Wednesday, April 24, 2013

ERM Symposium Day 3: General Session V

Last day, last General Session, last session...

General Session V: "Interconnectedness and Contagion in Global Markets: Missed Opportunity"

Panelists: Kimo (sp?), Jim Allison of ConocoPhillips, Allan Mendelowitz of the Federal Housing Finance Board, Adam Litke of Bloomberg, Stuart Wason of OSFI Canada, + one more (PC Guy)

Kimo: The literal interconnectedness of assets, now that the topology is actually known by regulators, isn't significant to explain the amount of contagion seen during the financial crisis. [KR: They've literally mapped this over time, which is pretty cool.]

Jim: Path-dependence relates to contagion. Some exogenous cause is not contagion. Contagion is how an exogenous cause affects entities 1-(i-1) and then that affects entity i.

Allan: Remember that all of this is happening in a fractional-reserve system. Institutions are brought down by liquidity and collateral shortages. One aspect of contagion is Jim's type. The other type is related to the lack of information, where everyone tends to assume the worst, which leads to fire sales. So the perception of a problem is as important as actual problems.

Adam: Over an even longer timeframe, the connections become even more unlikely and unexpected.

Stuart: Insurance doesn't do as much work on interdependencies, but it's applicable to us as well. Contagion risk is less of an issue, although there are examples.

Some PC guy: Insurers look at classes of business. Premiums rise and fall with the general economy, so there's a big connection there. Characterizes asbestos and Sandy as contagions. Asset side is simple though. Simple, carefully managed, liquid, and low-yield.

What about regulatory contagion? Financial crisis resulted in regulations on energy sector.

Jim: I don't like saying that something could not be foreseen. True we didn't, but could we have? In this case, we were indirectly connected to the banks. Banks -> derivatives, derivatives = highly risky, high risk -> regulation. That was the logic of pulling the energy sector into the regulatory response. I wouldn't call it contagion since it hasn't killed us yet.

Central clearing is applied as a way to reduce interconnectedness. Does that create too much systemic risk? Is there a central point of failure?

Jim: Yes, they've been identified as such, but the rationalization is that they are well capitalized and therefore safe. We've heard this argument before. All the eggs are in one basket, so that basket needs to be watched very carefully.

Allan: Contagion is about reducing counterparty risk, not systemic risk. Clearing houses address counterparty risk. I don't see how they improve systematic risk. We're just trading one set of risk for another.

Adam: Clearing houses do provide other benefits, for instance it simplifies the process in a way that reduces operational risk. They also separate direction risk from counterparty risk.

Jim: Still we appreciate having the ability to use clearing houses, because at times we are concerned with removing counterparty risk. But in exchange you pick up liquidity risk. In my industry, we are accustomed to managing counterparty risk, but liquidity risk is something we're less comfortable with. Consequently there is a potential for systemic risk to increase.

PC guy: Sandy illustrates interconnectedness of bank, insurance, and energy in that insurance losses are mitigated when the power can come on sooner. At one point, a regulator explained his view on rate increases, and while he said that he believes insurers are entitled to reasonable returns, he explicitly said "Do not send me a rate filing that includes a hurricane model, because we don't have hurricanes in this state." The very next week, the governor's mansion was hit by a hurricane. So, what are you going to do about that?

Jim: We discussed giving regulators "big data" to do "big science." What if instead we determined how much/what information on your counterparty is necessary to assess your risk re: that counterparty. I think it might make more sense for each entity to have access to the information (to remove/reduce the information asymmetry) and to each perform their own analysis. Could that reduce the threat to whole system? Could we convince entities to give up that kind of information?

Adam: Regulators can improve the information flow, but so can firms. TBTF is destined to fail because the largest economy will always have the largest firms.

Have business and regulators done enough to prepare for the next crisis?

PC Guy: We are always looking toward the next crisis, but what are we to do when we're regulated into certain assets and certain risks? We have limited ability to do anything to prepare.

Allan: I don't like the term TBTF. TBT-Prosecute, maybe. Better is Too Interconnected to Fail. Look at the car industry. In order to do something about this, the government needs to know what the interconnectedness looks like. During the financial crisis, the government people made all kinds of huge decisions with no data and no evidence. So we need information, we need data standards.

Stuart: Regulators could ask firms to demonstrate how they would manage things if they were to get into difficulties.

Kimo: I think we're on a good path to understanding interconnectedness. Contagion needs a lot more work. The domino effect isn't known that well for central banks and others. We need formal models for this. For joint-ownership of assets, we don't know anything right now.

End Conference! Thanks for following.

Day 3 Lunch - Sheila Bair

Today's luncheon keynote was a vast improvement over yesterday's gross failure. The speaker was Sheila Bair, former FDIC Chairman. The welcome packet for the seminar included her book, Bull by the Horns. Her most interesting comments to me were:

1. The move in regulation toward using internal models to set capital limits (in banking and in insurance) is in her opinion a bad idea. It creates perverse incentives by penalizing firms with conservative models. Models are going to be biased low when regulators use them directly (and worse: unbiased models won't be produced at all.)

2. Regulators create more and more complexity, and the current path (Basel, etc.) is disastrous because of this. Incomprehensible regulations abound that no one can follow.

3. Valuing assets on a risk-adjusted basis for regulatory purposes has been a disaster. It creates perverse incentives to hold certain assets and report them in a certain way. As a solution, she proposes a return to a simple leverage ratio requirement temporarily until regulators have enough time to develop a better model for risk-valuation of assets.

Overall, it was an interesting talk. I look forward to reading her book.

End Lunch Keynote.

Concurrent Session 4F

"Optimal Growth and Correlation Analysis for PC Insurers"

Last concurrent session...

Dr. Luyang Fu:
Rapid growth is one of the top causes of financial impairment in PC. Growing often means lowering price, looser UW standards, and taking on poorer risks.

"Introduction" slide lists some papers for background reading on the inverse relationship between profitability and growth: Aghion and Stein (2008), Harrington, Danzon, and Epstein (2008), and Ma (2009).

Papers on relationship between policy age and loss ratio: D'Arcy and Doherty (1989; 1990), Cohen (2005), and Wu and Lin (2009).

Papers on optimal growth: D'Arcy and Gorvett (2004) uses a 3-factor econometric model on 14/15 companies. Excluding AIG from the data, he finds that the optimal growth is actually 0%. Including AIG he gets 10%.

Using this model in practice is problematic due to the lack of data and the extreme volatility from removing AIG (parameter risk.) Also the underlying assumptions of the DFA scenarios are iffy. Fu (2012) applies some improvements to the model, but it also has the disadvantage that it's not stochastic. Equilibrium theory underlies his model. Starts with growth target and % that will be new business to project the combined ratio over a number of years.

Surplus constrains growth, as we know, so there is a limit on the curve. This means that in order to grow faster, CR needs to be lower, and you can draw this "blue line." [KR: see the presentation for formulas. Session is also being recorded.]

Plotting both curves gives you something like the supply and demand curves, yielding the optimal growth. See the Case Study slides for the end results. Note that in the chart of 5-year profits, the column labeled "Year" is supposed to be "Retained Profit." Weight on surplus and the time horizon both make a difference in whether or not growth > 0 is optimal.

