Print Email Download Reference This Send to Kindle Reddit This
submit to reddit

Enterprise Risk Management techniques within a business

Enterprise risk management (ERM) is a recent risk management technique where a portfolio of risks is managed in a holistic manner. ERM has inspired interests from various parties including corporate executives, regulators, and rating agencies. Under the ERM framework, corporations take on necessary risks to pursue their strategic objectives within their respective risk appetite. The core of the ERM process is efficient risk integration. Inter-relations among risks and risk prioritization are highlighted in the risk integration process under ERM. Certain risk measures and aggregation methods are usually involved in its implementation. Effective risk reporting and communications in a well-designed organizational structure are also essential for the success of ERM. Being an evolving process, the ultimate goal of ERM is to move beyond the initial incentive of fulfilling compliance need to achieving real economic value.

Note: * in the main text suggests possible cross-references to other entries in the encyclopedia. The same term which appears multiple times is only marked once.

WHAT IS ERM?

Definition

Enterprise risk management (ERM) is a recent risk management technique practiced increasingly by large corporations in all industries throughout the world. It was listed as one of the twenty breakthrough ideas for 2004 in Harvard Business Review [1]. ERM reflects the change of mindset in risk management over the past decades. Business leaders realize that certain risks are inevitable in order to create value through operations and some risks are indeed precious opportunities if effectively exploited and managed. In pursuit of the above, a corporation’s risk management practice should be carried out in a holistic fashion, aligned with its strategic objectives. It flows from the recognition that a dollar spent on risk is a dollar cost to the firm regardless of whether this risk arises in the finance arena or in the context of a physical calamity such as a fire. ERM proposes that the firm address these risks in a unified manner.

The prevailing definition of ERM adopted by most corporations is the one proposed by Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their 2004 ERM framework [2]. It intended to establish key concepts, principles and techniques of ERM. In this framework, ERM is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” This definition highlights that ERM reaches to the highest level of the organizational structure and is directly related to the corporations’ business strategies. The concept of risk appetite is a crucial component of the definition. Risk appetite reflects the firm’s willingness and ability to take on risks in order to achieve the objective. Once it is established, all subsequent risk management decisions will be made within the corporation’s risk appetite. Thus, the articulation of risk appetite greatly affects the robustness and success of an ERM process. Different themes of business objectives are applied to determine risk appetite. Among the most common ones are solvency concerns, ratings concerns, and earnings volatility concerns [3]. The themes directing the risk appetite process should be consistent with the corporation’s risk culture and overall strategies.

Despite its wide acceptance, the COSO definition is not the only available definition. For example, Casualty Actuarial Society (CAS) offered an alternative definition in its 2003 overview of ERM. In CAS’s definition, “ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organizations’ short- and long-term value to its stakeholders.” [4] There are indications that ERM definition is gradually becoming organization specific. Individual corporations may define ERM uniquely according to their own understanding and objectives. Ai (2006) suggested that creating a clear, firm-tailored definition is an important precursor to the firm implementing a successful ERM framework. In fact, a 2006 survey of US corporations identified that lack of an unambiguous understanding of ERM is the one obstacle preventing companies from putting ERM in place [5].

Current development of ERM

As a rising management discipline, current development of ERM varies across industries and corporations. The insurance industry, financial institutions, and the energy industry are among the industry sectors where ERM has seen relatively advanced development in a broad range of corporations [6]. The enforcement of ERM in these industries was originally stimulated by regulatory requirements. Recently, more corporations in other industries, and even the public sector, are becoming aware of the potential value of ERM and risk managers are increasingly bringing it to top executives’ agendas. According to a 2006 survey of US corporations, over two thirds of the surveyed companies either have an ERM program in place or are seriously considering adopting one [5]. An earlier survey of Canadian companies obtained similar results. It found that over a third of the sample companies were practicing ERM in 2003 and an even larger portion of the sample companies were moving in that direction [7].

