Archives for risk management

How good underwriters earn their money

It is the design part of my job that I find particularly satisfying. Taking an unusual exposure and designing a policy for it is always rewarding, particularly if I can help other potential customers with the same unaddressed exposure!

Increasingly though, I find that thinking about risk from the insurer’s perspective is more rewarding. It is not that I don’t think about what an insurer is going to look for when designing a new policy – you have to or you have no chance of succeeding.

I mean thinking like an underwriter when managing a portfolio; really, I mean thinking like an underwriting risk manager, because it is the design of the risk management framework around underwriting a portfolio that is fascinating.

The best approach I have seen – described very crudely – has three main elements, though there are many more detailed components within each. The roles in the three elements are performed by actuaries, underwriters and analysts.

The actuaries look into the past performance of the portfolio – or of proxy portfolios – and try to see what the past can tell them about the future performance of the portfolio.

The analyst looks forward and – I said this was crude – looks out for the icebergs that might cause the portfolio catastrophic loss. They also look for less dramatic changes in the external environment, to see the general direction the portfolio might head, for example, in risk selection, coverage and pricing terms.

It is the underwriter’s job to focus on the here and now and to contribute what he is seeing in the market day to day to the past and future analysis and – most important – to deploy the collective knowledge to everyday transactions.

I came across this article a few days ago. With my analyst’s head on, it reminded me of a Canadian programme I used to handle in London (in a former life…) – new home warranty in the Prairies and BC.

The main point of the article was a discussion about how long some buyers are having to wait for the delayed completion of their new condos. What interested me, however, is that the article seems to be highlighting two leading indicators of one of the key risks in any new home warranty programme.

First, the risk.

Depending on which set of figures you look at, most new home warranty claims occur within 12 or 24 months of the new home being taken over by its new owner. And most of the claims concern the fit and finish of the property. In some portfolios in some years, these losses can be anything up to 80% of the losses, so mitigating them can produce a significant benefit.

More important, these claims aren’t what a new home warranty should be about, which is to deal with a major structural issue or design defect – like the water ingress problems in BC some years ago. This means that mitigating these losses is essential because, otherwise, the underwriter has no margin to deal with the most significant exposure in the portfolio.

Now, the two leading indicators.

The article describes how the gap between promised delivery dates and actual delivery dates is now often more than a year, sometimes 18 months. Now, not every developer will cut corners when they are so far behind in their schedules but, given the knock-on effect this could be having on their cash flow, you have to suspect that the temptation might be there… Checking a developer’s actual v. promised delivery dates looks to me like an obvious way of monitoring this.

The article also discusses the demographics of the construction industry. It talks about how many are employed in the industry at a given time and how this peaks as the property market heats up. Now, it is one of the best known risks in the new home warranty business that the hotter the property market, the more unqualified developers and trades enter the industry and the more frequent and severe the fit and finish claims become. It would therefore be worth investigating whether there is a number or percentage of construction-related workers, compared to all those employed, that corresponds to “too many, not good enough trades”.

Of course, the further challenge then is to manage the tension between extended delivery times and “too many not good enough trades” and to do so bearing in mind that the leading nature of the indicators is pointing to a potential increase in claims in two or three years’ time. But that is when a really good underwriter makes their money – deploying uncertain knowledge, that might be as helpful to their customers as to them, without endangering the portfolio or losing too many of their better customers.

Just so you know what I see when I read the business pages…

Complete network security? Hit managers harder.

Firms – or rather the managers of firms – always like to externalise their costs (a polite way of saying ‘let someone else pick them up’) but you can understand them bitching about this idea (from the US Senate, via Bloomberg Businessweek) when the costs are questionable, at best.

Two of the largest U.S. business-lobbying groups criticized a Senate cybersecurity bill aimed at shielding vital computer networks, saying the measure would burden companies with unneeded and costly regulation.

The bipartisan legislation introduced yesterday calls for the U.S. Homeland Security Department to identify systems critical to national and economic security and set security rules for overseeing companies and government agencies.

The aims of course sound entirely reasonable – legislative aims usually do.  As set out in the article, even the key provisions sound sensible:

Under the legislation, the Homeland Security Department would have the power to identify systems that may cause mass casualties or catastrophic economic damage when attacked. The agency would set regulations requiring operators of critical networks to improve security. Companies would have to show that their networks are secure or face penalties.

Well, they were sensible until that last line.

Companies would have to show that their networks are secure or face penalties.

Wielding a big stick is absolutely the right answer to some questions but it is not the right answer to every question.  And it absolutely cannot be the right answer if the question is ‘how do I make my network secure?’

It is not just that there is no such thing as a completely secure network, which no amount of hitting is going to change.  It is that hitting/penalising people encourages them – perfectly rationally – to adopt a herding or flocking view where, ‘they can’t hit all of us if we all act the same way’.

To ensure they act the same way, rules are created for everyone to follow and following the rules becomes more important than the original objective for which the rules were established.

And, as my Father-in-Law never stops telling me:

Rules are made for the guidance of wise people and the obedience of fools.

We all, clearly, want networks to be as secure as possible – certainly those capable of causing “mass casualties or catastrophic economic damage when attacked” – but you can’t impose an unattainable standard of security (complete security) by fear.  All you end up with is bright people managing security foolishly because it is safer (personally) than doing it wisely.

And yes, I believe ‘wisely’ is possible because I believe most people innately prefer to behave well.

What does it say about legislators, that they think in terms of hitting?  A question for another day…

Would you freely share cyber security information with Government?

This article from Sci-tech today discusses a new report due out in a couple of days from The Constitution Project.

According to the article, the report will discuss how:

The federal government’s plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans’ civil liberties.

In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.

I am sure the concern about the exposure of personal information is genuine but it seems to me that the real threat is to the efficacy of a cyber risk sharing initiative proposed and supported by Government.

In my experience, of all the entities firms are willing to share information with, Governments are at the bottom of the list.

(Another) Top insurance executive misses the point shock…

Update 9/2/12: Joe Plumeri (Martin Sullivan’s boss – see below) makes the same 300 year old speech but (naturally) more colourfully at InsiderScope… “The golden age of insurance is upon us” – apparently…

I have just read a report (subscription required) in The Insider (an excellent London market based insurance magazine @InsuranceInside) about a speech Martin Sullivan gave two days ago to an Insurance Institute of London meeting at Lloyd’s.  Though Sullivan is currently Deputy Chairman of Willis, he is better known as the former head of AIG.

Now, because I wasn’t at the speech, I may be about to be very unfair to The Insider or to Martin Sullivan because either:

  1. the report was dreadfully incomplete or
  2. the speech was dreadfully incomplete.

Can someone please tell me which is true?

Here’s what I mean.

According to the report, Sullivan’s speech seems to have been celebrating the 350th (or so) anniversary of the ‘there are lots of scary new risks out there and we need to be innovative about designing new products for them’ speech.  Since new risks have always emerged, Sullivan seems to have inserted some nearly interesting if entirely predictable comments about volcanos, tsunamis, reputations, cyber, patents and IP, and supply chain risk into the blanks of the ‘scary new risk’ speech template.

Templates are very useful but when they get out of date, as this one has, they can be extremely dangerous.  The problem with the ‘scary new risks’ speech template is that the first half of its thesis (that there are lots of scary new risks) is unarguable – in the way the bleeding obvious is always unarguable.  This lulls listeners into accepting what sounds like a perfectly plausible second half of the thesis; that innovative new products are the natural response to new risks.  Except that they aren’t any more.

Innovation is something individual firms choose to do, sometimes for tactical, sometimes for strategic reasons and most innovation is incremental.  Even at a specific level therefore, Sullivan’s prescription for dealing with the new risks is flawed.  For example, incremental approaches won’t deal with the dynamism of some of the new risks, other new risks are networked so individual firms can’t hope to deal with them on their own and most of the new risks are to some extent the result of a new environment, where tools also from the new environment are necessary to deal with them – but I’ll come back to those points another day.

My point is that innovation is a logical response only in an unthinking ‘if new this, then new that’ sort of a way but its ‘straight on’ logic puts me in mind of the kind of tumbleweed moment Wile E. Coyote has when he realises he has run off a cliff. The logic appears perfect, yet is completely flawed because of the turn not taken.

The turn not taken?  This is where the prescription is more fundamentally flawed.

We are living in arguably the most exciting times since Gutenberg developed a workable printing press. The means to generate, produce, add to, filter and disseminate information now exist in the hands of anyone with an Internet connection. As a result, industries – particularly information industries like insurance – are being fundamentally re-shaped. Some completely new industries and companies have started to emerge; think social media, Google and Facebook. Some old industries have resorted to fighting tooth and nail to try to save themselves; think old media and SOPA. And former titans of the old world are disappearing; 131-year-old Eastman Kodak has just filed for Chapter 11 bankruptcy protection.

Information industries are being re-shaped because the value chains by which information based products and services are produced or distributed (or both) have changed beyond all recognition – many disappearing altogether. The firms and industries that survive will be those able to adapt to the new information value chains, not those that just innovate better products. Innovation is not nearly enough. Kodak, for example, is in desperate trouble not because it was deficient in innovative capacity. Its patent assets are its most valuable (only?) asset. It was a deficiency of adaptive capacity that turned Kodak from the company that once had such an exciting future, it was a catalyst for Warren and Brandeis to write “The Right to Privacy”, into what now looks, waddles and quacks very much like a patent troll. How the mighty are fallen…

Adaptation is something firms across an industry have to do in the face of a fundamentally new environment. Unlike innovation, failure to adapt means certain death. What has this got to do with the insurance industry? I don’t know if you think data (the raw material of information and its yet more refined cousin ‘knowledge’) is ‘one of’ or ‘the’ core ingredient in insurance but it is one or the other. Which of the two you think it is, is however unimportant because the extent of the change to information value chains is so significant. Insurance is used to commanding and controlling data but data is now, and will increasingly become, user generated, networked and so open to direct customer analysis.

The insurance industry’s future won’t therefore be shaped by how well or not we develop innovative new products to flog to customers already disgruntled by our out-dated processes and approaches.  It will be determined by how well and how quickly we adapt to how our customers are already starting to develop their own risk knowledge, to share it freely among themselves and where differentiation will be determined by customers gradually learning how to apply their newly developed knowledge in their own interests.  It will also be determined by how well we meet customer demands for products they design, based on their expert and/or crowd-sourced analysis of the risk.  It is almost rude to mention this last challenge – last in this incomplete list that is – that customers will also be able to generate more, richer and dynamic information, more cheaply than insurers.

At the risk of repeating myself – as anyone who has been kind enough to listen to me or read this blog before will know – I expect the application of social/collaborative technology to better connect the networks that currently operate too distinctly across risk, risk owner and risk management systems will be our key adaptation challenge but I also acknowledge the challenge may come from another direction.

In an earlier post, I wondered if the insurance industry would learn from the mistakes of the old media industry.  One of their mistakes was not to realise what was coming; another was to respond inappropriately when ‘it’ arrived.

The insurance industry doesn’t have the excuse of not knowing what’s coming and yet if we maintain the ‘straight on’ strategy the report suggests Sullivan called for two days ago, we will innovate ourselves off a cliff.

So, who was I unfair to?

A collaborative approach to cyber risk

I have now had a chance at a first read of the UK Government’s Cyber Security Strategy.

There is some solid stuff in here and I obviously can’t argue with the essentially collaborative approach it espouses – I have been going on about that for years.

I will be particularly interested in watching what happens – if anything – at the ‘strategic summit’ proposed with ‘professional business services, including insurers, auditors and lawyers to determine the role they might play in promoting the better management of cyber risks’.

On one hand, I fully expect it to be one of those meetings for which all Governments are famous – meetings meant to show something is being taken terribly seriously rather than to actually achieve anything.  And that would be fine because the tenor of the Executive Summary is that the Government is inviting the private sector to join their ‘vision’ – yes, they use the ‘vision’ word.

I don’t want to get all Libertarian on everyone but in the interests of all cyber security stakeholders, shouldn’t the private sector be leading the initiative on developing better cyber risk management?   And most of all, isn’t that because cyber risk management is essentially a practical concern?

How will cyber risk be modelled? Part 1

Insurers are struggling to model cyber risk.  In this first of two posts, I suggest that because of the dynamism and complexity of cyber risk, insurers should reconnect with the original purpose of models and then re-think their design.  The result could be cyber risk models primarily designed to understand cyber risk rather than the risk insurers accept, which is not the same thing at all.  The way cyber risk is understood also points to how it will then be managed.

In a second post, I will describe some of the elements I expect will form part of cyber risk models.

These ideas came out of reading a LinkedIn Groups (Privacy Risk Management specifically) response to this post.  The response was:

The challenge for an insurer to provide DDoS cover is to find a model with which to assess the exposure, and thus ascertain the cover and risk exposure. This requires an assessment model of sorts to score the potential client (and maybe a form of compliance statement to ensure a minimum standard of care before cover can be provided). Developing that model is not impossible, but it will take some time before that model can be tuned as there are no histories to work with.

It made me read the original post, which turned out to be one of those well-researched but slightly generic descriptions of cyber insurance written by a law firm advertising for coverage counsel work; i.e. interesting if deliberately not very specific.

Back to the response, it is a straightforward, high-level route map to underwriting cyber risk and so it is difficult to argue with some of it.  Like most commentaries on cyber risk however, it discusses cyber risk models without offering very much in the way of how such models might actually be designed.  It also makes two common but I believe fundamental mistakes.  It assumes cyber risk models will be like traditional models and that time alone will make cyber risk models effective.

On the contrary, I don’t believe cyber risk models will resemble anything traditional – i.e. loss based and tuned to emerging portfolio characteristics.  In fact, I think that if we pursue traditional modelling approaches, we will never effectively model cyber risk.

One reason traditional models can’t cope with cyber risk is, perhaps curiously, because of their reliance on portfolio theory. Portfolio theory is the core underpinning of risk acceptance, allowing insurers to safely assume that not all risks are going to have losses every year, even if they don’t know how many will have losses. But in relation to the amount and detail of risk information captured by insurers, and the frequency with which risk information is updated, portfolio theory also means insurers only capture enough information on each risk to verify that the risk falls broadly within the range of risks they want in a particular portfolio. This is because, while the portfolio gradually changes all the time – for example as new risks enter and non-renewals leave it – the insurer operates under the reasonably safe assumption that neither individual risks nor other elements of the portfolio (the environment in which the risks exist for example) will usually change so quickly that the insurer can’t react to them.

The problem is that cyber risk isn’t like that; it changes a lot and quickly. There are risks that potentially affect far more people, like pandemic risk, and risks with far greater severity potential, like quake. But there is no other risk that combines the number of potentially affected people and systems with so much severity potential, that is also in so constant a state of change, that is so complex and which, hardly surprisingly, crystallises into big losses so frequently.
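The portfolio-theory point above can be made concrete with a small simulation. The following is an added illustration, not code from the original post: it compares a portfolio where each risk suffers losses independently (the traditional assumption) with one that has the same expected loss frequency but where part of that frequency comes from a shared event hitting many risks at once, the way a widely deployed vulnerable component does in cyber. The portfolio size, loss probability, shock probability and shock share are all constructed parameters chosen for illustration.

```python
"""Monte Carlo: diversified portfolio vs. common-shock ("cyber-style") portfolio.

Added example with constructed parameters; it is not from the original post.
"""
import random
from statistics import mean

POLICIES = 500       # risks in the portfolio (constructed)
YEARS = 5000         # simulated policy years (constructed)
P_LOSS = 0.05        # expected annual loss probability per risk (constructed)
SHOCK_PROB = 0.02    # probability of a systemic event in a given year (constructed)
SHOCK_SHARE = 0.5    # share of the portfolio hit when the systemic event occurs (constructed)


def independent_year(rng, n=POLICIES, p=P_LOSS):
    """Traditional assumption: each risk has a loss independently of the others."""
    return sum(1 for _ in range(n) if rng.random() < p)


def common_shock_year(rng, n=POLICIES, p=P_LOSS, q=SHOCK_PROB, share=SHOCK_SHARE):
    """Same per-risk expected loss as independent_year, but a fraction of the
    portfolio shares a common failure mode that strikes in a single year."""
    # Idiosyncratic rate chosen so the per-risk expected loss still equals p:
    #   p = q*share + (1 - q*share) * p_idio
    p_idio = (p - q * share) / (1 - q * share)
    shocked = rng.random() < q
    exposed = int(n * share)  # the risks that share the common component
    losses = 0
    for i in range(n):
        if shocked and i < exposed:
            losses += 1          # the systemic event takes out every exposed risk
        elif rng.random() < p_idio:
            losses += 1          # ordinary, uncorrelated loss
    return losses


def percentile(values, pct):
    """Nearest-rank percentile on a list of annual loss counts."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def simulate(year_fn, years=YEARS, seed=1):
    """Run one portfolio model for many years; return mean and 99th-percentile
    annual losses, plus their ratio (a crude measure of how fat the tail is)."""
    rng = random.Random(seed)
    annual = [year_fn(rng) for _ in range(years)]
    avg = mean(annual)
    p99 = percentile(annual, 99)
    return {"mean": avg, "p99": p99, "p99_over_mean": p99 / avg}


if __name__ == "__main__":
    for label, fn in (("independent", independent_year), ("common shock", common_shock_year)):
        r = simulate(fn)
        print(f"{label:13s} mean={r['mean']:6.1f}  p99={r['p99']:4d}  p99/mean={r['p99_over_mean']:5.2f}")
```

Both portfolios show almost the same average annual loss, which is all that a model tuned to emerging portfolio experience would pick up. The 99th-percentile year, the one the underwriter has to hold capital for, is several times larger in the common-shock portfolio, because the diversification that portfolio theory relies on is absent in the years that matter.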

Cyber risk is so different in fact that I don’t think cyber risk models will be designed to serve insurers in the way traditional models are.  Rather, I imagine cyber risk models will take a back to basics approach and be designed simply to understand cyber risk.  Risk management, with risk transfer as an integral part of the overall process, will flow from understanding the risk – at least as well as that is possible with a risk that changes so much and so quickly.  I believe in this idea of an independent model for two reasons.

First, because of cyber risk’s complexity I doubt that any one entity (insurer or otherwise) will be able to build an effective model on their own.  A model that is effective at understanding cyber risk will necessarily therefore be a collaborative process, first to collect sufficient data and second, so appropriate expertise is available to understand the data collected.

Second (and reinforcing the idea that collaboration can be a valid profit optimising strategy), in order to benefit from a collaborative modelling process, collaborators must have good reason to invest the time, money and effort needed to make an effective model. I therefore expect that potential collaborators – system owners, insurers and the many experts needed to analyse cyber risk – will each want to be free (probably within a Creative Commons framework) to make decisions about how they choose to address cyber risk in their own interests.

A further purpose of the model will then be to allow for and to accommodate those decisions within the model – up to a point of course; ignoring cyber risk not being one of the options!  System owners will be able to decide how much to spend (on security for example) and what to prioritise based on model outputs of the latest threats or new legal concepts.  Insurers will be able to make similarly based decisions on the kind and amount of exposure they wish to accept.  Experts will be able to offer their services to system owners, insurers and others based on what they learn from the model, as long as the service is attributed to the model.

The sum of these issues suggests to me that it will make more sense for insurers and system owners to work together with relevant experts to design a model; an alternative would be to leave the design to an independent third party.  In either case, there are a few implications that flow from this suggestion…

One is that, by designing a full risk management model that fully integrates risk transfer, the model would put insurance (at least for cyber risk) back into its proper relationship with the rest of risk management, as opposed to it being the afterthought it often seems today. Another would be that the almost impossible problem of both insurers and their customers maintaining ‘utmost good faith’ towards each other, in the face of a constantly changing risk, would be eliminated. Yet another however, is that the insurance value chain, as we know it today, would cease to exist. But I’ll stick with the model discussion for now…

In this first post, I have indicated why I don’t think traditional modelling approaches will be effective for cyber risk and that insurers aren’t going to have enough resource or expertise to build the new kinds of models needed on their own.  Equally however, risk owners and experts aren’t going to invest time, money, data or expertise into a model that doesn’t directly help them otherwise address cyber risk in their own interests.

In part two, I will try to describe some of the main ingredients of such a cyber risk model.

Infographics

This video is a good introduction to Infographics.

In a risk management world where data needs to make sense to everyone – not just actuaries – this will be important.

The value of data visualisation