Risk Management Reports

April, 1997
Volume 24, No. 4

Intervention is an expressive word, especially when spoken with a Swiss-German accent. It then becomes "inter-wention" and means that you are being asked to present your iconoclastic views to a group of non-believers. I made my first "inter-wention" to a security conference in St. Gallen, Switzerland in 1977, at the request of Dr. Matthias Haller, then director of the Institute of Insurance Economics at the University of St. Gallen. I've returned to Europe for many similar presentations. After all of these Swiss and German sessions I received the accolade of knuckles rapping wood, their form of applause.

Intervention has two primary meanings, positive and negative. The favorable one suggests mediation or intercession between two opposing points of view. When that fails, intervention becomes interference and intrusion, resented by all parties. A successful intervention requires acknowledgement of the strengths of respective positions, a cautious disclosure of some weaknesses, and a possible solution born of synthesis. Intervention is diplomacy married to direction.

This word reappeared not because of another call from Dr. Haller but because of a challenging short piece by John Barth, in The New York Times Magazine, on March 9, 1997, entitled "Inventing a Few More Tomorrows." Barth wrote, "But one's calling is intervention, not confession." My calling in this publication is intervention. The path is not smooth. I often stumble, but I hope to intervene and suggest alternatives not previously considered. Avoiding pitfalls isn't easy. Some pitfalls are generalities: The Economist unloaded on President Clinton's 1997 state-of-the-union speech, saying that "he descended to the occasion, peddling treacly generalities." I occasionally must plead guilty to sentimentality, a product of advancing age. Another pitfall: while experience brings perspective, retirement distances an observer from day-to-day action, and I find appropriate may be impractical for troops in the field. As Salman Rushdie wrote in Midnight's Children, " . . . above all things, I fear absurdity."

So treat my interventions with both deference and skepticism!

Today was a difficult day. Tomorrow will be better.

Kevin Henkes, Lilly's Purple Plastic Purse
Greenwillow Books, New York, 1996
(Read his books if you have children or grandchildren between four and eight.)

Integrating Risk Management

The idea of an integrated, holistic or strategic risk management function within an organization is one that I continue to advance. Two readers, while agreeing with my thesis, complained of the difficulties of moving in this direction. First, they have little spare time, most of it being absorbed by current duties (managing financial risk; assuring that regulations are met; constructing and renewing financing programs). Second, traditional fiefdoms take umbrage at presumed invasions of their territory. Specialists want us to believe that their knowledge is so arcane that, without years of training, we could not understand it.

Finding ways of reducing time spent on conventional tasks frees hours to help lead a new function. Working within internal task teams helps alleviate the turf problem.

The real difficulty comes when we are asked to define individual risks. Risk itself is hardly a singularity, yet risks are seldom as discrete as we might like. Michael Rubenstein, of American Express, best describes it when he calls the mixture of risks "mush." Every risk tends to slop over into others, creating a soggy oatmeal, defying differentiation. An exlosion in a plant can involve property loss, income interruption, employee injury, liability to outsiders, regulatory investigation and even deterioration of a credit rating. That's why insurance, one risk financing tool that tries to pigeon-hole risks separately, has such a difficult time. Just when an underwriter believes that he or she has nailed down a risk in contractual language, a new modification pops up, creating knee-jerk reactions of new exclusions or new policies with separate premiums. Treasurers tell us that hedges apply only to financial risks, but why can't they be used for others as well? What we need is a composite view of risk and its consequences. As Charles Handy writes, "The whole is nearly always both greater than, and different from, the sum of its parts." (see "The Sixth Need of Business," in Focus, Zurich Insurance Company, No. 20, Winter 1997).

Some practitioners are trying to construct a new holistic econometric model of the four major types of risk: financial/market, regulatory/political, legal liability majortypes of risk: major types of risk: financial/market, regulatory/political, legal liability and operational.

I wish them luck but doubt that we can easily generate a single financial number to describe the relationship of all risks to an organization's equity. The "mush" is too sloppy and risks change too rapidly.

If we need to address risks in an integrated fashion and no single "model" is available to translate the effects of these risks, how do we proceed? Again, Mike Rubenstein suggests an possible approach. Start with people rather than econometric models. He believes that it is better first to raise the level of risk awareness in employees, then work toward the more difficult mathematical model.

One way of increasing risk awareness is to enlist employee teams, like those used for quality circles, to describe possible exposures, suggest prudent responses, and accept risk ownership. This is Dr. Vernon Grose's approach, described in his classic text Managing Risk: Systematic Loss Prevention for Executives. It is also used by Barclays Bank (see following article). Each team prepares brief written "scenarios" for the most important risks within its operational area, drafts responses and possible costs, and relays these scenarios to a senior management "risk jury" that integrates them within the organization's strategy. The jury then allocates resources to manage and balance these risks. Implicit in this approach is the encouragement of these employees to see not only the harm but also the opportunity inherent in each risk. Fear can be replaced by confidence and an otherwise negative situation can be turned into a positive opportunity for a company. The entire effort becomes a corporate contingency plan. Building risk awareness assures that employees continuously think about changing risk parameters, something that is impossible for senior management, even as the higher team constructs broad-based defenses against catastrophe.

Integrating risk management begins with clear definitions of the basic risks facing every unit of an organization. It demands that each employee take some responsibility for assessing and responding to these risks. It builds a flexible financial plan to assure corporate continuity. We need an "new language of risk" and more sophiticated models, but these are secondary steps.

We should care for each other more than we care for ideas, or else we will end up killing each other. Am I not right?

Louis de Bernieres, Corelli's Mandolin
Vintage International, New York, 1995

Risk Management at Barclays Bank
"Risk managers are fitness trainers, as compared to auditors, who are diagnostic physicians." This is the medical analogy of Dr. Paul Dorey, the Group Operational Risk Director of London's Barclays Bank. Risk managers match the various forms of risks affecting an organization to their potential rewards, and prepare managers practically and emotionally to organize their risk positions. Auditors advise us when something could go wrong and suggest remedies after identifying the symptoms. In a wide-ranging interview in London in January, Dr. Dorey described to me the risk management function at his bank and how it has become more integrated.

At the top, a Group Risk Policy Committee, led by the Deputy Chairman, oversees the assessment and management of four critical risk areas: credit, market, business and operational. Reports on each area go to the Board at least twice a year. Audit remains a separate and independent function from risk management, even though the two are complimentary and work together. The corporate risk management "team" includes representatives from bank operations, statistics, data modeling, financial controls, audit, insurance, information technology security, strategy and quality control.

Coordinating an integrated risk management function requires considerable effort and diplomacy, especially when faced with traditional departments, often rigid in their resistance to change. Barclays operates in 71 countries with assets of L187 billion. It transmits L80 billion a day in electronic payments. The Bank's risks are enormous and it recognizes that a coordinated approach to their management is necessary to match risk and reward and to assure long-term business continuity. Dorey's area - operational risk - includes such events as data input errors, documentation errors, fraud and disasters.

The first major challenge, according to Paul Dorey, is to break down the barriers of traditional management approaches. Figure One shows the nature of this problem: the loose and unassembled pieces of a jigsaw puzzle.

The goal is to interlock these pieces into a linked mechanism, using information to create a common risk view and an appreciation of interdependencies so that the organization can make better decisions on controls and financing.

The second Bank challenge is to develop a common understanding of risk, making risk awareness second nature to all employees. Paul's team is working on a new data model for risk incorporating incidence and exposure, so that business units have their own risk ranking profiles. Different risks now employ different gauges. Melding these requires a review of risk correlations and their behavior, understanding intuitive versus quantitative rankings, and tackling the difficulty of diverse risk perceptions. Scenario analyses performed by each business unit help define and alter these perceptions of likelihood and effect . For example, a Catastrophe Risk Subcommittee meets periodically to define potential crisis situations and assigns to an "owner" responsibility for developing response plans. All this work at Barclays involves an understanding of processes, controls and inherent risks, including their critical "causes" and "effects." This leads to effective accountability for risks, and, beyond that, to new and innovative solutions.

A third special challenge is that of information security in electronic commerce. Paul Dorey sees the solution coming from an understanding of key subject areas, such as, (1) the security of the environment of each trading counterparty, (2) new standards for electronic interchange security and risk management, and (3) the creation of legal precedent for the respective liability of counterparties. Potential solutions, such as the British Information Security Standard BS7799, and the experience of closed mechanisms, such as SWIFT and similar financial networks, are under review.

Barclays uses benchmarking to review continually its own progress in overall risk management, not only to other global financial concerns, but also to other industries with many new management dependencies, such as aerospace, oil, and nuclear.

The goal at Barclays, according to Paul Dorey, is a "total risk management ethos" of balancing risk and reward, an ethos that will permeate the entire organization.

It is easier to stay up late working for hours than to take one-tenth the time to inquire into the question whether the work is worth performing.

William F. Buckley, Jr., "A Journal"
The New Yorker, January 31, 1983

The Mumpsimus Survey
Yet another Cost of Risk Survey has come off the presses, with trade journals dutifully mouthing the releases from the Risk & Insurance Management Society and Tillinghast-Towers Perrin, the survey's sponsors. "Cost of Risk is down" says the study, yet this is a guess, not a statistically provable assertion. Since the participants in each year's survey vary, there is no way to draw any substantive conclusion from the data. In addition, with only 720 organizations providing information, the addition or deletion of as few as ten large companies could easily distort the numbers. This survey should not be used, as advertised, to "measure the cost of risk over time" or "benchmark cost of risk against costs in peer organizations." The survey charts twenty-six industry groups, with costs varying wildly from as high as $3.66 per hundred dollars of revenues (for transportation services) to as low as 3.9 cents per hundred (for banks and S&Ls). One large company reporting or not reporting in a year can distort these ratios, making them unreliable for comparisons.

Do these survey data actually show the overall cost of risk and uncertainty? The questionnaire asks for information on property, liability and workers' compensation insurance premiums, self-insured losses, and administrative costs. Nothing is included for the costs of risk control that can exceed all of these costs. Nothing is included for the costs of "non-insurable" risks such as currency hedges, interest rate swaps, and regulatory responses. Are the costs of general counsel, auditors, and environmental, health and safety staff included in administration?

No. Even within a single industry group, such as "mining and energy" there are too many obvious radical differences in costs for exploration companies, retail companies and gas transmission companies to permit valid comparisons.

I repeat (see RMR for October and December 1995) that I admire the diligence and tenacity of those who continue to produce this survey I wish, however, they would apply these skills to amassing data that are more constructive. Remember the monk from whom the word "mumpsimus" is derived: when admonished for using a Latin word incorrectly in a church service, he continued to use the wrong word, simply because he did not want to change. "Mumpsimus" is the perpetuation of the incorrect "out of habit or obstinacy."

Cost of risk is a great slimy eel. It defies easy definition. Insurance managers initially wanted to be measured by more than the errant vagaries of the insurance marketplace. They adopted Doug Barlow's definition, but the survey has been stretched far beyond its real value. Individual organizations can and should construct their own definitions of "cost of risk" and calculate their own ratios from year to year. This is a valuable exercise. But don't try to compare them to others whose definitions are radically different. And don't try to pretend that adding together insurance premiums and self-insured costs really describes all of the risk costs facing an organization.

What did you do in school today, believe or think?

Ralph Nader, quoting his father's question to him when he returned from school; in a presentation to the Princeton University Class of 1955 Dinner, February 4, 1983

Risk Management Roundtable
Insurance agents and brokers can be positive catalysts for good risk management practices. I saw one example in action. The Fred C. Church Agency, with offices in Lowell, MA and Portsmouth, NH, has numerous educational institution clients. It sponsors a quarterly roundtable luncheon discussion for a number of independent schools and colleges, contributing the venue and external discussion leaders to address topics selected by the participants. Recent subjects and leaders included employment practices liability (a local lawyer), educational legal liability (a senior insurance company executive) and using "cost of risk" as an internal measurement tool (I was the facilitator). A buffet sandwich lunch preceded a lively two hour discussion that led the schools to agree to share some risk information, just as they share financial information.

These roundtables are hardly new ideas. Treasury groups and Risk & Insurance Management Society chapters provide similar outlets, although a smaller, more intimate group of individuals from the same "industry" can result in greater candor and the opportunity to discuss practical solutions confidentially. In these roundtables the broker becomes more risk management advisor than insurance seller, and this enhances credibility.

By the way, the chocolate chip cookies were superb. I hope to be invited back again.

Conversation . . . . its enemies are rhetoric, disputation, jargon and private languages, or despair at not being listened to and not being understood . . . . Only when people learn to converse will they begin to be equal.

Theodore Zeldin, An Intimate History of Humanity
Harper Collins, New York, 1994