The risk and vision plan, together with a better risk process and a minimalist risk framework can tackle our big "ERM 1.0 challenges":

  1. Opaque value: Risk seems invisible and it can be difficult to define and secure value from risk management. It doesn't have to be this way.
  2. Risk-business gap: There can be a gap between the "risk function" and other "value-generating" business functions. They can work together.
  3. ERM drag: A governance-heavy, non-integrated approach leads to puzzled boards and ERM being organisational drag. Reduce the hard slog.

I consider the role and content of a risk vision and plan mainly from the perspective of a private sector firm: bank, insurer or other corporate. Coverage outside this can be found in our forthcoming risk management for the public sector and, for charities, Sayer Vincent's rather good risk management made simple.

Is there *really* an opportunity?

It's real

I suggest that this is a rare opportunity; the chance to refocus risk management on what James Lam says it should be about: not just reducing losses, but managing uncertainty and optimising performance. And making it explicit how this is done. Low cost, high value and without disrupting existing processes and systems.

With buy-in secured from the appropriate people, Lam's a-b-c approach can be implemented gradually, testing for the claimed value at each step.

Why would you not do that?

The first step: being clear

Discussing the "value claims" for risk management, risk expert Bill Panning claims:

Notably scarce, for example, are papers that describe and critique alternative strategies for managing firm-wide risk or that define what is meant by "adding value" and propose ways that this could be implemented and measured in practice or even in principle.

Bill Panning, writing in Managing the Invisible

Without dealing with this it's hard to see how the value of risk management can be measured, let alone secured. A good risk vision and plan can help.

Leapfrog: get ahead of your competitors

It's rare to explicitly demand value from risk management

It is rare to have a document which simply sets out the intended value from risk management. Usually the risk vision and plan – as I've defined it in terms of core content – doesn't exist as a separate document. It may be combined in a risk framework or risk strategy. But the point is to articulate the value somewhere.

Too often that doesn't happen. For public sector organisations or third sector (e.g. voluntary) bodies a cut down policy, largely focusing on managing downside risk may be appropriate. But private sector companies – and especially banks and insurers whose business is risk-based – should be more explicit.

What's done instead

Private sector companies should be naturally comfortable balancing risk and return. But for confidentiality or other reasons, many do not attempt to make this explicit. I speculate that the reasons are as follows:

How big is the value likely to be?

The value is a combination of your attitudes towards risk management, your external environment and your "risk" and "non-risk" capabilities:

Your attitudes to risk management: you may be

  1. Not bothered about risk management. An increasingly untenable position, especially in regulated industries. And you probably wouldn't be reading this.
  2. Focused on the regulator. An appropriate concern, but this focus limits the risk value add, reinforcing any gap between your risk and business functions.
  3. Set on the loss reduction path. This goes beyond solvency and balance sheets – and there is some value to be had here.
  4. Keen to learn more about Lam's (b) and (c). Good idea – that's where most of the value lies. Why not take a look at our FAB-testing service for ideas?

Your environment is competitive: you may be

Conclusion: If your environment is competitive and you're "in the pack", good risk management has a lot to offer. Now let's write some policy headings.

Risk vision and plan: two pictures

A picture as a driver of headings

I believe each of the pictures below is useful; they present different angles on what could be an appropriate aim for risk management.

Picture 1: motivated by Lam

There are three major business applications of risk management: loss reduction, uncertainty management and performance optimisation. The combination of all three is enterprise risk management.

James Lam – the world’s first Chief Risk Officer

Be clear in your own mind. Questions in moving from the picture to risk vision and plan headings:

  • Uncertainty management: Is uncertainty management a low level allowance for the uncertainty of parameter estimates in (e.g.) a pricing process? Or a high level strategic process corresponding to Ingram's "risk steering" below? If it's strategic, is it about scenario testing to ensure capital is not exhausted over the next 5 years? Or about scenario testing to get a good strategy a la Shell?
  • Performance optimisation: Again this could be interpreted as a high level process (as above) or as a low level, tactical, deal-by-deal capability which optimises deal size, risk-adjusted return on capital etc.

Picture 2: Panjer and Ingram

The core of the diagram comes from Professor Panjer's presentation Enterprise risk management: an introduction.

(*) The controlling / trading / steering terminology is from the IAA's Comprehensive Actuarial Risk Evaluation – Ingram et al.

The terminology suggests to me that:

  1. Loss controlling is especially about the balance sheet.
  2. Risk trading is about (e.g.) risk-adjusted return on capital.
  3. Risk steering is about a dynamic look at capital planning.

As a result the role of risk management in positively contributing to a good strategy – rather than ensuring the strategy won't strain the balance sheet over the next few years – is unclear.

The important thing is to explain if / how / why any of this matters to you. Do this and you'll be ahead of the competition.

Risk vision and plan: headings and indicative text

Type of organisation determines the appropriate content for a risk vision and plan, as I define it. I have assumed for the purposes of the material below that the organisation is an insurer in a competitive market. Its stakeholders are policyholders, its regulator and shareholders (and other parties not covered below).

Business model

We are an insurer with three main lines of business:

  1. Pension buyouts: large policies sold to pension schemes. Covers future pension payments in return for a lump sum. Profits effectively through asset margins.
  2. Protection business: written on guaranteed rates and sold to individuals. Profits arise through charging more than risk and other costs and via reinsurance.
  3. Investment business: e.g. pensions and other savings sold to individuals. Profits through charging fees at a higher level than costs.

Implications for assets and liabilities

Unlike most non-financial businesses we are driven by liabilities: we invest the premium(s) received from policyholders to pay future liabilities. Because of this, and because we need to invest in interest-bearing assets, both assets and liabilities are uncertain, and their difference – a measure of solvency – is therefore subject to double uncertainty. For this reason we hold "risk capital", in a way which is largely unnecessary for non-financial firms. We need to earn a return on this capital.


As a UK insurer we are regulated by two main bodies (which also supervise banks): the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).

Our regulator serves several vital social purposes, including:

  • Its oversight of insurers means that individuals can have confidence in dealing with us; otherwise individuals might engage in inefficient individual investigation.
  • It seeks to ensure that any losses fall on appropriate parties – and especially not on policyholders or wider society.

Reflecting the regulatory requirements

The FCA's conduct requirements are primarily reflected (and the risks managed) through the design and delivery of our products and associated processes. This is covered in our operational risk policy and has a very limited impact on our capital position. The PRA's financial requirements have more direct and material financial implications for risk management and associated capital and are covered in this risk vision and plan, as well as in the corresponding risk policies.

Optimisation of franchise value

The key features (to be expanded):

  • RAROC approach – but improved to FAB-testing.
  • Maximise true risk adjusted return on capital: TRAROC.
  • Denominator is economic capital (EC).
  • Numerator allows for all uncertainty levels, not just EC.
  • Numerator can also be transformed through "4Ts".

This shows how risk management adds value at the tactical and transaction level. Additionally, as business works through to the balance sheet we manage the corresponding uncertainty through economic capital and the ORSA. Risk management also actively contributes to setting strategy.

Balance sheet protection

Once business has been "selected" and written (using the above risk-adjusted assessments) it flows through to the balance sheet as shown in the diagram.

  • We manage balance sheet risk and set economic capital largely according to regulatory SYSC risk classifications.
  • We employ an active ongoing approach to capital management, using reinsurance, derivatives etc.
  • The purpose of this approach is to "secure" value and the balance sheet, freeing us up to maximise franchise value.
  • The reasonableness of our economic capital assessment is tested using stress and scenario testing techniques, including reverse stress testing.

Risk steering 1: dynamic capital

Part of the contribution of risk management to "risk steering" is the consideration of capital adequacy over the business planning cycle. This contribution is through (for example) the ORSA process and report, through which risk and capital assessments are carried out not just today, but over the future. ORSA allows for:

  • Projection of future business volumes on a range of bases.
  • Corresponding risk and capital assessments over the future.
  • Stresses and scenarios over the projection period as they affect risk, capital required (regulatory and economic) and capital available.

We deploy ORSA as a dynamic rather than a reporting tool; we use it to test the reasonableness of our risk appetite and (e.g.) where we take credit for management actions we attempt to validate their likely effectiveness, through the quality of our contingency plans and comparing to past actions.
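As an added illustration (not the page's own material, and not any insurer's model), the Python sketch below projects a constructed balance sheet over a five-year planning horizon, applies an instant asset shock, lets an assumed management action (closing to new business once the solvency ratio drops below a trigger) bite from the following year, and searches for the reverse-stress point: the smallest asset fall that takes the projected ratio below 1. Every figure, the "economic capital as a fixed fraction of liabilities" rule, the premium margin and the shape of the shock are assumptions made for the example.

```python
"""Toy ORSA-style capital projection: base case, instant asset shock,
an assumed management action and a reverse stress search.

Added illustration; not the page's or any insurer's own model.
Every figure, shock and rule here is a constructed assumption.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class BalanceSheet:
    assets: float        # market value of assets
    liabilities: float   # best-estimate liabilities
    ec_ratio: float      # assumed rule: economic capital = ec_ratio * liabilities

    @property
    def capital_required(self) -> float:
        return self.ec_ratio * self.liabilities

    @property
    def capital_available(self) -> float:
        return self.assets - self.liabilities

    @property
    def solvency_ratio(self) -> float:
        return self.capital_available / self.capital_required


@dataclass(frozen=True)
class Assumptions:
    asset_return: float          # annual return earned on assets
    liability_growth: float      # annual growth of the in-force liabilities
    new_business_growth: float   # new liabilities written, as a fraction of in-force
    premium_margin: float        # premium received = new liabilities * (1 + margin)
    action_trigger: Optional[float] = None  # close to new business below this ratio


def roll_forward(bs: BalanceSheet, a: Assumptions, write_new_business: bool) -> BalanceSheet:
    """One projection year under the constructed assumptions."""
    nb = bs.liabilities * a.new_business_growth if write_new_business else 0.0
    assets = bs.assets * (1 + a.asset_return) + nb * (1 + a.premium_margin)
    liabilities = bs.liabilities * (1 + a.liability_growth) + nb
    return BalanceSheet(assets, liabilities, bs.ec_ratio)


def project(bs: BalanceSheet, a: Assumptions, years: int) -> List[BalanceSheet]:
    """Balance sheet at t = 0..years. With an action trigger set, the assumed
    management action (stop writing new business) is taken from the year
    after the ratio first dips below the trigger, and is not reversed."""
    path = [bs]
    open_to_new_business = True
    for _ in range(years):
        if a.action_trigger is not None and path[-1].solvency_ratio < a.action_trigger:
            open_to_new_business = False
        path.append(roll_forward(path[-1], a, open_to_new_business))
    return path


def shock(bs: BalanceSheet, asset_fall: float) -> BalanceSheet:
    """Instant fall in asset values at t = 0; liabilities are unchanged."""
    return BalanceSheet(bs.assets * (1 - asset_fall), bs.liabilities, bs.ec_ratio)


def min_ratio(bs: BalanceSheet, a: Assumptions, years: int, asset_fall: float) -> float:
    """Lowest solvency ratio anywhere on the projected path after the shock."""
    return min(b.solvency_ratio for b in project(shock(bs, asset_fall), a, years))


def reverse_stress(bs: BalanceSheet, a: Assumptions, years: int,
                   threshold: float = 1.0, tol: float = 1e-6) -> Optional[float]:
    """Smallest instant asset fall that takes the projected ratio below
    `threshold` at some point (bisection on [0, 1]); None if no fall does."""
    if min_ratio(bs, a, years, 1.0) >= threshold:
        return None
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if min_ratio(bs, a, years, mid) < threshold:
            hi = mid
        else:
            lo = mid
    return hi


# Constructed starting position and assumptions (not real figures).
START = BalanceSheet(assets=1200.0, liabilities=1000.0, ec_ratio=0.10)
BASE = Assumptions(asset_return=0.04, liability_growth=0.03,
                   new_business_growth=0.05, premium_margin=0.02)
WITH_ACTION = replace(BASE, action_trigger=1.2)

if __name__ == "__main__":
    for label, a in (("no action", BASE), ("with action", WITH_ACTION)):
        path = project(shock(START, 0.08), a, 5)
        print(label, [round(b.solvency_ratio, 3) for b in path])
    print("reverse stress (asset fall):", round(reverse_stress(START, BASE, 5), 4))
```

Two points the paragraph makes show up directly in the numbers: the management action only helps from the year after the trigger is hit, so a breach at t = 0 is not rescued by it, and the reverse-stress search reports a point of failure rather than a pass/fail against a chosen scenario, which is what distinguishes it from an ordinary stress test.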

Risk steering 2: setting strategy

We optimise capital and protect our balance sheet as part of our vision to maximise our firm's franchise value.

An increasing contributor to this franchise value maximisation is the deployment of "risk-based thinking" in setting strategy. Our approach is becoming increasingly formal, through the use of scenario planning and other techniques such as "real options". We see this risk expertise as benefiting us across the board.

The risk vision and plan should be an ongoing work in progress. It should cover incomplete work rather than being full of "good news" for the regulator.


  • Front line executives are mainly responsible for delivering optimised franchise value, with scrutiny and challenge by risk and capital management.
  • Risk and capital teams are mainly responsible for balance sheet management, with scrutiny and challenge by various auditors, executives and the Board.
  • Governance is carried out through a robust structure of the Board and its Risk and Audit Committees, supported by (e.g.) Internal and External Audit.

The risk vision and plan is written to be understood and approved by the Board. Detail would be supplied in other documents e.g. the risk framework.


It is all too easy for risk managers to retreat into their own specialist areas. Ironically the introduction of more "enterprise" risk management, with its consistent administration and measurement of the various "risk types" driven by a central department, may have exacerbated this. In seeking to get rid of some silos we may have introduced others. The gap between a central risk function and other business functions can increase complexity and weaken links with the core purpose.

We have seen this play out in a diagram. But we can fix it, making it simultaneously simpler and more effective.

Where next?

