How safe is safe enough? An introduction to risk management By Angela Darlington, Simon Grout & John Whitworth Presented to The Staple Inn Actuarial Society At Staple Inn Hall At 6 p. m. On 12 June 2001 Contents Section 1 2 3 4 5 6 7 8 9 Page Introduction…………………………………………………………………………………………………… 1 Why is risk interesting? …………………………………………………………………………………… 2 Types of risk …………………………………………………………………………………………………. Risk perception ……………………………………………………………………………………………. 10 Traditional risk management………………………………………………………………………….. 14 Risk analysis methods ………………………………………………………………………………….. 17 Basel Capital Accord ……………………………………………………………………………………. 24 Enterprise risk management ………………………………………………………………………….. 26 How can actuaries add value? ………………………………………………………………………. 32 Appendices A B The FSA and risk management References How Safe Is Safe Enough? To Risk Management 1 Introduction “One of the common denominators I have found is that expectations rise above that which is expected. ” George W Bush, US President 1. 1 1. 2 As we are sure is the experience of most writers of SIAS papers, we found it very easy to volunteer but extremely difficult to get around to actually writing it. Initially, we planned to write a paper on e-commerce – a hot topic causing great interest and debate at the time that we booked this session.
However, by the time we got round to writing the paper, the market for technology stocks had crashed and job losses were piling up. At the same time, Equitable Life was in the middle of the problems created by its unhedged annuity rate guarantees. This lead us to consider that much had changed over the previous year. And so our thoughts turned towards how to avoid the problems which appeared to be plaguing both the e-commerce and financial services industries. And so this paper was born. This paper aims to provide an introduction to some of the key risk management concepts, issues and processes.
This paper is not intended to be an all-singing, alldancing description of the risk management industry. Rather, we hope that it provides a summary of the themes and practices that we use in risk management. This may enable actuaries to understand how risk management ideas and processes can add value to their organisation and how they can use these concepts in their work. We have tried to use some practical examples that illustrate the main themes of risk management in an interesting way. However, hindsight is a wonderful thing, and if we had perfect information about the future, risk management would be easy and perhaps unnecessary.
In any case, we hope that the examples prove if not useful then at least interesting. The thoughts, words and deeds in this paper are our responsibility and not those of our employer, the Institute of Actuaries or the Faculty of Actuaries. However we would like to thank our colleagues for their invaluable input and, in particular, our enterprise risk management colleagues for lending us many of the diagrams in this paper. Finally, we would like to thank George W Bush for his words of wisdom. 1. 3 1. 4 1. 5 Page 1 How Safe Is Safe Enough? An Introduction To Risk Management 2 Why is risk interesting? When I was coming up, it was a dangerous world, and you knew exactly who they were. It was Us v. Them, and it was clear who ‘Them’ was. Today, we are not so sure who the ‘They’ are, but we know they’re there. ” George W Bush, US President Why is risk interesting? 2. 1 In today’s dynamic business environment, companies are under significant pressure to deliver high quality products and services quickly and economically. Businesses are facing increasing levels of change, competition and globalisation. Regulators and stakeholders are interacting with businesses and evaluating them in new ways.
Institutional investors, in particular, have become more interested in management accountability and are now often more active participants in shareholder voting and meetings. Regulators have also become focussed on corporate governance. Corporate governance standards are becoming more stringent around the world. Firms listed on the London Stock Exchange are required to report to shareholders on their risk management practices and processes. Corporate governance regulations or codes of conduct in France, Germany, Italy, Netherlands, North America and Japan all now incorporate some form of risk assessment and risk management reporting.
Finally, organisations are being challenged to meet ever increasing financial expectations. During the 1990’s many responded by aggressively pursuing growth along with expense reduction and rationalisation. Most organisations have attempted to become lean and (theoretically) efficient. All of these changes suggest the need for an integrated and flexible risk management system that focusses on the whole organisation. This system must enable ongoing evaluation of risks, risk-based decision-making and accountability for critical risks which may affect the organisation’s ability to deliver its business strategy.
With the benefit of hindsight, it is easy to think that risks and their potential consequences could have been predicted and managed. However, business success usually requires some acceptance of risk and, by their very nature, risky strategies can go wrong. Without hindsight, it is not always possible to predict the risks which are worth taking but a company with a strong analytical understanding of the risks it is facing is more likely to adopt a successful strategy that one working on “gut-feel”. A good analogy here is the actuarial role within general insurance.
