Enterprise Risk Management Challenges- Valutrics
Enterprise Risk Management (ERM) aims to manage multiple risk events that can occur simultaneously, with some being downside
risk events and others being upside risk events. In these cases, management needs to measure the net impact of all risk events combined.
Risk categories, for most companies, include financial risk, strategic risk, and operational risk. The definitions of these risk categories are as follows:
• Financial risk. Unexpected changes in external markets, prices, rates, and liquidity supply and demand.This includes market risk,credit risk,and liquidity risk.
• Strategic risk. Unexpected changes in key elements of strategy formulation or execution.
• Operational risk. Unexpected changes in elements related to operations, such as human resources, technology, processes, and disasters.
There is one additional risk category—insurance risk, which generally applies only to insurance companies. Insurance risk involves poor performance of the pricing, underwriting, reserving, or setting of required capital for insurance products. Including all risk categories is critical .
Key risks can reside in any of the risk categories. Ignoring a risk category, or not having a balanced focus among all risk categories, can expose the company to excessive risk and result in focusing limited risk mitigation resources on the wrong priorities.
Surprisingly, the vast majority of enterprise risk management programs focus all, or most, of their attention only on financial risks. The primary evidence of this imbalance is the lack of a sufficiently robust approach to quantifying strategic and operational risks. There are three main causes of this neglect:
1. Inability to quantify strategic and operational risks
2. Myth regarding importance of financial risks
3. Financial analyst bias
Inability to Quantify Strategic and Operational Risks
One basis for this imbalance is an inability to quantify strategic and operational risks. For financial risks, there is a large amount of objective market data to use in developing risk scenarios, which include quantitative impacts on financial results.However,forstrategic andoperationalrisks,which are heavilydependent on the specific makeup of the organization impacted, there is far less data available. In addition, popular quantification methods do not adequately support strategic and operational risks. The quantification methods either do not provide any quantification, or worse, they dramatically understate the severity of the risk.
Myth Regarding Importance of Financial Risks
A second source of the disproportional focus on financial risks is the belief that financial risks are the mostimportantrisks—that they are the majority of the risks that most threaten the organization. This is not supported by experience, and in fact, quite the opposite is true. Research studies consistently show that strategic and operational risks represent the majority of the key risks for a company and also comprise the biggest threats.
A research study published in December 2009, which I directed and coauthored, examinedthe distribution of risksby risk category. The analysis was based on the occurrence of negative events, related to public companies, appearing on the front page of the Wall Street Journal in 2006. Only 1 percent of such front-page news were financial risks, while approximately two-thirds (64 percent) were strategic risks and approximately one-third (35 percent) were operational risks.
Similar results are found in other industry research, confirming that the source of significant risk events for companies is, in decreasing order: strategic risk, operational risk, and financial risk. In an 18-year study by the
Corporate Executive Board Company shows the root causes for one-year market capitalization declines of 50 percent or more, involving the top 20 percent of the Fortune 1000. Approximately two-thirds (65 percent) were strategic, 20 percent were operational (including legal and compliance risks categorized as operational), and only 15 percent were financial. However, even the 15 percent may be overstated, because many if not all of the risks categorized as financial appear to be operational, specifically human resources-related (such as performance risk, which is management or staff not performing their function as expected).
Part of the myth that financial risks are the most important is based on an incorrect approach to risk categorization and definition; in confusing the source of a risk with its outcome, risks that are either in whole or in part strategic or operational risks are frequently miscategorized as exclusively financial risks. One example is the global financial crisis that began in the United States in 2007. There were multiple sources of risk that led to the financial crisis, many of which were not financial risks.
Financial Analyst Bias
A third cause of the lack of appropriate focus on nonfinancial risks is financial analyst bias.Most of those doing the modeling share a financial-centric mind-set. Their education is focused on financial risk. Their training and certification is in financial risk. Their experience is only with financial risk. Even the name and purview of their department may limit them to financial risk. In addition, their techniques cannot readily handle strategic and operational risks; their methods work best when there is a wealth of objective quantitative data available, which is not the case with strategic and operational risks.
The lack of sufficient inclusion of non-financial risks may be the result of one or a combination of the previously mentioned factors. Whatever the reason, this represents a dangerous flaw in most enterprise risk management activities . The importance of this cannot be overstated. These partially quantitative enterprise risk management programs fail to quantify the vast majority of the key risks in terms of their individual and collective contribution to the overall volatility of the organization, in terms of the key metrics.
These partially quantitative enterprise risk management models give the strong impression that they are not incomplete, causing management to erroneously rely on, and misinterpret, the information. This false impression is given by the level of precision implied by the data handed to management by the financial modelers (also known as financial analysts or simply modelers) of these flawed enterprise risk management models. The modelers routinely provide outputs from their models showing the volatility of key metrics, presented in a way that implies a high degree of accuracy; one example is showing the figure out to a large number of significant digits.
