Risk Management Reports

June, 1997
Volume 24, No. 6

Defining Risk
At a mouth-watering and mind-expanding lunch in Paris in January, Chris Lajtha, the risk manager for Schlumberger, suggested that I elaborate on what "risk" means today. Over the years, I have continually modified my definition of risk. By the late 1980s I was using "the possibility that a future event may cause harm," a brief and memorable phrase drawn from experience and reading. Both William Rowe (1978) and H. J. Dunster (1985) referred to risk as the "probability of a specified adverse event or consequence." This definition is still in vogue: Dr. Vlasta Molak sees risk as "the probability of an adverse effect" in her Fundamentals of Risk Analysis and Risk Management, (CRC Lewis Publishers, Boca Raton, FL 1996).

Yet these definitions overlook a critical and obvious element: risk includes potential opportunity as well as harm. Several graduate students at the University of St. Gallen's Institute of Insurance Economics (IVW) challenged me at a seminar discussion in Switzerland several years ago. They are right. How we respond to risk can change the effect from minus to plus. Too much of risk management today focuses on risk in its pejorative sense.

Risk is "deviation from the expected," or, as Williams, Smith and Young define it in the seventh edition of Risk Management and Insurance, (McGraw-Hill, New York 1995), it is "the possible variation in outcomes."

What are the constituent elements of "risk?" The first is frequency. Will an event happen? How often will it occur? Frequency is closely linked with the second component, severity. What are the likely consequences? Can they be described in financial or intangible terms? What will be the effect on reputation or public confidence? These estimates are invariably value judgments, depending on the position of the observer. A multi-billion dollar organization's $1 million loss, easily written off, will be a disaster to a smaller concern. The third element is public perception. How do the "experts" see the risk? Is the public's perception different? Consider the differences in evaluation of nuclear power, EMF (electromagnetic force), and silicon breast implant risks.

All carry low to negligible "expert" risk estimates and high "public" risk estimates. If the "public" believes, however misguided, that risk is high, an organization is forced to take responsive action. Frank Sterrett described this irony in "Risk Equilibrium," in RMR, March-April 1992, where he argued that the major goal of risk management is to bring the public and expert estimates of risk into some form of equilibrium, through a combination of control and communication.

The final element in risk is the confidence in our estimates. How sure are we in our knowledge? We must discount each calculation of frequency, severity and the public's perception by the quality of information available. Are the data reliable? Do we really understand them? When confidence is reduced, we must expand our confidence intervals. This is the classic caution of the actuary.

These four elements - frequency, severity, public perception and confidence in estimates - are essential to any risk analysis. What is often missing is appreciation for the opportunity latent in every "deviation from the expected." We are too paranoid about potential harm, missing the chance for gain.

Consider the Malden Mills example. In November, 1995, a major fire destroyed three of its mill buildings in Lawrence, Massachusetts, a disaster to this family-held $400 million institution that manufactures Polartec-brand textiles. The owner's options were to collect insurance and rebuild, shut down, sell out, or transfer operations outside the US. Aaron Feuerstein chose the first option and created opportunity out of disaster. Despite the shutdown, he continued to pay his employees and made an extra effort to help many during the December holidays that followed the fire. He promised to rebuild and continue operations in Lawrence, with a new state-of-the-art $100 million plant. In return his customers rallied to the company, garnering national press attention press, followed by an invitation to be a guest at the President 's State-of-the-Union address to Congress. A positive, humane and intelligent response converted disaster to new opportunity.

Risk is a vital and challenging ingredient of our daily lives. Risk management becomes a conscious affirmation that change is continuous and inevitable: how we respond determines our economic and emotional survival and prosperity in the future.

Perceived risk can best be characterized as a battleground marked by strong and conflicting views about the nature and seriousness of the risks of modern life. The paradox for those who study risk perception is that, as people have become healthier and safer on average, they have become more - rather than less - concerned about risk, and they feel more and more vulnerable to the risks of modern life.

