# Could Risk Analysis Win the Lottery?

I started writing yet another article trying to convince risk managers to grow their quant competencies, to integrate risk analysis into decision-making processes and to use ranges instead of single-point planning, but then I thought, why bother? Why not show how risk analysis helps make better risk-based decisions instead?

After all, this is what Nassim Taleb teaches us. Skin in the game.

So I sent a message to the Russian risk management community asking who wants to join me to build a risk model for a typical life decision? Thirteen people responded, including some of the best risk managers in the country, and we set out to work.

We decided to solve an age-old problem – win the lottery. With help from Vose Software ModelRisk we set out to make history. (Not really: It’s been done before. Still fun, though).

Here is some context:

• Lotteries are an excellent field for risk analysis because the probabilities and range of consequences are known
• In Russia, as in most countries, lotteries are strictly regulated.
There is a rule: When a large amount accumulates, several times a year it is divided among all the winners. This is called roll-down.
• If no one takes the jackpot before or during the roll-down, then the whole super prize is divided among all other winners
• So the probability of winning is the same as usual, but the winnings for each combination can be significantly higher if no one wins the jackpot.

We set out to test our risk management skills in a game of chance.

June 8, 2019

Whatsup group created. Started collecting data from past games. Some of the best risk managers in the country joined the team, 15 in total: head of risk of a sovereign fund, head of risk of one of the largest mining companies, head of corporate finance from an oil and gas company, risk manager from a huge oil and gas company, head of risk of one of the largest telecoms, infosecurity professionals from Monolith and many others.

June 9, 2019

Placing small bets to do some empirical testing.

June 10, 2019

June 11, 2019

Created red team and blue team to simultaneously model potential strategies using two different approaches: bottom up and top down. Second model is created…

June 12, 2019

Testing if the lottery is fair, just in case we can game the system without much math. Yes, some numbers are more frequent than others, and there appears to be some correlation between different ball sets but not sufficient to produce a betting strategy. The conclusion – the lottery appears to be fair, so we will need to model various strategies.

June 13, 2019

Constantly updating red and blue models as we investigate and find more information about prize calculation, payment, tax implications and so on. The team is now genuinely excited. Running numerous simulations using free ModelRisk.

June 14, 2019

Did nothing, because all have to do actual work.

June 15, 2019

After running multiple simulations, we selected a low-risk, good-return strategy. Dozens more simulations later, here are the preliminary results, using very conservative assumptions:

• probability of loss 9.8%; worst-case scenario, we lose 60% of the money invested
• probability of winning 90%; 80% of the time, winnings would be between 50% and 100% of the amount invested, after taxes (this means there is a high possibility to double invested cash at relatively low risk)
• potential upside significantly higher than downside

Red and blue team models produced comparable results.

June 16, 2019

Started fundraising.

If we manage to collect more than the required budget, we decide to make two bets: one risk management bet (risk management strategy) and one speculative bet with much higher upside and as a result greater downside (risky strategy).

Full budget collected within just a few hours. Actually collected almost double the necessary amount and, as agreed, separated 50% of the funds into the second investment pool. Separate team set out to develop the risky strategy. While I was an active investor in the risk management strategy, I decided to play a role of a passive investor in the risky strategy and only invested 16% into the risky.

June 17, 2019

Continued to develop the model, improving estimates every time. Soon, we felt the financial risks were understood by the team members, and we needed to take care of other matters before the big day.

First, took care of legal and taxation risks. Drafted a legal agreement clearly stating the risks associated with the strategy, the distribution of funds and the responsibilities of team members. Each member signed. Agreed to have an independent treasurer.

Then started to deal with operational risks. Apparently transferring large sums of money, making large transactions and placing big bets is not plain vanilla and required multiple approvals, phone calls and even a Skype interview. Five team members in parallel were going through the approvals in case we needed multiple accounts to execute the strategy.

Probably the biggest risk was the ability of the lottery website to allow us to buy the tickets at the speed and volume necessary for our low-risk strategy. This turned out to be a huge issue, and we found an ingenious solution. The information security team at Monolith did something amazing to solve the problem, and I mean it, amazing. I have never seen anything like this. It’s a secret, unfortunately, because, you guessed it, we are going to use it again.

The strategy that the lottery company recommended for large bets is actually much riskier than the one we selected. How do we know that? Because we ran thousands of simulations and compared the results.

June 18, 2019

The lottery company changed the game rules slightly. Ironically, this slightly improved our 90% confidence interval and reduced the probability of loss. So, thank you, I guess.

More testing and final preparation. The list of lottery tickets waiting to be executed.

In the true sense of skin in the game, team members who worked on the actual model put up at least double the money of other team members.

June 19, 2019

8am. We were just about to make risk management history. A lot of money to be invested based on the model that we developed and had full trust in. I felt genuinely excited: Can proper risk management lead to better decisions? I am sure other team members were excited, too.

By about lunch time, the strategy was executed. We bought all the tickets. Now we just had to wait for the 10pm game. Don’t know about the others, but I couldn’t do any work all day. I couldn’t even sit still, let alone think clearly. Endorphins, dopamine, serotonin and more.

At 9:30pm, we did a team broadcast, showing the lottery game as well as our accounts to monitor the winnings, both for excitement purposes and as full disclosure.

Then came the winning numbers. Two team members actually managed to plug them into the model and calculate the expected winnings. We had the approximation before the lottery company did.

You guessed it: We won. Our actual return was close to 189% on the money invested after taxes (or 89% profit; remember, our estimate was 50% to 100% profit, so well within our model). We almost doubled our initial investment. Not bad for risk management. (Good luck solving this puzzle with a heat map.)

June 20, 2019

More excitement, model back-testing and lessons learned — and, perhaps the most difficult part, explaining to non-quant risk management friends why, no, this was not luck; it was great decision making.

In fact, our final result was close to P50. We were actually unlucky, both because we didn’t get some of the high-ticket combinations and, more importantly because five other people did, significantly reducing our prize pool.

Let me repeat that: We were unlucky and still almost doubled our money.

June 21, 2019

Job well done!

# 4 Steps to Integrate Risk Management

Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.

Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.

Step 1 – Strategic Objectives Decomposition

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.

This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Important note: While it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead.

Example: Risk Management Implementation

VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.

During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.

The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.

Step 2 – Identifying Factors, Associated With Uncertainty

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:

• Whether the assumption is associated with high uncertainty.
• Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
• Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
• Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections and interviews with key employees.

By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.

Example: Risk Management Implementation (Continued)

The assessment would look into:

Macroeconomic assumptions

• Foreign exchange
• Inflation
• Interest rates (rubles)
• Interest rates (USD)

Materials

• DV30 materials
• DV40 materials

Debt

• Current debt
• New debt

Engines sales

• New DV30 sales volume
• New DV40 sales volume
• DV30 repairs volume
• DV40 repairs volume
• DV30 price
• DV40 price

Other expenses

• Current equipment and investments in new
• Operating personnel

Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.

We will review what will happen to management projections after the risk analysis is performed in the next section.

Step 3 – Performing Risk Analysis

The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.

When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.

The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.

Example: Risk Management Implementation (Continued)

The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:

• The risks to achieving the strategy are significant and need to be managed
• Strategic objectives may need to change unless most significant risks can be managed effectively

Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.

Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.

Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.

This simple example shows how management’s decision making process will change with the introduction of basic risk modelling.

Step 4 – Turning Risk Analysis Into Actions

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:

• Revise the assumptions used in the strategy.
• Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
• Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
• Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
• Change the strategy altogether (the most likely option in our case)

Based on the risk analysis outcomes, it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.

At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.

# How to ‘Gamify’ Risk Management

In 2014, I collaborated with EY to develop Russia’s first risk management business game. It was great fun, and as a result we created a pretty sophisticated business simulation.

Participants were split into teams of 10, each person receiving a game card that describes a role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, in each of which teams must make risk based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision, the higher the probability of adverse outcome. At the end of each round, a computer simulation model chooses a scenario, and the outcome is announced to each team.

The aim of the game is to increase the company valuation by properly weighing risks and making balanced business decisions. The winning team is the one that increased its company’s value the most after four rounds.

This game was successfully played by participants at two risk management conferences as well as postgraduate students at the Moscow Institute of Physics and Technology.

In 2015, I started working with Palisade to develop something a little different.

Just like in the previous version of the game, the participants were split up into teams of 10. However, the game mechanics have changed substantially. Each player still receives a card describing a role, but this time the card provides a complete history of the character’s role within the company and assigns each player a unique secret mission.