Dr. Benedict Escoto (Aon, woot!):
Discussion of correlation/contagion factors. Hierarchical models (Bayes networks) express Y as a function of X. Multivariate distributions with a correlation. Notes that 0 correlation ≠ independence. Also there are other ways to measure correlation besides the standard Pearson (Cov(X,Y) / (SD(X)·SD(Y)).) Copulas (CDF) transform distributions (any monotonic increasing) into a distribution between 0 and 1. Slide 9 shows an interesting example of how even having the perfect underlying distribution can be less effective due to synthesis error. It can work better to use the "wrong" distribution sometimes if it's simpler.

CAT models have traditionally assumed no correlation in severe weather events (non-hurricane.) Tornadoes recently seem to contradict this notion. Traditional model is getting frequency right and severity by layer right, but layer and ground-up CVs are mismatched. Higher layers have more volatility than the traditional model suggests. Using a Gaussian copula [KR: see slides for this formula.] resolves this issue.

Audience question - disconnect between AY CR and CY CR. Does this send false signals about growth?

Luyang: Yes, CY result would be off, particularly if you're under-reserved. It's important to educate your executives about the difference between CY and AY.

Luyang's question to Benedict - how often is reinsurance sold in each of these layers versus overall? Does it really matter that we're off on the volatility by layers?

Benedict: Not every reinsurer buys enough layers to solve the problem.

Audience question - how do you parameterize correlations between lines of business?

Benedict: Relatively simple approach. Larger companies with greater diversification in losses are more subject to market risks. We develop a correlation matrix for market risk and layer on top the individual company diversification risk.

End Concurrent Session 4F.

Concurrent Session 3E

"Stories of Risk Culture: the Good, the Bad, the Ugly"

Presenters: John Wengler of Hess and Dragana Pilipovic of Energy Risk WorkDesk

John:
Blame VaR/models/numbers for the crisis? NO. Don't blame the brakes, blame the driver. "St. Francis of Assisi" vision of a risk manager, i.e., highly moral (and associated with martyrdom.) Risk manager should NOT be the most moral person in the organization; he should be like everyone else in the organization.

There's nothing inherently wrong with speculation. We have to have bottom-feeders and vultures, etc. That's how we get functioning markets. See slide 6 for his matrix of the types of risk culture. Individuality versus Community and Order versus Chaos. From this we get "the Accountants," "the Hollywood Agents," "the Commanded and Controlled," and "the Flock" (respectively mapping to: IO, IC, CO, CC.) Then you create a distribution of the organization according to where each person in the organization falls on these axes. The core represents the culture of the organization, but you should have people who go against the core as well, as these people can drive innovation.

Dragana:
Risk management culture needs to be tied to the way the company makes its money. So then the question is: who is motivated naturally within the organization to achieve high-quality risk management? Someone who will stay at the company long-term, who understands the key factors that create success for the company, who answers to the shareholders. Is it about ethics or personality? How does corporate culture motivate? The same person can behave very differently in a different environment.

Focus is on trading. Market making is theoretically risk-neutral (as compared to speculation where you deliberately leave your position unhedged.) Arbitrage as a strategy does NOT usually mean pure arbitrage (this doesn't happen enough to make enough money.) Statistical arbitrage aims to make money over time. In this case, you do hedge by buying the option and the underlying stock. If you're right about the actual price, eventually you will make money. Finally there's a strategy to just invest in risk-free rates.

In some cases, people say they're doing statistical arbitrage, but when the underlying thing you're betting on is itself risky, it starts to look like speculation. In general, the best traders I've seen have been the best risk managers; in fact, they are risk managers first and traders second.

Natural choices for risk managers include the C-suite and consultants (operating in a competitive consulting market.)

Success stories:

Story 1: Speculative trading shop taking substantial risks. Top trader with decades of experience was not particularly quantitative but did have a good instinctual feel for distributions. He would review the company's book periodically and if he didn't agree with another trader's trade, he would literally take the opposite position in his own book. His focus was on the risk for the total company being at an acceptable level, even if he personally took losses to accomplish that. This shop then had ridiculously stable returns, unlike anything I've ever seen.

Story 2: Volatility arbitrage firm with a head trader who had a quant background, but not a deep understanding. But he valued quants and had as many quants as traders. In this shop, the quants were viewed as the profit-makers, above the traders. Traders were only allowed to trade based on the quants' estimates of volatilities subject to a certain spread. Again a very successful shop.

Story 3: Energy company where CEO and CFO were the top risk managers. Culture started with them and permeated the company. Maintained an appropriate level of trading (under Treasury function) given their level of expertise.

Who is *not* motivated to help the company? Rogue traders, people who just don't realize they lack expertise, C-suites motivated by short-term gains or who are addicted to high returns, or consultants who are loyal to one person and not the company as a whole (because that one person will feed them more business.)

Failure stories:

Story 1: Speculation - Rogue trader takes advantage of "chaos" in the firm to mark his books to his advantage. Really this is a management failure - chaos must be dealt with.

Story 2: StatArb - Assumed mortgage pre-payment rate was fixed, then it suddenly changed. Perhaps couldn't be hedged, but the size of the position could have been managed. In this case, everyone was reviewing and following the model, but this assumption was missed. Consider when assumptions might change.

Story 3: Asset arbitrage failed at a firm where the C-suite (same company as success story!) decided to chase higher returns without acquiring the appropriate in-house expertise. Failed and exited the new business.

Story 4: Market-making - sales-driven organization ended up with negative MTM value on numerous deals. Possibly due to the IT system.

Story 5: C-suite addiction to higher returns happens frequently. They don't ask how the money is being made. Natural gas spreads, ignoring market liquidity. C-suite approved blowing through the VaR limit multiple times.

Responses to questions from the audience:

John: I don't even like the title CRO, because it implies that risk is a separate function rather than embedded throughout the organization. The best, most thoughtful manager of risk should NOT be the risk manager, it should be the CEO and head trader.

Dragana: The capital issues during the financial crisis were aggravated rather than solved by TBTF. Not that it would have prevented the crisis, but the clean-up would have been more efficient had it been allowed to happen in the free market. Then again it might have prevented it if the risk had been owned by the market (instead of by Fannie/Freddie/gov't.) It may not have made a difference, honestly, if C-levels were caught up in the huge returns. The data was there, showing the risk, but it was ignored.

John: Greenberg at AIG valued the AAA credit rating above all else. After he left, the attitude became "why isn't AA good enough?" But the collateral demands on a AAA versus a AA company are significant. They lost their access to easy credit in addition to having to post margins for losses and collateral on loans. You need to recognize where you're vulnerable. That and you need to recognize when you've been lucky.

Is risk management contrary to human nature?

John: There are some members of the tribe who think long-term, who are managing risk. At the same time, there are cowboys out there.

End session.

ERM Symposium Day 3: General Session IV

Last day, penultimate general session!

General Session IV: "Critical Reflections of the Crisis; International Regulatory Experiences and the Way Forward to a More Robust Financial System"

Dr. Colin Lawrence of the Bank of England, Dr. Allan Malz of the Federal Reserve Bank of New York, John Bilson of the Illinois Institute of Technology

Almost everything said during this panel was said before, particularly in General Session II and in Dr. Lawrence's comments during the "Three Lines of Defense" Seminar (Day 1.) Note that I didn't take notes on the very beginning of this panel, nor on the parts that were redundant.