Paul Slovic, "Risk Perception and Trust,", in
Fundamentals of Risk Analysis and Risk Management,
edited by Vlasta Molak, CRC Lewis Publishers, Boca Raton, FL, 1997

Of Mice and M&M
The recent mergers in the insurance brokerage arena are separating mice from men. The top four global firms, J&H Marsh & McLennan, Aon Group, Sedgwick Group and Willis Corroon Group, now account for over US$ 12 billion in annual revenues. The next largest firm, Acordia, has less than $700 million, and after that the numbers drop rapidly. Is this gigantism warranted?

The Economist of March 22, 1997 observed: "Creative failure. bloated costs, the emergence of new technology and new competitors." The reference was to the automobile industry but this description could as easily apply to the insurance brokerage business. On RiskWeb that same week, Lisa Arsenault, of IMC Strategic Development in Canada, complained, "Insurance costs too much. Plain and simple. It costs too much because of obsolete systems, inferior data, inferior data management, substandard underwriting practices, incredibly stupid documentation practices and the ridiculous overhead required to maintain the brokerage/agency system."

If these critiques are correct, what do these firms and their shareholders see in these mega-mergers? Look at the reported first quarter 1997 numbers for Marsh & McLennan (pre-J&H merger): Putnam Investments revenues up 43%, Mercer Consulting revenues up 10.5%, but insurance services (brokerage) business up only 1.3%. Both revenue growth and profits are shrinking rapidly.

This rush to elephantiasis may stimulate unintended consequences.

(1) Mixing the oil and water of a partnership and a publicly traded corporation may prove impossible. The "producer" mentality that dominates these firms may create increasing competition among individual producers and offices in an effort to position themselves against the heralded expense reductions. An "everyone for himself" attitude won;t help the customers!

(2) The mergers will stimulate fresh competition. Business Insurance (April 28, 1997) editorialized that "this situation may also create the opportunity for non-traditional players to enter the brokerage business, including retail and investment banks that have been eyeing insurance."

Chief financial officers and risk managers, knowing that alleged costs savings will probably never reach them, will reduce the role of brokers and more seriously consider going directly to the market. Insurers themselves, fearful of being whipsawed by mega-firms, will work more assiduously at building direct relationships with their customers. A number of insurer senior officers have recently acknowledged this to me, obviously not for attribution.

(3) Sellers will experiment with new methods of distribution for the insurance product. Fred Church, in Boston Risk Management Corporation's April 1997 newsletter, Friends, Romans, Countrymen . . ., summarized the current distribution techniques for insurance in the US. The agency/brokerage system is the largest segment, but it is shrinking rapidly, from over 70,000 firms in the early 1980s to 44,000 in 1996 and a projected 35,800 by 2006. Part of this reflects mergers but much is also absolute shrinkage. Other methods are exclusive agents (State Farm and Allstate, for example), direct response sales ( USAA and GEICO, for example) and sponsored sales through employers. The newer entries are the commercial banks and the Internet. The latter two probably with grow geometrically in the next decade.

The keys to the future of this brokerage business remain service and cost. Clients, corporate and personal, should receive high quality services, but only those they need. They should pay only for services used. Wrapping unneeded services in a blanket of commissions is wasteful. Fees, based on concrete hourly rates and periodic reporting, should replace commissions. The day of 20%, 15% or even 10% commissions is gone. The fixed commission too often creates complacency. I recently worked with several brokers and agents and expected prompt feedback from our discussions. I was taught that a service provider should respond to a client within 24 hours if possible. Email now makes this pro forma. Yet in three cases, after I had asked for response, the brokers/agents managed to reply after three weeks in two cases and never in one! No wonder clients are exasperated with the system!

Bigger creates more problems than solutions, and unexpected consequences. Could the next step for Marsh & McLennan be a spin off its insurance brokerage operations, leaving shareholders with the far more profitable investment and management consulting businesses?

. . . the story you finish is never the one you begin.