The aim of the game is to successfully complete a merger between a large holding company and an innovative startup. The game, as before, consists of four rounds. The first round involves performing a risk assessment of the target company. Each team must identify 10 significant risks using only the information provided on the cards.

The second, third and fourth rounds are dedicated to the management of these risks. Each identified risk has between 5 and 10 possible mitigation strategies that can be selected by the team. Each team has a limited budget dedicated to risk mitigation, and each mitigation action has a cost.

The effects of each mitigation action selected by the teams was modeled using Palisade@Risk to determine whether it increases or decreases the value of the target company. The winning team is the one that increases the value of the target company more than the others and is then able to complete the merger.

More information is available here. Let me know if your company is interested in sponsoring the translation and running the game in English.

Risk management business game 2015 (online version)

With the help of eNano, we went even further and produced an interactive risk management business game (only available in Russian). This game combined an e-learning course and an interactive business simulator.

Each participant takes on the role of general manager of one of three innovative companies. They then receive tasks that need to be completed throughout the e-learning course:

• First, each participant needs to conduct interviews with all colleagues to identify and document risks;
• Then he needs to evaluate risks using the information presented. Note that, just like in real world, most of the information presented is biased;
• Then he needs make difficult decisions relating to risk mitigation given a limited budget;
• During the last step, participants need to develop an action plan designed to improve risk culture.

All of these steps increase or decrease the company valuation. You can find out more about this course here.

Risk management game 2016

This game is the result of collaboration among Risk-academy, Palisade, Institute for Strategic Risk Analysis (ISAR) and Deloitte. Together we have created an amazing business game to teach non-financial management and staff how to perform risk modeling on day-to-day management decisions.

Participants will have to play a role of an aircraft engine manufacturing company. Each team has prepared a business case for a multimillion-dollar plant modernization. Unfortunately, the project plan have just been rejected by the board, so teams only have a couple of hours to conduct in-depth risk analysis and present an updated business case to the board.

The game is focused on risk modeling, requiring participants to identify and validate management assumptions, identify relevant risks, establish ranges and select possible distributions for each assumption, perform Monte Carlo simulation using Palisade@Risk and present the final results. All this has to be performed in limited time and with incomplete information… just like in real life. And just to add a little bit of drama, like in real life participants have to deal with unexpected “black swans” during the game.

The aim of the game is to prepare risk analysis for a multimillion-plant modernization investment project. The team with the highest risk-adjusted rate of return wins.

This game has also become one of the modules in the risk management training ran by ISAR; more information is available here.

Due to lots of positive comments, the latest risk modeling game is now available in English here.

What’s next?

The latest game was both hard and entertaining, so we began talks with our partners to turn it into an online risk quantification championship. The games will require online registration, have downloadable content and require proper risk modeling. Championships will run once a quarter, and winners will receive wonderful prizes.

# The Costs of Inaction on Encryption

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance.

Cybersecurity is established by various hardware and software components, but none of the components are more essential than strong encryption. It is such encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend to weaken encryption, which was exemplified in the legal disagreement earlier this year between Apple and the U.S. government. While there are definite aspects of the dispute that fall outside of the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt well into the 22nd century, and, perhaps, at least in the business arena, the outcome will be borne most keenly by cyber liability and technology E&O insurers.

With global attempts to reduce the effectiveness of encryption, no insurer can claim it lacks a part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is not a supporter of privacy, and it has even hacked Google’s Gmail service and the Dalai Lama’s email account to gain access to information it has deemed disruptive. It also has been stepping up its “investigations” into products produced by U.S-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate regarding whether encryption should be allowed was re-ignited in Europe and the U.K. Recently, the French, Hungarian and British governments have made various attempts at weakening or removing encryption. Therefore, with this global challenge facing insurers, they are required to be completely aware of what is at risk for them, and they must help pave a path forward that endeavors to balance profitability of products (like cyber liability and technology E&O) with the protection those products should afford any insured.

Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. There are thousands of businesses around the world that rely on the iPhone and iPad for productivity purposes — and almost all of those businesses also rely on the security that those devices provide, both from a hardware and a software standpoint. Recently, the U.S. government attempted to force Apple, in different judicial battles, to write code that will allow the government to have a master key to access the data of any iPhone. However, the U.S government is also pursuing a legislative avenue to pass a law that will force U.S. companies to give the U.S. government unfettered retrieval of any data on which it sets its sight.

To provide such access would almost always require companies to write software code that is purposefully compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments because, if there is an outcome favorable for the U.S. government, it will have direct and immediately negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it will set a dangerous precedent that will embolden other governments to justify similar breaches that will allow them to acquire what should be secure data.

From a cyber liability standpoint, any vulnerability in software code gives hackers another way to compromise a victim’s computers and network. If a company like Apple (which has thousands of businesses depending on it to keep them safe) has to create a master key, then all of the businesses that use Apple products will be vulnerable to attack. The U.S. government has a long history of being unable to keep its own data safe, which means, in time, hackers will be able to figure out what entrance point was created and then exploit it. The most worrisome entities that might access the backdoor would be non-democratic nation-states because they have the most to gain from exploiting any vulnerabilities in U.S-based companies. However, such companies are not the only ones who use products produced by Apple, which means companies located anywhere would also be vulnerable. Additionally, if world governments put restraints on encryption to make it illegal or to limit the ways data can be encoded then, again, that gives power to those entities that would exploit weak encipherment to the detriment of the private sector.

From a technology E&O standpoint, any request by the U.S. government to weaken products produced by an insured creates a breach of contract, which will hurt claims made against technology E&O policies. If Foxconn, which builds the iPhone for Apple, was forced to alter firmware used in the iPhone to allow at least one software flaw, then Apple could sue Foxconn for a breach of contract were Apple to learn of Foxconn obeying a government order to create a security bypass in the firmware code. Worse yet would be a company like FireEye being forced to reduce the effectiveness of its virtual execution engines that are at the heart of its malware analysis appliances. FireEye, and other cyber security companies, are what often stand between a hacker and its victim. Should a cybersecurity company ever be forced to obey a government order, little would stand between a hacker and its potential victims. Moreover, all of the companies that depend on the products of a cybersecurity company would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers.

To defend itself and its products from government interference, Apple is implementing a security feature that removes its ability to bypass the iPhone’s security. While such method works from a simplicity standpoint, it will not work for a majority of technology companies, with cybersecurity and cloud providers being two examples of where such a solution would not work. Additionally, if a law were passed that forced a company by way of a court order, for example, to decrypt information on its products, then the company so ordered would be put into a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void insurance contracts if an insured organization complied with a governmental request to create a backdoor.

However, it would be extremely difficult for an insurer to prove the backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous given they would punish an insured firm for obeying the rule of law. Companies could also contest each governmental request, assuming no law makes it illegal to deny a government request, but not all companies have the time or financial resources with which to fight a government. The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force any technology company to create a security gap. Moreover, the resistance movement will also need to fight against any attempt to weaken or make illegal any type of encryption.

Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself.

The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE.

Furthermore, the coalition might also be composed of members from automotive manufacturers, educators and telecommunication firms. The coalition’s protective approach, then, would be to identify cases or bills and then attempt to bring all resources forward to eliminate or mitigate the offending threat. A recent example on the judicial side of a case that would have been a threat to the putative coalition was the Apple vs. the U.S. government in Central District of California, Eastern Division. A current example of a legislative threat to the coalition is the Burr-Feinstein Anti-Encryption draft that seeks to allow courts to order a company to decrypt information it has encoded, like the way the iPhone protects a user’s data.

In a judicial case, the main measure could be filing amicus curiae briefs on the part of the aggrieved organization, but another measure might be ensuring the defendant is crafting the most reasonably persuasive anti-governmental interference arguments and appealing unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to involve the unity achieved by the existence of the coalition, working with an organization like the EFF and even creating public relation campaigns to appeal to the support of the world populace. In the rare instances when a government attempts to work with the private sector to understand the concerns that it has — for instance, as the U.S. government is trying to do with the proposed “Digital Security Commission” — then the coalition would need to support such efforts as much as possible.

It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will be also be limited when a country feels that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. In an instance concerning China, insurers could consider increasing the amount of re-insurance that they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or ones that produce products that have a high likelihood of being the result of IP theft, such as any mid- to high-end binary processor.

The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved, though, through the unified actions and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements in a safely connected world. To limit, in any way, the efforts to perfect those elements or to purposefully reduce their effectiveness is irresponsible regardless of whether the reason is national security or the pursuit of breaking a criminal enterprise. Lloyds, and other organizations involved with cyber liability and technology E&O insurance, see a future where insurers are able to achieve healthy profits off those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to a future of excessive claims, damaging losses and very little profit.

# Buckle Up: Monetary Events Are Speeding

Just when you thought the world could not spin much faster, global monetary events in 2015 have picked up speed. Buckle up.

A key macro theme of ours for some time now has been the increasing importance of relative global currency movements in financial market outcomes. And what have we experienced in this very short year-to-date period so far? After years of jawboning, the European Central Bank has finally announced a \$60 billion monthly quantitative easing exercise to begin in March. Switzerland “de- linked” its currency from the euro. China has lowered the official renminbi/U.S. dollar trading band (devalued the currency). China lowered its banking system required reserve ratio. The Turkish and Ukrainian currencies saw double-digit declines. And interest-rate cuts have been announced in Canada, Singapore, Denmark (four times in three weeks), India, Australia and Russia (after raising rates meaningfully in December to defend the ruble). All of the above occurred within five weeks.

What do all of these actions have in common? They are meant to influence relative global currency values. The common denominator under all of these actions was a desire to lower the relative value of each country’s or area’s currency against global competitors. As a result, foreign currency volatility has risen more than noticeably in 2015, necessarily begetting heightened volatility in global equity and fixed income markets.

If we step back and think about how individual central banks and country-specific economies responded to changes in the real global economy historically, it was through the interest-rate mechanism. Individual central banks could raise and lower short-term interest rates to stimulate or cool specific economies as they experienced the positive or negative influence of global economic change. Country-specific interest-rate differentials acted as pressure relief valves. Global short-term interest-rate differentials acted as a supposed relative equalization mechanism. But in today’s world of largely 0% interest rates, the interest-rate “pressure relief valve” is gone. The new pressure relief valve has become relative currency movements. This is just one reality of the historically unprecedented global grand central banking monetary experiments of the last six years. At this point, the experiment is neither good nor bad; it is simply the environment in which we find ourselves. And so we deal with this reality in investment decision making.

There has been one other event of note in early 2015 that directly relates to the potential for further heightened currency volatility. That event is the recent Greek elections. We all know that Greece has been in trouble for some time. Quite simply, the country has borrowed more money than it is able to pay back under current debt-repayment schedules. The New York consulting/ banking firm Lazard recently put out a report suggesting Greek debt requires a 50% “haircut” (default) for Greece to remain fiscally viable. The European Central Bank (ECB), largely prompted by Germany, is demanding 100% payback. Herein lies the key tension that must be resolved in some manner by the end of February, when a meaningful Greek debt payment is due.

Of course, the problem with a needed “haircut” in Greek debt is that major Euro banks holding Greek debt have not yet marked this debt to “market value” on their balance sheets. In one sense, saving Greece is as much about saving the Euro banks as anything. If there is a “haircut” agreement, a number of Euro banks will feel the immediate pain of asset write-offs. Moreover, if Greece receives favorable debt restructuring/haircut treatment, then what about Italy? What about Spain, etc? This is the dilemma of the European Central Bank, and ultimately the euro itself as a currency. This forced choice is exactly what the ECB has been trying to avoid for years. Politicians in the new Greek government have so far been committing a key sin in the eyes of the ECB – they have been telling the truth about fiscal/financial realities.

So, to the point: What does this set of uncharted waters mean for investment decision making? It means we need to be very open and flexible. We need to be prepared for possible financial market outcomes that in no way fit within the confines of a historical or academic playbook experience.

Having said this, a unique occurrence took place in Euro debt markets in early February: Nestle ́ shorter-term corporate debt actually traded with a negative yield. Think about this. Investors were willing to lose a little bit of money (-20 basis points, or -.2%) for the “safety” of essentially being able to park their capital in Nestle’s balance sheet. This is a very loud statement. Academically, we all know that corporate debt is “riskier” than government debt (which is considered “risk-free”). But the markets are telling us that may not be the case at the current time, when looking at Nestle ́ bonds as a proxy for top-quality corporate balance sheets. Could it be that the balance sheets of global sovereigns (governments) are actually riskier? If so, is global capital finally starting to recognize and price in this fact? After all, negative Nestle ́ corporate yields were seen right alongside Greece’s raising its hand, suggesting Euro area bank and government balance sheets may not be the pristine repositories for capital many have come to blindly accept. This Nestle ́ bond trade may be one of the most important market signals in years.