Allan:
Risk spreads - declined since 2009 but not all the way back to historical levels
Market liquidity - continues to be in poor shape
Implied volatilities - at all-time lows
Why hasn't market liquidity improved with these other variables?

John:
Concerned about the behavior of central banks (increasing the money supply.) We are moving toward a period of higher interest rates. "In economics, everything takes a lot longer to happen than you think it would. When it happens, it happens more quickly than you thought it would." We are seeing inflation in the stock market and housing prices as a consequence of this monetary policy (quantitative easing.) Consequently there is a lot of uncertainty in the financial markets. Which countries are doing best coming out of this crisis? Australia and Canada seem to be doing better, with less central bank interference (although there are other influences in those economies.)

Colin:
Commercial bank profitability declines with interest rate compression. If you raise the interest rates, it's not just the central bank rate, it's the expected inflation on top of that. With high interest rates *and* high unemployment, we'll have high impairments. Forbearance, etc., will result in many more challenges for banks unless they change their controls in advance.

Allan:
We need to remain cognizant of the "human risk," because any adjustment we might make may not play out as expected if people react differently than anticipated. Regarding inflation, at least for the moment expected rates seem well-anchored.

What are implications for risk management practices?

Allan:
Obviously risk managers need to be tracking these regulatory changes. Regulators are looking more at risk-weighted assets, but more than that, we're realizing that simply adding more capital resolves a lot of problems very simply.

What about CVaR? In some cases, we see the CVaR is actually lower than the VaR.

Allan: I've never understood why CVaR is set up as being so much better than VaR. You still need a distribution, and the problem with VaR is that we don't know the distribution. It also doesn't resolve the problem on one-size-fits-all regulation.

John:
There's a fiber-optic cable from Chicago to NY that runs in a straight line instead of along the railways like the old one. Access to this cable costs $1M per year, and it saves you 3-1000ths of a second. That shows how big electronic trading is. Computers are making trades before any human even hears or reacts to news.

Colin:
Liquidity issues make VaR not work when you have concentrated assets. It's a fundamental flaw that's been present for a long time.

End General Session IV.

Tuesday, April 23, 2013

ERM Symposium Day 2: Panel 4

General Session III: "At the Nexus of Strategic and Operational Risk"

Jim Allison of ConocoPhillips:

Strategic risk: 1. Gap between what you actually did and what you said you were going to do. 2. Mistake made in estimation process.

Operational risk: 1. Doing things that ought not be done. 2. Not doing things that ought to be done.

Business creates value from opportunities, with proper execution, subject to constraints.

New regulatory environment post-financial crisis is increasing operational risk substantially. For example: Imposed margins to reduce risk to financial systems, which simply transforms counterparty risk into liquidity risk. An energy firm may have a better handle on counterparty risk than liquidity risk, in which case this trade doesn't make sense. Efficiency and transparency resulted in more reporting. Abuses/fraud have always been illegal, but authority to punish is increased. Preventing inappropriate marketing resulted in special protection for municipalities and other "special entities."

Attitude of regulator tends to be to punish rather than coach to improve compliance. Reason is that Congress attacks regulators whenever something goes wrong unless they can demonstrate that they were "all over it." Then of course these are all expensive things to implement, the cost of which is most likely to be passed on to consumers.

Frans Valk of GE Oil & Gas (Enterprise Risk Leader):

Industrial risk management at GE is new. Even the Oil & Gas part of GE is relatively new. It was built out of a number of acquisitions. Now all divisions have an ERM leader and adherence to risk policies is audited. Believes that the important thing for the risk team to do is bring a different perspective to business discussions.

They see the four main risks as operational, strategic, financial, and legal/compliance. Then he asks each department "What's your current status? What is your goal?" Sometimes you have to accept a trade-off between what you want to achieve and the risks you're willing to take in order to achieve it. Because of the nature of a product manufacturing type business, his focus as a risk manager is on the hand-offs of risk as products move through the process.

His main point was that in the traditional product market, they have to set risk appetite in a different way than in insurance. They think of risk in terms of outcomes. For example if our product is defective, how many people lose fingers? Are we willing to tolerate 1? 100? 0? The answer needs to relate explicitly to your goals and strategy.

Lindene Patton of Zurich:

Greenhouse gas emissions as a potential emerging liability. She thinks climate change risk needs to be addressed in a broader way. Further if we don't, society will deal with it for us in a less economical way.

Bottom line regarding increasing natural disasters: assets are increasingly ending up in harm's way. Despite this, we haven't allocated more capital to dealing with that. Instead we're essentially insuring less and less. Thus the bigger the event, the less relevant insurance becomes. This probably doesn't make the most long-term sense for society. We need to be talking about the amount of capital that should be allocated to this risk. When losses are uninsured, it tends to lead to long-term macroeconomic losses. Even as we improve disaster response, it's not a substitute for insurance, because it doesn't make you whole.

The tort risk comes in when people who experience a disastrous loss and aren't insured start to feel frustrated and angry over the bad thing that happened to them that wasn't their fault. This is the starting point of litigation. Unhappy people will look for someone to blame, and the emissions angle has already been tried, albeit dismissed at the trial court level. There is a lot of testing of this possible argument going on. Outside the US as well, for instance climate change rights are part of the constitution of Bangladesh as of 2011. She thinks this is unlikely to go away. Also recommends reading the GAO Highest Risks series.

Most likely, it will be cheaper in the long-run to write insurance for disasters (or use some other ex-ante funding strategy.)

End Panel 4.

Concurrent Session 2F

"Big Data, Systemic Risk, and the US Intelligence Community"

Christine I. Ray of Market Intelligence, Bryan Ware of Digital Sandbox, Dr. Gary Nan Tie (PhD Mathematics) of SVP

Christine:
Started out in finance, but began to consider whether the same ideas and methods could apply to the intelligence community. There are differences, obviously, in that intelligence is focused on Bayesian models and catastrophic scenarios. IC can't rely on past data to predict the future. Structured analysis is used to measure these unique possible events. See slide 12 for an example. She advocates a similar Bayesian approach for ERM. You can integrate risks and employ expert knowledge and opinion where needed.

Bryan:
Software seller, not a risk person himself. Big data is a nice buzzword, but it doesn't have anything to do with the size of databases. It has to do with the *ubiquity* of data. Models like Google rely 100% on correlation, and in that case it works quite well. But in other situations, you need to incorporate causation. Security risks are in the latter category. All events are possible, but you can't prepare for all of them, so you need some way to determine which are more likely (not only that, but also our definition of acceptable losses.) When we started our company/project, we had zero data. So we start with just human judgment and build to having both data and judgment in a causality model. One of his tasks was to allocate security budget to major cities based both on the risk and their capabilities. NYC has high risk, but the NYPD is also effectively the 6th largest military in the world.