Different stages of ERM implementation have been identified. According to a 2005 survey conducted of Canadian and US organizations, ERM implementation can be broken down into three stages based on the level of development [8]. Stage one is ERM strategy development, where corporations define key concepts, make ERM policies and establish the risk management framework. The second stage is ERM strategy implementation. Corporations at this stage implement the established ERM framework in their overall strategies and operations. The third stage of ERM is monitoring and maintaining the system. At this stage, ERM sustainability is the main focus achieved by effective internal and/or external evaluations. Only a small number of corporations, mainly in insurance, financial and utility industries, are at this stage of ERM practice. It is worth noting that ERM is a continuous evolving process, by no means limited to the above identified three stages. As more in-depth understanding and techniques are developed, corporations will move upward to higher stages and more advanced stages are also likely to emerge.

ERM IMPLEMENTATION

Notwithstanding the attractiveness of ERM conceptually, corporations are often challenged to put it into effect. One of the main challenges in ERM implementation is to manage the totality of corporation risks as a portfolio rather than as individual silos as is traditionally done. Several specific aspects of ERM implementation together with present challenges are considered below.

Determinants of ERM

Although ERM is largely considered as the most advanced risk management concept and toolkit, it is carried out at different paces by corporations. Studies have examined corporate characteristics that appear to be determinants of ERM adoption. For example, Liebenberg and Hoyt (2003) [9] find that firms with greater financial leverage are more likely to appoint a Chief Risk Officer (CRO), to signal their adoption of ERM. In another study, factors including presence of CRO, board independence, Chief Executive Officer (CEO) and Chief Financial Officer (CFO) support for ERM, use of Big Four auditors, and entity size are found to be positively related to the stage of ERM adoption [6]. These factors reflect ERM’s role in corporate governance. Launch and pursuit of the ERM process lead to better corporate governance, which is desired by both external and internal constituencies.

Operationalization of ERM

The core of the challenge lies in operationalizing ERM in practice. Integration of risks is not merely a procedure of stacking all risks together, but rather a procedure of fully recognizing the inter-relations among risks and prioritizing risks to create true economic value. Important components of this procedure include risk identification, risk measurement, risk aggregation, risk prioritization and risk communication.

Risk identification

The four major categories of risks considered under an ERM framework are hazard risk, financial risk, operational risk*, and strategic risk [4]. Hazard risk refers to physical risks whose financial consequences are traditionally mitigated by purchasing insurance policies. Examples of hazard risk include fire, theft, business interruption, liability claims, etc. Financial risk refers to those risks involving capital and financial market. Market risk (interest rate risk, commodity risk, foreign exchange risk) and credit risk (default risk) are among the most important financial risks. This type of risk is usually hedged by financial instruments, such as derivatives. Operational risk is a nascent risk category and has inspired increasing interest. Operational risk includes internal fraud, external fraud, employment practices and workplace safety, clients, products and business practices, damage to physical assets, business disruption and system failures, and execution, delivery and process management [10]. The newly released Basel Capital Accord II [10] first drew attention to operational risk in the banking industry. The impact soon spreads to other industries and now operational risk is ranked as the most important risk domain by US corporation executives [5]. However, given the complex and dynamic nature of operational risk, there is no easy access to the solution. Its management requires sophisticated and innovative risk management techniques. Lastly, strategic risk is more directly related to the corporation’s overall strategies. It includes reputation risk, competition risk, regulatory risk, etc. The management of strategic risk does not fall automatically into standard categories of risk management techniques. Specific risks perceived by each corporation need to be identified and managed customarily.

The identification of the above four categories of risks is not meant to suggest separate management of each category. Rather, under ERM, identification of individual risks should facilitate successive prioritization and aggregation of risks to best achieve business objectives within the corporation’s risk appetite. Moreover, not all risks likely to face the corporation fall into one of the above major categories. Any event that can potentially affect the corporations’ objectives is considered a risk under ERM. Therefore, proper objective identification is the prerequisite for risk identification. Business objectives can be described by certain key performance indicators (KPIs), usually financial measures such as return on equity (ROE), operating income, earnings per share (EPS) and others for specific industries, e.g. risk adjusted return on capital (RAROC) and risk based capital (RBC) for financial and insurance industries [4]. By means of these company performance measures, risks are recognized according to the strategic goals established for each company, which is the first step to implement a sound ERM process

Risk aggregation and risk measures*

A central step towards operationalizing ERM is risk integration. Holmer and Zenios (1995) [11] is among the earliest studies that shed light on value created by process integration/ holistic management. In their work, an approach that integrates different parts of the production process (designing, pricing, and manufacturing) was proposed to improve productivity of financial intermediaries. Although risk management was rarely involved in that work, the underlying rationale is essentially the same.

One sensible way to unify and integrate different types of risks is to derive the total risk (loss) distribution. The process starts with individual risks, which, as random outcomes, are usually represented by certain distribution functions technically. An aggregated risk distribution for the entire corporation can be derived from these individual risk distributions. Some risk measure is then developed to reflect the risk level. The risk measure can be denoted in dollar terms, in the form of capital requirements. In essence, risk management and capital management are two sides of a coin under ERM as the aim here is to create optimal returns using available capital by bearing risks [12].

Aggregated risk distribution functions essentially contain two parts: the marginal distributions for individual risks and the inter-relations between the risks. Marginal distributions are found for each identified individual risk through parametric models, non-parametric models or stochastic simulations [13]. Parametric models fit data in certain pre-determined distribution functions. Nonparametric models rely on histogram or kernel density estimation of historical data. Stochastic simulations methods (Monte Carlo Markov Chain simulation) start by generating random numbers through repeated runs. Stochastic simulation methods have become more and more popular in both academia and practice.

There are also multiple ways to capture the inter-relations among risks. A simple approach is through variance-covariance matrices. Correlations between different risks are either calculated based on historical data or conjectured by domain experts. Alternatively, structure simulation models can be employed to link possibly correlated risks to common factors [4]. For example, different types of market risks may be driven by the same macro-economic conditions. These macroeconomic conditions thus result in the interactions among market risks. Inter-relations among risks can be exploited to determine natural hedges and place early warnings on catastrophic events where different types of risks strike together, which may lead to real economic benefits created by ERM.

At a slightly more sophisticated level, dependence structures can be modeled by using a copula. A copula is a flexible tool to capture the dependence structure among risks. Suppose we have two risks X and Y with distribution functions FX(x) and FY(y). Denote the joint distribution function by FX,Y(x,y). Then the copula is defined as (1) [14]. Thus, we can derive the joint distribution function from marginal distribution functions by using copula. Various types of copulas (for example, normal copula or student-t copula) can be employed together with different choice of marginal distributions to model dependency.

Quantile-based measures are perhaps the most prevalent risk measures currently. This class of risk measures focus on the tail area of the distribution functions, i.e., those events occurring with low probabilities but are associated with large losses should they occur. These risk measures reflect an intention to protect shareholder value in time of default or insolvency. The well known Value-at-Risk (VaR)* measure is of this type. VaR is the maximum loss suffered at a given confidence level (e.g. 95%) over a certain period of time (e.g. 1 trading day). Mathematically, we define VaR at the α confidence level as the α-quantile of the loss distribution function F(X), or (2). Although VaR measures are extensively employed, especially in financial risk management, doubts have been raised on VAR’s ability to depict a complete risk picture as a valid risk measure [13]. One of the most important concerns is that VaR fails to satisfy the sub-additivity property desired by any coherent risk measure. A closely related alternative measure is proposed to make up for the possible shortcomings of VaR, namely, Expected Shortfall (or loosely, Tail-VaR). Expected Shortfall takes into account not only the probability of adverse events as VaR but also the average magnitude of these events. Mathematically,(3), where α is the confidence level.

Further considerations lead to other classes of risk measures. For example, the so-called “spectral risk measures” [16] incorporate a weighting function to describe different degrees of risk aversions on quantiles. In this sense, Expected Shortfall is seen as imperfect since it assigns equal weight () to the entire (1-α) region (and a weight of zero outside the region), indicating risk neutrality rather than risk aversion in the region. Moreover, an important risk measure based on distorted distribution functions was developed by Wang (2000, 2002) [17] [18]. The distorted decumulative distribution functions S*(x) are produced by applying a function g (.) to the original loss decumulative distribution function S(x) (S(x)=1-F(x) (4)): S*(x) = g [S(x)] (5), where g is an increasing function with g(0)=0 and g(1)=1. Wang (2000, 2002) [17] [18] suggest specific choices of distortion function g(.): (6) and (7), where is the standard normal distribution function, Q is the student-t distribution function, and is the market price of risk parameter. These are known as Wang’s one factor and two factor transform. A coherent risk measure can then be developed by taking expectation against the distorted distribution function.

