RISK MANAGEMENT: THE CASE FOR AN ENTERPRISE WIDE APPROACH
Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Since the mid-1990s, enterprise risk management has emerged as a concept and as a management function within corporation.(Geneva) Enterprise-wide risk management looks within and across business lines and activities of the organization as a whole to consider how one area of the firm may affect the risks of other business lines and the enterprise as a whole. This approach is in marked contrast with the silo approach to risk management, which considers the risks of activities or business lines in isolation, without considering how those risks interrelate and affect other business lines. While individual business lines or activities should continue to enhance their own risk-management practices, as organizations gain in complexity it is important to provide the critical oversight that can come only from an enterprise-wide risk-management approach.
According to the Casualty Actuarial Society (CAS), enterprise risk management defined as “ the process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders.’’ A truly holistic, integrated, future-focused and process oriented approach helps an organization manage all key business risks and opportunities with the intent of maximizing shareholder value for the enterprise as a whole. (KPMG,2001)
Furthermore, to understand enterprise risk management within organization, it is important to recognize the distinction between risk measurement and risk management. Risk management entails the quantification of risk exposures and quantification can be a variety of forms – value-at-risk, earning-at-risk, stress scenario analysis, duration gaps-depending on the type of risk being measured and degree of sophistication of the estimates. On the other side, Risk management refers to the overall process that a financial institution follows to define a business strategy, to identify the risks to which it is exposed, to quantify those risks, and to understand and control the nature of the risks it faces. According to FRBNY review “enterprise risk management involves not only an attempt to quantify risk across a diversified firm, but also a much broader process of business decision making and of support to management in order to make informed decisions about the extent of risk taken both individual lines and by the firm as a whole.”
However, no enterprise operates in a risk free environment, and even enterprise risk management does not create such an environment. Rather, enterprise risk management enables management to operate more effectively in environments filled with risks. According to KPMG 2001 report “enterprise risk management provides enhanced capability to:
· Align risk appetite and strategy
· Link growth, risk and return
· Enhance risk response and decisions
· Minimize operational surprises and losses
· Identify and manage cross-enterprise risks
· Provide integrated responses to multiple risks
· Seize opportunities
· Rationalize capital
So enterprise risk management helps an organization to achieve its performance and profitability targets and prevent loss of resources. And it helps an organization to ensure that it complies with law and regulations, effective reporting and avoiding damage to its reputation and other consequences. All together it help an entity get to where it wants to go and avoid pitfalls and surprises along the way. ( Steinberg and Averson)
Moreover, one of the main reason why the risk management has received as much on going attention is that corporate disasters seems to occur on a regular basis to remind us of the perils of “not getting it right”. (Lam J ,Erisk 2001) These can be related to natural catastrophes, accidents, human error or fraud and traditionally companies have been able to transfer such kind of risk to insurance companies. (Geneva) But few years ago, risk management problems led to the collapse of baring, kidder and confederation life, as well as huge losses related to derivatives trading at other companies. So as a result of these wake-up calls and internal risk reviews, leading companies now using enterprise wide risk management approach or overall risk management approach to business risks instead of traditional approach of risk management.
As risk management help to improve bottom line positions by cost reduction and improving the likelihood of overall business success and other side speculative risk management failures such as Baring, Piper alpha and the sea Empress disaster grab headlines but many organizations suffer large cumulative losses from myriad of lesser incidents. According to Waring and Glendon (2002) objectives of risk management may be summarized as eliminating, reducing and controlling pure risk and gaining enhanced utility or benefit from speculative risk. As an enterprise point of view both pure and speculative risks often interact e.g. an organization’s financial investment and business risks are likely to adversely affected by uncontrolled security risks or IT risks. So it is therefore advantageous that both sets of risk management objectives should be considered in a holistic way.
