Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applied to risk as well as it does to other more commonly measured things like sales, profits and expenses.
Regulators take a similar view; what gets measured should get managed. ORSA frameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.
This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.
From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.
The Need to Measure Up
Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identified.
Almost every CEO can cite the company’s latest figures for sales, expenses and profits, but very few know what the company’s risk position might be.
Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.
Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses: profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.
Risk, on the other hand, is all about things that might happen in the future: specifically, bad things that might happen in the future.
A risk measure reflects an opinion about the size of the exposure to future losses. All risk measures are opinions; there are no facts about the future. At least not yet.
There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.
That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.
To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes.
Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.
Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.
For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking activities.
With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.
Value at Risk
The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000.
Contingent Tail Expectation
This value might represent the insurer’s risk capital target. A similar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).
The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.
Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.
In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.
Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.
Key Risk Indicators
Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.
For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be difficult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic forecasts as risk indicators.
Of course, simply measuring risk is insufficient. The results of the measurement must be communicated to people who can and will use the risk information to appropriately steer the future activity of the company.
Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.
With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.
The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.
Regulators won’t may not expect all companies to have sophisticated stochastic models and risk dashboards in place. Solvency II focuses on proportionality. The approach of each company should reflect the nature, scale and complexity of their business.
Our next blog will discuss the next stage in the process which assigns limits and controls to these risk measures.
This blog was authored with Stephen Mullan and originally published January 13, 2014.