Back in the ’70s, Chris Mandel quite literally stumbled into insurance: a racquetball injury at Virginia Polytechnic Institute left him with a detached retina. After two months of lying flat in a hospital bed, he had to forgo his post-graduate job in retail management and look for employment in D.C., where he began an unexpected career managing claims at Liberty Mutual.
Mandel excelled in his job but realized a career in claims management wasn’t what he wanted. So, in the early ’80s, he moved to Marsh brokerage for five years and set up a risk management program for an AT&T spinoff that evolved into what is now Verizon. He then left Marsh to be Verizon’s first risk manager — building its program from scratch.
By the ’90s, he had held several top corporate risk management positions at the American Red Cross, PepsiCo/KFC and Tricon Global Restaurants (now Yum! Brands). Mandel also began a six-year volunteer stint as president of RIMS (1998-2004), after serving in many other key RIMS leadership roles, and earned an MBA in finance from George Mason University along the way.
By 2001, Mandel sat on several insurer advisory boards (Zurich, AIG, FM Global and Liberty Mutual) before making a career and geographic move to the USAA Group in San Antonio. There, he built an enterprise risk management (ERM) program because he saw a “broken traditional approach” to risk management. After nearly 10 years of developing an ERM program lauded in the industry (including by AM Best, Moody’s and S&P), Mandel was promoted at USAA to head of enterprise risk management, as well as president and vice chair of Enterprise Indemnity, a USAA commercial insurance subsidiary. While at USAA, he was recognized as Business Insurance’s Risk Manager of the Year (2004).
His dream was to be a corporate chief risk officer, but he saw that title more often going to “quants” (such as actuaries) rather than to risk professionals. So, as a well-known and sought-after industry spokesperson and visionary, Mandel left USAA in 2010 to found a Nashville-based risk management consulting group, then called rPM3 Solutions, which holds a patent on an enterprise risk measurement methodology. In 2013 he moved to Sedgwick as a senior vice president, responsible for conducting scholarly research, driving innovation, managing industry relations and forging new business partnerships.
In early 2016, he was appointed director of the newly formed Sedgwick Institute, an extension of the firm’s commitment to delivering innovative business solutions to Sedgwick’s clients and business partners, and to the insurance industry as a whole. In 2016, Mandel was also awarded RIMS’ distinguished Goodell Award.
When asked what he sees as critical strengths for someone entering risk management, Mandel said: “I try to hire managers who can think strategically and who can convince C-suiters and boards of the value of being resilient in addressing a company’s risk profile. Progressive leaders understand the strategy to leverage risk for value.”
A holistic approach, as he describes it, “seeks a vantage point that can assess both the upside and downside of all foreseeable risks.” He believes true innovation evolves from a company’s risk-taking. “It’s not so much identifying what or when adversity is going to happen, it’s how a company responds to risk in order to minimize disruption,” he said.
In assessing his personal strengths and accomplishments, Mandel feels that a person needs to be “emotionally intelligent” — able to adapt to different people in organizations. He doesn’t consider himself a people person but says he learned to be one the hard way. He advises: “Team spirit is putting other people first and helping them succeed. … Admit your failures and build trustworthiness from your mistakes.”
Besides writing, teaching, speaking and (still) playing racquetball, he serves an active role as an advisory board member of Insurance Thought Leadership. He and his wife also serve in church ministries, where he often plays guitar alongside his grown children, who are ordained ministers. Mandel said, “I’m blessed by a Creator who’s had my back.”
In the world of mechanical engineering, stress testing involves subjecting a mechanism to extreme conditions, considerably beyond the intended operating environment, to determine the robustness of the device and the circumstances under which it might fail. Financial stress testing is much the same.
What is a Financial Stress Test?
Generally speaking, a stress test is an assessment of the financial impact of changing a specific variable, without regard to the likelihood of this change.
Often, all other factors remain constant (even if this is not especially realistic). Sometimes the point of the test is to determine failure modes: A reverse stress test determines the magnitude of change necessary to induce financial ruin.
The term scenario test is often used to describe an assessment of the financial impact of a specific event (again, without regard to that event’s likelihood), in which the testers seek to reflect realistically the impact of this event on all aspects of the firm.
So, a scenario test involves a more holistic look at possible circumstances rather than altering a specific variable in isolation.
Two practical advantages follow from that simplicity: a stress test does not require an understanding of the overall dependencies among linked risks, and it avoids “black-box syndrome,” because anyone can see exactly which input moved and by how much.
Stress tests can be used as a primary risk measure: assessing the level of a specific risk, measuring aggregate risk level, setting risk tolerances or evaluating the benefit of risk mitigation. Tests can also be used to verify the calibration of more complex risk models.
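As an added illustration (not part of the original article and not any Willis Re, rating-agency or regulatory model), the Python below runs the three kinds of test just defined on a constructed one-period insurer balance sheet: a single-variable stress test that holds everything else constant, a scenario test that moves several inputs together, and a reverse stress test that searches by bisection for the shock size at which surplus falls below an assumed required-capital floor. Every figure, the duration-based bond sensitivity, the required-capital floor and the “crisis” scenario are assumptions chosen for the example, not calibrated data.

```python
"""Stress, scenario and reverse stress tests on a constructed insurer balance
sheet. Added example; every number here is an assumption for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Insurer:
    """One-period balance sheet in millions (constructed figures)."""
    bonds: float = 800.0            # fixed-income portfolio, market value
    equities: float = 200.0         # equity portfolio, market value
    liabilities: float = 850.0      # best-estimate claims reserves
    bond_duration: float = 5.0      # modified duration in years (assumed)
    required_capital: float = 60.0  # surplus floor below which we call it ruin


def surplus(ins: Insurer) -> float:
    """Assets minus liabilities; the quantity every test below watches."""
    return ins.bonds + ins.equities - ins.liabilities


def project(ins: Insurer, rate_rise_pct: float = 0.0, equity_return: float = 0.0,
            reserve_strengthening: float = 0.0) -> Insurer:
    """Deterministic projection of the balance sheet after the given shocks.

    rate_rise_pct          rise in yields in percentage points; bond values fall
                           by about duration x rise (first-order approximation)
    equity_return          fractional change in equity values (-0.40 = 40% fall)
    reserve_strengthening  fractional increase in claims liabilities
    Shocks not supplied stay at zero, i.e. all other factors remain constant.
    """
    bonds = ins.bonds * (1 - ins.bond_duration * rate_rise_pct / 100)
    equities = ins.equities * (1 + equity_return)
    liabilities = ins.liabilities * (1 + reserve_strengthening)
    return replace(ins, bonds=bonds, equities=equities, liabilities=liabilities)


def _report(before: Insurer, after: Insurer) -> dict:
    return {"surplus_before": surplus(before), "surplus_after": surplus(after),
            "loss": surplus(before) - surplus(after),
            "solvent": surplus(after) >= before.required_capital}


def stress_test(ins: Insurer, **shock: float) -> dict:
    """Single-variable stress test: move exactly one input, hold the rest."""
    if len(shock) != 1:
        raise ValueError("a stress test changes one variable; use scenario_test")
    return _report(ins, project(ins, **shock))


def scenario_test(ins: Insurer, scenario: dict) -> dict:
    """Scenario test: a named event that moves several inputs together."""
    return _report(ins, project(ins, **scenario))


def reverse_stress_test(ins: Insurer, variable: str, solvent_at: float,
                        ruined_at: float, tol: float = 1e-9) -> float:
    """Find the smallest shock to `variable` that breaches required capital.

    Bisection between a shock known to leave the firm solvent and one known
    to ruin it; valid because surplus moves monotonically in each shock here.
    """
    def margin(x: float) -> float:
        return surplus(project(ins, **{variable: x})) - ins.required_capital

    if margin(solvent_at) < 0 or margin(ruined_at) >= 0:
        raise ValueError("bracket must run from a solvent shock to a ruinous one")
    lo, hi = solvent_at, ruined_at
    for _ in range(200):
        mid = (lo + hi) / 2
        if margin(mid) >= 0:
            lo = mid            # still solvent: ruin lies beyond mid
        else:
            hi = mid            # ruined: ruin lies at or before mid
        if abs(hi - lo) < tol:
            break
    return hi


# Constructed "crisis" scenario: equities fall 40%, yields drop one point (so
# bonds gain) and reserves are strengthened 5%. Not a calibrated 2008 data set.
CRISIS_SCENARIO = {"equity_return": -0.40, "rate_rise_pct": -1.0,
                   "reserve_strengthening": 0.05}

if __name__ == "__main__":
    base = Insurer()
    print("rates +3 points:", stress_test(base, rate_rise_pct=3.0))
    print("crisis scenario:", scenario_test(base, CRISIS_SCENARIO))
    print("equity fall to ruin: %.2f" % reverse_stress_test(base, "equity_return", 0.0, -1.0))
    print("rate rise to ruin: %.2f points" % reverse_stress_test(base, "rate_rise_pct", 0.0, 10.0))
```

On these assumed figures a three-point rate rise alone breaches the floor (surplus 150 falls to 30), while the scenario lands at 67.5: the 40% equity fall costs 80, the reserve strengthening 42.5, and the bond gain returns 40. That netting of offsetting moves is precisely what a single-variable stress cannot show and a scenario's “story” can. The reverse tests report ruin at a 45% equity fall or a 2.25-point rate rise, which is the kind of figure a board can compare directly with history.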
Examples of Stress Tests
Stress tests and scenario tests have a long history and have been broadly applied. Deterministic financial projections readily lend themselves to stress testing.
For example, Willis Re’s eNVISION financial forecasting model allows users to easily change the value of a single parameter and see how that change affects key metrics.
An example of scenario testing is Standard & Poor’s use of past market stress events, pegging them to a rating level. In other words, a company with a BB rating should be able to get through a “BB event” without defaulting.
A blend of stress and scenario testing can be seen in the A.M. Best approach. Since 2011, the rating agency has asked insurers to estimate the impact of the largest potential threats to the firm arising from six different types of risk: market risk, credit risk, underwriting risk, operational risk, strategic risk and liquidity risk – each using a specific “Risk / Event / Scenario” combination designed by the company.
For example, in terms of market risk one could consider a stock market scenario based on the events of 2008, or a three-percentage-point rise in interest rates such as that experienced in 1994.
The lessons of recent events have also led regulators to look to stress tests to assess how well the market could stand up to adverse events.
Such regulatory exercises have each included deterioration in market, credit and insurance risk variables. Regulators will increasingly expect insurers to evidence such stress testing as part of their overall solvency management.
While it is easy to develop scenarios that reflect prior experience, it is a much more difficult proposition to consider scenarios that factor in emerging or as yet unknown risks.
The Lloyd’s emerging risk reports provide interesting examples of the extensive work that is being carried out to try and increase understanding and awareness of risk.
Natural Catastrophe Analysis
Another example of stress testing can be seen in the realm of natural catastrophe analysis. While sophisticated simulation models are quite well accepted for certain perils and regions (such as U.S. hurricane and earthquake), other catastrophe models are not so far advanced.
For example, the modeling of severe convective storm — tornado and hail — still faces significant shortcomings and is subject to significant model risk; for other perils, such as brushfire and sinkhole subsidence, there may be no model at all.
That’s why many companies prefer to use stress tests and scenario tests to assess their catastrophe exposure, supplementing stochastic models in some cases.
Willis Re’s SpatialKey geospatial platform, including stress testing apps such as eXTREME Tornado, is one example of a tool that facilitates this approach.
We understand that the International Association of Insurance Supervisors (IAIS) is considering a scenario test approach for its developing insurance capital standards for Globally Systemically Important Insurers (G-SIIs) and Internationally Active Insurance Groups (IAIGs).
Calibration and Interpretation
When creating a stress test, analysts typically calibrate by ensuring that it ranks among real events of appropriate magnitude — and, while likelihood is not necessarily considered in stress testing, the frequency of real events of comparable magnitude may guide the design of the stress test.
An understanding of this calibration provides context for the numerical results of the stress test.
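To make the calibration step concrete, here is an added example (not from the original article, and using no real market data) that sizes a rate shock from a constructed series of 20 annual changes in a benchmark yield, in percentage points, and reports the empirical return period of any proposed shock such as the three-point rise mentioned earlier. The series is invented for the illustration; a practitioner would substitute the firm's own history. The limitation the text raises about emerging and as-yet-unknown risks shows up as an explicit failure: a record cannot calibrate a shock rarer than the record is long, and a shock beyond anything observed gets an infinite return period, which is a statement about the data, not evidence that the event is impossible.

```python
"""Empirical calibration of a stress shock from a historical series.
Added example; the yield changes below are constructed, not real data."""

# Constructed annual changes in a benchmark yield, in percentage points
# (20 observations, i.e. a 20-year record).
RATE_CHANGES = [-1.2, 0.4, 0.9, -0.3, 2.1, 0.6, -0.8, 1.4, 0.2, -1.5,
                3.1, 0.7, -0.4, 1.1, 0.3, -0.9, 1.8, 0.1, -2.0, 0.5]


def empirical_return_period(changes, shock):
    """Average years between observations at least as severe as `shock`.

    Returns inf if the record contains nothing that severe: the history then
    says nothing about frequency, which is a limit of the data, not proof
    that the event cannot happen.
    """
    exceed = sum(1 for c in changes if c >= shock)
    return float("inf") if exceed == 0 else len(changes) / exceed


def shock_for_return_period(changes, years):
    """Largest rise equalled or exceeded no more than once every `years` years.

    Raises if `years` is outside the record length: an empirical series
    cannot calibrate an event rarer than the series is long.
    """
    n = len(changes)
    if years < 1 or years > n:
        raise ValueError(f"record is {n} years; cannot calibrate a 1-in-{years}")
    k = n // years                       # observations allowed to reach the shock
    return sorted(changes, reverse=True)[k - 1]


if __name__ == "__main__":
    print("3-point rise recurs about 1 in", empirical_return_period(RATE_CHANGES, 3.0), "years")
    print("1-in-10 shock:", shock_for_return_period(RATE_CHANGES, 10), "points")
    print("5-point rise:", empirical_return_period(RATE_CHANGES, 5.0), "(never observed)")
```

In this constructed record the three-point rise is a 1-in-20 event and a 1-in-10 shock is a 2.1-point rise; quoting those return periods alongside the surplus impact is what gives the numerical result of a stress test its context.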
When reviewing the results of a stress test or scenario test, the first question to ask is: What does this say about the firm’s resiliency? As in the Standard & Poor’s example, the results may indicate a level of security that is either higher or lower than desired.
Given the concrete, intuitive nature of stress tests and scenario tests, these results facilitate communication with senior managers, the board of directors and other stakeholders.
When only a single variable is tested, the explanatory power of the test is clear. And when using a scenario test, the “story” of the scenario enables company leaders to think concretely about its financial effects, how the firm could respond and what might be done to prevent a loss that large in the first place.
Overall, stress tests and scenario tests deserve a prominent place in a strong enterprise risk management program: they do much to foster a healthy risk culture.
Credit rating is a highly concentrated industry: the two largest credit rating agencies (CRAs), Moody’s Investors Service and Standard & Poor’s (S&P), control about 80% of the global market, and the “Big Three,” which also include Fitch Ratings, control approximately 95% of the business. While the value of the rating agencies has been widely questioned, they remain critically important to many organizations. Risk managers can play a key role in preserving and improving their organizations’ credit rating.
Having had the opportunity to participate in rating agency presentations for a publicly traded company and a non-profit, I learned that the process was similar for both and that the stakes were high, requiring a tremendous amount of preparation. In the case of the publicly traded company, my presentation materials were focused on traditional risk management and audit practice (it was the ‘90s), and with the non-profit my focus was on enterprise risk management (progress). The following, though not a comprehensive description of the rating process, describes key areas where risk managers should focus:
Engage with the lead on the rating team (typically within the CFO division)
Prepare a high level report for the lead’s review. Provide information regarding how the organization is addressing risks, both insurable and non-insurable.
Inquire about the rating agency criteria
Agencies do not use the same criteria, but they are required to be transparent about the criteria and will share them beforehand. Through inquiry, you can identify the areas of risk that will be their focus. Read other institutions’ credit reports for clues.
Know your financial statements
Carefully review your financial statements for what the rating agency analyst will be looking for: debt, finances, significant litigation, mergers and acquisitions, etc. and be prepared to address questions around risk in all these areas.
Understand the metrics that are used
In addition to financial metrics, the focus will also be on legal review, risk management and governance.
Strategies and polices
Board composition and capabilities
Ability to anticipate, predict and respond to potential challenges
Rehearse your presentation
It is common to rehearse individually and as a group for the presentation. Your presentation time will likely be less than 30 minutes. There may also be tours provided to the rating agency analysts, so assist in preparing the people involved and the physical location.
What can lead to a downgrade? Failure to meet targets, two or more years of declining revenue, debt burden that exceeds 10% of operating revenue, significant turnover in leadership and litigation.
What can lead to an upgrade? Consistent financial performance, lower debt burden, modest future capital plans (not overextending) and a strong enterprise risk management program.
At the University of California (UC), we presented our enterprise risk management program during the rating agency review. Universities access the capital markets to finance their working capital needs, so a strong credit rating is critical. The result was that UC was the first non-financial institution to receive credit agency acknowledgement of an enterprise risk management program. S&P’s RatingsDirect on the Global Credit Portal wrote on Sept. 9, 2010: “The UC has implemented a system-wide enterprise risk management information system, which in our opinion, is a credit strength.”
As a result of the presentation, Standard & Poor’s requested that we conduct a webinar on Enterprise Risk Management in Higher Education for its analysts in New York, and it has continued to focus on the importance of ERM. The company has written: “Standard & Poor’s Ratings Services has expanded its review of the financial service industry’s enterprise risk management (ERM) practices. This enterprise risk management initiative is an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness. This enhancement is part of Standard & Poor’s holistic assessment of enterprise risk management of corporations and financial institutions. Standard & Poor’s is continually enhancing its ratings process to respond to the emergence of new risks and marketplace needs and conditions.”
The presentation centered on demonstrating that risk management programs and tools were in place and effective, fulfilling the following criteria:
ERM aims to measure an institution’s achievement of four primary objectives:
Strategic – High-level goals that are aligned with and support the institution’s mission
Operational – Continuing management process and daily activities of the organization
Financial reporting – Protection of the institution’s assets and quality of financial reporting
Compliance – The institution’s adherence to applicable laws and regulations
Within each of these four objectives, there are eight related components:
Internal environment – The general culture, values and environment in which an institution operates. (e.g., tone at the top)
Objective-setting – The process management uses to set its strategic goals and objectives, establishing the organization’s risk appetite and risk tolerance
Event identification – Identifying events that influence strategy and objectives, or could affect them
Risk assessment – Assessment of the impact and likelihood of events, and a prioritization of related risks
Risk response – Determining how management will respond to the risks an institution faces. Will they avoid the risk, share the risk or mitigate the risk through updated practices and policies?
Control activities – Represent policies and procedures that an institution implements to address these risks
Information and communication – Practices that ensure that the right information is communicated at the right time to the right people
Monitoring – Consists of continuing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed
Your criteria (framework) could be different; the key is to demonstrate that you have an effective means of identifying, managing and monitoring a wide variety of risks across the enterprise. Of primary importance is the identification of risks. The analysts are very concerned that organizations are going to be hit by surprises and thus be ill-prepared to respond and recover from them.
Examples of programs and tools that evidence your ability to detect risks:
Policies that are supported by awareness and education (people know the right thing to do), backed up with reward and accountability for doing the right thing – built into employee selection process, job description, development plans and reviews and compensation plans (people want to do the right thing)
Multiple reporting channels – anonymous hotlines for employees, customers and the public and ease of access to human resources, compliance, risk management and legal and the inclusion of continual communication that retaliation is not tolerated
Incident reporting and tracking systems (claims, safety, human resources information systems, etc.)
Risk assessments at both an enterprise level and at the functional level
Business intelligence system – the ability to aggregate and analyze data across the organization to enhance detection and advance predictive modeling
Key takeaway: As a risk manager or enterprise risk practitioner, your engagement in the credit rating process is an ideal way for you to add value. Leverage your ERM program to highlight your organization’s ability to detect, manage and respond to risk events.
This is part two of a series of five on the topic of risk appetite and its associated FAQs.
The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.
The Risk Landscape
Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.
First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives? Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?
To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.
It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.1
Crucially, risk is now defined as “the effect of uncertainty on objectives.”2
It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.
Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:
1. Risk appetite: While we now have a globally accepted risk management standard3 and sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.
2. Risk reporting: In relation to risk reporting, two significant matters arise:
Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric4 approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.
Note: RMI supports the adoption of a board-driven, objectives-centric approach5 to reporting and monitoring risks to operations, the business model and reputation.
Risk registers and other reporting tools detail known risks, what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such they tend to be of limited value in terms of reporting or monitoring either unknown known6 or unknown unknown7 risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.
3. Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.
The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on disparate Excel spreadsheets, Word documents and PowerPoint decks, with weak controls over the copying and pasting of data from one level of report to another.
Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.
a. Comprehensive training for business line managers and supervisors on:
(Risk) Management Processes,
Board (Risk) Assurance Requirements
b. Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,
c. System8 put to process through the use of database/workflow solutions, providing an evidence basis of assurance that:
The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change
Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.
4. Lack of understanding of the nature of the risks that need to be mastered in the boardroom:
Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health safety, etc. — and there are multiple categories of risk. But what is uncertainty?
Uncertainty9 is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.
There are essentially two kinds of uncertainty:
1. Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.
Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.
Measurable uncertainties are funded out of operating profits.
2. Unmeasurable uncertainties: These are inherently un-insurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc. they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.
Un-measurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks10 that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.
Un-measurable uncertainties are funded out of the balance sheet.
The hyper-connected and multispeed world in which we live today has driven the effect of un-measurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.
5. Urgent need to recognize the mission-critical importance of building and preparing management to always be able to offer credible solutions in the face of unexpected shocks and surprises. Figure 1 below describes the evolution of risk management as depicted within the red dotted line11 and the next stage of the evolution (resilience) as envisioned by RMI.
Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk
Resilience was the theme that ran through the World Economic Forum’s Global Risks 2013, Eighth Edition report. Resilience was described as the capability to
Adapt to changing contexts,
Withstand sudden shocks, and
Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.
The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).
The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes12) recently published a concise and practical taxonomy that may also be used to consider global risks13.
The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.
When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.
Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.
It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:
Lloyd’s: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
S&P: Risks that do not currently exist,
The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:
Financial volatility (24% of respondents)
Cyber security/interconnectedness of infrastructure (14%)
Liability regimes/regulatory framework (10%)
Blowup in asset prices (8%)
Chinese economic hard landing (6%)
Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction15.
1 Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens
2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.
3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.
4 Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication by Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman
5 The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech
6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)
7 An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)
8 Specified to the ISO 31000 series
9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard
10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman
11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management : Frameworks, Elements and Integration
12 Managing Risks: A New Framework
13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).
14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK
15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term;