Value-based risk management: three lines of attack

This is where most of my risk work since 2013 has focused: this is my best (short) advice on adding value through risk management.

I contrast the conventional 'three lines of defence' risk management paradigm with a more positive and value-focused alternative: 'three lines of attack'.

Under conditions of uncertainty the best decision doesn't correspond to the one where all parameters take their best estimate values. Good risk management adds value by highlighting and delivering these different 'risk-based' decisions. We can quantify the impact and extra value of these risk-based decisions.

We can even use this approach as a driver for risk management: let's call it value-based risk management.

For my articles and those from three leading risk management gurus see Risk Olympians

Conventional risk managementthree lines of defence

What are the three lines of defence?

The three lines of defence are:

  1. Operational management
  2. Risk management and compliance functions
  3. Internal audit

See what The Institute of Internal Auditors – a third line organisation – say in their Position paper on the three lines of defence concept.

The three lines and business value

But the three lines concept can easily miss the business value of risk management. I suggest it results in an almost automatic over-emphasis on:

  • downside. Yes, the 'first line' of operational management is in the picture, but when it comes to their risk management responsibilities, the focus will often be on stopping bad things happening – especially sudden events – rather than, for example, optimising profits after allowing for uncertainty.

    I advocate an approach which emphasises optimisation after allowing for uncertainty – see below. This is not the same as incorporating capital into pricing.

  • regulation, governance and legislation. Nothing at all wrong with compliance having strong input, but they are there to limit downside.
  • capital and extreme events. Some companies – banks and insurers for example – make long term promises to their customers. There is a so-called asymmetry of information and regulators (especially) do not want to see insolvency and customer detriment 'on their watch'. This leads to capital. But these financial firms assess capital on a 1-in-200 basis, leading to the potential for what actuary Mark Graham called The great 99.5th percentile swindle.
  • financial risks. Risk frameworks are usually audited and sometimes recommended by accountants, whose main expertise is finance, rather than operations or strategy. What's more, perceived risk management leaders – again banks and insurers – often take a finance, capital and balance sheet approach to risk.
  • external and faster moving factors. Sinking, Fast and Slow suggests that – typically – the biggest risks to organisations are internal, relatively slow moving, strategic and operational. That's an uncomfortable management position versus blaming e.g. an external financial crisis which 'no one could have anticipated'.
  • narrative. This is particularly dangerous; a firm focussed on assessing and managing extreme risks will lack data and will rely more on expert opinion. That opinion will come from various sources: the three lines, external advisers and senior management. What will be the preferred opinion, and why?

The three lines and integration

The above critique suggests that conventional risk management has over-emphasised the defensive aspect rather than value. But there's a linked issue arising from the conventional approach: lack of integration with core management activities.

The less that risk management is linked to day-to-day operational and management activities – strategy, marketing, sales, pricing, distribution etc – and the more it is linked to obscure and remote events, the less traction it will get with non-risk staff. It all becomes a self-fulfilling prophecy with risk people left to write documentation and talk about 'risk universes'. We can do better than the sort of 'embedding' which first line people compare to a visit to the dentist.

This toxic mix can lead to a downward spiral of mutual frustration.

An alternative from the world's first chief risk officerthree lines of attack

What he said

There are three major business applications of risk management: loss reduction, uncertainty management and performance optimisation. The combination of all three is enterprise risk management.James Lam – the world's first Chief Risk Officer: chapter 15 of Enterprise Risk Management: from Incentives to Controls

Building on the words

'The question is,' said Alice, 'whether you can make words mean so many different things.'Lewis Carroll: Through the Looking Glass

Although I like his words, my version of 2 and 3 is a little different to Lam's (as detailed in his book). Mine follows.

  1. Loss reduction. In a regulated industry such as financial services value maximising is subject to hurdles; regulators will not accept insolvency risk above a certain level, even if it maximises value. More importantly for our purposes, items such as dividend policy and debt levels can be optimised within a risk model which allows explicitly for loss. The model can suggest whether those losses should be limited further – and how – based on a cost-benefit analysis.

    Practical example: credit ratings. In the late 1990s most reinsurers lost their AAA credit ratings, suggesting an increased default probability. But, based on cost-benefit considerations, those reinsurers chose not to restore those ratings, choosing lower captial, a higher default probability and increased value.

  2. Uncertainty management. Lam says 'The second stage of risk management—originating from a string of insights during the 1990s—focuses on managing volatility around business and financial results.' But the Capital Asset Pricing Model (CAPM) suggests that this does not increase a firm's value.

    But there is an alternative approach in which we seek to exploit uncertainty to improve best estimate performance (this applies also to 3 below).

    My emphasis here is on learning, data and modelling. What seems to be random variation often only appears to be so. Firms can use a range of techniques to identify and model such variation, then seek to exploit it; direct marketing companies may expect response rates of c1%, but they use techniques to target those more likely to respond. Typically this is done by using predictive analytics techniques. A model is built based on a sample of data ('test data'). The model incorporates factors (inputs) and predicts outputs (e.g. a response rate). Competing models are then assessed based on different data ('validation data').

    We can call this assessing uncertainty, heterogeneity or 'skimming the cream', but experience in data science techniques can help.

    Learn from the past, look to the future. There is some value in applying insights from primarily backward-looking analyses; descriptive statistics based on past data, sometimes called business intelligence. But this gains extra power when allied to modelling and modern forward-looking predictive techniques.

  3. Performance optimisation. You've done a robust and accurate uncertainty assessment. But corresponding good decisions still need to be made.

    Value delivered. Many claims are made for the value of risk management. Some are reassuring – 'helps the board to sleep soundly at night' – but few have edge. In contrast, the performance optimisation using risk management techniques implies that good risk management demonstrably increases the (expected) value of a firm. This can be quantified by an internal discounted cashflow model, can be communicated to analysts and should flow through to market value.

    Good decisions might include optimising the:

    • stock levels held by a firm – the Newsboy problem is one of the most popular models in decision science and operations management
    • mix of fixed versus variable expenses in a firm; profitability is affected by the variation in sales levels
    • debt-equity mix in a firm; this affects survival probabilities and hence value
    • dividend policy (payout ratio) of a firm
    • capital levels in a firm – see below
    • proportion of wealth to invest in a venture – see Kelly Criterion

    Experience in decision science techniques can help here.

Scope for learning from other areas. The areas of data science, decision science and risk management seem to have minimal overlap. My guess is that this gap will be eliminated by successful firms and that this will lead to their risk management incorporating more of 2 (data science) and 3 (decision science).

© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited