
Risk management is difficult, but even when it’s easy, companies and policymakers often do something other than optimal risk mitigation. This isn’t puzzling, once we realize that the incentives in place give the decisionmakers the leeway, or even positive incentives, to behave sub-optimally. There are three types that seem most relevant, along with a few (anonymized) stories from when I was working in reinsurance of how they play out in practice.

### Sleeping Pills

Occasionally, a small insurance company would purchase reinsurance for things that didn’t make business sense for their company. I might have seen a home insurance company in Ohio that had fifty million dollars in reserve, then would buy reinsurance for hurricanes that covered all losses greater than ten and less than twenty-five million dollars. Yes, there are hurricanes that impact Ohio, such as Xenia in 1974 and Ike in 2008, but they weren’t large enough to even hit the minimum for this type of policy. Not only that, but the company had money in reserves to cover this incredibly unlikely loss, and buying reinsurance isn't cheap. Let’s say that between brokers, transaction costs, and everything else, it cost them a hundred thousand dollars to cover an expected loss of ten thousand dollars.

Noticing this, I asked why they wanted this policy. My boss told me it was a sleeping pill. He explained that the CEO of the insurance company would get really nervous and unhappy every time a hurricane was approaching the US, and that this CEO had decided they didn’t want to worry anymore. That isn’t unreasonable - most people who buy travel insurance to cover their $1,000 vacation could just accept the risk, but they prefer not to worry. In general, buying risk mitigation isn’t worth the cost in expected value terms, but it is worthwhile because it can buy off the worry. In this case, it’s less innocuous, since the CEO was using company money to buy what amounted to personal sleeping pills. It happens because the CEO won’t ever be blamed for hedging the risk, and it cost the company a hundred thousand dollars per year, which was not enough for shareholders to notice.

### Theater Tickets

Once, we received a request from a client to train them in using the terrorism risk model they licensed. That’s not unusual, but they said that they wanted us to first come and install the software, then do a half day training. This seemed weird, since they had been licensing the software for several years, and we assumed they would have already installed it. They hadn’t. The software licenses weren’t cheap - I don’t remember the client or the amount, but it was easily a six-figure sum every year.

Why did they pay if they didn’t even use the model? It was what Bruce Schneier calls “Security Theater,” referring to acts that do nothing to change the risk, but look good. In this case, they wanted to tell their shareholders in their annual report that they had a model for assessing their terrorism risk, and six figures was cheap to be able to put on the show of risk-management and mitigation for their shareholders. In this case, they didn’t even need to put on a show - just waving the tickets they bought was enough. They paid money not to mitigate risk, but simply to make it look like they did.

### Staying Out of the Pool

There’s another phenomenon where managers don’t want to take risks that are good for the company but risky for their division - and their careers. The typical version is explained in a 1966 article in Harvard Business Review, "Utility theory, insights into risk taking." They asked managers if they’d take a 50-50 chance on a project that would either make $300,000, or lose $60,000, and the managers mostly said no.

The reason this is a bad decision is that even if the company prefers to avoid large risks, the company should want middle-managers to be taking smaller risks. They want small risks because there are lots of them, and in aggregate - by pooling the risks - the company is far better off having managers take them. For a single bet, the expected return is $120,000, but there’s a 50% chance of not only not coming out even, but actually losing money. If 6 managers took similar (uncorrelated) bets, the expected value is six times as large - it scales linearly - but the probability of losing money in that case is , or under 2%.
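The pooling argument above can be checked exactly. The following is an added example, not part of the original post: it computes the full distribution of the net result for n bets with the post's payoffs (+$300,000 / -$60,000 at 50-50). The `rho` common-shock parameter is an assumption introduced here to show what happens when the bets are not uncorrelated.

```python
from fractions import Fraction
from math import comb


def pooled_outcomes(n, win=300_000, loss=60_000,
                    p_win=Fraction(1, 2), rho=Fraction(0)):
    """Exact distribution {net result: probability} for n pooled bets.

    rho is an assumed common-shock weight (not from the post): with
    probability rho all n bets land on the same side; otherwise they
    are independent. rho=0 is the uncorrelated case in the text.
    """
    dist = {}
    for wins in range(n + 1):
        net = wins * win - (n - wins) * loss
        indep = comb(n, wins) * p_win**wins * (1 - p_win)**(n - wins)
        dist[net] = dist.get(net, 0) + (1 - rho) * indep
    dist[n * win] += rho * p_win            # all bets win together
    dist[-n * loss] += rho * (1 - p_win)    # all bets lose together
    return dist


def summarize(n, **kwargs):
    """Expected value, probability of a net loss, and of breaking even."""
    dist = pooled_outcomes(n, **kwargs)
    return {
        "expected": sum(net * p for net, p in dist.items()),
        "p_loss": sum(p for net, p in dist.items() if net < 0),
        "p_break_even": dist.get(0, Fraction(0)),
    }


if __name__ == "__main__":
    # Single manager, six uncorrelated managers, then two correlated cases.
    for n, rho in [(1, 0), (6, 0), (6, Fraction(1, 2)), (6, 1)]:
        s = summarize(n, rho=Fraction(rho))
        print(f"n={n} rho={float(rho):.1f} "
              f"E=${int(s['expected']):,} "
              f"P(loss)={float(s['p_loss']):.2%} "
              f"P(break even)={float(s['p_break_even']):.2%}")
```

With six independent bets a net loss requires all six to fail, since one win and five losses breaks even exactly; with fully correlated bets the expected value is unchanged but the chance of a loss returns to 50%.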

Reinsurance is actually a place that understands this far better than most. Since they explicitly model the risks of the insurance contracts, and the entire reason insurance works is risk pooling, they are far better equipped to handle the problem. Still, underwriters get paid their bonus based on their performance, one that likely won’t materialize if they are net negative for the year. So even here, you see a hesitation for the individuals to get into the (risk) pool.

### Conclusion

None of these are new insights or issues. All of them are simple combinations of a principal-agent issue and risk aversion. Still, in addition to reinforcing the ideas, they are worth thinking about when we have one person or group of people mitigate risks for others. The obvious places are in the corporate world, and in government, and if you look around, you’ll see that these dynamics are all common.


Note that there are a few more aspects to risk analysis that can be relevant:

1) Risk distribution. A lot of outcomes are correlated in various ways, and models which don't take this into account will sum the risks incorrectly. Ohio hurricane insurance tends to be safe most years, but all pays out at once when it hits. Laying off the risk earlier than a naive calculation would suggest is wise.

2) Threshold of Misery. At some point, bigger or more losses don't hurt any more. Paying to reinsure some of the risk, if you're going to be bankrupt anyway, is wasted (from the shareholder perspective; it's certainly kind to customers and may be required by regulators). If a manager will be fired for a $60K loss, they may as well take a $200K risk (if they have to take any risk at all, that is).

Absolutely true - they are slightly less related to principal-agent problems, but I can add stories illustrating these, because I have some good ones.

Re: Risk distribution, there's a great game that someone suggested to understand what 100 year floods look like, since people complain they happen every year. Get a room full of, say, 40 people, and give them each 2 dice. Tell them snake-eyes is a flood, then have everyone roll, and call out if there was a flood. Then roll and announce again. And again. Yes, many "years" will have no floods, but some will have 2 or even 3 - because the risk isn't highly correlated across areas.

Re: Threshold of misery, I knew an underwriter who said they would write New York City nuclear terrorism insurance whenever they had the chance, at basically any price. His reasoning? He lives and works in NYC, so if a nuclear bomb goes off, he's dead, and the fact that he lost money isn't what matters. Otherwise he collects premiums.

Good post. I like these examples, though I find the names you've given to each type to not be that evocative and I expect to struggle to remember them or explain them to others. For example, sleeping pills do something real. Perhaps you mean something like sugar (placebo) pills? Or antibiotics for a cold?

Sleeping pills is the right analogy: they are buying peace of mind, and actually truly getting the benefit of "less stress."

But sleeping pills aren't just about stress, they're very concretely about putting you to sleep which they do.

Yeah, I could see giving sleeping pills as a phenomenon a different name, but (while I am unsure,) in the industry I think the term is well known, so I'm sticking with it.

Still, I'm open to better suggestions, but sugar pill / placebo doesn't seem better, since it's much less clear as an analogy.

That's orthogonal to my comment.