Five Risk Management Lessons From Pixar

I read an interview in McKinsey Quarterly with Ed Catmull, one of the co-founders of Pixar, about his management approach for keeping the business innovative (here; registration may be required).  I hoped this article would provide an interesting window into a different sector.  When I finished reading the article, I had found something very different instead.  I had learned a number of useful lessons about the design and implementation of risk management:   

1.  That clear business objectives inform risk taking.  Are there clear business objectives?  How do they relate to risk management?

2.  The impossibility of delivering absolute clarity. Is risk management striking a balance between providing clarity and enabling staff at all levels to respond to challenges as they arise?   

3.       The importance of running experiments.  How do/can we experiment with risk management?  Is this about testing risk metrics?  Product features and claims?  Changes to underwriting criteria? 

4.       Articulating business culture to make it less dependent on key individuals and ensure it resonates beyond senior management.  How do we ensure that the ‘tone from the top’ is echoed by middle management?  

5.       The important distinction between assuming and spreading risks and their focus on the former.  How close is the risk management oversight to product development and risk taking? 

So the next time you watch a Pixar movie, remember that there is a fair amount of risk management behind the scenes. 

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

‘Nudging’ Meets Enterprise Risk Management?

It is no exaggeration to say that behavioural economics has become mainstream.  With hindsight, this is not really surprising because the assumptions underpinning economic theory have always been regarded as just that: assumptions. 

The key innovation of behavioural economics are the identification of specific circumstances where there are systematic departures from rational decision making and the development of context-specific predictions of behaviour.  Broadly speaking, departures from rational decision making are referred to as ‘biases’ because outcomes are poorer than the optimal outcomes under rational conditions.  These biases may affect preferences, beliefs or decision making.   Box 1 below shows some common types of biases.

Box 1: Sample of Common Types of Biases Affecting Decision Making

Type	Bias	Description	Example of bias in consumer decision making
Preferences	Reference dependence	Assessments are influenced by the reference point for the assessment ― typically the status quo ― or by a fear of losses.  Depending on the context, this can encourage either too much or too little risk taking.	Purchase decisions are driven by alternatives or product features which are irrelevant to the consumer.
Beliefs	Over-extrapolation	Predictions are made on the basis of few observations believed to be representative from which a real pattern or trend is inferred and, as a result, uncertainty is over- or under-estimated.	The quality of financial advice is assessed on the basis of few successful investments even if these could reflect pure luck.
Decision making	Rules of thumbs	Decision making is simplified by adopting specific rules of thumb such as choosing the most familiar and avoiding the most ambiguous.	Products at the top of a list or offered by large companies are selected.

Another innovation of behavioural economics is the notion that it is sometimes possible to address those biases, and thereby enhance outcomes, by making small changes to the environment ― hence the number of books about behavioural economics with the word ‘nudging’ in the title.  I have come across nudging considerations in terms of sales (e.g. how the default option affects customers’ choices) and in terms of public policy (e.g. the introduction of cooling-off periods in financial services). 

One of the key motivating aspects of enterprise risk management is its effectiveness.  This is not just a challenge concerning an outcome at a particular point in time.  The main aspect of the challenge is putting in place a process that drives enhanced effectiveness.  This is an aspect that has not escaped EU supervisors framing risk and capital requirements for banks and insurers in the EU, which require assessments of risk management effectiveness. 

So how could these two meet?  An assessment of risk management effectiveness could seek to identify behavioural biases that affect the management of risk across the business: for example, in terms of underwriting and investments.  Consider again the biases set out in Box 1: which ones could be relevant to risk management?  If we identify the biases that shape risk management, we can also assess their materiality and consider whether there are ways of addressing them through changes in the operating environment.  If you have any thoughts about how these biases, or others, could affect risk management, I would be very interested to hear them.

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Risk Reviews: Not 'a Bridge Too Far'

The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 

The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 

The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Feedback Loops and Enterprise Risk Management (ERM)

One should not take things for granted and this also applies to ERM.  In the case of ERM, this would mean identifying feedback mechanisms about the effectiveness of ERM to provide assurance to boards about the value generated.  This should also generate further insights to enhance ERM’s value added.  

This connection between ERM and value has not escaped supervisors.   On a company level, EU directives covering prudential regulation of banks and insurers include requirements that aim to formalise these feedback mechanisms.

While boards and regulators may be interested in the effectiveness of ERM in specific companies, there seems to be less evidence at an industry level.  Wouldn’t it be useful to understand the link between ERM effectiveness and the role and experience of the CRO? How does board oversight contribute to ERM effectiveness? 

These are challenging questions, which are considered in a recent working paper by Cristina Bailey, assistant professor at the University of New Hampshire, using data for publicly traded US insurers.*  There is a fair amount of statistics and econometrics in this paper which would have been covered through peer review.  There are differences between regulatory requirements on the two sides of the Atlantic, which could challenge the ability to infer from US data for Europe.  However, it would seem that ERM effectiveness is driven by the underlying business rather than regulatory requirements and that the lessons should be transferable. 

So what can we learn from this paper?  There are a number of measures of ERM effectiveness and benefits.  The effectiveness of risk management can be gauged by reference to the ratings awarded by S&P for risk management.  There are five possible ratings: very strong, strong, adequate with strong risk control, adequate and weak.  In the paper, ERM is defined as holistic risk management and is associated with the top two S&P ratings.  ERM benefits can be considered by referring to the volatility in stock returns.  ERM benefits can also be inferred using a measure of strategic industry positioning defined as the difference between the return on assets for the insurer and the top quartile.

Normally, it is important to consider the experience that the CRO brings to the role.  A number of experiences are specifically identified: oversight (e.g. prior experience as CEO or COO), financial (e.g. accountancy qualification or prior role as CFO or financial controller), industry (previous employment in the insurance industry) and risk (previous experience as a CRO or a senior risk management position). 

The analysis suggests that the breadth of the CRO’s experience is positively related to ERM effectiveness after controlling for a wide range of relevant factors.  However, this logic does not seem to apply to the expertise of the risk or audit committee.  But before you despair about the value of effective risk governance provided by a board committee, consider the impact on ERM benefits mentioned earlier by reference to volatility or strategic industry positioning.  The breadth of expertise of the committee members turns out to be a significant determinant of the ERM benefits. 

This result is a useful reminder of the difference between outputs (effective ERM) and business outcomes (e.g. risk reduction).  A potential way of pulling together these results is as follows: a CRO with broad expertise can successfully shape the effectiveness of ERM.  However, the wider ERM benefits depend on shaping the overall direction of the company which requires, amongst others, board committee members with a similar breadth of experience to act on the outputs that the CRO leading an effective ERM system would generate.  The above points to the importance of the qualities of CROs. 

Headhunters Hedley May have also published an interesting paper on the role of the CRO – and the risk function – based on discussions with CROs in banking, insurance, investment management and other stakeholders.**  Their analysis seems to support the above hypotheses about the difference between an effective ERM system and delivering business benefits such as lower volatility.  The qualities of a good CRO were found to include relationship building, influence and an ability to synthesise. These would provide the CRO with appropriate credibility in front of the board to go beyond an effective ERM and affect business decisions.

* ‘The Effect of Chief Risk Officer and Risk Committee Expertise on Risk Management', (forthcoming, www.ssrn.com)

** ‘The Post Financial Crisis Chief Risk Officer: The Teenage Years’, 2015

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox.