The Continuing Evolution of Risk Modeling

Printer version  PDF

by Ryan Ogaard

The global financial crisis has increased the world’s focus on risk modeling, and for some it has called the very validity of the practice into question. Common themes resonating throughout the popular press include the difficulty of modeling human behavior and the complexity of the intricate webs of financial hedging that imploded to create the current crisis. In-depth investigations into the mechanics of subprime have revealed the existence of known blind spots in the models. Management considered these blind spots either unimportant or unlikely to have an impact on results, but they point to the real culprits in most modeling mishaps – a lack of holistic risk awareness, or what the 9/11 Commission’s report called “a failure of the imagination.”

Risk assessment is, at its heart, a creative endeavor — an exercise in visualizing and testing the unknown. A task like this cannot be summed up in a single tool, such as a “risk model,” nor can it be dismissed because reliance on such tools was one of the many proximate causes of the recent financial crisis. Indeed, risk modeling is robust and yields valuable information to decision-makers. This is particularly true in the property and casualty (P&C) insurance sector, where risk is the basic fabric of the business. P&C lines of business have experienced decades of investment, failure, investigation, and improvement in the methods, tools, and processes that produce credible risk information. Much of the progress in risk management has been facilitated by advances in technology, and recently, a consensus on risk management best practices has been emerging.

A range of sophisticated risk management practices is now required by stakeholders in P&C companies. Such practices are meant to prove that an insurer is managing risk and to provide transparency into a company’s balance of risk and supporting capital. Management has generally embraced advanced risk-assessment methods and tools, seeing them not only as requirements, but also as creators of competitive advantage. Insightful analysis of risk can show a company where to deploy capital, where unexploited opportunities lay, and where exposures might be dangerous, or at least unprofitable. But in spite of widespread adoption within the industry, risk assessment is still developing and all too often is not seen as holistic.

Often, the situations or events that define unacceptable risk have never occurred, or have occurred in far different environments than exist today. While models attempt to put all relevant information about a particular risk into a single picture, it is well known that they will never fully mimic human behavior – but that does not lessen their value. Models can be very informative if they are put into the proper context and used to produce knowledge rather than definitive answers. To understand models, decision makers must understand the information that created and feeds them – the data.

There are two primary uses for data in the context of risk modeling. First, it is a historical record of events that is used to understand risk patterns of the future. How many defaults have happened in the past? How many insurance claims? What sort of entity had a higher likelihood of loss? Data is also the representation of the current exposure base. How many loans are outstanding? How many insurance policies have been written? What are the primary qualities of these risks? The data from the past points to probability; the current data, to immediate loss potential.

These related uses of data – as a basis for model building, and as a current risk profile – are critical to effective model-based decision-making. The essential starting point, however, is the current risk profile. But this is often overlooked. Before the application of advanced math and sophisticated simulation techniques, some relatively simple data-mining exercises can paint a useful picture of the risk landscape. This landscape might be defined by exposure to a class of risk, location, type of business, or changes in the profile over time, in varied economic conditions or in relation to demographic shifts – the list is endless and variable for each company. Such analysis gives decision-makers a context in which to judge more complex modeling results and can point to further methods of investigation. A fundamental analysis of exposure data is common sense – but it has not been common practice.

Recent events – from collateralized debt obligations (CDOs) losses to hurricanes losses – have highlighted the power and importance of understanding exposure data. As a result, a new focus is emerging on this aspect of risk management. Practices that seem simple and obvious, however, can be difficult to implement. One frequent stumbling block is the overwhelming amount of data that comprises a risk profile. Compiling all this information into a coherent format, analyzing terabyte-size databases, and creating usable output from analysis can consume entire departments and require highly specialized skill sets. Fortunately, the evolution of data-handling technology has been robust, driven by online innovations and the need to do massive, ultra-fast lookups, processing, and reporting.

One example of emerging risk/data technology is Guy Carpenter’s i-aXs® platform, which melds business information software with a GIS system and supercomputers to create a specialized risk-assessment environment capable of quickly analyzing and reporting on a massive risk-profile database. Such a platform can leverage the skills of analysts and makes laborious inquiries into risk exposure more practical and information more accessible to decision-makers.

The sheer volume of data is not the only challenge. Once data is parsed and metrics are developed, flaws and gaps in the risk profile often become glaringly apparent. Indeed, a thorough risk assessment seeks to discover such discrepancies. Fortunately, a wealth of new information sources has come into existence, and databases identifying nearly every natural and man-made object in the world are for sale from specialist firms. This information can be used to augment a data set and draw a more complete picture of risk. Specialty catastrophe-modeling firms that are widely used in the P&C space, such as Risk Management Solutions, have recently developed an entirely new practice focused on data-quality assessment and enhancement. Once again, the skill and technology to harness third-party databases can be a roadblock, but platforms such as i-aXs are built to integrate data from various sources, yield a more complete and accurate data set, and create a more robust foundation for further risk assessment.

