Risk Management Reports

July, 1997
Volume 24, No. 7

YMCA Risk Consultants
Ten years ago the YMCAs in the United States faced a crisis in the cost and availability of insurance. They responded by forming a group captive insurance company, Y-Mutual, in Bermuda, to serve as the reinsurance backup for their primary insurer licensed in the US. Y-Mutual has almost tripled in size from its initial 130 members, who contributed $6.2 million in initial equity and $23 million in premiums. The equity of today's 342 members is $13.4 million, after $6.6 million in returns and dividends, and premiums are just under $18 million, a dramatic drop in average premiums per Y. The results are excellent.

One reason for this success is the requirement of a detailed "risk consultation" for each new member of the program and a periodic review thereafter for all participants. Shortly after the program started, the YMCA of the USA created YMCA Services Corporation to provide domestic services. First headquartered in Dallas, Texas, under the leadership of Jack Davis, a retired local YMCA executive and Darwin Haines, from the Chicago headquarters staff, Y-Services operates now from Chicago. It provides information and consultation on risk management, safety education and insurance to all interested Ys, not only those enrolled in the insurance program. The keystone to its consultation service is a group of 17 "risk consultants" who travel each year throughout the country carrying out the one day reviews with local Ys.

The ingenuity behind this idea is selecting as "consultants" retired YMCA executives, each of whom thoroughly understands the problems faced by local executives and brings years of common sense expertise to risk management and insurance situations. The consultants are selected for their YMCA experience and communications skills and spend their first year in training, traveling with another consultant. They receive travel expenses plus a per-location stipend of $500 to cover hotel, meals and reports. Spouses are encouraged to join consultants on the road trips, which are generally scheduled in the warmer climes during the winter for those living in the north, and vice versa in the summer.

Their reports are sent, often with photographs, to YMCA Services in Chicago, which delivers them to the local Ys within 45 days. Chicago then follows up on key suggestions and recommendations.

The driving force behind these reviews is the credibility of the consultant. Jim Tompkins, from Harwichport, Massachusetts, spent 40 years with the YMCA, his last position as Vice President for Corporate Affairs in the YMCA of Greater New York, responsible for insurance and claims. He also traveled widely, doing "field work" with Ys all over the US. His goal: "to help the Y address risk management problems, not tell it what to do." He approaches his work not as an auditor, but as a resource offering practical experiential solutions that are YMCA-oriented.

This spring, Tompkins visited some newly enrolled YMCAs in Kansas and Missouri. He commented: "It was like looking back ten years, seeing problems that other Ys in the program have already addressed and solved. That's the value we bring." He concluded, "You can tell what will happen by the attitude of the chief executive: if he or she is interested in risk management, results will occur."

The YMCA idea of enlisting retired YMCA executives to serve as risk consultants has drawn high ratings from the Ys themselves (92% called their consultations "valuable" or "very valuable" in a survey last year). Arguably it is a major reason for the continued financial success of the group captive reinsurer.

According to Glenda Short, Y Services' Director, Risk Management Services, this year the YMCA risk consultants will file reports on 160 visits, in a continuing effort to increase risk awareness and to stimulate prudent risk responses, The payoff? Probably higher dividends and lower insurance costs.

. . . YMCAs are showing increased interest and attention to measurable risk management procedures . . . (and) a heightened sensitivity to implement higher standards and assure proper levels of supervision in aquatic and child care areas. . . . Risk Management is becoming a recognized practice for many YMCAs.

Marv Reinke, President, YMCA Services Corporation, in
Risks, Reminders, Rumors & Results
November 1996

Chief Risk Officer?
Is it time for a new corporate position, the Chief Risk Officer?

 I raised this question in the late 1970s in Chicago with a CEO during a risk management audit. When I explained what I meant by all the facets of risk, the CEO replied, "I am the Chief Risk Officer!" He was right: every final risk decision came to his desk. Yet today, with our growing understanding of the uncertainties facing an organization and with more highly specialized tools available, relying on the CEO as the Chief Risk Officer may not be prudent.

New mandates for corporate governance (Cadbury and Dey Reports) call for confirmation to the Board that management has identified all material risks and taken appropriate response. New laws, especially in the US, require disclosure of risks to selected stakeholders: the chemicals used by certain facilities, warning and evacuation procedures for those living near a nuclear generating plant, and information to consumers, such as informed consent agreements for medical patients and warning labels on products.

The problem is that fragmentation inevitably occurs. Some risk specialists report to finance, some to human resources, and others to legal, administration or quality control. Asking the CEO to act as the overseer and coordinator for these disparate activities stretches the span on control to the breaking point.

Yet employees farther down the line of command, who see the need for integration and begin to act on it, risk challenges from those on whose sacred turf they tread! Rich Inserra, the assistant treasurer - risk management, for Danbury, Connecticut-based Union Carbide Corp., suggests a cautious approach: "It's important that you leverage yourself throughout the organization.

And if people see you driving a more consistent approach to risks, one that transcends all different types of risks, it will lead to what we are talking about today, the chief risk officer position." (Business Insurance, April 28, 1997, p. 12)

Risk managers with insurance expertise are inevitably type-cast. They find it difficult to persuade others that they are capable of understanding and directing a strategic risk management function that incorporates all risks. In financial institutions, credit, market and currency risks carry higher priorities and their specialists lead the risk management functions (see the following article on Operational Risk Management). In medical institutions, quality assurance is the major concern. In pharmaceuticals, product liability and legal problems are the controlling issues. Insurance is seldom the dominant factor.

I continue to believe that we need a strategic overview of all risks, led by a senior executive with the credibility and communication skills to coordinate the specialties. The obvious and major risks should not obscure others of equal importance. The risk management function does not belong in finance, or in legal, administration or human resources. It should connect with strategic planning and have direct access to the CEO, with a dotted line relationship to the Board. It should be independent. At Nat West in the US, risk management was part of the Office of the Chief Executive. At Royal Bank Financial Group (see RMR, December 1997), the Executive Vice President, Risk Management, reports to the CEO. Risk management is slowly and cautiously tending this way, led by financial institutions.

I suspect that the next century will see the position of "chief risk officer" firmly in place.

Most of what matters in your life takes place in your absence.

Salman Rushdie, Midnight's Children
Penguin Books
New York, 1980

Operational Risk Management
"What is the worst thing that could happen to our business . . and the worst time it could happen?" That's how Douglas Hoffman, Managing Director, Bankers Trust, challenges his managers to respond to the uncertainties of economic life. He discussed his approach at a seminar on Operational Risk Management, sponsored by ICM (International Communications for Management) in New York City on May 19-20, 1997. This session, chaired by Paul Dorey of Barclays Bank (see RMR, April 1997) and George Morris of Oliver, Wyman & Company, aimed primarily at financial institutions and their management and measurement of operational risk (in contrast to market or credit risk) for efficient capital allocation. The presentations and discussions were broad and sophisticated, and gave evidence that financial institutions are the leaders in addressing and measuring all forms of risk on a more integrated basis. They allocate capital to various operating businesses to reflect risk and adjust their prices to compensate for risk/equity relationships. For these reasons, similar seminars in which financial institutions play a major role are the most useful in helping to plot a new course for risk management.

I make four comments on this session, relating to definition, the focus of the speakers, how they anticipate "blow-out" events, and how operational risk management is both measured and managed.

Definitions For a few speakers, "operating" risks encompass all financial institution operations, including credit and market areas. Most, however, employed an operational risk definition similar to that used by the Basle Committee on Banking Supervision: " . . . the risk the deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures and inadequate procedures and controls." Barclays Bank, for example, separates "operating risk" from "credit" and "market" risk, and breaks it into two pieces: Business Risk (fall in demand; price war; cost increase; etc.) and Operational Risk (data input error; fraud; documentation error; disaster; etc.). Oliver, Wyman & Company uses the terms "event risk" (system failure; errors and omissions; fraud; litigation; settlement failure) and "business risk" (price, volume and cost variances). Stephen Ellis of ABN AMRO Bank, in Canada, defines operational risk as "the risk of financial loss due to inadequate systems controls, human error or managerial oversight."

