August, 1996

Risk Management reports

September, 1996
Volume 23, No. 9

Autopoiesis
Richard Lowther, the well-read risk manager of Brown & Williamson, in Louisville, Kentucky, sent me an e-mail that challenged my vocabulary and view of risk management: "I recently read Microcosmos, by Lynn Margulis and Dorion Sagan, and was struck by the following passage: To be alive, an entity must be autopoietic, that is, it must actively maintain itself against the mischief of the world. Life responds to disturbance, using matter and energy to stay intact. An organism constantly exchanges its parts, replacing its component chemicals without ever losing its identity. This modulating, holistic phenomenon of autopoiesis, of active self-maintenance, is at the basis of all known life; all cells react to	"external perturbations in order to preserve key aspects of their identity within their boundaries." For myself, I am thinking of renaming Risk Management at Brown & Williamson the Department of Autopoesis. The only problem I can see is that even fewer people would understand what we are about, but at least fewer people would mistakenly believe that they knew!" Lowther's quotation confirms what my wife has been telling me to thirty years: risk management is natural, an expression of common sense. Perhaps, as Margulis and Sagan believe, our species will evolve to compensate for various risks. Even so, I hope that the discipline of risk management can help speed the process, accelerating the learning curve so that we encounter fewer disasters along the way.

Autopoiesis

Richard Lowther, the well-read risk manager of Brown & Williamson, in Louisville, Kentucky, sent me an e-mail that challenged my vocabulary and view of risk management:

"I recently read Microcosmos, by Lynn Margulis and Dorion Sagan, and was struck by the following passage:

To be alive, an entity must be autopoietic, that is, it must actively maintain itself against the mischief of the world. Life responds to disturbance, using matter and energy to stay intact. An organism constantly exchanges its parts, replacing its component chemicals without ever losing its identity. This modulating, holistic phenomenon of autopoiesis, of active self-maintenance, is at the basis of all known life; all cells react to

"external perturbations in order to preserve key aspects of their identity within their boundaries."

For myself, I am thinking of renaming Risk Management at Brown & Williamson the Department of Autopoesis. The only problem I can see is that even fewer people would understand what we are about, but at least fewer people would mistakenly believe that they knew!"

Lowther's quotation confirms what my wife has been telling me to thirty years: risk management is natural, an expression of common sense. Perhaps, as Margulis and Sagan believe, our species will evolve to compensate for various risks. Even so, I hope that the discipline of risk management can help speed the process, accelerating the learning curve so that we encounter fewer disasters along the way.

"I take risks when I must. You cannot do business without taking risks."

A. S. Byatt, The Babel Tower, Random House, New York, 1996

Lessons from the Young
Last month, I gave a newly-hatched egg from one of our hens to my three-and-a-half year-old granddaughter for the short walk to her house. My wife wisely put it in a plastic bag, and I suggested discussing with the child the nature and fragility of eggs before we let her trudge up the hill. My wife argued that we should let nature take its course: "To a three year old, what hasn't happened, won't." It reminded me that many adults have not moved beyond this mentality. They think, "If it hasn't happened, it won't (at least to me)."	They then build houses in earthquake fault zones or on beaches open to hurricanes. They assume that, if the stock market has risen for eight years, it will rise forever. They can't conceive of an employee stealing from their company. Seatbelts and motor cycle helmets are for others. Well, as expected, a scrambled egg arrived at my granddaughter's house. Fortunately the hens continued their daily production and all the subsequent egg deliveries have been successful. It proves again that sad experience is often the best lesson in risk management.

Lessons from the Young

Last month, I gave a newly-hatched egg from one of our hens to my three-and-a-half year-old granddaughter for the short walk to her house. My wife wisely put it in a plastic bag, and I suggested discussing with the child the nature and fragility of eggs before we let her trudge up the hill. My wife argued that we should let nature take its course: "To a three year old, what hasn't happened, won't."

It reminded me that many adults have not moved beyond this mentality. They think, "If it hasn't happened, it won't (at least to me)."

They then build houses in earthquake fault zones or on beaches open to hurricanes. They assume that, if the stock market has risen for eight years, it will rise forever. They can't conceive of an employee stealing from their company. Seatbelts and motor cycle helmets are for others. Well, as expected, a scrambled egg arrived at my granddaughter's house. Fortunately the hens continued their daily production and all the subsequent egg deliveries have been successful. It proves again that sad experience is often the best lesson in risk management.

The self is a fiction. I make up the story of myself with scraps of memory, sensation, reading, and hearsay. It is a tale I whisper against the dark. Only in rare moments of luck or courage do I hush, forget myself entirely, and listen to the silence that precedes and surrounds and follows all speech.

Scott Russell Sanders, "Wayland," in Best American Essays

1993, Ticknor & Fields, New York 1993

Grading Risk Management
How successful is a risk management function? Measuring competence and success is a continuing problem facing every organization. When I first became involved in the insurance business in the late '50s, the solution to the measurement problem was to ask competing insurance brokers and companies to present bids. If they were lower, you changed your program. If they were higher, then, by definition, the existing program was satisfactory. The inanity of allowing sellers to measure program value then led to independent insurance audits performed by organizations with no financial interest in the outcome. These were followed by a "management by objectives" approach that enabled internal auditors to measure performance against mutually defined annual goals, both qualitative and quantitative. In the mid-1960s Douglas Barlow suggested measuring "cost of risk," a broader view of risk management than just insurance, and risk management audits followed almost immediately. By the late '70s North American "cost of risk" surveys enabled organizations to make rough cost comparisons with their peers, despite numerous significant statistical and data collection inadequacies, some of which persist to this day. By the early '80s some "Guiding Principles" for risk management were available to auditors, later embodied in "The Risk Management Audit" in RMR No. 2 for 1988 and updated six years later (see RMR June 1994). Most currently came "benchmarking" and "best practices," as risk management expands beyond its insurance limits. The process of performance measurement continues. It is a never-ending attempt to push the boundaries of creativity and to improve performance. In the past few months I read two new approaches to grading risk management. The first was a "report card" for the community of risk analysis scholars and practitioners represented bu the Society for Risk Analysis. It was presented by Professor M. Granger Morgan, of Carnegie Mellon University, at the Society's 1995 Annual Meeting. He used eight general areas to measure risk analysis, assigned each area two grades, one for "best practice" (how well our society applies what we know) and the other for "typical practice" (how well an individual organization operates). I support this distinction: it compares our efforts to the best, and then compares the best to what we should really be capable of achieving. His areas: (1) Status and Use of Basic Science (2) Analyzing Exposure and Effects Processes (3) Handling Uncertainties (4) Analyzing Risk Perceptions (5) Incorporating Values (6) Considering Organizational and Social Context (7) Applying Decision Rules and Risk Management Strategies (8) Communicating Risks These areas use terminology different from that employed by most insurance or financial risk managers. That is why they may be especially valuable. They represent a shift in traditional thinking. Why not try to grade your risk management function using some or all of them? I especially like the areas of "analyzing risk perceptions" and "communicating risks."	Conventional risk managers are often weak here. They fail to understand that public perception is the major driving force behind any risk response and that continued coherent communication with all organizational stakeholders is essential. NatWest Group in London has developed a more detailed Scorecard that measures the performance and quality of risk management in each internal business unit against established Group Standards and Best Practices. The Scorecard is divided into "People and Structure" and "Operation of Processes." It is especially appropriate since its covers all areas of banking, trading and operational risks. The "People and Structure" section of the Scorecard asks "to what extent have Group Standards and Best Practices been inculcated into Businesse in respect to" seven areas, the first four defined aspriority factors and the last three as other factors. Each is followed by several specific assessment criteria. (1) Risk Management Framework Effectiveness, Including Committee Structures: Is there a framework in place to help identify and evaluate key risks and implement policy? (2) Appropriateness of Risk Functions: Does each area have the risk function(s) required for effective control? (3) Consideration of Risk Issues in the Planning Process: Are risk issues considered in strategic planning? (4) Asset Quality and Risk Reward Assessment Methodologies: Are analytical and information systems in place? (5) Quality of Staff in Key Risk Positions and Adequacy of Succession Planning (6) Identification and Management of Problem Accounts (7) Provisioning Process and Policies The second section of the Scorecard addresses "Operation of Processes," asking, "to what extent are major risks being effectively managed?" for credit, trading/market and operational risks. Credit risk addresses portfolio management, counterparty and settlement risks, new product risks, country risk, systemic risks/disaster scenarios, setting and delegation of discretionary powers, and an overview of credit decisions at all levels. Trading/market risk addresses portfolio management, new product risk and systems. Operational risk addresses identification, measurement and management of operational risk (including contingencies), risk financing and insurance strategy, environmental risks, and other key risks (including information and reputational risks). Each of these areas on the Scorecard has specific assessment criteria that enable each business unit leader to complete a self-evaluation. Both of these grading approaches leads to a more active and informed participation by individual business units. The units then accept ownership of and responsibility for their own risks. Risk management becomes a natural procedure in their thinking, reducing their reliance on corporate specialists. The Granger and NatWest scorecards also use ideas and a framework that incorporate all forms of risk.

Grading Risk Management

How successful is a risk management function? Measuring competence and success is a continuing problem facing every organization. When I first became involved in the insurance business in the late '50s, the solution to the measurement problem was to ask competing insurance brokers and companies to present bids. If they were lower, you changed your program. If they were higher, then, by definition, the existing program was satisfactory. The inanity of allowing sellers to measure program value then led to independent insurance audits performed by organizations with no financial interest in the outcome. These were followed by a "management by objectives" approach that enabled internal auditors to measure performance against mutually defined annual goals, both qualitative and quantitative. In the mid-1960s Douglas Barlow suggested measuring "cost of risk," a broader view of risk management than just insurance, and risk management audits followed almost immediately. By the late '70s North American "cost of risk" surveys enabled organizations to make rough cost comparisons with their peers, despite numerous significant statistical and data collection inadequacies, some of which persist to this day. By the early '80s some "Guiding Principles" for risk management were available to auditors, later embodied in "The Risk Management Audit" in RMR No. 2 for 1988 and updated six years later (see RMR June 1994). Most currently came "benchmarking" and "best practices," as risk management expands beyond its insurance limits.

The process of performance measurement continues. It is a never-ending attempt to push the boundaries of creativity and to improve performance.

In the past few months I read two new approaches to grading risk management. The first was a "report card" for the community of risk analysis scholars and practitioners represented bu the Society for Risk Analysis. It was presented by Professor M. Granger Morgan, of Carnegie Mellon University, at the Society's 1995 Annual Meeting. He used eight general areas to measure risk analysis, assigned each area two grades, one for "best practice" (how well our society applies what we know) and the other for "typical practice" (how well an individual organization operates). I support this distinction: it compares our efforts to the best, and then compares the best to what we should really be capable of achieving.

His areas:

(1) Status and Use of Basic Science

(2) Analyzing Exposure and Effects Processes

(3) Handling Uncertainties

(4) Analyzing Risk Perceptions

(5) Incorporating Values

(6) Considering Organizational and Social Context

(7) Applying Decision Rules and Risk Management Strategies

(8) Communicating Risks

These areas use terminology different from that employed by most insurance or financial risk managers. That is why they may be especially valuable. They represent a shift in traditional thinking. Why not try to grade your risk management function using some or all of them?

I especially like the areas of "analyzing risk perceptions" and "communicating risks."

Conventional risk managers are often weak here. They fail to understand that public perception is the major driving force behind any risk response and that continued coherent communication with all organizational stakeholders is essential.

NatWest Group in London has developed a more detailed Scorecard that measures the performance and quality of risk management in each internal business unit against established Group Standards and Best Practices. The Scorecard is divided into "People and Structure" and "Operation of Processes." It is especially appropriate since its covers all areas of banking, trading and operational risks.

The "People and Structure" section of the Scorecard asks "to what extent have Group Standards and Best Practices been inculcated into Businesse in respect to" seven areas, the first four defined aspriority factors and the last three as other factors. Each is followed by several specific assessment criteria.

(1) Risk Management Framework Effectiveness, Including Committee Structures: Is there a framework in place to help identify and evaluate key risks and implement policy?

(2) Appropriateness of Risk Functions: Does each area have the risk function(s) required for effective control?

(3) Consideration of Risk Issues in the Planning Process: Are risk issues considered in strategic planning?

(4) Asset Quality and Risk Reward Assessment Methodologies: Are analytical and information systems in place?

