Tag Archives: kahneman

Cognitive Bias Toward Loss Aversion

On the surface, it may seem redundant to think that underwriters are averse to loss. After all, our job is to make sure the policies we write for our respective companies earn more in premium than the claims and expense dollars that are paid. Yet, the cognitive bias of loss aversion is more nuanced, and recognizing the bias at work can help us avoid making ill-advised underwriting decisions.

In the 1970s, researchers Daniel Kahneman and Amos Tversky began exploring how biases affected decision-making, and went on to formulate what is known as Prospect Theory. At a high level, Prospect Theory found that, when people faced a choice that resulted in either a loss or a gain of the same amount, the displeasure resulting from the loss was far greater than the benefit derived from the gain. Simply stated, losses loomed larger than gains.

Picture the following coin-flip scenario:

  • If the outcome is tails, you’d lose $100
  • If the outcome is heads, you’d win $150

Would you take the bet? For most people, the fear of losing $100 outweighs the chance of winning $150, even though the expected value of the gamble is positive. To me, this example of the loss aversion bias feels like one of the more salient references to underwriting. Underwriting, in essence, is like a coin flip in the context that a bound policy either will or won’t have a loss. Quite often, we are faced with making judgment calls on challenging risks that do not come with a clean history. We are armed with supporting qualitative or quantitative information about the risk (i.e., affirming the “positive expected value” of the gamble), but it’s still possible that prior losses exert enough influence in the decision-making process that you must decline the submission.

See also: How Underwriting Is Being Transformed  

Additional caveats of Prospect Theory hold that decisions involving loss and gain are framed around a reference point, which is quite often neutral (or zero). Moreover, subjects in Kahneman’s and Tversky’s studies experienced diminishing sensitivity to both gains and losses. Essentially, an increase in income from $100 to $200 has more of an emotional impact than an increase from $1,000 to $1,100.

Consider the following choices:

    • A sure gain of $3,000, or an 80% chance to win $4,000

And separately,

  • A sure loss of $3,000, or an 80% chance to lose $4,000

For the gambled portion of both choices, the expected value would be positive $3,200 in the first choice and negative $3,200 in the second. With this in mind, the wager in “a” and the guaranteed outcome in “b” would appear to be the logical pick. However, Kaheman’s and Tversky’s research found the opposite: For choice “a,” the majority of subjects went with the sure gain, while for choice “b” most people chose the riskier option. Importantly, different behavior was observed on both sides of the reference point of zero. With this in mind, as well as knowing that losses are felt more than the same gains, their subjects’ behavior was described as risk-averse for gains, and risk-seeking for losses.

What comes to mind is the racetrack bettor who is having a bad day and decides to wager big on the long shot during the last race in an effort to recoup his earnings. He has a shot to break even and feels that it is wise to take it, despite the slim chance the horse has to win.

Does this happen in underwriting? Think of your production budget in the framework of situation “b” above. For added emphasis, imagine that the account you have on your desk will be the last one you’re working on before the quarter closes. Binding it would put you at plan, but not writing it would leave you short by 10%. What’s more, according to your metrics, this account is barely profitable, and you realize the price your broker is telling you to meet is deficient. Do you push to write it? Do you go all in on the long shot?

In this hypothetical example, the “loss” isn’t in the context of whether the specific account would earn an underwriting profit. The reference point here pertains to the potential budget shortfall. The underwriter has to decide whether to display sound judgment and pass on the risk, only to fall short of plan (a sure loss), or attempt to write a below-average account that might enable him or her to meet plan (a chance at no loss). Kahneman’s and Tversky’s findings might suggest that making the proper underwriting call in this case would be difficult, because we’re risk-seeking for losses.

See also: Risk Management: Off the Rails?  

Now flip this scenario on its head. What if you have already exceeded plan? Couldn’t this be construed as a sure gain? Recall that, due to diminishing sensitivity, additional gains lose their luster. So, are you motivated to pursue additional opportunities (a chance at a greater gain) knowing that you’ve already “won” for sure? Or does complacency set in, resulting in foregone revenue? Remember, we tend to be risk-averse for positive outcomes.

Therefore, we need to be aware of the potential impact of our cognitive biases, such as loss aversion, and how they shape our behavior. This could not be more relevant for underwriters, given that we regularly need to decide – often quickly or under duress – on which risks to wager our companies’ bottom line. At the end of the day, getting a better grasp on the way we frame our underwriting decisions will keep us away from that long shot and closer to the safe bet.

Originally published by the copyright holder, General Reinsurance, and reprinted with its permission.

3 Things SMEs Can Teach Big Firms

I was very fortunate to host a roundtable during the FERMA risk seminar in Malta. I am very thankful for the opportunity, because the experience of brainstorming for 45 minutes with the representatives from various small and medium enterprises (SMEs) really highlighted some major problems with modern-day risk management and risk managers.