It has taken time to become established, but it is now more generally accepted that the quantitative discipline 2. 2 2. 3 2. 4 2. 5 2. 6 2. 7 Page 2 How Safe Is Safe Enough? An Introduction To Risk Management provided by actuaries is a good complement to the anecdotal experience of the underwriter. Definition of risk 2. 8 The following is a definition of risk which we have found most useful in our work: “Risk is the threat that an event or action will adversely affect an organisation’s ability to maximise stakeholder value and achieve its business objectives and business strategies.
Risk arises as much from missed opportunities as it does from possible threats. ” Corporate risk management objectives 2. 9 The definition given above works well for corporations because it contains the key elements which are of interest to management. In today’s environment, it is important for all companies to have a clearly defined and communicated strategy and to be seen to be achieving the business objectives contained within such a strategy. The ultimate aim of risk management for a proprietary company is usually to protect and enhance shareholder value.
For a mutual life insurer, the prime objective may be to meet the policyholders’ reasonable expectations. In either case, the company must have clear business objectives and strategies before a risk management program can be put in place. Also, it is necessary to manage risks to objectives at all levels within the organisation. 2. 10 Page 3 How Safe Is Safe Enough? An Introduction To Risk Management 3 Types of risk “I am not part of the problem. I am a Republican. ” George W Bush, US President Types of risk 3. Whilst a single definition of risk is useful from a theoretical point of view, in practice it is necessary to drill-down further to generate useful risk management ideas. On this practical level, risk is often broken down between a number of different types of risk. Different risk managers are likely to choose different risk groupings, depending upon the relative importance of each of the factors to the business they are working in, together with their subjective views and the cultural issues affecting the corporate view of risk. In this paper we have chosen to consider risk in four categories: ! ! ! Operational risk – e. g. loss of key staff, IT system failure, image problems, health and safety issues. Financial risk – e. g. market risk, credit risk, liquidity risk. Hazard risk – e. g. environmental pollution, product liability issues, natural disasters, stress claims, property risk. Strategic risk – e. g. reduced insurance company profitability due to the implementation of stakeholder pensions, mergers and acquisitions, changes in demand, political changes. 3. 2 3. 3 Some risks are difficult to allocate to just one of these four categories because they involve two or more elements.
For example, merger and acquisition risks could include both strategic and operational risks. The diagram on the following page illustrates how different risks can be allocated between these four simple categories, allowing for some overlap. Page 4 How Safe Is Safe Enough? An Introduction To Risk Management Externally driven Internet sales tax Foreign currency rates Economic downturn Customer credit Interest rates Increased postage or printing costs Telemarketing RSI E&O liability Significant power failure Directors & officers Loss of major Supplier Shifts in product mix Liquidity and cash flow Customers demand lower prices Loss of supplier
Financial Risks Strategic Risks Internally driven Merger of competitors Change of government Damage to reputation Failure to lower costs via internet delivery Loss of talent to competitors Fraud Privacy issues related to mailing lists Internet outage or web site collapse Damage to information systems Theft of intellectual capital Loss of a site Hazard Risks Major office fire Operational Risks Operational risk “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events” – British Bankers’ Association 3. Operational risk is one of the first risks that organisations must manage, even before they make their first transaction. More recently, there is a growing consensus that operational risk management is a discipline in its own right with its own management structure, tools and processes. Some examples of operational risk are: ! ! ! ! ! Process risk – Are the processes operating efficiently? What are the weak points and what are the potential consequences of failure? IT risk – Is there a risk of total system failure? Are new system upgrades adequately tested? Are the optimal software and hardware in use?
Control system risk – Are there sufficient controls to spot errors and illegal acts early enough to minimise any adverse effect on the business? Human capital risk – Is the human capital resource adequately managed to maximise intellectual capital and minimise staff turnover? Health and safety risk – Is legislation constantly monitored and guidelines updated accordingly? 3. 5 Page 5 How Safe Is Safe Enough? An Introduction To Risk Management ! Compliance risk – Are adequate regulatory compliance policies in place and are they adhered to? Are compliance standards continually reviewed? Do conduct standards include an ethical element? . 6 Over the last few years, a number of high profile IT failures have highlighted the potential cost of operational risks. In March 2001, British Airways was hit by a computer glitch, caused during routine maintenance, which crashed the reservations system. As a result of this failure, manual systems had to be used causing hundreds of flights to be delayed and a number to be cancelled. In April 2000, a failure in the IT system at the London Stock Exchange left investors unable to trade for eight hours on the last day of the tax year and in 1998 problems with IT systems at the Passport Agency are estimated to have cost ? 2. 6 million. We could compare these stories of IT disaster with an almost miraculous story of a successful disaster recovery operation. On August 11 1999, United Airlines suffered a fire in its headquarters which left their mainframe systems unmanned due to evacuation of the building. United had just set up a complete mirror site as part of its disaster recovery plan and this plan was implemented without a hitch. As a result, United cancelled only one flight and had five delays out of 2,500 flights that day.
