Risk Management Reports

December, 1997
Volume 24, No. 12

Canadian Risk Management Guideline
Canada follows Australia and New Zealand with a new "guideline" on risk management. The Australasian "Standard" (# 4360:1995 - see RMR February 1996) broke the ice and received global applause. Now the Canadian Standards Association has published CAN/CSA-Q850-97 (October 1997), "Risk Management: Guideline for Decision-Makers, A National Standard for Canada." It is more a public policy risk document than a financial or operational risk management guide, but it raises the visibility of the discipline again.

First, what are its strengths? It confirms that risk "involves three key issues:" the frequency, the consequences, and the perception of loss. I maintain that the public perception of risk is far more important than the experts' mathematical estimates of "how often" and "how much." Section is a concise and complete discussion of public perceptions: personal control; catastrophe potential; the "dread" of consequences; the distribution of risks and benefits; and the degree to which an exposure is "voluntary."

The Canadian guideline also focuses on how risk affects all stakeholders. It emphasizes the importance of communications among stakeholders in the process of seeking responses. It identifies a "risk cycle" of estimation, evaluation and control in which methods of financing are implicitly included. It recommends the creation of a "risk management team," a multidisciplinary group of internal and external experts, plus perhaps some stakeholder representatives, to address the major risk issues facing an organization. It suggests creating a "risk information library" that includes documentation of issues, scope of decisions, identification of roles and responsibilities, identification of decision-makers, details of analyses, stakeholder responses, and support documentation for decisions. This is thorough, but, as the guideline comments, "some information may be confidential to the organization." No mention is made as to how these data are to be protected from public disclosure. It also suggests "third party review" to confirm the integrity of the analysis process, if not the actual risk management decision.

Above all, the guideline is concise: 46 pages of text.

Its weaknesses? The term, unfortunately, remains too narrowly defined: "the chance of injury or loss as defined as a measure of the probability and severity of an adverse effect to health, property, the environment, or other things of value." Too limited and too verbose! Risk is simply "deviation from the expected." It has both positive and negative faces, like Janus, suggesting opportunity and harm. This point is tacitly acknowledged in the guideline in a discussion of the term ALARA - As Low As Reasonably Achievable: "risk is acceptable only if a compensating benefit is available." The definition of risk management is equally pedantic: "the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and communicating about risk issues." In other words, "risk management is the management of risk!" We can do better than that. My wording: "a discipline for living with uncertainty."

Another flaw: apparently the Technical Committee that prepared this guideline never reviewed the Australasian Standard, since it isn't mentioned in the bibliography. Neither the Dey Report (Canada) nor the Cadbury Report (United Kingdom) are noted and "financial risk" is curiously omitted. The definition of stakeholders overlooks two critical groups: customers and suppliers!

While this new Canadian guideline is a contribution to the development of the discipline, it remains too narrow, a public policy document rather than a complete overview of risk management, including financial and operational aspects. For a copy, at C$38 each, contact Canadian Standards Association, 178 Rexdale Boulevard, Etobicoke, Ontario M9W 1R3, Canada. Telephone: 416-747-4000. Fax: 416-747-2475.

The concept of risk is a peculiarly modern one; in the Middle Ages, for instance, one simply believed that things "happened" according to the providence of God or nature. Modernity, in contrast, is characterized by the omnipresence of "manufactured risk," man-made hazards that are the result of what man has done to nature, rather than what nature does to man. The Frankenstein monsters of pollution, overcrowding, global warming and techno-ennui - our creations, not nature's - are out of control.

Living in a world of manufactured risk makes us extremely self-conscious; life becomes a series of complex calculations in which we "establish a portfolio of risk assessment" as we try to construct a viable identity.

Robert S. Boynton, writing about the ideas of Anthony Gliddens, of the London School of Economics, in "Letter from London - The Two Tonys"
The New Yorker, October 6, 1997

Bernstein Speaks
The Class of 1940 at Harvard University produced two great Bernsteins: Leonard for music and Peter for risk management. I've already commented on Peter's article in Harvard Business Review ("The New Religion of Risk Management," HBR, March-April 1996) and his eminently readable Against the Gods: the Remarkable Story of Risk. He is as challenging on the podium as he is in print. I heard him address a Swiss Re New Markets Financial Forum in Boston on October 20. Some nuggets: (1) "History teaches us that the probability of surprise is high." (2) "Risk management tools are becoming so sophisticated that they create new risks." (3) "Today the world economy is less risky than it was ten years ago." (4) "Government is on the defensive. It is itself a source of uncertainty." (5) "The only game in town to regulate macro-risk, system risk, is the central bank."

Peter very kindly sent me some past copies of his biweekly newsletter, Economics and Portfolio Strategy, available for $1,600 annually (Peter L. Bernstein, Inc., 575 Madison Avenue, Suite 1006, New York, NY 10021; Tel: 212-421-8385; Fax: 212-421-8537). It is filled with perceptive comments on the global financial scene:

o "The ultimate question that faces all of us, as citizens as well as investors, is whether all this good news is stable.

Everything that I have ever learned has taught me that solutions create problems. The Law of Unintended Consequences can tell us a lot more about the future than we can learn from the Law of Large Numbers and other laws of that ilk." June 1, 1997)

o "I believe that a crisis is most likely to develop from a failure in the complex interaction of checks and balances that now holds everything so neatly in place. These checks and balances are motivated by a residual sense of risk throughout the world economy - a stubborn refusal by some players to believe that uncertainty is dead. . . . Fat tails always lurk in the distributions of possible outcomes." (June 1, 1997)

o ". . . our failure to appreciate variety is the primary reason why we are constantly afflicted by surprise at major turning points. . . . The sum and substance of risk management is in the recognition of variety. Losses stem, not from average results, but from deviations from the average or norm, from the outliers at the far reaches of the tails, and from the outcomes never imagined. . . . The trick in risk management, perhaps, is in recognizing that normal is not a state of nature but a state of transition, and trend is not destiny. . . ." (Sept. 1, 1997)

I'm looking forward to Peter's next book!

The striking thing about the biz (philosophy ) is that despite the wielding of rationality, the brouhaha over proof, the bravado of the nous, you can't turn in the history of philosophy without tripping over mysticism, spectre-spectaculars and the bleatings for celestial authorities to sort out our riddle-riddled universe.

Tibor Fischer, The Thought Gang,
Scribner, New York, 1994

Small Businesses
Is the discipline of risk management as applicable to small as to large businesses and organizations? Yes. The problem is translating the processes of risk management into the language of small business leaders and convincing them to use its tools.

The principles are the same: consider all the risks that affect the company; do what is prudent to control them; and finance those that you can't afford through a combination of reserves, credit and insurance. Above all, remain flexible. Flexibility is one of the greatest strengths of a small business.

The question of how to persuade small business leaders to adopt risk management was raised in November by one of my readers, Marv Walden, who runs a risk management consultancy in Hilo, Hawaii. He wrote, "Smaller companies (defined as from five to three hundred employees, and annual sales from $50,000 to $5,000,000) either lack or think they lack knowledge about risk management or have not been exposed to its ideas." Too often, according to Marv, the sole source for risk management advice is the insurance agent or broker, whose understanding is limited and who is primarily interested in selling insurance. The small business leader often is too busy running the business and takes the easy course of buying suggested insurance and not thinking comprehensively about risk.

Marv Walden suggested that a simplified approach to risk management principles and practices could help these smaller organizations. I agree. It begins with each small company describing the four or five "major" risks that could affect its operations. What are they (using scenarios to paint pictures)?

What contingency plan will respond to them? Where can the company obtain funds for adverse events?

Some of the problems include the increasing weight of government local, state, Federal) regulations and their costs (ADA, ERISA, OSHA, etc.), changing responsibilities to employees (employment practices iability), increasing crime in the workplace, and a growing dependence on information technology. Each of these risks involves the potential for both opportunity and harm. Some are not treatable by insurance.

Some possible solutions: more "pooling" of risks with comparable organizations (risk retention groups; purchasing groups; association-sponsored plans), longer term partnerships with support organizations (insurers, banks, accountants, etc.), increased retention levels as owners become more comfortable with their own assessments, and use of the Internet for both the receiving and sending of practical information on exposures and responses.

Delivering practical help to smaller businesses is a challenge. One recent step in the right direction is the publication by the Nonprofit Risk Management Center in Washington of "Mission Accomplished," a simplified guide to risk management, complete with a "do-it-yourself" workbook, for smaller nonprofit organizations. The basic ideas are equally compatible for small businesses. Will an electronic version for the private sector be prepared next year?

For copies of this manual and workbook, write to the Nonprofit Risk Management Center, 1001 Connecticut Avenue, NW, Suite 900, Washington, DC 20036. Telephone: 202-785-3891 Email: npriskmgmt@aol.com

. . . it is part of our fate never to see our destiny as a whole or discern the archetypal forces that shape our lives.

Robertson Davies, The Merry Heart,
Viking, New York, 1997

Too Much Information
During October and November, too many of us followed the upheavals in the global stock markets not day by day, but hour by hour and even minute by minute. Perhaps too much information, received too fast, led to excessive reaction. The onslaught of new data drive us to take more action, however irrational.

That action, multiplied by the responses of others, creates a frenzy that is unnatural and unnecessary. We don't need to respond to every blip in the system simply because we are told about it.

Sit by the ocean for a few quiet hours and watch the ebb and flow of the tide. The murmurs of the water in the sand. The pipers and gulls searching for dinner. Change is constant. Cyclicality is natural. Don't panic when the tide begins to rise or the market begins to fall. Recognizing this cyclicality and adjusting our lives to it may be the best lesson that the ocean can give.

I have always found the sea, in whatever mood it was in, good and sufficient company.

Alex Guinness, My Name Escapes Me,
Viking, New York, 1997

Tempus Fugit
"Another cherished long-standing practice, the payment of commissions by insurers and reinsurers to brokers who do not charge their clients, is under scrutiny. In an interview with Aon Benefits, a new Aon Group company set up in Singapore, the idea that brokers should charge fees and not accept commissions, like in the case of lawyers and accountants, was raised." Editorial in Asia Insurance Review, September 1997

"The risk manager requires a variety of services in performing his function, many of which have little direct connection to insurance. He should purchase only those outside services that are essential and effective. There is no reason why he should continue to be forced to buy a 'package' of services, some needed and some not, given the argument that there is no alternative to the broker/agent 'commission' system. There is an alternative. Risk managers can insist on paying a fee to brokers and agents. They can insist on an annual accounting of time to support that fee.

A fee related to premium is nothing more than a commission in disguise. This is hardly a denial of the need for a qualified broker. If he is, as he purports to be, a professional, he should be paid as one. Fortunately, most brokerage houses are now willing to discuss a fee on a rational basis and we see little of the hypersensitivity that characterized the discussion of fees vs. commissions several years ago." Felix Kloman, "The Revolt of the Risk Manager," Best's Review, October 1971

It has taken a sound idea 26 years to reach the shores of Asia!

If the broker wishes to be judged on a professional basis, he should charge on a professional basis. In the last analysis, however, the manner of remuneration is secondary to the mutual confidence and respect of the parties and the acceptability of the services provided.

If the broker wishes to be judged on a professional basis, he should charge on a professional basis. In the last analysis, however, the manner of remuneration is secondary to the mutual confidence and respect of the parties and the acceptability of the services provided.

H. F. Kloman, "The Care and Feeding of Agents and Brokers,"

Risk Management Reports, Vol. 1, No. 2, March-April 1974

"Risk," John Adams
1997 is the year of the oasis for me. I've crawled for years through the parched sands of risk management writing, seeking the refreshing waters of coherent prose and a holistic view of risk. For years, nothing, and now, within six months I've read two books that have revived my faith in the search. The first, of course, is Peter Bernstein's Against the Gods (see my earlier note). The second is Risk, written by John Adams, a reader in geography at University College, London, and published by the University College London Press in 1995.

His is a skeptic's view of risk. He believes that it is difficult to "manage" and perhaps impossible to "measure." He finds that we waste enormous sums tilting at the wrong risks or taking control actions for the wrong reasons. Adams begins with the thesis that risk is culturally constructed. Our perceptions of risks are guided more by "assumption, inference and belief" than by "deterministic rationality", no matter how much we believe the experts can measure risk for us. Risks, and our perceptions of them, "are constantly being transformed by our effect on the world, and its effect on us." He goes on, "Prediction becomes even more difficult when people are introduced to such (complex natural) systems, because people respond to predictions, thereby altering the predicted outcome." The example of Heisenberg's Uncertainty Principle and our knowledge of quantum mechanics support this view. The "Beijing Butterfly" analogy (the beat of a butterfly's wing in China sets forth a sequence of weather that leads to a hurricane in Florida) and recent chaos theory also expand our understanding of the elusiveness of risk measurement. Adams believes the delineation of "objective" and "subjective" risk doesn't work in the real world: "all risks are conditional."

He suggests, as a working model, a "risk thermostat" that shows an individual's or organization's "propensity to take risks" for "rewards," balanced by "perceived dangers" and possible resulting "accidents." Here again are the essential elements of "reward" and "harm" in risk and the need to achieve "balance," not elimination. Adams tries to explain the varying responses to risk using four general personality types: "fatalist," "hierarchist," "individualist," and "egalitarian." While he grants that this may be an over-simplification, it helps develop his point that risk is "culturally constructed." We must understand the cultural viewpoints of individuals and organizations before we build any rational response to risk.

Adams is critical of the application of risk management, particularly in how developed societies approach road safety issues. He argues that, instinctively, individuals compensate for risk reduction measures by modifying their behavior to increase risk to their earlier comfort levels. "Those who consider human error to be the sole or principal cause of accidents advocate safety measures that reduce the likelihood of nasty surprises by signposting dangers, by improving coping skills, or by creating 'failsafe' or 'foolproof' environments. But this approach is one-sided. It ignores the positive reasons that people have for taking risks - the rewards of risk." I see this on Interstate 95 here in Connecticut: fifteen years ago the average speed here was about 55 miles per hour. Today with general use of seat belts, air bags and demonstrably safer cars, the average speed in over 70 m.p.h.

Drivers have compensated for the safer environment with riskier behavior!

Adams attacks the problem of measuring risk. He challenges the "unreliability of the historic accident record" and the "absence of an agreed scale for measuring the magnitude of adverse events." "Death," he says, "is the least ambiguous of all the measures of accidental loss." This carries over to the monetizing of risk: the difficulty of including "intrinsic values" with "economic values." The problems that he outlines then lead him to see serious difficulties with the current rush to "cost-benefit" analyses.

Even with his debunking the value of seat belts in automobiles and the greenhouse effect as a contributor to global warming, Adams still rises above his own critique in a celebration of the role that "risk" plays for us. It remains an indispensable part of life. Living with risk leads him to conclude with twelve "modest suggestions" for its management:

"(1) Remember, everyone else is seeking to manage risk too.

(2) They are all guessing; if they knew for certain, they would not be dealing with risk.

(3) Their guesses are strongly influenced by their beliefs.

(4) Their behaviour is strongly influenced by their guesses, and tends to reinforce their beliefs.

(5) It is the behaviour of others, and the behaviour of nature, that constitute your risk environment.

(6) Safety interventions that do not alter people's propensity to take risks will be frustrated by responses that re-establish the level of risk with which people were originally content.

(7) In the absence of reductions in people's propensity to take risks, safety interventions will redistribute the burden of risk, not reduce it.

(8) Potential safety benefits tend to get consumed as performance benefits.

(9) For the foreseeable future, nature will retain most of her secrets, and science will continue to invent new risks.

(10) Human behaviour will always be unpredictable because it will always be responsive to human behaviour - including your behaviour.

(11) It will never be possible to capture "objective risk," however powerful your computer, because the computer's predictions will be used to guide behaviour intended to influence that which is predicted.

(12) In the dance of the risk thermostats, the music never stops."

Risk is now one of the essential documents for a manager's bookshelf.

Everyone is a true risk expert in the original sense of the word; we have all been trained by practice and experience in the management of risk.

John Adams, Risk
University College London Press, London, 1995