Here are three things that I think all of us could learn from managing risk at SMEs:

SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value

For SMEs, time is pressure, management teams are small, margins are limited and, as a result, management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something’s not right…

So can risk management make companies money? Of course it can. Do modern-day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern-day approaches used by risk managers are so academic and superficial that management has a tough job buying it. Here is a short video on showing value from risk management, and it’s not what most risk managers are doing.

See also: Can Risk Management Even Be Effective?  

I think it’s about time we had an honest look at some of the activities risk managers do:

  • Do risk assessments really change the way business processes work, change the manufacturing process and change the way products are sold?
  • Do risk managers bring something of value to the table when any important business decision is made?
  • Do risk assessments change the way executives make decisions, and is risk analysis available on time to support every significant decision?
  • Are risk registers looked at by the CEO before making an important decision?
  • Do risk owners check their risk mitigation actions regularly?
  • Do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?
  • Do employees regularly read risk management framework documents?
  • Do managers call the risk manager before making a decision when faced with uncertainty?

I suspect the answer to most of those questions is “not quite.” This could mean one of two things: Either the risk manager is not doing his job properly, or he is properly doing his completely wrong. My bet is on the second option. There is simply a better way than risk profiles, risk registers, risk frameworks, risk owners — and so on. Here is a short video about what the future holds for risk management.

SMEs don’t do risk management to mitigate risks; they do it to make better decisions

This I found bizarre: We seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help make better decisions and achieve objectives. This realization is a big difference between SMEs and large corporations.

SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or some other regular internal. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analyzed at any moment during the day — when an important decision is being made or at every milestone within the core business processes — you are probably doing something wrong.

If there is one thing I learned over the years it is that no one in the company, and I mean NO ONE, expects the risk manager to care about risks. Well, maybe some about-to-retire audit committee member would, but most executives wouldn’t have the courage to deal with the real risks if you showed the risks to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result.

You can assign risk ownership to top executives as much as you like — no one cares. SMEs learned the hard way that unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talks about high risks and the need to mitigate them when, instead, they could be saying things like, “the probability of meeting this objective is 10% — unless we change things,” “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.

Anyone can be a risk manager, but it’s not natural

Despite what we within the risk management community have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way System 1 and System 2 thinking operate in our brain make it literally impossible to see most of the risks associated with making decisions, let alone analyze them or manage them. Since the 1970s, many scientists, including two Nobel Prize winners (Kahnemann and Tversky), have discovered more than 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks.

See also: 4 Ways Risk Managers Can Engage on Cyber  

This basically means risk surveys, most risk workshops and any kind of qualitative risk assessments are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of alternatives, much better alternatives.

So how was the rest of the FERMA seminar?

My feedback to the organizers stays the same as my last post on the FERMA forum in Venice last year. In short, it’s impossible to grow if the people you talk to at conferences are people just like you: risk and insurance professionals.

Someone needs to play the devil’s advocate. It would be good to hear from a CFO who says he doesn’t care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager.

But, then again, Europe is probably way too politically correct for that 🙂

Can Risk Management Even Be Effective?

Lately, everyone from government agencies to regulators to corporate board members seem to be talking about the need for more effective risk management. The challenging part is that, despite the guidance provided in ISO 31000:2009, the concept of risk management effectiveness remains vague. This article attempts to summarize the basic components of effective risk management, which should help risk managers to respond to the challenges set by regulators and shareholders.

The team at Institute for Strategic Risk Analysis in Decision Making (ISAR) and www.risk-academy.ru has been studying risk management for more than 15 years, and we firmly believe that effective risk management is only possible when all four criteria below are met. Each of these criteria is based on ISO31000:2009, the most widely used risk management standard in the world (translated and officially adopted in 44 of the 50 biggest countries based on the GDP).

1. Integrating Risk Into Decision Making

One of the most important tests of true risk management effectiveness is the level of risk management integration into decision making. ISAR research shows that companies achieve long-term advantage if they are capable of systematically integrating risk management into planning and budgeting decisions, investment decisions, core operational business processes and key supporting functions. Just consider an example of a large investment fund, which makes investment decisions only after an independent risks analysis and does simulations to test the effect of uncertainty on key project assumptions and forecasts. Another example is a large airline, which makes strategic decisions based on several quality alternatives with a risk assessment performed for each alternative.

For us it’s very important that risks are taken into account when investment decisions are made. That’s why risk assessments are mandatory for all investment decisions. Risks are identified and evaluated by both the project team and the back-office departments, including legal, finance, scientists, strategy and others. This ensures a more objective and independent risk analysis when making investment decisions.

