Risk Management Reports

(This article is drawn from my presentation to the Seattle Chapter of the Risk & Insurance Management Society, March 15, 2004. It repeats many themes familiar to my readers.)

What are the skills we need in the future? I heard this question twice in the past eight months, first from a parent of a junior enrolled in a sailing program in Tenants Harbor, Maine, and later from a risk manager in Seattle, Washington. The answer, I think, is found not so much in specific skills as in aptitudes.

Take sailing, for example. The skills that we teach and that are required to handle a small boat successfully in various types of weather and sea conditions include being able to swim, knowing the parts of a boat, and its rigging, understanding how sails work, sailing a boat both upwind and downwind, knowing what to do in the event of a person overboard or a capsize, leaving and returning from docks and mooring, tying the correct knots and understanding weather, tides and currents. These are specific and necessary skills that are easily taught. More important, however, are the aptitudes that serve as the foundation for these skills. Independence is the first: the willingness to step out on your own. Patience is the second: understanding that a sailboat cannot go directly upwind, nor can it move when there is no wind. And third is teamwork: sailing and racing a small boat requires exquisite timing and cooperation in order to do well. Without these three aptitudes, a sailor literally may be at sea.

My sailing analogy applies equally to the discipline of risk management. Again, independence comes first. In its current evolution as an integrated and strategic process throughout any enterprise, its "champion" and guide must be independent of conventional staff and operating functions. Too many organizations attempt to force risk management into finance where it becomes both dependent and restricted. Independence begins with a fresh and broader view of "risk" itself. It is not, as too many safety, finance and insurance practitioners construe it, merely a "chance of loss." It must be viewed as encompassing the unexpected, both favorable and unfavorable. Risk is "a measure of the possibility of unexpected outcomes." Under this definition risk management becomes "a discipline for dealing with uncertainty," a far more strategic approach than as construed by the narrow confines of finance, insurance, safety, quality control, and business recovery planning. Risk management independence thus requires a leader who has a direct reporting relationship to both the CEO and the organization’s governing board. Only in this way can that leader raise unpopular and even dangerous risk issues, those risk issues that are truly material to the future of the organization.

As an example, the most pressing current issue is that of excessive executive compensation. Too many organizations have allowed their senior management reward systems to skyrocket out of control, to obscene levels. CEOs are naturally unwilling to take action and compliant boards exacerbate the problem. The result: regulators, shareholders and stakeholders lose confidence in management. We need chief risk officers who are both able and willing to address these and similar larger strategic issues and who, at the same time, can present these issues intelligently and dispassionately to critical board committees. Otherwise, we will continue to focus on relatively minor risks to the exclusion of those that materially affect our futures. As David Godfrey, the CRO for Swiss Reinsurance Company, said recently, "And from time to time you (the CRO) need the ability to say, ´I´m sorry, but I don’t agree with what you say.´ If you (the CRO) only report to the CEO, it’s very difficult to go beyond that in order to express disagreement, if the channels aren’t there already to do so." (See "ERM, Operational Risk and Risk Management Evolution," in GARP Risk Review, March/April 2004)

The Economist stated the issue of trust and independence most succinctly in its April 22, 2000 issue (I quoted it earlier in RMR April 2001): "There may be two good reasons for companies to worry about ethical behavior. One is anticipation: bad behavior, once it stirs up a public fuss, may provoke legislation that companies will find more irksome than self-restraint. The other, more crucial, is trust. A company that is not trusted by its employees, partners and customers will suffer."

Independence of risk management is necessary to permit and stimulate both strategic perspective and the courage to speak out when required. It is an aptitude that transcends specific skills.

My second aptitude, drawn from sailing, is patience. When the wind isn’t favorable, you may have to anchor and wait for it to change. The Chinese for centuries used bamboo as a comparable example. In a storm the bamboo shaft bends but doesn’t break, springing back to its normal position when the winds subside. Patience implies a long-term view of an organization and its future. One of the most pernicious current problems is the overfocus, even paranoia, on “shareholder value” and near-term stock prices. We have succumbed to a mass frenzy trying to outdo each other in managed earnings and artificial stimulation of the daily prices posted in New York, London, Frankfurt and Sydney. The patient CRO understands the long-view of an organization’s responsibility to its stakeholders, including shareholders, one that may reach out as far as twenty to thirty years. Patience means revising the goal of risk management (and the organization itself) to "building and maintaining stakeholder confidence." "Shareholder value" is but a piece of this equation, with all respect to the University of Chicago theories of economic practice.

