Posted tagged ‘Risk and Compliance’

G20 Risk Management Directive 2008

September 11, 2013

RISKVIEWS sometimes remarks that ERM is the only management system that has been endorsed by the heads of state of the 20 largest economies (G20).  The following is an excerpt from the G20 directive from the fall of 2008.

Risk Management

Immediate Actions by March 31, 2009

•  Regulators should develop enhanced guidance to strengthen banks’ risk management practices, in line with international best practices, and should encourage financial firms to reexamine their internal controls and implement strengthened policies for sound risk management.

•  Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including by creating strong liquidity cushions.

•  Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large counterparty risk positions across products and geographies.

•  Firms should reassess their risk management models to guard against stress and report to supervisors on their efforts.

•  The Basel Committee should study the need for and help develop firms’ new stress testing models, as appropriate.

•  Financial institutions should have clear internal incentives to promote stability, and action needs to be taken, through voluntary effort or regulatory action, to avoid compensation schemes which reward excessive short-term returns or risk taking.

•  Banks should exercise effective risk management and due diligence over structured products and securitization.

Looking at this list several years on and from outside of banking, we can ask if other financial institutions can get anything from these points.  So we rephrase these points as questions (and provide preliminary answers for the insurance sector):

  1. Are firms aware of risk management best practices?  Most of the larger firms are aware.  Quite a number of small to medium sized firms are not aware of best practices. 
  2. Are firms managing liquidity risk?  Most insurers have provided for a very large range of liquidity needs. 
  3. Are firms managing concentration risks?  Cat modeling provides information to most insurers about their property concentrations.  Other concentrations may not be as well attended to. 
  4. Do firms assess their risk models?  Insurers that had risk models before the crisis are much more wary of those models now.  The insurance sector in the US has been slow in general to adopt a full company modeling approach.  Insurers in Europe and in much of the rest of the world have adopted full company models for Solvency II compliance purposes.  With the delay of Solvency II implementation, it remains to be seen whether those models will be used or shelved until required.  Actions taken purely to satisfy regulation tend to be less effective. 
  5. Are firms using stress tests?  Most firms are using stress tests.  AM Best is urging all those who do not to develop the capability.
  6. Do compensation programs incent decreasing or increasing stability?  Most incentive programs do not reflect risk and therefore may incent increasing instability. 
  7. Do firms apply special diligence to more complicated risk structures?  Most non-life insurers do not tend to participate in complicated risk structures.  Many life insurers do manufacture and sell products with complicated embedded options and took large losses from those products in both 2001 and 2008 because they either did not try to hedge the risks (2001) or had hedging programs that did not perform as needed (2008).  All who offer these products have made serious adjustments to their offering, their hedging or both, but it remains to be seen whether that situation will hold until the next financial crisis disrupts things in an unanticipated manner.

So five years later, the insurance sector seems to have acted on the six points made by the G20 in 2008.  But there are many other elements to a fully effective ERM program.  The ongoing theme of the G20 follow through on risk management through the Financial Stability Board is extremely bank centric.  Insurers who rely upon this source of motivation for ERM will have the elements of ERM for their risks that line up with banks and little ERM for the insurance risks that predominate their operations.

In addition, banks and their supervisors do not seem to be even thinking about a true enterprise wide view of risk.  Insurers that have taken up ERM are adamant about such a view being central to their ERM program.

The Cost of Risk Management

May 19, 2011

PNC Chairman and Chief Executive Officer James E. Rohr is quoted in the Balitomore Sun as saying that Dodd Frank would raise costs and that those costs would ultimately be passed along to the customers.

Now Riskviews is not trying to suggest that Dodd Frank is necessarily good risk management.

But risk management, like regulation, usually has a definite cost and indefinite benefits.

The opponents of Dodd Frank, like the opponents of risk management will always point to those sure costs and a reason not to do regulations or risk management.

But with Dodd Frank, looking backwards, it is quite easy to imagine that more regulation of banks could have a pennies to millions cost – benefit relationship.  The cost of over light regulation of the banks was in the trillions in terms of the losses in the banks plus the bailout costs to the government PLUS the costs to the economy.  Everyone who has lost a job or lost profits or lost bonuses or who will ultimately pay for the government deficit that resulted from the decreased economic activity have or will pay the cost of underregulated banks.

