Risk Management Reports

September, 1997
Volume 24, No. 9

GARP
John Irving's novel, The World According to Garp, describes a tumultuous world where the unexpected occurs and the characters are unprepared. It has nothing to do with the newest "GARP," a set of suggested "generally accepted risk principles" prepared by the international accounting firm of Coopers & Lybrand and published last year. These principles are designed to prepare organizations, particularly financial institutions, to control the unexpected and survive.

In the late 1970s and early '80s, while working as a management consultant with Risk Planning Group, several of us developed a set of general risk management "principles" against which we could benchmark client programs. These preliminary "principles" met with approval and were published in 1988 in "The Risk Management Audit," in Risk Management Reports, Vol. 15, No. 2. The fifteen "Guiding Principles for a Sound Risk Management Process" were later revised and updated in 1994 by Tillinghast-Towers Perrin, with which Risk Planning Group merged in 1985. Each principle was accompanied by one to four "risk strategies." These strategies,in turn, had numerous "risk tactics," tools and techniques employed successfully by different organizations. Of course, none of this had the imprint of "accepted wisdom." It was only a suggested starting point.

Now Coopers & Lybrand has attempted a more ambitious set of standards. It has responded to the series of notable financial market catastrophes (Barings, Daiwa, Bankers Trust and Metallgeschellshaft, among others) that reduced confidence in banks, and to the resulting new regulations. Using both internal staff and a blue ribbon external review board, chaired by Sir Peter Middleton, the Coopers & Lybrand GARP is a major addition to the risk management literature.

Sir Peter concludes in his Foreword, "The cost of risk management is not an item of discretionary expenditure. If an organization is to be properly managed, spending on risk management has to be driven by the risks taken on, rather than by the profits or loss achieved by the business unit, or by the politically or economically sustainable overhead level. A business line must treat the cost of risk management as the cost of doing business." This is exactly the message of those preaching integrated, or holistic, or strategic risk management these past few years. It is now embodied in 89 Principles. 

A cynic might argue that 89 are a bit of overkill. Moses only needed ten, and we managed with 15 in 1988. On the other hand, Martin Luther rambled on to 95, so perhaps the 89 of GARP are reasonable.

GARP suggests four "fundamental themes:" (1) The ultimate responsibility for risk management must be with the board . . . ., (2) The board and executive management must recognize a wide variety of risk types . . . ., (3) Support and control functions . . . need to be an integral part of the overall risk management framework, and (4) Risk management objectives and policies must be a key driver of the overall business strategy. These themes are not new. Royal Dutch Shell incorporated many of them into its strategies over a decade ago. Bankers Trust uses the RAROC (risk adjusted return on capital) model for its operations. "Value at Risk" (VAR) is employed by many financial institutions. Yet the GARP Principles incorporate much recent research and practice.

The first twelve Principles address risk management strategy. They include the ultimate responsibility of the board, the need for an "integrated framework of responsibilities and functions" for risk management, the delegation of board responsibility to the executive committee, and the need for independence of support and control functions.

Principles 13-19 call for a "dedicated risk management function" to address first credit, market and liquidity risks, and then other organizational risks. This function "must be independent of the business units and trading areas." To me, this means that risk management should not report to finance, human relations, or administration, but, as GARP suggests, directly to the executive committee. GARP suggests a "risk management group," led by the risk management function, composed of representatives from strategic planning, human resources, information technology, legal, compliance and internal audit. Oddly, finance is missing. The roles of the specific risk management function are risk monitoring, evaluating and measuring. Separate risk managers should be appointed to cover each business unit. The Principles correctly insist that "the responsibility for a business unit's risks remains with the head of the business unit."

Principles 20-55, on risk measurement, reporting and control, aim specifically at market, credit and liquidity risks, more typical of financial institutions. For example, one Principle suggests that firms "should mark-to-market daily (my emphasis) all trading positions." Probability-based measures, such as VAR, should be used to aggregate risks. Limits should be set for various types of risk, such as capital at risk (No. 41), market risk (No. 42), and credit risk (No. 43). Notably absent are Principles that apply to "limits" on operational, legal, regulatory, reputation and human resources risks. These are identified early in GARP but unfortunately do not receive later attention. They are included in the framework but seem to be dismissed thereafter. I acknowledge that market, credit and liquidity risks are more important for financial institutions, but other risks, admittedly less susceptible to concrete measurement, can be significant. Appendix 1 defines some of these risk terms. "Operational risk" includes transaction, operational control and systems risks. It also mentions "Business/Event risk," incorporating currency convertibility, shift in credit rating, loss of reputation, change in taxation, and legal, disaster and regulatory concerns, but this term does not appear in the text. I'd rather see currency and credit rating risks combined in the credit and market area, and consolidate the rest under the heading "operational." I prefer my simpler four risk categories: financial/market, regulatory/political, legal, and operational.