Whilst the disaster recovery site had cost $3 million to set up, this one event could have incurred a loss of as much as $600 million. For readers who are interested in finding out more about operational risk within the banking industry, we recommend a discussion document published by the British Bankers’ Association. This provides a comprehensive overview of current and emerging banking industry practice for the management of operational risk based on a survey and interviews with fifty five global financial institutions in North America, Europe and Asia. . 7 3. 8 Financial risk 3. 9 Some examples of financial risk are: ! ! ! ! 3. 10 Economic risk – Economic trends, changing interest rates, exchange rates, input prices, output prices and labour costs. Market risk – Stock market volatility, stock market crashes. Credit risk – Risk that a counterparty will not repay the amount owed in part or in full. Related operational risks – Control systems. Banks have been at the forefront of understanding financial risks over the last two decades. Despite this, they have experienced some of the most traumatic losses.
The near collapse of Long-Term Capital Management (LTCM) is one such case. LTCM was run by a group of high profile traders and economists whose strategy involved making arbitrage trades based on small inconsistencies in the pricing of assets, and taking highly leveraged positions to generate high returns. By early 1998, LTCM’s swaps amounted to about 5% of the total global market ($1. 25 trillion notional value) but its underlying net asset value was only $4 billion. Market changes following How Safe Is Safe Enough? An Introduction To Risk Management Page 6
Russia’s devaluation of the rouble in 1998 increased LTCM’s market exposure to the point that the available capital was no longer sufficient to cover its open positions. As many of LTCM’s creditors were banks, LTCM’s potential losses threatened a meltdown of the banking system and caused the US Federal Reserve Bank to intervene with a rescue plan. Many of the banks took huge charges in their 1998 accounts to cover the potential losses. 3. 11 LTCM’s strategy was not necessarily flawed; if they could have continued to operate, they may have produced profits from their trades.
They simply did not have enough capital to support their open positions. A better understanding of the capital requirements could have prevented LTCM from reaching such a dominant position in the market. The demise of Barings is one of the most famous failures and provides another very useful case study in risk management. Whilst it was movements in the financial markets which ultimately caused the losses on Nick Leeson’s derivative trading accounts, it is generally accepted that it was flaws in the related operational risk management practices allowed the situation to build up.
Nick Leeson had enough control over the operational processes to avoid the checks and balances which would normally be in place to prevent inappropriate trading. At the same time, the bank’s high level control systems did not detect that the portfolio was not matched even though it was generating unusually high profits. Banking risk management has also lead to the development of some practices which manage individual institution’s risks, but may have increased the level of risk within the market as a whole.
In March 2001, the Bank of England warned that global financial stability could be threatened by the rapid growth of credit derivatives. Banks use these derivatives to control the credit risk on their loan portfolios. However, the spreading of credit risk around the banking system also means that it is no longer easy for lenders, shareholders and regulators to assess the exposure of an individual bank to credit risk. The use of credit derivatives has more than tripled since 1997 to about $600 billion and this has lead to concerns that risk understanding and management may not have kept pace with the growth of this new market.
David Clementi, deputy governor of the Bank of England, said “It is important for institutions to ensure that infrastructure, documentation and risk management keep pace with the traders. ” 3. 12 3. 13 Hazard risk 3. 14 Hazard risks are familiar to the many actuaries who work in non-life insurance either for insurance companies, Lloyd’s or consultancies. They include many of the external risks which have traditionally been insured. Some examples of hazard risk are: ! ! ! ! Page 7 How Safe Is Safe Enough? An Introduction To Risk Management 3. 15 Property risk – Theft, vandalism, fire, security. Liability risk – Threat of lawsuits.
Environmental risk – Liability for pollution. Natural disasters – Storms, floods, earthquakes. ! 3. 16 Political risks – War, terrorism. As many of these risks have traditionally been insured, it is not surprising that one of the most interesting case studies related to hazard risk is based on the problem within the Lloyd’s market in recent years caused by asbestosis claims. The unique “Names” structure within Lloyd’s had developed over its 300 year history. Each individual Name provided capital to its syndicate in order for that syndicate’s managing agent to take on risks and, hopefully, make a profit.