Salman Rushdie, Midnight's Children
Penguin Books, New York, 1980

Reporting on Risk Management
Few organizations today give a coherent and comprehensive report on their risks and responses. A risk analysis is required by Canada's Dey Report and UK's Cadbury Report The Australian/New Zealand Standard recommends it. Too often information on risk hedging is buried in footnotes to the financial statement, credit risks are noted only in bad debt reserves, and environmental, safety and health issues are treated only after a problem arises. That's why the NOVA Corporation 1996 Annual Report is singular. A full page "Safety, Health, Environmental & Risk (SHER) Report," building on similar analyses in 1994 and 1995 (see RMR, July 1995), reveals a new integrated effort across all NOVA businesses. Seven "networks" address risk: Environmental Leadership; Safety Excellence; Occupational Health; Occupational Hygiene; Material Flow and Product Safety; Emergency Response; and SHER Services. NOVA still needs to incorporate substantive information on risk magnitudes, financial risks (currency, credit and interest rate) and risk financing, to make this report complete.

Other corporations experimenting with more creative risk reporting include Reuters, Barclays Bank and Royal Dutch/Shell. Cautioned by the public's reaction to its plan to scuttle the Brent Spar oil platform in the Atlantic and its "see-no-evil" approach to its operations in Nigeria, the massive oil company is proposing to revise its business principles to support "fundamental human rights in line with the legitimate role of business." Shell recognizes that it lives in a fish-bowl world of instant news, CNN coverage and public reaction. The old Milton Friedman/University of Chicago thesis that a corporation is in business solely to serve its shareholders is gone.

Stakeholders are more diverse and cantankerous today: employees resent arbitrary downsizing and sue; pension and mutual funds intervene in management; customers want to know more about their suppliers, and vice versa; regulators seek increased information to avoid taxpayer retribution; and communities want candid assessments of the risks that jointly affect them and the corporation. "Stakeholder value" has replaced "shareholder value."

New guidelines are available to help corporations report on risk and response. One set, suggested by Chris Stooke and Mark Stephen of Price Waterhouse, appeared in the March 1997 issue of InfoRM, the journal of London's Institute of Risk Management.

  • an explanation of the overall areas of risk faced by the company;

  • a summary of the framework under which risk is managed, including the responsibilities and roles of individual committees involved in its management;
  • a description in general terms of how those committees consider risk; and
  • for individually significant classes or types of risk, a description of the issues faced by the company, their impact and the steps taken to mitigate them.

The authors also offer sound advice: "It is more positive to disclose than to keep silent."

Wait, I'll make you a prophecy, one the immortal gods have planted in my mind - it will come true, I think,though I'm hardly a seer or know the flights of birds.

Homer, The Odyssey, Book 1, lines 232-235.
translated by Robert Fagles, Viking Press, New York, 1996

Letter from Australia
My old friend Mike Oswald has set up a new risk management consultancy, Context Risk Management, in Brisbane, Australia, leaving his position at QIDC (see "Challenges in Australasia, RMR, August 1996). A recent letter offers some serious reflections on the state of the discipline:

"Having been through some very interesting risk battles, I never cease to be amazed at the power of the status quo as a way forward, with the associated affront taken at presumed invasions of territory. But, heartened by a quote from Carlos Castaneda's A Separate Peace, 'the difference between a warrior and an ordinary man is that a warrior sees everything as a challenge, while an ordinary man sees everything as a blessing or a curse,' my challenge is to review the issue of the hierarchical structure as an opportunity. For if the issue is the difficulty in bringing a perspective to the well-drawn turf boundaries in the pursuit of managing risk, then how do these hierarchies manage risk, and what are the implications for the overall organisation?

As Theodore Levitt wrote, in Management for Business Growth, 'all organisations are hierarchical. At each level people serve those above them. An organisation is therefore a structured institution. If it is not structured, it is a mob. Mobs do not get things done, they destroy things.'

If effective risk management is a commercial decision, then we should be looking along organisation structure lines to see how commercial decisions are made, and what information is used to frame these decisions, and how accountability is allocated.

I agree with Mike Rubenstein of American Express (RMR, April 1997) that people are the starting point in seeking a holistic or integrated approach to risk management. It is the people who continually reallocate risk management resources to their challenges, within these structured organisations, and any integrated risk model should review these relationships.