Gary:
How do we know the model is right? "A model is nothing more than codified common sense." It's essentially an epistemological question: how do we know we know? We can confirm via a model-independent truth, by context, or by comparison to another model. Provable, probable, and plausible are all viable for decision-making, they are just different paradigms. Provable will be based on the model-independent truth. Probable will be based on some estimate of probability, based on past data. Plausibility can be intuitive. One example: to test a complex model, he developed an economic theory of insurance and used it to predict certain relationships between different parts of the business. He then compared this to the simulations coming out of the model and showed that they were generally in-line with the expectations. This isn't proof, it isn't a probabilistic statement, but it is plausibility and *can be used* to make decisions. Recommended reading: "Theories of Decision Under Uncertainty".

Is regulation helping or hurting?
Gary: Regulators need to be careful not to create systemic risk. Can create and control behavior in predictable ways, but regulators aren't mindful of this.
Bryan: Doesn't particularly apply, but regulation turns things into managing to regulation instead of managing to get actual results.
Chris: Agreed.

End Concurrent Session 2.

Disclaimer

Given the volume of traffic I'm receiving from these ERM Symposium posts, I want to make a quick disclaimer:

These posts are *not* recorded verbatim. Nothing that I've recorded is meant to represent an exact quotation from any party. Rather I have paraphrased based on my understanding and what I deemed important or interesting to record. I have done my best to accurately represent what the speakers have said, but I can't guarantee that I have not misunderstood, misinterpreted, or simply mistyped.

I have endeavored to objectively record the essence of each speaker's remarks. When I've felt it necessary to include my own commentary, it is denoted by [KR: Comment.]

Thank you and enjoy!
Katrina

ERM Symposium Day 2: Panel 3

More last-second speaker changes followed by the appropriate jokes regarding OpRisk. Moderator/organizer expresses her desire for us to discuss ERM issues across disciplines (insurance, banking, energy sector.)

Six panelists: Dave Ingram, Willis. Stuart Wason, OSFI Canada. Jim Allison, ConocoPhillips. Allan Someone, something regulatory. Bruce Manson, Bloomberg. Dan Rodriguez, Credit Suisse.

Define complexity.

Stuart: Complexity is inherent in the businesses we work with [KR: Non-answer.]

Allan: What does complexity do in the financial world? Creates asymmetries between buyers and sellers when it comes to understanding the risks of products. Complexity isn't inherently a problem, but it has to be understood. In finance complexity usually means opaqueness.

Jim: Complex things are dynamic, interrelated, and changing. Our usual micro-analysis toolkit doesn't work. But complex is not the same thing as complicated.

Dave: Agreed. A complex system is adaptive, which means static controls won't work.

Jim: Right, it hasn't worked so far.

Bruce: You may be able to predict the adaptations based on past history. Also there is *some* methodology behind these trades. We know that because they are priced consistently.

Dan: There's also expected complexity and unexpected complexity. [KR: He seems to be equating complexity with model risk.] There's been a general move now toward simpler products, although the complexity risk certainly still exists throughout the system. Regulatory capital requirements are now higher for more complex instruments.

Discuss the regulatory paradigm shift from rules-based to flexible, complex regulation. What are the consequences? [KR: Moderator is lecturing and misusing "begs the question." Why didn't she just put herself on the panel?]

Jim: We were confused as to why the financial services reform dragged energy in at all. Rigidity in regulating complex systems is a red flag.

Allan: The Hunt brothers cornered the market on silver, but when it went south, they sold off their other major asset: beef. So unexpectedly we have cattle ranchers being severely impacted by the silver market. Legislation is of course a mess, in part because it happens *after* a crisis. Regulation is always backward-looking. They don't have the tools to do so. This is what the Office of Financial Research is supposed to be able to do, if they can get usable data.

Bruce: Bloomberg sees two types of customers: proactive and reactive. This makes it hard to create regulatory solutions. Bloomberg is trying to come up with data from what the proactive people are asking for in order to answer these questions. It's still backward looking, however.

But what is Bloomberg doing to solve the regulatory data problem?

Bruce: We meet with regulators regularly.

Canada did better during the crisis. Do you have similar problems as the U.S.?

Stuart: We try to stay away from rules and instead apply forward-looking principles. The market is 1/10th the size, which allows the regulators to get very close to the institutions they regulate. ORSA follows this type of philosophy. Firms should be able to explain *how* they make their money. Knowing this is a prerequisite for identifying the risks. Note that as nice as it is to use internal models for setting capital, internal models will become a compliance tool only if they don't reflect the way the firm actually approaches risk.

Dave: Assuming that a capital standard is sufficient for regulation is flawed, because one measure of risk does not work. Institutions will find risks that look good under your single measure, and they will eventually blow up. A formula won't be adaptive enough even for setting capital. I would note that the capital requirements in the U.S. for insurers are pretty low, and no insurers operate at that low a level of capital. So it's something like a hybrid system between rules and free market. Insurance came through the financial crisis fine except for one.

Allan: "Well, Mrs. Lincoln, besides that, how was the play?"

Dan: As much as I like that Credit Suisse came through the crisis well, we have to acknowledge that there was some luck involved. Regulatory interference does have these unintended consequences, though, for instance the "London whale" was part of an effort to decrease RWA.

Allan: Private capital caused the financial crisis.

Dan: Private capital that was encouraged by government policy.

Moderator: You can't absolve the banks, nor can you point to a single source. Pointing fingers gets in the way of us coming together and creating adaptive solutions. [KR: I wonder how she expects to develop solutions without understanding what is causing the problems.]

Moderator switch: Risk management is an art and a science. "Dog and Frisbee" and whatnot. So how can we assess the health of the financial system? [KR: He lectured for several minutes before getting to the question, then was practically incapable of articulating the question. A good example of how it's much more difficult to listen than to talk.]

Dave: Having standards for professionalism with risk managers.

Prior moderator wants to know how we get risk managers to go beyond the minimum requirements. [KR: Isn't that what this conference is for?]

Stuart: We need to consider risks from a number of different perspectives. "What if the earthquake happened *today*? What would you do? How would it play out?"

Jim: The question was "Are we better?" At the system level, I don't think we've learned anything. I think the regulations, especially Dodd-Frank, will increase rather than decrease systemic risk by linking into that system entities that previously would have been relatively independent. At the firm level, I don't know. We have learned to simplify as much as possible, but we continue to re-learn the importance of understanding your counterparties. Especially now as we're being forced into dealing with certain counterparties, which makes liquidity risk a bigger concern. Overall I'm not optimistic that we've learned very much.

Allan: Main lesson is that systemic risk is a situation where the whole is greater than the sum of its parts. Consequently the Feds need the data, they need to analyze it to understand the entire system.

Bruce: We just provide data, as opposed to actually managing risk. From what I've seen, though, more data is needed. I think we're doing better, though.

Dan: TBTF is an obvious moral hazard problem. We can give the Fed more data, more resources, etc., *or* we can eliminate the moral hazard. I recently read a study [KR: I think he said out of MIT.] that concluded that regulation *always* creates more risk. I know aspects of regulation have made aspects of banking safe, but overall I think there is more risk, it's just been pushed elsewhere, where we can't see it right now. Consequently I don't believe that empowering the Fed will stop future crises.

Moderator being a mouthpiece for the old moderator now: we need real-time updated data, and get regulators and industry together to get better data. How can we do that?

Allan: Weather forecasting moved from small science to big science. Finance needs to make that transition. We shouldn't give up. It's possible to get there.

Stuart: Stress testing for systemic risk is now part of most regulatory regimes.