The Bankers Trust definition is similar. Hoffman describes four types of risk facing the bank: market, credit, funding/liquidity and "business operational." The latter involves control failures or external events related to customer relationships, people/human capital, physical assets, technology and other external/regulatory events. Compared to the disparity of definitions used only five years ago, the consistency among those offered at this seminar convinces me of a growing consensus.

Focus The majority of speakers argued that adoption of sound risk management would produce tangible benefits for shareholders. "Shareholder value" was the mantra of the day. I have reservations about the narrowness of this focus (see "Reporting on Risk Management," in RMR June, 1997). I suggest that organizations consider the risk effects on all stakeholders, including shareholders, customers, employees, suppliers, lenders, regulators, and the communities in which they operate. All have legitimate interests, and even "investments," in an organization. All should be recipients of varying degrees of information on risks and responses. It's too easy to measure "value" only in terms of invested capital and to disregard the less tangible interests of other stakeholders. The market is only one determinant of value.

Blow-Out Event The quantitative types seem overly enamored of their econometric models and numbers. They spoke glowingly of their reliance on risk estimates to the "99th percentile." Perhaps Yankee ingenuity can cover the outlying one percent, but it's that "blow-out event" that completely scuttles the ship! The speakers never thoroughly addressed how to predict, measure, build prudent defenses, allocate capital and adjust prices for the "remote catastrophe." Can we conceive of such an event, a once in one hundred year occurrence? Do shareholders want management to adopt a financial plan for a "blow-out event? While the "stock market" response may be "no," other stakeholders may have different ideas.

Measurement The over-reliance on numerology and modelling obscures the realization that many risks are not susceptible to ready quantification. They are messy. They overlap and interact. Some correlate to others; some do not. They constantly change in light of daily events. To attempt to measure operational risk solely by measuring the "volatility of operating costs," as one speaker suggested, is too narrow. We were engulfed in acronyms such as VAR (Value at Risk), EVA (Estimated Value Added) and RAROC (Risk Adjusted Return on Capital), all of which have some utility but are becoming a secular jargon for the cognoscenti. What, for example, is meant by "the granularity of measurement?" I applaud those trying to develop new quantitative measures for risk but I don't think we should place excessive reliance on them. Stephen Ellis slyly suggested that "there is hardware, software and vaporware." Mark Rodriguez, of London's American Management Systems, was blunter: "The most valid thing in a balance sheet is the date." We need greater simplicity and acknowledgment of the importance of qualitative estimates to advance the cause of risk management.

Management The consensus is that risk management, in leading financial institutions, is addressed on an integrated basis and receives the attention of senior management and their Boards. There is no better guide for risk managers than the 1996 Annual Report of Bankers Trust. The bank proclaims that "we redefined contemporary risk management in the 1980s, and we draw upon that depth of experience and of skills today to identify, assess, and take effective action on all types of risk - credit, liquidity, currency, interest rate, equity, and operating." True! The Report goes on to state that "we define any risk management problem as improving the balance of risk and return in the client's enterprise." That's been my view for some time. It's also the thesis of retired chairman Charles Sanford: balance risk, don't avoid it. Bankers Trust now offers risk management advisory services to its customers and believes that "risk management is a growth industry." The 1996 Report details various forms of risk facing the bank and the application of RAROC, which Bankers Trust pioneered. But its most significant statement defines the importance of risk management to the Bank:

"Risk Management is a core competency from which the Corporation derives many of its competitive advantages. The ability to measure and manage risk is a prime concern in all the Corporation's business decisions, and sensitivity to risk management innovations and issues is an integral part of its culture. Four overarching principles guide the Corporation's management of risk:

  • a firm-wide commitment to effective risk management starts at the senior-management level;
  • a strong, centralized and independent control function for risk management operating in conjunction with decentralized business activities enables the Corporation to be agile and efficient in its business activities, yet prudent in its overall risk-taking;
  • diversification is an efficient mechanism for managing risk;
  • returns earned must be commensurate with the marginal risk associated with each business activity.

