Risk management has been driven largely by regulation, both of financial services and more broadly:
- Insurers must perform an Own Risk and Solvency Assessment (ORSA) which tests an insurer's solvency and liquidity over (e.g.) 3-5 years.
- UK companies with a Premium listing must make a Longer Term Viability Statement (LTVS) of its viability over a period determined by its Board.
Management and regulators may emphasise downside for extremities about which we know little. But, for many, business is about making profit at levels of exposure about which we do know quite a lot. ORVA is all about managing and exploiting this remaining uncertainty as a compeitive weapon.
Defining ORSA, LTVS and ORVA
Arguably the nearest equivalent to the LTVS for the financial sector, an insurer's Own Risk and Solvency Assessment tests its solvency and liquidity over (e.g.) 3-5 years. The ORSA is required by the UK PRA and Solvency II. The "Comparing ORSA, LTVS and ORVA" table below makes the LTVS:ORSA comparison.
Insurers must perform an ORSA as part of Solvency II. The ORSA's forward looking assessment of solvency goes beyond formulae, incorporating stress and scenario testing. Interpreted appropriately, it emphasises the role of management actions. The LTVS is a comparable requirement to ORSA for non-financial firms.
ORSA is helpful, but it's still about solvency. Insurers – and non-financial firms – should go beyond ORSA/LTVS, not least in the interests of their shareholders.
The FRC's Guidance on Risk Management implies that the LTVS is an assessment of solvency and liquidity over a period chosen by the Board:
Taking account of the company’s current position and principal risks, the directors should explain in the annual report how they have assessed the prospects of the company, over what period they have done so and why they consider that period to be appropriate. The directors should state whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions as necessary. Section C.2.2. of The UK Corporate Governance Code (September 2014)
The UK Corporate Governance Code (September 2014) has general requirements regarding business model and performance which go beyond the LTVS:
The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity.
The directors should describe those risks and explain how they are being managed or mitigated. Section C.2.1. of The UK Corporate Governance Code (September 2014)
I suggest the discipline of an Own Risk and Value Assessment (ORVA) corresponding to the ORSA, but with a different target: risk-adjusted shareholder value.
OVRA is, most importantly, a way of working, although it can be an internal process and document. ORVA enables the adopter to formalise and optimise its approach to risk-adjusted value generation. For example the uncertainty regarding the drivers of future business and profit growth are acknowledged and managed.
A tailored a version of ORVA (e.g. an ORVA document, or disclosure of a formal approach) could be shared with regulators, rating agencies, analysts and shareholders, setting out at an appropriate level the techniques that the insurer is using to gain competitive advantage. This is turn may be viewed favourably, with potential for early adopter advantage. Read the "ORVA take up" section below for why I expect non-financial firms to be big ORVA beneficiaries.
The ORSA, LTVS, ORVA progression
There is a sense is which the above represents a progression of Enterprise Risk Management (ERM):
- ORSA = ERM 1.0. ERM is a 21st century phenomenon, arising from bank and (subsequently) insurer regulation from the 1980s onwards.
- LTVS = ERM 1.5. A development (and staging post) in which the insights of ERM 1.0 flow to non-financial companies, increasing the level of "risk maturity". (*)
- ORVA = ERM 2.0. ORVA reaches the parts outside the ORSA / LTVS domain: James Lam's vision of uncertainty management and performance optimisation.
(*) This is not a pejorative statement, but rather concerns the more robust risk management tools and greater degree of formality employed in the LTVS versus previous incarnations of risk management in non-financial companies. The table below suggests that the ORVA generates more value than the LTVS.
Comparing ORSA, LTVS and ORVA
All UK companies (including banks and insurers) with a premium listing will need to provide a LTVS e.g. in the strategic report. Insurers will also have to produce an ORSA, which is arguably very similar to the LTVS. The following table compares the ORSA (c.f. LTVS) and 4ARM's suggestion of an ORVA.
