ACCA CRSA ERM research update PRL - - Get a Free

3/14/12

1

© 2011 Paradigm Risk Limited. All rights reserved 1

ACCA CRSA FORUM MARCH 2012 | BUT DOES IT WORK IN PRACTICE?

But does it work in practice . . . ? An brief update on research on risk, control & ERM

ACCA CRSA FORUM Approaches to Risk Management

16 March 2012

. . . helping !rms to make sense of and succeed in a complex and unpredictable world



Research on what? A framework of risk research

•  Risk •  The system •  Managing the system •  Risk in the system •  Managing risk in !rms / other entities •  Managing risk in the system

3/14/12

2



What does that mean?

Risk The nature of risk & uncertainty; where uncertainty arises and why; how humans understand risk rightly & wrongly; decision-making

The nature of the business and organisational world; the actors in the system; how government acts in and on the system; the role of banks, brokers, asset managers, corporate governance

The role of actors and government regulation and enforcement entities in establishing and maintaining the system

The nature and extent of risk in the market system, domestically and globally; markets for risk, !nancial risk transfer products, measuring and understanding risk in the system; !rm-level risk and required rates of return

The system

Managing the system

Risk in the system

Managing risk in !rms / other entities

Managing risk in the system

Firm- & entity-level risk management systems; structure, analysis and behaviour in !rms; control routines; risk objective setting; oversight; risk anticipation; resilience-building; risk response routines

Managing systemic risk in banking and !nancial services; managing money supply and aggregate supply and demand; managing externalities and cost-risk allocation systems between !rms and jurisdictions



Disciplinary focus

•  Integrative nature of ERM –  Engineering –  Systems theory / cybernetics / control theory

•  Insights from physical sciences, especially biology –  Financial economics

•  Insurance / catastrophe –  Utility theory / behavioural economics –  Organisational behaviour –  Learning, knowledge and knowledge management –  Philosophy / epistemology –  Psychology – group and individual behavioural / clinical –  Anthropology / sociology / political science –  Management accounting

3/14/12

3



Raises important questions . . .

•  Is there a unique discipline of risk management? •  Is there a profession of risk management? •  Who are the natural claimants to the title ‘risk management professional’?



They times they are a-changin’ (?) Bob Dylan (January 1964)

“Plus ça change, plus c’est la même chose.” The more things change, the more they stay the same. Alphonse Karr in Les Guêpes, January 1849

“We should resign ourselves to the fact that the ‘new normality’ is characterized by volatility and uncertainty.”

Josef Ackerman, CEO Deutsche Bank, Frankfurt, 5 September 2011

3/14/12

4



2012 results by impact

1.  [Another] major systemic !nancial failure

2.  Water supply crises 3.  Food shortage crises 4.  Chronic !scal imbalances 5.  Diffusion of WMD 6.  Extreme agricultural / energy

price volatility 7.  Severe income disparity 8.  Global governance failure 9.  Terrorism

WEF 2012 Global Risk Landscape



1

4

WEF (2)

Global risk categories

Economic Environmental Geopolitical Societal Technological

6

7

8

9

3/14/12

5



Some recent research on risk, systems, ERM . . .

•  Neil Allan & Neil Cantle, 2011. A review of the use of complex systems applied to risk appetite and emerging risks in ERM practice, The Institute and Faculty of Actuaries 28 November 2011 ( London) [77 pages]

•  Neil Allan & Neil Cantle, 2010, Risk DNA: An evolutionary approach to identifying emerging and adapting enterprise risk using phylogenic analysis, ERM Symposium, Society of Actuaries, (April 2010).

•  Marika Arena, Michela Arnaboldi & Giovanni Azzone, G., 2010. The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society, 35.

•  Simon Ashby, 2011. Picking up the Pieces: Risk Management in a Post Crisis World, London: FSRF, FS KTN

•  Simon Ashby and Stephen Diacon, 2010. Risk Appetite in Theory and Practice, Working Paper, Nottingham Business School



Some (more) recent research

•  Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, 2010. Enterprise risk oversight: A global analysis, CIMA and AICPA research series, September

•  Peter Bonisch, 2012. Getting to grips with risk governance and 'risk culture', Paradigm Risk White Paper, March.

•  Peter Bonisch & P.J. Di Giammarino, (2010). Achieving supervisory control of systemic risk, London: FS KTN, JWG and Paradigm Risk

•  John Downer, 2010. Anatomy of a Disaster: Why Some Accidents Are Unavoidable, CARR Discussion Paper, 61, March 2010

•  Scott Engle, 2010. Did Enterprise Risk Management Really Work? The Case of Lincoln Financial Corporation, ERM Symposium, Society of Actuaries, (April 2010).

3/14/12

6



Some (more) recent research

•  Deepa Govindarajan, 2011. Corporate Risk Appetite: Ensuring Board and Senior Management Accountability for Risk, (Henley) ICMA Centre Discussion Papers: 2011 Series (November)

•  Andrew G. Haldane & Robert M. May, 2010. Systemic risk in banking ecosystems, Nature, 20 January 2011, vol. 469

•  Thomas Hull, 2010. A Deterministic Scenario Approach to Risk Management, ERM Symposium, Society of Actuaries, (April 2010).

•  Tim J. Leech, 2012. The High Cost of “ERM Herd Mentality”, January, Leech & Co. GRC

•  Carl Macrae, 2007. Interrogating the Unknown: Risk Analysis and Sensemaking in Airline Safety Oversight, CARR Discussion Paper, 43, May 2007

•  Matthias Meyer, Cathérine Grisar, Felix Kuhnert, 2011. The impact of biases on simulation-based risk aggregation: modeling cognitive in"uences on risk assessment, J Manag Control (2011) 22:79–105



And still more recent research

•  Anette Mikes, 2011. From counting risk to making risk count: Boundary-work in risk management, Accounting, Organizations and Society, In Press

•  Leen Paape & Roland Spekle, 2012. The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study, European Accounting Review, forthcoming

•  Scott Page, 2011. Diversity & Complexity, Princeton Univ. Press.