Jim: If the system really is complex, then would analysis like Allan suggests actually work?

[KR: Obviously I'm going to have a lot to say on this later. A very dynamic panel, to say the least!]

End Panel 3.

Lunch Speaker

The lunch speaker is a Sociologist from Yale who blames literally every problem in the world on global warming, which he asserts is primarily caused by carbon emissions. I will not be blogging on his commentary, as I refuse to be a mouthpiece for useless, dishonest, pseudo-intellectuals. I will return when someone with useful things to say starts talking.

Concurrent Session 1B

"Capitalizing on Opportunity: How an Increased Focus on Operational Risk Helped Build an ERM Framework"

Blair Himmerlreich, Director at Canadian Western Bank

Starts off covering the size and success of the bank. Has approximately doubled in size every five years for the last 20 years. Consistent management (same CEO for 23 years, new CEO promoted internally after 22 years with CWB.) Very conservative risk profile, despite rapid growth. Even though growth increases risk, they are focused on limiting losses. Focus on chosen areas in "plain vanilla" banking. The CEO is the reputational risk manager.

Recommends one-on-one meetings with regulators. Over time it will help influence policy, particularly for small firms.

CWB has set a definition of risk management and a statement on the principle of risk, that the goal isn't to eliminate it but to manage it prudently. This is directly from the Chairman of the Board, and the message has been consistent over time. What you do want to eliminate are surprises. Note that a missed risk is *also* a missed opportunity. He sees a lot of value in the stable senior management and the focus on people.

Operational risk program started in 2002. He sees this as laying the foundation for the ERM program. Mentions the need to summarize at a high level for senior management. In 2004 some ERM standards are issued. CWB decides to hold off; ends up being repealed. EVP ends up deciding some of the standards are useful, so they paused OR and developed ERM (CSOX.) Again, deep connections with regulators are key. See slide 18 for a graphic showing CWB's risk management structure. Slides are here: http://www.ermsymposium.org/2013/concurrent-sessions.php. The word "useful" needs to be attached to anything (as opposed to a compliance exercise.)

Have annual operational risk workshops. Generates dialog, builds consensus/team perspective, and commits people to action. His personal focus is on building a structure that will support the future, whatever that may be. Create a winning environment.

Advice: 1. find your champions, 2. gain support from key stakeholders (clear Board message, supported by executive), 3. find your framework (doesn't recommend starting from scratch), 4. use the right guidance, and 5. root is the culture and values which has to be built from within by someone who lives it. Also remember that it all must link to corporate strategy.

COSO themes: 1. support from the top, 2. build ERM incrementally (not as a project but as part of DNA), 3. focus on a small number of top risks [KR: I particularly like this last point, and it reflects some of my concerns from yesterday.], 4. leverage existing resources, 5. build upon existing activities, 6. embed ERM [KR: redundant.], and 7. Ongoing updates and education for directors and senior management.

Developing the framework is easy, but embedding is hard. Constantly develop new champions. Keep it simple/dumb it down. Managing residual risk is easier than inherent risk. May need to increase risk appetite in certain areas. Hard to define ownership of OpRisk, because it's diffuse through the organization. Makes tweaks to the system as he goes (and informs the Board.)

Question: Are things different if you start with ERM and then add OpRisk?

Whatever the order, you should view them as partners (more efficient that way.) However he sees OpRisk as what should come first. It's a build-up process.

Question: Do you have risk committees for the Board?

No, because we have an active Board who sees strategy and risk as their job, so in a sense all committees are risk committees.

Question: Internal audit overlap with OpRisk, is that an issue at CWB?

Internal audit and risk management need to talk to each other. Understanding risk is how audit adds value. A lot of things get more difficult though with larger organizations and with additional regulations.

How does risk get reported up the chain? How has it evolved?

Self-reporting through branches and partners. Needs data that can be reconciled, though, so getting data from finance is more reliable. A lot easier when they all report up through you, though.

What approach did you take to identify the key risk indicators?

Sat down with the risk owners, told them what he wanted measured, and let them figure out how best to measure and report that.

What about risks that can't be quantified like reputational risk?

Maintain a very strict view of privacy within the firm. [KR: couldn't hear first part of his answer.]

End Concurrent Session 1.

ERM Symposium Day 2: Panel 2

Colin Lawrence is back (Bank of England, PhD Economics University of Chicago, also paratrooper in Israel), representing the regulatory perspective. Dan Rodriguez (Credit Suisse CRO, PhD Economics MIT, BS West Point). Michelle McCarthy, Nuveen.

Colin: [KR: already said "et cetera" twice thrice.] Themes to think about for the conference overall: shift toward financial stability regime, almost zero-tolerance for "fat-tailed" failure, stress testing of capital and liquidity, business model sustainability, dynamic capital and liquidity buffers, (bail-in) contingent capital, and recovery and resolution regime. Mentions Frank H. Knight's 1921 book "Risk, Uncertainty, and Profit." Not actually objecting to risk and losses, as long as the Board is made aware of the risks undertaken. [KR: in general, he's showing the same slides as yesterday.] Encourages debate with regulators.

Dan: Credit Suisse has a practice of cashing out toxic assets and paying the proceeds out as employee bonuses. Spent a lot of time going over things that Credit Suisse has done to make it a safer bank. Goes through evidence that perception of safety is manifesting (CDS spread tracking with non-banking, volatility decreasing.)

Michelle: Discussing risk management in asset management firms. Mostly concerned with middle-of-the-distribution/market risk since asset managers have less exposure to extreme outcomes. Key thing is disclosures, because of how investors use these funds (part of a larger portfolio.) Also portfolio managers personally bear the risk of screwing up their portfolio, as in they could go to jail (unlike banks.) Needed a way to aggregate the risk of each portfolio manager (since each one measures risk in his own way.)

Exposure to market and credit risk, but biggest by far is operational risk. Are risk managers responsible for strategic risk? Not really, it's the Board's failure. Doesn't blame VaR; it's not stupid to ask "how much will we lose if history repeats itself?" The blame lies with the Board who only asked to see VaR. Also doesn't consider reputational risk part of the job.

Q&A:

How many stress tests do you (Colin) run?

Colin: Depends on goal. He ran one stress test for every institution in the UK. Had the institution run it and also ran it himself and compared the results. Facilitates constructive dialog. The institution itself should be running as many as possible. Point is to find where you're vulnerable then decide whether that risk is acceptable. You don't have to necessarily change anything in response to a vulnerability.

What is recent regulation doing to financial institutions? Is it becoming a utility?

Dan: There's a huge change. People are leaving the field. Not necessarily a bad thing. Average hedge fund leverage has gone down significantly. Not a lot of risk capacity. Banks that remain are getting a larger share of a smaller pie.

Michelle's reaction?

Michelle: Certainly less capital available. Ability to match duration using swaps is limited, increasing exposure to interest rate risk.

Audience question: comment on results compared to some matrix estimates.

Michelle: Any time you mine data, you're assuming that history will repeat itself.

Model wrong or the application of the model? What's the future of mathematical modeling?

Michelle: Business model will always move to the edge of what's allowed in an effort to optimize. When a new product arrives, you haven't the data to build a reliable model, but we still go to the edge. The solution isn't to throw out the model but to have the discipline not to apply models to things to which they were never meant to apply.

