10 Common ERM Challenges

Jim Negus


March 1, 2010

Very few organizations find enterprise risk management implementation easy--it requires a rare combination of organizational consensus, strong executive management and an appreciation for various program sensitivities. Despite the effort required, however, ERM is worth it because it forces most organizations to step back and identify their risks, which is one of the first steps to protecting capital and driving shareholder value. As boards and executive management evaluate ERM, however, they usually come away with more questions than answers. While each company faces specific concerns, the more challenging ERM issues are generally consistent across companies and are largely unrelated to industry, geography, regulation or competitive landscapes. By examining some of these common ERM challenges, as well as the creative solutions that have been applied by other organizations, management will be better equipped to develop and revamp their own enterprise risk management programs.

1. Assessing ERM's Value

The issue: In an economy driven by positive return on investment, organizations often struggle to demonstrate sufficient ERM value to justify implementation costs. While traditional investment decisions are evaluated using common risk and reward metrics such as return on equity (ROE), return on assets (ROA) and risk adjusted return on capital (RAROC), ERM value drivers are less prescriptive. Despite growing guidance, ERM remains largely voluntary, resulting in a value proposition void of compliance language and regulatory encouragement.

Potential solution: Many organizations establish ERM value, risks and costs using a traditional business case. The typical business case looks at ERM value in four categories.

The first is shareholder value added, such as equity premium driven by positive public perception, an improved credit rating or risk score, and the integration of risk results with operations. Next is avoided risk, such as reduced volatility through hedging or insurance products and reduced risk through incremental controls. Another category is hard dollar savings such as risk infrastructure and process consolidation, reduced insurance and costs, and reduced regulatory capital requirements. Finally, other qualitative benefits can include improved risk transparency and awareness, improved risk management coordination and accountability, improved risk and financial statement metrics, and the elimination of siloed risk management activities.

After evaluating a program's potential value, many companies then look at ERM implementation costs and risks. While most companies manage risk as a matter of standard business practice, ERM programs typically involve enhanced risk assessment processes, risk and business integration, and governance concerns. These activities may require new resources, technologies, policies and process enhancements--all of which assume varying degrees of capital expenditures.

As an alternative to the business case, management may implement ERM on a pilot basis or as an ERM "lite" program. This program typically involves a prominent business unit with large financial risk and a business unit with higher nonfinancial exposures such as strategic, reputation or operational risk.

2. Privilege

The issue: An ERM program allows management to quantify the company's risks. As risk information becomes increasingly event-driven and dollar-based, company lawyers may raise issues regarding risk distribution to external regulators, auditors and constituents. Organizations must balance risk visibility and legal exposure.

Potential solution: The easiest way to provide risk insight while protecting sensitive information is to gather and report risk data according to broad categories without providing specifics regarding contracts, legal cases, projects, events, counterparties and products. Alternatively, risk information (e.g., severity) may be documented in qualitative terms with no link to specific dollars or dollar ranges. While the more conservative approach is more commonly applied by companies, the industry appears to be moving towards greater risk transparency.

Companies with a more liberal approach typically manage data sensitivity issues using several techniques. For example, companies can conduct all risk assessment activities under legal supervision, with the objective of making the output privileged.

Alternative ERM risk assessment approaches where privilege is not available or where the company does not wish to involve counsel include producing multiple risk reports and distributing them according to business need (e.g., provide a detailed version to the board and small executive team and a broader report to a larger distribution) and relying on "confidential" and "for internal use only" protections.

3. Defining Risk

The issue: One of the biggest challenges is establishing a consistent and commonly applied risk nomenclature. Any inconsistencies between risk definitions or methodologies are likely to jeopardize the program's success.

Potential solution: Establishing a formal risk management framework and common risk nomenclature can be accomplished through working groups comprised of at least one representative from each significant business unit and shared service function. The most critical goal of the group is to establish the definition of risk itself. While each risk category may be distinct, the definition of risk must be consistent and supported by clear guidance. The group must also create a risk inventory and supporting risk taxonomy to further define and rank all the risks faced by the organization.

4. Risk Assessment Method

The issue: Enterprise risk assessments are performed using a variety of approaches and tools, including surveys, interviews and historical analysis. Each approach offers its own value and drawbacks that must be closely reviewed to determine organizational suitability.

Potential solution: The risk assessment method employed is largely based on the number of respondents surveyed, corporate culture and--perhaps most relevant--organizational familiarity with risk management. Face-to-face assessments are helpful as they facilitate risk management education and guidance, encourage discussion and allow for data collection. Conversely, automated tools can be applied by organizations with broad risk management knowledge or a predisposition for technology-based tools.

In addition, the risk assessment method is generally tailored to the audience. For example, many organizations administer executive risk assessments using a group interview session and apply individual techniques to management or technical personnel.

5. Qualitative Versus Quantitative

The issue: A key decision for many organizations is whether risks are assessed using qualitative or quantitative metrics. The decision is generally driven by the organization's industry, commitment to ERM, its view regarding privilege and overall cost.

The qualitative method provides management with general indicators rather than specific risk scores. Qualitative results are commonly presented as red, yellow and green light, or high, medium and low risks. Qualitative assessments may be open to interpretation, guided by descriptors (e.g., assess red light or high risk where the exposure represents a catastrophic exposure) or framed using broad dollar ranges (e.g., a green light indicates an exposure less than $10 million).

Qualitative risk assessments are frequently favored because they require less sophisticated risk aggregation methods, mathematical support and user training, which means lower implementation costs. Conversely, qualitative results are commonly criticized for their limited alignment with key financial statement and budgetary indicators. Additionally, some critics suggest qualitative results are generally more difficult to interpret, which limits management's ability to assign accountability and remediate.

Potential solution: While companies predominantly apply the qualitative risk assessment approach, the industry appears to be shifting towards quantitative risk measurement. Companies that transition to the quantitative method typically do so using a phased approach and will apply narrow risk ranges that expand the risk severity scale from three categories (e.g., high, medium and low) to five or more (e.g., very high, high, moderate, low and very low) and adjust narrative or dollar ranges accordingly. Frequently, they will also use a separate risk severity scale for financial risks and nonfinancial risks such as strategic or reputational exposures.

6. Time Horizon

The issue: The time horizon of ERM risk assessment is largely based on the organization's intent to use ERM risk results and its willingness to invest in risk management.

Many companies use ERM results for quarterly or year-end planning, while more sophisticated companies integrate ERM results into annual budgeting and longer-term strategic planning processes.

The shorter-term time horizon (less than 12 months) is generally preferred as it requires less user training, provides increased risk estimation accuracy and is generally less expensive than the longer-term alternative. The longer-term solution is applied where management values risk visibility beyond the annual financial reporting period and additional time to remediate. Regardless of the approach, the risk assessment time horizon must be consistent with intended ERM program objectives.

Potential solution: Despite its ease, companies appear to be shifting from the short-term risk assessment to a longer-term or hybrid solution. Additionally, companies are increasingly utilizing a rolling time horizon (e.g., 12-18 months) to mitigate annual assessment limitations--namely reduced risk visibility and time to mitigate as the year progresses (e.g., the fourth quarter risk assessment covers three months of remaining risk).

7. Multiple Potential Scenarios

The issue: Consider the following scenario: The ERM team asks a respondent to assess the likelihood of counterparty default and its subsequent loss impact during the current fiscal year. The respondent determines that there is a 100% probability of at least one counterparty default with a low financial impact over the defined time horizon (high probability/low impact event). There is also a 5% probability of at least one counterparty default with a significant financial impact (low probability/high impact event) and several default scenarios with varying loss severity estimates (moderate probability/moderate impact).

This situation highlights an issue associated with basic risk assessment methods: most risks have multiple event likelihoods and risk severities.

Potential solution: There are two common approaches to the problem. Under the most basic approach, respondents provide a loss severity based on their best estimates. For example, the organization recognizes a significant investment loss four times per year. The respondent then estimates severity considering all four potential loss events, portfolio sizes, historical loss records and the company's investment stress test results. If the respondent estimates $100,000 in loss severity, it roughly equates to $25,000 per loss event.

The more advanced method requires the respondent to identify a distinct loss severity for all potential events and calculate a mathematical average. To minimize computational requirements, companies often limit the number of likelihood scenarios and potential outcomes (e.g., unlikely, moderately likely, likely, very likely, probable).

The decision to pursue a basic or more complex method is largely based on an organization's familiarity with probability and loss concepts, the risk assessment method employed (e.g., in person or technology-based) and the level of sophistication supporting risk tolerance definition.

8. ERM Ownership

The issue: The question regarding who should "own" ERM is often unclear and commonly disputed at the board, audit committee and management levels.

Potential solution: In most programs, risk is primarily owned by line management with oversight from independent risk, compliance and management oversight functions. The broader question regarding ERM program ownership is less decisive and largely based on board and audit committee accountability, established risk management function and infrastructure, and corporate risk philosophy.

While there is no one single industry practice with respect to organization structure, ERM administration should generally be held by risk management followed by internal audit, finance/treasury, legal and various supporting departments (e.g., compliance, strategic planning).

9. Risk Reporting

The issue: Organizations often struggle with two risk reporting issues: 1) what information should be shared with various internal and external constituents, and 2) how risk should be communicated.

Potential solution: Most organizations have multiple risk owners with varying accountabilities and needs. As such, leading companies establish risk packages commensurate with recipient responsibilities and specified delegation of authorities. Common risk packages are created for the board/audit committee, management risk oversight committee, business unit leaders and line management. Reports are typically generated from a common risk database and taxonomy where information varies based on recipient accountability, risk type and organizational impact.

Board reports, for example, typically present risks that exceed a defined threshold, describe high value strategic, emerging and unquantified exposures, and exclude superfluous information. Business unit and line reports, on the other hand, may illustrate mid-level exposures, tactical risks and transactional compliance data.

The external reporting issue is often less challenging. Public organizations are often required to share certain risk information through financial statements, annual meetings, quarterly earnings announcements, public presentations and various regulatory responses. While external reporting requirements are fairly prescriptive, organizations attempt to use ERM results to formulate or support risk assertions.

Barring prescriptive external reporting requirements, organizations vary with respect to internal risk reporting format. To the extent an organization applies dollar-based results, management generally selects one of three format options: expected loss, loss severity or a combination. Loss severity is typically applied by companies that prefer to view maximum potential loss unadjusted for probability of occurrence. Opponents suggest loss severity overstates required risk remediation activities and related capital. As a compromise, many organizations report a combination of risk results and designate one primary metric to allocate capital (usually expected loss).
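As an added illustration of the basic and advanced assessment methods from section 7 and the expected-loss versus loss-severity reporting choice described in this section (example code, not from the article or its author): the likelihood-to-probability mapping and the dollar ceilings of the five-level severity scale are assumptions, and the counterparty-default scenarios are constructed.

```python
from dataclasses import dataclass

# Assumption: the article names these likelihood buckets but gives no numbers;
# the annual probabilities below are illustrative only.
LIKELIHOOD = {"unlikely": 0.05, "moderately likely": 0.25, "likely": 0.50,
              "very likely": 0.75, "probable": 1.00}

# Assumption: a five-level severity scale as described in section 5; the dollar
# ceilings are constructed, not the article's.
SEVERITY_SCALE = [(100_000, "very low"), (1_000_000, "low"),
                  (10_000_000, "moderate"), (50_000_000, "high"),
                  (float("inf"), "very high")]

@dataclass
class Scenario:
    name: str
    likelihood: str  # one of the LIKELIHOOD buckets
    loss: float      # respondent's loss estimate for this scenario, in dollars

def basic_per_event(total_loss, events_per_year):
    """Basic method: one overall severity estimate spread over expected events."""
    return total_loss / events_per_year

def expected_loss(scenarios):
    """Advanced method: probability-weighted average across distinct scenarios."""
    return sum(LIKELIHOOD[s.likelihood] * s.loss for s in scenarios)

def loss_severity(scenarios):
    """Maximum potential loss, unadjusted for probability of occurrence."""
    return max(s.loss for s in scenarios)

def rate(amount):
    """Map a dollar figure onto the five-level severity scale."""
    for ceiling, label in SEVERITY_SCALE:
        if amount < ceiling:
            return label

# Constructed counterparty-default scenarios modelled on the section 7 example:
# near-certain small losses, a moderate middle case, and a rare large loss.
COUNTERPARTY = [
    Scenario("routine small defaults", "probable", 200_000),
    Scenario("mid-size defaults", "moderately likely", 2_000_000),
    Scenario("major counterparty failure", "unlikely", 30_000_000),
]

if __name__ == "__main__":
    print("basic, $100,000 over 4 events:", basic_per_event(100_000, 4))
    print("expected loss:", expected_loss(COUNTERPARTY), rate(expected_loss(COUNTERPARTY)))
    print("loss severity:", loss_severity(COUNTERPARTY), rate(loss_severity(COUNTERPARTY)))
```

The same scenario set rates "moderate" on expected loss but "high" on loss severity, which is the gap between the two reporting formats that the compromise approach tries to bridge.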

10. Simulations and Stress Tests

The issue: Stress tests allow management to assess the degree that business operations may be negatively affected by prescribed events and gauge the organization's ability to respond. While the concept is intuitive, organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly infinite number of potential scenarios. Similarly, organizations frequently struggle to identify and predict unknown or unlikely risks (also known as black swans or game changers).

Potential solution: While there is no industry consensus regarding the number and type of simulations to perform, bank regulatory guidance requires financial institutions to stress test "base case" forecasts under "worst case" and other macroeconomic scenarios. While worst case is not specifically defined, examples suggest stress tests represent "extreme" scenarios rather than catastrophic events. In fact, most banks calculate value-at-risk and economic capital thresholds using a two (95% confidence) or three (99%) standard deviation test rather than a doomsday scenario.

Organizations typically address black swan events through periodic and highly targeted brainstorming sessions where these events are inventoried and reviewed to determine what management action will be required. The brainstorming session is typically limited to executives and performed during an off-site retreat or during a regularly scheduled leadership/risk oversight committee meeting.

Jim Negus is a principal in KPMG LLP's risk and compliance services group, and the ERM leader in the company's west region.