This problem is rampant in the financial services sector, where it is even more common to find this imbalance in the quantification of key risks. One example, from the banking sector, is the ‘‘Value-at-Risk’’ (VaR) metric. VaR is often defined as the maximum amount of capital that can be lost in a single day, within a given small predefined likelihood. Another example, at insurance companies, is the ‘‘economic capital’’ metric, which is the amount of capital needed on hand today to limit the probability of ruin, over a given time horizon, to within a given small predefined likelihood. In both of these examples, these numbers are commonly provided to management in number form that includes a large number of significant digits, implying a high level of accuracy (e.g., a number is shown as $35,455,809, rather than $35 million). In addition, these numbers are often provided without the proper disclaimers of incompleteness regarding overall firm volatility. This offers an incorrect representation to management, despite being quite unintentional, that this (financial-only) volatility represents the bulk, or even the totality, of the risk exposures about which management needs to be concerned.
This is alarming because of the dangerous nature of ignoring the majority of the key risks in the metrics, and particularly so because this is often occurring under the guise of an enterprise risk management program . . . yet the word enterprise seems ignored. However, what is even more shocking is that what the (usually) math-savvy modelers are doing violates a basic mathematical concept we all learned in elementary school—the rule of significant digits. See ‘‘Significant Digits.’’
Modelers in partially quantitative enterprise risk management activities are violating the rule of significant digits. They are omitting the impacts of strategic and operational risks from the enterprise risk management metrics, which purport to be holistic or all-inclusive, and then presenting these metrics with only the financial sources of risks included, and out to a high degree of significant digits. From the available research data, it seems clear that financial risks are certainly not the totality of the key risk exposure, and they are not even the majority of it. The research suggests that, on average, financial risks are likely to represent only a small percentage (at most, 15 percent) of the total volatility of the enterprise and that the strategic and operational risks account for the majority of the volatility. Therefore, if modelers are providing enterprise risk management metrics to management representing the total firm risk exposure but the metrics only include financial risk exposure, it is as if they are presenting the sum of two numbers to management:
Total enterprise risk exposure = (Risk exposure from financial risks)
– (Risk exposure from non-financialrisks)
where:
a) The risk exposure from financial risks is calculated out to a large number of significant digits, and
b) The risk exposure from non-financial risks is estimated as zero
In some financial services companies, rather than use zero, they estimate the non-financial risk exposure as an arbitrary percentage (e.g., 15 percent) of the financial risk exposure. This is almost as bad a practice, and certainly still violates the significant digits rule, because the large number of significant digits in the financial risk exposure number is masquerading as a highly accurate number worthy of our respect and attention. In fact, it is not that useful a number and should be afforded the level of disrespect that it deserves.
The only defense offered by these modelers as to why they do not attempt to quantify strategic and operational risks is related to the first reason stated earlier—an inability to quantify. However, they verbalize their argument a bit differently, saying that ‘‘you can’t quantify strategic and operational risks with accuracy.’’What they mean,of course, is that it is not possible to quantify these risks with the same level of accuracy as financial risks. And that may be true, but that doesn’t justify not estimating them at all, considering they represent the larger component, which, as shown earlier, is an egregious alternative that violates the business purpose of the enterprise risk management metric in question.
Key Risk Focus
Enterprise risk management is not intended to include a comprehensive list of potential risks, which could range in the hundreds or thousands. Enterprise risk management is strategic in nature and is focused on a relatively small list of risks that have the largest potential impact to the firm. For a company’s first time through the enterprise risk management process cycle, a reasonable number of key risks may be in the range of 10 to 30. Approximately 10 risks might be appropriate for a pilot exercise, if management wants to build buy-in before implementation. However, 20 to 30 risks are needed to produce a robust set of results to rely on for decision making. The specific number of key risks that is appropriate for the enterprise depends on a proper categorization and definition of risks and also on finding an appropriate cut-off point during the qualitative risk assessment process.
However, the number of key risks does not depend on the size of the organization. In other words, just because one company is 10 times the size of another does not imply that it has 10 times the number of key risks. If the two companies are otherwise identical, they will have approximately the same number of key risks (the number of key risks may not be exactly the same, because, for example, the larger company may have more key risks related to reputational issues). This is because the number of key risks is merely a reasonable number of risks on which senior management can focus, at a given time, in a priority manner. It is based on people and their reasonable limits of focus. There is only one CEO, one board of directors, and one senior management team. The magnitude of the impact of the key risks will vary significantly by company size, but the number of key risks should not vary that much.