High level non-technical comparison
The following tables use high (H), medium (M) and low (L) to show the intended emphasis of the risk assessment. All assessments should incorporate action.
|Internal / External||Int||Ext||Int||ORSA: insurer's Board and its regulator. LTVS: publicly available in report and accounts. ORVA: internal (only).|
|Documentation||H||M||L||Solvency II has onerous documentation standards. The FRC is likely to be more proportionate.|
|Business model||–||–||H||C.2.1. says business model aspects are covered in the strategic report, not in the LTVS. ORVA goes further.|
|Future performance||–||–||H||This is the major contributor to ORVA, especially for non-financial firms.|
|Solvency||H||H||M||Value must incorporate allowance for likelihood of future insolvency. But solvency is a low hurdle for shareholders.|
|Liquidity||H||H||M||Too many valuable companies have failed due to not having cash at the right time – see the Buffett quote below.|
|Value metric||–||–||H||ORVA combines uncertainty over future growth (especially) and the contribution of solvency to value.|
At Berkshire we ... have pledged that we will hold at least $10 billion of cash, excluding that held at our regulated utility and railroad businesses. Because of that commitment, we customarily keep at least $20 billion on hand so that we can both withstand unprecedented insurance losses ... and quickly seize acquisition or investment opportunities, even during times of financial turmoil. Warren Buffett: 2010 Berkshire Hathaway letter to shareholders
The ORVA governance and documentation "hurdle" is low – whatever makes sense in terms of shareholder value. The ORVA is under your own control. Its development and deployment should be proportionate; introduced on a step-by-step basis and only progressed if it adds value. That's good risk management too.
Here's the point: ORVA reaches the parts ORSA and LTVS don't reach.
Risk management techniques comparison
The following compares ORSA to ORVA. We might also compare ORVA to the Longer Term Viability Statement.
|Governance and framework||H||L||Regulator can act dramatically against insurer for failings here. ORVA uses a framework to help decision making.|
|Solvency||H||M||Central focus of ORSA. Insolvency enters ORVA as a particular way in which the future cashflows have zero value.|
|Assessment||H||H||ORSA's focus is on solvency-related risks. ORVA considers risk and uncertainty in a much broader way.|
|Management actions||M||H||Implicit but arguably the heart of ORSA. ORVA builds these into the strategy from outset, valuing them explicitly.|
|Scenario testing||H||H||Used by ORSA to test capital adequacy over 3-5 years. Used by ORVA to test strategy.|
|Stress testing||M-H||H||ORSA may use combined stresses. ORVA uses particular stresses as "reasonableness test" and full range in optimisation.|
|Optimisation||N/A||H||ORSA protects capital; any "optimisation" is very loose. ORVA optimises value, conceptually and operationally.|
|Variability||L||H||ORSA considers only extreme variability. ORVA incorporates value and management of less extreme variability.|
|Risk appetite||L-M||H||Implicit in ORSA. Likely to be explicit in ORVA optimisations.|
|Simulation||N/A||H||Central to ORVA's optimisation.|
The ORVA: reaching the parts that the ORSA can't reach
I've shown these pictures elsewhere, but they're useful.
Lam's vision for enterprise risk management
There are three major business applications of risk management: loss reduction, uncertainty management and performance optimisation. The combination of all three is enterprise risk management.James Lam – the world’s first Chief Risk Officer
The contribution of ORSA to the Lam vision
The ORSA makes an excellent contribution to (a). Beyond that I'd argue the effect is limited:
- ORSA and strategy: ORSA's scenario testing provides a check on the adequacy of the current capital to support the intended strategy. It's a short stretch to management actions and risk appetite – good.
- ORSA and decision making: ORSA's limitation is that it is simply a (reasonable!) hurdle for an insurer's strategy (capital, risk appetite etc). But there's not much of an overlap with Lam's (b) and (c).
ORSA and risk management maturity
The diagram on the right comes from Professor Panjer's presentation Enterprise risk management: an introduction and the controlling / trading / steering terminology (*) is from the IAA's Comprehensive Actuarial Risk Evaluation – Ingram et al.
There are three areas ORSA doesn't touch:
- Strategy formulation. Beyond ORSA's capital-focused validation approach, Scenario testing can help set strategy.
- Capital allocation as part of return optimization.
- Risk trading e.g. RAROC at the transaction level.
