Lloyds - cognition and how human factors affect risk perception

While the Solvency II world will be as grateful for as they are familiar with Lloyds of London's work in the Sol II sphere, they pushed out an intriguing paper for all risk practitioners this week around cognition, the impact of human behaviour, and our interaction with models when identifying and assessing risks.

This is a piece of academic research very much needed at this point in time, where the regulatory obligations around internal model challenge have yet to formally land, let alone be adequately road-tested, while at the same time the UK is continuing with its ICAS+ regime, where entrants will no doubt receive running commentary on their progress in upscaling both assumption/parameter challenge as well as model use.

Anyone involved in the 200-ish pre-applications for internal model use prior to Solvency II go-live in Europe would therefore benefit from a read of this, particularly if you are on the validation-side. I picked out the following;

Fundamentals which impact on modelling choices (data sets, interpolation/extrapolation, correlations, tail dependencies etc)

• "We are not equally aware of all risks...people make decisions based on a subset of the available evidence"
• "Expectations are strongly influenced by personal experience and current events"
• Tendency to "...lose sight of infrequent losses" in the face of more frequent visible events
• Tendency to procrastinate around risks which are difficult to assess
• "Some may query the relevance of human factors, given the prevalence of quantitative risk models - the suggestion being.modelling rules out biases"

Risk appetite

• "Low risk appetite can increase false alarms, and a high risk appetite increases misses"
• "The greater risk appetite of powerful individuals can stem from a tendency to focus more on rewards and successes, while people who are lacking in power are often more cautious and attentive to threats and potential obstacles" - is it this dichotomy which makes the role of the CRO ultimus inter pares in the boardroom?

Aide-memoire lists for risk practitioners

• How to counteract risk perceptions - p11
• Separating risk perceptions from immediate context - p13
• Awareness of bias linked to power - p16
• Risks in perspective - p20
• Behavioural principles which can create added value - p22

Protiviti - top risks for 2013

Nice piece of 'top risks' benchmarking for practitioners was pushed out this week by Protiviti - heavily US-centric, cross-industry (around 25% financial services, but all respondents are C-suite types), and the 'risks' are provided as a selection of 20 pre-written items, but the work has still got some mileage, even if I am far from convinved by the early statement that "...the first question an organisation seeks to answer in risk management is 'what are our most critical risks'" with no reference to their strategic objectives!

Let's take that as an editorial oversight, and pick through the highlights;

• Unsurprisingly, economic conditions and regulatory change/scrutiny are top of the financial services hitlist of 'top risks' (and indeed other industries)
• CROs and Chief Audit Executives were less likely to rate a risk "less significant" than their first-line counterparts - nest feathering or legitimate conservatism?
• Financial services considerably more likely to deploy additional resource to enhance risk management capabilities in the next year

There is also a "suggested questions for Boards" list at the back, which covers (albeit in a rather flannel-y fashion) the kind of items which emerged in the FSB's risk governance recommendations from earlier in the week, such as;

• Is the Board sufficiently involved in/informed of the risk assessment process regarding the implementation of strategy (mergers & acquisitions, new lines etc)?
• Is the MI around the Risk Profile sufficient?
• Is there an existing emerging risk management process?
• Is the risk profile consistent with risk appetite?

A decent piece to run through your NEDs at the very worst, and potentially of some use for your emerging risk/reverse stress testing activities for 2013.

Did we learn from Equitable Life? Professor says "No"...

A cracking thought paper was released this week by Professor Roberts from Kings College regarding the lessons one could reasonably have learned from British mutual Equitable Life's demise in early 2000s, and more importantly, did UK plc actually learn them! (simple timeline of recent events here for our non GB readers, but anyone whose website starts with a banner exclaiming "recreating value for policyholders" has clearly had a lean few years!)

This document works nicely as an aide-memoire for anyone working in a financial services risk function as to what one should be wary of in the day-job. Professor Roberts ties in some of the most recent work in this space (leaning heavily on the Cass Business School/AIRMIC Roads to Ruin research and its conclusions in particular), and comes to the inevitable conclusion that lessons are well publicised, but never learned.