•  Michael Power, 2009. 'The risk management of nothing.' Accounting, Organizations and Society, 34(6/7): 849-55

•  Michael Power, 2011. Smart and Dumb Questions to Ask About Risk Management, Risk Watch, May, The Conference Board of Canada.

•  Russell Sears, 2010. A fundamental law of risk evaluation, Contingencies, January/February, 10-13

3/14/12

7



And just a bit more . . .

•  Robert Skidelsky, 2009. Keynes: The Return of the Master, Allen Lane.

•  Standard & Poor’s, 2007. Request for comment: Enterprise Risk Management Analysis For Credit Ratings Of Non-!nancial Companies, 15 November

•  A New Approach for Managing Operational Risk Addressing the Issues Underlying the 2008 Global Financial Crisis, Actuaries Canadian Institute of Actuaries Casualty Actuarial Society, December 2009

•  UBS management, 2008. Shareholder Report on UBS Write-downs, Zurich, UBS, 18 April 2008

•  World Economic Forum, 2012. Global Risks 2012, Seventh Edition, WEF



Getting hold of . . . recent research

•  All references and links available at

http://www.paradigmrisk.com/latest-erm-research

3/14/12

8



Some key themes

•  Don’t count on counting – ‘calculative’ risk management is based on a series of assumptions about the future and its relationship to the past.

•  Risk management systems seem to work perfectly right up to the point that they don’t work – perceptions of current performance are unreliable.

•  Observing conditions of failure (after the fact) gives us an opportunity for practical learning about what works and what doesn’t. We should take it.

•  Reality is complex and complicated; assuming you can manage complexity simply is naïve.



Some key themes . . .

•  What we know – and can know – de!nes the limits of usefulness of risk prediction; to be effective, risk systems must move well beyond anticipation to allocation and resilience-building.

•  Intelligent questions challenge assumptions, invite discussion and debate and encourage candour. Checklist questions are usually “dumb” questions.

•  To control a system, you must seek to understand the behaviour of the system. Human involvement creates feedback loops that make any dynamic system complex.

•  People are fallible. All risk management systems will fail at some level.

3/14/12

9



Not all accepted techniques actually work

Arena et al (2010)

Highlight: risk maps are a waste of time

“ERM is then rendered a managerial problem only if the rationalities are re#ected in operable technologies. Qualitative risk maps are perceived as being of little use and far removed from managers’ decisions, contributing to a positioning of ERM as a governance device. In the case where this was overcome, and risks linked to performance, a new style of ERM-budgeting [ie. risk cost allocation system] emerged.” (emphasis added)



Asking intelligent questions & encouraging debate are critical

Power (2011)

Highlight: checklists lead to cliché responses

“A dumb question is one that essentially lacks traction, and is relatively easy for a CEO or CRO to answer and de#ect without revealing much of substance. Dumb questions allow executives to say something about due process, compliance, and the formal structure of risk management, but they don’t allow overseers to grasp the living process. For many external parties seeking to exercise oversight, such as institutional investors, dumb questions waste their limited time. Dumb questions simply invite busy executives to rehearse risk management clichés.

“An example of a dumb question could be “Do you have an embedded risk management system?” or “Do you have a strong risk culture?” There is nothing wrong with such questions themselves—their dumbness is not immediately evident, because they seem to feed naturally off the available guidance and current discourse.”

3/14/12

10



We need to look in detail at what works and what does not

Paape & Speckle (2012)

First large-scale, empirical review of ERM effectiveness

Highlight: COSO does not improve ERM effectiveness

“Application of the COSO ERM framework does not contribute to [perceived] risk management effectiveness. These !ndings raise concern as to the assumed authoritative status of this framework. If the framework is actually [useful], why do so many !rms choose not to use it? Any why are !rms that do use it not more successful that those that don’t?”



Measurement and estimation both have a place in ERM

Mikes (2011)

Highlight: measurement can only occur when things are measureable

“Over the last decade, a growing number of practitioners and commentators have been recasting a !rm‘s strategic, IT, legal, and compliance uncertainties as additional and distinct risk categories. If risk officers are to uphold the ideal of measurement, they can only extend their remit to risks that can be described by a priori known or statistically knowable distributions. Alternatively, if they are to discuss and in#uence the management of non-quanti!able risks, threats, and opportunities (Knightian uncertainties), they have to venture outside the measurement framework.”

3/14/12

11



Much ERM practice owes a lot to lemmings . . .

Leech (2011)

Highlight: we need to judge what works by observing practice and effect

ERM HERD MENTALITY WRONG TURNS

#3 – Focusing on risks - one-by-one

#4 – Making “risk registers” king

#5 – Falling in love with ‘heat maps’

#6 – Ignoring ‘black swans’

#7 – Focusing on controls instead of identifying all relevant forms of risk treatments

#9 – Using #awed and unproven “Risk Treatment” tools like COSO 92/COSO 2012 [or ISO or BS . . . ]



To address these problems . . .

•  New courses in risk management

•  Essentials of Risk Management: Lessons from Reality London, 4 & 5 April 2012

•  Crises, risk management and the ‘new, riskier normal’ 10 courses in London, April & May 2012 in association with the Centre for Governance Risk & Assurance (GRAcentre+) www.gracentre.org

3/14/12

12



Discussion



www.paradigmrisk.com

Documents

ACCA CRSA ERM research update PRL - - Get a Free