The final Principles (79-89) address risk management systems to generate and support needed decision-making information.

As GARP concludes, "the principles . . . have an impact on all levels of management within a firm, and collectively provide an integrated framework for risk management and control that links into business strategy and policy, the firm's culture and the operation of its business activities at a procedural level." GARP emphasizes the importance of covering all risks facing the organization, from the more critical market, credit and liquidity risks, to operational, legal, regulatory, reputation and human resources risks.

GARP is a significant contribution to the development of the risk management discipline.

For more information, contact Phil Rivett, at the Coopers & Lybrand Global Financial Risk Management Practice, 1 Embankment Place, London WC2N 6NN, United Kingdom. Telephone: +44-171-583-500 Fax: +44-171-822-4652

I spend my time at the great work of preserving. Memory, as well as fruit, is being saved from the corruption of the clocks.

Salmon Rushdie, Midnight's Children, Penguin Books, New York, 1980


Risk Strategy: Start-Up
A participant in the RiskWeb discussion group on the Internet recently asked how he could start a "risk strategy" in his organization. It's a challenging question. Where do we begin? One way of gathering support is to ask the CEO to create a new "risk strategy committee." Its participants should include representatives, as suggested above in the Coopers & Lybrand GARP, from legal, finance, human resources, strategic planning, IT, compliance, internal audit, plus operating units. Within six months this team should report to the CEO and the board on the major risks facing the organization, the rewards they appear to generate, how they are being controlled, what additional control measures might be prudent, how these risks are communicated to appropriate stakeholders, and, finally, how the organization plans to respond to a risk becoming reality. As a starter, the committee should ask the participants to describe three major risks, ranging through financial/market, political/regulatory and legal, to operational.

Out of the deliberations of this committee should come a new risk policy, a structure for continuing risk assessment, responsibility for risk controls, limits on risk and its financing, and a system for periodic monitoring and reporting to the Board, senior management and other stakeholders.

Whatever approach is used, don't wait. Begin it now.

The medium of print is, indeed, almost inescapably linear - this word and then this and then this; this line after that . . ., whereas a great deal of our experience of life is decidedly not linear. We think and perceive and intuit in buzzes and flashes and gestalts; we act in a context of vertiginous simultaneity; we see and hear and smell and touch and taste often in combination, whereas print is a particularly anesthetic medium of art, the only one I know that appeals directly to none of the physical senses.

John Barth, "The State of the Art," Wilson Quarterly, Spring, 1996



Insurance Irrelevant?
Bill Kelly, J. P. Morgan's Managing Director for Risk Management, has issued a clear and challenging call to the commercial insurance industry. His speech, "Is Insurance Becoming Irrelevant?," given to a symposium at Fairleigh Dickinson University, in New Jersey, in May this year, has now been published in the August issue of Risk Management magazine. The full text can also be found at www.rims.org/ifrima.

Bill and I have sometimes disagreed about the importance of a fully integrated risk management function but we share completely his concern about the relevance of the current non-life insurance market. He recites the vast array of relatively trivial coverages now offered to financial institutions. He criticizes the relentless shrinkage of the definition of "dishonesty." Like the Cheshire Cat, the body of coverage has disappeared, leaving only its mocking grin. Kelly asks, "Are we again at a point (as in 1985-86) where insureds are deciding that traditionally available insurance products simply don't serve their overall needs?" He suggests a new "partnership" be created among insureds and insurers in which risk is treated as a systemic problem, not separately. He acknowledges the growing financial disparity between banks (the insureds) and the non-life insurance industry. For example, in 1995, total US non-life premiums were $359 billion, supported by surplus of about $230 billion. The deposits of the top ten banks in the US alone totaled $787 billion in 1997. That buyers are turning to capital markets and other risk financing options should be no surprize. 

Bill Kelly describes the growing reliance of banks on earnings derived from other than physical plant. Yet "business interruption" insurance remains concretely anchored to building insurance! Technology systems, data, political infrastructure, and reputation all affect earning capability, but insurance is unavailable to respond.