Of course you don't need an ORVA. There are many ways for you to maximise risk-adjusted value. You might work with management tools such as an internal cashflow projection model and the Balanced Scorecard. But, like data, risk and uncertainty management is going to be a 21st century theme.
ORVA: why you should really want it
Does an ORSA really reach these parts?
In ORSA for Dummies a.k.a. ORSA: the heart of Solvency II Peter Taylor gives a list of good questions (a company should ask itself) and another list of not-so-good questions (he suggests might be asked by others e.g. a regulator). The lists (slightly tweaked) are:
Good questions you should ask:
- What's our business plan?
- What's making us the money and over what period and with what risk?
- How is our capital allocated between lines?
- Have we tested our assumptions?
- Can we show a meaningful risk register?
- Are we within our risk tolerances?
- Can we take an intelligent layman through some sample scenarios?
Not-so-good questions others might ask include can we explain / demonstrate our:
- ERM strategy?
- Policies, Process and Procedures?
- compliance with the Use Test? (*)
- data quality and our data directory?
(*) No Solvency II background? For an insurer's internal model to be credible for solvency purposes it must also use it for core management decisions.
|Management and Regulators can get obsessed with the downside for extremities about which we know little||Yes||Agree|
|Business is about making profit at levels of exposure about which we do know quite a lot||Yes||Agree|
|... and we explain this in the ORSA||No||Only if the risk framework has an ORVA-like as well as an economic capital / ORSA / LTVS focus. This in atypical for insurers – and LTVS won't got this way unless companies want this.|
Uncertainty around "Business and levels of exposure about which we do know quite a lot" is an explicit purpose of ORVA
Tails you lose
I, like some other actuaries such as Mark Graham, believe that there is greater potential to add value towards the centre of distributions rather than at the "tails".
- As little as possible at the extremes of the distribution as is necessary to get internal model approval
- Not believe the results from the extremes of the distribution
- Concentrate on design, parameterisation and use between the [5th] to [95th] percentile, where:
- Data is more complete
- History may be a guide
- Expertise is more relevant
It is in the central part of the distribution that models can provide valuable insights and, used correctly, add material commercial value. The great 99.5th percentile swindle
Uncertainty around estimation and "the central part of the distribution" is an explicit purpose of ORVA
ORVA and decision making
To be absolutely clear: ORVA is very much about good decision making in the face of risk and uncertainty:
- Strategy formulation. ORVA looks at the impact of strategic uncertainty, using e.g. stress and scenario testing techniques.
- Capital allocation. ORVA uses modelling techniques such as RAROC and FAB-testing to drive the high level risk-adjusted value optimisation.
- Transactions. ORVA guides in making tactical decisions: how much in investment A versus investment B. What are appropriate concentration limits?
- "Risk decisions". What is the value of putting in place an operational control?
So why is decision making missing from the ORVA name? This is for entirely practical reasons:
- Insurance link. As supposed risk experts, insurers should like the ORVA idea, although the solvency and balance sheet focus of regulators pushes against this.
- Keep it short. ORVA is relatively memorable and doesn't need two more letters. The "value" is the key aspect – ORSA affects solvency-related decisions.
ORVA take up: insurers, banks and non-financial companies
If you believe in the Lam vision ORSA is central to what ERM should be and the value it should generate. Who will be first to adopt ORVA-like ideas?
Where – a US v UK effect?
Pointers indicating that the US may be somewhat ahead of the UK, at least in appetite if not adoption:
- The bold and specific statements on the value generating properties of good ERM by North America-based Lam and Panjer.
- The book Corporate value of Enterprise Risk Management by US Actuary Sim Segal
It is, perhaps, in the American culture to be willing to try things, especially if there are dollars in it.
Will insurers be first?
I think not.
First UK insurers are tired; they have been trying to deal with Solvency II and (many) other regulatory changes for 10 years and more. UK insurers, especially life insurers, are typically conservative, especially compared to banks.
But that's a shame: insurers have the expertise to adopt ORVA and there's surely a market opportunity to focus more on value than solvency and cash generation.
What about banks?
Is conventional risk management – of loss-reducing or value-maximising type – remotely adequate to deal with the current challenges facing banks?
