At a mouth-watering and mind-expanding lunch in Paris in January, Chris
Lajtha, the risk manager for Schlumberger, suggested that I elaborate on
what "risk" means today. Over the years, I have continually modified
my definition of risk. By the late 1980s I was using "the possibility
that a future event may cause harm," a brief and memorable phrase
drawn from experience and reading. Both William Rowe (1978) and H. J. Dunster
(1985) referred to risk as the "probability of a specified adverse
event or consequence." This definition is still in vogue: Dr. Vlasta
Molak sees risk as "the probability of an adverse effect" in
her Fundamentals of Risk Analysis and Risk Management, (CRC Lewis
Publishers, Boca Raton, FL 1996).
Yet these definitions overlook a critical and obvious element: risk includes potential opportunity as well as harm. Several graduate students at the University of St. Gallen's Institute of Insurance Economics (IVW) challenged me at a seminar discussion in Switzerland several years ago. They are right. How we respond to risk can change the effect from minus to plus. Too much of risk management today focuses on risk in its pejorative sense.
Risk is "deviation from the expected," or, as Williams, Smith and Young define it in the seventh edition of Risk Management and Insurance, (McGraw-Hill, New York 1995), it is "the possible variation in outcomes."
What are the constituent elements of "risk?" The first is frequency. Will an event happen? How often will it occur? Frequency is closely linked with the second component, severity. What are the likely consequences? Can they be described in financial or intangible terms? What will be the effect on reputation or public confidence? These estimates are invariably value judgments, depending on the position of the observer. A multi-billion dollar organization's $1 million loss, easily written off, will be a disaster to a smaller concern. The third element is public perception. How do the "experts" see the risk? Is the public's perception different? Consider the differences in evaluation of nuclear power, EMF (electromagnetic force), and silicon breast implant risks.
All carry low to negligible "expert" risk estimates and
high "public" risk estimates. If the "public" believes,
however misguided, that risk is high, an organization is forced to take
responsive action. Frank Sterrett described this irony in "Risk Equilibrium,"
in RMR, March-April 1992, where he argued that the major goal of
risk management is to bring the public and expert estimates of risk into
some form of equilibrium, through a combination of control and communication.
The final element in risk is the confidence in our estimates. How sure are we in our knowledge? We must discount each calculation of frequency, severity and the public's perception by the quality of information available. Are the data reliable? Do we really understand them? When confidence is reduced, we must expand our confidence intervals. This is the classic caution of the actuary.
These four elements - frequency, severity, public perception and confidence in estimates - are essential to any risk analysis. What is often missing is appreciation for the opportunity latent in every "deviation from the expected." We are too paranoid about potential harm, missing the chance for gain.
Consider the Malden Mills example. In November, 1995, a major fire destroyed three of its mill buildings in Lawrence, Massachusetts, a disaster to this family-held $400 million institution that manufactures Polartec-brand textiles. The owner's options were to collect insurance and rebuild, shut down, sell out, or transfer operations outside the US. Aaron Feuerstein chose the first option and created opportunity out of disaster. Despite the shutdown, he continued to pay his employees and made an extra effort to help many during the December holidays that followed the fire. He promised to rebuild and continue operations in Lawrence, with a new state-of-the-art $100 million plant. In return his customers rallied to the company, garnering national press attention press, followed by an invitation to be a guest at the President 's State-of-the-Union address to Congress. A positive, humane and intelligent response converted disaster to new opportunity.
Risk is a vital and challenging ingredient of our daily lives. Risk management becomes a conscious affirmation that change is continuous and inevitable: how we respond determines our economic and emotional survival and prosperity in the future.
Perceived risk can best be characterized as a battleground marked by
strong and conflicting views about the nature and seriousness of the risks
of modern life. The paradox for those who study risk perception is that,
as people have become healthier and safer on average, they have become
more - rather than less - concerned about risk, and they feel more and
more vulnerable to the risks of modern life.
Paul Slovic, "Risk Perception and Trust,", in
|Of Mice and M&M|
The recent mergers in the insurance brokerage arena are separating mice
from men. The top four global firms, J&H Marsh & McLennan, Aon
Group, Sedgwick Group and Willis Corroon Group, now account for over US$
12 billion in annual revenues. The next largest firm, Acordia, has less
than $700 million, and after that the numbers drop rapidly. Is this gigantism
The Economist of March 22, 1997 observed: "Creative failure. bloated costs, the emergence of new technology and new competitors." The reference was to the automobile industry but this description could as easily apply to the insurance brokerage business. On RiskWeb that same week, Lisa Arsenault, of IMC Strategic Development in Canada, complained, "Insurance costs too much. Plain and simple. It costs too much because of obsolete systems, inferior data, inferior data management, substandard underwriting practices, incredibly stupid documentation practices and the ridiculous overhead required to maintain the brokerage/agency system."