My main concern as a risk specialist is that certain recurring themes in the failure of financial services firms appear to remain outside of the Risk function's control or indeed influence, notably;

• Hubris of Senior/Chief executives - Almost every example of failure in insurance and banking referenced in Prof. Roberts paper includes a flukey, unchallenged CEO who got bolder as circumstance rather than skill kept their businesses growing. I had flagged a couple of articles in a post last year touching on what makes an executive tick, and since then I have seen psychopathy and leadership (as opposed to cherubic faces!) examined further in a popular mainstream book. The legitimate concern here of course is that CROs are seemingly no nearer to being guaranteed seats at the top table, let alone a veto to keep the most dominant executives in check, regardless of their loud voices, when necessary.
• Poor quality governance from Non-Executive Director level - Risk functions simply must have the NEDs performing at their optimum in order to provide acceptable services to their employers. While the "old school tie" approach to recruiting NEDs may take a generation to phase out entirely (to be replaced by an army of Fembots, so Viviane Reding would have us think), Risk functions are left with tottering old fee-sweepers as their key route to early intervention. The more visceral approaches to documenting risk appetite/tolerance/preference now being supported by corporate governance codes and vocational/professional bodies may make it easier to raise concerns with NEDs in future (probably as it will be colour coded and in Excel...), but until they are actually prepared to risk their comfortable semi-retirement with some probing questions in the C-suite itself, should Risk functions ever think they can overcome such a void?
• Failure of regulation - Should Risk functions be banking on the (inevitable?) failure of the nascent regulatory environment, and reserve for subsequent claims/compensation if one or a number of products are "too" successful, thus providing the necessary quantum of dissatisfied customers for the regulator to act? I would have laughed this suggestion out of the room until a year ago, since when the FSA have made retrospective calls on interest rate swaps, PPI, and TLPs, all of which would have been presented as "compliant" products in the Boardroom.

For the Solvency II fans, it also notes on page 11-12 that Equitable Life featured in the research which grew up to be Solvency II! Maybe we did learn something after all - if we smash up the affordability of long-term guaranteed products, we can all go unit-linked and never have to worry about another Equitable...

Active Risk - 'What makes a great Risk Manager' results...

I participated in a survey a little while back about "what makes a great risk manager" which involved looking at personality traits, and the guys at Active Risk posted the results today.

While I was hoping the results would look like my CV (!), there were some interesting findings from the 200-ish sample;

•  Categorises risk managers into Traditionalists (from the 'department who likes to say no'!), Drivers (who are pragmatic and impatient) and Evangelists (who have the CRO style, without necessarily the substance. The split of respondents was 60/10/30 respectively. The obvious thought for me was that this was the perfect ratio of the three skillsets to arrive at a quality Chief Risk Officer, and the conclusions touch on this throughout.
• Suggests traditionalists may be holding their companies back due to presentational shortcomings (probably fair), while Drivers should understand their impatience can come over as aggression and Evangelists should wind back on what I like to call 'risk rabbit' (where throwing terminology left and right leaves the consumer disinterested or confused.

Should certainly be of interest to my friends at Clarity Resourcing, as these kinds of considerations cross over most industries when fishing for risk talent - I hasten to add that I can't immediately recall what I was classed as!

Late post-script - found my personalised report, and I was down as a "reactive extrovert" - I'll settle for that!

Chief Risk Officer activity

LV+ got in on the CRO staffing activity in advance of Solvency II this week, pitching a finance-oriented executive into the role, with a remit of embedding an ERM Framework and managing Solvency II. In line with previous posts, I'm not sure who to score this one to (probably not the Risk team), but important to note the reporting line still going into the CEO.

On topic, but bank rather than insurer as the example, the Reputability Blog picked up on a slightly different organisational problem that I suspect will become more prevalent over the next couple of years - namely that with the maturity of the CRO role comes an ambition to be more than the CEO's "angel on the shoulder".

Larger financial services organisations may find their CROs develop something of a wanderlust if they don't expect a reasonable shot at the top job will be forthcoming (indeed an earlier blog post highlighted that a company Stateside is using the role as CEO training). I would have thought this is even more of a strategic issue for insurers, where existing CRO/de-facto CROs will be critical to Solvency II delivery plans, and will of course have extensive knowledge of their respective institutions' economic and regulatory capital weaknesses after 2+ years of project graft!