Assessing risk management – how to avoid an own goal

Picture the scene: Having battled to a goalless draw against Sweden and succumbed to defeat against a clinical Belgian side (and a highly debatable refereeing decision), the Republic of Ireland soccer team go into their final Euro 2016 group game with Italy knowing that only a win will guarantee progression in the competition, but a draw might be enough if other results go their way. Getting out of the “group of death” was always going to be a difficult task for the boys in green, and manager Martin O’Neill has a tough decision to make: choose a strategy which will maximise the possibility of scoring while minimising the chance of conceding, taking into account the various possible scenarios.
The fundamental elements of this decision – balancing risk and reward – aren’t unique to football, or indeed to sport in general. Managing risk is also what actuaries do, but how do you know when you’ve done it well (or poorly)?

Risk management does not eliminate risk
The only way to avoid all risk is not to compete at all. In other words, out of the possible responses to risk – remove, reduce, retain or transfer – there will always be some retained. The classic example is operational risk: the risk of inadequate or failed internal processes, people and systems. If you haven’t retained any of these, then you don’t have a company.

So, given that every company retains at least some risk (and many, such as insurers, specialise in taking on risk), there must be a distinct probability that, within a specific time period, the company will fail. And that is after assuming all the risk management processes are satisfactorily fulfilled.

All pretty obvious so far. Back to the football analogy…

The definition of success
In the end, it doesn’t work out for O’Neill’s men – the Italians score late in the match, sending Ireland home. A valiant defeat may not be the dream outcome, but at least the nation can hold its head high (and it’s a significant improvement on last time). The players did the best they could, but the opposition were just too good. Everyone knew there was a chance of losing, and that’s how it turned out.

The equivalent outcome in business is not quite as clear-cut. Suppose you’ve followed the risk management process by the book: you’ve identified, measured, controlled, financed and continuously monitored the risks, just as the risk management cycle dictates. You’ve estimated (with the help of judgement where necessary) that there’s around a 1 in 200 chance of the business collapsing this year. But then, disaster strikes. Maybe it’s a cyber-attack, a rogue employee, the bankruptcy of a key customer, or numerous other possibilities. Was this a brave effort that ultimately failed, or an avoidable oversight that could have been foreseen?

And that’s not the worst of it: after the dust has settled, you learn that your competitor didn’t bother with much in the way of risk management, but they still came through the episode mainly unscathed. Does this prove your efforts were a waste of time? Which company’s approach to risk management was really optimal? Given the opportunity again, what would you do differently?

Taking another look at history
Consider Equitable Life, often held up as an example of how not to do it. Essentially, it failed to accurately model its potential exposure to Guaranteed Annuity Rate policies which were sold in the 1970s and 1980s when interest rates were high, but which couldn’t be honoured as interest rates fell during the 1990s (i). And yet this is a company that survived and prospered for over 200 years – should we disregard this fact, given that it must have survived numerous previous risk events during the process? In order to learn from the failure, it is important to take a balanced view.

It is not only misleading to suggest that all failed companies must have had poor risk management, and all successful companies must be excelling, it is also missing the point. If the definition of success of risk management is exactly the definition of success of the company, then by implication risk management is just the same as running a business and vice versa. This can lead to dangerous consequences: for example, high returns could be achieved because a company is employing a high-risk strategy that is temporarily paying off but later turns sour.
It is more helpful to think of risk as the possible variation of results around the expected outcome. Risk management allows you to optimise a trade-off between risk and return, but the default position is determined by other means. The probability of Ireland beating Italy is low, but managing risk is one perspective to allow the team the best opportunity to do so (even if this is still a long shot).

Although it may be fashionable to proclaim that “all management is risk management” (ii), it would be wise to separate the two and consider risk management as a framework with which to make management decisions. Telling the difference between a valiant loss and an avoidable defeat is not easy, but it is key to interpreting events from a risk perspective. It is also crucial to communicate the risk management policy from the outset – explaining to other stakeholders that a risk appetite of zero is not possible.

None of this is new to actuaries, but I hope you’ve found it useful to consider in a different light. And as for the football, may the best team win (on average)!

Want to know more?
I’ve only scratched the surface. Check out the ERM Resource Database, where you can filter by “Benefits of ERM” or “Strategy”, among other categories.

Alex Breeze is a Consultant at Willis Towers Watson, member of the SAI’s Enterprise Risk Management Committee, and ever-optimistic Bristol Rovers and England supporter (despite all the statistical evidence to the contrary).

The views of this article do not necessarily reflect the views of the Society of Actuaries in Ireland, the Enterprise Risk Management Committee, or the author’s employer.

(i) Financial Enterprise Risk Management, Sweeting, 2011, pages 514-517
(ii) Practice Note on Enterprise Risk Management for Capital and Solvency Purposes in the Insurance Industry, International Actuarial Association, 11 August 2008, page 7