If these critiques are correct, what do these firms and their shareholders see in these mega-mergers? Look at the reported first quarter 1997 numbers for Marsh & McLennan (pre-J&H merger): Putnam Investments revenues up 43%, Mercer Consulting revenues up 10.5%, but insurance services (brokerage) business up only 1.3%. Both revenue growth and profits are shrinking rapidly.
This rush to elephantiasis may stimulate unintended consequences.
(1) Mixing the oil and water of a partnership and a publicly traded corporation may prove impossible. The "producer" mentality that dominates these firms may create increasing competition among individual producers and offices in an effort to position themselves against the heralded expense reductions. An "everyone for himself" attitude won;t help the customers!
(2) The mergers will stimulate fresh competition. Business Insurance (April 28, 1997) editorialized that "this situation may also create the opportunity for non-traditional players to enter the brokerage business, including retail and investment banks that have been eyeing insurance."
Chief financial officers and risk managers, knowing that alleged costs
savings will probably never reach them, will reduce the role of brokers
and more seriously consider going directly to the market. Insurers themselves,
fearful of being whipsawed by mega-firms, will work more assiduously at
building direct relationships with their customers. A number of insurer
senior officers have recently acknowledged this to me, obviously not for
(3) Sellers will experiment with new methods of distribution for the insurance product. Fred Church, in Boston Risk Management Corporation's April 1997 newsletter, Friends, Romans, Countrymen . . ., summarized the current distribution techniques for insurance in the US. The agency/brokerage system is the largest segment, but it is shrinking rapidly, from over 70,000 firms in the early 1980s to 44,000 in 1996 and a projected 35,800 by 2006. Part of this reflects mergers but much is also absolute shrinkage. Other methods are exclusive agents (State Farm and Allstate, for example), direct response sales ( USAA and GEICO, for example) and sponsored sales through employers. The newer entries are the commercial banks and the Internet. The latter two probably with grow geometrically in the next decade.
The keys to the future of this brokerage business remain service and cost. Clients, corporate and personal, should receive high quality services, but only those they need. They should pay only for services used. Wrapping unneeded services in a blanket of commissions is wasteful. Fees, based on concrete hourly rates and periodic reporting, should replace commissions. The day of 20%, 15% or even 10% commissions is gone. The fixed commission too often creates complacency. I recently worked with several brokers and agents and expected prompt feedback from our discussions. I was taught that a service provider should respond to a client within 24 hours if possible. Email now makes this pro forma. Yet in three cases, after I had asked for response, the brokers/agents managed to reply after three weeks in two cases and never in one! No wonder clients are exasperated with the system!
Bigger creates more problems than solutions, and unexpected consequences. Could the next step for Marsh & McLennan be a spin off its insurance brokerage operations, leaving shareholders with the far more profitable investment and management consulting businesses?
. . . the story you finish is never the one you begin.
Salman Rushdie, Midnight's Children
|Reporting on Risk Management|
Few organizations today give a coherent and comprehensive report on
their risks and responses. A risk analysis is required by Canada's Dey
Report and UK's Cadbury Report The Australian/New Zealand Standard recommends
it. Too often information on risk hedging is buried in footnotes to the
financial statement, credit risks are noted only in bad debt reserves,
and environmental, safety and health issues are treated only after a problem
arises. That's why the NOVA Corporation 1996 Annual Report is singular.
A full page "Safety, Health, Environmental & Risk (SHER) Report,"
building on similar analyses in 1994 and 1995 (see RMR, July 1995),
reveals a new integrated effort across all NOVA businesses. Seven "networks"
address risk: Environmental Leadership; Safety Excellence; Occupational
Health; Occupational Hygiene; Material Flow and Product Safety; Emergency
Response; and SHER Services. NOVA still needs to incorporate substantive
information on risk magnitudes, financial risks (currency, credit and interest
rate) and risk financing, to make this report complete.
Other corporations experimenting with more creative risk reporting include Reuters, Barclays Bank and Royal Dutch/Shell. Cautioned by the public's reaction to its plan to scuttle the Brent Spar oil platform in the Atlantic and its "see-no-evil" approach to its operations in Nigeria, the massive oil company is proposing to revise its business principles to support "fundamental human rights in line with the legitimate role of business." Shell recognizes that it lives in a fish-bowl world of instant news, CNN coverage and public reaction. The old Milton Friedman/University of Chicago thesis that a corporation is in business solely to serve its shareholders is gone.
Stakeholders are more diverse and cantankerous today:
employees resent arbitrary downsizing and sue; pension and mutual funds
intervene in management; customers want to know more about their suppliers,
and vice versa; regulators seek increased information to avoid taxpayer
retribution; and communities want candid assessments of the risks that
jointly affect them and the corporation. "Stakeholder value"
has replaced "shareholder value."
New guidelines are available to help corporations report on risk and response. One set, suggested by Chris Stooke and Mark Stephen of Price Waterhouse, appeared in the March 1997 issue of InfoRM, the journal of London's Institute of Risk Management.
