Sunday, 28 September 2014

Pregnancy and 7 Lessons About Risk Management


When my wife was expecting our first son, it surprised me that most of the stories we heard about childbirth from other people involved something going wrong. At some point, we made a conscious decision to ‘switch off’ and ignore those stories.  I don’t really know whether our experience was representative.  

It strikes me that risk management appears a bit similar; it is easy to hear what went wrong.  Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and here).  This post seeks to address that bias by sharing a paper about risk management success stories.

The paper is based on extensive field work with two companies outside financial services.  This makes it even more interesting for me because it removes the inevitable interaction with regulation in financial services.

From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:

1.    The background of the CRO did not seem to matter.  In one case it was someone with a business background, and in the other case it was someone with a corporate background.  The common factor was the CRO’s determination from the outset to find a practical way of adding value to the business.

2.    Success seemed to be described by reference to the role of risk management in the preparation of the business plan.  The path to this involved in both cases a discrete deliverable, typically preparing and maintaining a business risk profile.

3.    Successful engagement of the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the business.  For example, one of the organisations was more project-focused, and there was more emphasis on risk assessment by business lines.

4.    It was important to develop a common risk language in an unobtrusive manner.   This could be in terms of controls and risk, impacts that reflect the various functional dimensions of the business or scenario planning.

5.    The risk function needed a degree of self-confidence.  This could be useful to start the risk assessment process, develop business-specific tools and encourage the business to take more risks where it is deemed appropriate to meet business objectives.

6.    Risk functions achieved a balance between being close to the business and being independent of the business. 

7.    An effective tone from the top was more helpful in terms of behaviours.  This is really about how CEOs interact with others and ask questions about risks as part of the usual scrutiny of initiatives.

I believe that I have come across most of these lessons in different contexts.  It is, however, interesting to see all of them together.

If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan.  On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents the full integration of the risk management in the annual business process, what would be the score for your organisation?  


More importantly, what would be your target score for the medium term?  What would that mean in terms of different activities?  What would you need to persuade your CEO to accept that involvement?   

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts at http://crescendo-erm.blogspot.co.uk.



Thursday, 18 September 2014

Guest Post: the Objective of Risk Management – EIOPA's Perspective



One of the lessons from my post on the objective of risk management was that there are a number of perspectives on the objective of risk management.  I asked a number of leading industry experts to share their perspective.

Two weeks ago, I shared the views of James Tufts, Group CRO of Guardian Financial Services (here).  His perspective emphasised that the objective of risk management is to clarify the role of risk management of the business and of the risk function.

Today, I am delighted to share the views of Carlos Montalvo Rebuelta, Executive Director of EIOPA.  As a regulator, it is perhaps not surprising that he focuses on the extent to which Solvency II regulation changes the objective of risk management.

I will continue sharing these perspectives in the next few weeks.

****************************

Solvency II: a revolution in risk culture?
Carlos Montalvo Rebuelta, Executive Director, EIOPA

As Executive Director of EIOPA, in charge of managing the Authority and an insurance supervisor that has faced very different approaches to risk management across national supervised entities, I would like to touch upon the topic of risk management in insurance.

If we start the topic far away from business, in Nature, we see how species try to do the best out of the environment they operate in, in order to survive, yes, but also in order to prevail and ensure a legacy. They are confronted with risks and they exploit opportunities, risk management at its best, albeit in a very primitive form.

Within the corporate world, but outside the financial sector, we may take the example of EIOPA, where different toolkits are used to anticipate and address challenges, but also to identify and grab opportunities. Risk logs, monitoring tools, clear reporting lines, allocation of ownership for action… doesn’t that sound familiar? Risk management, indeed, reinforced by the conviction from senior management on the usefulness of it; setting the tone from the top. 

A distinctive feature of insurance and reinsurance is that the business itself is all about risk. The core objective of (re)insurers is to deal with different kinds of risks making a profit out of them. So, the industry should already have a wide range of specific know-how and experience in the area of risk management, if only because this is what the business is all about i.e. risk.

However, the financial crisis has shown that financial market participants, including insurers, need to rely on stronger risk management capabilities in order to deal with the different challenges posed by the economic slowdown and the financial market volatility. In other words, their risk management frameworks were not always up to the challenge stemming from the crisis.