The syndicate’s capital security was provided by a call on each Name’s entire personal wealth. During the 1970’s and 1980’s, Lloyd’s was extremely profitable and the number of non-professional Names grew rapidly. Many Names did not understand that losses could be made at Lloyd’s. During the 1980’s significant asbestosis claims began to emerge in the U. S. and major losses were incurred. It was only at this point that Names began to appreciate the extent of the risk to their personal wealth. As a result of this crisis, the structure of Lloyd’s has been amended and there is an increasing awareness of the risks borne.
Not all Names understood that in a world where there is no such thing as a free lunch, high returns can generally only be earned by taking high risks. If a deal looks too good to be true, then it probably is. 3. 17 3. 18 Strategic risk 3. 19 3. 20 Historically, the management of strategic risk has tended to be the domain of management consultants and other business strategy analysts. Some examples of strategic risk are: ! ! ! ! ! ! ! ! ! ! Page 8 How Safe Is Safe Enough? An Introduction To Risk Management Mergers and acquisition risk – Which company should be targetted?
Is due diligence carried out appropriately? What is the “right” price? Business risk – What effect could adverse publicity have on the business? Competitor risk – What are competitors likely actions? What effect will they have on supply and prices? Customer risk – What are the likely demographic and demand changes? Brand risk – Are brands adequate, suitable and known? Supplier risk – What are suppliers’ possible actions? How might they affect the company’s value? Legal risk – What are the effects of changes to legislation currently being considered? Political risk – What effect will a change of government have?
Image risk – What are the potential effects of whistleblowers and pressure groups? New opportunity risk – Which opportunities should be exploited, which put on hold, and which ignored? ! ! 3. 21 Product risk – Which product mix optimises the risk-reward trade-off? Opportunity cost – Are there unexploited opportunities within the organisation? A recent article in the Financial Times showed how, even given the best strategic analysis in the world, exposure to strategic risk can have catastrophic results. “How the mightiest fall for the silliest ideas. After the failure of London’s Millennium Dome, its supporters resorted to two defences.
First, they pointed to expert advice that said the Dome would attract the 12m visitors it needed to make a profit. Second, they said negative press comment had kept millions of people away. In doing so, they demonstrated the characteristic behaviour of those who make disastrous business decisions: a selective interpretation of the evidence in deciding to go ahead with a project and an insistence after it fails that it was someone else’s fault. ….. Why do companies make bad decisions? One reason is that people in control are determined to make their mark by doing something dramatic. …In a paper subtitled ‘How can experts know so much and predict so badly? ‘ they cite a study of clinical psychologists that showed experienced practitioners were no better at judging personality disorders than advanced graduate students, although they were more accurate than untrained students and secretaries. …. ‘Training has some effects on accuracy but experience has almost none’….. Senior executives make too few decisions to learn much from them. It can be years before they discover whether their projects have failed and it is often not entirely clear why they have done so. ” Probabilistic and systematic risk 3. 2 3. 23 3. 24 We could also consider two different types of risk with which actuaries are generally familiar, probabilistic risk and systematic risk. Probabilistic risk is that element of risk which can be eliminated (averaged-out) by diversification. Systematic risk is risk which cannot be averaged-out because it affects all projects e. g. index tracker funds eliminate the (probabilistic) risk of underperforming the market but their return is still uncertain because it is dependent upon overall market returns. Different types of opportunity can be subject to different levels of systematic risk e. g. he success of construction projects has a high level of correlation with the economic cycle but “bread and water” projects are more independent of the economic cycle. In general, probabilistic risk can be allowed for by attaching probabilities to the various outcomes and systematic risk can be allowed for by varying the discount rate. An analysis of discount rates is beyond the scope of this paper, but the choice of discount rate should reflect the nature of the risk and any market price that may be observable for similar risks. 3. 25 3. 26 Page 9 How Safe Is Safe Enough? An Introduction To Risk Management 4
Risk perception “I believe we are on an irreversible trend toward more freedom and democracy – but that could change. ” George W Bush, US President Public perception of risk 4. 1 Risk perception in everyday life has changed greatly over the last few decades. Round the clock news channels and increased media interest in risk have increased the amount of public debate on risk and how it can be managed. But has risk actually increased? Individuals are exposed to many different forms of personal risk e. g. risk of injury, financial loss etc. We have chosen one specific risk for consideration in this section, the risk of death.