The same sort of argument can be made for risk management.  The cost of good risk management is usually an increase to costs or a decrease to revenues in good times.  This is offset by a reduction to losses that might have been incurred in bad times.  This is a view that is REQUIRED by our accounting systems.  A hedge position MUST be reported as something with lower revenues than an unhedged position.  Lack of Risk Management is REQUIRED to be reported as superior to good risk management except when a loss occurs.

Unless and until someone agrees to a basis for reporting risk adjusted financials, this will be the case.

Someone who builds a factory on cheap land by the river that floods occasionally but who does not insure their factory MUST report higher profits than the firm next door that buys expensive flood insurance, except in the year that the flood occurs.

A firm that operates in a highly regulated industry may look less profitable than a firm that is able to operate without regulation AND that is able to shed most of their extreme losses to the government or to third parties.

Someone always bears those risk costs.  But it is a shame when someone like Rohr tries to make that look as if the cost of regulation are the only possible costs.

ERM News comes in Threes

February 2, 2011

There are three news items about changes to approach by two rating agencies and a regulator.

  1. AM Best announced that they were adding two pages of ERM questions to their Supplemental Ratings Questionnaire (SRQ)
  2. S&P announced that they are now going forward with reviewing internal capital models for consideration in their view of capital adequacy.
  3. The IAIS has adopted an Insurance Core Principal (ICP 16) that requires that all insurance regulators adopt requirements that insurers should perform an Own Risk and Solvency Assessment (ORSA) and the NAIC will be starting to announce their plans for compliance with this in mid-February.

The place for insurers to stand and ignore ERM is shrinking quickly.

But Riskviews has noticed that when you talk people in the insurance industry about ERM, there are at least three different topics that they think about:

  • Economic Capital Modeling – a large fraction of people think that ERM means Economic Capital modeling.  So when they hear that rating agency or regulator wants to hear about ERM, they might say that they do not have one, so there is nothing to talk about.  The S&P announcement confirms their belief.  They read the Best SRQ questions and only see the spots that require numbers, completley ignoring as unimportant the parts about culture.
  • Compliance with rating agency or regulatory requirements.  These three news items are strong motivators for those who think that ERM is compliance.  These folks had heard AM Best asking about ERM, but saw no outcome from that process so they eventually lost interest in ERM themselves.  Now they are back to being interested.  The ORSA idea is confusing to these folks, because they already are doing their compliance regarding capital adequacy.  The ORSA seems like redundant regulation to them.  They do not see the shift of responsibility from the regulator to the board and management that is fundamental to the ORSA idea.
  • Management decision making.  These firms are using ERM to enhance their decision making processes.  They hear these announcements and are annoyed at the additional distraction from the real risk management.  Some of them will not change what they are doing at all to enhance their “score” with the rating agencies or regulators.  There is too much of the firm;s real value at stake to risk changing their risk management program to suit these outsiders who do not know much about the company or its risks.

The news comes in threes and the reactions comes in threes as well.

Financial Reform & Risk Management (2)

September 12, 2010

An AP summary of the negotiated consolidated Financial Reform act of 2010, there are 9 major provisions.  These posts will feature commentary on the Risk Management implications of each.

2. CONSUMER PROTECTION A Consumer Financial Protection Bureau within the Federal Reserve would police lending, taking powers now exercised by various bank regulators.

The current financial crisis is not unique in the financial history in that the major banks took it on the chin.

But while there are many troubling stories of consumers who are suffering hardships as a result of transactions that they entered into during the run up to the crisis, Roger Lowenstein admitted in a recent Sunday New York Times magazine article that try as they might, journalists have not been able to find a story of a truly innocent consumer who was taken advantage of.  In fact, if you look at most situations where folks seem to have been hurt, they either went into the situation with their own greedy motives to get something for nothing (house flippers) or were able to live in much better housing often at a lower price than before the crisis.  As the crisis hit and housing prices fell and refinancing opportunities evaporated, many consumers lost the houses that they could not afford in the first place.  But in fact if you look at the details of what happened, they usually got more than their money’s worth in terms of housing during the time they had a house.  What they lost were their unrealistic expectations.

