Posts tagged ‘Risk Management’

Risk Management Roles

October 18, 2021

Larger organizations with mature ERM programs tend to have evolved a short list of major risk-management-specific roles, many of which are part-time additions to already full-time positions, while some are full-time risk management only roles.  Smaller organizations tend to need an ERM operation staffed entirely with part-timers.  We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO’s role differs from organization to organization, but generally includes some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often, to the Chief Financial Officer.  Otherwise, the CRO role is handled by another senior officer such as the Internal Auditor or, in an insurer, the Chief Underwriting Officer or Chief Actuary.

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for Value Added ERM, taking a major part in the implementation as well as in explaining the idea and the results to stakeholders.  A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation.  The CRO may be responsible for performing analysis of risk-adjusted plan proposals and for acting as a resource to business units developing risk-adjusted proposals.  As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework.  There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. the Intelligent ERM described above); and to direct the application of resources for ERM activities that are outside of the risk management department.

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time, mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary of making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances becomes a much more routine exercise.

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board.  These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department.  The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO.  The new responsibilities and authorities of the CRO are often completely new activities for an organization, or they may include carving some responsibilities and authorities out of existing positions.  The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions.  The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring the risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision-making and escalation procedures.  Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improving capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk.

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management.  That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks.  However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role.  On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area.  Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas.  Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers.  In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks.  The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible for making a periodic Report on the status of their risk and its Risk Management to the governing Board.  This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between the compliance role and the advisory role of the risk management department.  Compliance is the natural role of Internal Audit, and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the scope of the role: should internal audit limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role in reviewing the ERM Framework itself?  To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO.

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual.  While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.

For the CRO and the ERM program to be effective, the organization needs clarity on which aspects of risk management the CEO is directly delegating to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners.  Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].

[1] Project Management Institute, Executive Engagement: The Role of the Sponsor

[2] Conference Board of Canada, “A Composite Sketch of a Chief Risk Officer” (2001)

[3] CRO Forum, Sound Risk Culture in the Insurance Industry (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense in Effective Risk Management and Control (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)


Risk Intelligence II

February 28, 2019

Somehow it worked.

Several psychologists stated that economists were rational and those who didn’t know what economists knew were irrational.

They collected data on how irrational folks are and analyzed that data and grouped it and gave cute names to various groups.

But I think that you could do the same thing with long division.  Certainly with calculus.  Compare the answers of rubes on the sidewalk to those of math PhDs on a bunch of math questions, and how well do you think the rubes would do?

Some of the questions that the psychologists asked were about risk. They proved that folks who rely solely on their gut to make decisions about risk were not very good at it.

I am sure that no-one with any Risk Intelligence would have bet against that finding.

Because Risk Intelligence consists of more than just trusting your gut. It also requires education regarding the best practices for risk management and risk assessment along with stories of how well (and sometimes ill) intentioned business managers went wrong with risk. It also requires careful analysis. Often statistical analysis. Analysis that is usually not particularly intuitive even with experience.

But Risk Intelligence still needs a well developed gut. Because history doesn’t repeat, analysis always requires simplification and assumptions to fill out a model where data is insufficient.

Only with all of Education, Experience and Analysis is Risk Intelligence achievable and even then it is not guaranteed.

And in addition, Education, Experience and Analysis are the cure for the irrational biases found by the psychologists. I would bet that the psychologists systematically excluded any responses from a person with Risk Intelligence. That would have invalidated their investigation.

Their conclusion could have been that many of us need basic financial and risk education, a better understanding of how to accumulate helpful experiences and some basic analytical skills.  Not as much fun as a long list of cutely named biases, but much more helpful.

Comparing Eagles and Clocks

August 11, 2015

Original Title: Replacing Disparate Frequency Severity Pairs.  Quite catchy, eh?

But this message is important.  Several times, RISKVIEWS has railed against the use of Frequency Severity estimates as a basis for risk management.  Most recently

Just Stop IT! Right Now. And Don’t Do IT again.

But finally, someone asked…

What would you do instead to fix this?

And RISKVIEWS had to put up or shut up.

But the fix was not long in coming to mind.  And not even slightly complicated or difficult.

Standard practice is to identify a High/Medium/Low (HML) rating for Frequency and Severity for each risk.  But RISKVIEWS does not know any way to compare a low frequency, high impact risk with a medium frequency, medium impact risk.  Some people do compare the risks by rating the frequency and severity on a numerical scale and then adding or multiplying the values for frequency and severity for each risk to get a “consistent” factor.  However, this process is frankly meaningless.  Like multiplying the number of carrots times the number of cheese slices in your refrigerator.

But to fix it is very easy.

The fix is this…

For each risk, develop two values.  First is the loss expected over a 5 year period under normal volatility.  The second is the loss that is possible under extreme but not impossible conditions – what Lloyd’s calls a Realistic Disaster.

These two values then each represent a different aspect of each risk.  They can each be compared across all of the risks.  That is you can rank the risks according to how large a loss is possible under Normal Volatility and how large a loss is possible under a realistic disaster.

Now, if you are concerned that we are only looking at financial risks with this approach, you can go right ahead and compare the impact of each risk on some other non-financial factor, under both normal volatility and under a realistic disaster.  The same sort of utility is there for any other factor that you like.

If you do this carefully enough, you are likely to find that some risks are more of a problem under normal volatility and others under realistic disasters.  You will also find that some risks that you have spent lots of time on under the Disparate Frequency/Severity Pairs method are just not at all significant when you look at them consistently with other risks.
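As an added example (not code from the RISKVIEWS post), the following contrasts the multiplied H/M/L score with the two-value approach above: the same constructed risk register is ranked once on the 5-year loss under normal volatility and once on the realistic-disaster loss, and the collisions that the multiplied score produces for disparate pairs are made visible. Risk names and amounts are constructed.

```python
"""Added example, not from the original post: multiplied H/M/L scores versus
ranking on two comparable values (normal volatility loss, realistic disaster
loss).  Risks and amounts are constructed, in millions of an arbitrary currency."""

from collections import defaultdict

# Ordinal ratings turned into numbers, as in the "consistent factor" the post criticises.
HML = {"L": 1, "M": 2, "H": 3}

# Constructed risk register.
RISKS = [
    {"name": "Hurricane", "frequency": "L", "severity": "H",
     "normal_5yr": 4.0, "realistic_disaster": 120.0},
    {"name": "Expense overrun", "frequency": "H", "severity": "L",
     "normal_5yr": 15.0, "realistic_disaster": 25.0},
    {"name": "Credit default", "frequency": "M", "severity": "M",
     "normal_5yr": 10.0, "realistic_disaster": 60.0},
    {"name": "Equity market fall", "frequency": "M", "severity": "H",
     "normal_5yr": 18.0, "realistic_disaster": 90.0},
]


def hml_score(frequency, severity):
    """Frequency rating times severity rating: carrots times cheese slices."""
    return HML[frequency] * HML[severity]


def score_collisions(risks):
    """Group risk names by multiplied score, so that disparate frequency/severity
    pairs that land on the same number (e.g. L x H and H x L) become visible."""
    groups = defaultdict(list)
    for r in risks:
        groups[hml_score(r["frequency"], r["severity"])].append(r["name"])
    return {score: names for score, names in groups.items() if len(names) > 1}


def rank_by(risks, aspect):
    """Rank risks on one aspect held the same across all of them, largest loss
    first.  aspect is "normal_5yr" or "realistic_disaster"."""
    return [r["name"] for r in sorted(risks, key=lambda r: r[aspect], reverse=True)]


def two_value_view(risks):
    """Position of each risk under both aspects, 1 = largest loss."""
    normal = rank_by(risks, "normal_5yr")
    disaster = rank_by(risks, "realistic_disaster")
    return {r["name"]: {"normal_rank": normal.index(r["name"]) + 1,
                        "disaster_rank": disaster.index(r["name"]) + 1}
            for r in risks}


if __name__ == "__main__":
    print("Risks sharing a multiplied H/M/L score:", score_collisions(RISKS))
    print("Ranked by loss under normal volatility:", rank_by(RISKS, "normal_5yr"))
    print("Ranked by loss under a realistic disaster:", rank_by(RISKS, "realistic_disaster"))
    for name, ranks in two_value_view(RISKS).items():
        print(f"{name}: normal #{ranks['normal_rank']}, disaster #{ranks['disaster_rank']}")
```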

So you need to compare risk estimates where one aspect is held the same.  Like comparing two bikes:


Or two birds:


But you cannot compare a bird and a Clock:



And once you have those insights, you can more effectively allocate your risk management efforts!

“Adalberti 1” by Juan lacruz – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons.

The CRO is making a list and checking it twice

February 2, 2015

“You never said that you wanted me to do that” is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid writing too much down.  And that is also true when it comes to risk management.

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.


But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

  • ERM Policy – documents that the firm is committed to an enterprise-wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may be changed only every three to five years.
  • ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document may list many new things that are being done.  Once a program is well established, it will need no more and no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework include a short section relating to each of the risk management practices that make up a Risk Management System.
  • Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
  • Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
  • Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
  • Charter for Risk Committees – Some firms have three or more risk committees.  One is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
  • Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities beforehand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible, and the CRO is able to expect that many hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.


The ERM Pioneers and the Settlers – Let’s not have another range war!

January 24, 2015

Most of the people with CRO jobs are pioneers of ERM.  They came into ERM from other careers and have been working out what makes up an ERM process and how to make it work by hard work, trial & error and most often a good deal of experience on the other side of the risk – the risk taking side.

As ERM becomes a permanent (or at least a long term) business practice, it is more likely that the next generation of CROs will have come up through the ranks of the Risk function.  It is even becoming increasingly likely that they will have had some training and education regarding the various technical aspects of risk management and especially risk measurement.

The only problem is that some of the pioneers are openly disdainful of these folks who are likely to become their successors.  They will openly say that they have little respect for risk management education and feel strongly that the top people in Risk need to have significant business experience.

This situation is a version of the range wars in the Wild West.  The Pioneers were the folks who went West first.  They overcame great hardships to fashion a life out of a wilderness.  The Settlers came later and were making their way in a situation that was much closer to being already tamed.

Different skills and talents are needed for successful Pioneers than for successful Settlers.  Top among them is the Settlers need to be able to get along in a situation where there are more people.  The Risk departments of today are large and filled with a number of people with a wide variety of expertise.

Risk will transition from the Pioneer generation to the Settler generation of leadership.  That transition will be most successful if the Pioneers can help develop their Settler successors.

How to Show the Benefits of Risk Management

January 2, 2015

From Harry Hall at

Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?

Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.

The “before picture” and “after picture” are also a powerful way to make known the value of risk management.

We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”

Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.

Say Cheese

The first step to turning risk assessments into pictures is to assign risk levels.

Assume that a Project Manager is using a qualitative rating scale of 1 to 10, 10 being the highest, to rate Probability and Impact. The Risk Score is calculated by multiplying Probability x Impact. Here is an example of a risk table with a level of risk and the corresponding risk score range.

Level of Risk    Risk Score
Very Low         < 20
Low              21 – 39
Medium           40 – 59
High             60 – 79
Very High        > 80

Figure 1: Qualitative Risk Table

Looking Good

Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.

Figure 2: Number of Risk before Execution of Risk Response Strategies

We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.

Figure 3: Number of Risks after Execution of Risk Response Strategies

After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.

How to Illustrate Programs, Portfolios, or Enterprises

Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.

Figure 4: Number of Program risks before and after the execution of risk response strategies

Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).
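The before-and-after picture described above, worked through in code as an added example (not Harry Hall's own tooling): risks are scored on the 1–10 probability and impact scales, assigned a Figure 1 level, counted per level for the inherent and residual assessments, and rolled up from projects to a program. Projects and ratings are constructed; the labels Low, Medium and High for the table's middle bands, and the placement of a score of exactly 20 or 80 (which the table's ranges leave out) in the lower band, are assumptions.

```python
"""Added example, not from the original post: scoring, levelling and counting
risks before and after risk responses, then rolling projects up to a program.
Projects and ratings are constructed."""

from collections import Counter

# Inclusive upper bound of each band.  The table gives < 20, 21-39, 40-59, 60-79,
# > 80; the middle labels and the placement of exactly 20 and 80 are assumed.
LEVELS = [(20, "Very Low"), (39, "Low"), (59, "Medium"), (80, "High"), (100, "Very High")]
URGENT = {"High", "Very High"}  # acted on; everything else stays on the watch list


def risk_score(probability, impact):
    """Risk Score = Probability x Impact, each rated 1 to 10."""
    for rating in (probability, impact):
        if not 1 <= rating <= 10:
            raise ValueError(f"rating {rating} outside the 1-10 scale")
    return probability * impact


def risk_level(score):
    """Map a score to its Figure 1 level."""
    for upper, label in LEVELS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} above the scale maximum")


def level_counts(assessments):
    """Count risks per level.  assessments: iterable of (probability, impact)."""
    return Counter(risk_level(risk_score(p, i)) for p, i in assessments)


def before_after(project):
    """Before picture: inherent ratings.  After picture: residual rating where a
    response was executed; a watch-listed risk keeps its inherent rating."""
    before = [r["inherent"] for r in project["risks"]]
    after = [r.get("residual") or r["inherent"] for r in project["risks"]]
    return {"before": level_counts(before), "after": level_counts(after)}


def urgent_count(counts):
    """Number of risks in the levels the team acts on."""
    return sum(n for level, n in counts.items() if level in URGENT)


def program_rollup(projects):
    """Sum the before/after pictures of several projects into one program view."""
    total = {"before": Counter(), "after": Counter()}
    for project in projects:
        pic = before_after(project)
        total["before"] += pic["before"]
        total["after"] += pic["after"]
    return total


# Constructed projects: ratings are (probability, impact) pairs.
PROJECT_A = {"name": "Billing rewrite", "risks": [
    {"name": "Vendor delay", "inherent": (9, 9), "residual": (4, 6)},
    {"name": "Key staff loss", "inherent": (8, 8), "residual": (5, 7)},
    {"name": "Scope creep", "inherent": (7, 5)},                      # watch list
    {"name": "Data migration defects", "inherent": (9, 8), "residual": (3, 8)},
]}
PROJECT_B = {"name": "Portal upgrade", "risks": [
    {"name": "Regulatory change", "inherent": (10, 9), "residual": (6, 9)},
    {"name": "Budget cut", "inherent": (5, 4)},                       # watch list
]}

if __name__ == "__main__":
    for project in (PROJECT_A, PROJECT_B):
        pic = before_after(project)
        print(project["name"], "before:", dict(pic["before"]), "after:", dict(pic["after"]))
    rolled = program_rollup([PROJECT_A, PROJECT_B])
    print("Program urgent risks:", urgent_count(rolled["before"]), "->", urgent_count(rolled["after"]))
```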

Tip of the Day

When you ask team members to rate risks, it is important to specify whether the team members are assessing the “before picture” (i.e., inherent risks), the “after picture” (i.e., residual risks) or both.  Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk.  Residual risks are risks remaining after strategies/actions have been taken.

Question: What types of charts or graphics do you use to illustrate the value of risk management?

New Year’s ERM Resolution – A Risk Diet Plan

December 31, 2014

Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottage cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desperately needed to make a diet work: a common currency for substitutions and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how many calories the new food has.

The aggregate risk limit serves the exact same role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency.  Premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses, using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person/company to reach optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and the ability to place new opportunities on the same risk basis as existing activities, it has something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.


Transparency, Discipline and Alignment

October 27, 2014

Firms that have existed for any length of time are likely to have risk management.  Some of it was there from the start and the rest evolved in response to experiences.  Much of it is very efficient and effective while some of the risk management is lacking in either efficiency or effectiveness.  But some of the risk management that they might need is either missing or totally ineffective.  It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm.  Risk management happens in the background.  It may be done without thinking.  It may be done by people who do not know why they are doing it.  Some risks of the firm are very tightly controlled while others are not.  But the different treatment is not usually a conscious decision.  The importance of risk management differs greatly in the minds of different people in the firm and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm.  The proponents of carefully managed risk may be thought of as the business prevention department and they are commonly found to be at war with the business expansion department.


Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management.  Those advantages are:

  • Transparency
  • Discipline
  • Alignment

ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm.  ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk.  The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.

Transparency is like the math teacher you had in high school who insisted that you show your work.  Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer.  When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing.  Transparency means the same sort of thing with ERM.  It means showing your work.  If you do not like having to slow down and show your work, you will not like ERM.

ERM is based upon setting up formal risk control cycles.  A control cycle is a discipline for assuring that the risk controlling process takes place.  A discipline, in this context, is a repeatable process: if you consistently follow it, you can expect the outcomes from that process to be more reliable and consistent.

A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline.  A school team may have a little talent or a lot and some school teams have some discipline as well.  A professional sports team usually has plenty of talent.  Often professional teams also have some discipline.  The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league.  Discipline allows the team to consistently get the best out of their most talented players.  Discipline in ERM means that the firm is more likely to end up holding the risks that it actually wants to hold.

ERM is focused on Enterprise Risks.  In RISKVIEWS' mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance, of returns for risks and of the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.

To use another sports analogy, picture the football huddle where the quarterback says “ok.  Everyone run their favorite play!”  Without ERM, that is what is happening, at least regarding risk, at some companies.

Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.

Just Stop IT! Right Now. And Don’t Do IT again.

June 16, 2014

IT is a medieval, or possibly pre-medieval, practice for evaluating risks.  That is, the assignment of a single Frequency and Severity pair to each risk and calling that a risk evaluation.

In the mid 1700’s Daniel Bernoulli wrote:

EVER SINCE mathematicians first began to study the measurement of risk there has been general agreement on the following proposition: Expected values are computed by multiplying each possible gain by the number of ways in which it can occur, and then dividing the sum of these products by the total number of possible cases where, in this theory, the consideration of cases which are all of the same probability is insisted upon. If this rule be accepted, what remains to be done within the framework of this theory amounts to the enumeration of all alternatives, their breakdown into equi-probable cases and, finally, their insertion into corresponding classifications.

Many modern writers attribute this process to Bernoulli but this is the very first sentence of his “Exposition of a New Theory for Measuring Risk” published in 1738.  He suggests that the idea is so common in his time that he does not cite an original author.  His work is not to prove that this basic idea is correct, but to propose a new methodology for implementing it.

It is hard to say how the single pair idea (i.e. that a risk can be represented by a single frequency/severity pair of values) has crept into basic modern risk assessment practice, but it has.  And it is firmly established.  But in 1738, Bernoulli knew that each risk has many possible gain amounts.  NOT A SINGLE PAIR.

But let me ask you this…

How did you pick the particular pair of values that you use to characterize any of your risks?

You see, as far as RISKVIEWS can tell, Bernoulli was correct – each and every risk has an infinite number of such pairs that are valid.  So how did you pick the one that you use?

Take for an example, the risk of a fire.  There are an infinite number of possible fires that could happen.  Some more likely and some less likely.  Some would do lots of damage some only a little.  The likelihood of a fire is not actually always related to the damage.  Some highly unlikely fires might be very small and low damage.  Hopefully, you do not have the situation of a likely high damage fire.  But all by itself, you could make up a frequency severity heat map for any single risk with many points on the chart.


So RISKVIEWS asks again, how do you pick which point from that chart to be the one single point for your main risk report and heat map?

And those heat maps that you are so fond of…

Do you realize that the points on the heat map are not rationally comparable?  That is because there is no single criterion that most risk managers use to pick the pairs.  To be comparable, the values need to have been selected by applying exactly the same criterion.  But usually the actual criterion for choosing the pairs is not clearly articulated.

So here you stand, you have a risk register that is populated with these bogus statistics.  What can you do to move toward a more rational view of your risks?

You can start to reveal to people that you are aware that your risks are NOT fully measured by that single statistic.  Try revealing some additional statistics about each risk on your risk register:

  • The Likelihood of zero (or an inconsequential low amount) loss from each risk in any one year
  • The Likelihood of a loss of 1% of earnings or more
  • The expected loss at a 1% likelihood (or 1 in 100 year expected loss)

Try plotting those values and show how the risks on your risk register compare.  Create a heat map that plots likelihood of zero loss against expected loss at a 1% likelihood.

Those values are then comparable.

So stop IT.  Stop misinforming everyone about your risks.  Stop using frequency severity pairs to represent your risks.
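As an added worked example (not code from the original post or from RISKVIEWS), here is the enumeration Bernoulli describes carried through in Python for a constructed, illustrative insurer's risk register.  Each risk is kept as its full annual loss distribution.  From that the code derives the three comparable statistics suggested above, shows that three equally defensible rules for collapsing the same distribution into one frequency/severity pair give three different points on the heat map, and, for the “common currency” aggregate risk limit discussed in the calorie post earlier on this page, convolves the risks into a total-loss distribution whose 1-in-100 loss is compared to a limit stated in the same units.  The register values, the earnings figure and the independence of the risks are assumptions of this example, not data from the page.

```python
from fractions import Fraction
from typing import Dict, Iterable, Tuple

# A risk is its whole annual loss distribution, not one (frequency, severity) pair:
# loss amount in whole currency units -> probability.  Fractions keep every sum exact.
Distribution = Dict[int, Fraction]


def distribution(pairs: Iterable[Tuple[int, str]]) -> Distribution:
    """Build a distribution from (loss, probability) pairs such as (50_000, "7/100")."""
    d: Distribution = {}
    for loss, p in pairs:
        d[loss] = d.get(loss, Fraction(0)) + Fraction(p)
    if sum(d.values()) != 1:
        raise ValueError("probabilities must sum to exactly 1")
    return d


def prob_at_most(d: Distribution, threshold: int) -> Fraction:
    return sum((p for x, p in d.items() if x <= threshold), Fraction(0))


def prob_at_least(d: Distribution, threshold: int) -> Fraction:
    return sum((p for x, p in d.items() if x >= threshold), Fraction(0))


def _mean(d: Distribution) -> Fraction:
    # Bernoulli's rule: weight every possible loss by its probability and add them up.
    return sum((p * x for x, p in d.items()), Fraction(0))


def expected_loss(d: Distribution) -> float:
    return float(_mean(d))


def loss_one_in(d: Distribution, years: int) -> int:
    """The '1 in N year' loss: smallest x with P(loss <= x) >= 1 - 1/N (a VaR-style quantile)."""
    target = 1 - Fraction(1, years)
    cumulative = Fraction(0)
    for x in sorted(d):
        cumulative += d[x]
        if cumulative >= target:
            return x
    return max(d)


def single_pair(d: Distribution, rule: str) -> Tuple[float, float]:
    """Three defensible ways to collapse one distribution into a (frequency, severity) pair.
    They disagree, which is the point: pairs picked by different rules are not comparable."""
    nonzero = {x: p for x, p in d.items() if x > 0}
    if rule == "most_likely":  # the most probable non-zero outcome
        x = max(nonzero, key=nonzero.get)
        return float(nonzero[x]), float(x)
    if rule == "worst":  # the largest enumerated outcome
        x = max(nonzero)
        return float(nonzero[x]), float(x)
    if rule == "mean":  # P(any loss) and the mean severity given that a loss occurs
        p_any = sum(nonzero.values(), Fraction(0))
        return float(p_any), float(_mean(d) / p_any)
    raise ValueError(f"unknown rule {rule!r}")


def register_statistics(register: Dict[str, Distribution], earnings: int) -> Dict[str, Dict[str, float]]:
    """The three comparable statistics the post suggests reporting for every risk on the register."""
    one_pct = earnings // 100
    return {
        name: {
            "p_zero_loss": float(prob_at_most(d, 0)),
            "p_loss_ge_1pct_earnings": float(prob_at_least(d, one_pct)),
            "loss_1_in_100": loss_one_in(d, 100),
        }
        for name, d in register.items()
    }


def combine(dists: Iterable[Distribution]) -> Distribution:
    """Total-loss distribution of the register, assuming independent risks (an assumption of
    this example; dependent risks need a joint model).  Every risk enters in the same currency."""
    total: Distribution = {0: Fraction(1)}
    for d in dists:
        nxt: Distribution = {}
        for x1, p1 in total.items():
            for x2, p2 in d.items():
                nxt[x1 + x2] = nxt.get(x1 + x2, Fraction(0)) + p1 * p2
        total = nxt
    return total


def within_aggregate_limit(register: Dict[str, Distribution], limit: int, years: int = 100) -> bool:
    """Is the 1-in-N total loss inside an aggregate limit stated in the same units?"""
    return loss_one_in(combine(register.values()), years) <= limit


# Constructed illustrative register (not real data): annual loss distributions per risk.
FIRE = distribution([(0, "90/100"), (50_000, "7/100"), (500_000, "25/1000"), (5_000_000, "5/1000")])
LIABILITY = distribution([(0, "60/100"), (100_000, "30/100"), (1_000_000, "9/100"), (20_000_000, "1/100")])
EQUITY_DECLINE = distribution([(0, "50/100"), (300_000, "40/100"), (3_000_000, "10/100")])
REGISTER = {"fire": FIRE, "liability": LIABILITY, "equity_decline": EQUITY_DECLINE}
EARNINGS = 20_000_000  # assumed annual earnings, so 1% of earnings is 200,000

if __name__ == "__main__":
    for rule in ("most_likely", "worst", "mean"):
        print(f"fire as a single pair by rule {rule!r}: {single_pair(FIRE, rule)}")
    for name, stats in register_statistics(REGISTER, EARNINGS).items():
        print(name, stats)
    print("1-in-100 total loss:", loss_one_in(combine(REGISTER.values()), 100))
    print("within a 5,000,000 aggregate limit:", within_aggregate_limit(REGISTER, 5_000_000))
```

Run as a script, it prints three different “single pair” points for the same fire risk (most likely: 7% and 50,000; worst: 0.5% and 5,000,000; mean: 10% and 410,000), then the comparable statistics for each risk.  Note also that the 1-in-100 total loss of the combined register (9,000,000) is larger than the sum of the three standalone 1-in-100 losses (4,500,000): a quantile of a sum is not the sum of the quantiles, which is why an aggregate limit has to be tested on the combined distribution rather than by adding per-risk figures.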


Insanity is . . .

May 11, 2014

Albert Einstein is famously quoted as saying that

Insanity is doing the same thing over and over and expecting different results.

Of course, risk management is based upon an assumption that if you do something that is risky over and over again, you will get different results.  And that through careful management of the possibilities, you can, on the average, over time, get acceptable results, both in terms of sufficient gains and limited losses.

But there is also an embedded assumption in that statement that is hidden.  The statement should include the standard caveat “all else being equal”.

But in fact, all else is NEVER equal.  At least not out in the world where things count.  Not for things that involve people.  Out in the real world, one can count on the same result from the same actions, but only for a while.

All else never stays the same in the situations where people are involved because people rarely continue to follow rules like the rules of physics.  People keep changing what they do.

For example, consider Hyman Minsky’s ideas about how the approach to credit changes over a cycle.  People just do not leave things alone.  With credit, people are constantly seeking to get just a little more juice out of the lemon.

The Risk Balancing Act

April 21, 2014

All firms are performing a difficult balancing act.  They are balancing the need to go out and take risks by doing something to expand their businesses with the need to be safe and secure.  Most firms have found a happy spot – at least for now – in that balancing act.

Firms in the risk business are doing a double balancing act.  They always have the same sort of risk of failure that all businesses have – that is the risk that they will not have enough customers.  In addition, they have the risk that the business that they have captured may just blow up in their faces with claims or losses far in excess of their expectations.

So when a firm in the risk taking business learns how to survive their dual balancing act, they will be very sensible if they are very, very reluctant to make changes to their process for balancing.  They are going to be extremely skeptical if the advice for change comes from someone – a regulator or member of their own company’s risk management team – who has no real world experience of this balancing.

To most of the successful managers of risk taking firms, ERM seems like an awkward and unnatural process.  To them, ERM manuals read like a book of detailed instructions on how to breathe.

That is because these firms all have plenty of risk management already.

However, the ERM imperative from the regulators and rating agencies requires that they explain that risk management and that they adopt some formal processes and documentation that was not, in their opinion, needed.

There are two approaches to achieving the ERM that is wanted by these outside forces:

  • Clean Slate – work to install a comprehensive ERM program as if on a clean slate, ignoring or replacing all existing risk management activities.  This results in a complete ERM program that will fulfill all of the external requirements.
  • Augmentation – work to carefully understand the existing risk management system.  Start by documenting the strengths of that system.  Next move to identifying the weaknesses of that system and then making adjustments and additions to improve risk management performance in those areas of weakness.

RISKVIEWS strongly favors the second approach.  RISKVIEWS has observed that many firms following the Clean Slate approach never complete the installation of the new ERM system, or if they do complete it, they abandon it after a short time period.  Firms following the Augmentation approach also will falter with installation but they have usually added to their ability to explain what they already do well and may have added a few new risk management practices that actually enhance their business.

The first step in the Augmentation approach is to develop an understanding of the possibilities that an ERM program presents and to choose from those possibilities the practices that the firm will want to include in its ERM program.  Those possibilities include:

  • A strict control process for risks that the firm has a zero tolerance for.
  • Risk measurement and tracking for control of the risks for which the firm wants to limit exposures.
  • Risk based pricing for those risks that the firm takes to make its profits, to assure that the sales that are one of the primary objectives of the firm are supporting the long term performance of the enterprise.
  • A risk profile that communicates the relationship between plans and risk taking over time.
  • A process for assessing and maintaining adequate capital for the risks taken by the firm.
  • Risk capital allocation to support the process of optimization of risk adjusted returns.
  • Communication of risk management processes for the board and outside audiences.
  • An assurance process regarding continuous implementation of the risk management program.

Once management selects the ERM practices that they want for their ERM program, they then need to go through the self assessment exercise.

More on that in a following post…..

Getting Started with a Risk Management Program

February 4, 2014

Every year companies look at their list of things that they plan to do “someday” and decide that this is the year to tackle implementing Enterprise Risk Management (ERM).

But many of them fail to get very far with that goal.

They start out with hopes to build an ERM program but never see the light at the end of the ERM tunnel.  They never get to the point of having a valuable process.

WillisWire has featured five ERM posts in 2014 that, if followed, can lead to a tangible and useful first level ERM process.  There are two primary objectives of ERM:

  • To make sure that the company has a consistent level of risk management for all of the major risks of the organization.
  • To use the information from the processes built up to accomplish the above to make strategic decisions about the risk profile that enhance the company’s ability to achieve its objectives.
Excerpt from the IAA report on Enterprise Risk Management:
The terms “risk” and “risk management” are commonly viewed through a lens of avoiding “bad” things happening and limiting the downside. Whilst understandable, the more enlightened view emerging is one of connecting risk to value maintenance and creation. This includes, for example, the empowerment of people to exploit opportunities. Indeed, market watchers view the ability to anticipate and react to a market opportunity to be as important as readiness for a potentially significant business disruption.
Moreover, the importance of the risk management culture is naturally being linked with effective ERM practices.

The five risk management practices are needed to create a complete risk control cycle (the first ERM objective above) for all of the major risks of the firm.

  1. Risk Identification
  2. Risk Measurement
  3. Risk Limits and Controlling
  4. Risk Organization
  5. Risk Policies and Standards

RISKVIEWS has posted a number of times on ERM Systems.  Several times there have been classes for ERM beginners, in Seoul, South Korea; Nairobi, Kenya; Almaty, Kazakhstan; Mexico City, Mexico and Lausanne, Switzerland.  See Introduction to ERM where slide decks and suggested readings are posted.


Whose Job is it to do ERM?

January 28, 2014

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assign responsibility for the identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Measurement

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Doing ERM is the Control Cycle

January 27, 2014

RISKVIEWS has commented many times that Risk MANAGEMENT is not a spectator sport.  It is all about DOING.

If Risk Management never results in the firm DOING something different than what would have been done before Risk Management  – then STOP IMMEDIATELY.  You are wasting your time and money.

The DOING part of Risk Management is not particularly tricky or difficult.  Doing ERM is accomplished with a Control Cycle.

In fact Doing ERM is accomplished with one control cycle for each major risk and one control cycle over all risks in total.

WillisWire has recently featured a piece on risk limits and the risk control cycle that would apply to each major risk.

Which is from the 14 part ERM Practices for Insurance Company ORSA series.  The other pieces in that series so far are:
RISKVIEWS has often posted about Control Cycles as well.  Here are two examples:
Controlling with a Cycle about the control cycles for each risk and
ERM Control Cycle about the overall ERM control of total risk

Building Risk Culture is a two legged beast

January 13, 2014

RISKVIEWS is reading about Business Organizational Culture – particularly the Corporate Culture Survival Guide by Edgar Schein.

Schein suggests that culture has three aspects:  Artifacts, Espoused Values and Underlying Assumptions.  Artifacts are what you can easily see happening. Espoused Values are public statements about what is wanted, things like policies and mission statements. Underlying Assumptions are the part of culture that is difficult (not impossible) to discern and very time consuming to change.  These are the things that really determine the choices and decisions of the firm.

Schein suggests that culture is formed as a new company has the successes that cause it to survive and thrive.  The initial culture is a combination of the vision and rules of the founder along with the learned values from those early experiences.

He says that culture change comes about when the Underlying Assumptions no longer seem to work and people can feel motivated to learn new approaches that if they succeed, become the new Underlying Assumptions.

To me, RISK seems particularly difficult for this process.  Most new ventures are founded with a willful disregard for RISK.  So it is relatively rare for a newer firm to have a healthy respect for risk.

In addition, the result of good risk management is a reduction in the likelihood of the experience of undesirable adverse events (UAEs).  That is also the outcome from LUCK.  In both cases, the indication of good results is a LACK of bad experience.

The Risk Culture develops as the firm experiences adverse outcomes and then only if they learn that a risk management process can reduce the likelihood that they will experience UAEs.  Otherwise, the Underlying Assumption will be that whatever the firm is doing is just right to avoid those UAEs.  Sort of like the sports star who failed to shave before the game where they scored 2 goals, so they forever after deliberately do not shave on the day of a game.

Building or Changing a Risk Culture, in my opinion, involves teaching the idea that a deliberate and comprehensive risk management process can accomplish the reduction in likelihood of UAEs.

The students may be very responsive after a major adverse experience.  Otherwise, the Risk Culture Builder needs to depend on stories of other companies that succeed and fail to avoid the major adverse experiences.

The Risk Culture Builder must be prepared to turn every experience of the organization and of other organizations into stories that support the formation of a positive Risk Culture. But it takes an extremely good story teller to create motivation to adopt a healthy Risk Culture from stories of other companies.

Risk Management is actually more about managing tendencies than actual management of UAEs.  Which is one of the things that makes Risk Culture Building particularly difficult.  Most people will judge the Risk Culture successes in terms of the actual losses experienced.  Meaning, if there are losses, then risk management is not worth the trouble.

Risk Management will only result in near zero losses if the risk tolerance is near zero.  And then only if the risk manager is given the nearly unlimited budget that it takes to actually eliminate most risk.

Instead, what can be expected from Risk Management, that is, from a tendency to reduce the frequency and/or severity of UAEs, is loss experience that is better, on average and over time, than that of firms which do not practice risk management, after adjusting for differences in the inherent risk profiles of the different organizations.

In building and reinforcing the risk culture, the Risk Culture Builder needs to be ready to explain how well (or poorly) that the company is succeeding with that.

Because ultimately, those stories, the stories of how the risk management program is succeeding or how the lack of risk management has failed are an extremely important leg of the risk culture building process.

The other leg (risk management culture is a two legged beast), is the story of how the risk management program needs to work to support achievement of the risk appetite.  That story needs to be told, not in terms of explaining the parts of a risk management framework, but instead that story is about the outcomes to be expected.

So for both legs, or both stories, the Risk Culture Builder needs to have a clear idea in mind of how the results of risk management will be demonstrable.

And that is another story.

Reviewing a Risk Control Framework

October 29, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk, that is risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisation’s armoury that can be used to ensure that the organisation achieves its strategic goals with regard to an accepted and monitored level of risk.

There needs to be commitment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required, as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization’s vision is all about what is possible, all about potential, and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger-picture view of what’s going on and the risk control framework needs to be informed by this. I really want to get across that the risk management needs to be aligned to what the organisation is trying to achieve>.

The RCF can act as a focus and ensure that:

  • There are no gaps and there is appropriate accountability
  • The organisation’s objectives are aligned with the RCF
  • The reporting mechanisms and management system are embedded – this can be a driver of culture
  • Uniform risk criteria and evaluation metrics are created – those accountable know how they are going to be measured

Much risk is derived from a company’s culture (think of investment banking culture, Enron, etc.), and the ease of implementing the key stages will also depend on culture. A risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF) the following internal factors (using the McKinsey 7-S framework) should be considered:-

Hard factors (tangible)

Systems

  • Are there systems in place that can assist in risk identification and monitoring?
  • Can an IT solution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RIs)?
  • What are the legal minimums with respect to certain risks, and how is compliance measured?
  • Is there information already gathered?

Strategy

  • Does strategic planning consider risk management, is it open to this, can risk management contribute?
  • Does risk management have board level support?
  • What is the organisation’s risk appetite?
  • What is the organisation’s risk tolerance?

Structure

  • Is the risk management function senior enough to have an influence?
  • Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross-function risks?
  • Is there a forum for considering emergent risks?
  • Are there regional or location-specific risks to consider, and how integrated is the whole approach?

Soft factors (intangible)

Style

  • The way management goes about solving problems, listening or dominant – there are ways to measure this
  • Passive vs active management
  • Business goal driven or risk averse
  • Who makes the key decisions – who is involved – is this structured?  Does risk management get a seat?

Staff

  • The collective presence of the people – different styles will appeal to certain types: gung ho vs risk averse
  • How actively is the framework managed, from active “positive assurance” to passive “nothing has come my way”?
  • Are staff time poor, are there dedicated risk staff in business units?
  • Is risk perceived as compliance rather than business driven?

Skills

  • Adaptable, thoughtful, processing?
  • Is there sufficient understanding of what is risky and what is unknown?
  • Are the risks able to be measured?
  • Are there enough skilful communicators to ensure that messages sent are received in the same context internally?

Shared Values

  • Infighting between departments, risk management seen as an inhibitor rather than strategic?
  • Is the company’s strategic vision embedded in the culture, is each department headed in the same direction?
  • Are interdepartmental meetings happening, or is there a siloed approach?
  • How are decisions made, centralised vs local, is this effective, who has the final say?

The above can act as a litmus test to assess the receptiveness or otherwise of the organisation to risk management in general; an important part is the links between the factors. For risk management to be effective it needs to be part of “the way things are done around here”, i.e. the company’s culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework(RCF):-

  • Risk identification
  • Risk monitoring
  • Policies and limits
  • Risk Treatment
  • Limit Compliance
  • Feedback


It can often be difficult to measure the effectiveness of controls, as the events that the controls are in place to prevent never happen. This lack of events could indicate an effective control well implemented or an unnecessary control (similar to the old anti-elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

Ad Hoc Risk Control Framework

  • Risk identification – Not all significant risk exposures have been identified.
  • Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
  • Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
  • Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

  • Risk identification – Significant risk exposures are believed to have been identified.
  • Risk monitoring – Company’s risk monitoring is performed after events and tends to miss events before they occur.
  • Policies and limits – Risk limits are documented, but they have limited impact prior to an event; that is, they do not have any impact on operational decision making.
  • Risk Treatment – Risk-management activities are not laid out, but issues are raised to management.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risks exposures and the most significant of those exposures.
  • Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
  • Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advanced Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures. This is holistic and done as part of the usual way of doing business.
  • Risk monitoring – Company monitors all significant risks as a matter of course
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company, these are embedded and part of normal routines, they never get challenged and don’t get in the way of the business.
  • Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are almost never challenged.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

A Risk Register is the Siren Song of Risk Management

May 20, 2013

Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.

But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years.  That is why the Risk Register is the siren song of Risk Management.  No, not the siren that makes a loud noise for the Fire Department.  The Sirens of Homer’s Odyssey.

The Sirens’ song attracted sailors who, as they drew closer to listen, crashed upon the rocks and died.

So with risk managers and risk registers.  Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment.  However the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register.  The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company.  They try to find ways to entice others into the world of the risk register.

But real risk management requires only a simple list of risks, risk owners and risk mitigation activities.  This should never be maintained on spreadsheets in formats that can only be printed with 8 point type or never seen in total because there are just too many columns of important details.  Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.

Managing the process of

  • adding cash or profits now while adding risk later, or
  • reducing cash or profits now while decreasing risk later

is real risk management.  

Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register.  Real risk management involves making difficult decisions and taking actions based upon those decisions.  Those decisions always involve a trade-off between cash or profits now and risk later.  Adding cash or profits now while adding risk later or reducing cash or profits now while decreasing risk later.  That is real risk management.

Learnings from the Superstorm

April 29, 2013

From the FSOC 2013 Annual Report with minor paraphrasing…

• Planning and testing: It is important that your company and all of your important counterparties, vendors, and subcontractors fully understand the functionality of contingency systems, and that key operations and business personnel communicate efficiently to assure enterprise-wide clarity. Expanded testing exercises would enhance assurance of failover reliability. Such testing should involve all parties inside and outside your firm that you depend upon to continue functioning, and should also involve providers of essential services such as power, water, and telecommunications.

• Incident management: Protocols for assuring a timely decision on whether and when to close or open the company would benefit from review and streamlining by the responsible parties. Likewise, protocols for assuring timely decisions within the firm on whether and when to leverage back-up sites would benefit from continued regular testing. Furthermore, operational interdependencies need to be fully incorporated in the decision-making process.

• Personnel: The resilience of critical components of the company requires geographic dispersal of both electronic systems and personnel sufficient to enable an organization to operate despite the occurrence of a wide-scale disruption affecting the metropolitan or geographic area of the organization’s primary operations, including communities economically integrated with, adjacent to, or within normal commuting distance of the primary operations area. Organizations, including major firms, need to continuously and rigorously analyze their routine positioning and emergency repositioning of key management and staff. This is an ongoing requirement as technology, market structure, and institutions evolve rapidly. Developed business continuity plans should be implemented, and key staff should be sent to disaster recovery sites when there is advance notice of events.

• Dependencies: Cross-industry interdependencies require constant review, reassessment, and improvement by organizations to mitigate the impact of energy, power, transport, and communications failures during severe incidents, and to help ensure reliable redundancy.

Underwriting of risks is a key part of risk management for insurers

April 9, 2013

Underwriting is the process of reviewing and selecting risks that an insurer might accept, under what terms, and assigning those an expected cost and level of riskiness.

  • Some underwriting processes are driven by statistics.  A few insurers who developed a highly statistical approach to underwriting personal auto coverages have experienced a high degree of success.  With careful mining of the data from their own claims experience, these insurers have been able to subdivide rating classes into many finer classes with reliable claims expectations at each level.  This allows them to concentrate their business on the better risks within each of their competitors’ larger classes, while the competitors end up with a concentration of below-average drivers in each larger class.  This statistical underwriting process is becoming a required tool to survive in personal auto and is being copied in other insurance lines.
  • Many underwriting processes are highly reliant on the judgment of an experienced underwriter.  This is especially true for commercial business or other types of coverage where there is very little close commonality between one case and another.  Many insurers consider underwriting expertise to be their key corporate competency.
  • Usually the underwriting process concludes with a decision on whether to make an offer to accept a risk under certain terms and at a determined price.

How underwriting can go wrong:

  • Insurers are often asked to “give away the pen” and allow third parties to underwrite risks on their paper.  This sometimes has a very sad ending.
  • Statistical underwriting can spin out of control due to antiselection if not overseen by experienced people.  The bubble in US home mortgage securities can be seen as an extreme example of statistical underwriting gone bad.  Statistics from prior periods suggested that subprime mortgages would default at a certain low rate.  Over time, the US mortgage market went from one with a high degree of underwriting of applicants by skilled and experienced reviewers to a process dictated by scores on credit reports, and eventually the collection of data to perform underwriting stopped entirely with the no-doc loans.  The theory was that the interest rate charged for the mortgages could be adjusted upwards to the point where the extra interest collected could pay for the excess default claims from low-credit borrowers.
  • Volume incentives can work against the primary goals of underwriting.
  • An insurer can easily be undone by underwriting decisions that accept good risks which are nonetheless much too large for the pool of other risks held by the insurer.
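The two points above about statistical underwriting (finer rating classes win the better risks; antiselection spins out of control when nobody with judgment is watching the loop) can be shown with a small deterministic model. This is an added example, not code from the original post: one coarse rating class hides three sub-classes with different expected claim costs, a “coarse” insurer charges one average rate, a “fine” insurer has mined its claims data and prices each sub-class separately, and every policyholder buys from the cheaper quote. The sub-class counts, costs and the 10% load are constructed numbers, not market data. The second function goes one step beyond the text and lets the coarse insurer re-price each year off the book it actually kept, which is the spiral the post warns about.

```python
"""Adverse selection (antiselection) from finer risk classification.

Added example, not code from the original post. It is a deterministic model
of the personal-auto dynamic described above: one coarse rating class
contains sub-classes with different expected claim costs. A "coarse" insurer
charges a single rate for the whole class; a "fine" insurer has mined its own
claims data and prices each sub-class at its own expected cost. Every
policyholder buys from whichever insurer quotes less, so the loss ratio
(claims / premium) of each book shows who ends up holding the bad risks.
Sub-class counts and costs are constructed numbers, not market data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SubClass:
    name: str
    count: int            # policyholders in this sub-class
    expected_cost: float  # expected annual claim cost per policyholder


LOAD = 1.10  # both insurers load expected cost by 10% for expenses and profit

# Constructed sample: one coarse class made of three hidden sub-classes.
SAMPLE_CLASS: List[SubClass] = [
    SubClass("low", 600, 500.0),
    SubClass("mid", 300, 900.0),
    SubClass("high", 100, 2000.0),
]


def coarse_rate(subclasses: List[SubClass]) -> float:
    """Single rate: exposure-weighted average cost of the class, loaded."""
    exposures = sum(s.count for s in subclasses)
    avg_cost = sum(s.count * s.expected_cost for s in subclasses) / exposures
    return avg_cost * LOAD


def fine_rates(subclasses: List[SubClass]) -> Dict[str, float]:
    """One rate per sub-class, each at its own expected cost, loaded."""
    return {s.name: s.expected_cost * LOAD for s in subclasses}


def place_business(subclasses: List[SubClass]) -> Dict[str, Dict[str, float]]:
    """Route each sub-class to the cheaper quote (ties stay with the coarse
    insurer) and total premium and expected claims per insurer."""
    c_rate = coarse_rate(subclasses)
    f_rates = fine_rates(subclasses)
    book = {k: {"premium": 0.0, "claims": 0.0} for k in ("coarse", "fine")}
    for s in subclasses:
        if f_rates[s.name] < c_rate:
            insurer, rate = "fine", f_rates[s.name]
        else:
            insurer, rate = "coarse", c_rate
        book[insurer]["premium"] += s.count * rate
        book[insurer]["claims"] += s.count * s.expected_cost
    return book


def loss_ratio(entry: Dict[str, float]) -> Optional[float]:
    """Claims / premium; None when the insurer wrote nothing."""
    return entry["claims"] / entry["premium"] if entry["premium"] else None


def coarse_reprice_spiral(subclasses: List[SubClass], years: int = 3) -> List[Optional[float]]:
    """Year by year, the coarse insurer re-prices off the average cost of the
    business it actually kept, while the fine insurer's rates stay put.
    Returns the coarse insurer's loss ratio for each year (None once it has no
    business left). This is the 'spin out of control' case from the text."""
    f_rates = fine_rates(subclasses)
    remaining = list(subclasses)  # sub-classes still quoting with the coarse insurer
    history: List[Optional[float]] = []
    for _ in range(years):
        if not remaining:
            history.append(None)
            continue
        c_rate = coarse_rate(remaining)
        kept = [s for s in remaining if f_rates[s.name] >= c_rate]
        premium = sum(s.count * c_rate for s in kept)
        claims = sum(s.count * s.expected_cost for s in kept)
        history.append(loss_ratio({"premium": premium, "claims": claims}))
        remaining = kept
    return history


if __name__ == "__main__":
    for name, entry in place_business(SAMPLE_CLASS).items():
        print(f"{name:6s} premium={entry['premium']:9.0f} claims={entry['claims']:9.0f} "
              f"loss ratio={loss_ratio(entry):.3f}")
    spiral = coarse_reprice_spiral(SAMPLE_CLASS, years=3)
    print("coarse insurer loss ratio by year:",
          [None if x is None else round(x, 3) for x in spiral])
```

In the first year the fine insurer takes all 600 “low” risks at a 0.91 loss ratio while the coarse insurer keeps the other 400 at 1.39; re-pricing off that worse book pushes the coarse rate up, drives the “mid” risks away too, and leaves it with only the “high” class. The model assumes the fine insurer’s cost estimates are right; the page’s warning is that when those estimates are wrong (as with the mortgage scores), the same mechanism delivers the bad risks to the statistical underwriter instead.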

To get Underwriting right you need to:

  • Have a clear idea of the risks that you are willing to accept, your risk preferences.  And be clear that you are going to be saying NO to risks that are outside of those preferences.
  • Not let the pen get entirely out of the hand of an experienced underwriter who can be trusted to make decisions in the interest of the firm, whether to a computer or to a third party.
  • Make oversight of underwriting decisions an expectation at all levels.  The primary objective of this oversight should be to continually perfect the underwriting process and knowledge base.
  • Keep underwriters fully aware of the results of their prior decisions through regular communication with claims and reserving people.

This is one of the seven ERM Principles for Insurers

Has the risk profession become a spectator sport?

April 3, 2013

The 2013 ERM Symposium goes back to Chicago this year after a side trip to DC for 2012. This is the 11th year for the premier program for financial risk managers.  It runs April 23 and 24.

This year’s program has been developed around the theme, ERM: A Critical Self-Reflection, which asks:

  • Has the risk profession become a spectator sport? One in which we believe we are being proactive, yet not necessarily in the right areas.
  • For the most significant headlines during the past year, how was the risk management function involved?
  • Since the financial crisis, has there been genuine learning and changes to how risk management functions operate?
  • What are the lessons that have been learned and how are they shaping risk management today? If not, why?
  • Does risk management have a seat at the table, at the correct table?
  • Are risk managers as empowered as they should be?
  • Is risk management asking the right questions?
  • Is risk management as involved in decision making and value creation as it should be, at inception of ideas and during follow through?

On Wednesday, April 24, former FDIC Chairman Sheila Bair will be the featured luncheon speaker.

Sheila C. Bair served as the 19th chairman of the Federal Deposit Insurance Corporation for a five-year term, from June 2006 through July 2011. Bair has an extensive background in banking and finance in a career that has taken her from Capitol Hill to academia to the highest levels of government. Before joining the FDIC in 2006, she was the dean’s professor of financial regulatory policy for the Isenberg School of Management at the University of Massachusetts-Amherst since 2002.

The ERM Symposium and seminars bring together ERM knowledge from the insurance, energy and financial sectors.  Now in its 11th year, this premier global conference on ERM will offer: sessions featuring top risk management experts; seminars on hot ERM issues; ERM research from leading universities; exhibitors demonstrating their ERM services.  This program has been developed jointly by the Casualty Actuarial Society (CAS), the Professional Risk Managers’ International Association (PRMIA) and the Society of Actuaries (SOA).

Riskviews will be a speaker at three sessions out of more than 20 offered:

  • Regulatory Reform: Responding to Complexity with Complexity – Andrew Haldane, executive director of Financial Stability at the Bank of England, recently made a speech at the Federal Reserve Bank of Kansas City’s Jackson Hole Economic Policy Symposium titled “The Dog and the Frisbee” warning that the growing complexity of markets and banks cannot be controlled with increasingly complex regulations. In fact, by attempting to solve the problem of complexity with additional complexity created by increased regulation, we may be missing the mark—perhaps simpler metrics and human judgment may be superior. Furthermore, in attempting to solve a complex problem with additional complexity, we may not have clearly defined or understand the problem. How does ERM fit into the solutions arsenal? Are there avenues left unexplored? Is ERM adding or minimizing complexity?
    • We are drowning in data, but can’t hope to track all the necessary variables, nor understand all or even the most important linkages. Given the wealth of data available, important signals may be lost in the overall “noise.”
    • Unintended consequences may be lost or hidden in the maze of complexity, thereby magnifying the potential impact of future events.
    • The importance of key variables changes throughout time and from situation to situation, so it’s not possible to predict in advance which ones will matter most in the next crisis.
    • We experience relatively few new crises that are mirror images of prior crises, so we really have limited history to learn how to prevent or to cure them.
    • Complex rules incent companies and individuals to “manage to the rules” and seek arbitrage, perhaps seeding the next crisis.
  • Actuarial Professional Risk Management  –  The new actuarial standards for Risk Evaluation and Risk Treatment bring new help and new issues to actuaries practicing in the ERM field. For new entrants, the standards are good guidelines for preparing comprehensive analyses and reports to management. For more experienced practitioners, the standards lay out expectations for a product worthy of the highly-qualified actuary. However, meeting the standards’ expectations is not easy. This session focuses on clarifying key aspects of the standards.
  • Enterprise Risk Management in Financial Intermediation  –  This session provides a framework for thinking about the rapidly evolving, some would say amorphous, subject of ERM, especially as applied at financial institutions and develops seven principles of ERM and considers their (mis)application in a variety of organizational settings. The takeaways are both foundational and practical.

Please join us for some ERM fun and excitement.



Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

[Figure: the Risk Control Cycle diagram]

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.  These processes should ensure that constant management attention is not needed to assure compliance, although occasional assessment of compliance is often practiced.  The response step includes:
    • Risk avoidance for risks where the insurer has zero tolerance.
    • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, their extent is contained as far as possible.
    • Risk transfer processes, used when an insurer takes more risk than it wishes to retain and there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk created by the transfer.
    • Risk offset processes, used when insurer risks can be offset by taking additional risks that have opposite characteristics.  These usually entail basis risk, because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change; this is overcome in whole or in part by frequent adjustment of the offsetting positions.
    • Risk diversification, which can be used when risks can be pooled with other risks of relatively low correlation.
    • Risk costing / pricing, which means maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and a provision for risk.  This view influences the risks that an insurer will take and the provisioning (reserves) for losses from risks already taken.  It applies to all risks but especially to insurance risk management.
    • Coordination of insurance profit/loss analysis with pricing, loss control (claims), underwriting (risk selection), risk costing and reserving, so that all parties within the insurer are aware of the relationship between the emerging experience of the risks the insurer has chosen to retain and the expectations it held when it chose to write and retain them.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers
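The limits, checkpoints and escalating authority described in the cycle above (and the “Limit Compliance” item of the Standard Risk Control Framework earlier on this page) are easier to reason about once written down as a control. The following is an added example, not code from the original post or from any insurer’s system: each risk carries a soft checkpoint that may be exceeded and then goes to the standard resolution process, and a hard limit that is never to be exceeded and whose breach carries documented consequences; approval authority for taking more of a risk rises by tier, and nothing is approvable above the hard limit. Risk names, tier names and amounts are constructed for illustration.

```python
"""Positions versus limits and checkpoints, with escalating authority.

Added example, not code from the original post. It encodes the control
described above: each risk carries a soft checkpoint, which may be exceeded
and then goes to the standard resolution process, and a hard limit, which is
never to be exceeded and whose breach carries documented consequences.
Authority to take more of a risk rises with seniority, so a position above a
desk's ceiling may still be approvable one or two tiers up, but nothing is
approvable above the hard limit. Risk names, tiers and amounts are
constructed for illustration; a real insurer would feed this from its
position and exposure systems.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    OK = "within checkpoint"
    CHECKPOINT = "checkpoint exceeded"  # standard resolution process applies
    BREACH = "limit breach"             # documented consequences apply


@dataclass(frozen=True)
class RiskLimit:
    risk: str
    checkpoint: float  # soft: may be exceeded, triggers the resolution process
    limit: float       # hard: never to be exceeded
    # Approval tiers from most junior to most senior, each with the largest
    # position that tier may approve. The top tier's ceiling is the hard limit.
    authority: Tuple[Tuple[str, float], ...]

    def __post_init__(self) -> None:
        ceilings = [c for _, c in self.authority]
        if self.checkpoint > self.limit:
            raise ValueError(f"{self.risk}: checkpoint above hard limit")
        if not ceilings or ceilings != sorted(ceilings) or ceilings[-1] != self.limit:
            raise ValueError(f"{self.risk}: authority ceilings must rise to the hard limit")


def classify(position: float, rl: RiskLimit) -> Status:
    """Hard limit first, then checkpoint; a breach is never reported as a mere overrun."""
    if position > rl.limit:
        return Status.BREACH
    if position > rl.checkpoint:
        return Status.CHECKPOINT
    return Status.OK


def approver_for(position: float, rl: RiskLimit) -> Optional[str]:
    """Most junior tier whose ceiling covers the position; None above the hard limit."""
    for tier, ceiling in rl.authority:
        if position <= ceiling:
            return tier
    return None


def approve_increase(rl: RiskLimit, current: float, additional: float,
                     requesting_tier: str) -> Tuple[bool, Optional[str]]:
    """Decide whether requesting_tier may approve taking `additional` more of the
    risk. Returns (approved, tier_required); tier_required is None when the
    proposed position would breach the hard limit, which no tier may approve."""
    tiers = [t for t, _ in rl.authority]
    if requesting_tier not in tiers:
        raise ValueError(f"unknown tier {requesting_tier!r} for {rl.risk}")
    required = approver_for(current + additional, rl)
    if required is None:
        return False, None
    return tiers.index(requesting_tier) >= tiers.index(required), required


def report(positions: Dict[str, float], limits: List[RiskLimit]) -> List[Dict[str, object]]:
    """Positions versus limits: one row per risk, missing positions treated as zero."""
    rows: List[Dict[str, object]] = []
    for rl in limits:
        pos = positions.get(rl.risk, 0.0)
        rows.append({
            "risk": rl.risk,
            "position": pos,
            "checkpoint": rl.checkpoint,
            "limit": rl.limit,
            "status": classify(pos, rl),
            "approver": approver_for(pos, rl),  # most junior tier that could hold this size
        })
    return rows


# Constructed sample: three risks with desk / CRO / board style escalation.
SAMPLE_LIMITS: List[RiskLimit] = [
    RiskLimit("equity", checkpoint=80.0, limit=100.0,
              authority=(("desk", 60.0), ("cro", 90.0), ("board", 100.0))),
    RiskLimit("credit_spread", checkpoint=40.0, limit=50.0,
              authority=(("desk", 30.0), ("cro", 45.0), ("board", 50.0))),
    RiskLimit("nat_cat", checkpoint=150.0, limit=200.0,
              authority=(("underwriter", 120.0), ("cuo", 180.0), ("board", 200.0))),
]
# Constructed end-of-day positions, in the same units as the limits.
SAMPLE_POSITIONS: Dict[str, float] = {"equity": 85.0, "credit_spread": 52.0, "nat_cat": 110.0}


if __name__ == "__main__":
    for row in report(SAMPLE_POSITIONS, SAMPLE_LIMITS):
        print(f"{row['risk']:14s} {row['position']:7.1f} / cp {row['checkpoint']:6.1f}"
              f" / lim {row['limit']:6.1f}  {row['status'].value:20s} approver={row['approver']}")
    equity = SAMPLE_LIMITS[0]
    print("CRO adds 10 to equity:", approve_increase(equity, 85.0, 10.0, "cro"))
    print("board adds 20 to equity:", approve_increase(equity, 85.0, 20.0, "board"))
```

Two design choices are worth noting. The hard limit is checked before the checkpoint so that a breach can never be downgraded to an overrun by the order of the tests, and the configuration validates itself on construction, so a limit table whose top ceiling drifts away from the hard limit is rejected when loaded rather than silently letting someone approve a breach. Running the sample reports equity over its checkpoint (resolution process, CRO authority), credit spread in breach (nobody could have approved it), and the cat position within tolerance.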

Real Resilience is not what you think it is

January 30, 2013

There is confusion about the term Resilience.  To many people, it means the ability to withstand stress. To some people, the ultimate resilience comes from thick walls (or huge capital requirements).  The picture above is one of many thousands like it that shows the ultimate result of seeking resilience in a static manner.

The dictionary has something slightly different:

the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity.

But Holling, a prominent ecologist, suggests something much more robust.  He suggests that a resilient species will survive all of the stressors that attack it from its environment and thrive when conditions become benign.

“a major strategy selected is not one maximizing either efficiency or a particular reward, but one which allows persistence by maintaining flexibility above all else. A population responds to any environmental change by the initiation of a series of physiological, behavioral, ecological, and genetic changes that restore its ability to respond to subsequent unpredictable environmental changes. Variability over space and time results in variability in numbers, and with this variability the population can simultaneously retain genetic and behavioral types that can maintain their existence in low populations together with others that can capitalize on opportunities for dramatic increase. The more homogeneous the environment in space and time, the more likely is the system to have low fluctuations and low resilience.”  CS Holling, Resilience and Stability of Ecological Systems

Real resilience is ADAPTABILITY.  The ability to change your approach.  To find the way to survive the extreme adverse scenario without devoting so much resources to safety that you miss the chance to “capitalize on opportunities for dramatic increase” as Holling says.

Does your ERM program build walls, thicker and thicker, or does it build adaptability?

How many people in your organization do you think would know what to do in the event of an adverse situation that has never happened before?

But what is this adaptability?  In two studies in the late 1990’s, researchers studied thousands of crisis situations and identified 8 dimensions of adaptability for individuals.  See study here.

Handling emergencies or crisis situations

Reacting with appropriate and proper urgency in life threatening, dangerous, or emergency situations; quickly analyzing options for dealing with danger or crises and their implications; making split-second decisions based on clear and focused thinking; maintaining emotional control and objectivity while keeping focused on the situation at hand; stepping up to take action and handle danger or emergencies as necessary and appropriate.

Handling work stress

Remaining composed and cool when faced with difficult circumstances or a highly demanding workload or schedule; not overreacting to unexpected news or situations; managing frustration well by directing effort to constructive solutions rather than blaming others; demonstrating resilience and the highest levels of professionalism in stressful circumstances; acting as a calming and settling influence to whom others look for guidance.

Solving problems creatively

Employing unique types of analyses and generating new, innovative ideas in complex areas; turning problems upside-down and inside-out to find fresh, new approaches; integrating seemingly unrelated information and developing creative solutions; entertaining wide-ranging possibilities others may miss, thinking outside the given parameters to see if there is a more effective approach; developing innovative methods of obtaining or using resources when insufficient resources are available to do the job.

Dealing with uncertain and unpredictable work situations

Taking effective action when necessary without having to know the total picture or have all the facts at hand; readily and easily changing gears in response to unpredictable or unexpected events and circumstances; effectively adjusting plans, goals, actions, or priorities to deal with changing situations; imposing structure for self and others that provide as much focus as possible in dynamic situations; not needing things to be black and white; refusing to be paralyzed by uncertainty or ambiguity.

Learning work tasks, technologies, and procedures

Demonstrating enthusiasm for learning new approaches and technologies for conducting work; doing what is necessary to keep knowledge and skills current; quickly and proficiently learning new methods or how to perform previously unlearned tasks; adjusting to new work processes and procedures; anticipating changes in the work demands and searching for and participating in assignments or training that will prepare self for these changes; taking action to improve work performance deficiencies.

Demonstrating interpersonal adaptability

Being flexible and open-minded when dealing with others; listening to and considering others’ viewpoints and opinions and altering own opinion when it is appropriate to do so; being open and accepting of negative or developmental feedback regarding work; working well and developing effective relationships with highly diverse personalities; demonstrating keen insight of others’ behavior and tailoring own behavior to persuade, influence, or work more effectively with them.

Demonstrating cultural adaptability

Taking action to learn about and understand the climate, orientation, needs, and values of other groups, organizations, or cultures; integrating well into and being comfortable with different values, customs, and cultures; willingly adjusting behavior or appearance as necessary to comply with or show respect for others’ values and customs; understanding the implications of one’s actions and adjusting approach to maintain positive relationships with other groups, organizations, or cultures.

Demonstrating physically oriented adaptability

Adjusting to challenging environmental states such as extreme heat, humidity, cold, or dirtiness; frequently pushing self physically to complete strenuous or demanding tasks; adjusting weight and muscular strength or becoming proficient in performing physical tasks as necessary for the job.

The questions that remain are:

Is adaptability of a company anything different from adaptability of the people in the company?

How does a company get adaptable people?  Are people born that way or can they be trained?

Five components of resilience – robustness, redundancy, resourcefulness, response and recovery

January 24, 2013

Adapted from the WEF Global Risks 2013 Report  (Minimal editing to focus discussion on “an organization” rather than “a country”)

Resilience Characteristics (Robustness, Redundancy and Resourcefulness)

The following three components of resilience are used to describe an organization’s state of resilience. These components should be designed into a system and, as such, will enable assessments of an organization’s inherent resilience capabilities.  

A. Robustness

Robustness incorporates the concept of reliability and refers to the ability to absorb and withstand disturbances and crises. The assumptions underlying this component of resilience are that: 1) if fail-safes and firewalls are designed into an organization’s critical networks, and 2) if that organization’s decision-making chains of command become more modular in response to changing circumstances, then potential damage to one part of an organization is less likely to spread far and wide.

Example of Attributes

— Monitoring system health: Regularly monitoring and assessing the quality of the subsystem ensures its reliability.

— Modularity: Mechanisms designed to prevent unexpected shocks in one part of a system from spreading to other parts can localize their impact; the absence of such mechanisms is what allowed the contagion from investment banking to retail banking during the 2007-2008 financial crisis.

— Adaptive decision-making models: Networked managerial structures can allow an organization to become more or less centralized depending on circumstances, such as when branch offices of the Japanese retailer Lawson’s continued operating through the serious disruptions of the Great East Japan Earthquake in 2011.  These measures can include having in place the right investment and incentive structures to overcome competing interests.

B. Redundancy

Redundancy involves having excess capacity and back-up systems, which enable the maintenance of core functionality in the event of disturbances.  This component assumes that an organization will be less likely to experience a collapse in the wake of stresses or failures of some of its infrastructure if the design of that organization’s critical infrastructure and institutions incorporates a diversity of overlapping methods, policies, strategies or services to accomplish objectives and fulfill purposes.

Examples of Attributes

— Redundancy of critical infrastructure: Designing replication of modules which are not strictly necessary to maintaining core function day to day, but are necessary to maintaining core function in the event of crises.

— Diversity of solutions and strategy: Promoting diversity of mechanisms for a given function. Balancing diversity with efficiency and redundancy will enable organizations to cope and adapt better than those that have none.

C. Resourcefulness

Resourcefulness means the ability to adapt to crises, respond flexibly and, when possible, transform a negative impact into a positive.  For a system to be adaptive means that it has inherent flexibility, which is crucial to resilience.  The assumption underlying this component of resilience is that if organizations can build trust within their networks of suppliers, employees and customers and are able to self-organize, then they are more likely to spontaneously react and discover solutions to resolve unanticipated challenges when larger industry and community institutions and governance systems are challenged or fail.

Example of Attributes

— Capacity for self-organization: This includes factors such as the extent of social and human capital, the relationship between social networks and organizational structures, and the existence of institutions that enable face-to-face networking.  These factors are critical in circumstances such as failures of government institutions, when organizations need to self-organize and continue to obtain essential services.

— Creativity and innovation: The ability to innovate is linked to the availability of spare resources and the rigidity of boundaries between disciplines, departments and social groups within the organization.

Resilience Performance (Response and Recovery)

These two components of resilience describe how a system performs in the event of crises. They provide evidence of resilience when actual crises occur.  Response and recovery are dependent on risk, event and time. These components will provide the ability to compare systems and feed the measurements and results to calibrate the resilience characteristics.

D. Response

Response means the ability to mobilize quickly in the face of crises. This component of resilience assesses whether an organization has good methods for gathering relevant information from all parts of society and communicating the relevant data and information to others, as well as the ability for decision makers to recognize emerging issues quickly.

Example of Attributes

— Communication: Effective communication and trust in the information conveyed increase the likelihood that, in the event of a crisis, stakeholders are able to disseminate and share information quickly, and to ensure cooperation and quick response from the audience.

— Inclusive participation: Inclusive participation among all stakeholders can build a shared understanding of the issues underpinning crises and acute risks to the organization, reduce the possibility of important interdependencies being overlooked, and strengthen trust among participants.

E. Recovery

Recovery means the ability to regain a degree of normality after a crisis or event, including the ability of a system to be flexible and adaptable and to evolve to deal with the new or changed circumstances after the manifestation of a risk.  This component of resilience assesses the organization’s capacities and strategies for feeding information throughout the organization, and the ability of decision-makers to take action to adapt to changing circumstances and to incorporate new situations into business strategies.

Example of Attributes

— Active “horizon scanning”: Critical to this attribute are multi-stakeholder processes tasked with uncovering gaps in existing knowledge and commissioning research to fill those gaps.

— Responsive feedback mechanisms: Systems to translate new information from horizon-scanning activities into action – for example, defining “automatic policy adjustments triggers” – can clarify circumstances in which policies must be reassessed.

As an example of the overlapping and complementary nature of these attributes, inclusive participation is listed as a key attribute of response, but it is also vital in other areas such as recovery and resourcefulness. Also inherent in all resilience characteristics, though referenced above only in the attribute of adaptive decision-making models, are investment and incentive structures and design requirements to overcome collective action problems and competing interests. There are many individual stakeholders who would benefit from greater shared resilience but currently lack either the incentive or feel too pressed for time and resources to take the necessary actions.

What Do Your Threats Look Like?

December 6, 2012

Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and the like.  When one of these threats is thought to be imminent, people will often cooperate with a collective ERM scheme, if one is offered.  But when the threat actually happens, there are four possible responses: cooperation with the disaster plan; becoming immobilized and ignoring the disaster; panic; and anti-social advantage taking.  Disaster planning sometimes goes no further than developing a path for people with the first response.  A full disaster plan would need to take into account all four reactions.  Plans would be made to deal with the immobilized and panicked people and to prevent the damage from the anti-social.  In businesses, a business continuity or disaster plan falls into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity.  It is extremely difficult to survive with risks that are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant.  So the Severe and Intense threats that a business faces are usually the Low Likelihood/High Severity ones.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats.  This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon.  For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation.  Or else a new source of large losses emerges from an existing area of coverage.  Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980’s when money market funds threatened to suck all of the money out of insurers, or in the 1990’s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks.  Keeping track of the magnitude of several different risk types and their interplay is itself a complex task.  Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind.  But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process.  A firm may have different teams doing risk assessment, risk mitigation and assurance for each separate threat.  This can only make sense when the rewards for taking these risks are large, because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition, when a system is reorganizing itself.  “Uncertain” has been the word most often used in the past several years to describe the current environment.  We just are not sure what will be hitting us next.  Neither the type of threat nor its timing, frequency or severity is known in advance.

Businesses operating in less developed economies will usually see this as their situation.  Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat.  The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time.  But taking up new activities with other unique threats is less of a problem under this mode.  Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings.  Small stuff.  Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within the firm can be separately authorized to undertake activities that expand the threats to the firm.  The individuals all operate under some rules that put boundaries around their freedom, but most often these firms police those rules after the action rather than with a process that prevents infractions.  At the extreme of the low cooperation mode, enforcement is very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM.  Risk Management is usually separate and adversarial.  The idea is to allow the risk takers the maximum degree of freedom.  After all, they make the profits of the bank.  The idea of VaR is purely to monitor earnings fluctuations.  The risk management systems of banks had not even been looking for any possible Severe and Intense Threats.  As their risk shifted from simple “Credit” or “Market” risk to very complex instruments that had elements of both, with highly intricate structures, there was not enough movement toward the highly organized mode of risk management within many banks.  Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats.  (Or the risk staff saw the problem, but were not empowered to force action.)  The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.

Tug of War Between Intertwined Roles

December 3, 2012


A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

Knowing and Thinking must be linked to Doing

November 26, 2012

“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”

Too few risk managers are actually empowered to DO anything.  Human nature then leads these disempowered risk managers to elevate the importance of the things that they are empowered to do.  Knowing and Thinking are two of those things.

It is of course important to KNOW your risks and the possible paths to loss that go with each risk, as well as the current status of your exposures.  Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about its risks, it can be counted on to react.  But that assumption is usually unstated, and the reaction itself is not required.  Perhaps regulators shy away from going any further in their prescriptions because they lack the authority.

Risk Management systems, such as ISO 31000, build up a massive infrastructure of steps that are required to support the KNOWing objective.  A risk manager applying ISO 31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.

Nason is right to suggest that THINKing is a step further.  But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.

The risk manager who wants to be effective must start with the end in mind (see Covey).  DOing must be the purpose of a risk management system.  A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.

Getting Started in a Risk Management Career

November 10, 2012

RISKVIEWS got an email request…

I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you choose the consulting risk management side over more of a singular corporation risk management position?”  My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go.   Daniel Gable

Daniel, some Risk Management career paths are very new.  New enough that there are not yet any people who entered the field out of college and who are now in retirement.  Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs.  But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership.  Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management.  So their senior staff positions will have some people who also did not start out in a risk management career.

RISKVIEWS’ perspective is that risk management will be best served by a balance of highly trained risk management specialists along with a significant number of people with broader business perspectives, and especially experience working in the areas where the risk is taken on.

The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.


The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions.  Only an extremely small number of players can excel at both offense and defense.  Most players in most sports are much better at one or the other.  Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.

But only some risk management work can be accomplished by highly trained, technically competent risk managers.  Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong.   To get this experience, one needs to have lived in the business, and to understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in.  This is all experience that is very difficult to get working from within the risk management program.

At the top of the risk management system is a Chief Risk Officer.  Like most senior executives, this person will need a high degree of leadership/managerial/political skills.  Perhaps much more so than most of the people who work in the risk management program.  In the last year or so, there has been a steady stream of bank CROs moving to CEO positions.  So in many places, it is a position with a serious future.

Finally, Daniel asked about consulting vs. working inside a company.  First of all, many consulting firms hire few if any entry level people.  They usually look for people with at least a few years of experience inside the kinds of firms that they are likely to consult for.  Once you have enough experience to have a choice, the option is breadth vs. depth.  RISKVIEWS has over ten years of experience in both situations.  Inside a company, a person may get the chance to develop a deep understanding of one or several aspects of the company’s operations.  Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well.  Many corporate jobs are also in a fixed location, which suits people who have strong reasons to want to be home most nights.  While there is some uncertainty about the continuation of corporate jobs, many jobs are secure for a decade or more at a time.  Consulting positions, on the other hand, let a person get a very broad perspective on the many different ways that things are being done in the industry.  Consulting often offers the possibility of doing different work without it having a significant impact on career path.  Consultants often travel, some a little and most quite a bit; an advantage for some and a big disadvantage for others.  Consulting work is insecure; often it is unknown what work a consultant will be doing in six months.  Some people are very excited by the variety and uncertainty of consulting work.  Consultants need to have excellent communication skills, especially the “client facing” consultants.

In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar.  A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.

Daniel is studying Finance as well as Risk Management.  RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.


Performance Pressure

September 22, 2012

It has become a pretty standard part of business management practice. Every year, the demand is for MORE with the same or fewer resources and in the same or less time.  The latest requirement to be a senior manager is the ability to stare a subordinate straight in the eye and demand that they significantly enhance productivity again when you have absolutely no idea how they will pull that rabbit out of their hat.

One very common way to work this magic is to spend fewer resources on things like risk management.  Risk Management is rarely one of those places where more productivity is being required.  In fact, during this productivity discussion, risk management is almost never mentioned.  That is the hint that risk management is one of the areas where adjustments can be made to pick up some slack.

In a firm without a clear risk management culture, risk management will often just be skipped altogether.  End of story.

But in a firm with a strong risk management culture, that would never be an acceptable course of action.  What instead will happen is that substitutions will be made.  Less time spent on risk management, less frequent checking of the need for mitigation.  Less, Less, Less.

And if this happens in “normal” times, then there will be no feedback from the environment that there is any problem with Less Risk Management.  If the original intention of the Risk Management was to protect against all but 1 in 100 year losses and there is a drift, an easing into Less Risk Management, then what was thought to be a 1/100 loss might become a 1/10 loss.  There is still a 90% chance that the extreme loss will not happen.

That is the “Drift into Failure” of the Safety Engineers.  In the book of that title, Dekker tells of an airplane maintenance schedule that drifts over time from the manufacturers recommended 350 hours of flight time to 2500 hours of flight time.  Then one maintenance cycle was skipped and a plane crashed.  The drift from 350 hours to 2500 hours was not one big decision.  It was many little decisions, each moving things up only 10% to 20%.  Skipping just one maintenance was not a big decision either.  Things were tight one month and they needed the plane.

So Risk Management procedures need to allow for the natural drift caused by Performance Pressure.  And for a normal degree of mistakes, like skipping a scheduled maintenance.

At JP Morgan, the Chief Investment Office did not start out making gigantic trades for profit.  They were doubtless like lots of other hedging operations.  One quarter, they saw an odd situation where a profit could be made with a fairly high degree of certainty.  So they asked permission and took a small gain.  They were then told to look for other similar opportunities.  After a while, they started to get a profit goal along with all the other business units.  Like LTCM, they must have hit a period where such profit making opportunities stopped falling into their laps.  So they started to go very big on something with a small reward.  One decision at a time.  And probably with risk management oversight that was one or two stages of their evolution behind.

It may well not have been one big bad wrong decision, it may well have been a series of small seemingly easy, sensible decisions that together spelled disaster.

But no one looked at them all together.

Rounding Up to Reduce Drift into Failure and Maintain Risk Karma

July 31, 2012

So what to do about Drift into Failure?

Think of DIF in simple math terms.  At every turn in the calculation, you are rounding down or truncating the values that you calculate.  With that process, your result will always be low.  Not always noticeably low, but with a bias to be below the value that you would have calculated by carrying all of the decimal places forward.

With a Risk Management or Safety system, it is the same thing.  If checking ten times will give a .9999 guarantee of safety, then nine times should be good enough.  If lubricating weekly produces no failures, how about lubricating every 9 days.  And so on.  If a hedge that is 98% effective works out fine most days, how about a hedge that is 96% effective.  A $5 million retention works, why not move it to $5.5 million.

In every case, the company rounds down.

So the practice that is needed to reduce DIF is to occasionally round up.  One year, try rounding up on half the risk systems.  Make the standards just a tiny bit tighter a few times.  Balance things that way.  Think of your firm as accumulating bad karma by allowing the shortcuts, the rounding down on the risk management and safety systems.  Protect the karma, by going the other way in the same sort of imperceptible small steps that are the evidence of the DIF.

Stop Drifting.   Join the Fight Against Bad Risk Karma Today.
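The arithmetic of the maintenance example and the rounding-down argument above, as an added illustration (this code is not from the original post): each review compares the new setting only with the last one, so a 15% loosening always looks small, while an audit that compares with the original baseline sees the compounding. The 350-hour and 2,500-hour figures are Dekker’s as quoted above; the 15% step, the review tolerances and the every-other-review round-up schedule are assumptions chosen for the illustration.

```python
"""Drift into failure as arithmetic: small relaxations compound, and each one
looks acceptable against the previous setting. Only a comparison with the
original baseline sees the whole drift. Added illustration; the 15% step,
the tolerances and the round-up schedule are assumed, not from the post."""
import math


def apply_step(value, step):
    """step > 0 loosens the control by that fraction ('rounding down');
    step < 0 tightens by dividing the same fraction back out ('rounding up')."""
    return value * (1.0 + step) if step >= 0 else value / (1.0 - step)


def trajectory(baseline, steps):
    """Settings after each review, starting from the baseline."""
    path = [baseline]
    for s in steps:
        path.append(apply_step(path[-1], s))
    return path


def reviews_to_reach(baseline, limit, step):
    """How many equal relaxations of `step` move the baseline past `limit`."""
    return math.ceil(math.log(limit / baseline) / math.log(1.0 + step))


def audit(baseline, path, per_step_tol, cumulative_tol):
    """Return (reviews that broke the per-step tolerance, whether the total
    drift from baseline broke the cumulative tolerance). The usual review
    applies only the first check; the drift is caught by the second."""
    too_big = [
        i for i in range(1, len(path))
        if path[i] / path[i - 1] - 1.0 > per_step_tol
    ]
    total_drift = path[-1] / baseline - 1.0
    return too_big, total_drift > cumulative_tol


def round_up_schedule(n_reviews, step, round_up_every):
    """Relax by `step` at each review, except every `round_up_every`-th
    review, which tightens by the same fraction instead."""
    return [(-step if i % round_up_every == 0 else step)
            for i in range(1, n_reviews + 1)]


if __name__ == "__main__":
    # Dekker's maintenance interval: 350 flight hours drifting to 2,500.
    n = reviews_to_reach(350, 2500, 0.15)
    drifted = trajectory(350, [0.15] * n)
    print(n, "reviews of +15% reach", round(drifted[-1]), "hours;",
          "audit:", audit(350, drifted, 0.20, 0.50))
    balanced = trajectory(350, round_up_schedule(n, 0.15, 2))
    print("with every other review rounding up:", round(balanced[-1]),
          "hours; audit:", audit(350, balanced, 0.20, 0.50))
```

Fifteen reviews, none of which breaks a 20% per-step tolerance, carry the interval from 350 hours past 2,500; the same number of reviews with every other one rounding up leaves it where it started, and only the baseline comparison in the audit distinguishes the two cases.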

When You Find Yourself in a Hole, Stop Digging

July 2, 2012

Attributed to Will Rogers

Who knew that Will Rogers was a closet Risk Manager.   He must have been, because that is great risk management advice.

If you have too much of something – the first thing that you should do is to STOP ADDING to your position.

We do not yet have the full story, but it is pretty safe to guess that neither MF Global nor JP Morgan followed that idea.  It seems fairly obvious that at some point each had a position that was already too big and then ADDED to it.

The bank/hedge fund trading mentality suggests that the traders who really have cojones will be able to keep raising the size of their position until the market breaks.

Insurance companies harbor the same mentality, except that they are never on the big-win side of the bet.  Insurers win small on any one bet; they win if there is no claim.  But even that lopsided situation does not stop insurers from loading up on bets where they already have too much.

So the answer is to invite Will Rogers into your limit protocol.  When you are setting or reviewing your limits for the next period, set a new WILL ROGERS LIMIT.  The WILL ROGERS LIMIT (WRL) is the point where you automatically stop adding to your position unless there has been a discussion and an exception to the WRL has been granted.

And that is what risk management is all about.  Just thinking ahead.  It is not magic.  Just listening to the great risk managers of the past.
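One way to put the Will Rogers limit into a pre-trade check, as an added example rather than anything from the original post: reductions always pass, adding beyond the WRL needs a recorded exception, and a separate hard limit that no exception can override is assumed here (the post introduces only the WRL). The position name, the limit values and the exception note are constructed.

```python
"""Pre-trade check with a Will Rogers limit (WRL): at or beyond the WRL, any
trade that adds to the position is refused unless a documented exception is
on file. Reductions always pass. Assumed (not from the post): a separate hard
limit that no exception can override."""
from dataclasses import dataclass, field


@dataclass
class Position:
    name: str
    exposure: float                  # signed notional, same units as the limits
    wrl: float                       # Will Rogers limit: stop adding here
    hard_limit: float                # assumed absolute ceiling, never overridable
    exception_ceiling: float = 0.0   # raised WRL after a discussion, if any
    exception_note: str = ""
    log: list = field(default_factory=list)

    def grant_exception(self, ceiling, note):
        """Record the discussion that lets the desk add beyond the WRL,
        up to `ceiling`; the hard limit still caps it."""
        self.exception_ceiling = min(ceiling, self.hard_limit)
        self.exception_note = note
        self.log.append(f"exception to {self.exception_ceiling}: {note}")

    def check_trade(self, delta):
        """Return (allowed, reason) for a trade changing exposure by `delta`."""
        new = self.exposure + delta
        if abs(new) <= abs(self.exposure):
            return True, "reduces or keeps position; never blocked"
        if abs(new) > self.hard_limit:
            return False, f"would breach hard limit {self.hard_limit}"
        if abs(new) > self.wrl:
            if abs(new) <= self.exception_ceiling:
                return True, f"adding beyond WRL under exception: {self.exception_note}"
            return False, f"WRL {self.wrl} reached: stop digging, discuss before adding"
        return True, "within WRL"

    def trade(self, delta):
        """Apply the check, book the trade if allowed, and log either way."""
        allowed, reason = self.check_trade(delta)
        if allowed:
            self.exposure += delta
        verdict = "OK" if allowed else "BLOCKED"
        self.log.append(f"{verdict} {delta:+} -> {self.exposure}: {reason}")
        return allowed


if __name__ == "__main__":
    # Constructed position: 90 long, WRL at 100, assumed hard limit at 150.
    p = Position("cds_index_book", exposure=90.0, wrl=100.0, hard_limit=150.0)
    for d in (5.0, 10.0, -20.0):
        p.trade(d)
    p.grant_exception(120.0, "reviewed at the limit meeting")
    for d in (40.0, 10.0, 40.0):
        p.trade(d)
    print("\n".join(p.log))
```

The check is symmetric in sign, so a short book that keeps selling is stopped the same way as a long one that keeps buying; the log is the record that a discussion, not a trader’s conviction, is what moved the limit.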

Quantity, Quality and Variety

June 12, 2012

Another way to think of ERM is to focus on just three things:

  • Quantity of Risk – is the usual focus on what can be measured.
  • Quality of Risk –  is something that is often left out – it relates to how well you are controlling that what you have is what you think you have.  The lowest quality risk might well turn out to be anything at all.
  • Variety of Risk – is what you need for resilience.  No matter how well you control the quantity and quality of risk, if you are not making sure that you have variety, then you have a mono culture.  Monocultures look great – until they die out all at the same time.

CRO is not the Moral Compass

May 29, 2012

The American Banker has a new column on risk management.  The first article is here.  Clifford Rossi makes some good points about the JP Morgan story.  But Riskviews takes issue with one point that he makes…

The paradigms of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same: losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Stearns and Lehman, folks who were involved all say that it was just a liquidity issue. If they had just had a little more funds, they would have made the trades that would have brought the firm back.

The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.

Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand and are fully aware and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require to be notified about others.

In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.

However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager.  The loss that resulted would be a decision that did not work out as intended, not even necessarily a bad decision.  All decisions do not work out well.  And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.

If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.

Black Swan Survival Kit for Investors

May 16, 2012

From Black Swans and Crude by Liz Ann Sonders, her tips for investing in a sideways market:

  • Be diversified, especially now that asset-class correlations have begun to recede toward normal levels.
  • If you like to be opportunistic, keep some powder dry in highly liquid investments for both cash needs and some flexibility to take advantage of volatility.
  • Consider more frequent rebalancing if volatility reasserts itself, allowing you to sell into strength and buy into weakness.
  • Focus on your long-term goals and not short-term market dips so you’re less likely to fall prey to panic selling (or buying).
  • Review your portfolio and asset allocation to confirm your risk tolerance matches your financial goals.

These suggestions line up well with the Pragmatist risk attitude of Plural Rationalities.  That is good because the Pragmatists expect an Uncertain Environment, which is what we hear over and over that we are experiencing.

A Pragmatist will seek to diversify.  Not only will they want to diversify their risks, as Ms. Sonders suggests in her very first point, but they will also be diversifying their approach to risks.  Pragmatists will sometimes look to limit their losses with a Conservator style risk management approach, to aggressively pursue profits with a Maximizer style approach, and even sometimes to look at risk vs. reward in a Manager style approach.

Notice the interesting twist in her first point “now that asset-class correlations have begun to recede”.  You see that she is not a card carrying Pragmatist either.  She fundamentally believes that the world should return to an orderly state where correlations and volatilities are more stable.

Mathematically, that is how you can define the uncertain market of the times – variable volatility and variable correlations, variable drift.  A market model that cannot support trading.

The models for the other three environments might be:

  • Boom – positive drift, low and stable volatility, low and steady correlations.
  • Bust – negative drift, low volatility, high correlations.
  • Moderate – near zero drift, moderate but stable volatility, moderate but stable correlations.

In her second point, she tells how to be ready for when the environment goes back to Boom or Moderate: by taking the classical Pragmatist position of being under-invested.

But the Pragmatist approach to risk is not really a Black Swan survival approach.  If you really believe that a Black Swan event is coming, you would have the Conservator view of risk.  That would lead you to move to a much lower expected upside and also a much lower likelihood of failure of your portfolio.  In its purest form, the Conservator would accept almost no chance of total ruin.  In actual practice, most Conservator leaning firms will accept risks that might cause a failure of the firm, but only if they have long experience with those risks and feel that they have them totally under their control.

Must have more than one View of Risk

May 14, 2012

Riskviews finds the headline Value-at-Risk model masked JP Morgan $2 bln loss to be totally appalling. JP Morgan is of course famous for having been one of the first large banks to use VaR for daily risk assessment.

During the late 1980’s, JP Morgan developed a firm-wide VaR system. This modeled several hundred risk factors. A covariance matrix was updated quarterly from historical data. Each day, trading units would report by e-mail their positions’ deltas with respect to each of the risk factors. These were aggregated to express the combined portfolio’s value as a linear polynomial of the risk factors. From this, the standard deviation of portfolio value was calculated. Various VaR metrics were employed. One of these was one-day 95% USD VaR, which was calculated using an assumption that the portfolio’s value was normally distributed.
With this VaR measure, JP Morgan replaced a cumbersome system of notional market risk limits with a simple system of VaR limits. Starting in 1990, VaR numbers were combined with P&L’s in a report for each day’s 4:15 PM Treasury meeting in New York. Those reports, with comments from the Treasury group, were forwarded to Chairman Weatherstone.

from History of Value-at-Risk: 1922-1998 by Glyn Holton
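As an added illustration (not code from the original post, from JP Morgan or from RiskMetrics), here is the delta-normal process quoted above, positions’ deltas aggregated against a covariance matrix and scaled to a one-day 95% normal quantile, placed next to a historical-simulation VaR on the same book, which is one simple way of not relying on a single measure.  All positions, factor deltas and return histories are constructed, and `sample_cov`, `parametric_var`, `historical_var` and `compare_measures` are this example’s own helpers:

```python
"""Two risk measures on one linear book: the delta-normal VaR described in the
quoted JP Morgan process, next to a historical-simulation VaR on the same
positions and history.  Added example with constructed data; not JP Morgan's
or RiskMetrics' code."""
import math
import random

Z_95 = 1.6449  # one-sided 95% quantile of the standard normal distribution


def sample_cov(returns):
    """Sample covariance matrix (n-1 denominator) of daily factor-return rows,
    the quarterly-updated matrix of the quoted process."""
    n, k = len(returns), len(returns[0])
    means = [sum(row[j] for row in returns) / n for j in range(k)]
    cov = [[0.0] * k for _ in range(k)]
    for row in returns:
        for i in range(k):
            for j in range(k):
                cov[i][j] += (row[i] - means[i]) * (row[j] - means[j]) / (n - 1)
    return cov


def portfolio_sigma(deltas, cov):
    """Standard deviation of the book's value, sqrt(d' C d): the book is treated
    as a linear polynomial of the risk factors, as in the quoted process."""
    k = len(deltas)
    var = sum(deltas[i] * cov[i][j] * deltas[j] for i in range(k) for j in range(k))
    return math.sqrt(var)


def parametric_var(deltas, cov, z=Z_95):
    """Delta-normal one-day VaR; assumes the book's P&L is normally distributed."""
    return z * portfolio_sigma(deltas, cov)


def historical_var(deltas, returns, confidence=0.95):
    """Historical-simulation VaR: re-price the linear book on every observed day
    of factor moves and take the loss at the (1 - confidence) quantile.  No
    distributional assumption, so fat-tailed days show up directly."""
    pnl = sorted(sum(d * r for d, r in zip(deltas, day)) for day in returns)
    idx = int(math.floor((1 - confidence) * len(pnl)))
    return -pnl[idx]


def compare_measures(deltas, returns):
    """Both measures on the same positions and the same history."""
    cov = sample_cov(returns)
    return {"parametric": parametric_var(deltas, cov),
            "historical": historical_var(deltas, returns)}


def constructed_history(days=250, seed=7):
    """Constructed factor returns (three factors, mostly Gaussian, with a few
    days where all factors drop together) standing in for the daily data
    trading units would report."""
    rng = random.Random(seed)
    rows = []
    for day in range(days):
        if day % 50 == 25:  # constructed shock day: correlated move down
            rows.append([-0.06, -0.05, -0.04])
        else:
            rows.append([rng.gauss(0, 0.01), rng.gauss(0, 0.012), rng.gauss(0, 0.008)])
    return rows


if __name__ == "__main__":
    deltas = [5_000_000, -2_000_000, 3_000_000]  # constructed factor deltas, USD
    for name, value in compare_measures(deltas, constructed_history()).items():
        print(f"{name:>10} one-day 95% VaR: {value:,.0f} USD")
```

Running the script prints both figures for the constructed book.  Where the two disagree materially, that disagreement is itself the risk information the post argues for: the parametric number is only as informative as the normality assumption and the covariance estimate behind it, and the historical number only as informative as the window of days it was drawn from.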

JP Morgan went on to spin off a group, Riskmetrics, who sold the capability to do VaR calculations to all comers.

Riskviews had always assumed that JP Morgan had felt safe selling the VaR technology because they had moved on to something better.

But the story given about the $2 billion loss suggests that they were flubbing the measurement of their exposure because of a new risk measurement system.

Riskviews would suggest two ideas to JP Morgan:

  1. A firm that makes its money taking risks should never rely upon a single measure of risk.  See Risk and Light and the CARE Report for further information.
  2. The folks responsible for risk evaluation need to apply some serious standards for their work.  Take a look at the first attempt of the actuarial profession at standards for professionals performing risk evaluation in ERM programs.  This proposed standard suggests many things, but the most important idea is that a professional who is evaluating risk should look at three things: the risk taking capacity of the firm, the risk environment and the risk management program of the firm.

These are fundamental principles of risk management.  Not the only ones, but principles that speak to the problem that JP Morgan claims to have.

Old Risk Management Programs – 10 ERM Questions from Investors – The Answer Key (7)

April 2, 2012

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM. Riskviews gave them 10 but they were trick questions. Each one would take an hour to answer properly. Not really what the analyst wanted. Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key. Here it is:

Every company has legacy risk management programs.  Some are being dutifully followed, some have been abandoned and some are actually still alive and well.  The best answer to this question would be that the company has a process for periodically assessing all of its ERM programs: that there is an aging metric for risk treatment processes, and that whenever a risk treatment process has gone three years without any changes or updates, a review is triggered.  In that review, the risk staff assess whether the risk treatment is still needed, whether it is still effective and whether it can be updated to take advantage of new developments.

One particular concern is whether changes elsewhere in the company have created a need for major increases or decreases in the tolerance for the risk being treated.  It is quite possible that changes elsewhere in the risk profile of the firm mean that there may now be natural offsets to the old risk and the risk treatment can be reduced.  It is also possible that the risk treatment program was put in place assuming that the risk would grow to a size that would make it material to the risk profile of the firm.  If that growth has not materialized, or if growth elsewhere in the firm has changed the scale considerations, then the materiality of the risk and the resulting need for the risk treatment program need to be reassessed.

Of course, it also could be true that the level of risk treatment activities that were put in place in the past may be found to be inadequate and need to be increased.  This could be because the understanding of the risk has changed and the risk treatment is less effective than initially thought.  Or it may be that the risk environment has heightened and the risk per unit of activity is currently higher than assumed in determining the approach to risk treatment.

The cost of the risk treatment program should also be assessed.  There may now be different alternatives for achieving the same effectiveness of risk treatment for a lower cost that were not available previously.

This is important because everyone tends to forget old risks.  They just assume that since they have not been mentioned for some time that they have gone away.  But in many cases, old risks of insurers tend to linger.  And if the risk treatment programs that are supposed to be controlling those risks are being handled in an autopilot sort of mode, those risks might erupt into a totally unexpected problem if there is any stress.

Risk Management for the Real Economy

February 15, 2012

ZURICH—In another move to rein in compensation, UBS AG notified employees it will claw back part of the bonuses due to its best-paid investment bankers, according to a person familiar with the matter.

The action by Switzerland’s largest lender by assets is likely to further upset some top employees at a bank that already has faced problems retaining top talent and is now in the midst of a revamp of its investment bank. The UBS board has decided to take back 50% of share-based bonuses awarded last year to investment bankers whose bonuses exceeded two million Swiss francs.

Wall Street Journal, 9 February, 2012

A claw back of bonuses.  This totally changes the risk reward for employees.

Banker pay is shrinking.  See Forget the big bonuses; a pay squeeze is coming.  Tett puts banker pay into a very long term historical perspective.  It seems that the last time banker pay was this high was right before the Depression.  Is that a coincidence?

The reason why banker pay matters so much is that finance does not follow the same economic laws of supply and demand as physical goods.  Many people talk as if they do, but there is at least one major difference that was clearly evidenced in the run up to the financial crisis.  Scarcity does not apply to financial goods.  So there is no natural limiting feedback loop.  Remember what happened with CDOs related to mortgages?  When demand went up, price didn’t.  Supply leaped instead.  Synthetic CDOs filled the need and there is an unlimited supply of synthetic financial assets.

The amount of financial goods compared to the rest of the economy is therefore totally flexible.  Think about it for a minute.  The world cannot be any more wealthy because there are more financial goods.  The sole result of the expansion of financial goods is to tilt the ownership of the wealth of the world away from the real economy and towards the banks and others in finance.

Limiting banker pay limits the incentive to inflate the financial system.  Clawbacks mean that when the bankers and others in finance do manage to push those financial goods up anyway, any excess compensation that results can be recovered when the excess of financial goods reverses itself.

So both of these measures are Risk Management for the Real Economy.

Chief Scapegoat in Waiting

February 1, 2012

The position of Chief Risk Officer is perilous.

Just watch Demi Moore get fired in Margin Call.  She said that she had sounded the alarm a year earlier about the risky trades that were the main topic of the film.  But her warnings were obviously not heeded, and when things turned out poorly as she had warned, she was fired as the scapegoat.


Just read the stories about the two Chief Risk Officers at MF Global.  Both of them sounded alarms about the trades that eventually bankrupted the firm.  Roseman left over the issue.  Stockman is testifying to Congress about exactly when he determined that the trades were too risky.

A House committee is expected to disclose on Thursday that MF Global, under Jon S. Corzine, stripped critical powers from its top executive in charge of controlling risk, according to a person briefed on the matter. NYTimes

Riskviews suggests that they have it all wrong.  Corzine is the one who is responsible for the risk management of MF Global.  No one is suggesting that Corzine was ill served by his CRO.  Instead, the discussion suggests that the board should have listened to the CRO and not the CEO.  Easy to say in hindsight.  But in fact, the CRO is an agent of the CEO.  If the board sets up the CRO as their agent within the firm who can trump the CEO, then the board is overstepping its role.  If the board does not like what the CEO is doing, the board has the responsibility to replace the CEO.

If the board wants to know more about the risk of the firm than the CEO wants to tell, then the board should not be going around the CEO to people who work for the CEO.

Congress should be talking to the board members who repeatedly approved Corzine’s decisions.  The CRO is now being used as a scapegoat by the board and by Congress.

The position of CRO at a firm that does fail is even more perilous than usual for that position.  When the firm fails or comes close to failure, the CRO can become the scapegoat for failure to act.  And the fact that the CRO did not have the authority, does not change that process at all.

That is because there is a myth that the CRO is in charge of preventing bad things from happening.  That is not the case.

The CRO job is to make sure that management has the tools and the people and the information to prevent bad things from happening.  Only if the CRO is set up as someone with MORE authority in the organization than the CEO should the CRO be held responsible when bad things that they did warn about do happen.

72 Risk Management Quotes added in 2011

December 26, 2011

And the total library of Risk Management quotes now has about 250 quotes.  Here are my 10 favorites:

“Every person takes the limits of their own field of vision for the limits of the world.”  Arthur Schopenhauer

Life is a series of failures punctuated by brief successes. James Altucher

Managing risk is not just about assessing and monitoring all the things that could go wrong. Rather it is about understanding all the things that need to go right for an organization to achieve its mission and objectives.  UN Joint Staff Pension Fund ERM Policy Statement

Across the grand sweep of history, the relationship between risk and return has been loose and variable.  Warren Hatch

“Call on God, but row away from the rocks.” Hunter S Thompson

“It don’t matter how hard you hit if you cannot take a punch” from the song Lend a Hand by Jakob Dylan

Don’t forget that people sometimes make very silly mistakes, especially when dealing with derivatives. Kevin Dowd

Frankly, I’m suspicious of anyone who has a strong opinion on a complicated issue.  Scott Adams

People are disposed to get angry and punish those who violate the models that they themselves are using, but the targets of such sanctions often do not acknowledge that that particular model applies, or that their acts were transgressions, so they perceive the intended sanctions as illegitimate aggression.   Alan Fiske

“everyone has a plan ’till they get punched in the mouth”  Mike Tyson


The Importance of Managing Risk Quality

October 10, 2011

One possible reason that insurers might need to regularly perform the difficult and expensive process of calculating Economic Capital is that they lack any significant Risk Quality control process.  They do not know the quality of the risks that they write and they have no existing process for monitoring changes in risk quality and acting upon those changes to bring risk quality back into line.

What is this mysterious Risk Quality, you ask?

Risk Quality is the amount of risk per unit of business activity.

The bottom up risk management process would then be to define the acceptable levels of Risk Quality for a business, to establish a risk underwriting process that determines the Risk Quality at the time a risk is considered for acceptance, and to establish processes for modifying the inherent Risk Quality so that the Risk Quality at the time of acceptance is acceptable.  Then, during the exposure period, the Risk Quality would be monitored to determine whether it had changed; if a change caused the residual risk to become unacceptable, the risk manager would again take steps to bring the risk back into the acceptable range.

With the Risk Quality bottom up type risk management system, the responsibility of the central staff is to verify whether the risk quality pieces add up to an acceptable amount of risk.  If they do, then the business unit managers have a clear process to manage.  They have a risk budget in the aggregate.  They know that their expected mix of business among the different classes of risk quality will fit with that budget, so their management process can then focus on the trade-offs between the different classes.

The quantum of risk can be calculated by a simple formula then:

Total Risk = Sum over all risk classes of (Risk per unit of business activity × amount of business activity) – diversification adjustment.
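A worked version of this formula, added here and not from the original post: standalone risk per class is risk per unit of activity times units of activity, and the diversification adjustment is computed from an assumed correlation matrix between the classes (one common convention; the post does not say how the adjustment is derived).  The class names, risk qualities, units, correlations and budget are constructed, and the budget check and re-quality step stand for the central-staff verification and the exposure-period monitoring described above:

```python
"""Total Risk = sum of (risk per unit x units) over risk classes minus a
diversification adjustment.  Added example with constructed figures; the
correlation-based adjustment is an assumed convention, not the post's."""
import math

# Constructed book: (class name, risk per unit of activity, units of activity)
RISK_CLASSES = [("property", 0.25, 12), ("liability", 0.5, 8)]
# Constructed correlation between the two classes (assumed independent here)
CORR = [[1.0, 0.0], [0.0, 1.0]]
RISK_BUDGET = 6.0  # constructed aggregate risk budget


def standalone_risks(classes):
    """Risk per unit of business activity times amount of activity, per class."""
    return {name: quality * units for name, quality, units in classes}


def total_risk(classes, corr):
    """Undiversified total is the plain sum of standalone risks; the diversified
    total is sqrt(s' R s) for standalone vector s and correlation matrix R
    (assumed convention); the adjustment is the difference between them."""
    s = list(standalone_risks(classes).values())
    n = len(s)
    diversified = math.sqrt(sum(s[i] * corr[i][j] * s[j]
                                for i in range(n) for j in range(n)))
    undiversified = sum(s)
    return {"undiversified": undiversified,
            "diversified": diversified,
            "diversification_adjustment": undiversified - diversified}


def within_budget(classes, corr, budget):
    """Central-staff step: do the risk quality pieces add up to an acceptable amount?"""
    return total_risk(classes, corr)["diversified"] <= budget


def requality(classes, name, new_quality):
    """Monitoring step: the risk quality of one class has changed during the
    exposure period, so rebuild the book with the new risk per unit."""
    return [(n, new_quality if n == name else q, u) for n, q, u in classes]


if __name__ == "__main__":
    print(total_risk(RISK_CLASSES, CORR))
    print("within budget:", within_budget(RISK_CLASSES, CORR, RISK_BUDGET))
    # Property risk quality doubles while the amount of business is unchanged
    worse = requality(RISK_CLASSES, "property", 0.5)
    print(total_risk(worse, CORR))
    print("within budget after change:", within_budget(worse, CORR, RISK_BUDGET))
```

The point the numbers make is the one in the post: with the pieces known per class, the central staff only needs the standalone figures and the correlation assumption to see whether the book fits the budget, and a change in risk quality in one class can push the whole book over the budget without any change in the amount of business written.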

Back in The Playroom

October 7, 2011

As the UBS story unfolds, we clearly see that banks still believe the story that they have been telling over the years.

The story of the recent “rogue trader” loss is that he made large trades and faked the offsetting position.

That makes sense only if you believe the story that the traders have been telling for years that it is not the gross positions, but the net positions that count.

RISKVIEWS wonders at what ultimate cost they will hold onto that idea?

The other similar idea is that the notional amount of a derivative is not important, just the price and the recent price volatility.

You see, the gigantic gross position with another gigantic gross position offsetting is just like a derivative contract.

So the two ideas are really the same.  And both totally wrong.  They are only correct if things stay nice and tame.

But the flaw in the two arguments is that things are not really guaranteed to stay tame.  Haven’t the banks noticed that yet?

When things are not tame, the recent price volatility is not any indication of future volatility.  The amount of the notional becomes a giant lever that can catapult the bank sitting with lots and lots of notional right out of the playroom.

It is starting to seem like the banks are making decisions on which ideas they will believe based upon a Peter Pan system.  If they close their eyes and really, really believe, then things will go back to when the playroom was really, really fun and they made lots and lots of money.

When things are not tame, those two gigantic offsetting positions are not guaranteed to move in opposite directions.  Doesn’t anyone remember why LTCM went bust?  For heaven’s sake, some of the offsetting positions that they lost hundreds of millions on were treasuries with only slightly different maturities.  THERE ARE NO RELIABLE OFFSETS.

Banks may want to consider a simple rule that is used by insurers.  For large transactions, have a limited number of responsible individuals who must personally authorize them.  (Note to bank HR departments – need to hire some.)  For extremely large transactions, require that the CEO personally authorize.  For multi-billion transactions, require board approval.

Why would any rational person who is running a bank give a trader on a desk authority to make a two billion transaction, even if there is supposed to be an offset somewhere?  What sort of playroom is a bank trading desk?

But the most important question, in RISKVIEWS’ mind, is why anyone would give these folks their hard-earned money to go out and gamble like that, offsetting positions or not?

The insanity WILL continue until investors get some sanity and insist on only giving money to banks that have sensible and transparent risk management rules that they actually follow.  

Exceeding Risk Limits – – 10 Investor Questions (8)

September 1, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

This sounds like a “when did you stop beating your wife” type question.  But it isn’t.  In fact it is the opposite.

The wrong answer is “we didn’t have any positions in excess of limits.”  That answer indicates that the limits are not effective.  Either they are too high, or else the company has a Berlin Wall type limit system – they shoot anyone who gets close.  That sort of limit system discourages thoughtful risk taking.  It insists on fearful risk taking.  Everyone will be so afraid of getting near the limits that each person will invent their own checkpoint that is lower than the limit.  They will stay below the checkpoint instead of the limit.  The Berlin Wall type of limit system ends up encouraging everyone in the company to create their own checkpoints.  It takes the decision making on risk out of top management’s hands.

The right answer is that the CEO knows that there have been breaches of the limits and knows why and knows what happened as a result of the breach.  The breaches are not a problem if they are low in both frequency and severity.

Having a few breaches means that the people who are empowered to take risks are also looking to find the best opportunities for the firm and are making every effort to make good deals.  They are working as hard as they can to win and they are sometimes a little over enthusiastic.  The company has a system that finds these instances and communicates them all the way up to the top, which they should.  Another reason why the CEO might say that there are no breaches is because the CEO is never told about the breaches.

And the consequences of breaches are important as well.  One firm once told RISKVIEWS that whenever there was a breach of a limit that management reacted by raising the limit!!!

That is equivalent to having no limits.  It might be a good result to raise the limit occasionally.  But the main reaction to breaching a limit should be to work to get the situation back to within the limit.  For market traded investments, the easiest option is to put on a hedge or to sell the position.  For insurance risk, the option is to obtain reinsurance.  Another reaction might be to cease to accept similar risks until that risk class is within the limit.  Finally, there may be a reaction that is some sort of sanction on the person who caused the breach.  In some cases the breach may be so significant and so clearly against the policies of the company that termination might be the sanction.  That is an unusual situation.  In some cases, a person is transferred either temporarily or permanently to a different position.  In some cases, the sanction might be an adjustment to bonus.  Most common is a reprimand.

The situations where the reaction is to raise the limit might be those where the limit breach was for a transaction that is clearly of exceedingly favorable prospects – one where the risk reward prospects are clearly superior.

In a company with a really vibrant risk management culture, the CEO might want to tell you a story as long and nuanced as the above.  Give that CEO extra points.

Be Honest about the Cost of Risk Management

August 29, 2011

The cost of risk management is not primarily salaries and other expenses for the risk management staff.

It is not even the cost of top management time that might be diverted to risk management from other topics.

The real cost of risk management is the cost of the activities that the firm undertakes to prevent or reduce losses.

That was brought home with Hurricane Irene this weekend.  To reduce possible losses, Riskviews spent several hours bringing inside personal things that might have been blown into the house, bringing the kayak in from the marina and filling up containers with extra water.  It will take another half day to put things back after the storm.

Almost all risk management activities have such costs.  Or else they have the opportunity costs that we also experienced this past weekend.  Most people on the eastern seaboard missed out on one opportunity or another because of the storm.

These are the costs of risk management because doing risk management means doing something different than you would have done without risk management.

This past weekend, at least in the New York area, Hurricane Irene was not as dangerous as the hurricane that we were all advised to prepare for.

Risk management is about changing future probabilities.  So that means that these costs will sometimes be incurred when the hurricane weakens before getting to you, or veers off into the ocean and does not even trouble the city.

Some managers are taught to make business decisions based upon cost benefit analysis.  With a cost benefit approach, many risk management actions will fall short.  That is because they will usually look at the actual cost and the experienced benefit.  Many risk management actions, such as hedging or reinsurance may have an expected cost – that means that your projection is that you will reduce profits by taking the risk management actions.

But the real benefit of risk management is the reduction of the likelihood that an adverse event will create unacceptable losses.  Whether that event happens or not and whether or not it is as adverse as expected, is not a primary consideration.  That information is a matter for calibration of the model used to project the likelihood of the adverse event.

So the sooner you have the conversation about the true cost of risk management the better.

And when you have that conversation, be honest.

Actuarial Risk Management Volunteer Opportunity

August 11, 2011

Actuarial Review of Enterprise Risk Management Practices –

A Working Group formed by The Enterprise and Financial Risks Committee of the IAA has started working on a white paper to be titled: “Actuarial Review of Enterprise Risk Management Practices”.  We are seeking volunteers to assist with writing, editing and research.

This project would set out a systematic process for actuaries to use when evaluating risk management practices.  Actuaries in Australia are now called upon to certify the risk management practices of insurers, and the initial reaction of some actuaries was that they were somewhat unprepared to do that.  This project would produce a document that could be used by actuaries and could be the basis for actuaries to propose to take on a similar role in other parts of the world.  Recent events have shown that otherwise comparable businesses can differ greatly in the effectiveness of their risk management practices. Many of these differences appear to be qualitative in character and centered on management processes. Actuaries can take a role to offer opinion on process quality and on possible avenues for improvement. More specifically, recent events seem likely to increase emphasis on what the supervisory community calls Pillar 2 of prudential supervision – the review of risk and solvency governance. In Solvency II in Europe, a hot topic is the envisaged requirement for an ‘Own Risk and Solvency Assessment’ by firms and many are keen to see actuaries have a significant role in advising on this. The International Association of Insurance Supervisors has taken up the ORSA requirement as an Insurance Core Principle and encourages all regulators to adopt it as part of their regulatory structure.  It seems an opportune time to pool knowledge.

The plan is to write the paper over the next six months and to spend another six months on comment & exposure prior to finalization.  If we get enough volunteers the workload for each will be small.   This project is being performed on a wiki which allows many people to contribute from all over the world.  Each volunteer can make as large or as small a contribution as their experience and energy allows.  People with low experience but high energy are welcome as well as people with high experience.

A similar working group recently completed a white paper titled the CARE report.  You can see what the product of this sort of effort looks like.

Further information is available from Mei Dong, or David Ingram


David Ingram, CERA, FRM, PRM
+1 212 915 8039

FROM 2009

ERM BOOKS – Ongoing Project – Volunteers still needed

A small amount of development work has been done to create the framework for a global resource for ERM Readings and References.

Volunteers are needed to help to make this into a real resource.  Over 200 books, articles and papers have been identified as possible resources ( )
Posts to this website give a one paragraph summary of a resource and identify it within several classification categories.  15 examples of posts with descriptions and categorizations can be found on the site.
Volunteers are needed to (a) identify additional resources and (b) write 1 paragraph descriptions and identify classifications.
If possible, we are hoping that this site will ultimately contain information on the reading materials for all of the global CERA educational programs.  So help from students and/or people who are developing CERA reading lists is solicited.
Participants will be given author access to the ermbooks site.  Registration with wordpress at is needed prior to getting that access.
Please contact Dave Ingram if you are interested in helping with this project.


We do what we can

June 17, 2011

Recently, Riskviews read a parable that ended with one person coming upon a small animal, perhaps a cat, lying on the ground with its feet up in the air.  When asked why, the cat explained that it had heard that the sky was falling.  The person laughed and said that the cat couldn’t stop the sky from falling.  The cat replied, “we do what we can”.  (Anyone who can help with the source please add to comment.)

“We Do What We Can” would be a good motto for risk managers.  Contrary to popular belief, risk managers do not know the future any better than anyone else.  But even with the twin handicaps of no prescience and the popular belief that they possess it, risk managers can have a positive effect.

Risk Managers can have an impact on frequency of damaging losses.  Though they cannot eliminate them.  Many risk managers have been fired because they failed to stop 100% of all damaging losses.  But many others keep on working to reduce the likelihood that the firm will experience a damaging loss.  One important part of having an impact on frequency of damaging losses is to recognize the changing likelihood over time.

The other place where risk managers do what they can is in the area of firm resilience.  Good work in previous crises only makes the risk manager’s job harder.  Survival of past crises can foster a feeling of invulnerability and complacency towards risk management.  The risk manager needs to work to maintain vigilance.  It must be done carefully to avoid the Chicken Little syndrome.


ERM in a Low Interest Rate Environment

June 14, 2011

(Excerpts from presentation at Riskminds USA)

A discussion of how the current low interest rate environment impacts choices for (1) interest rate risk, (2) other risks and (3) Enterprise Risk Management.
How an insurer might react to low interest rates depends to a large extent on risk taking strategy and their point of view about interest rate risk.  There are four primary strategies for interest rate risk:
  • Minimize Risk
    • The Classic ALM approach is designed to minimize risk.  Duration mismatch is a measure of the degree to which you failed to achieve risk minimization.  Most ALM programs allow for an acceptable level of mismatch which might be an operational risk acceptance or it might be an option to take some interest rate risk tactically.  Risk is evaluated compared to Zero (matched position).
  • Accumulate Risk
    • The classic approach of banks to interest rate risk is to accumulate it.  The Japan carry trade is an interest rate accumulation trade.  Life Insurers usually Accumulate Mortality Risk.  Non-Life Insurers usually Accumulate attritional Risks.  Accumulation of risk usually means that there is no limit to the amount of the risk that may be taken if it is priced right.  Risk is evaluated compared to expected cost using Utility theory – accept risk if expected value >0.
  • Manage Risk
    • The New ERM approach to Risk is to Manage Risk by looking at Risk vs. Reward for the portfolio of risks including diversification effects.  Taking a Strategic or Tactical approach to making choices – Return Targets “Over the Cycle” or “Every Year”.  Risk is evaluated with an Economic Capital model.  Risk means increase in total enterprise Economic Capital.
  • Diversify Risk
    • Many firms pay attention to diversification, but few make it the cornerstone of their ERM.  Firms focused on diversification will accumulate a risk as long as it does not come to dominate their risk profile and if it is expected to be profitable, often taking a purely Tactical approach to which risks they will accumulate.  They may not even have a chosen Long Term Strategic view of most risks.  They evaluate each risk in comparison to other risks of the enterprise.  The target is to have no single large risk concentration.
There are two aspects of Point of View that you need to be clear about:
  • Long Term Strategic vs. Short Term Tactical
    • You might ignore both and simply avoid a risk
    • You might ignore Strategic and take risks tactically that might not make sense in the long run
    • You might Strategically decide to take a risk and ignore Tactical which means you take the risk no matter the environment
    • You might pay attention to both and always take the risk but vary the amount of the risk
  • Going Concern vs. Going out of Business
    • Classic ALM (and Economic Capital models) use a “going out of business” model
    • But the “Going Concern” model is much more complicated and requires assumptions about future business and should include a going out of business assumption
With these questions resolved a company can go about setting their strategy for interest rate risk taking in a low interest environment.
To do that they may want to look at three scenarios:
  • Scenario 1 – Interest Rates stay low
  • Scenario 2 – Interest Rates increase slowly
  • Scenario 3 – Interest Rates increase quickly
For each scenario, look at the implications for interest rate risk as well as for all of the other aspects of their risk profile and their business strategy.  If a scenario shows results that are unacceptable, then the planners and risk managers need to develop strategies to avoid or mitigate the projected problem should that scenario come to pass, as well as triggers for initiating those activities should the scenario appear imminent.

Systems of Controlling

March 28, 2011

Source: Controlling Modern Government

The four methods of controlling chart above can be very helpful to envision ways to improve risk management control systems.  A control system can use one or several of these methods.  But first it might require a little translation:

  1. Contrived Randomness – choosing by lots does not seem to be a control method, but in fact it is a part of a method that is used every day in almost every business.  Contrived randomness is usually used along with another of the control techniques.  Instead of constantly applying the other control processes, they are applied in a random fashion.  It is easy to imagine how the contrived randomness is vital to cost effective and just plain effective controlling.  If Oversight, for example, is used for controlling on a constant basis, it is very costly, requiring review of every single outcome.  However, if the Oversight is applied regularly, say every 10th event, then the cost is reduced by 90%, but the effectiveness is also reduced by up to 90%.  That is because the person who is being overseen can easily adjust to comply with the control process only on every 10th event and fail to comply the other 9 times without the control process noticing.  Using a random schedule means that a person seeking to avoid the effort of compliance is at much higher risk of being caught by oversight.  And even better, BF Skinner found that intermittent reinforcement provided by positive situations found in random inspections can have much higher impact on creating favorable habits than regular or even constant reinforcement.  The chart also suggests rotation of staff.  This part of the Contrived Randomness approach to controlling is seen in the efforts by banks to control fraud by shifting employees and especially by doing more thorough audits during employee vacations, which is again a combination of randomness and Oversight.
  2. Mutuality – When Mutuality is used as a control system, it sometimes uses peer review, in addition to processes that involve partnering.  The partnering process can be very expensive, or it may save time and money depending on the process.  When the partnering involves two people doing what one might have done, then the extra cost is obvious.  In fact, the cost might well be more than double for a two person team because of the degree of interaction between the partners that might add time to the tasks.  This must be offset by an increase in effectiveness, quality or continuity for the doubling of resources to make sense.  But the control system application of peer review is very common.  The peer review can be at several possible levels – the peer can be doing a very high level check – “does this make sense?”  Or they can be doing a more thorough review.  Or the peer can be trying to totally independently reproduce the work being reviewed.  In addition, the decision must be made of the frequency of the peer review.  The same ideas expressed above about intermittent reinforcement apply to peer review.
  3. Oversight – monitoring from a supervisory position is the most common form of control.   The supervisor is the most natural candidate for the type of oversight that is needed.  It means broadening the supervisor’s role to go beyond the accomplishment of the primary objective of the unit to also include the controlling objectives.  The downside to this method is the dilution of the supervisor’s attention distracting them from the accomplishment of the primary objective.  In addition, there is the potential mismatch of skills and talents.  In some cases, the primary objective and the controlling objectives require very different methods and skills.
  4. Competition – Competition is another technique that may be difficult to imagine as a control method.  What is needed to make competition a controlling system is openness of information about the activities that are to be controlled.  For different members of a team to compete, they need to know what and how the others are doing.  This openness is not very common.  But one of the objectives of the open office movement is the free controlling that automatically comes in the open environment.  Some firms do use Competition through a totally open system of managing where all members of a unit know about what every other member is doing.  Control breaches then can only happen if the entire unit agrees that they are necessary.

Many would think that Oversight is the main form of controlling.  Hopefully, this post will expand your view to include these other options.
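
To put numbers on the Contrived Randomness point in item 1, here is an added simulation (example code, not from the original post or from its source).  It assumes a worker who has learned a fixed every-10th inspection schedule and skips compliance on the other nine events, and then runs that same habit against a random schedule with the same 10% inspection rate.  Under the periodic schedule the worker is never caught; under the random schedule the same behaviour is detected almost immediately, while the number of inspections (the cost) stays about the same.

```python
# Added illustration of "contrived randomness": a fixed every-10th inspection
# schedule versus a random schedule with the same expected inspection count.
# Example code, not from the original post or its source; the worker model
# (complies only on events where an inspection is expected) is an assumption.
import random
from typing import Dict, List, Tuple


def periodic_schedule(n_events: int, period: int) -> List[bool]:
    """Inspect every `period`-th event (event indices period-1, 2*period-1, ...)."""
    return [(i + 1) % period == 0 for i in range(n_events)]


def random_schedule(n_events: int, rate: float, rng: random.Random) -> List[bool]:
    """Inspect each event independently with probability `rate`."""
    return [rng.random() < rate for _ in range(n_events)]


def schedule_aware_violations(predicted: List[bool]) -> List[bool]:
    """A worker who believes inspections follow `predicted` skips compliance
    (True = violation) on every event where no inspection is expected."""
    return [not expected for expected in predicted]


def evaluate(schedule: List[bool], violations: List[bool]) -> Tuple[int, int, int]:
    """Return (inspections performed, violations committed, violations detected).
    A violation is detected only when it coincides with an inspection."""
    inspections = sum(schedule)
    committed = sum(violations)
    detected = sum(1 for s, v in zip(schedule, violations) if s and v)
    return inspections, committed, detected


def detection_probability(rate: float, violations: int) -> float:
    """Exact probability that at least one of `violations` skipped events is
    inspected when each event is inspected independently with probability `rate`."""
    return 1.0 - (1.0 - rate) ** violations


def compare(n_events: int = 1000, period: int = 10, seed: int = 7) -> Dict[str, Tuple[int, int, int]]:
    """Run the same schedule-aware worker against both controls.

    The worker has learned the fixed period and skips compliance on the other
    period-1 events.  Against the periodic schedule every skip lands on an
    uninspected event; against the random schedule the same habit is exposed
    because the inspected events no longer line up with the worker's expectation."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    periodic = periodic_schedule(n_events, period)
    randomized = random_schedule(n_events, 1.0 / period, rng)
    violations = schedule_aware_violations(periodic)
    return {
        "periodic": evaluate(periodic, violations),
        "random": evaluate(randomized, violations),
    }


if __name__ == "__main__":
    results = compare()
    for name, (inspections, committed, detected) in results.items():
        print(f"{name:9s} inspections={inspections:4d} violations={committed:4d} detected={detected:3d}")
    # Chance that a worker who skips 9 of every 10 events is caught within
    # 100 events under a 10% random schedule: 90 skipped events, each inspected w.p. 0.1.
    print(f"P(caught within 100 events, random 10%) = {detection_probability(0.1, 90):.4f}")
```

The `detection_probability` function is the closed form behind the simulation: with a 10% random schedule a worker who skips ten events already faces roughly a 65% chance of being caught, and over ninety skipped events the chance of escaping is well under one in a thousand.  The periodic schedule, by contrast, gives a schedule-aware worker a zero detection rate no matter how many events pass.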

What’s Next?

March 25, 2011

Turbulent Times are Next.

At, a feature from Guillermo Felices tells of 8 shocks that are about to slam the global economy.

#1 Higher Food Prices in Emerging Markets

#2 Higher Interest Rates and Tighter Money in Emerging Markets

#3 Political Crises in the Middle East

#4 Surging Oil Prices

#5 An Increase in Interest Rates in Developed Markets

#6 The End of QE2

#7 Fiscal Cuts and Sovereign Debt Crises

#8 The Japanese Disaster

How should ideas like these impact on ERM systems?  Is it at all reasonable to say that they should not? Definitely not.

These potential shocks illustrate the need for the ERM system to be reflexive.  The system needs to react to changes in the risk environment.  That would mean that it needs to reflect differences in the risk environment in three possible ways:

  1. In the calibration of the risk model.  Model assumptions can be adjusted to reflect the potential near term impact of the shocks.  Some of the shocks are certain and could be thought to impact on expected economic activity (Japanese disaster) but have a range of possible consequences (changing volatility).  Other shocks, which are much less certain (end of QE2 – because there could still be a QE3) may be difficult to work into model assumptions.
  2. With Stress and Scenario Tests – each of these shocks as well as combinations of the shocks could be stress or scenario tests.  Riskviews suggests that developing a handful of fully developed scenarios with 3 or more of these shocks in each would be the most useful.
  3. In the choices of Risk Appetite.  The information and stress/scenario tests should lead to a serious reexamination of risk appetite.  There are several reasonable reactions – to simply reduce risk appetite in total, to selectively reduce risk appetite, to increase efforts to diversify risks, or to plan to aggressively take on more risk as some risks are found to have much higher reward.

The last strategy mentioned above (aggressively take on more risk) might not be thought of by most to be a risk management strategy.  But think of it this way, the strategy could be stated as an increase in the minimum target reward for risk.  Since things are expected to be riskier, the firm decides that it must get paid more for risk taking, staying away from lower paid risks.  This actually makes quite a bit MORE sense than taking the same risks, expecting the same reward for risks and just taking less risk, which might be the most common strategy selected.

The final consideration is compensation.  How should the firm be paying people for their performance in a riskier environment?  How should the increase in market risk premium be treated?

See Risk adjusted performance measures for starters.

More discussion on a future post.

Chief Mitigation Officer

March 9, 2011

Does your firm have a place for a Chief Mitigation Officer?  What is a mitigation officer, you ask?  Here is an excerpt from a job description from the CEA.

The Chief Mitigation Officer (CMO) will be responsible for the California Earthquake Authority’s (CEA) educational outreach efforts, collaborating with research institutions, and leading efforts to develop financial incentives to encourage seismic-risk mitigation.  The unique nature of the CEA’s public/private structure requires strong leadership capable of leading people and projects, and executing responsibilities through skillful collaboration, coordination and communication.   As a member of the executive management team, reporting directly to the Chief Executive Officer, the CMO will perform mitigation-project oversight as follows:

Duties / Responsibilities

  • Manage statewide residential-retrofit programs designed to help California homeowners make their homes more resistant to earthquake damage and serve as the Executive Director of the California Residential Mitigation Program, a statutory Joint Powers Authority created for mitigation funding purposes.
  • Develop programs aimed at educating the public on the importance of earthquake loss mitigation through multiple channels, including CEA participating insurers and the residential construction industry.
  • Work with academic institutions, nonprofits, the residential construction industry, earthquake related research groups in both science and engineering, and other stakeholders to support mitigation-related research and educational activities, along with local, state and federal agencies to further California’s residential earthquake preparedness, protection and mitigation goals.
  • Oversee programs providing financial assistance (loans, grants, rebates, or other financial incentives) that help homeowners with structural and contents retrofitting of their homes.  Contribute to the CEA’s ongoing efforts to establish justifiable mitigation premium discounts for CEA policyholders who make approved retrofit improvements to their homes.

Riskviews thinks that the idea has possibilities.  A different framing for some of the key activities in the risk management area.  Perhaps have two senior risk related positions, risk mitigation and risk evaluation.

For the Risk Mitigation, another firm might want to strongly downplay the outreach aspects that the CEA has a strong interest in.

Instead, The Chief Risk Mitigation Officer might be in charge of Risk Management Actions.

Risk Management Success

March 8, 2011

Many people struggle with clearly identifying how to measure the success of their risk management program.

But what they really are struggling with is either a lack of clear objectives or unobtainable objectives.

Because if there are clear and obtainable objectives, then measuring success means comparing performance to those objectives.

The objectives need to be framed in terms of the things that risk management concentrates upon – that is likelihood and severity of future problems.

The objectives need to be obtainable with the authority and resources that are given to the risk manager.  A risk manager who is expected to produce certainty about losses needs to either have unlimited authority or unlimited budget to produce that certainty.

The most difficult part of judging the success of a risk management program is when those programs are driven by assessments of risk that end up being totally insufficient.  But again the real answer to this issue is authority and budget.  If the model assumptions are entirely under the risk manager’s control, then the risk manager would be prudent to build significant margin for model risk into either the model or the processes that use the model.  But then the risk manager is incented to make the model as conservative as their imagination can make it.  The result will be no business – it will all look too risky.

So a business can only work if the model assumptions are the joint responsibility of the risk manager and the business users.

But there are objectives for a risk management program that can be clear and obtainable.  Here are some examples:

  1. The Risk Management program will be compliant with regulatory and/or rating agency requirements
  2. The Risk Management program will provide the information and facilitate the process for management to maintain capital at the most efficient level for the risks of the firm.
  3. The Risk Management program will provide the information and facilitate the process for management to maintain profit margins for risk (pricing in insurance terms) at a level consistent with corporate goals.
  4. The Risk Management program will provide the information and facilitate the process for management to maintain risk exposures to within corporate risk tolerances and appetites.
  5. The Risk Management program will provide the information and facilitate the process for management and the board to set and update goals for risk management and return for the organization as well as risk tolerances and appetites at a level and form consistent with corporate goals.
  6. The Risk Management program will provide the information and facilitate the process for management to avoid concentrations and achieve diversification that is consistent with corporate goals.
  7. The Risk Management program will provide the information and facilitate the process for management to select strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.
  8. The Risk Management program will provide information to the board and for public distribution about the risk management program and about whether company performance is consistent with the firm goals for risk management.

Note that the firm’s goals for risk management are usually not exactly the same as the risk management program’s goals.  The responsibility for achieving the risk management goals is shared by the management team and the risk management function.

Goals for the risk management program that are stated like the following are the sort that are clear, but unobtainable without unlimited authority and/or budget as described above:

X1  The Risk Management program will assure that the firm maintains profit margins for risk at a level consistent with corporate goals.

X2  The Risk Management program will assure that the firm maintains risk exposures to within corporate risk tolerances and appetites so that losses will not occur that are in excess of corporate goals.

X3  The Risk Management program will assure that the firm avoids concentrations and achieves diversification that is consistent with corporate goals.

X4  The Risk Management program will assure that the firm selects strategic alternatives that optimize the risk adjusted returns of the firm over the short and long term in a manner that is consistent with corporate goals.

The worst case situation for a risk manager is to hold a position in a firm where there are no clear risk management goals for the organization (item 4 above) and where they are judged on one of the X goals, but which one they will be judged on is not determined in advance.

Unfortunately, this is exactly the situation that many, many risk managers find themselves in.

Avoiding Risk Management

February 14, 2011

In the past two years, many firms and many investors have de-risked their world.

On the other hand, there is no shortage of advice that you should never seek to avoid all risk.  Try typing the two words “Avoid Risk” into Google and more than half of the links that come up are discussions of why that is not a good strategy.

But one of the links that is on the first page is from the Chronicle of Higher Education.  The headline is “Most Colleges Avoid Risk Management”.

So you now have the classic two by two grid of choices:

Each of the four choices has adherents.  But there are pluses and minuses to each choice.

1.  Avoid Risk/Avoid Risk Management – a person or organization can do very well with this choice.  Until – – – they are struck by a risk that they did not know that they were taking.  The only risks that a person who avoids all risk takes are those risks that they are unaware of.  This strategy also requires that the world not change too much.  The largest risk to this choice is the risk that the person or organization will no longer have a viable strategy.  By avoiding risk, they have saved themselves from the agony of failure but also from the joy of successfully developing new strategies – some of which might become the strategy for the future.

2.  Avoid Risk/Risk Management – This was the Mubarak strategy.  It was very successful for 30 years.  Then, suddenly, it stopped working.  It fell victim to the failure-to-adapt risk, which is the second type mentioned above.  But by practicing risk management, he was able to avoid the first risk above – the risk of taking risks unawares.  A firm with a very successful product or business might take up this strategy, seeking to maximize the value of that successful strategy.

“People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a year.” – Peter F. Drucker

3.  Take Risks/ Avoid Risk Management – On its face, this choice seems clearly irrational.  However, it is widely practiced and sometimes by people that are held to be highly successful geniuses in their fields.  What we fail to recognize is that some of these folks are simply lucky and the rest might well be geniuses.  The lucky are noticed because of survivor bias.  So if you choose this strategy, you are following in the footsteps of some of the most famous.  And in your own experience, you have probably worked with people who got where they are because of luck.  Someone has to get 8 tails in a row flipping coins.  And if you award a senior vice presidency to everyone who does …

4.  Take Risks / Risk Management – this seems like the most sensible choice.  You are then left with the decision of how to choose the risks that you take and which sort of risk management to practice.  Which are the main topics of this blog.

In my experience, I have found that some people define risk taking as 3 above – that is diving off the board without looking down first.  When they say “you must take risks to get the rewards” they are thinking about the blind risk taking of 3.  I can only suggest that a firm should seek to avoid applying strategy 3 to something on which the survival of the firm depends.

Thanks to Riskczar for the Drucker quote.
