網頁

2018年2月24日 星期六

筆記:HBR- Risk Management

分類是人類解決問題的智慧,來看看人家如何分類風險與解決問題的智慧
能不能控制?
如何設立風險管理機制
短中長期對策
有哪些心理陷阱與常見問題 

風險管理是門給贏家老闆的帝王學,不適合年幼無知的打工仔與層次格調太低的(boss, seafood and guru)

Managing Risks: A New Framework
Robert S. Kaplan(平衡計分卡)  Anette Mikes


The Six Mistakes Executives Make in Risk Management
Nassim N. Taleb(黑天鵝作者), Daniel G. Goldstein, and Mark W. Spitznagel






Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
風險管理不能光靠制定規則,還要看看外部環境變化如何影響組織整提營運與策略的運作(導致內部人員是否遵守規定..)
looking at how organizations can identify and prepare for non-preventable risks that arise externally to their strategy and operations.

要靠(平等溝通)對話而非(由上而下)制定規則
Managing Risk: Rules or Dialogue?
人們通常不願意討論風險(呸呸呸,烏鴉嘴),直到太遲
individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.(如果公司文化又是保密防諜/官大學問大/命令式的那種高階主管通常也不願意或沒有分享資訊的習慣)


三種類型的風險
Category I: Preventable risks. (營運層次/內部)
These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.
This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.
這類對於公司沒有任何好處,要有嚴謹的內控內稽規範人員遵守規定(可以用rule 來管控風險)

Category II: Strategy risks. (外部/策略、產業與business層次)
A company voluntarily accepts some risk in order to generate superior returns from its strategy. 高風險才有高報酬No guts, no glory.
Strategy risks are quite different from preventable risks because they are not inherently undesirable. Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.(沒有辦法用rule來管控風險,需要有一套系統或制度(精算?)讓公司能夠比對手更有效的管理這類風險enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.)

Category III: External risks. (外部環境,包含天災與政經巨變,公司個體無法掌控)
Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

公司的風險管理要依據以上三類加以剪裁量身訂做



 

為何風險管理不給力

Risk mitigation is painful, not a natural act for humans to perform.
人通常難以對未來與事前-想清楚/規畫周詳(通常是走一步算一步)
告訴老闆種種疑慮與可能對策也很難讓上級幫你升官加薪

People overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.(太過高估自己的預測)
We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future.(依據過去已知經驗進行線性推估未來情勢)
因為事前的猜測與預估說的不清不楚,所以事後總能穿鑿附會/推卸責任(欸,沒有人能夠正確預測未來,無須苛求與苛責任何人…)
Organizational biases also inhibit our ability to discuss risk and failure.組織官僚與政治氣息讓人更難討論可能出錯的風險:大家只是透過開會來完成了一個決策與管理風險的動作,實際上是另一回事
Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority.

Firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.現實決策情境是:太多資訊,難以判斷哪些是狼來了真實訊號亦或誤警
Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches.

Managing Strategy Risks
Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information.

Independent experts.
找外部專家來當魔鬼代言人
航太業JPL的例子
Establish a risk review board made up of independent technical experts whose role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions. The experts ensure that evaluations of risk take place periodically throughout the product-development cycle.

The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects. The board members, acting as devil’s advocates, counterbalance the engineers’ natural overconfidence, helping to avoid escalation of commitment to projects with unacceptable levels of risk.

Facilitators.
設立總部單位,幫助彙整資訊與避免見樹不見林
能源業
Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision makers with a full picture of the company’s risk profile.
They runs dozens of workshops each year at which employees from all levels and functions identify and rank the principal risks they see to the company’s strategic objectives. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls.

之所以要成立專責RM單位,而不是讓各單位權責合一(風險自負)是因為
The danger from embedding risk managers within the line organization is that they “go native”—becoming deal makers rather than deal questioners.
分開扮演攻守與黑白臉,免得單位主管精神認知錯亂、或自行衡量風險(為了績效吃案/忽視風險)
The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently. The risk group draws upon technical experts to challenge line engineers’ investment plans and risk assessments and to provide independent expert oversight to the resource allocation process. At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives. Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability.

Embedded experts.
內部專家協助評估投資風險,銀行
Risk managers, embedded within the line organization, report to both line executives and a centralized, independent risk-management function. The face-to-face contact with line managers enables the market-savvy risk managers to continually ask “what if” questions, challenging the assumptions of portfolio managers and forcing them to look at different scenarios. Risk managers assess how proposed trades affect the risk of the entire investment portfolio, not only under normal circumstances but also under times of extreme stress, when the correlations of returns across different asset classes escalate.