(5) Quality of Staff in Key Risk Positions and Adequacy of Succession Planning

(6) Identification and Management of Problem Accounts

(7) Provisioning Process and Policies

The second section of the Scorecard addresses "Operation of Processes," asking, "to what extent are major risks being effectively managed?" for credit, trading/market and operational risks.

Credit risk addresses portfolio management, counterparty and settlement risks, new product risks, country risk, systemic risks/disaster scenarios, setting and delegation of discretionary powers, and an overview of credit decisions at all levels.

Trading/market risk addresses portfolio management, new product risk and systems.

Operational risk addresses identification, measurement and management of operational risk (including contingencies), risk financing and insurance strategy, environmental risks, and other key risks (including information and reputational risks).

Each of these areas on the Scorecard has specific assessment criteria that enable each business unit leader to complete a self-evaluation.

Both of these grading approaches leads to a more active and informed participation by individual business units. The units then accept ownership of and responsibility for their own risks. Risk management becomes a natural procedure in their thinking, reducing their reliance on corporate specialists. The Granger and NatWest scorecards also use ideas and a framework that incorporate all forms of risk.

It's getting harder to tell where the words go.
You send them off with instructions not to stop on the road,
Not to speak to strangers, but as they run they spill over.

Carl Dennis, from "Listeners," Wilson Quarterly, Spring 1996

World Insurance 1994
Sigma, the economic research publication of Swiss Reinsurance Company, has again published its estimates of world insurance premium volume (Economic Study 4/96). Its total for the year 1994 was US$ 1,968 billion (or $1.9 trillion in US parlance), for growth of just about 3.5% over the previous year. Life insurance remained the largest part of the pie, US$ 1,121 billion, with a growth rate of 4.4%, while the non-life sector, of greater importance to the readers of RMR, grew only a sluggish 2.3% to US$ 847 billion. Last year Sigma reported that 1993 was, in all probability, "close to the peak" of the current global insurance cycle of high growth and profits (1993 grew 6% over 1992). This forecast looks correct in light of this year's numbers. Latin America was the only aberration, continued its insurance buying spree with growth of 32.2%, most of it in non-life. Compare this to North America's paltry 2.1% and insurers may conclude that it's time to go south, young man!	In all of the Latin American countries except Chile (42%), non-life insurance premiums account for more than 60% of all premiums. Compare this to North America's paltry 2.1% and insurers may conclude that it's time to go south, young man! In all of the Latin American countries except Chile (42%), non-life insurance premiums account for more than 60% of all premiums. The bulk of non-life premium remains in North America, US$ 360 billion (42.6%), followed by Europe with $262 billion (30.9%) and Asia with $162 billion (19.1%). Sigma predicted for 1995 a further slowing in the global rate of premium growth. For a copy contact Thomas Hess, Editor, Sigma, Economic Research, Swiss Re, 50/60 Mythenquai, CH-8022, Zurich, Switzerland. Tel: +41-1-285-2551 Fax: +41-1-285-2999.

World Insurance 1994

Sigma, the economic research publication of Swiss Reinsurance Company, has again published its estimates of world insurance premium volume (Economic Study 4/96). Its total for the year 1994 was US$ 1,968 billion (or $1.9 trillion in US parlance), for growth of just about 3.5% over the previous year. Life insurance remained the largest part of the pie, US$ 1,121 billion, with a growth rate of 4.4%, while the non-life sector, of greater importance to the readers of RMR, grew only a sluggish 2.3% to US$ 847 billion. Last year Sigma reported that 1993 was, in all probability, "close to the peak" of the current global insurance cycle of high growth and profits (1993 grew 6% over 1992). This forecast looks correct in light of this year's numbers. Latin America was the only aberration, continued its insurance buying spree with growth of 32.2%, most of it in non-life. Compare this to North America's paltry 2.1% and insurers may conclude that it's time to go south, young man!

In all of the Latin American countries except Chile (42%), non-life insurance premiums account for more than 60% of all premiums.

Compare this to North America's paltry 2.1% and insurers may conclude that it's time to go south, young man! In all of the Latin American countries except Chile (42%), non-life insurance premiums account for more than 60% of all premiums. The bulk of non-life premium remains in North America, US$ 360 billion (42.6%), followed by Europe with $262 billion (30.9%) and Asia with $162 billion (19.1%).

Sigma predicted for 1995 a further slowing in the global rate of premium growth.

