Nov 16, 2009

Example of a Decision Tree

A simple example of using a decision tree to help us with decision-making.

A couple renting an apartment is wondering whether they should sign a 1-year contract on the rent.  If they sign a contract, their rent is guaranteed not to increase during the 1-year period. If they don’t sign a contract, their rent will increase by about $20 after 6 months.

This seems like a simple decision.  But there is a drawback to signing the contract. If the couple decides to terminate the contract before the end of 1 year, they are liable to pay up to 25 weeks’ worth of rent to the landlord, unless the landlord is able to get someone else to rent the place earlier.

The couple intends to buy their own home if the right opportunity comes, so there is a chance that they would need to terminate any contract they sign.

Supposing the initial rent is $900 per month, what is the couple’s best option?

Let us choose the simplest situation first.  Let’s assume there is zero chance that the couple will terminate the contract.  So the decision tree looks like this:

[Figure: DecisionTree01]

The tree says that the option to sign a lease contract will result in a total 1-year rent of $10,800 ($900 * 12 months), while not signing a lease contract will result in a total 1-year rent of $11,800 ($900 * 6 months + $900 * 1.2 * 6 months).

But what happens if the couple finds their dream house and moves out of the house after 8 months?
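One way to carry the tree forward to that question, as an added example that is not part of the original post: a chance node ("moves out early" with probability p) is placed under each decision and rolled back to an expected cost. It assumes the 1.2 multiplier from the formula above, a penalty of the full 25 weeks unless `penalty_fraction` says otherwise, and costs counted only for the months the couple actually lives there; all function and parameter names are hypothetical.

```python
from fractions import Fraction

# Figures taken from the post.
MONTHLY_RENT = 900
LEASE_MONTHS = 12
INCREASE_AFTER_MONTHS = 6
MAX_PENALTY_WEEKS = 25
# Assumption: the increase is modelled with the 1.2 multiplier used in the
# post's formula, so 900*6 + 900*1.2*6 evaluates to 11,880 here.
INCREASE_FACTOR = Fraction(6, 5)


def cost_without_lease(months):
    """Rent paid over `months` with no contract (rent rises after month 6)."""
    before = min(months, INCREASE_AFTER_MONTHS)
    after = max(months - INCREASE_AFTER_MONTHS, 0)
    return MONTHLY_RENT * before + MONTHLY_RENT * INCREASE_FACTOR * after


def cost_with_lease(months, penalty_fraction=1):
    """Rent paid over `months` under the contract, plus any break penalty.

    penalty_fraction is an assumption: 1 charges the full 25 weeks, 0 means
    the landlord relets at once and nothing is charged.
    """
    cost = Fraction(MONTHLY_RENT * min(months, LEASE_MONTHS))
    if months < LEASE_MONTHS:
        weekly_rent = Fraction(MONTHLY_RENT * 12, 52)
        cost += weekly_rent * MAX_PENALTY_WEEKS * Fraction(penalty_fraction)
    return cost


def expected_costs(p_move, exit_month, penalty_fraction=1):
    """Roll back the chance node under each decision to an expected cost."""
    p = Fraction(p_move)
    sign = ((1 - p) * cost_with_lease(LEASE_MONTHS)
            + p * cost_with_lease(exit_month, penalty_fraction))
    no_lease = ((1 - p) * cost_without_lease(LEASE_MONTHS)
                + p * cost_without_lease(exit_month))
    return {"sign": sign, "no_lease": no_lease}


def best_option(p_move, exit_month, penalty_fraction=1):
    """Decision with the lower expected cost."""
    costs = expected_costs(p_move, exit_month, penalty_fraction)
    return min(costs, key=costs.get)


def break_even_probability(exit_month, penalty_fraction=1):
    """Probability of moving out at which both decisions cost the same.

    Returns None when signing is never worse, i.e. the penalty is small
    enough that breaking the lease still costs no more than the higher rent.
    """
    saving_if_stay = (cost_without_lease(LEASE_MONTHS)
                      - cost_with_lease(LEASE_MONTHS))
    loss_if_move = (cost_with_lease(exit_month, penalty_fraction)
                    - cost_without_lease(exit_month))
    if loss_if_move <= 0:
        return None
    return saving_if_stay / (saving_if_stay + loss_if_move)


if __name__ == "__main__":
    for p in (Fraction(0), Fraction(1, 10), Fraction(1, 2)):
        costs = expected_costs(p, exit_month=8)
        print(f"p={float(p):.2f}  sign={float(costs['sign']):9.2f}  "
              f"no_lease={float(costs['no_lease']):9.2f}  "
              f"-> {best_option(p, 8)}")
    print("break-even p:", float(break_even_probability(8)))
```

Under these assumptions the contract is the cheaper choice only while the chance of moving out at month 8 stays below the break-even probability.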

Nov 12, 2009

The Essence of Risk Management

All of man’s activities are fraught with uncertainty and risk.  When he undertakes something, he faces uncertainty and risk and loss.  Even when he does not undertake anything new, but simply goes on with life as normal, he still faces uncertainty and risk and loss.

Therein lies the essence of risk management, to which man runs to seek an answer to his question: in the face of this uncertainty, what should we do?

Nov 7, 2009

Operations Risk

Every company faces risks as it goes about its day-to-day operations. 

A bank branch could find itself in the midst of a robbery.  A fast-food restaurant could suddenly have a cook badly burned by an overturned pot filled with boiling water.  A shipping company may have one of its ships boarded by pirates.  A veterinary clinic may have one of its staff or customers bitten by a dog. A data centre may find the building it is located in collapsing due to an earthquake. These risks are called ‘Operations Risk’, or alternatively ‘Operational Risk’.

The types of operations risk a company faces depend heavily on its line of business, although the nature of risk is that it is often unexpected: the bank could suddenly discover that the pirates who boarded the ship in the above example are actually the bank’s customers.  The shipping company may find its cook burned badly while preparing food.

Operations risk is different from the other types of risks that companies face.  It is not credit risk, which is the risk related to debtors not paying the company.  It is not strategic risk.  It is not market risk.  It is not reputation risk.  Nevertheless, risks arising from operations can cascade into these types of risks.  The revelation that a pirate has been hoarding his loot in your bank can rapidly discredit the bank (reputation risk).

Sep 19, 2009

Conrow and Opportunity Management

There are two kinds of risk managers.  There is the kind who think that risk management is about managing ‘negative’ risks.  Then there are those who think that risk management should include managing ‘positive’ risks.

Briefly, a negative risk is a situation that has undesired impacts on our objectives, while a positive risk is a situation that could potentially have desirable impacts on our objectives.  For the most part, risk management has been about managing negative risks.  People buy fire insurance just in case their house burns down.  Nobody buys insurance just in case their house doesn’t burn down.

Edmund Conrow and Robert Charette have an article in Defense AT&L critical of ‘Opportunity Management’ (PDF link).  The authors argue that Opportunity Management, or OM, is unnecessary, and will only bring in more trouble than benefits.  The main argument Conrow & Charette make is that the standard processes of project management, risk management, and systems engineering are enough to ensure that the project takes care of opportunities that present themselves in the course of the execution of the project. Therefore there is no need for a distinct OM.

Before I came across this article, I had already come across literature endorsing the inclusion into risk management of the management of ‘upside risks’ (opportunities), but I’ve not come across any literature that purports to advance OM as aggressively as that suggested by Conrow and Charette’s article.  The authors worry about OM IPTs (Integrated Project Teams) running about looking for opportunities in a project, and enveloping the whole project team with scope creep.

The Australia Risk Management Standard ANZ 4360:2004 indeed recommends management of positive risks.  Chapman and Ward have also been proponents of this view for many years.  But from what I understand of at least these two sources, the main idea is, as part of risk management, to be prepared in case it is the positive event, rather than the negative event that occurs.  That is, to be prepared to take advantage of the situation. 

Requirements

Craig has posted a taxonomy of requirements on his blog (the taxonomy is Don Firesmith’s not Craig’s). 

I haven’t seen the discussion mentioned in the post, so I don’t know whether it had any influence on the illustration or is independent of it.  But the nomenclature shown in the illustration, having the format of ‘X requirements’ where X can be anything from ‘Functional’ requirements, ‘Documentation’ requirements, etc. got me thinking.

A ‘requirement’ is something that someone needs from someone else.  A bit more formally, some entity needs (‘requires’) something from another entity.  When you say ‘maintenance requirements’, you have to be clear: who is needing these requirements?

Without a clear understanding of who or what that requiree is, you can be assured that the ‘requirement’ will be muddled. 

The diagram shows ‘Documentation Requirement’ in a box.  There is an arrow from that box pointing to a box labeled ‘Product Requirements’.  What does that arrow mean?  Does it mean that documentation requirements are a subset of product requirements? And that as part of delivering the product, documentation should be delivered as well? 

If that is how to interpret the arrow, what does the arrow from ‘Business Requirements’ to ‘Product Requirements’ mean? 

Sep 13, 2009

Concatenation of Risk

Currently reading J. Davidson Frame’s “Managing Risk in Organizations”.  Great example of a seemingly insignificant event cascading into a major headache.  A printing press experiences a fire and will not be able to deliver brochures that were supposed to come today.  These brochures are needed for a client’s conference in two weeks’ time. All the arranged plans to sort, label, and send them out have to be replanned.

Aug 24, 2009

The Problem Statement

Man-made systems are created to exploit opportunities or to reduce threats.  They are designed to fulfill a mission, or objective, aimed at exploiting the opportunity, or reducing a threat.

A problem space is a relativistic concept. Two people in the same organisation may view problems differently.

Problems and solutions could be two sides of the same coin. One man’s problem is another man’s opportunity -- a client has a problem, the solution provider has an opportunity.

Sometimes what we think of as problem solving is actually only symptom solving.

Problem spaces are not static. They evolve.

Problems can be symptoms.  Finding the root cause helps in finding an effective solution.

In systems, a problem space can often have many root causes.

Sometimes the best way to understand the solution space is to start with a conceptual solution.

The problem space is partitioned into solution spaces. This is to reduce the complexity.  It can be impossible to provide a single homogeneous solution that addresses the whole solution space. Each partitioned solution space is analysed deeper and even partitioned.

You cannot really expect to solve a problem if you don’t know what the problem is.  One of the first steps in solving a problem is to understand the problem. 

Often, a problem cannot be solved away, it can only be managed.

Implementation of a solution changes the surrounding system and may introduce new problems and opportunities. Systems are systems.


Aug 17, 2009

System Operations Model

Every (man-made) system is intended to be deployed, operated, and eventually disposed of.  Having a common understanding of how the system is to be deployed, operated, and disposed of helps avoid much miscommunication within the project team.

A System Operations Model is a high-level model of how a system is envisioned to be deployed, operated, and eventually, disposed of.

It shows, in graphical terms (a SOM is typically diagrammed) the interrelationships among the different stages, gates, and operations:

  • System development
  • Entrance criteria (entrance into deployment)
  • System deployment
  • Performance of purpose (mission)
  • System maintenance
  • System reconfiguration
  • Phasing out
  • System disposal

Once we have built the SOM, it becomes the basis for further systematic elaboration into operations and tasks.

Jun 13, 2009

Seeing Tomorrow, III

Continuing book review of Dembo & Freeman’s “Seeing Tomorrow: Rewriting the Rules of Risk”

In chapter 2, the authors introduce four elements they consider to be core to any forward-looking approach to risk management:

  • Time horizon
  • Scenarios
  • Risk measure
  • Benchmarks

Time horizon refers to the future period that we are interested in.  It is a distinct period (with a distinct begin and end, as opposed to simply ‘the future’).  An investor who wants to assess the risks involved in an investment needs to think about the timeframe of his investment.  This timeframe (or time horizon)  is very different for someone who wants to cash in in two years than for someone who plans to cash in 15 years into the future.

Of the four elements, the authors give the longest treatment to scenarios.  A scenario is a projection of what could possibly happen in the future.  The purpose of creating scenarios is to help us plan for that event if it occurs. 

The key here, the authors say, is not merely generating a scenario but several scenarios.  This set of scenarios will help us gain a clearer understanding of the range of dangers (and opportunities) we might face.

If a scenario eventuates, and we had anticipated that scenario, and made plans for it, then we are in a better position to react and perhaps exploit the new situation.  We will be better placed, relative to our competitors and relative to where we would be had we not planned for it.

The third element of risk management is deciding on a risk measure. This is about deciding how we measure riskiness.  Apparently this is very tricky, since choosing a measure like Value at Risk (VaR) could potentially produce similar values for very different risk situations, effectively obscuring the reality that they are very different propositions.

The final element is Benchmark, or having something to compare with.  Choosing the appropriate benchmark is key to understanding how well we are managing our risks.  Do we choose to benchmark our investment performance relative to Warren Buffett’s or the DOW index or something else?

After the discussion on the four elements, the authors also touch on Risk-Adjusted Valuation.  This is the ‘real’ price tag of something and is almost always ignored.  For example, suppose you buy an expensive ring for $20,000.  Now, you would want to insure something that valuable since you cannot afford to self-insure it (absorb the loss if it gets lost).  So let’s say you pay $100 per year to insure that ring.  That total amount (comprised of the original amount of the ring, plus its ongoing insurance) is the Risk-Adjusted Value of that ring.  The authors want the reader to begin thinking always about the Risk-Adjusted Value of everything.

The chapter ends by tying up all the four elements in a short example using a model called Marking-to-Future, a model developed by one of the authors.

Jun 4, 2009

Seeing Tomorrow, II

Book review of Dembo & Freeman’s “Seeing Tomorrow: Rewriting the Rules of Risk”

In chapter 1, the authors give more details about the Soros / Reichmann deal gone wrong which they hinted at in the introduction.  It seems the reason the deal went wrong was that the Reichmann camp considered only one possible risk event (one that would be a windfall for them), got fixated on that and wouldn’t budge in the negotiations.  They (inadvertently?) preferred to risk losing the whole deal rather than giving up a small portion of the profit.

Dembo & Freeman write that the way to think about risk is not to consider one possible event, but to look at several different possible outcomes and explore how each event will make us react.

The chapter then very lightly mentions considerations about risk. That we all have different views of risk, that what is attractive to one is repellent to another, that risks have positive and negative aspects, that doing nothing can be risky as well. 

The one interesting notion I hadn’t come across before stood out briefly:

“an acceptable risk one day might appear a foolish gamble on the next day.”

But after further reflection, this is very common in hindsight, when events that we weren’t able to consider during decision time unfold.

The second half of the chapter consists of continuing remarks about flawed and outdated approaches to risk management, examples of failures in managing risk: Orange County, the very biggest banks, etc.  They also picked up on Peter Bernstein’s notion on whether modern man has replaced his earlier superstitions of the fates and the gods with new superstitions about the magic of statistics and quantifications of risk.

The topic then shifts to the idea of sharing the risk, with a story about a group of women involved in charity, who without realising it, bought futures contracts on grains. 

They reveal a little more about their soon-to-be-explained  framework, by noting that risk sharing (distributing the risk) is an important concept of the framework.

The last few paragraphs of the chapter, oddly, begin sounding like a marketing brochure on reinsurance. Words like catastrophe reinsurance, catastrophe insurance bonds, pure risk, packaging of business risk and so on are spoken about (with a bit of a hint of glee?).  Some of the final paragraphs in this chapter may be more opaque for readers not yet familiar with insurance terms as they are used without definition.

A review of chapter 2 will come next.

Seeing Tomorrow, I

Book review of Dembo and Freeman’s “Seeing Tomorrow: Rewriting the Rules of Risk”.

There is something breath-taking about the title of this book. The audacious title,  the equally audacious subtitle, and even the painting on the cover remind me of Peter Bernstein’s risk management opus, “Against the Gods”, a book that made Bernstein to risk management what Carl Sagan was to cosmology: a modern-day Prometheus who brought the fascinating story of a scientific discipline to the  understanding of mortals.

However, at just the second page of the Introduction, I was startled by a prosaic admission: “Even as this book was in preparation, one of the authors, who sold a house in 1994, watched in dismay as property prices…defied expectations and rose to new heights” -- weren’t these blokes going to teach us to see ‘tomorrow’?

Anyway, as with so many risk management books, this one  opens with an example of risk-taking gone wrong.  The authors pick on someone as big as they can get: George Soros, the man who broke the Bank of England. 

Apparently, naive George often makes the mistake of looking at the past to predict the future. “It is no use looking over our shoulder and assuming that we can find all there is we need to know”, say Dembo and Freeman.  Quite true, but quite unconvincing since the man you pick is several times wealthier than you and prides himself as being a philosopher of some calibre.  I do not quite think the circumstances and the mistake are quite as simple as what the book relayed.

Modern man, say the authors, is faced with far too many choices, and they have written the book to rewrite the rules of risk, calling approaches to risk ‘outmoded’ and ‘flawed’. 

They bring up a pausing image of what we all go through each time we come to a fork in the road and have to make a choice:

“…we are faced with a single, unique decision that will probably not be repeated or will only be repeated a few times. We need to make that decision despite the uncertainty the future brings, and we need to make it now.”

Do I buy this house? Do I take this job? Should I get this insurance? Should I sell these shares now?

The book is about a new risk-taking framework which the authors introduce to make use of a risk concept they call  ‘Regret.’  D&F say this framework is ‘no different’ from the system they use ‘to help the world’s most sophisticated banks manage their risks.’ The framework is focused on the future, with the past taking a backseat (though not ignored).

Towards the end of the Introduction, there is a brief excursion on the etymology of the word ‘speculator’.  Anyone familiar with Benjamin Graham’s or Warren Buffett’s writings knows what pejorative connotations the word ‘speculator’ can bring.  Everyone coming from reading Graham will want to be known as ‘investors’ and not ‘speculators’.

D&F give us an etymology of the word that might change our minds. ‘Speculator’ comes from the Latin ‘specula’ which refers to watchtowers ringing the boundaries of the Roman Empire.

When guards in the watchtowers see danger coming (barbarian hordes, for example), they would send a signal to the next specula, which in turn sends a signal to the next one, until the signal reaches Rome, which dispatches its legions.

A speculator was someone who ‘tries to see dangers in the future and acts on them.’

More in the next post.

May 20, 2009

Risk and Uncertainty

The Institute of Risk Management’s “A Risk Management Standard” defines risk as the combination of the probability of an event and its consequences.

A risk is connected to an event, its probability, and its consequences.

An event that has no probability of happening does not pose a risk.  There is no risk that your project team will be kidnapped by aliens tomorrow.

An event that has a 100% chance of happening should not be treated as a risk.  If you do not pay your employees, do not place in your risk register that “my employees might not want to work without pay.”

If the event has no consequences for you, it is not a risk.  The collapse of the Nigerian stock market may affect thousands of people, but is of no consequence to you (presuming you have no investments there).

If the event (if it occurred) has a positive impact on you, you can take advantage of that by treating it as a risk.

May 12, 2009

Risk

Risk cannot be separated from benefits.  It is only because we enjoy benefits that we are concerned with risk. 

We undertake projects in the hope of reaping future benefits from the project. 

In order to understand the risks we face, first we identify the benefits we want to protect. 

There are two types of benefits.  First is the future benefit that we hope to acquire (e.g., a job promotion).  The second is the current benefit that we are enjoying (e.g., a healthy life).

Once we’ve identified the benefits, then we can consider the risks we are concerned with.  For example, the risk that we do not get the promotion.  Or, the risk that our health suffers.

May 3, 2009

The Risks of Doing Nothing

The risks that companies face often come not from activities originating from decisions they make but, very much more often, from decisions made by others.

They are out to get you.  Every one of your competitors is out to get your customers.  Every single day they are plotting to change the world and make it more favourable to them (and less favourable to you, but you can relax, as that is merely a secondary purpose).

Failing to monitor, perceive, and anticipate the changes exposes your company to risks. Doing nothing against the changes means your risks are increasing.

For a simplistic example, imagine a company that did not adjust its salaries to keep pace with industry salaries. If its competitors pay much better, key people will tend to move to the competitors.  Doing nothing is not doing your responsibility.

Feb 16, 2009

Quantitative Risk Management

Notes for McNeil, A.J., Frey, R. & Embrechts, P. “Quantitative Risk Management: Concepts, Techniques, and Tools”, Princeton University Press, 2005, Chapter 1.

Risk is most often understood as a hazard, a chance of bad consequences, etc., or something that is primarily a downside event.  An initial definition might be ‘an action or event that may adversely affect an organization’s ability to achieve its objectives or execute its strategies’.  This does not capture all the essence of risk, however.

Risk is strongly related to uncertainty and therefore to randomness, another term that defied a very firm universal definition for centuries until Kolmogorov’s axiomatic definition (1933). Kolmogorov’s probabilistic model is a triplet (Ω, F, P), where Ω is the set of possible states, F is the set of events, of which A is a member, and P(A) is the probability of event A occurring.

FINANCIAL RISK

In the context of finance and insurance, the most common types of risk include:

  • Market risk – the risk of a change in the value of a financial position due to change in its underlying components.
  • Credit risk – the risk of not receiving promised repayments.
  • Operational risk – risk of losses resulting from inadequate or failed internal processes, people, systems, and external events.

Liquidity risk is the risk stemming from the marketability of an investment, that it cannot be sold in time to prevent a loss or achieve a gain.

The only viable way to achieve successes in financial risk management is through a holistic approach, taking all types of risks and their interactions into account.

Risk measurement. Measuring the risk of a portfolio of X holdings with w weightings requires a distribution function Fx(x) = P(X <= x).

Basel II defines operational risk as the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events.

THE REGULATORY FRAMEWORK OF BASEL II

Basel II was released in 2004. It focuses on more risk-sensitive minimum capital requirements for banking organizations, by laying out principles and enhancing transparency in financial reporting.

3-Pillar Concept. In Pillar 1, banks are required to quantify their minimum capital charge (regulatory capital) in line with their economic loss potential. There is a capital charge for credit, market, and operational risk. There was no consideration for operational risk in Basel I. Pillar 2 focuses on ensuring there is a well-functioning corporate governance with appropriate checks and balances.  Pillar 3 is about ensuring appropriate public disclosure of risk measures.

Market Risk Capital Charge. Banks are allowed to use internal VaR (Value at Risk) models.  Example: A 10-day VaR at 99% for $20 million means there is a 1% probability for the bank to lose at least $20 million by the end of the 10-day period.

Credit Risk. Under Basel I and Basel II, credit risk is assessed as the sum of risk-weighted assets. The risk weight reflects the creditworthiness of the counterparty.  In Basel I, creditworthiness was crude and allowed only 3 categories: governments, regulated banks, and other.  Hence risk-weighting for all corporate borrowers is the same, independent of their actual creditworthiness.  In Basel II banks can choose to use standardised approaches or more advanced internal-ratings-based approaches.  The new standardised approaches provide substantially more classifications than the old Basel I.

The premise under Basel II is that while individual banks will reduce their credit risk capital charge through internal credit models, the overall size of regulatory capital will remain unchanged.  All agree that operational risk is important, but there is disagreement and uncertainty about how to quantify this risk.

Cooke ratio says that capital should be at least 8% of the risk-weighted assets of a company.

Criticism of Basel II:

  • Cost of setting up a compliant risk management system is substantial
  • ‘Risk management herding’ could take place.  This is the phenomenon where organizations simply follow the same rules and behave the same way during a crisis, exacerbating the situation.
  • Overconfidence may come about due to regulation.

Some have raised the notion that regulatory risk management actually makes organisations even more risky.

SOLVENCY 2

Solvency 2 is a review of the capital adequacy of the European insurance industry.  Basel II is aimed to reinforce the soundness and stability of the international banking system.   Solvency 2 is aimed to protect policyholders against isolated bankruptcy of their insurance company.  Basel II addresses systematic risk, Solvency 2 does not (and is not intended to).

Solvency I was very basic and focused on solvency margins. It was not risk based.

Decision on solvency is based on a 2-tier approach. The first level is a target capital, based on risk-sensitive, market-consistent valuation.  Breaching the first level triggers regulatory intervention. The second level is the minimum capital, computed with the old Solvency I rules.

WHY MANAGE FINANCIAL RISK?

Different stakeholders have different interests as to an institution’s investment in quantitative risk management.  A balance between the interests has to be sought. Stakeholders can include customers, shareholders, regulators, board of directors, politicians, etc.

SOCIETAL VIEW

Modern society depends on the smooth and reliable functioning of the global financial system. There is a danger of systemic risk.  Modern models attempt to spread out the risk to those most willing, and presumably able, to accept the risk. Derivatives are instruments that help to enhance the stability of this system.

Challenges of Quantitative Risk Management

It is the large, extreme, unexpected events that form one of the challenges for QRM.  Modelling the expected and normal outcomes may have the advantage of simplifying things but risks understating the risks.

Concentration of risks is about exposure to what was thought to be diversified risks, but which happened to experience simultaneous falls or rises.  It is a case where many things go wrong at the same time.

If a portfolio is too expansive, multivariate models for all risk factors may not be feasible.  QRM needs to be simplified to use broad brush strokes, concentrating on the key features only. This is a problem in scalability of QRM.

Successful QRM requires integration with many disciplines. Understanding QRM requires integrating techniques from various disciplines, such as mathematical finance, statistics, financial economics, and actuarial mathematics.

QRM FOR THE FUTURE

QRM has had an overall positive impact in the insurance and banking industry. Other industries (e.g., car manufacturing) have similar practices albeit called differently (e.g., total quality control).

QRM techniques have been adopted in the transport and energy industries, among others. Electrical power is traded on energy exchanges, derivative contracts are used to hedge price increases. There is debate on how much of Basel II can be transferred to the energy industry.

A new area of application is the establishment of markets for environmental emission allowances.  The Chicago Climate Futures Exchange offers futures contracts on sulphur dioxide emissions.

Alternative risk transfer is the transfer of risks between industries.

Feb 14, 2009

Futures Contract

A futures contract is a form of a derivative.  It is a contract to buy a specified asset at a specified price at a specified future date. It is a tool to manage financial risk. 

Here’s how it works. Suppose a company has an obligation to pay a debt of US$1 million in 8 months’ time.  The company is based in Australia, and normally trades in its own local currency (AUD).  In order to protect itself from the uncertain currency fluctuation, it decides to purchase a futures contract to buy US$1 million in 8 months’ time from a bank at a guaranteed exchange rate of USD 1 = AUD 1.7.  The contract specifies that the company will buy $1 million in 8 months, at the pre-determined exchange rate.  By having this contract, the company does not have to worry about whether the US$ will fluctuate against its favour. It is guaranteed to be able to buy $1 million at the specified exchange rate.

If at the 8-month period, the exchange rate becomes USD 1.00 = AUD 2.00, the company is able to purchase the USD 1 million at AUD 1.7 million, very much in its favour.  The downside of course is that if at the 8-month period, the exchange rate has become USD 1 = AUD 1, then the company will be purchasing the USD 1 million at an unfavourable, though surprise-free, rate.

Feb 6, 2009

Risk Roadshow

Interesting concept of a risk road show to introduce young children to the mathematics of probability: Risk Roadshow.

Some Notes on Consulting and Consultants

Some notes I jotted down while browsing a consulting text by Fiona Czerniawska.  Some of the thoughts are hers, some are mine. Useful considerations for risk consultants:

  • Consulting is about knowledge transfer from consultant to client.
  • When deciding which consultant to hire, companies look for enormous depth of knowledge in the areas their company is interested in.  General knowledge does not cut it.
  • Of all consultancies, process oriented ones are where executives are least impressed because the client and consultant level of expertise is not much different, and ‘consulting’ work is mostly facilitation.
  • Some (not all) consulting engagements are about solving a problem.
  • Some types of consulting services:
    • delivering a specific service
    • implementing a particular system
    • creating a successful solution
  • Firms hire consultants because they need the input but don’t want to replicate the skill.  They don’t need the skill in-house on a permanent basis.
  • Consultants provide new energy and momentum.
  • Consultants are hired as a source of best practice information not available in-house.
  • Consultants are also hired to provide championing of a sponsor’s project internally, something that sometimes is not possible from someone internal. 
  • The depth of knowledge required from a consultant is specialist knowledge.

Feb 4, 2009

Choose One: Risk Management or Crisis Management

The title of this post is adapted from a comment made by the CRO of Fidelity Investments, who wrote:

“Corporate leaders recognise that over the long term, the only alternative to risk management is crisis management. And crisis management is much more expensive, time-consuming, and painful.”

Feb 2, 2009

A Short History of Risk Management

Summarised from: Kloman, Felix. “A short history of risk management: 1900-2002”. Risk Management Reports, 2002

Risk management is the idea that a logical, disciplined approach to the uncertainties of the future is possible and necessary in order to live with these uncertainties productively and efficiently. Prior to the advent of risk management, faith and luck were the two pillars for managing the future.  Events have causes.  Believing in luck obscures the causes.

The great conflicts (e.g., World War 2) and the great disasters (e.g., Chernobyl) all affected and contributed to the development of risk management. But the most significant milestones are from personal events:

1900: The Galveston Texas flooding changes the nature of weather prediction worldwide.

1905-1912: Workers’ compensation laws, which had their inception in Germany, are introduced in the US, introducing pensions and shifting personal responsibility to business and government.

1920: BP forms Tanker Insurance Company, Ltd, which becomes one of the first captive insurance companies. Today there are 5000 such companies with $214 billion investable assets. (Captive insurance companies are companies formed to finance the risks of their parent companies)

1921: John Maynard Keynes publishes ‘A Treatise on Probability’ which emphasises the importance of relative perception (over numbers?) and judgment when determining probabilities.

1926: Von Neumann begins publishing papers on games strategy showing that a goal of not losing is superior to a strategy focused on winning.

1933: The US Congress passes the Glass-Steagall Act, which slowed the development of financial institutions and fragmented risk management. Also caused the split between financial and insurance risks. Revoked in 1999.

1952: Markowitz’s paper ‘Portfolio Selection’ is published. It explores return and variance and led to many of the sophisticated measures of financial risk in current use.

1956: Russell Gallagher’s paper ‘Risk Management: A New Phase of Cost Control’ published.  Philadelphia becomes focal point of new ‘risk management’ thinking. Snider argues that the ‘professional insurance manager should be a risk manager’. Herbert Denenberg picks up writings of Henri Fayol, using them to explore risk management.

1962: Massey Ferguson develops the idea of ‘cost-of-risk’, comparing sums of self-funded losses, insurance premiums, loss control costs, and administration costs to revenues, assets and equity.  Moves insurance risk management thinking away from insurance, but fails to cover all forms of financial and political risk.  Rachel Carson’s ‘Silent Spring’ is published, leading to the formation of the EPA and Green movement.

1965: Ralph Nader’s ‘Unsafe at Any Speed’ is published which gives rise to the consumer movement.  Caveat emptor changes to caveat vendor, leading to stiff product and work safety regulations.  Rise of punitive damages in American courts.

1966: Insurance Institute of America issues the first examination for ‘Associate in Risk Management’

1972: Kenneth Arrow, Nobel Prize winner, imagines a perfect world where every uncertainty is insurable. Concludes our knowledge is always incomplete. We are best prepared for risk by accepting its potential as stimulant and penalty.

1973: Geneva Association is formed.  Two years later begins linking risk management, insurance and economics.  The association provides intellectual stimulus for the developing discipline.  Scholes and Black publish paper on option valuation, opening up the field of derivatives.

1974: Gustav Hamilton creates a ‘risk management circle’ which graphically describes the interaction of all elements of the process, from assessment and control to financing and communications.

1975: American Society of Insurance Management changes its name to Risk & Insurance Management Society (RIMS), signalling a shift towards risk management; by the end of the century it has 3500 corporate members.

1976: Fortune magazine publishes ‘The Risk Management Revolution’, suggesting coordination of risk management functions within an organisation, and also suggesting board responsibility for organisational policy and oversight.

1980: Society for Risk Analysis formed in Washington. Its journal Risk Analysis published.  Makes terms ‘risk assessment’ and ‘risk management’ well known in legislatures on both sides of Atlantic.

1983: William Ruckelshaus’s speech on ‘Science, Risk and Public Policy’ brings risk management to the national political agenda.

1986: The Institute of Risk Management (IRM) begins in London. A few years later begins education program looking at all facets of risk management, issuing the designation “Fellow of the Institute of Risk Management”.  US Congress passes Risk Retention Act. Risk retention groups begin.

1987: Black Monday. Vernon Grose publishes ‘Managing Risk’, one of the best ever primers on risk assessment and management.

1990: UN starts IDNDR, International Decade for Natural Disaster Reduction.  Efforts end with publication of Natural Disaster Magazine, presenting a synopsis on nature of hazards and challenges for the 21st century.

1992: Cadbury Committee in UK issues report suggesting that governing boards are responsible for setting and accepting oversight for risk management policy.  Successor committees in the UK (Hempel, and Turnbull) and in other countries establish a new and broader mandate for organisational risk management.

British Petroleum turns insurance world topsy-turvy with decision not to insure operations in excess of $10 million.  Decision was based on academic study by Neil Doherty of the University of Pennsylvania and Clifford Smith of University of Rochester.

1995: AS/NZS 4360:1995 standard first published. First Risk Management Standard.  Nick Leeson in Singapore topples Barings.  Revives interest in operational risk management.

1996: Global Association of Risk Professionals starts. Operating through the internet, it becomes the largest RM association in the world. Focused on financial risk.

Risk management popularised and becomes a bestseller through Peter Bernstein’s ‘Against the Gods’.

2000: Y2K bug fails to materialise, mainly because of massive fix effort.  A big success for risk management.

2001: Sept 11. Collapse of Enron reinvigorates risk management.

Jan 22, 2009

Facts Versus Fears

Summary of “Facts and Fears: Understanding Perceived Risk”, a study of risk perception conducted by Slovic, Fischhoff, and Lichtenstein.

Perception of risk refers to the acceptance that there is in fact a risk. Acceptability of risk refers to how much the risk can be tolerated; to what level it should be controlled.

INVOLUNTARINESS

New research suggests that the accepted views on catastrophic loss may need to be revised. A current, popular view, based on a hypothesis forwarded by Starr (1969), says that people tend to demand stricter standards against hazards brought on by involuntary risks (involuntary risks are risks one does not take by choice). This hypothesis says that risks that are involuntary are perceived to be less tolerable.

Slovic et al.'s study did not intentionally seek to address Starr's hypothesis, but the findings provided an interesting test of it. Their new study seems to suggest that in addition to voluntariness, a host of other factors such as knowledge, controllability, etc. need to be factored into risk standards.

Their study further tends towards the notion that it may not be involuntariness per se that drives the call for stricter results, but other conditions closely associated with involuntariness, such as catastrophic results. Involuntary hazards tend to include large-scale catastrophic events such as nuclear power, terrorism, bio-chemical threats.

Levels of acceptability of risk correlate positively with perceived benefits of the risk, in fact more strongly than with voluntariness.

CATASTROPHIC POTENTIAL

The study suggests that it is the (perceived) potential for massive loss, rather than involuntariness, that could be the driving force behind risk perception and acceptability.

CONCLUSIONS

  1. Perceived risk is quantifiable and predictable.
  2. Groups of people differ systematically in their perceptions.
  3. People make mistakes in judging risks.
  4. Experts are also susceptible to bias.
  5. The various modes of death possible from risks do not seem to have a significant impact on public vs. expert perceptions of risk (???)
  6. The higher the perceived current level of risk, the larger the required adjustment needed to bring the risk down to acceptable levels.
  7. The perceived potential for catastrophic loss of life is one of the most important risk characteristics (more so than involuntariness).
  8. Evidence does not remove disagreements. Definitive evidence is rare. All other forms of evidence can be skewed to pre-conceived positions.

Further conclusions. The authors conclude that the public can make gross mistakes in perceptions of risk, but then so do experts, so public opinion ought not to be excluded from risk decisions.  It is much better to involve the public in risk matters for the purpose of increasing their knowledge in the longer term and also because their cooperation is needed for risk management undertakings to succeed.

Jan 6, 2009

Web projects are IS projects...

...but not quite.

Web projects are Information Systems projects with a few distinguishing features.  Like any project, principles of sound project management apply.

It is important to be aware of web projects' distinguishing features in order to manage them successfully.  It is critically important to understand that web projects are not simply technology projects but undertakings involving people, systems, and organisations.

Reference: Managing Web Projects, Turner