To be brutally honest, the consumers did ok not well, but ok, and the bankers got hosed.

So as a result, Congress has decided to protect the consumers from any such future abuse.

And to again be brutally honest,  the motives of this “consumer” protection seems to be to protect banks from themselves.

But motives and consequences will doubtless be different.  The consequences of this part of the financial reform act will likely be the erosion of the margins of banks and other financial organizations that deal with consumers.

The margins that banks and others were getting from the sub prime mortgage business were so great that they generated their own myth of the actual viability of that business.  That self justifying myth can be thought of as the actual driver of the crisis.  To anyone who was not caught up in the wave of activity of the housing market, the myth may have seemed as somewhat unrealistic and benign.  But belief in the myth of unending appreciation of real estate enabled people at all levels to justify the behavior that now can be seen to be clearly outrageous.

But getting back to consumer protection, the new Consumer Protection Bureau will clamp down on abuses large and small that have helped to drive the bloated profitability of banks over the past 10 years.

The Risk Management consequences of this are that banks will not stand still and watch their earnings get savaged.  If they did that, then their stock values would either stay low or erode further.  So their reaction will be to seek other sources of revenue to replace the loss of the various fees and charges to consumers that are now found to be abusive.

And why is that a Risk Management concern?  It is because the new activity that will be undertaken to replace the lost revenues adds uncertainty to the system.  Some of that activity will fall inbetween the cracks of the regulatory system.  It will create risks that are not recognized in Basel III.   Some banks will act as if they believe Basel III and run these new activities as if there is no need for capital and end up adding significantly to their actual leverage.

So beware the unintended consequences of this new regulation.  The danger will only pass when banks have accepted the fact that they are fundamentally only 5% to 10% ROE businesses.  As long as they believe that they are 20% to 25% ROE businesses, they will end up finding the risks that will allow them to post those ROEs.

Death by Solvency

July 13, 2010

Another great post by  Maggid.

It seems that Solvency II is perfectly designed to reproduce the conditions that led US banks to believe that they were impervious to risks.  They and the regulators believed that they knew what they were doing with regard to Risks and Risk Management.

In 2004, the US Federal Reserve allowed investment banks to cut their capital levels by 2/3, tripling their potential leverage!  Not to worry, they knew how to manage risk.

European insurers are all being told that they need to have economic capital models to manage risks.  A few firms have had these models for more than five years now.  Those models tell us that those firms can reduce their capital by a third or more.

But everyone leaves out of their thinking two important things that will always happen.

The first is called the Peltzman effect by economists.  John Adams calls it the Risk Thermostat effect.  In both cases, it means that when people feel risk decreasing due to safety measures, they often respond by increasing the riskiness of their behaviors.  So the success of Solvency II will make some firms feel safer and some of them will take additional risks because of that.

The second effect is what I call the Law of Risk and Light.  That says that you will accumulate risks wherever you are not looking out for them.  So anywhere that there is a flaw in the Economic Capital model, the activity that accentuates that flaw will look like the best, most desirable business to be in.

But read Maggid’s post.  He provides some actual analysis to support his argument.

Monty Python on governance, risk, and compliance

November 10, 2009

Guest Post from Riskczar

I read too much about what GRC needs or what ERM needs but far too often suggestions read like my favourite Monty Python skit (a lot of easier said than done steps):

Alan Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute …but first, here’s Jackie to tell you all how to rid the world of all known diseases.
Jackie Hello, Alan.
Alan Hello, Jackie.
Jackie Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again.
Alan Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here.

So when I read very articulate comments like these from the blog Corporate Integrity, it makes me think of how you play the flute:

Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.

… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.

Again, easier said than done. I am not criticizing this approach, I actually agree 100% with what he writes, it’s just very difficult to execute.

Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which take a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same a getting buy in, getting them to do it and being successful at it.


%d bloggers like this: