While progress on enterprise risk management (ERM) has been substantial in recent years, tackling unknown risks may require further repositioning. Stuart Wason reports
“As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don’t know.”
– Donald Rumsfeld, US Secretary of Defense at Department of Defense news briefing, 12 February 2002.
It is perhaps ironic that Donald Rumsfeld could state so clearly what I believe to be one of the great challenges of enterprise risk management, or ERM.
Today I would like to talk about ‘known’ and ‘unknown’ risks and some of the challenges that I see with their identification, assessment and management. Specifically, are you measuring yesterday’s risk? If not, perhaps your ERM needs repositioning.
Much progress has been made with enterprise risk management (ERM) in the last several years especially with respect to risks with which we are most familiar and have experience. This is only natural. But is this experience sufficient to help us assess the impact of low probability occurrences of those risks? How useful is past experience in foretelling the future? Is the future subject to unpredictable jumps which we can only fathom in hindsight? How well do we understand the way in which risks interact with each other especially for low probability? Which risks, insignificant on their own, will become systemic risks affecting the entire industry? How can we protect ourselves from the ‘unknown, unknown’ risks?
ERM progress
Much progress has been made with enterprise risk management (ERM) in the last several years. The importance and value of ERM is now well recognised and embraced in the global insurance industry.
Through the introduction of sound governance practices for risk management including the use of the actuarial control cycle, insurers are focusing on the identification, assessment and management of credit, market, underwriting and (increasingly) operational risk. Best governance practices involve the embedding of ERM throughout the insurer’s risk and capital management decisions, including board oversight and frequently (especially for larger insurers) the appointment of a chief risk officer (CRO).
Increasingly insurers are using sophisticated internal models for their risk and capital management decisions. Increasingly regulators are allowing insurers to use their internal models for determining some or all of their capital requirements (IAIS and IAA both working on papers in this regard).
Known risks – learning from yesterday
It is part of an actuary’s basic training to assess the frequency and severity of “known” risk, based on prior observed experience. It is through the study of this experience that we gain an understanding of the risk itself and its key drivers. Frequently, we apply this understanding of the past in the determination of risk’s current estimate, trend and variability.
Unfortunately as actuaries, we know all too well the challenge of insufficient credible data on which to base decisions. Some traditional ways of dealing with the lack of credible data include:
•Including experience from relevant market or industry studies.
•Including experience from other ‘similar’ risks assumed by the insurer.
•Extending the observation period over time to include additional observations.
The first two options can compromise the validity of the original study due to comparability issues. The third option exposes the original data to underlying trends or events which occurred during the longer observation period. Each of these options makes it difficult to truly discern the current estimate of the risk we are studying.
The bigger challenge (I believe) in the assessment of ‘known’ risks based on their past experience is twofold:
•Insufficient understanding of risk behaviour for low probability events (ie events in the tail of the distribution; and
•Insufficient understanding of how future experience will differ from that of the past.
Known risks – low probability events
Beyond understanding the expected behaviour (ie current estimate) of ‘known’ risks we also seek to understand their variability. This variability might be due to random statistical volatility or to various types of uncertainty. In many applications of our actuarial work we seek to understand the severity of the risk at low levels of probability. For example, we might want to know how much capital we should hold to be 99 per cent confident that the insurer will have sufficient assets to withstand adverse experience.
A study of low probability or extreme events suffers (by definition) from a lack of credible data. A possible response to this lack of data is to assume that the risk being studied behaves according to a commonly used statistical distribution. Such a simplification can make our calculations simpler but can also misrepresent the tail behaviour of that risk. It is vital that we take great care in selecting that distribution as pointed out by Nassim Nicholas Taleb in his recent book entitled The Black Swan.
Taleb points out the dangers in assuming that risks behave according to Gaussian laws. He describes this world of risk behaviour as being “mediocristan”, a world in which particular events do not contribute much individually only collectively. In “mediocristan” we will need relatively few observations adequately define the shape of the distribution. The distribution of human heights or weights would be examples of data from “mediocristan”.
On the other hand, Taleb points out that there are many more risks than we might expect which do not behave in a Gaussian manner and have much fatter tails. Taleb uses the term “extremistan” to describe a province in which the inequalities between individual events are so great that one single observation can disproportionately impact the aggregate. For example, he examined the odds of being rich in Europe (ie the probability that a person would have a net worth higher than 1 million) and assumed that wealth above that level is scalable then:
People with a net worth:
Higher than 1 million are 1 in 62.5
Higher than 2 million are 1 in 250
Higher than 4 million are 1 in 1,000
Higher than 8 million are 1 in 4,000
Higher than 16 million are 1 in 16,000
On the other hand, if the wealth distribution was assumed to follow a Gaussian law then,
People with a net worth:
Higher than 1 million are 1 in 62.5
Higher than 2 million are 1 in 127,000
Higher than 3 million are 1 in 14 billion
Higher than 4 million are 1 in 886 quadrillion
Clearly, as Taleb illustrates, there is a huge difference between these two approaches. The first one, belonging to the world of “extremistan” is clearly more in tune with our modern society. We need only contemplate a few of the world’s richest people (such as Bill Gates) to understand the impact of their wealth on the aggregate of all individuals. As actuaries we must pay close attention to the reasonability of our choices for modelling risk, especially tail risk.
Known risks – future vs past experience
Have you ever analysed how accurate our projections of the future are? Taleb in his book suggests that history moves ahead by jumps. He further suggests that we are better in determining the reasoning behind events in retrospect than we are in their prediction. One has only to reflect on the circumstances surrounding the catastrophic events of September 11, 2001, the stock market crash of 1987, Enron etc, to realise this truth. How many times have we heard words similar to the following when assessing risk?
“But in all my experience, I have never been in any accident … of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort”
— E J Smith, captain RMS Titanic, 1907.
This quote was used by Dave Ingram in his 2005 presentation to the Chicago ERM symposium and was also used by Taleb in his book.
How often in our modelling have we focused on trying to calibrate our risk model based solely on historical experience? Is the environment which created that experience still relevant today and into the future? Let me cite two Canadian examples of what I mean.
In Canada insurance companies sell a mutual fund (unit linked) type product with maturity, death benefit and/or withdrawal guarantees. A number of industry observers have begun commenting on the high level of management expense loads currently levied by insurers versus those levied by the banks on their mutual funds. Already there are some indications of a consumer backlash that might force insurers to lower their loads. With this background it might be prudent to consider, as a possible scenario, the future position of the insurer if the lower loads are brought into effect.
As another example, in Canada we have been discussing the appropriateness of using mean reversion in the generation stochastic scenarios for interest rates and equity returns. In other words, should the long-term returns revert to some view of an inevitable mean developed from past experience? The choices made in this regard have a very substantial effect on the value of financial instruments, including insurance liabilities. Who would have guessed that interest rates, especially those in Japan, would have remained so low for so long? If mean reversion is not appropriate for interest rates, might it be appropriate for equity returns? How about other risks that we model?
I am not suggesting that we stop gathering experience data and studying it as a foundation for setting our current estimate of experience going forward. Rather, I suggest healthy scepticism in discerning how past trends and experience might evolve in the future.
Known risks – risk dependencies
In the early stages of ERM for financial institutions major types of risks such as credit and market risk were modelled separately with little consideration of possible risk dependencies. The current Basel Accord for banks reflects this background. However, we are increasingly aware of the importance of modelling the dependencies between risks. Recent market events have shown the importance of the linkage between increasing credit spreads and equity market price decreases.
Risks can behave independently of each other, they can be negatively correlated or they can be positively correlated. Of course, as actuaries we are frequently concerned with the behaviour of risks under improbable conditions and risks which are normally independent of each other suddenly are positively correlated. One has only to consider mortality risk and the risk of an economic downturn to realise that in the event of a serious pandemic these normally independent risks become strongly correlated. Your ERM needs to consider the behaviour of risk dependencies in the tail.