Colin: When you have concentrated, large positions and no liquidity, hedging is very different. References a "dog and frisbee" paper about regulation and modeling. Trust in models is too high.

End Panel 2.

ERM Symposium Day 2: Opening Ceremony/CRO Panel

ERM Symposium, Day 2

Here we go! Opening ceremony and panel discussion.

Today the "real" conference starts. Consequently we get fancy bags and more complicated name tags. "Free" book [TITLE]. Looks like 200 people or so in the room. Presented award for a paper called "Risk Interconnectivity: Increasing Risk Intelligence at the Canadian Revenue Agency." Nothing else worth noting.

General Session I: CROs and Senior Risk Practitioners - Top-of-Mind Issues

Apparently the planned panel couldn't make it for various reasons, so these panelists are not the ones expected. Mark (?), RGA. Wayne Fisher, CAS President elect. Mike Stein, IGA.

What are the main challenges for CROs currently?

Mark: Low interest rates - historical lows. Requires a push into global markets. For a multinational company, feeding the information back up to the enterprise level is another significant challenge.

Wayne: Getting organizational buy-in after identifying the risks. [KR: relates to my prior post. The need to prioritize applies within a risk function as well. What do you tackle first with limited resources?]

Mike: Less investment in the future of our profession. Mostly just trying to stay afloat. Wants to bring in new, young people. Also concerned that regulation will impede good risk management due to compliance costs.

How do you get buy-in across the organization?

Wayne: Total Risk Profile exercise with the Board, just make it a requirement. Leverage the Board, get them to ask questions "Wouldn't you like to know?" Then you can say "Oh, the Board asked for this." Use the Board to give you license to do what you need to do. You can have the Board do things like sign off on limits to give them more clout, even though it's not really important that the Board review the limits. But it makes the people throughout the organization take it more seriously.

How do you get the Board engaged?

Mark: Board engagement is critical for any organization. Tone from the top impacts risk culture; Board's voice enhances that tone. Tries to engage Board by focusing on issues most important to them. Sometimes you just need one or two Directors interested in the risk management side.

Mike: Transparency is useful; people throughout the organization should see what the Board sees.

Board responsibilities seem to be increasing. How do you educate the Board? How do you decide how much information to give them?

Mike: View Board as a collection of many individuals. They have different tastes for information. Provide summaries but also make the details available for those who are interested.

Wayne: Use subgroups on specific risk topics (not just with the Board but also managers talking to the Board).

Mark: His Board is engaged anyway. Cover things with the entire Board, then Committees dive deeper. Info should be available, answer questions, prod them to ask if they aren't asking.

Wayne: Requirements for financial exams help get Board attention.

Update on CRO Council?

Mike: CROs from companies with $6B premium, headquartered in NA, can join. Website: CROcouncil.org. Published papers: "Model Risk Validation," and a paper on emerging risks. Working with European CRO Council, which has been around longer. Recent focus on establishing guiding principles. No one best way, but some guiding principles exist.

Audience question: Charles Gilbert, Nexus - disconnect between regulation/accounting and economic measurement of exposure to risk.

Mark: Accounting is backward-looking, and consequently not what we need for risk.

Audience question: John Kollar, ISO (for one more week) - what about upside risk? Has ERM made money rather than just preventing a loss?

Mike: We'd be unable to make decisions without the ERM process. It's how we weigh opportunities.

Audience question: Missed her name - cyber risk and terrorism, how is it incorporated? Similarly culture supports a lack of accountability.

Wayne: Evasion is persistent. Any time someone did something wrong, someone knew about it and chose not to raise that up. Aside from influencing the culture, you need systems in place to force the information to surface.

Mike: Open discussions about franchise value and reputation help. Compensation needs to be aligned with long-term value creation.

Mark: Accountability is important, but we don't as an industry have standardized practices that allow us to identify failures (before they blow up.) Self-interest is aligned for all these players, but we need to make sure we encourage a long-term perspective. Regarding cyber/terrorism, it's an emerging field, which ties back to earlier point about getting young people into the field.

End Panel 1.

Reflections on the Workshop

The "Three Lines of Defense" seminar yesterday primarily convinced me of one thing: no one knows how many lines of defense there should be. Like most of what I've seen in ERM to date, there is no consensus, no industry standard. As the first speaker, Alexander Shipilov, pointed out yesterday, even the titular "Three Lines" were originally just a metaphor, picked up by regulators and made into a sort of rallying cry. It represents neither accepted theory nor practiced reality in the profession.

Not one speaker actually adhered to or advocated a "Three Lines" strategy. Leon Bloom argues for six, Sean Lyons for nine, and Colin Lawrence for no particular number. The two "practical" presenters, Bogie Ozdemir and Stephan Schenk, merely reported on what they have seen in actual practice, with Mr. Ozdemir describing more of a two-line approach and Mr. Schenk alternatingly supporting two lines and four lines.

This suggests to me that, as I've suspected for some time, there is a sort of vacuum in the market for ERM that everyone is rushing to fill. There is no unifying theory; in fact, as we saw yesterday, there isn't even a general agreement on who should be considered a shareholder whose value should be maximized. Consequently we see a rush to fill the void, with many aspiring intellectual leaders throwing out partially complete theories with fancy names and appealing acronyms. These in turn are picked up by regulators, who are desperate to be seen setting standards.

Regarding regulation, it was fascinating to see the divide between Mr. Lawrence, representing the academic and regulatory perspective, and the industry representatives. Mr. Lawrence presented a long, long list of what he considers minimum best practices for ERM. As he points out, and the other speakers confirm, absolutely no firm has implemented these practices.

Does this mean that the industry has been lying down on the job? Have we failed to live up to our obligations? It's certainly possible, although I would argue that this is simply the cost of the absurd amount of resources the industry is forced to commit to regulatory and compliance issues; regulators once again are wanting to have their cake and eat it too.

Free market theory aside, however, it's also worth noting that, while Mr. Lawrence's recommendations are all sound, he provides no hint of a priority order for these practices. For a firm with few or none of these practices already in place, the task of implementing them must appear hopelessly expensive. For this reason, it is essential to define an ordinality if not a cardinality. If we are unable to develop such a priority ordering, then I am inclined to believe that we don't actually have enough justification to define these as best practices.

Starting the second day now. Stay tuned.

Monday, April 22, 2013

Three Lines of Defense - Q&A

"Three Lines of Defense," Q&A Session

We started with a discussion of an earlier question: how do you balance "top-down" changes with "bottom-up" implementation in the 3LD framework? The short answer is that assigning accountability is key. Create the proper incentives (financial and otherwise), and you will get the behavior you want. [KR: I had to step out to take a client call and missed a few questions, I believe.]

Can CROs become CEOs?

Colin Lawrence: need a long evolution to get CROs to a place where they could be considered for CEO. Need to stop being risk measurers. Professional risk organizations need to provide/support executive training. CFOs managed to make the transition from "pure numbers guy" to business strategist, so CROs can follow that model.

Bogie Ozdemir: my firm's CFO was the CRO, and he stands a good chance of being picked for CEO.

Can a risk culture really change?

Leon Bloom: Yes, IF the CRO is on equal footing as other executives.