The authors also offer sound advice: "It is more positive to disclose than to keep silent."
Wait, I'll make you a prophecy, one the immortal gods have planted in my
mind - it will come true, I think,though I'm hardly a seer or know the
flights of birds.
Homer, The Odyssey, Book 1, lines 232-235.
|Letter from Australia|
My old friend Mike Oswald has set up a new risk management consultancy,
Context Risk Management, in Brisbane, Australia, leaving his position at
QIDC (see "Challenges in Australasia, RMR, August 1996). A
recent letter offers some serious reflections on the state of the discipline:
"Having been through some very interesting risk battles, I never cease to be amazed at the power of the status quo as a way forward, with the associated affront taken at presumed invasions of territory. But, heartened by a quote from Carlos Castaneda's A Separate Peace, 'the difference between a warrior and an ordinary man is that a warrior sees everything as a challenge, while an ordinary man sees everything as a blessing or a curse,' my challenge is to review the issue of the hierarchical structure as an opportunity. For if the issue is the difficulty in bringing a perspective to the well-drawn turf boundaries in the pursuit of managing risk, then how do these hierarchies manage risk, and what are the implications for the overall organisation?
As Theodore Levitt wrote, in Management for Business Growth, 'all organisations are hierarchical. At each level people serve those above them. An organisation is therefore a structured institution. If it is not structured, it is a mob. Mobs do not get things done, they destroy things.'
If effective risk management is a commercial decision, then we should be looking along organisation structure lines to see how commercial decisions are made, and what information is used to frame these decisions, and how accountability is allocated.
I agree with Mike Rubenstein of American Express (RMR, April 1997) that people are the starting point in seeking a holistic or integrated approach to risk management. It is the people who continually reallocate risk management resources to their challenges, within these structured organisations, and any integrated risk model should review these relationships.
The most interesting integrated model for managing company risk comes from the Board responsibilities proposed within the Dey Report on Canadian Corporate Governance (see RMR April 1996), released in 1995. The Report proposed five key responsibilities:
1) a succession plan for the CEO and senior management;
2) an effective communication plan;
3) a strategic plan;
4) effective systems; and
5) risk management responsibilityIf we accept these principles, then we can see that the Board is responsible and accountable for ensuring that the company manages its strategic risks.
We accept that the CEO and divisional managers are responsible for managing the day-to-day risk profile of the organisation, so is it not reasonable for the Board of Directors to seek statements of accountability from the CEO, along the following lines?
This approach is the minimum prudential approach for a Board of Directors to ensure that the company is managing its risks. The CEO should take a similar approach for the company's divisions and separate balance sheet operations.
This provides some sunlight to the mixture of risk (Mike Rubenstein's "mush" - see RMR, April 1997), as the CEO is responsible for managing the portfolio of exposures and resulting risks. Where the mix is difficult to manage as a result of anachronisms in the allocation of responsibility, the resolutions will reflect organisational risk rather than transfer pricing or balance sheet drivers.
In Australia we want to extend the role of the Board Audit Committee to be more aligned with the Risk Jury approach taken by Barclays Bank (RMR, April 1997). This linkage of compliance with a prospective approach allows the organisation to see what level of bang it is getting out of its 'control' buck, as tight controls on immaterial risks are a costly waste of resources."
Australia continues to provide significant leadership in risk management, as is evident in Mike's letter.
Total risk avoidance is impossible. The death rate will stay at one
Sir Hermann Bondi, "Risk in Perspective," in
|Environmental Risk Assessment|
"Risk assessment asks, 'How risky is this situation?' while risk
management asks, 'What shall we do about it?" A booklet just published
by ICMA (the International City/County Management Association, in Washington,
entitled Risk Assessment: The Role of Local Government., opens with
this idea. Human health and ecological risks connected to the use
and past misuse of our environment are its focal points. It summarizes
various methodologies used by local governments in the US to assess and
begin remediation at Superfund and brownfield sites, considering the differing
public views on levels of "acceptable risk" and the inevitable
costs of remediation. The report concludes that local governments should
play more active roles in this entire process, including:
The best parts of this report are the one page "risk case studies" of 23 cities, towns, and municipal groups: how each has approached the subject of human health and ecological risk assessments and how each has involved the community. Finally, the report includes numerous risk assessment resources, ranging from the Integrated Risk Information System (IRIS) of the Environmental Protection Agency in Washington, to other computer software and Internet addresses of these resources. Copies are available from ICMA, Research & Development, 777 North Capitol Street NE, Suite 500, Washington, DC 20002-4201. Tel: 202-962-3672.
The bags (under his eyes) gave his every utterance the gravity of one
who has seen it all and just barely survived. "Without these bags,
I'm no longer a lawyer, I'm just a complainer."
Donald Westlake, What's the Worst that Could Happen?