Risk models tend to be a synthesis of data, expert opinion, and technique: The best thinking and information boiled down to a very educated guess. It is essential to understand how this guess was made and to weave that knowledge into decisions about risk-taking. This can be difficult. Risk models are generally complex – sometimes opaque in their workings – and even models that seem transparent can produce unforeseen results due to the interaction of their many moving parts. The components of a risk model encompass the nature of risk events, including frequency, severity, correlation, and probability. Each component must be sound and interact properly with other components. It is no wonder that P&C insurers are employing ever-increasing numbers of modeling specialists.

Risk models link the present and the past. Most risk models involve some form of “back testing,” which overlays current exposure onto historical patterns of loss (and gain). Historical patterns are almost always adjusted to compensate for changes in economic or physical conditions. The compatibility of the current risk profile and historical risk patterns is very important. Model users must ask themselves if the model accurately recognizes their data and if the assumptions and adjustments that went into the model represent their present situation. The problem is more subtle than simply, “garbage in, garbage out.” Anything from climate change to inflation could make a model an inaccurate descriptor of the contemporary risk environment.

Property catastrophe models (cat models) developed by specialty firms are among the most widely used risk models in the P&C industry. Cat models represent a class of models that attempts to create representations of physical events, such as hurricanes, earthquakes, or even wildfires. Such models rely on scientists and engineers to describe how an event unfolds and its likely effects on exposed objects (buildings, autos, oil platforms, etc.).

Another category of risk model is based on network theory rather than event replication. This approach is more useful in modeling non-recurring events or events caused by interrelationships between entities (usually businesses) that can cause unknown concentrations of risk or cascading chains of loss. The CASUS and Casualty Cat models (both developed jointly by Guy Carpenter and Arium, Ltd.) are examples of network-theory models. CASUS maps concentrations of people that can create unforeseen workers compensation loss potential (such as a convention or concentration of customers).

Casualty Cat maps the loss-causing, relationship-types of business activities and the liability patterns that can flow through an event such as the Enron insolvency.

In some cases companies build their own highly specific models, often based on their own historical data. Such a practice involves actuarial expertise and a healthy dose of business judgment. Technology also plays a part in the form of actuarial toolkits that help analysts adjust data and fit probability distributions to historical data. Risk analysis toolkits (such as Guy Carpenter’s InstratFitTM) contain a consistent advanced-math platform that is specifically tailored to support risk simulation and helps experts estimate the parameters for statistical distributions of loss frequency, severity, and correlation that describe the company’s risk.

As estimates of risk parameters are developed, it is critical to understand the surrounding uncertainties. Platforms such as InstratFit generate “parameter uncertainty” (sometimes called “secondary uncertainty”) with each estimate of a frequency or severity distribution. These uncertainty measures should not only be used to judge the soundness of the parameter estimate, but should also be recognized by the risk model. The concept of building uncertainty into risk models has become more common in recent years, but it is still difficult to explain and is sometimes difficult for risk decision-makers to accept. Recognizing parameter uncertainty will always increase the risk as represented by a model. This translates into increased estimates of the cost of risk or price of risk hedging. There is an inherent discomfort when abstract influences such as parameter risk drive up risk measures (and inevitably, cost derived from them), but recognizing parameter risk is essential in the use of risk models. Uncertainty in the risk parameters might be the most volatile aspect of risk that an insurer faces.

A misunderstanding of models and exposure data is not the primary cause of most modeling failures. Indeed, many companies that have suffered in recent catastrophes, both physical and financial, had substantial and sophisticated resources invested in risk analysis. What is often missing is the connection between analysis and management decisions, and this is the link that the rapidly evolving practice of enterprise risk management (ERM) is meant to create.

ERM is not new, but its value is newly recognized. Even a quick overview of the risk-analysis world reveals the need for a systematic approach, the tools to support the effort, and substantial expertise resident in the firm. But these will not exist in a firm without a high degree of commitment. ERM demands a culture of risk awareness that begins with senior management. Such a top-down approach increases the likelihood that a holistic and well-supported risk-analysis process will take root in a company. It also should decrease the friction that can exist between decision-makers and technical risk experts when unpalatable results are traced to valid, but esoteric, analytics.

A failure of the imagination does not always come from a lack of creativity; it often emerges when the time and energy required for creativity cannot be found. Fortunately, expertise, technology, and best practices have evolved that can help firms overcome the inertia that keeps them from implementing a holistic risk management framework. In the current economy, the possible penalties for inadequate risk management could not be more obvious. It is the potential for profits, however, that make risk management a fascinating pursuit.