–Konstantin Dozhdikov, Head of Risk, RUSNANO

 2. Strong Risk Management Culture

Human psychology and the ability of business managers to make decisions in situations of great uncertainty have a huge impact on risk management effectiveness. Nobel laureates D. Kahneman and A. Tversky, have conducted some exceptional research in the field of risk perception, showing that most people, consciously or subconsciously, choose to be ignorant to risks. Robust risk management culture is therefore fundamental to effective risk management. Take for example a large petrochemical company, which used online and face-to-face training to raise risk management awareness and competencies across all staff levels. The company also allocated resources to integrating risk management principles into the overall company culture. Another example is a government agency, which documented transparent discussion and sharing information about risks as one of the corporate values, which were later communicated to all employees.

See also: Risk Management, in Plain English

Training is one of the most important factors in the development of a risk management culture. Risk management can become an effective tool as soon as every employee understands what is it and how it applies to their personal area of responsibility. There are many different kinds of risk management training. It could be risk induction training offered to all new employees. Induction training should include a short explanation of the risks that might arise, information about a useful tool risk management and how to use it when making day-to-day business decisions. It is also useful to conduct separate specialized risk management training for department heads and key managers in order to help them integrate risk analysis into key business processes. The main thing is to remember that training is not supposed to be a one-time measure and, on the contrary, should be offered on a regular basis. Training sessions can be led by your company’s own risk manager or an external party, but either way the trainers must possess relevant competencies and qualifications.

–Lubov Frolova, Head of Risk , Tekhnodinamika

3. Disclosing Risk Information

Another criterion for effective risk management is willingness and ability of an organization to document and disclose risk-related information both internally and externally. A mature company not only documents the results of risk analysis in the internal decision making processes but also discloses information about risks and their mitigation to relevant stakeholders, where appropriate, in external reporting or on the company website. Because actual risk information may be sensitive and contain commercial secrets, the focus of disclosure should not be  on the risks themselves but rather on risk management framework, executive commitment to managing risks and culture of the organization. Many organizations tend to treat this formally, often copying and pasting risk management information in external reporting from year to year without any update.

Remember that disclosure of risk management information allows companies to both make and save money. For example, the insurance market reacts positively to a company’s ability to disclose information about the effectiveness of its risk management and control environment, offering a reduction in insurance premiums. Banks and investors also see risk disclosure in a positive light, allowing companies to lower their financing costs.

One large mobile network operator takes risk reporting particularly seriously. Its approach changed after an IPO. To this day, risk reporting as part of the annual report is not just a recount of the typical risks within their industry sector, but a reflection of key risk management changes and achievements over the last period. Risk reporting is composed of two parts: 1) A general description of events linked to risk management within the company; and 2) A description of key risks facing the company over the year. In the first part, risk managers give a detailed description of significant risk management events that occurred within the company that year. For example, there could be a description of how closely the company is aligned with the ISO 31000:2009 principles, or how the company has strengthened its risk culture. The second part describes common risk categories facing the company. This should point out the typical risks in the industry sector as well as the most significant risks identified over the past year. Additionally, the description of each risk should include the status of mitigation actions taken to manage the risk, their effectiveness and the anticipatory measures that the company intends to take in the future.

 4. Continuously Improving Risk Management

The final criterion for effective risk management has to do with the continuous improvement of the risk management framework and the risk team itself. One investment fund was able to do this with the help of regular assessment of the quality and timeliness of its risk analysis, annual risk management culture assessments and periodic review of risk management team competencies. For example, professional risk management certification helps to boost risk team competencies. One of the reasons behind the need for constant risk management improvement is rapid development of risk management discipline. The ISO 31000:2009 standard is currently being reviewed by more than 200 specialists from 30 different countries, including experts from Russia and members of ISAR. Some of the suggestions for the new version of the standard include the greater need for integration of risk management into business activities, including decision making, and the need to explicitly take into account human and cultural factors. These changes could have a significant impact on many modern non-financial organizations, raising questions about their risk management effectiveness.

See also: Risk Management: Off the Rails?  
Risk management, just like any other element of corporate governance, must be integrated into the overall management system of the organization. The ISO 31000:2009 international standard explicitly talks about the need for risk management to be adaptive, dynamic and iterative. As organizational risk maturity improves, so will the tools used by the organization to manage risks in decision making. Professional risk managers should not only develop risk management processes for the organizations but also improve their own risk management competencies.

As I am writing this, work is being undertaken on the update of both of the most widely adopted risk management standards (ISO 31000:2009 and COSO:ERM 2004). New versions are expected to be available in 2017 and promise to revolutionize our current understanding of risk management, not necessarily in a positive way. My experience shows that participating in international conferences, training sessions and certification programs constitutes a good way for risk managers to keep themselves in top professional shape.

I hope I will see you at the G31000 conference in Dubai on Oct. 12-13, 2016:www.g31000conference2016.org, where I will be presenting on the topic of risk management maturity.

We recommend executives and risk managers evaluate the current level of risk management maturity using the criteria for effective risk management presented in this article. If at least one of the puzzle pieces is missing, it is probably a bit premature to talk about effective risk management.