Given that we now live longer and generally have better health than we did twenty years ago, one could argue that the risk of death has not increased. We are however more aware of the risks that exist. The media interest in the growing incidence of cancer is one example of how it is possible to misrepresent risk. We have become generally more aware of the growing number of cancer cases and so many people perceive there to be a higher personal risk of cancer. However, since cancer is generally an older person’s disease, the increased number of cancer cases could merely be an indication of an ageing population.
Higher incidence of cancer could also be associated with reduced incidence of death from illnesses which strike at much younger ages. The media coverage of research findings can be misleading and is often sensationalised. Usually there is little discussion of the statistical basis of the research or of the underlying assumptions or modelling weaknesses. Once published, information can gain more credibility than the underlying scientific analysis deserves. Actuaries are skilled at separating the accurate from the spurious in areas such as analysis and reporting of results. 4. 2 4. 3 4. 4
Personal perception of risk 4. 5 It is important for risk management professionals to understand the difference between perceived risk and actual risk. Whilst it is not possible to give a completely accurate quantitative assessment for every risk, we can produce a reasonable estimate for many. Analysis of data relating to a particular risk can lead to surprising results when compared against “gut-feeling”. As an example, we investigated the fear of flying. One of the authors (try and guess who! ) regularly travels to clients by plane, despite an intermittent fear of flying, and in particular a fear of turbulence.
Taking off and How Safe Is Safe Enough? An Introduction To Risk Management 4. 6 Page 10 landing are fine, even though 70% of all aircraft incidents occur during these parts of the flight. Indeed, only 24 people have died in turbulence related incidents since 1980. Whilst statistical analysis shows that flying is the safest option for certain types of journey, this individual’s personal appetite for this particular risk is so low that other forms of transport are always preferable. This is despite the fact that the odds of dying on the flight to Turkey, a journey which the (female! author is about to take this week, are apparently 1 in 10,763,895 flying with British Airways in a Boeing 757. These odds are much lower than those for a comparable journey by car, especially if it is being driven by one of the other authors (try and guess who! ). 4. 7 This example illustrates one well proven risk perception phenomenon. In general, people have a fear of disasters, even though disasters are a smaller cause of mortality than more routine risks. Every day people need to identify, prioritise and manage the risks they face in life, but they often seem to get it wrong.
They ignore serious risks like driving and heart disease and obsess about trivial risks such as flesh-eating bacteria – the set of risks that kills people and the set of risks that scares them are not the same. Some interesting studies have been carried out which provide some insights into the factors affecting perceptions of risk. A study carried out by researchers in the US indicated that females are consistently more risk averse than their male counterparts, and that a number of other factors such as race and educational status can also affect risk perception.
Risk managers need to be aware of these biases when attempting to quantify risks based on opinions. However, it is important not to over-generalise and each individual’s contribution must be treated with equal respect. 4. 8 Subjectivity of risk assessments 4. 9 A further problem with risk assessment is that it is often subjective. There is no such thing as a true risk assessment; the nuclear engineer’s probabilistic risk estimate for a nuclear accident is based on a theoretical model whose structure is subjective and whose inputs are dependent upon judgement.
Subjectivity permeates risk assessments from the initial structuring of the risk problem to deciding which results or consequences to include in the analysis, identifying and estimating exposures, choosing relationships and so on. For example, in a risk assessment environment, there are a number of ways of expressing the actuarially familiar mortality risk depending on the industry being examined or the question being asked. Between 1950 and 1970, coal mines became much less risky in terms of accidents per tonne of coal, but became marginally more risky in terms of deaths per employee.
Deciding which measure is most important for decision making is entirely subjective. Coal mine managers are more likely to be concerned with the former and coal miners with the latter. Each way of summarising deaths embodies its own set of values: ! ! “Reduction in life expectancy” values young lives more highly than older lives. “Number of deaths” values all lives equally and also treats all reasons for death equally. 4. 10 4. 11 Page 11 How Safe Is Safe Enough? An Introduction To Risk Management ! 4. 12 Number of deaths weighted by some risk factor or by type of death” involves a value judgement regarding the weights attaching to different categories of death. Once a risk analysis has been carried out, a further element of subjectivity is incorporated through the presentation of results. Numerous research studies have demonstrated that different (but logically equivalent) ways of presenting the same risk information can result in different evaluations and decisions. For example, research has shown that strikingly different reactions can be generated by information framed in terms of probability of surviving rather than the risk of dying.