Conduct-related issues dominate banking risk: Chartis research (May 2015) has revealed that 98% (by value) and 82% (by frequency) of the top 50 global operational risk losses over the period March 2014 to February 2015 related to suitability or fiduciary failures and improper business or market practices.
Recent scandals affecting UK banks include Payment protection insurance, money laundering, interest rate hedging (mis-sold contracts to small firms), LIBOR rigging and Forex fixing. In May 2015 the Sunday Times summarised one financial impact on banks:
In the UK alone, the five biggest banks have paid out £38.7 billion in fines over the past fivs years, which accounted for 60% of their profits. Source: Guilty as Charged – Sunday Times, 10 May 2015
That leaves non-financial companies
ORVA is even more valuable for non-financial companies, who have more flexibility and (relatively) more upside compared to their financial peers.
Total company value is the sum of two items:
- Balance sheet value: a.k.a net asset value and related to (the value of) the excess of assets over liabilities.
- Franchise value: the excess of the firm's market value over its balance sheet value. Driven by the market's assessment of future profits.
Where the balance sheet comprises significant (e.g.) long term liabilities to customers (e.g. an insurer's policyholders) and associated capital, value generation is somewhat constrained. In financial services this is (rightly) reinforced by regulators, acting on behalf of customers. Two things favour non-financial companies:
- Non-financial firms typically have more balance sheet flexibility; they can invest more in value generation.
- The ratio of franchise value to total value tends to be larger for non-financial firms.
Non-financial firms should expect to spend less of their risk management time on regulation and more on optimising risk-adjusted value.
It may take time, but with the greater competitive upside, I believe non-FS companies will be the first to make the break.
LTVS and ORVA: a role for actuaries
Reasons to think an actuary can help:
- Part super-hero. Part fortune-teller. Part trusted advisor. See the set of skills an actuary has.
- In 1775 an actuary quantified mortality risks. 200+ years later, we're still doing risk and probability.
- Beyond liabilities actuaries now manage assets, solvency and the uncertainty around company value.
- Pricing risk. Whether it's life, health, cars, homes or businesses, insurers rely on actuaries to get prices right.
- Mitigation experience. e.g. using techniques such as contract design, (re)insurance, hedging, diversification.
- Making sense of total risk. We can combine operational, insurance and financial risks into a common currency.
LTVS - ORSA overlap. Solvency II insurance regulation requires actuarial and risk functions to delivering the ORSA. Actuaries are able to extend this experience to your industry and your LTVS. Actuaries can make sense out of risk.
And reasons to take care:
- Communication: it is claimed that, with their technical expertise, actuaries are not natural communicators.
- Criticism from other professionals: Economist John Kay isn't a fan but then Taleb dislikes economists.
- Domain expertise: An actuary may not have a deep understanding of you industry. But actuaries can reach out:
An actuary who is only an actuary is not an actuary Frank Redington, voted the greatest British actuary ever
Grill an actuary
As with any important process, due diligence is important. Your actuary should be able to give confidence:
- Communication: Can he convey how risks may differ between insurance and your industry?
- Practical skills: Will he be able to combine (your) experts' views, data and models in a risk assessment?
- Action focus: Will his report lead to actions which could protect and produce value?
- Technical prowess: Do heavy tails mean anything to him? Are they relevant to you? Are the answers credible?
- Your specific concerns: Your may have particular issues you want to cover. Your actuary should naturally engage.
ERM 1.0 critique
- Enterprise Risk Management: Review, Critique, and Research Directions
- Risk culture in financial organisations
ERM 1.5 and the LTVS
- EY on LTVS: Finding opportunities in the new regulatory challenge
- EY on risk and value How leading companies use risk management to fuel better performance
ERM 2.0 for non-financial firms
- Enterprise risk management for non-financial companies : clear consultancy paper on the value of ERM for non-financial firms.
ERM: the contribution to securing and building value
- Corporate Value of Enterprise Risk Management : book by US risk management expert Sim Segal.
- Implementing the value-based approach : a review of one US insurer's experience, by Michael J. Moody.
- Managing the Invisible : prize winning paper by US risk management expert Bill Panning.
- Making money safely : a personal view of risk management for banks, insurers and non-financial corporates – Philip Scott, ex-IFoA president.