Risk management is difficult, but even when it’s easy, companies and policymakers often do something other than optimal risk mitigation. This isn’t puzzling, once we realize that the incentives in place give the decisionmakers the leeway, or even positive incentives, to behave sub-optimally. There are three types that seem most relevant, along with a few (anonymized) stories from when I was working in reinsurance of how they play out in practice.
Occasionally, a small insurance company would purchase reinsurance for things that didn’t make business sense for their company. I might have seen a home insurance company in Ohio that had fifty million dollars in reserve, then would buy reinsurance for hurricanes that covered all losses greater than ten and less than twenty five million dollars. Yes, there are hurricanes that impact Ohio, such as Xenia in 1974 and Ike in 2008, but they weren’t large enough to even hit the minimum for this type of policy. Not only that, but the company had money in reserves to cover this incredibly unlikely loss, and buying reinsurance isn't cheap. Let’s say that between brokers, transaction costs, and everything else, it cost them a hundred thousand dollars to cover an expected loss of ten thousand dollars.
Noticing this, I asked why they wanted this policy. My boss told me it was a sleeping pill. He explained that the CEO of the insurance company would get really nervous and unhappy every time a hurricane was approaching the US, and decided this CEO didn’t want to worry anymore. That isn’t unreasonable - most people who buy travel insurance to cover their $1,000 vacation could just accept the risk, but they prefer not to worry.
In general, buying risk mitigation isn’t worth the cost in expected value terms, but they are worthwhile because they can buy off the worry. In this case, it’s less innocuous, since the CEO was using company money to buy what amounted to personal sleeping pills. It happens because the CEO won’t ever be blamed for hedging the risk, and it cost the company a hundred thousand dollars per year, which was not enough for shareholders to notice.
Once, we received a request from a client to train them in using the terrorism risk model they licensed. That’s not unusual, but they said that they wanted us to first come and install the software, then do a half day training. This seemed weird, since they had been licensing the software for several years, and we assumed they would have already installed it. They hadn’t.
The software licenses weren’t cheap - I don’t remember the client or the amount, but it was easily a six-figure sum every year. Why did they pay if they didn’t even use the model? It was what Bruce Schnier calls “Security Theater,” referring to acts that do nothing to change the risk, but look good. In this case, they wanted to tell their shareholders in their annual report that they had a model for assessing their terrorism risk, and six-figures was cheap to be able to put on the show of risk-management and mitigation for their shareholders. In this case, they didn’t even need to put on a show - just waving the tickets they bought was enough. They paid money not to mitigate risk, but simply to make it look like they did.
Staying Out of the Pool
There’s another phenomenon where managers don’t want to take risks that are good for the company but risky for their division - and their careers. The typical version is explained in a 1966 article in Harvard Business Review, "Utility theory, insights into risk taking." They asked managers if they’d take a 50-50 chance on a project that would either make $300,000, or lose $60,000, and the managers mostly said no.
The reason this is a bad decision is that even if the company prefers to avoid large risks, the company should want middle-managers to be taking smaller risks. They want small risks because there are lots of them, and in aggregate - by pooling the risks - the company is far better off having managers take them. For a single bet, the expected return is $120,000, but there’s a 50% chance of not only not coming out even, but actually losing money. If 6 managers took similar (uncorrelated) bets, the expected value is six times as large - it scales linearly - but the probability of losing money in that case is , or under 2%.
Reinsurance is actually a place that understands this far better than most. Since they explicitly model the risks of the insurance contracts, and the entire reason insurance works is risk pooling, they are far better equipped to handle the problem. Still, underwriters get paid their bonus based on their performance, one that likely won’t materialize if they are net negative for the year. So even here, you see a hesitation for the individuals to get into the (risk) pool.
None of these are new insights or issues. All of them are simple combinations of a principal-agent issue and risk aversion. Still, in addition to reinforcing the ideas, they are worth thinking about when we have one person or group of people mitigate risks for others. The obvious places are in the corporate world, and in government, and if you look around, you’ll see that these dynamics are all common.