Other problems caused by subjectivity in the perception of risk are: ! Probabilistic information processing – People tend not to generate accurate probability statements about the frequency or severity of events. This could be due to poor memory of past events and to an inability to convert information into a probabilistic framework. All too often, intuitive analyses of events leads to systematic bias in probabilistic estimates. The law of small numbers – There is a tendency to overgeneralise on the basis of small sample sizes and often to fail to discriminate between long and short recording periods when evaluating evidence.
Perception of randomness – People have a very poor perception of randomness. For example, in coin tossing games, there is a marked tendency to expect that a tail is more likely to occur after a head, or a series of heads, have occurred. Judgements of correlation – Prior expectations of probabilistic relationships can lead individuals to perceive correlations where they do not really exist. Judgement of probability – In complex situations, people have a tendency to estimate probabilities by reducing difficult problems to a series of simpler judgements.
Some events are more memorable than others and these tend to be attributed a higher probability than more frequent events which are less memorable. Equally, when estimating the potential loss due to a particular hazard, judgements tend to be heavily influenced by the most recent comparable event. In actuarial terms, people tend to be poor at estimating the exposure to risk. Information processing biases – There is some evidence to indicate that problems with the integration of information may cause people to make judgements that are inconsistent with their underlying values.
For example, if a person is asked to rank a series of risks by preference, and then to state a preference between each pair of risks, the answers are not always consistent. Hindsight bias – Looking back on events, we tend to believe that we had a better idea of what was going on than we actually did. This can prejudice the evaluation of decisions made in the past and limits what is learned from experience. 4. 13 ! ! ! ! ! ! Page 12 How Safe Is Safe Enough? An Introduction To Risk Management Subjectivity and risk management 4. 4 The stakeholders in an organisation are collections of individuals: shareholders, executives, employees, customers and regulators. The organisation’s utility function or set of preferences for risks is a combination of the stakeholders’ utility functions, each of which is affected by the individual’s perception of risk. So, individual risk perception is clearly important to risk managers. Clearly, risk has a large qualitative as well as a quantitative element. Analysing organisations’ risk appetites is as much an art as a science.
Traditionally, risk managers have not believed that actuaries could add significant value to the process of understanding risk. However, the actuarial discipline can prove valuable in putting together a framework which enables a rigorous analysis of risk to be carried out in a way which fully documents the assumptions and potential weaknesses in the underlying model. 4. 15 Page 13 How Safe Is Safe Enough? An Introduction To Risk Management 5 Traditional risk management “I hope the ambitious realise that they are more likely to succeed with success as opposed to failure. ” George W Bush, US President 5. Risk is an essential element of any strategy; take on too little or too much and returns may be affected. Business writing is filled with terms such as “risk-reward trade-off”, “cost-benefit analysis” and “calculated risk”. The ultimate aim of risk management policies for a proprietary company is usually to protect and enhance shareholder value. For a mutual life insurer, the prime concern may be to meet the policyholders’ reasonable expectations. In either case, the company must have clear business objectives and strategies before a risk management program can be put in place.
Also it is necessary to manage risks to objectives at all levels within the organisation. An important goal of risk management is to improve the quality of decision making within the organisation by putting in place a structure which identifies the organisation’s exposure to all forms of risk, and analyses the potential effect of these risks on the organisation’s performance. Entire industries have evolved to help companies manage risk: ! Hazard risk – Insurers created insurance coverages to enable companies and individuals to pool this type of risk, dramatically smoothing the financial impact on individuals and enterprises.
Financial risk – Financial services firms have developed techniques and financial instruments to help companies to dampen or hedge against the impact of financial risks such as fluctuations in exchange rates. Operational risk – Consulting firms have devised ways to minimise risks from information, systems and processes. Strategic risk – Management consultants have filled this space with their everchanging views of the optimal business structure – first downsizing, then rightsizing. 5. 2 5. 3 5. 4 ! ! ! Traditional risk management processes 5. It is important to consider a wide range of issues before setting up a risk management framework because it is impossible to predict exactly what will happen in the future. These issues include: Page 14 How Safe Is Safe Enough? An Introduction To Risk Management ! ! ! ! ! ! ! 5. 6 What risks does the organisation face? How sensitive are the organisation’s strategies, market position, financial results and other sources of value to these risks? Which of these risks may prevent the organisation from achieving its objectives? How capable is the organisation of responding to changing situations?