Finally, the Annual Report notes that the Bankers Trust team of dedicated risk management professionals "is independent of the Corporation's business lines and reports directly to senior management." This is the way it should be!

What a tidy thing the mind is, how affronted by the outlying chaos . . . .

E. L. Doctorow, Billy Bathgate
Random House
New York, 1989

The "Alternative" Market
Insurance deductibles have been with us for over one hundred years. Self-insurance (meaning some form of internal forecasting and reserving) is at least seventy years old. Captives have been around as long, although their rapid growth occurred in the 1970s and 1980s. Risk Retention Groups were formed after 1986. Yet the term "alternative market," encompassing all these risk financing techniques, is recent vintage.

Since we have no central record-keeping authority for the money spent in these activities, considered judgment is our only measurement tool. Two recent studies attempt such estimates. Conning & Company, a Hartford, Connecticut based investment firm has added up the numbers periodically since 1980. Its 1996 report (Alternative Markets: Evolving to a New Layer, Conning & Co., 185 Asylum St., Hartford, CT 06103-4105, $495.) is easily the most thorough, developing estimates on several different bases. Conning uses 1994 data and extrapolates them to 1997: a total commercial risk financing market of $213 to $228 billion in the US, with "alternative" mechanisms accounting for $78 to $85 billion, or 32% to 37%. Unfortunately, the Conning study does not appear to count governmental pools (formed under so-called "joint powers authority" in many states) and comparable self-insurance trusts. These are estimated at about $14 to $18 billion annually. When one pool shows up, it is misplaced in a list of "alternative risk financing" facilities. Conning may also have under-counted the extent of internal risk financing, ranging all the way from charging losses directly against income, to internal reserve accounts. Perhaps it is impossible to develop credible numbers for this funding, but we should try. This study includes valuable insights about the nature and fragility of the conventional insurance market and the ways in which large, medium-sized and small commercial organizations seek new means of addressing risk. It's a valuable investment for a risk manager.

The insurance brokerage firm of Sedgwick, Inc. devotes four pages to the "alternative market" in its Insurance Market Trends and Developments: 1997 report (1000 Ridgeway Loop Road, Memphis, Tennessee 38120 - free of charge).

Its estimate is considerably higher: a total commercial risk financing market of $276 billion, with $122 billion, or 44% for the alternative mode. This is another valuable annual study.

Both organizations confirm that, despite the recent "soft" market in which traditional insurance is both less expensive and more readily available, the "alternative" market has grown more rapidly. From 1980, when Conning first started keeping figures, to 1994, the traditional insurance market did not even double (+175%), while the alternative mechanisms quadrupled (+401%). It's a trend that promises to continue.

I think that both surveys seriously underestimated the market. I don't have hard numbers to back up my thesis, but I believe that traditional insurance should be called the "alternative" market, especially for larger corporations. If we could add the numbers accurately, the "primary" market - all forms of non-insurance financing - probably constitutes 95% of total risk financing! Consider the contributions to governmental pools and the enormous amount of internal chargeoffs and reserving, much of it not even accounted for by corporate risk managers. Add to that the post-loss financing from government and nonprofit sector sources following major disasters, such as flood, earthquake and windstorm. Add the self-funding for environmental cleanups and liabilities. Finally add the equally enormous sums in losses assumed for financial/market risks (hedges, swaps, derivatives gone wrong) and the penalties for regulatory and political risk. Conventional commercial insurance as risk financing is inconsequential for most organizations!

Most reviewers approach the problem of accounting for risk financing wearing the blinders of insurance, considering only the areas of conventional underwriting. True risk financing is far broader. I challenge Conning, Sedgwick and others to undertake studies of the real commercial risk financing marketplace for their next reports.

A great opening line to a chapter:
"It was when the patch of shit appeared on the pilot's cream rump that Richard knew for certain that all was not well."

Martin Amis
The Information
Harmony Books
New York, 1995