Avoiding the Function Trap
各種risk會各自歸類分發給IT、營運部門、財務部門
Such organizational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. 讓資訊沒流通與忽視風險的連動

Managers can develop a companywide risk perspective by anchoring their discussions in strategic planning. 在公司層級的策略規劃,討論公司的風險樣貌與地圖
範例福斯汽車

個別單一風險的管制卡
 
公司策略目標與各項風險的態勢


Managing the Uncontrollable (天災與政經巨變)
External risks lie largely outside the company’s control; companies should focus on identifying them, assessing their potential impact, and figuring out how best to mitigate their effects should they occur. Some external risk events are sufficiently imminent that managers can manage them as they do their strategy risks. For example, global financial crisis.

Most external risk events, however, require a different analytic approach either because their probability of occurrence is very low or because managers find it difficult to envision them during their normal strategy processes. We have identified several different sources of external risks:

Natural and economic disasters with immediate impact.
These risks are predictable in a general way, although their timing is usually not (a large earthquake will hit someday in California, but there is no telling exactly where or when). They may be anticipated only by relatively weak signals. Examples include natural disasters such as the 2010 Icelandic volcano eruption that closed European airspace for a week and economic disasters such as the bursting of a major asset price bubble. When these risks occur, their effects are typically drastic and immediate, as we saw in the disruption from the Japanese earthquake and tsunami in 2011.

Geopolitical and environmental changes with long-term impact.
These include political shifts such as major policy changes, coups, revolutions, and wars; long-term environmental changes such as global warming; and depletion of critical natural resources such as fresh water.

Competitive risks with medium-term impact.
These include the emergence of disruptive technologies (such as the internet, smartphones, and bar codes) and radical strategic moves by industry players (such as the entry of Amazon into book retailing and Apple into the mobile phone and consumer electronics industries).


Approaches for external risk.
Tail-risk stress tests.
極端事件壓力測試(看組織承受的門檻for Natural and economic disasters with immediate impact.以備不時之需)
Stress-testing helps companies assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable. Financial services firms use stress tests to assess, for example, how an event such as the tripling of oil prices, a large swing in exchange or interest rates, or the default of a major institution or sovereign country would affect trading positions and investments.

Scenario planning.
情境推演預估(for 中長期5-10of Geopolitical and environmental changes)
This tool is suited for long-range analysis, typically five to 10 years out. Originally developed at Shell Oil in the 1960s, scenario analysis is a systematic process for defining the plausible boundaries of future states of the world. Participants examine political, economic, technological, social, regulatory, and environmental forces and select some number of drivers—typically four—that would have the biggest impact on the company. Some companies explicitly draw on the expertise in their advisory boards to inform them about significant trends, outside the company’s and industry’s day-to-day focus, that should be considered in their scenarios.
For each of the selected drivers, participants estimate maximum and minimum anticipated values over five to 10 years. Combining the extreme values for each of four drivers leads to 16 scenarios. About half tend to be implausible and are discarded; participants then assess how their firm’s strategy would perform in the remaining scenarios. If managers see that their strategy is contingent on a generally optimistic view, they can modify it to accommodate pessimistic scenarios or develop plans for how they would change their strategy should early indicators show an increasing likelihood of events turning against it.

War-gaming.
盤推演for Competitive risks with medium-term impact. 找出自己相對於對手的長短處、雙方各自的脆弱與可能策略;短期1-3
War-gaming assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies. In a war-game, the company assigns three or four teams the task of devising plausible near-term strategies or actions that existing or potential competitors might adopt during the next one or two years—a shorter time horizon than that of scenario analysis. The teams then meet to examine how clever competitors could attack the company’s strategy. The process helps to overcome the bias of leaders to ignore evidence that runs counter to their current beliefs, including the possibility of actions that competitors might take to disrupt their strategy.

經過以上分析,接下來是
買保險或進行投資分散避險hedging
工程投資準備,降低損失


The Leadership Challenge
Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. And many leaders have a tendency to discount the future; they’re reluctant to spend time and money now to avoid an uncertain future problem that might occur down the road, on someone else’s watch. Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.
根本的問題
1.人性-喜歡討論正面成功機會甚於負面失敗可能(往往追求全壘打與曾經輝煌而非忍耐存活到最後)
2.(鼓勵冒險犯難的)組織文化衝突
3.策略與資源的兩難-要集中賭一把還是把資源用分散風險

A company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.(要看頭目與掌舵的對於風險的偏好與認知取捨)
Further, executives routinely ignored risk managers’ warnings.


--------------------------------------------------------------------------------- 

The Six Mistakes Executives Make in Risk Management
Nassim N. Taleb(黑天鵝作者), Daniel G. Goldstein, and Mark W. Spitznagel

1. We think we can manage risk by predicting extreme events.
This is the worst error we make, for a couple of reasons. One, we have an abysmal record of predicting Black Swan events. Two, by focusing our attention on a few extreme scenarios, we neglect other possibilities. In the process, we become more vulnerable.
It’s more effective to focus on the consequences—that is, to evaluate the possible impact of extreme events. Realizing this, energy companies have finally shifted from predicting when accidents in nuclear plants might happen to preparing for the eventualities. In the same way, try to gauge how your company will be affected, compared with competitors, by dramatic changes in the environment. Will a small but unexpected fall in demand or supply affect your company a great deal? If so, it won’t be able to withstand sharp drops in orders, sudden rises in inventory, and so on.


2. We are convinced that studying the past will help us manage risk.
Risk managers mistakenly use hindsight as foresight. Alas, our research shows that past events don’t bear any relation to future shocks. World War I, the attacks of September 11, 2001—major events like those didn’t have predecessors. The same is true of price changes. Until the late 1980s, the worst decline in stock prices in a single day had been around 10%. Yet prices tumbled by 23% on October 19, 1987. Why then would anyone have expected a meltdown after that to be only as little as 23%? History fools many.

Because of socioeconomic randomness, there’s no such thing as a “typical” failure or a “typical” success. There are typical heights and weights, but there’s no such thing as a typical victory or catastrophe. We have to predict both an event and its magnitude, which is tough because impacts aren’t typical in complex systems. For instance, when we studied the pharmaceuticals industry, we found that most sales forecasts don’t correlate with new drug sales. Even when companies had predicted success, they underestimated drugs’ sales by 22 times! Predicting major changes is almost impossible.


3. We don’t listen to advice about what we shouldn’t do.
Recommendations of the “don’t” kind are usually more robust than “dos.” For instance, telling someone not to smoke outweighs any other health-related advice you can provide. “The harmful effects of smoking are roughly equivalent to the combined good ones of every medical intervention developed since World War II.

Psychologists distinguish between acts of commission and those of omission. Although their impact is the same in economic terms—a dollar not lost is a dollar earned—risk managers don’t treat them equally. They place a greater emphasis on earning profits than they do on avoiding losses. However, a company can be successful by preventing losses while its rivals go bust—and it can then take market share from them. In chess, grand masters focus on avoiding errors; rookies try to win. Similarly, risk managers don’t like not to invest and thereby conserve value. But consider where you would be today if your investment portfolio had remained intact over the past two years, when everyone else’s fell by 40%. Not losing almost half your retirement is undoubtedly a victory.


4. We assume that risk can be measured by standard deviation.
standard deviation—used extensively in finance as a measure of investment risk—shouldn’t be used in risk management. The standard deviation corresponds to the square root of average squared variations—not average variations. The use of squares and square roots makes the measure complicated. It only means that, in a world of tame randomness, around two-thirds of changes should fall within certain limits (the –1 and +1 standard deviations) and that variations in excess of seven standard deviations are practically impossible. However, this is inapplicable in real life, where movements can exceed 10, 20, or sometimes even 30 standard deviations. Risk managers should avoid using methods and measures connected to standard deviation, such as regression models, R-squares, and betas.


5. We don’t appreciate that what’s mathematically equivalent isn’t psychologically so.
Providing a best-case scenario usually increases the appetite for risk. Always look for the different ways in which risk can be presented to ensure that you aren’t being taken in by the framing or the math.

If you tell investors that, on average, they will lose all their money only every 30 years, they are more likely to invest than if you tell them they have a 3.3% chance of losing a certain amount each year.

The same is true of airplane rides. We asked participants in an experiment: “You are on vacation in a foreign country and are considering flying the national airline to see a special island you have always wondered about. Safety statistics in this country show that if you flew this airline once a year there would be one crash every 1,000 years on average. If you don’t take the trip, it is extremely unlikely you’ll revisit this part of the world again. Would you take the flight?” All the respondents said they would.

We then changed the second sentence so it read: “Safety statistics show that, on average, one in 1,000 flights on this airline has crashed.” Only 70% of the sample said they would take the flight. In both cases, the chance of a crash is 1 in 1,000; the latter formulation simply sounds more risky.


6. We are taught that efficiency and maximizing shareholder value don’t tolerate redundancy.
In companies, redundancy consists of apparent inefficiency: idle capacities, unused parts, and money that isn’t put to work. The opposite is leverage, which we are taught is good. It isn’t; debt makes companies—and the economic system—fragile. If you are highly leveraged, you could go under if your company misses a sales forecast, interest rates change, or other risks crop up. If you aren’t carrying debt on your books, you can cope better with changes.

Overspecialization hampers companies’ evolution. David Ricardo’s theory of comparative advantage recommended that for optimal efficiency, one country should specialize in making wine, another in manufacturing clothes, and so on. Arguments like this ignore unexpected changes. What will happen if the price of wine collapses? In the 1800s many cultures in Arizona and New Mexico vanished because they depended on a few crops that couldn’t survive changes in the environment.…


Remember that the biggest risk lies within us: We overestimate our abilities and underestimate what can go wrong. The ancients considered hubris the greatest defect, and the gods punished it mercilessly. Look at the number of heroes who faced fatal retribution for their hubris: Achilles and Agamemnon died as a price of their arrogance; Xerxes failed because of his conceit when he attacked Greece; and many generals throughout history have died for not recognizing their limits. Any corporation that doesn’t recognize its Achilles’ heel is fated to die because of it.



沒有留言:

張貼留言