If a CRO accepts this basic thesis, then it follows that the three basic objectives of risk management must be:

Credibility: Communicating the nature of risks, both favorable and unfavorable, with stakeholders, and their responses, to enhance the support of these groups for the organization.

Resilience: Building an internal and external flexibility so that the organization can respond to whatever unexpected event may occur, and in many cases actually taking advantage of a downside event to improve market position.

Perspective: Countering the prevailing over-focus on the short-term. Here Peter Schwartz’s The Art of the Long View (Doubleday, 1991) remains one of the best expositions of long-term perspective.

Patience, however, has an Achilles Heel. Most of the prevailing metrics for measuring the success or failure of a risk management function are cast in short-term numbers. VaR is one of these, and it, similar to many others, is flawed. No one has yet developed a consistent and accepted metric for measuring the longer-term results of risk management. We need one and we may be condemned to the short-term until and unless we can create a new measure.

My third aptitude is teamwork. Because tactical risk management embodies so many different skills, it makes good sense for its practitioners to reach out and try and understand the problems and solutions of others. While we are making some progress within organizations toward breaking down the artificial barriers that kept us from communicating with one another, too many of our major associations of risk management players continue to operate behind impregnable fortresses. Most are unable, even unwilling, to bring representatives of their counterpart groups to their annual conferences and local chapter meetings. The result is an appalling lack of knowledge of the work of others. Last December, I asked an audience of some 40 members of the Society for Risk Analysis how many had even heard of GARP, PRMIA or RIMS. Two hands were raised. I questioned registrants at the February 2004 GARP meeting: few had heard of SRA or RIMS. Then, at a RIMS chapter meeting in Seattle in March, I asked the same question of over 100 registrants. Only one was also a member of GARP; none were members of PRMIA or SRA. Many members of one association had not even heard of the other groups. This is the worst sort of parochialism.

Many specialist skills are required for risk analysis, the first step in the process (the identification of possible unexpected events; their measurement in terms of likelihood, timing, consequences and public perception; and their assessment relative to an organization’s objectives). They include scenario analysis, quantitative and probabilistic analysis, actuarial science, data management, knowledge of the law, econometric modeling, intuition and the use of heuristics, and, of course, the value of experience. Similarly, another set of skills is employed in risk response, the second step in the process (controls adopted to balance upside and downside risk; measuring and monitoring performance; and communicating with stakeholders). These skills include knowledge of safety and quality systems (Six Sigma), audit and accounting controls, environmental controls, behavioral economics (financial incentives and penalties), contingency and crisis management (business recovery planning), and financing (credit, derivatives, hedging, pooling, use of capital markets, insurance and claims management). It is too much to ask any one person to be fully conversant and expert in all these fields. This makes teamwork the mandatory aptitude. It is high time that the IIA, GARP, PRMIA, RMA, CAS/SOA, SRA, RIMS/IFRIMA and ASSE, among others, cease their guild-like restrictiveness and reach out to their counterparts, expanding the scope of our discipline.

The Swiss Re’s David Bothwell addressed the question of skills in a similar fashion: “They (risk officers) have to have skills that are seen to be relevant and at a high level. They have to be seen to be balanced, to look at the total picture, assessing the opportunity which the deal-doer is telling you is the greatest thing since sliced bread, . . . while at the same time balancing that with the broader picture. Risk managers have to be able to articulate well their reasoning for a particular position or view-point . . . . Risk managers have to be consistent – or they will lose respect . . . . But in the final analysis, they ultimately have to be prepared to stand up and say no.”

The major challenge for any risk management team is the prevailing failure to communicate intelligently and coherently with all of our stakeholder groups. Last month (April 2004), I described the Bank of Montreal’s exceptional eight-page description of its internal risk management program. Too few organizations attempt even this. I know of no organization that employs a consistent and effective continuing two-way dialogue with its stakeholder groups on its analysis of risks and its responses. Perhaps improved teamwork among the existing risk management groups can develop a better means of communication.

Academic institutions are a critical part of the teamwork equation. More are beginning to stretch their formerly narrow programs (finance; insurance; public policy; engineering) to incorporate ideas and methods from the other sub-disciplines. I hope that many of the association-run certification programs will also acknowledge their competitors and expand their curricula to include, as least nominally, other ideas and techniques.

Independence, patience and teamwork are three critical aptitudes for those who purport to practice this evolving discipline of risk management. Within them one can develop other technical skills; without them, these skills are meaningless.