The business of risk management

CIO talks to risk management expert, Associate Professor John Evans.

CIO: What are your main areas of interest in terms of risk management and business?

Evans: I look at risk as a holistic approach, how you actually implement it into an internal organisation. The other area I work in is called 'extreme risk'. My particular area of interest is operational risk. But you can get extreme risks in credit risk, or in market risk. One of the reasons I'm interested in all that is that we don't know how to model it. We just don't know.

We have data for banks around the world. We're still reaching the conclusion [but it looks as if] you have to run two models; one for the normal bit, which nobody is all that interested in anyway because it's easy and banks have been meeting the costs of those normal operational risks for the last couple of hundred years. It's the extreme ones, and I guess the issue that interests me is that these are unpredictable. So therefore, while I'm encouraging modeling, I'm also encouraging lateral thinking about risk -- even if you can't identify them. They're unknown unknown risks.

How do you try and manage that sort of unknown risk?

There are a couple of ways of doing it. One is to just pick a number out of the air, add a 'fiddle factor' and that's the amount of capital you have. Nobody will have a clue whether it's right or wrong.

Another one -- and it is one I teach students -- is to be very careful with your contractual obligations. Leaving consumer issues aside, in particular, what I advocate in, say, insurance, is what I call 'positive word contracting'. Say you have a motor vehicle contract. So instead of saying 'if you prang your car we'll pay', you say 'if event A or B or C happens, we will pay'. If you just say 'if you prang your car, we'll pay', you have no idea what that means. And things can change over time.

Now the big advantage for general insurance of course is that these are one-year contracts. So putting aside marketing issues, you can change them, theoretically.

That's why I like the holistic approach. I don't think you can manage risks in one dimension. Particularly extreme risks; they're not one-dimensional at all. They're multi-dimensional problems. And you have to think about how the organisation controls these, and you also have to ask: If we can't control them, do we want to be in the business?

Now that's a decision people are really scared to make. Particularly insurers. The marketing people will tell them we have to have this contract and you have no idea what the liability is going to be.

I'm not advocating this from the social perspective, but in Queensland, they had this definition (I'm not sure of the exact words) of what a flood was -- and it didn't include water just trundling down the street. It had to be a thing called a flash flood. I think, from an insurance perspective, that's perfectly reasonable to limit the risk.

Then you have the other side of the organisation that looks at marketing -- not sales. They'll say: "Well, I'm not too sure that, if there was a catastrophe, we're going to get away with this." What that simply means is they're pricing as though they can get away with it, and then they find they can't.

It's called going broke. And you have to be careful of the re-insurance contracts as well because if you've excluded it, they've excluded it. You're left out holding the baby.

You also have to be aware of political risk, and that's one thing that we're not very good at taking into account. A long time ago, there was a hill slide in Wollongong and several houses ended up in the ocean. Hill slides were not covered under the NRMA insurance in those days, and the political hoo-ha was such that they ended up paying. Now it was 20 houses times $50,000, $60,000 in those days for a house in Wollongong. But that could have been millions of dollars.

And we are seeing that to some extent in Queensland...

I think that's why you've got to get a cultural approach. It has taken Australian institutions a long time to come to grips with that. The banks were the first into it -- at least the top two or three banks -- and my view is that their culture now is one of risk management. Why do you do it? It's actually quite financial. In the end, you do not want profits gyrating all over the place. We know from research... that shareholders have a perception of the range of profit fluctuation for various institutions.

Remember when NAB had that foreign exchange problem and APRA threw a tantrum? I think they lost $360 million or something. That's a flea bite; they lost $4 billion on HomeSide in the US.

APRA's attitude was: It was a pure mistake, or chance, that the number was 300. [The NAB was] so far out of control that it could have been any number.

That's what APRA was all about. But why did the share price go through the floor? It went down by about 20 per cent. The reason is that shareholders began to say: "What else is going on? We're scared and you're not going to come within this nice range."

QBE is another classic example, on the opposite side. When 9/11 happened, QBE was going to the market to raise capital. They admitted they had some liability, admitted they had no idea what it was, through re-insurance contracts, but they were subscribed in the market. Normally they should have got belted, right? But the market said, "Yes, you're in the insurance business and it's volatile".

So I think you have to look at it quite holistically, and that's why the chief risk officer is now a very senior person in the business -- it's to make sure that your real end objective is to make sure that your profits and earnings are within the acceptable range -- no shocks.

I think the banks have achieved that. There's very much a risk management culture. Whereas US banks are not.

Will we see that change in the US, in future?

Absolutely. The unfortunate thing is we're going to get caught.

In the regulatory environment?

Yes, there'll be more regulation, which I don't think is necessary in Australia. What you need to do is set up a framework and say to the banks, "Just get on with it". Because the banks actually know more about their business than the regulator does. That comes as a surprise to some people, but they do. And therefore they know how to manage their risks.

But we are going to get caught on the backend of the US disaster, and the reason the US had a disaster was simply because it was driven by market share. It wasn't driven by risk management at all.

So what other organisations are going down the risk management path at this point in time, and who can do it better?

I think the general insurers are going down the path now. They have gone down it some way already. I did a survey about five years ago and... bearing in mind these people are in the risk business, I didn't think they had a clue in terms of risk management. There have been dramatic changes in the last five years. Now I think to some extent APRA, the regulator, has a lot of experience with the banks now. So we can actually drive this thing forward more quickly. But effectively too, solvency is coming.

There's also a view now that there should be a common regulatory regime across all the financial institutions. And I think that makes a lot of sense, provided you keep it at a principle level and not at a detail level.

And which industry needs a bit more work, in your opinion?

I don't work outside of the financial sector, but, having had some experience recently with mining companies, I don't think they have a good grasp of risk management.

Chief information officers can often end up as the quasi-risk managers for their organisation...

Which is probably not good practice...

So how can they educate their peers that this needs to change?

Risk management is a completely different function; it's to look at the information and say, "What is significant and what could go wrong?"

In fact, ultimately, the responsibility is on the board. It's not the responsibility of the chief information officer; it's up to the board to drive it and to ask: "Where are our risks?"

Risk is often difficult to quantify. How do you overcome this?

It's great to be able to quantify things, but it's about 'identify', it's not 'quantify'. You need to be able to identify the risks. Use traffic light systems, if that is what the organisation understands. Don't try the fancy maths. And if you're going to do the fancy maths, just make sure you understand where it's wrong.

You mean the assumptions?

Most of the 'quant' stuff in risk management makes one fundamental flaw: It assumes the world keeps continuing. Which is not what's going to happen in a crisis.

This story, "The business of risk management" was originally published by CIO.

Copyright © 2011 IDG Communications, Inc.
