailand: 1
Trinidad And Tobago: 1
United Kingdom: 71
United States: 142

Total Meeting Registrants:     403

Survey responses tell us that there were approximately 4 listeners on the average for each registration, for a total audience of 1200 people from 41 countries.

