Why do some companies grow steadily larger, and others bounce up and down? Why do some stay the course, while others collapse? Managing the firm’s internal risk is a good start. Call it Murphy’s Law, chaos theory or entropy — things happen. If the firm anticipates and effectively manages those things, then stability and growth are sustained. If not, well, do you recall the fraudulent trader Nick Leeson who brought down Barings Bank, Britain’s oldest investment house? If only it had Dana Michael, W’82, who is Senior Operational Risk Manager at Swiss Re. Dana, who also serves on the Board of Directors of the Wharton Club of New York, shares insights to keep your organization on the up and up.

What is operational risk management?

Operational risk is the risk that a mistake is made, causing the company to suffer an economic loss or a financial recording error. Operational risk management (ORM) is a new discipline and only one component of an overall enterprise risk management program. Enterprise risk includes all the risks that can affect an organization, such as credit, insurance, merging, liquidity, regulatory and investment risks. Swiss Re, as a large specialized organization, retains departments to manage all these different aspects of risk. For example, we have actuaries who monitor investment portfolio risk ─ I’m in the operational risk aspect of it.

What is the key to managing operational risk?

It is to make sure you do what you plan to do. An example would be when we give a quote — we require that a second person looks at the quote, a four-eye review, to make sure that errors are not being made. If someone accidentally misplaces a decimal point, then a profitable treaty becomes a loss treaty. So, by having someone else look at it, we avoid that little error or mistake. “Treaty” is a reinsurance term for the contracts we negotiate with our customers. When reinsurance began 100 years ago, agreements were often on the back of an envelope. Someone would say, “OK, I’m taking half of your risk, and if a loss happens, I’ll pay you for half. In exchange, I get half of your premium.” These formerly informal contracts became known as “treaties.”

Are you implementing these controls for Swiss Re’s clients?

No. Operational risk is within Swiss Re. We’re in the business of taking on customers’ insured risk, say, of hurricanes, and we receive premiums allowing us to pay off those claims. But we are not in the business and do not get paid a premium for accidentally writing our treaty wrong — so that is something that we try to get as close to zero as possible.

As a large international reinsurance company, we are the subject, ultimately, of Solvency II over in Europe. Solvency II is kind of the insurance equivalent to the Basel regulations in the banking sector. Solvency II basically says, “OK, you have certain types of risks out there. You need to place in reserve a certain amount of your capital to cover those risks. After you set aside your capital for those risks, how much excess capital do you have?” As part of Solvency II, one of the things we’re doing is something called “Risk and Control Related Behavior.” We require that our executive management in our different divisions take responsibility for their risks from an operational standpoint, and make sure the controls around those are in place. It’s a “Tone at the Top” type of view of the world that management needs to own things, to make sure things are working, that you cannot rely on your auditors to find problems, and that you need to know your problems yourself and take care of them. We rolled out this initiative within the past two years, and now, it can affect our top management’s compensation. If they manage their own risks, then they should get the full bonus, but if for example, they write a treaty at half of the price that they should have, then that’s going to affect their compensation. If someone’s been identified as not having managed risks well in the past, they become very motivated to turn that around.

How do you train managers to maintain their controls?

How they manage controls is different, based on their product lines, but we want them to demonstrate positive risk-control related behavior, including having all the key risks identified for their areas. Managers can be blindsided by a problem they never thought about, so they need to think outside of the box and determine what their risks are. We have something called an “incident reporting process,where, if the controls break down, they need to write a report on that saying, “We failed to give it a second review, and as a result, the client ended up getting a quote that was wrong. Ultimately, the client didn’t make us stand by the quote, but still, we made
a mistake and need to fix it, going forward.” So, the whole risk and control behavior aspect is all around owning what your risks are, identifying when there are problems and fixing those problems.

The owners of the World Trade Center brought a suit against Swiss Re in 2006, which Swiss Re won.

We had given a binder (a high-level quote) that said we would cover its business. The full contract, which hadn’t been written yet, would have contained all the specifics, such as the amount of claims to be paid out, if one event or two events occurred, based on the amount of time in between the events or based on the cause. With the World Trade Center, the situation was that two planes went into the two buildings. If it was considered two events, we would have had to pay out more insurance claims than if it was considered one event. Our argument was simply that, whether or not the second plane hit was a different event from the first plane hit, there was no contract in place. Because it was a binder, without all the specifics written down, it was based on what was standard or customary for that type of quote. Luckily, we did end up winning it; it would’ve caused a couple of billion dollars of loss for Swiss Re had we lost the suit.

In terms of the operations risk, what worked?

It might have been more of what went wrong, because in theory, when we give the binder, it should go to contract as soon as possible so that the terms are clear. We had bad luck after binding, because there wasn’t time.