He asks: "Where should the industry be focusing its creative energies, if it is not to be wedded to the past, or consumed with redecorating old structures?" His answer: "All of the fundamental changes in financial services and corporate America suggest that a radical change in financial service insurance products is called for." He argues, like British Petroleum (see RMR "Topsy Turvy," July 1994), that insurance can be cost effective at the primary level (BP defines this as less than $10 million), but isn't this the level that larger organizations can easily and cost-effectively fund themselves? Kelly proposes a new approach to a higher level of financing, initially set at $1 billion, and now modified to $500 million excess of $100 million. I suggest that this layer may, in the future, have greater participation from capital markets than from traditional non-life insurers.

J. P. Morgan is also moving toward a new "architecture" of risk management, addressing risks holistically: market/credit, revenue volatility, expense variation, operating and capital, similar to the GARP categories. Morgan has a "corporate risk management group," focusing on financial risks, complemented by an "operating risk committee," in response to the new regulatory demand that financial institutions "identify risk laterally across the organization." Kelly argues that different risks still require different responses. I agree: separate treatment, depending on specialty and counterparty availability, but a consolidated view of all risks.

Bill Kelly does not propose answers for the insurance industry, but his questions should stimulate immediate discussion.

You could already see that their great passion in life would be normality and they would seek out the tiles roof, the small window, the locked door, the clipped hedge, the wife who never farted, lacy pillows on the marital bed.

Peter Carey, The Illywhacker, Faber & Faber, London, 1985



"Global Cooling"
I read much in the press about global warming and its effect on weather patterns. Drought, storms, and floods are supposed to be increasing, leading to horrendous financial effects. While sharing with a Canadian friend some thoughts on both global weather and the move of ice hockey teams south (my Hartford Whalers are now in Nashville, Tennessee), I received from him the following email that points to an entirely different scenario. Risk managers, take note!

I have hit upon a significant fact of geothermal physics. The recent abundance of ice hockey rinks south of the border and as far down as Florida and Texas, where there should be virtually no ice at any time, and certainly none at this time of year, has resulted in the phenomenon called "global cooling." In addition, condensation from all this ice ("hice" a la Province de Quebec) has served to plug up those holes in the ozone layer, thus intensifying the reversion to our sadly missed "old fashioned winters."

Soon we will be able to dispense with artificial hice; we will be able to play in the streets again, and if the masses return to the national pastime, we will surely run out of rubber hockey pucks. Then we will revert to the favorite missile of our youth ("ute" a la Province de Quebec), the horse ball, or pomme de rue, which is a chunk of second hand oatmeal, bound together with equine body fluids and distributed abundantly on the streets by the docile beasts that pull the dairy and bakery sleds. They are the original and perfect hockey pucks. They take a uniform bounce, they have good carry-through (momentum) and they will hold together until some insensitive player slams one into the goal post with a slap shot, at which time the pomme de rue will explode into many pieces, some of which will go into the net causing the red light to go on, and confusing the hell out of everyone present or watching on radio. The goalie will yell, "Shit!", the referee will shout, "It's a goal," and the opposing coach will scream 'Horseshit!," to which everyone will have to agree; so they will give one point to each team and face off at center ice.

Yes, my correspondent is from Ottawa, not Montreal.

Young males are really the most dangerous people on the planet, because they easily respond to authority and they want approval. They are given the rewards for getting into the hierarchical system, and they're given to believe they're building heaven on earth. In most atrocities, there's the big utopian dream - a cleaner society, or purer society. Young people are very idealistic, and the powers prey on the young people by appealing to their more idealistic nature.

Dr. Richard Millica, Director, Program in Refugee Trauma, Harvard University, as quoted by Philip Gourevitch, "After the Genocide," The New Yorker, December 18, 1995



Egregious Error
In the August issue of Risk Management Reports, I concluded with a short piece on apostrophes, written by David Warren and his Uncle Pumblechook. I introduced Uncle P. by referring to "Dickens' Great Expectations." I goofed. The possessive of "Dickens" is properly "Dickens's." It doesn't look pretty but that's the way it should be. I should have known, since I am always reminded of that rule by the address of The Economist in London: 25 St. James's Street. My thanks to the readers who promptly (and gleefully) yanked my leash on this one.

We are all at best marginalia in another era's fossil record.

James Hamilton-Patterson, The Great Deep, Henry Holt & Co., New York, 1992