A common thread of enterprise risk management is that the overall risks of the organization are managed in aggregate, rather than independently. Risk is also viewed as a potential profit opportunity, rather than as something simply to be minimized or eliminated. The level of decision-making under enterprise risk management is also shifted, from the insurance risk manger, who would generally seek to control risk, to the chief executive officer, or board of directors, who would be willing to embrace profitable risk opportunities (Kawamoto 2001)
Basically, there are few components of enterprise risk management which organization needs to be consider .For example corporate governance, line management, portfolio management, data and technology resources, risk transfer and stakeholders management. Moreover a range of external and internal factors can cause the outcomes of company’s activities to depart from those sets down in its corporate objectives. (Geneva) From company point of view there are some external factors those relate to in the market place in which company competes but some of the external factors are beyond the control of management, although active enterprise risk management require that there are systems in place to make a company more resilient and adaptable to major changes.
And Issues of risk management and corporate governance are closely connected. Corporate governance is the responsibility of corporate management to ensure that an effective risk management programme in place. The aim of corporate governance should be to ensure that the company meets not just objectives of its shareholders, but also has regard to interests of other individuals and groups with a ‘stake’ in the company. Whereas line management and portfolio management are equally important from the point of view to managing risk, perhaps line management is the most important phase for assessing and pricing risk is at its inception. In the pursuit of new business and growth opportunities, line management must align its business strategy with corporate risk policy and to support the portfolio risk management objectives, risk transfer strategies should be executes to lower the cost of hedging undesirable risks, as well as to in crease the organisation’s capacity to originate desirable but concentrated risks. To reduce undesirable risks management should evaluate derivatives, insurance and hybrid products on a consistent basis and select the select the most cost –effective alternative.
E.g., Honeywell and Mead have executed alternative risk transfer (ART) products that combine traditional insurance protection with financial risk protection. As overall risks of an enterprise are an integral part of its corporate strategy, one way of managing these risks is through the choice of the corporate strategy itself. Moreover, risk analytics and, data and technology resources are also equal important components in enterprise wide risk management approach. The development of advanced risk analytics has supported the quantification and management of credit, market and operational risks on a more consistent basis where as the greatest challenges for enterprise risk management is the aggregation of the underlying portfolio and market data. Mainly portfolio data help to find out the risk positions that are captured in front and back office systems. Market data include prices, volatilities, and correlations. (Lam J , Erisk 2001)
Furthermore, risk management is not only an internal management process, but it should be used to improve risk transparency to key stake holders. It includes the duties of Directors such as periodic reports and updates on the major risks faced by the organization. Regulators need to know that sound practices are in place and also an equity analysts and rating agencies need risk information to develop their investment and credit options. So during communicating and reporting to these key stakeholders, an important objective for management is to assure them that appropriate risk management strategies are in affect. In addition to these a number of other factors have also contributed to the development of enterprise risk management. Recent technology advancement in computing power provide the powerful modelling tools necessary to perform sophisticated risk analysis for hazard risks, such as catastrophes, for financial risks, such interest rate rise movements and for the other risks. Insurers are also developing an expertise in, and a focus on, financial risk management. Some insurers are beginning to provide policies that coordinate financial and pure risk. (Either loss or no loss).
Insurers are beginning to utilize the financial markets themselves through the securitization on insurance risk. (D’arcy S, 2001)
According to the risk magazine “enterprise risk management is fast becoming the best standard because the traditional approach has not produces results’’.
Over time, it has been increasingly apparent that fragmented approach or “managing risk by silos”, doesn’t work properly because risk are highly interdependent and cannot be segmented and managed solely by independent units. Since the enterprise risk management involves a wide area of organization operation, and integrates a wide variety of different types of risks face by organization. So in most cases, a team approach is used, because one person not always able to expertise in handle entire role .In team approach enterprise use the different expertise from different areas, including traditional risk management, financial risk management, management information systems, auditing, planning and line operations. Basically, team approach not allowed managers to focus on particular area of business e.g., traditional risk manger can’t remain concentrate only on hazard risk. In order for the team to be effective each area will have to understand the risks, the language and the approach of other area. Moreover, team leader will also need to have a basic understanding of all the steps involved in the entire process and methodology used by each area.(D’arcy S ,2001)
This specialty area developed its own terminology and techniques for addressing risk. Moreover if enterprise use segmented approach then it doesn’t provide senior management and the board with aggregated risk reporting and this realization has tend to the trend toward enterprise risk management which is supported by internal demand, external developments and advances in risk management methodology.(Lam J ,Erisk 2001).