Self-regulation within undertakings proved insufficient. Very often, any concerns raised about long-term sustainability of the company were ignored or even ferociously denied. Wrong incentives, short term gambits, unsustainable growth… reality was far away from what undertakings claimed to be their situation, with the consequences we all have witnessed.

The upcoming supervisory and regulatory framework for insurance - Solvency II - is going to make significant changes in the current risk culture of many insurers.  It is a different way of looking at and managing risks. First of all, it presents risk management not as a point in time procedure, but as a continuous process that should be used in the implementation of the undertaking’s overall strategy.

There is a purpose, and tangible outcomes. The Solvency II framework aims at establishing high quality risk management standards that will be beneficial for insurance undertakings, shareholders and consumers. One of the main requirements of a risk-based regulatory regime is that risk and capital should not be considered separately. This approach will allow top management to ensure that the company does not take on more risks than its capital base allows. It is also an opportunity for the senior executives to anchor a risk culture in an insurer’s day-to-day operations; again, setting the tone from the top.

The Solvency II regime requires insurers and reinsurers to have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, both at individual and aggregated levels, to which they are or could be exposed, and their interdependencies. Nothing new under the sun? Unfortunately, this is not the case.

One of the most innovative changes introduced by Solvency II is the requirement that insurance companies develop their Own Risk and Solvency Assessment (ORSA) as a tool of their overall risk management system. Insurers will need to properly assess their own short- and long-term risks as well as the amount of their own funds necessary to cover them to ensure on-going compliance with capital requirements. Quoting the lyrics of a song by The Velvet Underground, “I will be your mirror, reflect what you are, in case you don’t know it”.

I believe that the Solvency II approach to risk management will allow for an enhanced understanding of the nature and significance of the risks to which a company is exposed, including its sensitivity to those risks and its ability to mitigate them. This understanding will help companies to see their real opportunities and manage their business on that basis. Strong risk management will also be beneficial for the customers of insurance companies. It will allow insurers to better meet their claims towards clients and, thus, to promote confidence in the insurance sector.

All in all, Solvency II should lead to a win-win situation and bring a risk-based regulatory framework to a business that deals with risk.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 



Wednesday, 10 September 2014

Business Model Analysis Coming of Age?


I wrote a few months ago (here) that one of the common areas of prudential and conduct supervision is the focus on understanding business models.  The Prudential Regulation Authority (PRA) published an interesting paper about the application of business model analysis to developments in the insurance sector (here).

However, it still felt that business model analysis remained something confined to policy and supervisory circles.  I was therefore pleasantly surprised to read about it in a quick Q&A session with Sir Win Bischoff in The Times (Saturday, 6 September).  In response to a question about his views on leadership, he said, “establish the business model, set the strategy and then let management get on with it.”

Given Sir Win Bischoff's role as a former chairman of several major banks, there are a number of messages in this answer: 

1.  confirmation of boards' interest in oversight of the business model, meaning it is not just a supervisory issue; and   

2.  a pecking order with the business model setting the wider parameters for the strategy.

With hindsight, it is possible to see that what may have seemed changes to business strategy were really changes to the business model.  Seeking to separate decisions about business model and strategy would go some way to supporting an enhanced oversight of risk taking.  How would risk functions rise to this challenge?     

If you work in financial services, I would be keen to hear your thoughts about business model and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 


Thursday, 4 September 2014

Guest Post: the Objective of Risk Management – a CRO View


One of the lessons from my post on the objective of risk management was that there are different perspectives on this subject.  I asked a number of leading industry experts to share their perspective on the objective of risk management.

I am delighted that James Tufts, Group Chief Risk Officer at Guardian Financial Services has agreed to share his thoughts.  I will continue sharing perspectives from leading industry experts in the next few weeks.

****************************

The objective of risk management
James Tufts, Group Chief Risk Officer, Guardian Financial Services

Risk management is fundamental to what an insurance company does and the core of its business purpose.  Insurers take on risk and through a variety of different techniques and tools, they manage those risks such that they can charge an appropriate premium to customers, service those customers, meet regulatory requirements and produce an acceptable return on capital for the owners – this is the embodiment of risk management.

Risk management is therefore fundamental to all the activities in the business and the Enterprise Risk Management (ERM) framework is the core model for how the business operates.

