22 September 2009

Published in: Risk governance

Ask the right questions about risk management

Don't get too focused on simply measuring risk, argues Mike Wilkinson

There have been many advances in risk theory in recent years, and these, in turn, have informed and propelled advances in risk modelling. All of these are important in an increasingly complex and risk-averse world, as they help us to understand better the nature of the environment within which we operate and its relationship to risks.

A key element in effective risk models is the ability to identify the drivers of risk and how these interrelate, as well as the implications of the risks actually occurring. In this, the actual selection of the risk factors (those underlying drivers of risk) is fundamental. However, the factors used in models are often proxies for other elements and based on what we can actually measure.

Take a simplistic case, where a motor insurer decided (and had evidence to show) that being a homeowner was a significant factor in reducing motor insurance losses. This could be rationalized on the basis that you might reasonably expect a homeowner to be more mature, more responsible, and take care of things better. The insurer decides to target homeowners, giving a discount and monitoring the percentage of homeowners in its portfolio as a key risk indicator. The percentage of homeowners increases as a result. Job done.

Or is it? Does the insurer continue to assess how effective homeowner status is as a factor? Do the company take account of the changing proportion of the population owning their own home? For example, the National Statistics Office recorded a 45% increase in the number of owner occupiers in the UK between 1981 and 2004. In this instance the answer is most likely "yes", but these are the questions required for all model parameters.

In reality we need to ask: Was "homeowner" status ever a real driver of risk or just something on which we had data and could measure? Have all these additional homeowners suddenly become safer drivers? And, has offering a discount lowered or increased our risk?

Once we have a factor to measure -- either internally or externally imposed -- it's all too easy to focus on the measurement, rather than what the measured factor is there for. This is as true in risk as it is in any walk of life. For instance, there have been well-publicized cases in the UK's National Health Service where performance measures were introduced, for instance, for the numbers of patients treated. The end result of this was a redefinition of "patient" and, although performance measures were achieved, it was highly questionable if efficiency or service quality had improved. So the measures were achieved but what they were trying to measure wasn't necessarily.

What does this mean for our risk models and how we use them?

Firstly, the model should reflect the business. It's not just a matter of seeing what data is available and modelling it, although that does have its place as a way of identifying risks and risk correlations. This means the model structure needs to reflect the structure of the business and be able to adapt with it. This is best achieved by the senior management sufficiently articulating the business objectives within the model, together with the main risks to those objectives, and their appetite and tolerances for those risks.

Secondly, the factors measured to identify and record risk should be realistic and relevant, and kept under review. Take former RBS chief executive Sir Fred Goodwin's revealing admission to the UK House of Commons' Treasury Committee in February this year: "Our traders held positions in what we thought to be triple-A-rated securities and they turned out to be worth five cents on the dollar." This demonstrated the failure of RBS's risk models and their practical use in that the bank (along with many other institutions) placed reliance on rating agency assessments of financial instruments, which were themselves proxies as they were often related to the rating of the institution supporting them. These were then not challenged or re-calibrated sufficiently to take account of changing circumstances.

Solvency II considers this issue and places heavy emphasis on "back-testing" and governance to establish how closely the model reflects the actual business from a practical perspective, how well it predicts what actually happens, and therefore the effectiveness of the business decision-making. A key element of this is "institutionalizing" the management "challenge".

A model needs to be understood, and acted upon, by business management. The balance between complexity and practicability has to be considered in its design. What should be included and shouldn't be? How complex does each part of the model need to be to be effective? How will the model and its output be used? The answers to these questions require both business and technical expertise working together co-operatively. This will be a challenge for many business and many technical staff. But first they will need to learn how to talk the same language -- or find someone who talks both.

The big questions are not really about risk management. They are not even really about risk. In particular, for risk-based businesses, such as insurance, they are simply about management, and management understanding. Models need to reflect and support this.

Mike Wilkinson heads the risk management consulting team at EMB.

Back to top