Actual crisis and significant losses often create the internal demand for enterprise risk management. These internal issues are likely to be followed by critical assessments from auditors and regulators. And sometimes technological advancement and globalisation lead to enterprise create change to cope with external environments and its no wonder that innovation is so difficult for established firm because they employ highly capable people and then set the to work within process and business model. Furthermore Basel II accord stated that by the end of 2006, a financial services company must carry a predetermined amount of capital to offset the level of risk found in company. Unlike the first version of this regulation in 1988,Basel II accord addresses not only capital risk but also an operational risk, including the risk It systems create for an enterprise .so in a way it mandates some form of enterprise risk management. As mentioned in CIO magazine David Weymouth, CIO of Barclays, the U.K.-based financial services company said “We’ve spent something like [$251 million] on a regulatory program. Non compliance is a huge risk we need to manage.” So as the regulation change which directly affect the organization for managing risk according to new regulations.(Berinato S.2003) .so this process of evaluating risk management performance is complex and difficult .For example ,decision to retain or transfer are best evaluated over several years rather than annually because of the averaging effect of random losses. (Kensicki P,2001)
Although, there are number of other factors have also play a vital role in development of enterprise risk management. For Example, recent advances in computing power provide the powerful modeling tolls necessary to perform sophisticated risk analysis for hazard risks, such as catastrophes, for financial risks, such as interest rate movements, and for other risks. on the other side, availability of extensive data bases of financial and other information allows users to examine historical information to determine trends, correlations and other relationship among variables that is essential to enterprise risk management.
How organization uses tools and techniques when they use enterprise wide approach? This is an important question to consider. But before that enterprise should know what the risk they facing and how do they compare with competitors and how the risk changing based on changes in business environment, what level of risk should they take and lastly how should they manage those risk, these are all play a very vital role when they decide any tool or techniques which they use in enterprise wide approach. And for the answer of these all questions’ organization are collecting and analyzing risk information using a variety of basic tools. Some of basic tools are Identification/Assessment, categorizations tools and financial quantifications tools.
Identification/assessment tools enables a management team to collectively identify and assess the risk facing the organization. Risks includes strategic risk, operational risk, reputation risk, regulatory or contractual risk, financial risk, information risk and lastly new risk (these might include risks from new competitors or emerging business model, relationship risk and others).These tools also enable the team to evaluate each risk according to its “likelihood” and its “magnitude”. Where categorization tools help organizations group and priorities their risks, by industry or within an entity. So having an proper categorization of risk an important for task for an enterprise when they use these approach. And financial quantification tools help organization to understand the potential impact of risks. Value-at-risk and option theory are most commonly use models which are available to evaluate risk in financial area.
As mention in KPMG enterprise risk management report, “organization approach to risk management may be centralized at corporate level or decentralized among divisions or processes, depending on the nature of the risks in question and organization preferences of management” But there is no right or wrong way to organize these risks. Centralized risks management mainly focus on risks that affect most if not all functions and processes (for example reputation) and other side Decentralized risk are those which are significant only within particular process which could be manage by separate division or that particular process line but nonetheless that affect the organization’s ability to successfully implement its strategies overall. No matter whether risks are managed in centralized manner, in a decentralized manner, or combination of both, a new organizational trend is to create ERM “program office” and appoint chief risk officers (CROs) who are responsible for developing and managing risk management strategy.
CRO plays a very vital role in risk management of an enterprise, and CRO is the person who is responsible for developing and implementing an enterprise wise risk management strategy that includes all aspects of risk. CRO is also responsible for number of other responsibilities that are as follow. (Lam J,Erisk 2001)
· Developing risk management policies, including the quantification of management’s risk appetite through specific risk limits.