This is in stark contrast to the way many companies try to approach enterprise risk management. Many companies mistakenly believe that enterprise risk management is merely an extension of a Sarbanes-Oxley (SOX) exercise. The Sarbanes-Oxley Act passed in response to a wave of financial reporting scandals. In trying to comply with SOX, most companies created lists of every possible risk to financial reporting accuracy.
The list of risks often numbered in the hundreds or even thousands for the larger companies. Each risk was tracked against information on its mitigation, including assignment of a risk owner. SOX compliance became a quarterly routine of verification that the risks were adequately mitigated.
When enterprise risk management came along, many companies wrongly assumed it was similar to SOX, with which they were familiar, with the only difference being that enterprise risk management applied to all risks rather than just inaccurate financial reporting. Compounding this issue, some technology vendors reinforce this false notion by capitalizing on the software needs of maintaining an exhaustive list of every potential risk for every company process. Similarly, some audit firms further
Integrated across Risk Types
companies have traditionally managed each type of risk in isolation, rather than on an integrated basis: The information technology (IT) department deals with technology-related risks; the human resources (HR) department manages people-related risks; the investment department covers market and credit risk; and so on. Unfortunately, this ‘‘silo’’ approach to risk management has three disadvantages. Silo risk management is:
1. Incomplete
2. Inefficient
3. Internally inconsistent
Incomplete
The most dangerous weakness of silo risk management is that it provides an incomplete representation of the risk profile. Silo risk management does capture the most basic type of risk event—where one risk scenario occurs at a time. This provides the most fundamental picture of a given risk and how it can impact the enterprise. However, it is important to also measure the impact of multiple risks occurring at the same time. There are three reasons why limiting risk measurement to silo risk scenarios is incomplete:
1. Ignores real-world complexity. It is unrealistic for only one risk event to occur at a time. This may be true for worst-case scenarios, where each one is so unlikely to occur. However, many risks considered in an enterprise risk management program are of moderate likelihood. For only a single moderate risk scenario to occur at a time is like having everything happen precisely as you expect for every aspect of your business, except one. For example, your product strategy, your distribution strategy, your marketing strategy, your human resources plan, and so forth all go perfectly . . . except your technology update program is a little behind schedule. Reality involves far more uncertainty than that.
2. Omits the largest threats. Multiple risk events occurring simultaneously can result in some of the largest threats to a company’s survival.
After the first event, the enterprise is in a weakened state, increasing the likelihood of some secondary events occurring. In addition, risks can interact to exacerbate each other. A research study performed by Deloitte
Research called ‘‘Disarming the Value Killers: A Risk Management Study’’ revealed that over 80 percent of the 100 largest losses in shareholder value (over the 10-year study period, 1994–2003) were the result of two or more risks interacting.
This is also intuitive. Consider competitive boxers in the heavyweight division. They are often said to be able to ‘‘take a punch,’’ which means a competitor can land a single solid blow to their chin and yet they can stay on their feet. But what can result in a knockout? It’s usually a combination punch. This is a barrage of multiple blows occurring in rapid succession.
Also consider people you may have known or heard about whose lives suddenly went into a downward spiral. Often it is not just one unlucky event that caused their downfall, but rather two or more shocks to the system that sends them reeling. It’s the same for organizations. So, if you are not capturing multiple simultaneous risk events, then you may be missing something that could potentially ruin the firm.
3. Does not capture offsetting risks. Multiple risk events can offset each other. Our definition of risk includes both downside and upside risk events, so one event can offset the financial impact of another. For example, consider that one downside risk event lowers sales growth by some amount, but another upside risk event occurs that increases sales growth by an equal, and offsetting, amount. This seems fairly straightforward.
What may be surprising is that even two downside risk events can offset each other, to some degree. For an example, see ‘‘Downside Risk Events Can Partially Offset Each Other.’’
Inefficient
Silo risk management results in various inefficiencies. The most important of these inefficiencies are:
• Overpaying. The lack of awareness and coordination often present in silo risk management can result in the separate purchasing of hedges for related risk exposures in multiple parts of the company. This can increase the overall cost of mitigation, as opposed to that which could be achieved by buying in bulk.
• Under-communicating. The absence of a centralized approach and appropriately structured risk governance impedes information sharing.
This inhibits the development of best practices in risk management. In particular, and most costly, is the inability to effectively share lessons learned from costly mistakes, potentially dooming other departments to repeat the same error.
In contrast, a robust enterprise risk management program is integrated, removes these inefficiencies, and results in appropriate bulk purchasing of hedges and sharing of information enterprise-wide.
Internally Inconsistent
A third disadvantage of silo risk management is that the organization may be making internally inconsistent projections regarding the market. Different business segments, developing explicit or implicit risk scenarios independently, may be making different assumptions, for example, about the direction of the economy or sector growth. As a result, different areas may unknowingly be making bets that are at cross-purposes.