Perhaps surprisingly, the objective of the “Risk Function” should not be “risk management”.  That’s a business objective.  The objective of the “Risk Function” is to provide the ERM framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.  It is only when this distinction is fully understood and internalised in a company that risk management adds value.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if this resonates with your experience. 


Thursday, 28 August 2014

Big-Data – a Small Risk Transformation?


These days big-data seems to be so ‘big’ that it is everywhere.   I have read with some interest ‘Big data’ by Mayer-Schonberger and Cukier.  I was looking to form some views about it reflecting my perspective of risk management in financial services and ‘value enhancement’. These are three of the key points I took from the book. 

1.    Big-data is not about size but about the ability to work with full data sets. 

This means that the constraints that might arise from sampling are avoided.  Interestingly, there will be cases where adopting a big-data approach means handling a relatively small data set. 

2.    The shift from causation (small data) to correlation (big-data). 

The ability to create additional data at low cost and join up data sets means that we are likely to increase our ability to spot correlations.  This would help us understand the ‘what’ even if we don’t fully understand the ‘why’ or the causation.

3.    All data has value and a company’s ability to extract the value depends on the business model and skills.   

The value of data arises from secondary uses which are difficult to predict when the data is collected.  Companies can extract the value by hoarding the data, analysing it and identifying opportunities for big-data. 

This led me to three observations about big-data and risk management:

1.    Risk managers need to identify the aspects of risk management that can be enhanced by understanding correlations (‘what’) and the aspects that can be enhanced by causation (‘why’). 

While the message of big-data is that correlation is becoming cheaper to identify and offers more value in a shorter period of time, there isn’t a one-size-fits-all answer!  For example, insurers’ ability to spot financial crime, cases of fraud and price insurance risks would be enhanced by the ability to identify the correlation between key variables.  On the other hand, understanding correlations between risk drivers may need some plausible stories to make them actionable.

2.    Existing risk management and regulatory concepts would need to be revisited.

One of the features of big-data is that when different data sets are combined the resulting data is ‘messy’ with many empty cells.  How do you apply existing criteria for data quality governance, in particular ‘completeness’?

How do you validate models?  The authors bring in an interesting example where a simple model performs more effectively than any of the alternatives when a significant amount of data is fed into the model.

3.    Extracting value from data would need careful thinking.

One of the fundamental technological changes is that data is generated in many unsuspected places and situations, e.g. internet searches.  Spotting those opportunities requires a big-data mindset.  Capitalising on them requires the ability to capture the data and / or use it.  One implication is that the value of data is something that would need to be factored into commercial outsourcing with third parties.

Overall, this could lead to a significant transformation of how risk is managed and become a new ‘normal’.   However, between now and then companies would need to tread carefully to avoid chasing ‘big-data’ opportunities of limited value.   

If you work in financial services, I would be keen to hear your thoughts about big-data and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 


Friday, 18 July 2014

My Son the Risk Manager?


That’s not a question for me.  I guess I am already there.  It is more of a potential question for my children – and yours as well.  The ultimate question is whether you would be happy to encourage your children (or perhaps the children of one of your best friends) to go into risk management as a career.

Put differently, has risk management become like accountancy or law? Is risk management a generic business qualification that can be applied in different business contexts?

Once I started thinking about this I realised that it wasn’t clear to me if risk management is a career in its own right.  The alternative is that risk management would be a common and reasonably well-defined role in many sectors.  This matters because one of the next questions in that hypothetical conversation would be along the lines of “how do I get there”.

The main argument in favour of regarding risk management as a career in its own right is that there seems to be an emerging body of risk management theory that cuts across sectors.  This can be evidenced from the emergence of standardised approaches to risk management that cut across sectors, e.g. ISO 31000, and professional associations.

A similar argument would be in terms of the skills needed to perform successfully in the role.  While my experience is limited to financial services, my feeling is that the blend of skills needed in risk roles tends to be slightly different from those required for other roles – in no particular order, they include the ability to see the big picture, communication, determination and the ability to keep things simple.

At the same time, while developing tools and approaches for risk management is a considerable ongoing challenge, the main one is the implementation.  However, successfully implementing risk management and certainly generating value depends on business knowledge and understanding of the corporate environment.

All in all, I am more inclined to suggest to my children the following:
  •  choose a degree you like – IT, law, economics, engineering, finance – and a sector; 
  •  consider risk management as a role that would help career advancement; and
  •  explore ways of getting ready for that challenge.