What are the organisation’s risk preferences? What is the organisation’s required risk-reward trade-off? Does the organisation have enough capital to absorb any significant losses? Traditional risk management tended to be carried out at the operational or financial unit level. In general, the traditional risk management process would incorporate the following stages: ! Assess risk – Carefully identify the risks faced by the unit and develop a clear understanding of the nature of these risks. Identify the key risks to the unit’s performance. Evaluate impact – Model the risks and their effects on the unit.
This should also include an assessment of the risk that the model chosen is not an accurate reflection of the risk going forward. Implement risk management programs – Develop risk mitigation programs, risk avoidance programs and risk financing solutions. Set reward strategies – Develop compensation packages which contain an element relating to risk management activities. These should be structured to ensure that managers’ incentives are consistent with the risk management strategy. Implement organisational structure – For a risk management program to be successful, each individual’s role and responsibilities should be clearly defined.
The lines of management and the organisational structure should be clearly set out and communicated. Identify risk monitoring measures – Identify a key set of measures for each risk so that risk exposures can be monitored regularly. Implement control systems – Implement a suitable control environment to ensure that risks are adequately reported and managed. This should include well defined management structures and systems which provide sufficient checks and balances on individual’s actions and business processes. Training personnel – Implement a training regime that assists members of staff in carrying out their roles. ! ! ! ! ! ! Page 15 How Safe Is Safe Enough? An Introduction To Risk Management ! Back-testing – The risk models should be back-tested regularly against actual data to ensure that the model continues to be valid. Parameters should be reset where necessary. Monitor financial and process performance – The systems should provide risk information in a timely and consistent manner. The results should be analysed regularly and the risk management process reset if necessary. ! 5. 7 This process of monitoring and feedback is very familiar to most actuaries nd is analogous to the actuarial control cycle. Some examples 5. 8 The response to a number of recent issues provides a useful set of case studies. Could the effects of these “crises” have been mitigated if a pro-active, risk-focussed strategy to management had been in place prior to the event? After the Hatfield train crash, speed limits were placed on many sections of the rail network and a vast program of emergency rail upgrades was put in place. This caused widespread chaos on the rail network and forced many people to drive instead.
Statistically, driving is not as safe, but deaths on the roads generally occur in isolated incidents and have less media coverage. People are generally more concerned with high severity, low frequency events such as train and plane crashes than they are with low severity, higher frequency risks such as car accidents. The emergency strategy adopted was probably not the most efficient solution. A well-managed risk management strategy could have highlighted this problem earlier, so that a more structured rail replacement program could have been implemented. The Y2K problem illustrates a very different approach to risk management.
The issue was identified early, the potential risks were assessed and communicated and corrective action was taken in time to prevent any business disruption. Or was this an over hyped non-issue which cost many companies a huge amount of money? Y2K can only be considered to have been a successful risk management exercise if the perceived value of the risk which was prevented is less than the cost of the “cure”. Risk management costs money and, if done well, will reduce losses. It is therefore important to identify the likely cost savings from risks which have been successfully managed.
These should be broadcast loudly to ensure that the organisation does not become complacent and scale back a successful risk management program. 5. 9 5. 10 5. 11 Monitoring changes in behaviour 5. 12 As well as measuring the success of a risk management program, it is also important to monitor any behavioural changes it may cause. The potential of risk mitigation to affect decision-making is well known to actuaries, for example, the moral hazard in insurance. Actuaries can provide a wealth of experience in monitoring and managing such effects. Page 16 How Safe Is Safe Enough? An Introduction To Risk Management 6 Risk analysis methods It isn’t pollution that’s harming the environment. It’s the impurities in our air and water that are doing it. ” George W Bush, US President 6. 1 Risk analysis is a broad term which includes risk assessment, risk ranking, understanding risk characteristics, comparative risk assessment, setting risk-based priorities, risk-reward analysis and cost-benefit analysis Risk characteristics 6. 2 Several characteristics could be of interest when assessing a risk. These include the mean, volatility, probability distribution, correlations between the risks, utility functions for various types of risk and any qualitative characteristics.
For some types of risk, there may be a credible amount of relevant historic data on which to base estimates for these characteristics. For example, a huge amount of work has been carried out on the analysis of historic stock market data for use in stochastic projections. For other risks there may be little data on which to build probabilistic statements. In these cases, the ability to make judgements based on past experience of the business or of similar risk scenarios is invaluable.