· Providing the overall leadership, vision, and direction for enterprise risk management
· Establishing an integrated risk management framework for all aspects of risks across the organization
· Allocation economic capital to business activities based on risk and optimizing the company’s risk portfolio through business activities and risk transfer strategies
· Developing the analytical systems and data management capabilities to support the risk management program
These are all basic responsibilities of CRO and in most of the cases CRO reports CFO or CEO and some CROs have direct reporting to Board of Directors as well. and other functions that the CRO is commonly responsible for include capital management, risk analytics and reporting and the heads of risk management at the business units. Pamela G.Rogers, assistant treasurer, Roebuck &co. notes that “ just as companies have revenue and profit strategies, there’s got to be a risk strategy ,and CRO need to set it”(KPMG,2001)
For the successful implementation of enterprise-wide risk management some of the elements play very important role. One is a clearly articulated risk management goals that provide a foundation for the enterprise-wide risk management program and for related training and communication. Secondly, common risk language is also play considerable role because it enables individuals throughout the organization to conduct meaningful cross-functional discussions about risk. And lastly individual should clearly understand their role in the risk assessment and risk management framework for a successful implementation of enterprise-wide risk management.(Cumming and Hirtle 2001)
Lastly, enterprise risk management is all about optimising the process with which risks are taken and managed and use of enterprise risk management approach become important because of organisation have started suffering huge losses, e.g., Orange county, Baring bank, Sumitomo corp. and others. Moreover risk management is fundament element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of board. Enterprise risk management brings many benefits as a result of its structures, consistent and coordinated approach. On the other side losses are inevitable, but one must keep learning from the past. Risk itself is not bad, but risk that is misplaced, mismanaged, misunderstood or unintended is bad. So each enterprise needs to assess to best suitable method which suit best to its objectives
References
1. Berinato S, “Enterprise risk Management, Risk rewards: Are you on board with enterprise risk management? You had better be. it’s the future of how businesses will be run” Published by CIO Magazine Nov Issue ,http://www.cio.com/archive/110104/html
2. Coleman L, (May 2005) “ Enterprise risk strategy: managing business risks with modern finance techniques” Published by University of Melbourne http://unimelb.edu.au
3. Cumming C and Hirtle B, (March, 2001)FRBNY economic policy review, “The challenges of risk management in diversified financial companies”
4. D’Arcy S , (May 2001 )“ Enterprise Risk Management” Journal of Risk management of Korea, volume 12,number 1
5. Dickinson G, (July 2001) “ Enterprise Risk Management: Its origins and conceptual foundation” The Geneva Papers on Risk and insurance, Vol.26, No.3(July 2001) 360-366
6. Federal reserve board, (July 14, 2004) “Using Enterprise wide risk management to Effectively Execute Business Strategies” at risk management association and consumer banker association retail risk conference, Chicago http://www.federalreserve.gov/boarddocs/speeches/2004/20040716/default.htm
7. Jacobson R; Aaker D (Jun 1987)“ The role of risk in explaining differences in profitability” the academy of management journal , Vol. 30, No. 2,( Jun 1987),277-296
8. KPMG, (Nov 2001) “ Enterprise Risk Management: An emerging model for building shareholder value” http://www.kpmg.com.au
9. Lam j, (March 2000), “ Enterprise-wide risk management and role of the chief risk officer” Erisk.net
10. Marphatia A “Risk management in financial services industy: An overview”
11. Module Reader, (2005-06) “Business Risk Management” Glasgow Caledonian University
12. Riskreports.com “ the risk spectrum”
13. Russell A, Shire Pharmaceuticals Group Plc “ Case study: Enterprise Risk Management
14. Steinberg and Averson (2003) COSO, Executive summary committee of sponsoring organizations of the trade way omission “enterprise risk management framework” http://erm.coso.org
15. Schmit J; Roth K, (Sep 1990) “ Cost effectiveness of risk management practices” the journal of risk and insurance, Vol. 57 , No.3(sep 1990),455-470
16. Tillinghast-Towers Perrins ,(2001) , “Enterprise Risk Management: An analytic approach” http://www.tillinghast.com
17. The institute of Internal Auditors, (September 29,2004) “The role of internal auditing in enterprise-wide risk management” http:// www.theiia.org
18. Waring A and Glendon (2002) “ Managing risk, critical issues for survival and success into the 21st century” Thompson Learning
19. Young P; Blanch E(2005) “ Enterprise Risk Management: Another Perspective”, reader, Glasgow Caledonian University reader