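Classification is how human wisdom tackles problems; let's see how others classify risk and the wisdom they bring to solving problems
Can it be controlled?
How to set up a risk-management mechanism
Short-, medium- and long-term countermeasures
The psychological traps and common problems
Risk management is an emperor's art for winning bosses; it is not for naive young wage-earners or for low-caliber types (boss, seafood and guru)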
Managing Risks: A New Framework
Robert S. Kaplan (Balanced Scorecard), Anette Mikes
The Six Mistakes Executives Make in Risk Management
Nassim N. Taleb (author of The Black Swan), Daniel G. Goldstein, and Mark W. Spitznagel
Risk management is too often treated as a
compliance issue that can be solved by drawing up lots of rules and making sure
that all employees follow them. But rules-based risk management will not
diminish either the likelihood or the impact of a disaster such as Deepwater
Horizon, just as it did not prevent the failure of many financial institutions
during the 2007–2008 credit crisis.
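Risk management cannot rely on setting rules alone; you also have to look at how changes in the external environment affect the organization's overall operations and strategy (and, in turn, whether insiders follow the rules..)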
looking at how organizations can identify
and prepare for non-preventable risks that arise externally to their strategy
and operations.
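It takes dialogue (communication among equals), not (top-down) rule-making
Managing Risk: Rules or Dialogue?
People are usually unwilling to discuss risk (touch wood, don't jinx it) until it is too late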
individuals have strong cognitive biases
that discourage them from thinking about and discussing risk until it’s too
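late. (If the company culture is also the secretive, rank-equals-wisdom, command-driven kind, senior executives are usually unwilling to share information, or simply not in the habit of doing so.)
Three categories of risk
Category I: Preventable risks. (operational level / internal)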
These are internal risks, arising from
within the organization, that are controllable and ought to be eliminated or
avoided. Examples are the risks from employees’ and managers’ unauthorized,
illegal, unethical, incorrect, or inappropriate actions and the risks from
breakdowns in routine operational processes.
This risk category is best managed through
active prevention: monitoring operational processes and guiding people’s
behaviors and decisions toward desired norms.
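This category brings the company no benefit at all; it takes rigorous internal controls and internal audit to make people follow the rules (risk here can be controlled with rules)
Category II: Strategy risks. (external / strategy, industry and business level)
A company voluntarily accepts some risk in
order to generate superior returns from its strategy. Only high risk brings high reward. No guts, no glory.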
Strategy risks are quite different from
preventable risks because they are not inherently undesirable. Strategy risks
cannot be managed through a rules-based control model. Instead, you need a
risk-management system designed to reduce the probability that the assumed
risks actually materialize and to improve the company’s ability to manage or
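contain the risk events should they occur. (Rules cannot control this kind of risk; it takes a system or institution (actuarial?) that lets the company manage such risks more effectively than its rivals: enable companies
to take on higher-risk, higher-reward ventures than could competitors with less
effective risk management.)
Category III: External risks. (the external environment, including natural disasters and political and economic upheaval, beyond an individual company's control)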
Some risks arise from events outside the
company and are beyond its influence or control. Sources of these risks include
natural and political disasters and major macroeconomic shifts. External risks
require yet another approach. Because companies cannot prevent such events from
occurring, their management must focus on identification (they tend to be
obvious in hindsight) and mitigation of their impact.
A company's risk management should be tailored to the three categories above
Why risk management fails to deliver
Risk mitigation is painful, not a natural
act for humans to perform.
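People usually find it hard to think the future through and plan thoroughly in advance (they usually take it one step at a time)
Telling the boss about all your doubts and possible countermeasures is also unlikely to earn you a promotion or a raise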
People overestimate their ability to
influence events that, in fact, are heavily determined by chance. We tend to be
overconfident about the accuracy of our forecasts and risk assessments and far
too narrow in our assessment of the range of outcomes that may occur. (We overrate our own forecasts.)
We also anchor our estimates to readily
available evidence despite the known danger of making linear extrapolations
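from recent history to a highly uncertain and variable future. (Linear extrapolation of the future from known past experience.)
Because up-front guesses and estimates are stated vaguely, afterwards people can always rationalize and shift blame (well, nobody can predict the future correctly, so there is no need to be demanding or harsh with anyone…)
Organizational biases also inhibit our
ability to discuss risk and failure. Organizational bureaucracy and politics make it even harder to discuss risks that might go wrong: people merely go through the motions of decision-making and risk management by holding meetings, while reality is another matter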
Groupthink is especially likely if the team
is led by an overbearing or overconfident manager who wants to minimize
conflict, delay, and challenges to his or her authority.
Firms actually incubate risk through the
normalization of deviance, as they learn to tolerate apparently minor failures
and defects and treat early warning signals as false alarms rather than alerts
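to imminent danger. The real decision setting: too much information, making it hard to tell which cries of "wolf!" are real signals and which are false alarms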
Rules about what to do and what not to do
won’t help here. In fact, they usually have the opposite effect, encouraging a
checklist mentality that inhibits challenge and discussion. Managing strategy
risks and external risks requires very different approaches.
Managing Strategy Risks
Each approach requires quite different
structures and roles for a risk-management function, but all three encourage
employees to challenge existing assumptions and debate risk information.
Independent experts.
Bring in outside experts to act as devil's advocates
The JPL example from the aerospace industry
Establish a risk review board made up of
independent technical experts whose role is to challenge project engineers’
design, risk-assessment, and risk-mitigation decisions. The experts ensure that
evaluations of risk take place periodically throughout the product-development
cycle.
The meetings, both constructive and
confrontational, are not intended to inhibit the project team from pursuing
highly ambitious missions and designs. But they force engineers to think in
advance about how they will describe and defend their design decisions and
whether they have sufficiently considered likely failures and defects. The
board members, acting as devil’s advocates, counterbalance the engineers’
natural overconfidence, helping to avoid escalation of commitment to projects
with unacceptable levels of risk.
Facilitators.
Set up a headquarters unit to help consolidate information and avoid missing the forest for the trees
Energy industry
Since no single staff group has the
knowledge to perform operational-level risk management across diverse
functions, firms may deploy a relatively small central risk-management group
that collects information from operating managers. This increases managers’
awareness of the risks that have been taken on across the organization and
provides decision makers with a full picture of the company’s risk profile.
They run dozens of workshops each year at
which employees from all levels and functions identify and rank the principal
risks they see to the company’s strategic objectives. Employees use an
anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms
of its impact, the likelihood of occurrence, and the strength of existing
controls.
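The reason for setting up a dedicated RM unit, rather than letting each unit hold both authority and responsibility (bearing its own risk), is that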
The danger from embedding risk managers
within the line organization is that they “go native”—becoming deal makers
rather than deal questioners.
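Separate the offense and defense roles, good cop and bad cop, so that unit heads do not become conflicted or weigh risk on their own (burying cases or ignoring risk for the sake of performance numbers)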
The corporate-level capital-planning
process allocates hundreds of millions of dollars, principally to projects that
reduce risk effectively and efficiently. The risk group draws upon technical
experts to challenge line engineers’ investment plans and risk assessments and
to provide independent expert oversight to the resource allocation process. At
the annual capital allocation meeting, line managers have to defend their
proposals in front of their peers and top executives. Managers want their
projects to attract funding in the risk-based capital planning process, so they
learn to overcome their bias to hide or minimize the risks in their areas of
accountability.
Embedded experts.
Internal experts help assess investment risk; banks
Risk managers, embedded within the line
organization, report to both line executives and a centralized, independent
risk-management function. The face-to-face contact with line managers enables
the market-savvy risk managers to continually ask “what if” questions,
challenging the assumptions of portfolio managers and forcing them to look at
different scenarios. Risk managers assess how proposed trades affect the risk
of the entire investment portfolio, not only under normal circumstances but
also under times of extreme stress, when the correlations of returns across
different asset classes escalate.
Avoiding the Function Trap
The various risks get sorted and handed out separately to IT, operations, finance…
Such organizational silos disperse both
information and responsibility for effective risk management. They inhibit
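discussion of how different risks interact. This keeps information from flowing and overlooks how risks are linked
Managers can develop a companywide risk
perspective by anchoring their discussions in strategic planning. In company-level strategic planning, discuss the company's risk profile and risk map
Example: Volkswagen
The company's strategic objectives and the state of each risk
Managing the Uncontrollable (natural disasters and political and economic upheaval)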
External risks lie largely outside the
company’s control; companies should focus on identifying them, assessing their
potential impact, and figuring out how best to mitigate their effects should
they occur. Some external risk events are sufficiently imminent that managers
can manage them as they do their strategy risks. For example, global financial
crisis.
Most external risk events, however, require
a different analytic approach either because their probability of occurrence is
very low or because managers find it difficult to envision them during their
normal strategy processes. We have identified several different sources of
external risks:
Natural and economic disasters with immediate impact.
These risks are predictable in a general
way, although their timing is usually not (a large earthquake will hit someday
in California,
but there is no telling exactly where or when). They may be anticipated only by
relatively weak signals. Examples include natural disasters such as the 2010
Icelandic volcano eruption that closed European airspace for a week and
economic disasters such as the bursting of a major asset price bubble. When
these risks occur, their effects are typically drastic and immediate, as we saw
in the disruption from the Japanese earthquake and tsunami in 2011.
Geopolitical and environmental changes with long-term impact.
These include political shifts such as
major policy changes, coups, revolutions, and wars; long-term environmental
changes such as global warming; and depletion of critical natural resources
such as fresh water.
Competitive risks with medium-term impact.
These include the emergence of disruptive
technologies (such as the internet, smartphones, and bar codes) and radical
strategic moves by industry players (such as the entry of Amazon into book
retailing and Apple into the mobile phone and consumer electronics industries).
Approaches for external risk.
Tail-risk stress tests.
Stress tests for extreme events (to find the threshold the organization can withstand, for Natural and economic disasters with immediate impact, so as to be ready when needed)
Stress-testing helps companies assess major
changes in one or two specific variables whose effects would be major and
immediate, although the exact timing is not forecastable. Financial services
firms use stress tests to assess, for example, how an event such as the
tripling of oil prices, a large swing in exchange or interest rates, or the
default of a major institution or sovereign country would affect trading
positions and investments.
Scenario planning.
Scenario projection and estimation (for the medium to long term, 5-10 years, of Geopolitical and environmental changes)
This tool is suited for long-range
analysis, typically five to 10 years out. Originally developed at Shell Oil in
the 1960s, scenario analysis is a systematic process for defining the plausible
boundaries of future states of the world. Participants examine political,
economic, technological, social, regulatory, and environmental forces and
select some number of drivers—typically four—that would have the biggest impact
on the company. Some companies explicitly draw on the expertise in their
advisory boards to inform them about significant trends, outside the company’s
and industry’s day-to-day focus, that should be considered in their scenarios.
For each of the selected drivers,
participants estimate maximum and minimum anticipated values over five to 10
years. Combining the extreme values for each of four drivers leads to 16
scenarios. About half tend to be implausible and are discarded; participants
then assess how their firm’s strategy would perform in the remaining scenarios.
If managers see that their strategy is contingent on a generally optimistic
view, they can modify it to accommodate pessimistic scenarios or develop plans
for how they would change their strategy should early indicators show an
increasing likelihood of events turning against it.
War-gaming.
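"Kill-table" war-gaming for Competitive risks with medium-term impact. Find your own strengths and weaknesses relative to rivals, and each side's vulnerabilities and possible strategies; short term, 1-3 years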
War-gaming assesses a firm’s vulnerability
to disruptive technologies or changes in competitors’ strategies. In a
war-game, the company assigns three or four teams the task of devising
plausible near-term strategies or actions that existing or potential
competitors might adopt during the next one or two years—a shorter time horizon
than that of scenario analysis. The teams then meet to examine how clever
competitors could attack the company’s strategy. The process helps to overcome
the bias of leaders to ignore evidence that runs counter to their current
beliefs, including the possibility of actions that competitors might take to
disrupt their strategy.
After the analysis above, the next steps are
Buy insurance or diversify investments to hedge
Prepare engineering investments to reduce losses…
The Leadership Challenge
Managing risk is very different from
managing strategy. Risk management focuses on the negative—threats and failures
rather than opportunities and successes. It runs exactly counter to the “can
do” culture most leadership teams try to foster when implementing strategy. And
many leaders have a tendency to discount the future; they’re reluctant to spend
time and money now to avoid an uncertain future problem that might occur down
the road, on someone else’s watch. Moreover, mitigating risk typically involves
dispersing resources and diversifying investments, just the opposite of the
intense focus of a successful strategy. Managers may find it antithetical to
their culture to champion processes that identify the risks to the strategies
they helped to formulate.
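The fundamental problems
1. Human nature: people prefer discussing positive chances of success over negative possibilities of failure (they tend to chase home runs and past glory rather than endure and survive to the end)
2. Conflict with an organizational culture (that encourages bold risk-taking)
3. The dilemma between strategy and resources: concentrate everything on one bet, or spend resources on spreading the risk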
A company’s ability to weather storms
depends very much on how seriously executives take their risk-management
function when the sun is shining and no clouds are on the horizon. (It depends on the risk appetite, perceptions and trade-offs of the chief and whoever is at the helm.)
Further, executives routinely ignored risk
managers’ warnings.
---------------------------------------------------------------------------------
The Six Mistakes Executives Make in Risk Management
Nassim N. Taleb (author of The Black Swan), Daniel G. Goldstein, and Mark W. Spitznagel
1. We think we can manage risk by predicting extreme events.
This is the worst error we make, for a
couple of reasons. One, we have an abysmal record of predicting Black Swan
events. Two, by focusing our attention on a few extreme scenarios, we neglect
other possibilities. In the
process, we become more vulnerable.
It’s more effective to
focus on the consequences—that is, to evaluate the possible impact of extreme
events. Realizing this, energy companies have finally
shifted from predicting when accidents in nuclear plants might happen to
preparing for the eventualities. In the same way, try to gauge how your company
will be affected, compared with competitors, by dramatic changes in the
environment. Will a small but unexpected fall in demand or supply affect your
company a great deal? If so, it won’t be able to withstand sharp drops in
orders, sudden rises in inventory, and so on.
2. We are convinced that studying the past will help us manage risk.
Risk managers mistakenly
use hindsight as foresight. Alas, our research shows
that past events don’t bear any relation to future shocks. World War I, the
attacks of September 11, 2001—major events like those didn’t have predecessors.
The same is true of price changes. Until the late 1980s, the worst decline in
stock prices in a single day had been around 10%. Yet prices tumbled by 23% on
October 19, 1987. Why then would anyone have expected a meltdown after that to
be only as little as 23%? History fools many.
Because of socioeconomic randomness, there’s no such thing as a “typical” failure or a “typical”
success. There are typical heights and weights, but there’s no such
thing as a typical victory or catastrophe. We have to predict both an event and
its magnitude, which is tough because impacts aren’t typical in complex
systems. For instance, when we studied the pharmaceuticals industry, we found
that most sales forecasts don’t correlate with new drug sales. Even when
companies had predicted success, they underestimated drugs’ sales by 22 times!
Predicting major changes is almost impossible.
3. We don’t listen to advice about what we shouldn’t do.
Recommendations of the “don’t” kind are
usually more robust than “dos.” For instance, telling someone not to smoke
outweighs any other health-related advice you can provide. “The harmful effects
of smoking are roughly equivalent to the combined good ones of every medical
intervention developed since World War II.”
Psychologists distinguish between acts of
commission and those of omission. Although their impact is the same in economic
terms—a dollar not lost is a dollar earned—risk managers don’t treat them
equally. They place a greater emphasis on earning
profits than they do on avoiding losses. However, a company can be
successful by preventing losses while its rivals go bust—and it can then take
market share from them. In chess, grand masters focus
on avoiding errors; rookies try to win. Similarly, risk managers don’t
like not to invest and thereby conserve value. But consider where you would be
today if your investment portfolio had remained intact over the past two years,
when everyone else’s fell by 40%. Not losing almost half your retirement is
undoubtedly a victory.
4. We assume that risk can be measured by standard deviation.
Standard deviation—used extensively in
finance as a measure of investment risk—shouldn’t be used in risk management.
The standard deviation corresponds to the square root of average squared
variations—not average variations. The use of squares and square roots makes
the measure complicated. It only means that, in a world of tame randomness,
around two-thirds of changes should fall within certain limits (the –1 and +1
standard deviations) and that variations in excess of seven standard deviations
are practically impossible. However, this is inapplicable in real life, where
movements can exceed 10, 20, or sometimes even 30 standard deviations. Risk
managers should avoid using methods and measures connected to standard
deviation, such as regression models, R-squares, and betas.
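An added example (not from the article or from this blog) that puts numbers on the passage above: the chance of a move beyond k standard deviations under a normal distribution, next to the same chance under a fat-tailed one. The Student-t distribution with 3 degrees of freedom, the 252 observations per year and all function names are assumptions chosen for this illustration.

```python
import math

def gaussian_tail(k):
    """P(|X - mean| > k standard deviations) under a normal distribution."""
    return math.erfc(k / math.sqrt(2.0))

def student_t3_tail(k):
    """Same probability under Student-t with 3 degrees of freedom.

    Assumption of this example: t(3) stands in for a fat-tailed process.
    Its standard deviation is sqrt(3), so "k sigma" is the point k*sqrt(3);
    the closed-form CDF of t(3) then reduces to the expression below.
    """
    return 1.0 - (2.0 / math.pi) * (k / (1.0 + k * k) + math.atan(k))

def years_between(p_per_day, days_per_year=252):
    """Mean wait, in years, between daily observations of probability p.

    252 observations per year is an assumed trading-day count.
    """
    return 1.0 / (p_per_day * days_per_year)

def compare(ks=(1, 3, 7, 10, 20, 30)):
    """Rows of (k, normal tail, t(3) tail, times likelier under t(3))."""
    rows = []
    for k in ks:
        g, t = gaussian_tail(k), student_t3_tail(k)
        rows.append((k, g, t, t / g))
    return rows

if __name__ == "__main__":
    print(f"{'k sigma':>8} {'normal':>12} {'t(3)':>12} {'t(3) wait, yrs':>15}")
    for k, g, t, _ in compare():
        print(f"{k:>8} {g:>12.3e} {t:>12.3e} {years_between(t):>15.1f}")
```

Both distributions are scaled to the same standard deviation, so that single number cannot tell them apart; only the tails differ.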
5. We don’t appreciate that what’s mathematically equivalent isn’t
psychologically so.
Providing a best-case
scenario usually increases the appetite for risk. Always look for the different
ways in which risk can be presented to ensure that you aren’t being taken in by
the framing or the math.
If you tell investors that, on average,
they will lose all their money only every 30 years, they are more likely to
invest than if you tell them they have a 3.3% chance of losing a certain amount
each year.
The same is true of airplane rides. We
asked participants in an experiment: “You are on vacation in a foreign country
and are considering flying the national airline to see a special island you
have always wondered about. Safety statistics in this country show that if you
flew this airline once a year there would be one crash every 1,000 years on
average. If you don’t take the trip, it is extremely unlikely you’ll revisit
this part of the world again. Would you take the flight?” All the respondents
said they would.
We then changed the second sentence so it
read: “Safety statistics show that, on average, one in 1,000 flights on this
airline has crashed.” Only 70% of the sample said they would take the flight.
In both cases, the chance of a crash is 1
in 1,000; the latter formulation simply sounds more risky.
6. We are taught that efficiency and maximizing shareholder value don’t
tolerate redundancy.
In companies, redundancy consists of
apparent inefficiency: idle capacities, unused parts, and money that isn’t put
to work. The opposite is leverage, which we are taught is good. It isn’t; debt
makes companies—and the economic system—fragile. If you are highly leveraged,
you could go under if your company misses a sales forecast, interest rates
change, or other risks crop up. If you aren’t carrying debt on your books, you
can cope better with changes.
Overspecialization hampers companies’
evolution. David Ricardo’s theory of comparative advantage recommended that for
optimal efficiency, one country should specialize in making wine, another in
manufacturing clothes, and so on. Arguments like this ignore unexpected
changes. What will happen if the price of wine collapses? In the 1800s many
cultures in Arizona and New Mexico vanished because they depended on
a few crops that couldn’t survive changes in the environment.…
Remember that the biggest
risk lies within us: We overestimate our abilities and underestimate what can
go wrong. The ancients considered hubris the greatest
defect, and the gods punished it mercilessly. Look at the number of heroes who
faced fatal retribution for their hubris: Achilles and Agamemnon died as a
price of their arrogance; Xerxes failed because of his conceit when he attacked
Greece;
and many generals throughout history have died for not recognizing their
limits. Any corporation that doesn’t recognize its Achilles’ heel is fated to
die because of it.