Who are Swiss Re’s major customers?

Swiss Re sells reinsurance protection to insurance companies so they can meet  their clients’ needs. Swiss Re is the second largest reinsurer worldwide, and has a strong capital base to meet the needs of insurance companies’ retail coverage. We cover a lot of
different risks. Sometimes I don’t realize what we’re covering until after I’ve dug into something. Then, I’ll install operational risk concepts that are similar across whole divisions, as well as specific controls based on different risk profiles.

From the standpoint of our customers, reinsurance is a transfer of risk arrangement. Say, Travelers Insurance wants to limit its hurricane exposure in the United States. It brings in Swiss Re, and Swiss Re says, “OK, we’ll take $2 billion worth of hurricane exposure from you.” Then, the hurricane hits, and it limits Travelers’ exposure.

Where we benefit is that we pick up big blocks of risks that are diversified worldwide. We may do hurricanes in the United States, windstorms in Europe and typhoons in Asia. So, it may be bad in the United States one year, and bad in Asia another year, but overall, it diversifies our risk. For example, we had an $800 million loss from Hurricane Sandy, but from our standpoint, that was actually not a bad outcome. However, we had close to $2 billion losses when it came to the tsunami in Japan, and the Christchurch earthquake a year ago, which hit our profitability. Swiss Re also issues catastrophe bonds. In exchange for a higher yield, if a major hurricane hits and a lot of claims are paid out, the bond will pay less principal back. This allows us to transfer some risk to the financial markets. The financial markets like that, because it’s an uncorrelated risk to other things like interest rates.

Can you share a day in the life of a senior operational risk manager?

I focus on the reinsurance business of North America, working with the reinsurance leaders to make sure they have their controls in place, have identified problems and understand where the risks are. I will go in and review risks of particular areas and try to help them with that. I do conference calls with Europe and Zurich and other offices worldwide. Recently, I visited our operations in Brazil. In order to meet Brazilian regulations, which require capital to be maintained there, and to stay closer to our clients’ requirements, we bought an agricultural insurance firm two years ago. So, I went there in March to look at its controls and operations.

In 2005, some financial institutions decided that they did not understand the derivative transactions occurring on their trading floors and exited those deals. Is that an example of ORM?

That may be more a matter of managing strategic risk. Swiss Re had a situation like that — we wrote a couple of credit default swaps back in 2007. Then, when 2008 hit, we took a loss of about $1.5 billion, and our stock price dropped dramatically — we ended up having to borrow money from Warren Buffett. He made a pretty penny — a 15% coupon rate, 20% early elimination — and if we didn’t pay it back on time, he would get 20% of the company. Our choice to write this business was more of a strategic decision. It wasn’t a case of someone not referring the investment to the right person to get an approval.

Does recognizing and effectively managing risks actually give rise to more daring, more creativity?

There’s an operational saying I’ve heard. Does having brakes on the car mean you go slower or faster?

Faster?

Exactly. Because if you have no brakes on the car, you have to drive very slowly, and coast to a stop so you don’t crash the car. By having those brakes, those controls, you can drive a lot faster and brake to slow down when you need to. This allows you to reach your destination faster. Having controls around operations actually allows you to do more and take more risks. One of the controls we have is worldwide credit limits on how much risk we want to take — so, let’s say, in Japan, we want to have only a $1 billion exposure for earthquakes, because Japan has earthquakes all the time. That allows us to write the $1 billion of business in Japan, but not go beyond that, because we decided in advance that we don’t have to lose sleep at night that we have taken excessive exposure. We know that, if we take a $1 billion hit, then the market will be fine with that. But if we took a $20 billion hit, our capital would get beaten up.

Is there a book that inspires you?

The Autobiography of Benjamin Franklin. Besides Franklin being the founder of the University, it’s interesting to see the way he establishes his paradigm in why he did certain things and how he valued his life.

How did you become Chairman of the worldwide Wharton Alumni Association?

After Wharton, I worked in Hartford. I didn’t know anyone in the area, so I joined a few groups to get to know people, and one of those was the Wharton Club of Hartford. We were a startup; I started out as a Board Member, and became Treasurer, and then became President of the Club. We had 100 people in the Club paying dues, out of 600 people in the Hartford area. When I moved to New York City, I joined the national Wharton Board.

What volunteering have you done recently?

I currently Co-Chair a Penn Alumnus National Benchmarking Committee, where we take on topics that the Alumni Relations Office is interested in. We try to find information from the surveys on what’s being done at other schools and provide feedback. I played saxophone in the Penn Band, and the fun thing about that is, at homecoming, band alumni can sit with the band and go on Franklin Field with their families during the halftime show. What my kids and I do is help spell out the word “Pennsylvania” in script form across the whole field. It’s fun.