Rather than the focus solely on the tails, as quantile-based risk measures do, sometimes risk measures are designed to account for other parts of the distribution functions. Measures based on standard deviations (variance) belong to this class. In constructing these measures, an “on-going” concern rather than a solvency concern is often the primary focus [4].

In practice, simplified approaches are sometimes adopted to obtain the aggregated risk measure rather than relying on the total loss distribution and develop the risk measure as described above. For example, one can derive the portfolio VaR as a weighted sum of VaR for each component risk which implies perfect correlation between risks. Or sometimes, multivariate normality is assumed for the individual risk components and a VaR measure is obtained accordingly. However, these simplified measures should be used with caution since they may lead to biased total risk estimation [14].

Risk prioritization

To realize risk integration, ERM also advocates risk prioritization. Risk prioritization stems from the fact that risks are not equally important to corporations. Prioritization should reflect different aspects of the company’s strategies and risk management philosophy, e.g., cost to handle that risk, contract restrictions on that risk, management’s risk preference, etc. A two dimensional risk map is often used (See Figure 1) in ranking the risks. The vertical axis represents impact of the underlying risks (the severity of losses) and the horizontal axis represents likelihood of the underlying risks (the frequency of losses). Different alert levels and risk management strategies are placed on each quarter panel. The low likelihood, low impact area usually needs minimum alarm, the high likelihood, low impact area should be dealt with accordingly by the risk management team, the low likelihood, high impact area requires for high attention and the high likelihood, high impact area can be disastrous to the corporation and thus demands full alert and tight control [19]. According to the ranking suggested by the risk map, corporations may want to prioritize those risks with high impact, as they are the kind of risks that may bring down the entire corporation once incurred. Risk management activities should then be executed according to priority and characteristics of risks.

(Figure 1 insert about here)

Alternatively, risks can also be ranked and prioritized based on their respective impacts on KPIs [4]. As we explained above, KPIs describe corporations’ strategic targets. The ultimate aim of ERM is to assist corporations in achieving these strategic targets by managing risks in the most effective way. Thus, risks that have higher potential influence on KPIs (or other chosen measures of objectives) should be prioritized and treated with focus.

Risk reporting and risk communications*

Despite the extensive attention given to the technical aspects, ERM is not just about tons of numbers and stacks of risk reports. A key factor for success is effective risk communication from the board and executive management to operational units and across different business departments of corporations. One way to improve risk communication is through a well-designed risk reporting system [20]. The risk reporting system should both provide succinct summaries of critical risk information covering the broad range of corporate risks for board members and executives, and allow access to more detailed information for those responsible for specific risks at the operational level. Moreover, both qualitative and quantitative analysis should be incorporated into this single system. ERM softwares are developed for this purpose. For example, an ERM dashboard, an interface providing “role-based information to key decision makers” is recommended for risk reporting [20]. Risk registers are also used widely for risk reporting and management. Risk registers record relevant information including risks, risk assessments, impact on KPIs, risk management tools and responsible personnel, to keep track of the risk management activities and allow interactions among different parties [19]. There are other commercial ERM softwares in development for use of general or particular corporations.

ERM AND COMPLIANCE*

ERM at first arises from corporations’ continuous efforts for compliance with laws and regulations. To this end, ERM is seen more as an efficient internal control process. Within a corporation, it is often conducted with internal control function and supervised by internal auditors. The most significant regulatory forces responsible for the prosperity of ERM are the Sarbanes Oxley Act of 2002, Basel Capital Accord II and rating criteria set forth by Standard & Poor’s.

Sarbanes Oxley Act of 2002

In the US, the Sarbanes Oxley Act of 2002 [21] greatly raised compliance difficulty for corporations. Section 404 of the act rules the corporations’ internal control activities over financial reporting and disclosure to the public. External auditors are also involved through assessing and attesting corporations’ internal control effects. Corporations have invested great amount of time and money to comply with the act. In this process, they turn to ERM as a solution to adequate and efficient internal control, rather than for general risk management purposes. On a separate note, Sarbanes Oxley Act itself poses as a great operational risk (compliance risk) to most corporations. As far as this is concerned, ERM lends itself to an effectively toolkit for managing this type of risk in corporations’ overall risk portfolio.