If you work in financial services, I would be keen to hear your thoughts about these suggestions.  If you don’t, I would be keen to know if these lessons resonate with your experience. 


Thursday, 10 July 2014

Enforcement Lessons: 5 Lessons from a Fine Chance*


The UK Financial Conduct Authority (FCA) recently published the details (here) of an enforcement case involving Credit Suisse International (CSI) and Yorkshire Building Society (YBS).  They were fined £2m and £1.4m respectively for failing to meet the requirement that financial promotions are ‘clear, fair and not misleading’.

Not much new so far, but the circumstances of the case indicate how financial services are evolving and the challenges for risk management.

The case involves a structured product providing capital protection, a guaranteed minimum return and the potential for achieving a higher return under certain conditions related to the performance of FTSE100 index.  CSI manufactured the product and YBS distributed (most of) it.  The product raised nearly £800m and reached 84 thousand customers.

At the heart of this case there is a concern that product complexity can reach a level such that it is difficult to ensure that disclosures to retail customers are clear, fair and not misleading.  For example, the FCA was concerned that the disclosures suggested that this was a simple index tracker – it wasn’t.  This can distort customers’ ability to infer the likelihood of a maximum return. 

In addition, there are five interesting points to take away from this case:

1.    Distribution arrangements give rise to significant conduct risk, even if no financial advice is provided.    

2.    The chances of relevant events need to be taken into account in financial promotions.  A ‘maximum return’ that can be achieved with nearly zero probability based on past history is not really a ‘maximum return’!

3.    Third party consumer advocates can have an impact.  The UK Consumers Association (‘Which?’) approached YBS and CSI in September 2010 with concerns about financial promotions and the chance of achieving the maximum return advertised.  This resulted in limited changes to disclosures: more emphasis on the conditions required to achieve the maximum return and less emphasis on the presentation of the maximum return.

4.    The target consumer group has practical importance.  The disclosures will be crucial to ensure appropriate consumer outcomes if you are targeting ‘stepping stone customers’, ‘typically conservative, risk averse customers’, with a structured product and don’t offer advice.

5.    Slow reaction to regulatory developments persists.   The relevant period when the breach took place stretches to 30 months from November 2009 to June 2012.  The earlier intervention by ‘Which?’ and concerns raised by the FCA had limited effect. 

It is interesting to see all these different factors coming together in a case.  This may be one of the few occasions (if not the first) where a fine results because financial promotions did not take into account the chances of the underlying events. 

If you work in financial services, I would be keen to hear your thoughts about these lessons for the management of conduct risk.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

* Thanks to my colleagues for suggesting a title.


Friday, 27 June 2014

The Objective of Risk Management

This is a continuation of an earlier post about identifying the value of risk management (here).  I would like to focus on the objective of risk management.  I hasten to say that I am writing from the perspective of financial services and that there may also be different views. These thoughts are inspired by an article by Stulz from 1996 (here).  

The starting point is that the aim of risk management as seen in the traditional academic literature is minimising the variance in profits.  Not surprisingly, this would imply much more hedging and risk management than is generally observed from surveys and other sources, which is puzzling.

On the other hand, a company will have certain ‘comparative advantage’ in terms of skills, resources, or location that it can profitably exploit.  Today, we would see this as part of the ‘business model’.  If risk management seeks to reduce the variance in profits, it will also eliminate the upside that might exist as a result of the company’s business model.  If that upside is to be preserved, then the objective of risk management becomes the elimination of costly lower tail outcomes while preserving as much as possible of the upside. 

The key to risk management is therefore the firm's business model (earlier posts here and here).  It shapes the strategy and creates the risks that need to be managed and probably points at those risks that will emerge.  In practice, this means understanding the source of profits and being able to put this in the context of how the business operates and its strategy.

Consider the business strategy of a currency trading desk.  The main question is whether profits arise from position taking (with the firm’s capital) or from market-making.  Incidentally, the evidence quoted in the paper suggests that profits arise from market-making rather than position taking.  For an insurer, this would involve understanding the extent to which profits arise from underwriting, investment performance or fees and the alignment with the business strategy. 

Where this understanding forms the basis of how risk management operates, it makes financial distress less likely.  In turn, this means that risk management can be regarded as a substitute for equity capital; the same amount of equity capital can go further in terms of supporting a wider set of profitable activities. 