The most interesting integrated model for managing company risk comes from the Board responsibilities proposed within the Dey Report on Canadian Corporate Governance (see RMR April 1996), released in 1995. The Report proposed five key responsibilities:

1) a succession plan for the CEO and senior management;

2) an effective communication plan;

3) a strategic plan;

4) effective systems; and

5) risk management responsibility

If we accept these principles, then we can see that the Board is responsible and accountable for ensuring that the company manages its strategic risks.

We accept that the CEO and divisional managers are responsible for managing the day-to-day risk profile of the organisation, so is it not reasonable for the Board of Directors to seek statements of accountability from the CEO, along the following lines?

  • Are you satisfied that the company is positioned reasonably to manage the risks inherent in its strategic direction?
  • Do you consider the policies, procedures, management systems, information systems and expertise of our company appropriate to manage the operational, financial/market, regulatory/political and legal liability risks that the organisation faces?
  • Do you require our support in ensuring that any risk control gaps are closed by rearranging relationships between the risk and the allocated risk management controls?
  • Does the organisation have a risk aware culture allowing it to respond to changing market circumstances?
  • Will we be reasonably and quickly informed of changes to the company's risk exposure, if major gaps in the control framework appear?
  • This approach is the minimum prudential approach for a Board of Directors to ensure that the company is managing its risks. The CEO should take a similar approach for the company's divisions and separate balance sheet operations.

    This provides some sunlight to the mixture of risk (Mike Rubenstein's "mush" - see RMR, April 1997), as the CEO is responsible for managing the portfolio of exposures and resulting risks. Where the mix is difficult to manage as a result of anachronisms in the allocation of responsibility, the resolutions will reflect organisational risk rather than transfer pricing or balance sheet drivers.

    In Australia we want to extend the role of the Board Audit Committee to be more aligned with the Risk Jury approach taken by Barclays Bank (RMR, April 1997). This linkage of compliance with a prospective approach allows the organisation to see what level of bang it is getting out of its 'control' buck, as tight controls on immaterial risks are a costly waste of resources."

    Australia continues to provide significant leadership in risk management, as is evident in Mike's letter.

    Total risk avoidance is impossible. The death rate will stay at one per person. Sir Hermann Bondi, "Risk in Perspective," in
    Risk: Manmade Hazards to Man,
    M. G. Cooper, editor, Clarendon Press, Oxford, 1985

    Environmental Risk Assessment
    "Risk assessment asks, 'How risky is this situation?' while risk management asks, 'What shall we do about it?" A booklet just published by ICMA (the International City/County Management Association, in Washington, entitled Risk Assessment: The Role of Local Government., opens with this idea. Human health and ecological risks connected to the use and past misuse of our environment are its focal points. It summarizes various methodologies used by local governments in the US to assess and begin remediation at Superfund and brownfield sites, considering the differing public views on levels of "acceptable risk" and the inevitable costs of remediation. The report concludes that local governments should play more active roles in this entire process, including:
    • better access to risk assessment tools and resources;
    • awareness of risk assessment and risk management processes;
    • awareness of information and guidance on risk communication;
    • skills in stakeholder and community involvement;
    • awareness of scientific uncertainties and assumptions;
  • awareness of the limitations in the quality and compatibility of data;
  • familiarization with range of risk assessment options;
  • balancing of individual with larger community interests;
  • recognition of the uncertainty and confusion on definitions;
  • education about environmental justice issues;
  • awareness of the use of comparative risk assessments.

    The best parts of this report are the one page "risk case studies" of 23 cities, towns, and municipal groups: how each has approached the subject of human health and ecological risk assessments and how each has involved the community. Finally, the report includes numerous risk assessment resources, ranging from the Integrated Risk Information System (IRIS) of the Environmental Protection Agency in Washington, to other computer software and Internet addresses of these resources. Copies are available from ICMA, Research & Development, 777 North Capitol Street NE, Suite 500, Washington, DC 20002-4201. Tel: 202-962-3672.

  • The bags (under his eyes) gave his every utterance the gravity of one who has seen it all and just barely survived. "Without these bags, I'm no longer a lawyer, I'm just a complainer."

    Donald Westlake, What's the Worst that Could Happen?
    Mysterious Press, New York, 1996