Showing posts with label Risk Management. Show all posts

Jan 14, 2013

A Better Definition of Risk?

I HAVE conflicting feelings about ISO 31000’s definition of risk.  This standard defines risk as ‘the effect of uncertainty on objectives’, a definition that succeeds at simultaneously being both clear and enigmatic. 

Witness the various discussions in LinkedIn about what the definition means. Look around the web for the many online blog entries, articles, and explanations of what the definition means, and carefully note the certitude shown by those who wrote those online materials about what the definition means. Notice how they differ in their understanding.

In light of the absence of any clarifying remarks by the writers of the standard (who seem to be non-existent on the internet) about what they meant by their definition, I have settled on my own understanding of what they meant. 

Their definition seeks to succinctly explain the nature of risk. When they say ‘effect’, they mean ‘phenomenon’. They don’t mean ‘consequence’ as many online writers seem to think. (Or at least, the standard writers should not have meant ‘consequence’ in the sense of a risk eventuating and bringing forth its consequences!) The reason why I feel certain ‘effect’ is not ‘consequence’ is that risk is about something that has not yet happened. If something has not happened, it has no consequence. Had they said, ‘risk is the potential effect of uncertainty…’, then it would be clear that they meant ‘consequence’.

My current position is that the standard writers are attempting to explain in the definition what the essence of risk is. 

The best way I can think of to explain what they are saying is by making an analogy, comparing ‘risk’ with ‘shadow’. I will propose a definition of the word ‘shadow’:

the effect of an opaque, solid object on a light source. 

I like this analogy because it almost perfectly parallels the ISO 31000 definition of risk. If you have objectives, and you have uncertainty, the intersection of the two brings forth a phenomenon which we call ‘risk’.

If you have a light source, and you have an opaque, solid object, the intersection of the two brings forth a phenomenon which we call ‘shadow’.

Remove either objectives or uncertainty, and risk disappears. No intersection, no risk.  Remove either the light source or the solid object, and the shadow disappears.  No intersection, no shadow.  

I have two criticisms for the risk definition though.  First, the definition, while strictly correct, is near to being useless.  It is an academic, technical definition, not an operational definition that can be acted upon by practitioners ‘in the trenches’.   How would risk practitioners explain risk to lay members or board members of the organisation using such a definition? 

My second criticism revolves around the use of the word ‘objectives’.  The Merriam-Webster definition of objective is “something toward which effort is directed : an aim, goal, or end of action”, accurately reflecting the normal day to day usage of the word to mean something that is being strived for, something to be achieved, something not yet.

But risk is not always (nor even most of the time) about something you wish to achieve. It is often about protecting what you have already achieved.

What you already have is also at risk.

Strictly speaking, if you have good health and you have a desire to maintain that good health, then you sometimes speak of such an objective: to maintain my good health.

But what about other things? People do not consciously state that their objective is to ensure that they keep on having a house. Or that their objective is to remain alive. They have an interest in ensuring they remain alive. They have an interest in ensuring their house remains liveable by them. But they are not objectives in the same degree as things they are striving to achieve, such as a job promotion, completion of a project, and so on.

Your health, your job, your finances, your properties, your relationship, your client list, your market position, your current operating efficiencies, your reputation, etc. are all at risk. These are things you have already achieved; objectives you already attained. You are interested in protecting them; they are your interests.

Risk management is (far more) often used to protect existing interests, while also being used as an aid in ensuring we achieve our objectives.  It is in the former where risk management plays a more central role.  Risk management is key to maintaining what we have; it is the means there.  It is only useful in achieving what we do not yet have; here it is not the means.

My proposition is therefore to change the wording of the risk definition from ‘objectives’ to ‘interests’. Thus risk becomes ‘the effect of uncertainty on interests’, where interest refers to things we value, such as health, reputation, property. But it also clearly encompasses the things you seek to achieve but have not yet -- your objectives.

I think this change would be an improvement to the definition.

Dec 11, 2012

Churchill on Risk Management

Here’s an excellent quote from Winston Churchill, eminently applicable as the proper attitude to adopt in risk management. The sentence comes after Churchill summarises the beliefs and convictions held by the then British Prime Minister Neville Chamberlain on what Hitler will do and the limits of what he will do, taking the position that he (Chamberlain) has taken the measure of Hitler, and that he (Hitler) has satisfied his territorial conquest needs:

“The Prime Minister is persuaded that… He believes that… Mr. Chamberlain is convinced that… But all this lies in the region of hope and speculation.  A  whole set of contrary possibilities must be held in mind.  He may ask us to submit to things which we cannot endure; he may be forced to ask us to submit to things which we cannot endure.”  (Churchill, the Second World War Volume 1, The Gathering Storm)

I like this ‘a whole set of contrary possibilities must be held in mind’ assertion.  For this is what risk management is about – that things may not work out as we thought, or hoped, and we must be able to survive and recover when they do.

Nov 3, 2012

Risk Management Bibliography / Library

Some key works on various risk management topics that are either in my library or that I have read. I plan to update this list every now and then.

Risk, Risk Management, and Uncertainty in General

Aven, T. Misconceptions of Risk. Chichester, West Sussex, U.K.: Wiley, 2010.

Bernstein, Peter L. Against the Gods: The Remarkable Story of Risk. New York: John Wiley & Sons, 1996.

Kammen, Daniel M., and David M. Hassenzahl. Should We Risk It?: Exploring Environmental, Health, and Technological Problem Solving. Princeton, NJ: Princeton UP, 1999.

Moore, P. G. The Business of Risk. Cambridge [Cambridgeshire]: Cambridge UP, 1983.

Morgan, M. Granger. Risk Communication: A Mental Models Approach. 2002.

Rowe, William D. An Anatomy of Risk. New York: Wiley, 1977.

Wilson, Richard, and Edmund A. C. Crouch. Risk-benefit Analysis. Cambridge, MA: Harvard Center for Risk Analysis, 2001.

Yoe, Charles E. Primer on Risk Analysis: Decision Making under Uncertainty. Boca Raton, FL: CRC/Taylor & Francis, 2012. Print.

Business / Enterprise Risk Management

Culp, Christopher L. The Risk Management Process: Business Strategy and Tactics. New York: J. Wiley, 2001.

Fraser, John, and Betty J. Simkins. Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives. Hoboken, NJ: J. Wiley & Sons, 2010.

Hampton, John J. Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposures, and Seize Opportunities. New York: American Management Association, 2009.

Monahan, Gregory. Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. Hoboken, NJ: John Wiley & Sons, 2008.

Young, Peter C., and Steven C. Tippins. Managing Business Risk: An Organization-wide Approach to Risk Management.  2001.

Project / Program Risk Management

Chicken, John C. Managing Risks and Decisions in Major Projects. 1994.

Conrow, E. H. Effective Risk Management: Some Keys to Success. Reston, 2nd Ed. 2003.

Dorofee, Audrey J. Continuous Risk Management Guidebook. 1996.

Operations / Operational Risk Management

van Grinsven, Improving Operational Risk Management. Amsterdam: IOS, 2009.

Banking and Financial Risk Management

Bessis, Joël. Risk Management in Banking. New York: Wiley, 2002.

Greuning, Hennie van, and Sonja Brajovic Bratanovic. Analyzing and Managing Banking Risk. Washington D.C.: World Bank, 2009.

van Grinsven, Risk Management in Financial Institutions: Formulating Value Propositions. Amsterdam: Delft UP/IOS, 2010.

Safety and Risk Management

Duffey, R. B., and John Walton Saull. Know the Risk: Learning from Errors and Accidents: Safety and Risk in Today's Technology. Amsterdam: Butterworth-Heinemann, 2003.

May 5, 2012

Modern Tools for Business Continuity / Disaster Recovery

Today’s world provides many enabling technologies for putting an efficient and effective BC / DR plan in place. Enterprises can no longer justify not having working and effective BC / DR plans.

The coming of the Cloud is a tremendous help for BC/DR planning. You have a safe repository of all your important information physically separate from your physical operations. Even if your whole building becomes inaccessible through fire, flood, or terrorism, the data, applications, and knowledge stored in the cloud remain untouched, completely unaware that something has occurred. It is just there waiting for you to access it from wherever you are. No time or effort or cost need be spent recreating hardware and infrastructure.

The BC / DR plans themselves, which used to be kept in physical paper files, can now be stored in electronic format, immediately accessible and available through different channels and devices. In electronic format, a plan becomes easy to update and keep current, easy to disseminate so that everyone has the latest version, and, very importantly, easy to access when needed.

Copies of the plans can be kept in secure thumb drives at the homes of key employees.

When disaster strikes, the ubiquity of handheld smart devices allows employees to be easily advised, easily contacted, and potentially able to work from anywhere.

For a web-based central platform for reporting and keeping track of what’s going on, you can also put up a wiki platform that key personnel can readily update as information and progress occur. One wiki software you can use is MediaWiki. This is the same software that Wikipedia runs on.

Tools for automating the DR testing make coming up with working plans far easier.  Solutions like VirtualSharp or Sanovi can help here.

BC / DR solutions need to go all the way to recovery.  Many cloud solutions merely back up your data and applications.  This is much better than nothing, but it is not enough.  You also need to restore the data and applications into a state suitable to continue doing business.  Plain backups do not help in adhering to RPOs (Recovery Point Objectives) and RTOs (Recovery Time Objectives) set for critical processes and data.

A lot of these tools were not around ten years ago.  Failure to take advantage of them is almost criminal.

May 25, 2011

The Likelihood of an Event

The biggest constraint in risk management, indeed the very reason for the existence of the discipline, is our inability to foresee what will happen next. 

In most cases where people have to manage the risk of an event, it is very common to rely on subjective estimates of the likelihood that the event will happen. It may be easy to deliver criticism of this approach, but alternative options are limited.  

An improvement over such a simplistic 'gut feel' approach is to incorporate the phenomenon that events of a smaller scale occur at a higher frequency than similar events of bigger scale.  Earthquakes of low magnitude occur very frequently. Killer earthquakes occur far less frequently. 

The relationship between the frequencies of the two types of events is described by the Power Law Distribution. If we keep track of smaller scale events, we will be able to predict with a certain degree of confidence the frequency of the bigger scale events.
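As an added illustration (not part of the original post), the sketch below fits the tail exponent of a power law to a record of smaller events with the maximum-likelihood (Hill) estimator, then extrapolates the yearly frequency of a larger event that has not been observed yet, together with a rough 95% band. The event sizes are constructed, and the function names, the `x_min` threshold and the ten-year observation window are assumptions made for the example.

```python
import math


def constructed_sizes(n, x_min, alpha):
    """Constructed sample: n event sizes placed at evenly spaced quantiles of a
    power law with P(X >= s) = (s / x_min) ** -alpha. Not real incident data."""
    return [x_min * (1 - (i + 0.5) / n) ** (-1 / alpha) for i in range(n)]


def fit_tail_exponent(sizes, x_min):
    """Maximum-likelihood (Hill) estimate of the tail exponent alpha.

    Only events at or above x_min are used, because a power law usually
    describes the tail and not the very smallest events.
    Returns (alpha, standard_error, number_of_tail_events).
    """
    tail = [s for s in sizes if s >= x_min]
    if len(tail) < 2:
        raise ValueError("need at least two events at or above x_min")
    log_sum = sum(math.log(s / x_min) for s in tail)
    if log_sum <= 0:
        raise ValueError("all events equal x_min; the tail has no spread to fit")
    alpha = len(tail) / log_sum
    std_err = alpha / math.sqrt(len(tail))  # asymptotic standard error
    return alpha, std_err, len(tail)


def exceedance_rate(size, x_min, alpha, tail_count, years):
    """Expected events per year with magnitude >= size under the fitted law."""
    if size < x_min:
        raise ValueError("the fitted law only applies at or above x_min")
    return (tail_count / years) * (size / x_min) ** (-alpha)


def forecast(sizes, x_min, years, big_size):
    """Extrapolate from the tracked small events to a bigger, rarer event."""
    alpha, std_err, n = fit_tail_exponent(sizes, x_min)
    # A smaller alpha means a heavier tail, so large events are more frequent.
    lo_alpha = max(alpha - 1.96 * std_err, 1e-9)
    hi_alpha = alpha + 1.96 * std_err
    central = exceedance_rate(big_size, x_min, alpha, n, years)
    return {
        "alpha": alpha,
        "largest_observed": max(sizes),
        "rate_per_year": central,
        "rate_low": exceedance_rate(big_size, x_min, hi_alpha, n, years),
        "rate_high": exceedance_rate(big_size, x_min, lo_alpha, n, years),
        "return_period_years": 1 / central,
    }


if __name__ == "__main__":
    # 200 constructed events recorded over an assumed 10 years of tracking.
    sizes = constructed_sizes(200, x_min=1.0, alpha=1.5)
    result = forecast(sizes, x_min=1.0, years=10, big_size=100.0)
    for key, value in result.items():
        print(f"{key}: {value:.4g}")
```

The band is wide even with 200 tracked events: the estimate for an event about twice the size of the largest one on record spans several-fold between its low and high ends.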

***

Feb 10, 2011

Winning and Risk Management

There’s a highly-regarded self-coaching book called “Sail, Race, and Win”, by Eric Twiname and Cathy Foster. In the book is a neat description of how to win in a race. They ask the reader to imagine a descending escalator, with lots of people, representing the competitors, walking up the escalator. The goal is to remain in the same spot they started in as much as they can manage to. They can walk up at the same pace that the escalator is going down, but they can't walk up faster than that.

Since no one’s allowed to go faster than the pace of the escalator, the would-be winner will have to focus on not making mistakes rather than walking faster than the pace of the escalator.  Any mistake, no matter how momentary, will set you back a little, possibly allowing someone behind to move out in front of you.  The more mistakes and lapses you make, the more you are pushed back relative to your starting position, and relative to the other competitors.

Now since you can't go faster than the pace of the escalator, you can't make up the distance you lost by putting in extra effort. The best you can do is to make no more mistakes.  The only way you can get ahead of those in front of you is if they make mistakes.

I haven’t seen winning explained in this manner before, and despite its oddness, it has a certain valid point.  Twiname and Foster come from the world of sailing.  Perhaps the idea of not being able to outpace the escalator comes from their world, where your progress depends on the winds and the tides -- you can't go faster than what the elements or the environment allows.

The image seems rather useful when thinking about how risk impacts business.  A company cannot make more money than what its environment allows.  For example, if you are a consumer goods company, how much you can sell is moderated by the size of your market, the demand for your product, and the competitive dynamics of the industry you are in. In a market with 10,000 customers and 5 competitors, you just cannot make sales equivalent to a market of 20,000 customers.

And while you can't get ahead, you can definitely be set back.  The key to winning then becomes minimising the setbacks. From an operational basis, you are constantly being set back if your production costs are more than the competition’s. From a discrete and pulsating basis, you are set back each time a risk eventuates which impacts you negatively.  The longer and more expensive it takes you to recover, the more you are set back.  The key to winning in this case is to ensure that you minimise your risk eventuations and minimise their impacts.

You can look at risks as these setbacks. It is in your interest to avoid them as much as possible, and to be able to recover as quickly as possible. Even then, you can only recover to a point not quite as good as where you started. Hence, reducing the occurrences of risks becomes a key factor in winning.

Nov 15, 2010

Review of "The Failure of Risk Management: Why It's Broken and How to Fix It" Part 2

In Chapter two of his book, Douglas Hubbard discusses where the risk management industry has been and where it currently thinks it is.

The chapter starts out with a very brief history of risk management ('800 words' according to the author), tracing the route from the discovery of mathematical probabilities, to its initial commercial application in insurance, and finally down to the modern day emerging 'new character' of risk management, incarnated in regulations like Basel II, and in applications like Enterprise Risk Management. His history is not very complimentary, comparing today's state of risk management to the Old West gold rush towns, where things look brightly painted and pretty, but are built on shaky foundations and filled with snake oil peddlers.

His history aligns quite well with Peter Bernstein's own summary, although at a very very high level and, I suspect, very much framed to support his thesis (which I suppose is what the rest of the book is about).

Hubbard then makes a brief discussion of the common risk assessment approaches (expert intuition, weighted scoring, probabilistic models, etc) and suggests that some of these are not up to par for the role risk management is playing (corporate growth survival, after all) and will probably need to be dispensed with.

The next section covers risk mitigation approaches. He has a brief treatment of the common approaches (what risk management book doesn't?): avoid, reduce, transfer, retain. The most interesting part of this section is his list of examples of concrete manifestations of risk mitigation approaches (in contrast to the abstract approaches of avoid, reduce, etc.). His list includes selection processes, contractual risk transfer, insurance, liquid asset position, etc.

In the final section, Hubbard discusses 3 major surveys of enterprise risk management, conducted by Aon, The Economist, and Protiviti. The surveys show what the executives in these companies thought their top risks are (reputation, market, human capital, and regulatory environment figure very high). The surveys indicate that risk management is present in those companies primarily because they are being required to have it (a necessary evil). They also show that risk management is well represented, and increasingly so, at the board level. The executives seem pretty confident that they are doing risk management well.

Hubbard suggests that that is not the case at all.

Sep 6, 2010

Assumptions

Until we develop the ability to see the future, projects and programmes will have to be run in the face of uncertainty.

In the absence of complete information, assumptions will have to be made. Otherwise decisions cannot be made and activities will stall. At least some of these assumptions are documented in the projects. In the more badly run projects, the assumptions are there, but reviewed uncritically. Because a project is proceeding as if these assumptions are valid, it is critically important to review the assumptions.

You are trying to cross a bridge and making the assumption that the floor is sound. You have several choices. You can make the assumption, and proceed to walk normally as if the assumption is correct. You can also make the assumption, keeping in mind that you could be wrong, and proceed with caution, testing every step to see if the assumption holds. You can also, before proceeding, inspect the bridge, and gather more information about the assumption. How likely is the assumption to be correct? How likely is it wrong? Apart from physical inspection you can observe the environment. Are locals crossing the bridge? Are there local experts who know if the bridge is sound?

Because the assumptions are the 'floor' on which the programme will be proceeding, it is critical to review these assumptions to see how sound they are. These assumptions should be looked at with the following filters:

  • Are they complete? Are these the only critical assumptions?
  • Are they valid? Are we making assumptions about things that are not already known to be false?
  • Do we have a plan for reviewing the assumptions at a later date, when we may have more information and be able to verify or reject the assumptions?
  • Have we identified the risks that will arise if the assumptions on which we are proceeding are proven false?

Nov 12, 2009

The Essence of Risk Management

All of man’s activities are fraught with uncertainty and risk. When he undertakes something, he faces uncertainty and risk and loss. Even when he does not undertake anything new, but simply goes on with life as normal, he still faces uncertainty and risk and loss.

Therein lies the essence of risk management, to which man runs to seek an answer to his question: in the face of this uncertainty, what should we do?

Sep 19, 2009

Conrow and Opportunity Management

There are two kinds of risk managers.  There is the kind who think that risk management is about managing ‘negative’ risks.  Then there are those who think that risk management should include managing ‘positive’ risks.

Briefly, a negative risk is a situation that has undesired impacts on our objectives, while a positive risk is a situation that could potentially have desirable impacts on our objectives.  For the most part, risk management has been about managing negative risks.  People buy fire insurance just in case their house burns down.  Nobody buys insurance just in case their house doesn’t burn down.

Edmund Conrow and Robert Charette have an article in Defense AT&L critical of ‘Opportunity Management’ (PDF link). The authors argue that Opportunity Management, or OM, is unnecessary, and will only bring in more trouble than benefits. The main argument Conrow & Charette make is that the standard processes of project management, risk management, and systems engineering are enough to ensure that the project takes care of opportunities that present themselves in the course of the execution of the project. Therefore there is no need for a distinct OM.

Before I came across this article, I had already come across literature endorsing the inclusion into risk management of the management of ‘upside risks’ (opportunities), but I had not come across any literature that purports to advance OM as aggressively as that suggested by Conrow and Charette’s article. The authors worry about OM IPTs (Integrated Project Teams) running about looking for opportunities in a project, and enveloping the whole project team with scope creep.

The Australia Risk Management Standard ANZ 4360:2004 indeed recommends management of positive risks.  Chapman and Ward have also been proponents of this view for many years.  But from what I understand of at least these two sources, the main idea is, as part of risk management, to be prepared in case it is the positive event, rather than the negative event that occurs.  That is, to be prepared to take advantage of the situation. 

May 12, 2009

Risk

Risk cannot be separated from benefits.  It is only because we enjoy benefits that we are concerned with risk. 

We undertake projects in the hope of reaping future benefits from the project. 

In order to understand the risks we face, first we identify the benefits we want to protect. 

There are two types of benefits.  First is the future benefit that we hope to acquire (e.g., a job promotion).  The second is the current benefit that we are enjoying (e.g., a healthy life).

Once we’ve identified the benefits, then we can consider the risks we are concerned with.  For example, the risk that we do not get the promotion.  Or, the risk that our health suffers.

May 3, 2009

The Risks of Doing Nothing

The risks that companies face often come not from activities originating from decisions they make, but, very much more often, from decisions made by others.

They are out to get you. Every one of your competitors is out to get your customers. Every single day they are plotting to change the world and make it more favourable to them (and less favourable to you, but you can relax, as that is merely a secondary purpose).

Failing to monitor, perceive, and anticipate the changes exposes your company to risks. Doing nothing against the changes means your risks are increasing.

For a simplistic example, imagine a company that did not adjust its salaries to keep pace with industry salaries. If its competitors pay much better, key people will tend to move to the competitors. Doing nothing is not fulfilling your responsibility.

Feb 16, 2009

Quantitative Risk Management

Notes for McNeil, A.J., Frey, R. & Embrechts, P. “Quantitative Risk Management: Concepts, Techniques, and Tools”, Princeton University Press, 2005, Chapter 1.

Risk is most often understood as a hazard, a chance of bad consequences, etc., or something that is primarily a downside event.  An initial definition might be ‘an action or event that may adversely affect an organization’s ability to achieve its objectives or execute its strategies’.  This does not capture all the essence of risk, however.

Risk is strongly related to uncertainty and therefore to randomness, another term that defied a firm universal definition for centuries until Kolmogorov’s axiomatic definition (1933). Kolmogorov’s probabilistic model is a triplet (Ω,F,P), where Ω is a state, F is the set of events, of which P is a member, and P(A) is the probability of event A occurring.

FINANCIAL RISK

In the context of finance and insurance, the most common types of risk include:

  • Market risk – the risk of a change in the value of a financial position due to change in its underlying components.
  • Credit risk – the risk of not receiving promised repayments.
  • Operational risk – risk of losses resulting from inadequate or failed internal processes, people, systems, and external events.

Liquidity risk is the risk stemming from the marketability of an investment, that it cannot be sold in time to prevent a loss or achieve a gain.

The only viable way to achieve successes in financial risk management is through a holistic approach, taking all types of risks and their interactions into account.

Risk measurement. Measuring the risk of a portfolio of X holdings with w weightings requires a distribution function Fx(x) = P(X <= x).

Basel II defines operational risk as the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events.

THE REGULATORY FRAMEWORK OF BASEL II

Basel II was released in 2004. It focuses on more risk-sensitive minimum capital requirements for banking organizations, by laying out principles and enhancing transparency in financial reporting.

3-Pillar Concept. In Pillar 1, banks are required to quantify their minimum capital charge (regulatory capital) in line with their economic loss potential. There is a capital charge for credit, market, and operational risk. There was no consideration for operational risk in Basel I. Pillar 2 focuses on ensuring there is a well-functioning corporate governance with appropriate checks and balances.  Pillar 3 is about ensuring appropriate public disclosure of risk measures.

Market Risk Capital Charge. Banks are allowed to use internal VaR (Value at Risk) models. Example: A 10-day VaR at 99% for $20 million means there is a 1% probability for the bank to lose at least $20 million by the end of the 10-day period.

Credit Risk. Under Basel I and Basel II, credit risk is assessed as the sum of risk-weighted assets. The risk weight reflects the creditworthiness of the counterparty. In Basel I, creditworthiness was crude and allowed only 3 categories: governments, regulated banks, and other. Hence the risk-weighting for all corporate borrowers is the same, independent of their actual creditworthiness. In Basel II banks can choose to use standardised approaches or more advanced internal-ratings-based approaches. The new standardised approaches provide substantially more classifications than the old Basel I.

The premise under Basel II is that while individual banks will reduce their credit risk capital charge through internal credit models, the overall size of regulatory capital will remain unchanged.  All agree that operational risk is important, but there is disagreement and uncertainty about how to quantify this risk.

Cooke ratio says that capital should be at least 8% of the risk-weighted assets of a company.

Criticism of Basel II:

  • Cost of setting up a compliant risk management system is substantial
  • ‘Risk management herding’ could take place. This is the phenomenon where organizations simply follow the same rules and behave the same way during a crisis, exacerbating the situation.
  • Overconfidence may come about due to regulation.

Some have raised the notion that regulatory risk management actually makes organisations even more risky.

SOLVENCY 2

Solvency 2 is a review of the capital adequacy of the European insurance industry.  Basel II is aimed to reinforce the soundness and stability of the international banking system.   Solvency 2 is aimed to protect policyholders against isolated bankruptcy of their insurance company.  Basel II addresses systematic risk, Solvency 2 does not (and is not intended to).

Solvency I was very basic and focused on solvency margins. It was not risk based.

Decision on solvency is based on a 2-tier approach. The first level is a target capital, based on risk-sensitive, market-consistent valuation.  Breaching the first level triggers regulatory intervention. The second level is the minimum capital, computed with the old Solvency I rules.

WHY MANAGE FINANCIAL RISK?

Different stakeholders have different interests as to an institution’s investment in quantitative risk management. A balance between the interests has to be sought. Stakeholders can include customers, shareholders, regulators, board of directors, politicians, etc.

SOCIETAL VIEW

Modern society depends on the smooth and reliable functioning of the global financial system. There is a danger of systemic risk. Modern models attempt to spread out the risk to those most willing, and presumably able, to accept the risk. Derivatives are instruments that help to enhance the stability of this system.

CHALLENGES OF QUANTITATIVE RISK MANAGEMENT

It is the large, extreme, unexpected events that form one of the challenges for QRM. Modelling the expected and normal outcomes may have the advantage of simplifying things but risks understating the risks.

Concentration of risks is about exposure to what was thought to be diversified risks, but which happened to experience simultaneous falls or rises.  It is a case where many things go wrong at the same time.

If a portfolio is too expansive, multivariate models for all risk factors may not be feasible.  QRM needs to be simplified to use broad brush strokes, concentrating on the key features only. This is a problem in scalability of QRM.

Successful QRM requires integration with many disciplines. Understanding QRM requires integrating techniques from various disciplines, such as mathematical finance, statistics, financial economics, and actuarial mathematics.

QRM FOR THE FUTURE

QRM has had an overall positive impact in the insurance and banking industry. Other industries (e.g., car manufacturing) have similar practices albeit called differently (e.g., total quality control).

QRM techniques have been adopted in the transport and energy industries, among others. Electrical power is traded on energy exchanges, derivative contracts are used to hedge price increases. There is debate on how much of Basel II can be transferred to the energy industry.

A new area of application is the establishment of markets for environmental emission allowances. The Chicago Climate Futures Exchange offers futures contracts on sulphur dioxide emissions.

Alternative risk transfer is the transfer of risks between industries.

Feb 14, 2009

Futures Contract

A futures contract is a form of a derivative.  It is a contract to buy a specified asset at a specified price at a specified future date. It is a tool to manage financial risk. 

Here’s how it works. Suppose a company has an obligation to pay a debt of US$1 million in 8 months time.  The company is based in Australia, and normally trades in its own local currency (AUD).  In order to protect itself from the uncertain currency fluctuation, it decides to purchase a futures contract to buy US$1 million in 8 months time from a bank at a guaranteed exchange rate of USD1 = AUD 1.7.  The contract specifies that the company will buy $1 million in 8 months,  at the pre-determined exchange rate.  By having this contract, the company does not have to worry about whether the US$ will fluctuate against its favour. It is guaranteed to be able to buy $1 million at the specified exchange rate.

If at the 8 month period, the exchange rate becomes USD 1.00 = AUD 2.00, the company is able to purchase the USD1 million at AUD1.7 million, very much in its favour.  The downside of course is that if at the 8-month period, the exchange rate has become USD1 = AUD1, then the company will be purchasing the USD1 million at an unfavourable, though surprise-free, rate.

Feb 6, 2009

Risk Roadshow

Interesting concept of a risk road show to introduce young children to the mathematics of probability: Risk Roadshow.

Feb 4, 2009

Choose One: Risk Management or Crisis Management

The title of this post is adapted from a comment made by the CRO of Fidelity Investments, who wrote:

“Corporate leaders recognise that over the long term, the only alternative to risk management is crisis management. And crisis management is much more expensive, time-consuming, and painful.”

Feb 2, 2009

A Short History of Risk Management

Summarised from: Kloman, Felix. “A short history of risk management: 1900-2002”. Risk Management Reports, 2002

Risk management is the idea that a logical, disciplined approach to the uncertainties of the future is possible and necessary in order to live with these uncertainties productively and efficiently. Prior to the advent of risk management, faith and luck were the two pillars for managing the future.  Events have causes.  Believing in luck obscures the causes.

The great conflicts (e.g., World War 2), the great disasters, (e.g., Chernobyl) all affected and contributed to the development of risk management. But the most significant milestones are from personal events:

1900: The Galveston Texas flooding changes the nature of weather prediction worldwide.

1905-1912: Workers’ compensation laws, which originated in Germany, are introduced in the US. They introduce pensions and shift personal responsibility to business and government.

1920: BP forms Tanker Insurance Company, Ltd, which becomes one of the first captive insurance companies. Today there are 5000 such companies with $214 billion investable assets. (Captive insurance companies are companies formed to finance the risks of their parent companies)

1921: John Maynard Keynes publishes ‘A Treatise on Probability’ which emphasises the importance of relative perception (over numbers?) and judgment when determining probabilities.

1926: Von Neumann begins publishing papers on games strategy showing that a goal of not losing is superior to a strategy focused on winning.

1933: The US Congress passes the Glass-Steagall Act, which slowed the development of financial institutions and fragmented risk management. Also caused the split between financial and insurance risks. Revoked in 1999.

1952: Markowitz’s paper ‘Portfolio Selection’ published, which explores return and variance, which led to many of the sophisticated measures of financial risk in current use.

1956: Russell Gallagher’s paper ‘Risk Management: A New Phase of Cost Control’ published.  Philadelphia becomes focal point of new ‘risk management’ thinking. Snider argues that the ‘professional insurance manager should be a risk manager’. Herbert Denenberg picks up writings of Henri Fayol, using them to explore risk management.

1962: Massey Ferguson develops the idea of ‘cost-of-risk’, comparing sums of self-funded losses, insurance premiums, loss control costs, and administration costs to revenues, assets and equity.  Moves insurance risk management thinking away from insurance, but fails to cover all forms of financial and political risk.  Rachel Carson’s ‘Silent Spring’ is published, leading to the formation of the EPA and Green movement.

1965: Ralph Nader’s ‘Unsafe at Any Speed’ is published which gives rise to the consumer movement.  Caveat emptor changes to caveat vendor, leading to stiff product and work safety regulations.  Rise of punitive damages in American courts.

1966: Insurance Institute of America issues the first examination for ‘Associate in Risk Management’

1972: Nobel Prize winner Kenneth Arrow imagines a perfect world where every uncertainty is insurable. Concludes our knowledge is always incomplete. We are best prepared for risk by accepting its potential as stimulant and penalty.

1973: Geneva Association is formed.  Two years later begins linking risk management, insurance and economics.  The association provides intellectual stimulus for the developing discipline.  Scholes and Black publish paper on option valuation, opening up the field of derivatives.

1974: Gustav Hamilton creates a ‘risk management circle’ which graphically describes the interaction of all elements of the process, from assessment and control to financing and communications.

1975: American Society of Insurance Management changes name to Risk & Insurance Management Society (RIMS), signalling shift towards risk management and by end of the century has 3500 corporate members.

1976: Fortune magazine publishes ‘The Risk Management Revolution’, suggesting coordination of risk management functions within an organisation, and also suggesting board responsibility for organisational policy and oversight.

1980: Society for Risk Analysis formed in Washington. Its journal Risk Analysis published.  Makes terms ‘risk assessment’ and ‘risk management’ well known in legislatures on both sides of Atlantic.

1983: William Ruckelshaus’s speech on ‘Science, Risk and Public Policy’ brings risk management to the national political agenda.

1986: The Institute of Risk Management (IRM) begins in London. A few years later begins education program looking at all facets of risk management, issuing the designation “Fellow of the Institute of Risk Management”.  US Congress passes Risk Retention Act. Risk retention groups begin.

1987: Black Monday.  Vernon Grose publishes ‘Managing Risk’, one of the best ever primers on risk assessment and management.

1990: UN starts IDNDR, International Decade for Natural Disaster Reduction.  Efforts end with publication of Natural Disaster Magazine, presenting a synopsis on nature of hazards and challenges for the 21st century.

1992: Cadbury Committee in UK issues report suggesting that governing boards are responsible for setting and accepting oversight for risk management policy.  Successor committees in the UK (Hempel, and Turnbull) and in other countries establish a new and broader mandate for organisational risk management.

British Petroleum turns insurance world topsy-turvy with decision not to insure operations in excess of $10 million.  Decision was based on academic study by Neil Doherty of the University of Pennsylvania and Clifford Smith of University of Rochester.

1995: AS/NZS 4360:1995 standard first published. First Risk Management Standard.  Nick Leeson in Singapore topples Barings.  Revives interest in operational risk management.

1996: Global Association of Risk Professionals starts. Operating through the internet, it becomes the largest RM association in the world. Focused on financial risk.

Risk management popularised and becomes a bestseller through Peter Bernstein’s ‘Against the Gods’.

2000: Y2K bug fails to materialise, mainly because of massive fix effort.  A big success for risk management.

2001: Sept 11. Collapse of Enron reinvigorates risk management.

Jan 22, 2009

Facts Versus Fears

Summary of “Facts and Fears: Understanding Perceived Risk”, a study of risk perception conducted by Slovic, Fischhoff, and Lichtenstein.

Perception of risk refers to the acceptance that there is in fact a risk. Acceptability of risk refers to how much the risk can be tolerated; to what level it should be controlled.

INVOLUNTARINESS

New research suggests that the accepted views on catastrophic loss may need to be revised.  A current, popular view, based on a hypothesis put forward by Starr (1969), says that people tend to demand stricter standards against hazards brought on by involuntary risks (involuntary risks are risks one does not take by choice).  This hypothesis says that risks that are involuntary are perceived to be less tolerable.

Slovic et al.'s study did not intentionally seek to address Starr's hypothesis, but the findings provided an interesting test of it.  Their new study seems to suggest that in addition to voluntariness, a host of other factors such as knowledge, controllability, etc. need to be factored into risk standards.

Their study further tends toward the notion that it may not be involuntariness per se that drives the call for stricter results, but other conditions closely associated with involuntariness, such as catastrophic results.  Involuntary hazards tend to include large-scale catastrophic events such as nuclear power, terrorism, bio-chemical threats.

Levels of acceptability of risk correlate positively with perceived benefits of the risk, in fact more strongly than with voluntariness.

CATASTROPHIC POTENTIAL

The study suggests that it is the (perceived) potential for massive loss, rather than involuntariness, that could be the driving force behind risk perception and acceptability.

CONCLUSIONS

  1. Perceived risk is quantifiable and predictable.
  2. Groups of people differ systematically in their perceptions.
  3. People make mistakes in judging risks.
  4. Experts are also susceptible to bias.
  5. The various modes of death possible from risks do not seem to have a significant impact on public vs. expert perceptions of risk (???)
  6. The higher the perceived current level of risk, the larger the required adjustment needed to bring the risk down to acceptable levels.
  7. The perceived potential for catastrophic loss of life is one of the most important risk characteristics (more so than involuntariness).
  8. Evidence does not remove disagreements. Definitive evidence is rare. All other forms of evidence can be skewed to pre-conceived positions.

Further conclusions. The authors conclude that the public can make gross mistakes in perceptions of risk, but then so do experts, so public opinion ought not to be excluded from risk decisions.  It is much better to involve the public in risk matters for the purpose of increasing their knowledge in the longer term and also because their cooperation is needed for risk management undertakings to succeed.