Colin Lawrence: People are working on developing ways to quantify risk culture. Once this is accomplished, it will make a huge difference. [KR: I'm tempted to try and count the number of times Colin says "et cetera."]

End Seminar.

Three Lines of Defense Part 5

"Three Lines of Defense," Part 5

Presenter 5: Sean Lyons, Principal at R.I.S.C.
Lessons to Be Learned from Corporate Defense Management Failures

This presentation is broader in scope than the others. Rather than the simple 3LD model focused on banks and insurers, he uses an approach he calls "corporate defense." He spent a great deal of time going over this theory, most of which is easy to follow either from the presentation (which can be found here: http://www.ermsymposium.org/2013/seminars.php) or from his video (on YouTube.) The key aspect is that there are many, many dimensions of risk management, and they must go top-to-bottom over the entire firm *and* horizontally across business functions. He also encourages viewing stakeholders in an incredibly broad way (to the point that the definition almost becomes meaningless); he includes shareholders, employees, management, regulators, customers, suppliers, and society at large.

He spent some time recapping the well known problems with AIG, JPM/Chase, and BP. He characterizes the problem at AIG as "only Hank Greenberg knew the big picture" when it came to the risks of the firm. As a result, AIG had lots of small failures that had big consequences. [KR: By the way, I highly recommend The AIG Story, especially for you hard-core capitalists out there.]

I question his analysis of BP. His assumption is that, since the report following Deepwater Horizon contained suggestions, it meant BP had total deficiencies or failures in those areas. However I can't imagine someone being sent in to analyze what went wrong with Deepwater coming back with "nothing, everything was fine." Obviously *something* went wrong, but there are such things as freak accidents. As far as I can tell, there were no obvious failures that led up to the disaster, just a highly unfortunate series of events.

Honestly I failed to see the point of much of this presentation. There was no real explanation as to what could have actually prevented these disasters. How do you engage in corporate defense when you don't know what you're defending against? This is a recurring question for ERM, in my opinion. Are we supposed to just sit down with everyone in the firm and try to list all the risks? That is literally the approach we currently take, but it seems doomed to failure: the risk that kills you will end up being the one you didn't see coming. What about the alternative idea of trying to build an organization that is flexible and responsive, so that when risks emerge, it's essentially able to either dodge them or lessen the effects?

End Part 5.

Three Lines of Defense Part 4

"Three Lines of Defense," Part 4

Presenter 4: Stephan Schenk, EVP and Head of Operational Risk Management at TD Bank
Implementing the 3LD Model in Banks

Interesting note: he doesn't agree that smaller firms can't do as much risk governance. He points out that smaller firms have smaller, simpler operations, and consequently their risks will be manageable by a small risk function.

He also contradicts the 3LD model to some extent. In a steady state, he agrees that the 1st line of defense should be the largest, then the 2nd, then the 3rd, and that all business functions should roll up into the risk management function. However if a firm is in crisis or after a major change like a merger, the opposite holds. The reason is that when the business is in turmoil, you need to put people who know that business in charge of solving the problem. The risk people are not the preferred resource in that case. So the risk governance function needs to be flexible enough to adapt to the needs of the business, that is, a crisis response process is required.

He notes that the second line of defense has an inherent weakness: it will never be able to duplicate the expertise in the first line.

He advocates "inverting" the 3LD in this way, then, for new firms/recently merged firms.

Regarding operational risk, he views this as a major weak point. Predictive power in this area has been very low. Until something better is developed, his advice is to be ready for anything. One promising avenue is to conduct "near miss" analyses as opposed to just actual crises. He also notes that the key risk indicators we're all so fond of are more (really only) valuable in combination, rather than individually.

His final word of advice is to approach regulators as if they are customers. The aim is to build long-term relationships and earn their trust.

End Part 4.


Three Lines of Defense Part 3

"Three Lines of Defense," Part 3

Presenter 3: Bogie Ozdemir
Implementing 3LD Model in Insurance Companies

Need to clearly define the line between the first line and second line. Second line needs to have no gaps and no overlaps, e.g., between actuarial, legal, HR, etc.

Example: credit risk management
First line: business group CEO and delegates, investments, ALM, and Hedging
Second line: business group risk officers, Chief Market Risk Office, back office

Example: actuarial function
Not clear between 1st and 2nd line. Who is responsible for what between the actuarial function and the risk function? In his company, the Chief Actuary reports to the CRO.

In general, there is no fully implemented 3LD that he's aware of.

One interesting thing he mentioned is that his company has a model validation unit, separate from the people who create the models. He also discussed the need for subject-level experts in this control/review process.

Apparently there's a debate as to whether 3LD applies to the finance department or not. Of course, ORSA is a second-line response, and finance plays a key role in ORSA.

Overall, he characterizes 3LD as a capital-optimization problem: capital is allocated by the 2nd line, risk is taken by the first line. The trick is to coordinate the two such that shareholder value is maximized.

End Part 3.

Three Lines of Defense Part 2

"Three Lines of Defense," Part 2

Presenter 2: Dr. Colin Lawrence, Bank of England
Risk, Control, and Culture: the Regulatory Approach

"We've become risk measurers rather than risk managers."

Failure of risk managers was to just measure VaR, without recognizing the context in which it was used. The first question should be "Is the business model sustainable."

"4th line of defense: the regulator." Concern for regulators is the safety and health of the entire financial system, *not* the particular firm.

Focus now is on the biggest risks to failure, whereas it used to be on dozens of different risks. Regulators used to have some tolerance for failure, but now it's zero tolerance.

The Bank of England is doing all these controls, but why aren't other firms doing this? Banks and insurers? Reason is an enormous moral hazard problem: when people are compensated for taking risks. Argument that regulators are needed to enforce risk governance.

Prior to 1960, banks made a stable 7%. When Nixon went off the gold standard, ROR went up to 20%, but with a great deal more volatility (almost 4x). Leverage went crazy. Securities became prevalent. "Re-aging" or "forbearance" might be good as a social value, but you need to build up reserves for the risk of default. Accounting conventions don't require this until there's an actual trigger of default.

Bank of England study on bank data: Found 85% of losses were from structured finance, distributed evenly between trading book and banking book. Bias to record profit in trading book and losses in banking book to avoid disclosing mark-to-market losses. Also note that all banks were essentially in the same investment market: real estate.

This tells us where reforms need to be made structurally. The branch model causes a lot of problems due to perverse incentives for branch managers. None of the governance discussed in the prior presentation were in place. He blames this on a principal agent problem: don't want to disclose, don't want to know.

Lack of IT integration means poor data. Poor data means poor risk management. Good data management needs to be understood and accepted as an essential part of the business - it's a cost of doing business. Book "Why People Cheat" by behavioral economist Dan Ariely talks about how people become institutionalized into not reporting thoroughly and promptly. [KR: I believe he means this book.]

Boards are not in a position to really do their jobs. Most Boardmembers are on multiple Boards; it's not possible that they are able to really understand everything they need to in order to do their jobs. Which firms did well? Mostly those with Boards that are on top of things. Setting limits doesn't actually help; banks just move things around to achieve the ROE in "limit arbitrage." He also notes that controllers are often ignored (and paid very little compared to those taking the risks.)