Unknown unknown risks
Before joining the federal financial institution regulator (OSFI) in Canada, I was with the policyholder protection organisation for life insurance in Canada(Assuris). In that capacity, one of my projects was to review all of Assuris’ detection processes. That review revealed the importance to Assuris and the regulator and insurers of identifying, not just individual troubled insurers, but systemic risks as well. Of course individual insurers need be concerned with their own specific risks as well as the possible impact of systemic risks.
For this discussion, a working definition of systemic risk might be:
“Systemic risk is the risk of loss of economic value or confidence in a substantial number of insurers such that the financial position of the entire industry is significantly affected.”
Exposure to systemic risk
Insurers are exposed to a variety of types of risk as a result of the insurance contracts with policyholders (ie insurance risk), the assets used to support the policy liabilities and surplus (ie credit and market risk) and the administration of their businesses (ie operational risk).
Insurers manage their exposure to these risks through product design and pricing, investment policies, and risk management practices. Risk exposures change over time through the introduction of new product features, new types of investments and changes in operational practices. For example the introduction of segregated fund products in Canada with 100 per cent maturity guarantees in the 1990s significantly increased the exposure of life insurers selling these products to market risk and created a systemic risk. The recent launches by Canadian life insurers of new variable annuity products with guarantees presents these insurers with new exposure to market risk.
External events
Exposure to systemic risk only results in losses as a result of an adverse external event or change in the environment. These might include changing attitudes to distribution and sales practices, medical advances, significant changes in the financial markets etc. Some potential external events which may give rise to systemic risk might include severe economic downturn, flu pandemic, or increased longevity which adversely affects payout annuities.
If we consider the first of these, the severe economic downturn, the long period of global macro-economic stability that we had been enjoying is perhaps ending. Certainly we have been enjoying: economic growth, low inflation, low interest rates, high levels of liquidity, and low credit spreads.
In recent months credit spreads have widened, liquidity has tightened and equity markets have suffered corrections. These recent changes were due to several stresses which, when combined brought the period of stability to an end. A generic list of these stresses crafted over a year ago included:
•Increasing event risk related to the weather, terrorism, oil supplies etc.
• Severe trade imbalances.
•Anticipated weakness in the USeconomy.
• High housing prices.
•Negative savings rates in North America.
•Development of complex structured financial instruments to effect risk transfer and increase yield (eg credit derivatives, hedge funds etc)
Several of these undoubtedly contributed to the losses in the sub-prime mortgage sector and the increased market volatility we have witnessed of late, but it would have been difficult to predict in advance which stress or event would have been the specific trigger.
In fact, as Taleb points out in his book, we typically surprised by history as it tends to unfold by jumps rather than gradually and the underlying causes of those jumps (eg September 11, Enron, market crash of October 1987, Titanic etc) tend to be discovered after the fact.
Have you given thought to these unknown unknown risks and the potential exposures within your own operations that they might affect? I recently went through a brainstorming exercise with a board in which we attempted (with partial success) to identify these unknown unknowns. We first of all brainstormed significant trends and changes in our world today. These might include climate change, our wired 24/7 world, religious tensions, human genome and other medical advances etc. We then attempted to link each of these to their potential direct or indirect effect on the insurance industry. This board discussion was very helpful in broadening the board’s view of risk exposures beyond the narrower list of traditional risks which the organisation was accustomed to managing. They were introduced to the world of unknown unknown risks.
In this increasingly inter-connected and complex world of ours, have you given enough thought in your risk management to unknown unknown risks?
ERM implications
In conclusion, ERM needs to (a) pay close attention to the reasonability of our choices for modelling risk, especially tail risk (ie remember “mediocristan” vs “extremistan”); (b) use healthy scepticism in discerning how past trends and experience might evolve in the future; (c) carefully consider the behaviour of risk dependencies in the tail; and (d) give consideration to unknown unknown risks.
Are you measuring yesterday’s risk? If not, perhaps your ERM needs repositioning.
Stuart Wason is with the Office of the Superintendent of Financial Institutions (OSFI) which regulates Canada’s banking industry