The Eightfold Path for Enterprise Risk Management


Enterprise Risk Management (ERM) practitioners often struggle with thematic challenges that cut across both industry and geography. These difficulties include:

  1. capturing all categories of risk with metrics that reflect an organization’s decision style and performance measurement methods;
  2. avoiding the trap of being perceived as bureaucracy or as redundant;
  3. informing critical strategic considerations for the investment of capital and resources in the various lines of business;
  4. ensuring that ERM is part of the fabric of the business and not a parallel process or afterthought; and
  5. articulating the targeted levels of risk exposure by risk category and line of business, and providing a method to accurately assess these levels.

To a large extent, meeting these hurdles depends on finding a “flavor” of ERM which aligns with business goals, assesses key risks with the right metrics, and leverages effective processes already in use at the business unit level.

The following desired attributes for an ERM program will guide our approach:

  1. ERM frameworks must capture all risk categories and assess them in a manner that resonates with key decision makers.
  2. Risk management processes should leverage existing, effective business processes and minimize overlap.
  3. ERM should guide future capital allocation decisions across business lines or products.
  4. An effective framework should provide risk-adjusted business valuations and performance measurements.
  5. Risk management should be embedded in operations, tactics and strategy.
  6. ERM should include the management of “upside” risks and drive the achievement of business objectives.
  7. ERM should articulate and operationalize risk tolerances relating to risk categories and specific levels of exposure at the business unit and enterprise levels.
  8. A risk management framework should be able to adapt to new technology, changing markets and new ways of doing business. A robust framework should include learning mechanisms and account for the “meta-risk” of cognitive biases among SMEs and risk managers.

The Eightfold Path
Buddhism famously offers a means to end suffering through the Noble Eightfold Path. It is said of these eight precepts that action matters more than intellectual knowledge, but that the path must be properly understood before it can be applied correctly.

In this spirit, we describe eight key objectives, which help realize the attributes of the prior section. As in the Eightfold Path, we emphasize real-world implementation over academic or “pie in the sky” notions.

1. Develop a framework to illuminate the risk profile of the organization in an accurate and comprehensive manner.

As many ERM practitioners have long argued, risk management should focus on risks to objectives, whether they are avoidance of adverse outcomes or ensuring business performance. The new COSO release echoes this sentiment and it is indeed a logical one. If there are challenges and uncertainties relating to the desired future state of an organization, it is ERM’s role to help reveal that risk profile, the associated mitigations, and any variable factors which strongly influence performance. Often a change of culture, driven by vocal C-suite endorsement, is needed for such a view of ERM to become part of the “organizational intelligence.”

Once the idea of management of both upside and downside is accepted, the next hurdle is to make sure the assessment of risk across the organization is comprehensive, for those risk instances and risk categories which “move the needle” or may inhibit the attainment of business objectives.

The construction of a comprehensive risk inventory is often aided by proper design of a risk taxonomy with perhaps four to six mutually exclusive, collectively exhaustive broad risk categories, with various drill-down sub-categories within each bucket. The taxonomy can prompt SMEs to consider and identify the specific instances of each category/sub-category most relevant to the company.

To make sure all critical risks are captured and assessed in the proper manner, it is necessary to get buy-in and input from SMEs regarding the identified risks, quantification, and mitigation assessments. SMEs should provide inputs to enable the risk function to model risk scenarios or distributions and should be asked to sign off on the resulting model output.

2. Ensure that duplication of existing processes is minimized, that the partnership between lines of business (LOBs) and the ERM function is mutually beneficial, and the metrics and methods of the LOBs are leveraged to the company’s benefit.

Subject matter experts and first line of defense members do not necessarily have risk management in their formal job descriptions. We must be sensitive to their time, and above all, strive not to waste it with redundant processes and tools. If a particular business line has an approach that can potentially be expanded to the enterprise to the benefit of the ERM program, it is important to capitalize on this opportunity.

LOBs will often have their own customized, detailed analysis of which a subset can be mapped or “translated” into risk exposure, risk response, and messaging information at the enterprise level. If the LOBs represent a daunting mix of businesses, services and jargon, it is still likely that a common financial language already exists. In a for-profit company this includes earnings and long-term franchise value. In nonprofits it might include endowment size, measures for charitable goals or metrics for beneficiary satisfaction.

However, some ERM ideas or processes will occasionally need to overlap with the more granular methods at the LOB level. We must do our best to explain the need for a consistent approach in order to develop a portfolio view for management and the board.

3. For a risk metric and reward metric of interest, construct an efficient frontier of business mixes that shows the optimal allocation across LOBs for each given level of risk.

This objective is only practical for the quantitatively advanced organization which can produce stochastic distributions of a reward metric (e.g. earnings), dynamically linked with a risk metric, at each of its LOBs.

Given an enterprise model which simulates stochastic results as a function of an arbitrary allocation across LOBs, the critical question is then: For a fixed, specific level of risk (e.g., first percentile of earnings being $X, possibly negative), what allocation to the LOBs produces the highest mean level of earnings?

This can be considered a form of enterprise risk-reward optimization (ERRO). The general situation is that we wish to find the optimal allocation of some resource (e.g., invested assets or capital levels) that maximizes the reward metric for a given level of risk. Of course, both the reward metric (e.g., median EBITDA) and the risk metric (e.g., fifth percentile CTE, or conditional tail expectation, of EBITDA) can be defined in many ways, and each combination may lead to a different optimal allocation.
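As an added illustration (not the article's own model or its author's), the following Python sketch performs the enterprise risk-reward optimization just described by grid search. The three LOBs, their per-dollar earnings means, volatilities, correlation matrix and the capital figure are all constructed assumptions; the reward metric is mean earnings and the risk metric is the first percentile of earnings, as in the text. The `cholesky`, `simulate_lob_returns`, `candidate_weights` and `efficient_frontier` helpers are hypothetical names introduced for the example.

```python
# Added illustration: grid-search enterprise risk-reward optimization (ERRO)
# over three constructed lines of business. Standard library only, so it runs
# offline; every parameter below is invented for the example, not company data.
import math
import random
from itertools import product

# Constructed per-dollar earnings assumptions for each LOB (hypothetical).
LOB_NAMES = ["Retail", "Commercial", "Specialty"]
MEAN = [0.06, 0.09, 0.14]    # expected earnings per $1 of capital allocated
STDEV = [0.05, 0.12, 0.30]   # volatility of earnings per $1 allocated
CORR = [                     # correlation between LOB earnings (constructed)
    [1.0, 0.3, 0.1],
    [0.3, 1.0, 0.2],
    [0.1, 0.2, 1.0],
]
CAPITAL = 1000.0             # the resource being allocated across the LOBs


def cholesky(matrix):
    """Lower-triangular factor L with L * L^T = matrix (used to correlate draws)."""
    n = len(matrix)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                low[i][j] = math.sqrt(matrix[i][i] - s)
            else:
                low[i][j] = (matrix[i][j] - s) / low[j][j]
    return low


def simulate_lob_returns(n_sims, seed=7):
    """n_sims joint draws of per-dollar earnings, one value per LOB per draw."""
    rng = random.Random(seed)
    low = cholesky(CORR)
    n = len(MEAN)
    draws = []
    for _ in range(n_sims):
        z = [rng.gauss(0.0, 1.0) for _ in range(n)]
        corr_z = [sum(low[i][k] * z[k] for k in range(n)) for i in range(n)]
        draws.append([MEAN[i] + STDEV[i] * corr_z[i] for i in range(n)])
    return draws


def portfolio_earnings(weights, draws):
    """Enterprise earnings for each draw given an allocation (weights sum to 1)."""
    return [CAPITAL * sum(w * r for w, r in zip(weights, row)) for row in draws]


def percentile(values, pct):
    """Empirical percentile (nearest-rank style) of a list of numbers."""
    ordered = sorted(values)
    idx = int(pct / 100.0 * (len(ordered) - 1))
    return ordered[idx]


def mean(values):
    return sum(values) / len(values)


def candidate_weights(n_lobs, step=0.1):
    """Every allocation on a simplex grid: non-negative weights summing to 1."""
    k = int(round(1.0 / step))
    for combo in product(range(k + 1), repeat=n_lobs - 1):
        if sum(combo) <= k:
            yield tuple(c / k for c in combo) + ((k - sum(combo)) / k,)


def efficient_frontier(draws, risk_floors, risk_pct=1.0):
    """For each risk floor (lowest acceptable risk_pct-percentile of earnings),
    pick the grid allocation with the highest mean earnings that still meets
    the floor. Returns (floor, weights, mean_earnings, risk_value) per floor,
    with None entries when no grid allocation satisfies the floor."""
    evaluated = []
    for w in candidate_weights(len(MEAN)):
        earnings = portfolio_earnings(w, draws)
        evaluated.append((w, mean(earnings), percentile(earnings, risk_pct)))
    frontier = []
    for floor in risk_floors:
        feasible = [t for t in evaluated if t[2] >= floor]
        if not feasible:
            frontier.append((floor, None, None, None))
            continue
        w, m, r = max(feasible, key=lambda t: t[1])
        frontier.append((floor, w, m, r))
    return frontier


if __name__ == "__main__":
    sims = simulate_lob_returns(4000)
    for floor, w, m, r in efficient_frontier(sims, [-400, -250, -150, -100]):
        if w is None:
            print(f"1st pct >= {floor:>6}: no feasible allocation on the grid")
        else:
            alloc = ", ".join(f"{n} {x:.0%}" for n, x in zip(LOB_NAMES, w))
            print(f"1st pct >= {floor:>6}: mean {m:7.1f}, 1st pct {r:7.1f} [{alloc}]")
```

Each row of the output is one point on the frontier: as the floor on first-percentile earnings is raised, the feasible set shrinks and the best attainable mean can only fall, which is the trade-off the text describes. A real ERRO would replace the coarse grid with an optimizer and the normal draws with the enterprise model's own distributions, but the structure (simulate, evaluate risk and reward per allocation, select the best allocation per risk level) is the same.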

4. Enable risk-reward based valuation, and risk-adjusted hurdle rates or spreads of business lines.

As in the previous objective, this is feasible for the quantitatively advanced organization with stochastic earnings distributions for its LOBs. For a particular business, one simulates many years (e.g., 20 to 30) of earnings or free cash flows, and takes the present value (PV) of this earnings stream, at a discount rate equal to, for example, a risk-free rate or weighted average cost of capital. This is repeated for many simulations (e.g., 10,000) and the average of the PVs across all the simulations is regarded as a valuation of the business, V.

With the help of finance and subject matter experts, we then form a fixed, best estimate multi-year earnings forecast for the business unit under consideration (extending the financial plan to the model time horizon). We then determine the discount rate, d, that equates the present value of the stream of projected earnings in this best estimate forecast to the valuation of the business, V. This discount rate can be viewed as a risk-adjusted hurdle rate for the business.
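As an added worked example (not the article's own model or its author's), here is the procedure above in Python: simulate many multi-year cash-flow paths for a constructed business, average their present values at a chosen discount rate to obtain V, then solve for the discount rate d at which the PV of a fixed best-estimate forecast equals V. The cash-flow model, its parameters (including a tail event that the plan omits), the function names and the bisection solver are all assumptions of the example.

```python
# Added illustration: Monte Carlo valuation of a single business and the
# implied risk-adjusted hurdle rate. Cash-flow dynamics and all parameters
# are constructed for the example, not the article's or any company's model.
import random


def simulate_cash_flows(cf0, growth, sigma, shock_prob, shock_loss, years, rng):
    """One stochastic path of annual free cash flow. Growth carries normal
    noise, and each year with probability shock_prob a tail event removes a
    fraction shock_loss of that year's cash flow: the kind of downside a
    best-estimate plan usually does not embed (hypothetical model)."""
    cf, path = cf0, []
    for _ in range(years):
        cf *= max(0.0, 1.0 + growth + sigma * rng.gauss(0.0, 1.0))
        if rng.random() < shock_prob:
            cf *= 1.0 - shock_loss
        path.append(cf)
    return path


def present_value(cash_flows, rate):
    """PV of year-end cash flows discounted at a flat annual rate."""
    return sum(cf / (1.0 + rate) ** (t + 1) for t, cf in enumerate(cash_flows))


def monte_carlo_valuation(cf0, growth, sigma, shock_prob, shock_loss,
                          years, rate, n_sims, seed=11):
    """V = average over simulations of PV(path, rate), where rate is e.g. a
    risk-free rate or WACC, as the text describes."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n_sims):
        path = simulate_cash_flows(cf0, growth, sigma, shock_prob, shock_loss, years, rng)
        total += present_value(path, rate)
    return total / n_sims


def best_estimate_forecast(cf0, growth, years):
    """Deterministic plan: cash flow compounds at the planned growth rate."""
    return [cf0 * (1.0 + growth) ** (t + 1) for t in range(years)]


def implied_hurdle_rate(forecast, target_value, lo=-0.99, hi=5.0, tol=1e-10):
    """Solve PV(forecast, d) == target_value for d by bisection. PV falls as
    d rises for positive cash flows, so the root is bracketed by (lo, hi)."""
    f_lo = present_value(forecast, lo) - target_value
    f_hi = present_value(forecast, hi) - target_value
    if f_lo * f_hi > 0:
        raise ValueError("target value not bracketed by the search interval")
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if present_value(forecast, mid) > target_value:
            lo = mid      # PV still too high: discount harder
        else:
            hi = mid
        if hi - lo < tol:
            break
    return 0.5 * (lo + hi)


def run_example():
    """Value a constructed business, then back out its risk-adjusted hurdle rate."""
    params = dict(cf0=100.0, growth=0.04, sigma=0.15, shock_prob=0.05,
                  shock_loss=0.5, years=25)
    rate = 0.08                                  # discount rate used to form V
    value = monte_carlo_valuation(rate=rate, n_sims=5000, **params)
    plan = best_estimate_forecast(params["cf0"], params["growth"], params["years"])
    hurdle = implied_hurdle_rate(plan, value)
    return {"V": value, "pv_plan_at_rate": present_value(plan, rate),
            "rate": rate, "hurdle": hurdle}


if __name__ == "__main__":
    out = run_example()
    print(f"V = {out['V']:.1f}  (plan PV at {out['rate']:.1%} = {out['pv_plan_at_rate']:.1f})")
    print(f"risk-adjusted hurdle rate d = {out['hurdle']:.2%}")
```

The tail-event term is what makes d differ from the rate used to form V: when the best-estimate plan omits downside that the stochastic model includes, PV(plan, r) exceeds V and the implied d lands above r. With sigma and the shock probability set to zero the two rates coincide, which is a useful sanity check to run before trusting the model on real numbers.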

5. Embed ERM in daily decisions, strategic planning and capital allocation.

An atmosphere of intellectual honesty is necessary to truly make ERM part of the business decision process. This honesty extends to the members of the ERM team, and one area where it is of particular importance is quantitative modeling. Two financial modeling experts, Emanuel Derman and Paul Wilmott, described a Financial Modelers’ Manifesto and stated, “Our experience in the financial arena has taught us to be very humble in applying mathematics…and to be extremely wary of ambitious theories, which are in the end trying to model human behavior. We like simplicity, but we like to remember that it is our models that are simple, not the world.”

A powerful technique for strategic risk management makes use of the logical framework approach (LFA) for both risk identification and management of the execution of business objectives. LFA carefully links a high-level goal or outcome to smaller sub-projects, to the key assumptions that must hold for individual tasks to succeed, and to the presumption that the tasks “add up” to the ultimate goal. Looking at risks to those assumptions and at strategic execution risks for the sub-projects is an effective way to identify threats, challenges, and factors around strategic execution. When ERM begins with the strategy discussion there is a much greater chance of positive reception.

An approach to define economic capital and find the allocation that maximizes return on economic capital can be used at those companies with advanced modeling capability. In addition, if actual return on economic capital can be calculated for a specific business over the prior year, this can be used as a foundation for linking compensation to risk-adjusted returns.

6. Make growth in stock price and strategic risk management central themes of ERM.

ERM must include robust management of downside or adverse events and exposures including hazard, legal, regulatory, operational and reputation; however, this requirement does not preclude it from contributing to “upside management” in the spirit of the recent update to COSO’s framework.

A risk manager might begin by identifying the objectives and factors that most affect stock price (or internal valuation), and then consider which uncertainties threaten attainment of those goals or “move” those factors.

7. Establish a comprehensive risk appetite and limit system, with monitoring, reporting and remediation protocols.

It is often the case that failed attempts to develop risk appetite and limit frameworks provide strong evidence that “perfect is the enemy of good.” Many risk managers have been stopped in their tracks by an unrealistic hope for a fully quantitative approach that mathematically links all enterprise statements to line-level limits.

Combining qualitative and quantitative methods, and using both bottom-up and top-down approaches, may represent the best chance for success. To ensure buy-in and pragmatic values for limits, an analysis of historical exposure levels and strategic decisions should inform initial calibration efforts.

8. Make ERM a nimble, continuous process that recognizes cognitive biases and builds in learning mechanisms to enable evolution and adaptation.

This goal includes regular review of the ERM processes, risk manifestation, mitigation performance and post-mortems of business events which have significant impact, on the upside or downside.

In assessing risk exposures, methods should be implemented to raise awareness of cognitive bias and reduce its presence. Drawing on decades of research in psychology that resulted in a Nobel Prize in Economic Sciences, Daniel Kahneman delves into cognitive bias in Thinking, Fast and Slow.

The framework must honestly assess its own gaps and strive to address them continuously. From time to time it may be necessary to modify or strengthen risk or mitigation assessment methods or revise risk appetite or limits.

The Way Forward
It is difficult to achieve effective ERM, let alone enable clear contributions to company value, without the essential foundations of a healthy risk culture and vocal ERM support from management.

The way forward may be different for various companies but it is likely that emerging risk sensing is an important element of the successful framework and will be a critical tool to stay on top of the constantly evolving risk landscape, whether the key risks are cyberthreats, disruptive technologies, political uncertainty or global shifts in climate or business practices.

The Greek philosopher Heraclitus said “change is the only constant in life.” This is certainly true for risk and reward as well. There will soon be a time when yet another vision of ERM must be proposed.

Realistically, we cannot hope to reach an ideal state for ERM. The true reward of such a pursuit is ERM’s increased value to the company and the advancement of the discipline itself.

Damon Levine

About the Author

Damon Levine, CFA, ARM, CRCMP, is director, enterprise risk consulting at Focal Point Data Risk in New York.