See slide 13 for a list of what he as a regulator wants each firm to demonstrate to him. Particularly interesting point to me is the emphasis on counter-cyclical resilience. Strikes me as highly applicable to insurance.

Because regulators will no longer tolerate failures, it's important that firms understand the conditions under which they will be resolved. *Not* looking at static values, *not* accounting values. Dynamic analysis of market values under many scenarios. "Ring fencing" means isolating certain business segments or units when things go south. "Contingent capital": regulator decides when it becomes a put option rather than the investor.

Recommends having a diverse jury on the Risk Committee.

Slide 23 shows how they did the bailout in UK. Notes the poor econometrics (he went to UChicago; hurray Maroons!)

End Part 2.

Three Lines of Defense Part 1

Workshop day. Looks like about 75 people in attendance, and we have six presenters.  

Webpage for this day’s sessions: http://www.ermsymposium.org/2013/seminars.php

Mostly insurers in attendance, 15% consultants, and a smattering of banks. Most insurers in attendance say they are implementing this idea to some extent.
 
"The Three Lines of Defense," Part 1

Intro (Alexander Shipilov): “Three lines” was originally just a metaphor, but regulators adopted it, so it stuck. There is a group on LinkedIn, “3 Lines of Corporate Defense,” where you can go to continue the discussion and ask more questions. He recommends joining the group if you have an interest.

Presenter 1: Leon Bloom, Sr. Partner at Deloitte
Risk Governance: evolving beyond the traditional “three lines of defense” model

He sees the financial crisis as caused by failure of risk governance. Regulators, investors, and analysts are now focused in this area, making this a hot topic. Firms that have adopted this approach have been more resilient. Risk governance is the system for controlling the management of risk. It involves roles, authority, responsibility, and information. Currently seen as a gap area for the industry. The 3 line model is sound in theory but hasn’t been sound in application; consequently it needs to evolve.

6 key issues for global financial institutions: capital, liquidity, economy (US debt at all-time high, Euro insolvency, etc; very bad timing for all these problems), operations (reducing costs), M&A, risk governance

“There will be winners and there will be losers...the winners will be those with the best handle on risk management.”

He has concerns about regulation becoming very prescriptive, getting in the way of actual effectiveness.
Four priority areas for regulation: inherent riskiness of the business model, tail risk, pricing, risk governance (audit function != risk governance)

Story: Northern Rock- successful institution, ROC was good, etc., but didn’t recognize that it was heavily dependent on two sources for funding: mortgage-backed securities and issuing short-term commercial paper. Liquidity dried up overnight. 9 weeks before they collapsed, their ORSA-equivalent had two paragraphs on liquidity (and regulator signed off). Entire business model was dependent on liquidity; plenty of capital, but that didn't matter.

Pricing hasn’t been sensitive to risk historically (and regulators blind to it).

Lack of clarity around ownership of risk by the first line of defense - failure of risk governance. Those who take the risks should be accountable, rather than use the second and third lines as a management control. [KR: this was the main emphasis of his presentation.]

“...as we continue to move through the financial crisis” - emphatic about this: it’s not over.

“Risk people” should *never* own risk; ownership of risk should fall as close to the origin of the risk as possible. The person taking the risk should own it. “Risk management’s” job is *not* to manage risk; its job is to create systems, policies, and support to guide the risk owner. Accountability needs to be accompanied by authority.

Emerging risk governance requirements: governance, closer alignment of risk and business considerations, holistic risk governance approach.

Challenges: he lists a number, but the most interesting to me was the point that the objectives and target end-state for ERM are unclear.

Aside on Dodd-Frank: it was passed in a hurry, with too many complex, confusing requirements. He doesn’t think it’s going to help, and he expects it will be thrown out and replaced eventually.

Guiding principles - see slide 8. Risk has been taken based on CEO personality (ability to intimidate the Board); establishing principles can help keep that from happening.

Story: 12 months ago in the UK a trader was sentenced to 12 years in prison for losing 2b lbs. He knew all the risk governance policies, but his boss told him to ignore them. This is the operating culture versus the risk governance.

“The operating culture is what goes on when no one’s looking.” - this is the other major take-away from this presentation.

Evolution of the ‘lines of defense model’: “Roles, responsibilities, accountabilities, authority, design, and information” (see graphic, slide 11)

Maturity levels (of a firm's risk governance): unaware, fragmented, integrated, comprehensive, optimized. Small organizations do too little, large can do too much (bureaucratic.)

Story about attempts to transfer accountability: manager asks internal audit to review the risk governance process he uses, thus making audit responsible. This is typical behavior from the first line of defense. Accountability in the first line is weak. Ultimately it's management's self-assessment. The Board is the check on this, and they need to review *and* challenge management's assumptions.

"6 is less than 3" - really sees 6 lines of defense, but doesn't say this because people think 6 is overwhelming compared to 3. Part of the reason why he sees 6 as being less than 3 is that he believes the third line of defense can downsize significantly. They are given the most resources, but this enables the first and second lines to rely on the third line instead of doing their jobs.

Story: company that kept hiring more internal auditors every time there was a risk event. Company of a few thousand ended up with 160 internal auditors. It didn't make a difference: the risk crises continued. CEO decided to make a change to the risk culture. He reduced audit back to 3 people, added 2 risk managers, and changed compensation to reflect risk accountability for execs. Number of risk events shrank dramatically as a result, despite fewer resources allocated to risk management.

Risk management's job is *not* to set limits. Risk management creates the system that guides the setting of limits.
 
Risk taking structure: Board (oversight, approval) -> Executive Management Committee (ultimate responsibility, select risk appetite) -> Business Functional Head -> Business Leadership Groups (setting limits) -> Individual Risk Takers

Story: dominant CEO of insurer ignored Board and others and elected not to hedge. Lost 90% of market cap when stock market declined. They had an "Audit and Risk Committee," where risk was an add-on and not really understood. Everything that went to the Board went through CEO as well.

My question for him: CEOs change. Do you really have to revamp your risk governance every time your CEO changes? Answer: Yes, to the extent that is required with the particular CEO, *but* the principles of risk management for the firm should not change with the CEO. Principles remain constant, but the system needs to change to accommodate the personalities involved. [KR: this is interesting to me, the potential psychological angle to qualitative ERM.]

"Doers and checkers" - how his friend (actuary and CRO of reinsurer) describes the 6 line process.

Note that not all checkers would be full-time. Large banks have full-time staff doing model validation, but most likely for policy review, you wouldn't hire someone just for that. The key is for the checker to be competent and independent.

Business case for effective risk governance: it's about improving the odds when taking risks. Reduce surprises, optimize risk/return, improve shareholder value.

He believes it's a bad idea to have the CEO also be the Chairman of the Board or President.

My question for him: What's a small firm to do? How do you find competent, independent checkers? Answer: Smaller firms are limited in what they can do. Priority should be putting accountability with the risk taker. Remember that the principles would still remain the same.

My question for him: What if risk appetite is high to the point that perhaps you *want* the CEO to run wild? Answer: There is a limit to the risk your capital can absorb, regardless of your risk appetite. Risk appetite is deciding how close to that limit you're willing to go. Even if you are willing to go all the way to the limit, risk governance will still be needed to monitor and control *that* limit. 

End Part 1