For a copy contact Thomas Hess, Editor, Sigma, Economic Research, Swiss Re, 50/60 Mythenquai, CH-8022, Zurich, Switzerland. Tel: +41-1-285-2551 Fax: +41-1-285-2999.

Where (they) go wrong is in an overvaluation of the purely random, a too great reliance on the human capacity to insist on finding meaning in the trivial, the flotsam and jetsam of the brain's tick and tock, messages on scraps of paper with one word. Anything is a message if you are looking for a message.

A. S. Byatt, The Babel Tower, Random House, New York 1996

Speeding Justice
In North America and the United Kingdom, both the criminal and civil justice systems move more slowly each year. Last year's O. J. Simpson trial was a gross perversion of the system. Consider also the asbestosis class actions that have dragged on for over a decade, with no end in sight. The only beneficiaries are lawyers, whose egos and fees are boundless. The frustration of both plaintiffs and defendants multiplies, leading organizations to consider arbitration, at least in the US, as a form of privatization of a no longer efficient public service. In UK, however, the recent report (see The Economist, July 27, 1996) by Lord Woolf on reforming the civil justice system may lead to dramatic change. He suggests that minor cases be referred to a small claims court and major cases split with a procedural judge attempting to review and accelerate a case before it goes to court. The majority of mid-range cases would be subject to a much faster track: o Cases tried within 30 weeks of filing a writ	o Trial of a fixed length: one day or less o Oral evidence from experts not permitted o Limited oral evidence from witnesses o Limitation of documents that counsel could request from other parties o Standard fees for lawyers (fixed price, eliminating both contingencies and runaway hours ar exhorbitant hourly rates) Overall, Lord Woolf wants to generate incentives to reach early settlements. Many risk managers and actuaries know that the longer a case runs, the higher its costs, even factoring in the imputed interest on funds not expended. Lord Woolf suggests that punitive rates of interest be applied where foot-dragging by either party is evident. Perhaps this will work in the UK, but imagine the protests from the plaintiff's bar in the US!

Speeding Justice

In North America and the United Kingdom, both the criminal and civil justice systems move more slowly each year. Last year's O. J. Simpson trial was a gross perversion of the system. Consider also the asbestosis class actions that have dragged on for over a decade, with no end in sight. The only beneficiaries are lawyers, whose egos and fees are boundless. The frustration of both plaintiffs and defendants multiplies, leading organizations to consider arbitration, at least in the US, as a form of privatization of a no longer efficient public service.

In UK, however, the recent report (see The Economist, July 27, 1996) by Lord Woolf on reforming the civil justice system may lead to dramatic change. He suggests that minor cases be referred to a small claims court and major cases split with a procedural judge attempting to review and accelerate a case before it goes to court. The majority of mid-range cases would be subject to a much faster track:

o Cases tried within 30 weeks of filing a writ

o Trial of a fixed length: one day or less

o Oral evidence from experts not permitted

o Limited oral evidence from witnesses

o Limitation of documents that counsel could request from other parties

o Standard fees for lawyers (fixed price, eliminating both contingencies and runaway hours ar exhorbitant hourly rates)

Overall, Lord Woolf wants to generate incentives to reach early settlements. Many risk managers and actuaries know that the longer a case runs, the higher its costs, even factoring in the imputed interest on funds not expended. Lord Woolf suggests that punitive rates of interest be applied where foot-dragging by either party is evident.

Perhaps this will work in the UK, but imagine the protests from the plaintiff's bar in the US!

When civilization functions, so do its public institutions. One hundred years ago, American public schools, public hospitals and other public facilities and services were among the best in the world. Since that time, the very sense of what is "public" has decayed: our public schools, public hospitals, and public transportation are shunned by many people. What the "privatization" of these institutions has meant is nothing but the replacement of one bureaucracy by another - and, almost always, the latter is of an inferior nature.