In contrast, an integrated approach would facilitate a single set of internally consistent market projections, and reconcile all bets on market direction, enterprise-wide.
Aggregated Metrics
Another implication of the word enterprise in enterprise risk management is the ability to aggregate exposure metrics and risk decision making to the enterprise level. There are two main aggregate pieces of enterprise risk management information at the enterprise level. One is a calculated metric of aggregate risk exposure and the other is a management decision defining the target level of aggregate risk exposure.
The first is a calculated metric, or set of metrics, that aggregates the risk exposures to the enterprise level. This is called enterprise risk exposure. Assume that company value is one of the enterprise risk management metrics. This will be defined later in this chapter (see ‘‘Company Value’’), but for now consider it simply as an internal valuation, performed by management, to calculate the value of the company to its primary stakeholder. The enterprise risk exposure may be expressed, for example, as ‘‘We currently have a 10 percent chance of losing 15 percent or more of our company value.’’ This is just one example.
There are usually multiple metrics, each with multiple thresholds, and corresponding likelihoods. This is a calculated metric, or set of numbers, at one point in time.
The second aggregate element—the counterpart to enterprise risk exposure—is a quantitative definition, set by management, of the amount of enterprise risk exposure that is acceptable. This is called risk appetite. Another term for this is risk tolerance, which is used by Standard & Poor’s. Risk appetite is the target level of enterprise risk exposure. Risk appetite is what management wants enterprise risk exposure to be,at the limit. Continuing our company value metric example, management may define risk appetite as ‘‘We want no more than a 7 percent chance of losing 15 percent or more of our company value.’’ Again, this example involves just one data point, whereas, mirroring enterprise risk exposure, risk appetite is a set of defined targets for a set of metrics.
In this example, management defines risk appetite below the current enterprise risk exposure level, indicating a desire to reduce the level of risk.
Because likelihood and severity go hand in hand, even our single data point definition of risk appetite can be expressed in two ways. In our example, management expressed a desire to reduce the likelihood, from 10 percent to 7 percent, of suffering a loss of 15 percent or more in company value. They focused on a specific level of severity—a loss of 15 percent or more—and wanted this to be less likely. This is the most common choice, because management focus is on the severity of events more than the likelihood.
Management is well aware of the outcomes they would like to avoid. Nevertheless, management can express the desire for a reduction in risk by fixing the likelihood and targeting a lower corresponding severity. For example, management can define risk appetite as ‘‘We want a 10 percent chance to correspond to, at the maximum, losing 12 percent or more of our company value.’’ This is equally valid.
Most companies still use silo risk management and do not yet have either of these aggregate elements. However, they are such a fundamental part of enterprise risk management that without these two elements, the ERM program cannot perform its primary function, which is to manage enterprise risk exposure to within risk appetite. In our example, management is indicating that they wish to lower enterprise risk exposure from its current 10 percent likelihood to within a 7 percent likelihood of crossing a threshold of a loss of 15 percent or more of company value.
The ability to produce aggregate information at the enterprise level—and particularly enterprise risk exposure and risk appetite—is not critical only because it supports the primary function of enterprise risk management. It is also of vital importance because this should be the first step, chronologically, in the risk decisionmaking process. Information on risk exposures and risk appetite should first be produced at the enterprise level, and then cascaded downward through the organization, in a type of allocation or budgeting process. For example, risk appetite is allocated or budgeted downward to determine risk limits. The type of risk limits set varies by organization, and can include geographic areas, business segments, and/or individual risks.
When this is implemented in the correct chronological order, it turns the risk management process upside-down, or more accurately, right-side-up, for the first time. Traditional risk management assesses risks at the local business unit or risk level, and decides on mitigation based on local business management’s judgment, instinct, or, even worse, arbitrary rules of thumb established long ago forother purposes. Using a traditionalrisk management approachcan result in under-mitigating some risks, which can be disastrous if such a risk event occurs and the company is not adequately protected. However, a more common and immediate consequence of the traditional risk management bottom-up approach is the converse—many risks are over-mitigated. This results in waste, as resources are unwittingly spent on excess mitigation which management would have vetoed, if the proper information had been available.
In contrast, enterprise risk management introduces a logical approach based on the overall volatility of the enterprise and the desired level of enterprise stability, or shock resistance, desired by management. This is more sensible, because this is how the shareholders and other key stakeholders perceive the volatility: in the way that it expresses itself at the enterprise level. Once the two essential aggregate counterparts of information—enterprise risk exposure and risk appetite—are determined, lower-level decisions can be made at the business segment, business unit, or risk level, depending on the specific risk culture of the organization, and how they choose to allocate their aggregate enterprise ‘‘risk budget’’ down through the organization.