Unfortunately, a similar outcome can be observed when the risks are under-estimated.  How can a company that adopts this approach to risk management distinguish itself?  I don't think that there is a simple answer.  It is important that risk management takes a truly holistic perspective and seeks to demonstrate the alignment between business model, strategy, risk assessment and senior management incentives.   

If you work in financial services, I would be keen to hear your thoughts.  If you don’t, I would be keen to know if this articulation of the objective of risk management resonates with your experience.  


Thursday, 19 June 2014

The Cost and Benefits of EU Membership



A lot has been said about the recent elections to the European Parliament.  (Full disclosure: I am an EU national living in the UK.)  For me, part of the debate in the UK represents a useful reminder of the challenge of cost-benefit analysis.  Not surprisingly, there isn’t an accepted view about the balance between costs and benefits of EU membership.  Here is an illustration of the range of estimates (as of 2013) from a research paper of the UK Parliament:



I reviewed some of what has been written and have also read with interest Hugo Dixon's recent book - 'The in / out question'.  I thought that rather than develop another cost-benefit analysis, I would set out the main considerations to take into account if you choose to read one of them to form your own views.

It seems uncontroversial – I think – that the economic benefit from EU membership is the access to supply products and services to a market of 510 million consumers and an economy the size of the US.  Hugo Dixon quotes an estimated benefit of the order of 4% to 5% of UK GDP.  If you accept this, then the key questions are whether:
  •  the costs to the UK of achieving that benefit offset it; and  
  •  the benefit can be achieved through an alternative arrangement. 
To consider this, a cost-benefit analysis must set out the ‘counterfactual’, i.e. what would happen in the absence of EU membership, and identify what is incremental as a result.  However, there are a number of options.  The ‘do nothing’ option means trading with the EU based on the UK membership of the World Trade Organisation (WTO).  This does not mean free trade; it will entail customs duties for certain products such as cars.  There are also other options as represented by the cases of Norway, Switzerland and Turkey.  The bottom line is that you cannot seriously consider the costs and benefits of EU membership without taking an explicit view on an alternative from the very beginning.

If so, here are a number of questions and answers to identify what is incremental (including the benchmark of EU membership).  A "smiley" indicates that the change (or lack of it) is a positive development from a cost-benefit perspective.



A couple of points to note about the table.

Firstly, UK manufacturers exporting to the EU will need to comply with EU product regulations.  They are likely to end up manufacturing to UK and EU product regulation standards so (at best) cost savings would be limited. 

Secondly, the distinction between goods and services in the table is the reality of “free trade”, which does not usually apply to services, such as financial, business and legal services.  They represent 78% of the UK GDP. 

The table suggests that being outside the EU could be cheaper on a ‘cash’ basis.  However, none of the options would appear to replicate the benefits of a single market.  Norway replicates many of the benefits at a reduced cost.  However, note that they are bound to follow EU legislation without having a say on it – an interesting view about sovereignty!

Overall, I struggle to see how the UK would be able to replicate the economic benefit of the single market in products and services outside the EU. 

However, the real value of cost-benefit analysis is the impetus to focus on increasing benefits and reducing costs.  This means considering how to reform the EU and get the best from a single market of 510 million consumers and a GDP that is as large as the US.  Dixon's suggestions include cutting red tape and negotiating trade deals with the US, Japan and China.  For me, one of the more interesting suggestions is the potential gains from banking disintermediation and providing long-term finance to industry through capital markets.  As he puts it, the crisis was a banking crisis not a financial crisis.  Something for another post …


Thursday, 12 June 2014

‘Start With Why’ and the Value of Risk Management in Financial Services


A conversation with a friend about a book called ‘Start with Why’ helped me to put some order to my thoughts about the value of risk management. 

At one level the question of ‘why risk management’ can be answered by saying that it adds value to the business in the medium to long term. 

This is not a rhetorical question given the sums of money and senior management time that are being devoted (or is it diverted?) to risk management.

But, how can we identify the value of risk management? 

This is not a simple question.  I believe that there are two broad aspects to consider to answer this question.  Firstly, it is about identifying the right objective.  Secondly, it is about evidencing that pursuing the objective of risk management generates value. 

I intend to cover these issues in future posts from the perspective of financial services.  It will also be interesting to hear your thoughts and evidence about the value of risk management.