John Lukacs, "Our Enemy, The State?," Wilson Quarterly, Spring 1996

Standard Chartered Risk Map
John Boswell, with the Group Passive Risk Management Department in London's Standard Chartered Bank, shared with me a new "risk map" that he uses to describe visually the extent of risk and risk management within his global banking institution. (insert Risk Map - should be reduced to fit on one-half page) At the center are the five factors that "represent the universal conditions that give rise to loss": economic, technological, environmental, political and human. These are bounded by preventive controls and avoidance. Surrounding them are twenty-two loss events, within the general categories of credit, strategic, market and operational. (These , of course, are framed in the normal operations of a banking institution.)	The next ring represents the five types of mitigation: contractual documentation, detective controls, litigation, trading hedges, and insurance. Finally, the outer edges display the ultimate potential consequences. Boswell explains: "What this risk map does primarily is help distinguish between cause and effect(s) when losses occur. The events on the map may be viewed as arbitrary groupings and debated endlessly - it doesn't matter as long as an adequate scope of risk is expressed. The presence of underlying factors helps demonstrate the interrelationship between credit, market and other types of risk." The strength of this graphic: it shows all aspects of risk and its management visually. Its weakness: it may be too busy to use without explanation and discussion. We still need simpler images to enhance the understanding of risk management.

Standard Chartered Risk Map

John Boswell, with the Group Passive Risk Management Department in London's Standard Chartered Bank, shared with me a new "risk map" that he uses to describe visually the extent of risk and risk management within his global banking institution.

(insert Risk Map - should be reduced to fit on one-half page)

At the center are the five factors that "represent the universal conditions that give rise to loss": economic, technological, environmental, political and human. These are bounded by preventive controls and avoidance. Surrounding them are twenty-two loss events, within the general categories of credit, strategic, market and operational. (These , of course, are framed in the normal operations of a banking institution.)

The next ring represents the five types of mitigation: contractual documentation, detective controls, litigation, trading hedges, and insurance. Finally, the outer edges display the ultimate potential consequences.

Boswell explains: "What this risk map does primarily is help distinguish between cause and effect(s) when losses occur. The events on the map may be viewed as arbitrary groupings and debated endlessly - it doesn't matter as long as an adequate scope of risk is expressed. The presence of underlying factors helps demonstrate the interrelationship between credit, market and other types of risk."

The strength of this graphic: it shows all aspects of risk and its management visually. Its weakness: it may be too busy to use without explanation and discussion. We still need simpler images to enhance the understanding of risk management.

Rather than pessimism, I am left simply with a sense of the wisdom, in these matters, of modest expectations, of the importance of attending carefully to the nourishing of grass roots initiatives - the network of voluntary organizations, the collaborative efforts of state agencies with the non-profit - all of those undramatic, piecemeal activities which go to weave and strengthen the very fabric of civil society.

And I firmly believe that we must allow our knowledge of the past - the distant past no less than the recent - to inform, chasten, and bridle our expectations.

Francis Oakley, "Prospects for a Democratic Society,"
Ideas, Volume 4, Number 1, 1996

Internet Conference
Risk managers may be interested in participating in an innovative two month conference on the Internet, sponsored by the Secretariat of the International Decade for Natural Disaster Reduction (IDNDR). Entitled "Solutions for Cities at Risk," this conference will run from August 25 to October 26, 1996 and focus on the ability of communities, large and small, to respond to potential disasters. Since most corporations depend on the infrastructure of cities and towns, their risk managers	should be interested in this session, along with public entity risk managers. For more information, contact the session on the World Wide Web at http://www.quipu.net/risk/ or by email at risk@thecity.sfsu.edu. Week 1 will be a plenary session, followed by six weeks of workshops and a final concluding week. To register, send a message to listserv@the city.sfsu.edu and write "subscribe risk your-first-name your-last-name. You will then receive a registration form by email.

Internet Conference

Risk managers may be interested in participating in an innovative two month conference on the Internet, sponsored by the Secretariat of the International Decade for Natural Disaster Reduction (IDNDR). Entitled "Solutions for Cities at Risk," this conference will run from August 25 to October 26, 1996 and focus on the ability of communities, large and small, to respond to potential disasters.

Since most corporations depend on the infrastructure of cities and towns, their risk managers

should be interested in this session, along with public entity risk managers.

For more information, contact the session on the World Wide Web at http://www.quipu.net/risk/ or by email at risk@thecity.sfsu.edu. Week 1 will be a plenary session, followed by six weeks of workshops and a final concluding week. To register, send a message to listserv@the city.sfsu.edu and write "subscribe risk your-first-name your-last-name. You will then receive a registration form by email.