Basel Capital Accord II

Basel Capital Accord II [10] has also likely contributed to the development of ERM. This new Basel Capital Accord describes clearly the determination of capital requirements for the banking industry from the regulatory point of view. Besides minimum capital requirements, it also highlights the importance of supervisory review process of management of major risks. For the first time, Basel II explicitly reflects regulatory interest in operational risk. Regulatory capital requirements and review process should stipulate ERM adoption by corporations, to attain unification of risk and capital management, and to fulfill compliance needs.

Rating agency

Compared to the previous two forces, rating agencies have a more direct influence on promoting ERM practice. Rating agencies have always been a major constituency for corporations. Standard & Poor’s (S&P) started to evaluate ERM practice and incorporate it in the rating process for insurers in 2005 [22] and refined the criteria in 2006 [23]. The rating criteria span important components of the ERM process. Risk management culture, risk control techniques, methodologies and principles employed by risk models and the ability to deal with emerging risks all contribute to insurers’ overall ERM assessment. S&P also gives positive weight to the articulation of risk appetite (and resulting risk tolerance, risk limits, etc.), which further demonstrates the fundamental role of risk appetite in the ERM process.

In 2006, S&P extends its ERM evaluation to the financial industry by developing rating criteria specifically for financial institutions [24]. The ERM assessment framework is built up in three dimensions: infrastructure, policies, and methodology. The evaluation process focus on five aspects: risk governance, operational risk, market risk, credit risk, and funding and liquidity. Among those, risk governance includes risk culture, risk appetite, risk aggregation/quantification and risk disclosure. Highly rated financial institutions are those that use effective methodologies and procedures to control each important category of risks, and have a holistic view of the overall risk profile. S&P’s rating will undoubtedly encourage continuous adoption and elaboration of ERM in these industries. In the foreseeable future, it is very likely that rating agencies may start to establish rating criteria for general industries, which will provide even stronger incentive for all corporations to advance aggressively in the ERM process.

ERM FUTURE – VALUE CREATION (CONCLUSION)

ERM practices may have been initially driven by compliance needs, however ERM development should continue to serve an internal control function for better corporate governance. Moreover, the forces upon which ERM thrives are related to the potential economic values generated by better managing risks under identified objectives. One common objective for the majority of corporations is to maximize firm value. ERM is the framework where corporations optimize the risk/return relationships for their businesses. This optimization is achieved through alignment of corporate strategic goals and risk appetite. At the operational level, the alignment guides virtually all activities conducted by the corporation. Specific risks are identified and measured. They are prioritized and integrated by recognizing the inter-relations and relative influences. Risk management strategies are developed for the portfolio of risks. The effects are assessed and communicated. In this way, ERM cuts waste of resources caused by inadequate communication and cooperation under silo-based risk management framework. ERM also increases the capacity and frees space for new opportunities to be explored. Other than these two primary sources of value, more effective risk management also creates benefits from higher credit ratings, lower distress costs, more favorable contract provisions, etc.

Testing the added value of ERM itself is another presented challenge. Wang (2002) [18] proposes that value creation can be calculated as the increase in economic value of the portfolio after implementing ERM, where economic value is obtained by discounting the expected total profit/loss taken against the distorted distribution function (by two-factor Wang’s transform). Zenios (2001) [25] demonstrates from an operations research perspective that effective integration of risks under ERM will create value by pushing out the risk/award frontier of the entire portfolio. More theoretical and empirical analysis is needed to demonstrate/test the added value from ERM.

We conclude on a final note of the evolving nature of ERM. ERM is still at its early stage of development for the most part. Conceptual and practical frameworks are still being constructed through gathered efforts from regulators, industries and academia. More advanced methodologies, techniques and tools are emerging every day. Therefore, some of the aspects (e.g., what ERM really is, the real effect, how it can be best implemented, etc.) described are necessarily vague and debatable due to the lack of consensus regarding exactly what constitute effective ERM and lack of evidences regarding the empirical benefits of different implementation scenarios of ERM. It is the hope that most of the ambiguity will resolve itself as this process goes on and more concrete and analytical discussions can then be carried out.

Print Email Download Reference This Send to Kindle Reddit This

Share This Essay

To share this essay on Reddit, Facebook, Twitter, or Google+ just click on the buttons below:

Request Removal

If you are the original writer of this essay and no longer wish to have the essay published on the UK Essays website then please click on the link below to request removal:

Request the removal of this essay.


More from UK Essays