As we have stated in our writings many a time, one of the most important disciplines in the investment management process is to remain flexible and open in thinking. Dogmatic adherence to preconceived notions can be very dangerous, especially in the current cycle. As such, we cannot look at global capital flows and investment asset class price reactions in isolation. This may indeed be one of the greatest investment challenges of the moment, but one whose understanding is crucial to successful navigation ahead. In isolation, who would be crazy enough to buy short-term Nestle ́ debt where the result is a guaranteed loss of capital in a bond held to maturity? No one. But within the context of deteriorating global government balance sheets, all of a sudden it is not so crazy an occurrence. It makes complete sense within the context of global capital seeking out investment venues of safety beyond what may have been considered “risk-free” government balance sheets, all within the context of a negative yield environment. Certainly for the buyer of Nestle ́ debt with a negative yield, motivation is not the return on capital, but the return of capital.

This leads us to equities and, again, this very important concept of being flexible in thinking and behavior. Historically, valuation metrics have been very important in stock investing. Not just levels of earnings and cash-flow growth, but the multiple of earnings and cash-flow growth that investors have been willing to pay to own individual stocks. This has been expressed in valuation metrics such as price-to-earnings, price relative to book value, cash flow, etc. To the point, in the current market environment, common stock valuation metrics are stretched relative to historical context.

In the past, we have looked at indicators like total stock market capitalization relative to GDP. The market capitalization of a stock is nothing more than its shares outstanding multiplied by its current price. The indicator essentially shows us the value of stock market assets relative to the real economy. Warren Buffett has called this his favorite stock market indicator.

The message is clear. By this valuation metric, only the year 2000 saw a higher valuation than the current. For a while now, a number of market pundits have suggested the U.S. stock market is at risk of a crash based on these numbers.

Wells Capital Management recently developed data for the median historical price-to-earnings multiple of the NYSE (using the data for only those New York Stock Exchange companies with positive earnings). What this data tells us is that the current NYSE median PE multiple is the highest ever seen. Not exactly wildly heartwarming for anyone with a sense of stock market valuation history.

It is data like this that has prompted a number of market commentators to issue warnings: The big bad stock market wolf isn’t coming; he’s here!

In thinking about these numbers and these dire warnings from a number on Wall Street, we again need to step back and put the current cycle into context. We need to put individual asset class movements into context.

In isolation, current stock market valuations should be very concerning (and they are). In isolation, these types of valuation metrics do not make a lot of sense set against historical precedent. But the negative yield on Nestle corporate debt make littles to no common sense, either…unless it is looked at as an alternative to deteriorating government balance sheets and government debt markets.

Trust us, the LAST thing we are trying to do is be stock market cheerleaders. We’ll leave that to the carnival barkers at CNBC, with its historically low viewer ratings. What we are trying to do is “see” where the current set of global financial market, economic and currency circumstances will lead global capital as we move throughout 2015.

Heightened global currency volatility means an increasing amount of global capital at the margin is seeking principal safety. The recent Greek election results are now forcing into the mainstream commentary the issue of Euro bank and government fiscal integrity, let alone solvency. We believe the negative yield on the Nestle ́ corporate bond is an important marker that global capital is now looking at the private (corporate) sector as a potential repository for safety. The Nestle ́ bond is an investment that has nothing to do with yield and everything to do with capital preservation. Nestle ́ has one of the more pristine corporate balance sheets on Earth. We need to remember that equities represent a claim on not only future cash flows of a corporation but also on its real assets and balance sheet wherewithal.

We need to be open to the possibility that, despite very high-valuation metrics, a weak global economy and accelerating global currency movements that are sure to play a bit of havoc with reported corporate earnings, the equity asset class may increasingly be seen as a global capital repository for safety in a world where global government balance sheets have become ever more precarious over the last half decade. The investor who survives long-term is the one with a plan of action for all potential market outcomes. Avoid the tendency to cry wolf, but, of course, also keep in mind that even the boy who cried wolf was ultimately correct.

It’s all in the rhythm and pacing of each unique financial and economic cycle. Having a disciplined risk management process is the key to being able to remain flexible in investment thinking and action.