Ideally, the risk assessment team should include experts in the business, risk management professionals and others who can facilitate the risk assessment and model building process. Actuaries are particularly well suited to fill the latter roles. 6. 3 6. 4 Statistical analysis 6. 5 It is impossible to carry out any significant risk analysis exercise without a statistical framework. Statistical analysis enables the risk manager to take a body of historical data and to produce a model which can be used to predict and analyse possible future outcomes.
Specific probability distributions are generally used for different types of analysis e. g. normal distributions for market risk, beta distribution for credit risk. Each distribution should be carefully compared against historic data to ensure that it provides the best fit to the distribution of historical outcomes. Once a suitable distribution has been chosen for a risk, it can be used to generate simulated future results for that particular risk. The model should allow for correlations between the elements of risk.
Often, the risk in one period can be expressed as a function of a variable in the previous time period if observations over time are not independent. In this case, more complex models must be used to reflect this dependency. How Safe Is Safe Enough? An Introduction To Risk Management 6. 6 6. 7 Page 17 Extreme value theory 6. 8 Extreme value theory is a subset of statistical theory which relates to the tails of probability distributions. The extreme and generally rare events in the tails of the distributions are the events which can create the catastrophic results which the risk manager is trying to avoid.
However, there is usually little data regarding catastrophic events, so traditional statistical approaches tend to be inefficient at predicting them. In addition, distributions are usually fitted to data using the whole data set. A distribution which is a good fit for the whole data set will not necessarily be a good fit for the tails of the distribution, particularly if the tails are “fat” or “thin”. Extreme value theory concentrates on the data relating to the tails of the distribution and does not try to fit the distribution to the rest of the data.
Practitioners working within this field have developed special graphs and techniques such as Q-Q plots and the Hill graph, which help data analysis and distribution fitting for the tails of distributions. Extreme value theory methods can be applied to supplement other methods of risk assessment. For example, Value at Risk (see section 7) measures often assume a normal distribution of risk. A Value at Risk measure built around extreme value theory could arguably provide better estimates of catastrophic risk than measures based on the tails of common probability distributions. 6. 9 6. 10 Risk maps 6. 1 Where there are significant qualitative elements to a risk we need tools to put a sound and easily communicated framework around practitioners’ risk perceptions. The following two examples of risk maps illustrate the kind of output produced by the risk management process. Each of these sample risk maps is a pictorial representation of the practioners’ risk perception of the severity and frequency of a number of risks. Each has a slightly different scale. The first graph measures severity in monetary amounts and frequency in terms of how many years would elapse on average between events.
The second map uses different measures; both severity and frequency are measured on a scale of 1 to 5. In each case, individual risks are shown using codes (for example, T in the second map could be the risk of losing a site due to fire) and the range of possible outcomes is shown by using a line from the lowest possible outcome to the highest. Risk maps are particularly useful for ranking risks i. e. deciding which risks are more important to the business, ascertaining qualitative risk characteristics, assessing which risks are perceived to be comparatively important and setting risk based priorities. . 12 6. 13 Page 18 How Safe Is Safe Enough? An Introduction To Risk Management = Single Event Major Hazard / Operational / Financial Risks = Aggregate Uninsured/ Unhedged Insured/ Hedged Can’t buy / Choose not to buy Excluded Completely Within Deductible Subject to sublimits, exclusions, limits, coinsurance, deductibles, or retentions B13 $100M B4 B4 B15 B6 B17 B9 B18 B17 B10 B14 Severity $50M B15 B29 B7 B8 B17 B16 B18 B27 B8 B17 B16 B3 B10 B11 B14 B23 B12 B21 $10M B3 B20 B11 B24 B22 B21 B27 B12 $2M B20 B24 Every 20+ to 5 Years Low
Every 5-3 Years Low/Medium Every 3-1 Years Medium/High More than Once a Year Frequency Page 19 How Safe Is Safe Enough? An Introduction To Risk Management More likely to occur More severe 5 2P T L F Severity Scale 5 – Catastrophic – ? 100 million 4 – between ? 25 – ? 100 million 3 – Significant – ? 25 million 2 – between ? 2 – ? 25 million 1 – Material – ? 2 million D H E A W G 2G KJ 2E 2C 2K B 4 3 2 1 1 Extremely Unlikely Less than 5% 2 Unlikely Less than 25% 3 Occasionally 50% 4 Regularly 75% 5 Imminent / Ongoing Greater than 75% Probability Scale