Risk Culture
After completing this reading, you should be able to: Carry out a comparison... Read More
After completing this reading, you should be able to:
Enterprise risk management is a holistic approach to risk management where all risks are viewed together within a coordinated and strategic framework. It differs from the more traditional silo approach where firms seek to manage one risk at a time, on a largely compartmentalized and decentralized basis.
ERM is essentially the use of a common risk management framework to manage risk across an organization. Although organizations have differentiated frameworks, there are three permanent features: people, rules, and tools. “People” stands for individuals with defined responsibilities. These individuals employ repeatable processes (rules) and technology (tools) to mitigate risk.
ERM creates value for companies both at the “macro” or company-wide level and “micro” or business-unit level.
At the macro level, ERM creates value by giving senior management the capacity to quantify and manage the risk-return tradeoff that faces an entire firm. By quantifying risk, management is able to come up with an optimal risk-return tradeoff. In turn, this guarantees steady access to the capital markets and other resources it needs to implement its strategy and business plan.
In that regard, firms have an incentive to manage risk to avoid a situation where they are forced to pass up potentially profitable (positive NPV) projects due to a lack of capital. We can demonstrate the importance of ERM by exploring one of the most contentious issues in finance: Are markets perfect or imperfect?
In a perfect market, a company’s cost of capital is determined solely by its systematic (undiversifiable) risk as measured by beta. Diversifiable risks do not count as far as the cost of capital is concerned. This is because it is assumed that the providers of capital (investors) hold well-diversified portfolios and, therefore, largely ignore a firm’s diversifiable risks when making their investment decision. What this means is that efforts to manage total risk are a waste of corporate resources.
In the real world, however, there’s information asymmetry and markets are far from perfect. A bad outcome resulting from a risk considered “diversifiable” can trigger a significant effect on a firm’s cost of capital.
Consider a company that prides itself on its ability to continually identify and reap big from new projects. In the current year, the company (and its investors) expects operating cash flow of $100 million. What will happen if the company ends up reporting a loss of $50 million? First, this means that there will be a cash flow shortfall of $150 million in the eyes of investors. Such an outcome can set in motion events that will collectively result in a loss in company value.
For starters, investors will adjust their expectations of future cash flows and earnings downward. These investors will express their displeasure by selling off a company’s stock, a move that will result in a reduction in market capitalization. In these circumstances, the loss in value will likely surpass $150 million. Even if operating cash flow rebounds quickly, there could be other, longer-lasting effects. For example, let’s assume that true to its mantra, a company has a number of strategic investment opportunities that require immediate funding. Unless the firm has considerable cash reserves or unused debt capacity, it may have no choice but to turn to the capital markets for support.
Investors will likely demand a significantly higher risk premium for any new debt or equity issued. If the new cost of capital is high enough, management may have little choice but to cut investment. This inability to fund strategic investments on a timely basis can result in a permanent reduction in shareholder value, even if the cash shortfall is temporary.
By investing in a robust ERM framework, a company can avoid such an outcome and protect its strategic plan. The company will be able to come up with ways of hedging the diversifiable risk.
In order to successfully optimize the risk-return tradeoff, ERM must be practiced not just at a firm level but also at the project level. A firm must evaluate the risk of every prospective project and how such risks affect its overall risk. In fact, a company should take on a project that increases its total risk only if the project provides an adequate return on capital after compensating for the costs associated with the increase in risk. In other words, the risk-return tradeoff has to be part and parcel of every corporate decision.
To realize the micro benefits of ERM, risk evaluation of new projects must be decentralized. In a centralized structure, any given project must pass through the chief risk officer who initiates the evaluation of the risk-return tradeoff and approves a project only if they are satisfied that it meets all the risk-related thresholds. In a decentralized structure, the risk-return evaluation process starts at the business unit level with line managers and project “sponsors” playing a starring role.
In order for decentralization of the evaluation of the risk-return tradeoff to bear fruit:
Decentralization of the risk-return tradeoff is associated with three main benefits:
Every firm has to strive to establish the optimal amount of bearable risk. Failure to do so would lead to one of these two outcomes:
For these reasons, many companies identify a level of earnings or cash flow that they want to maintain under almost all circumstances. The aim of this move is to optimize a firm’s risk portfolio, limit the probability of distress, and maximize firm value. It is important to note that the goal is not to minimize or eliminate, but rather to limit the probability of distress to a level that management and the board agrees is likely to maximize firm value.
This begs the question: how does a company identify the optimal level of risk that maximizes firm value? Many companies achieve this by identifying a level of earnings or cash flow that they want to maintain under almost all circumstances (i.e., with an agreed-upon level of statistical confidence, say 95%, over a one-year period). They then design their risk management programs to ensure the firm achieves that minimum. It is common for the minimum cash flow amount to be called a “threshold.”
Many companies use bond ratings to define this threshold. For example, the management of a company, currently rated A, may estimate that the firm would have to start giving up valuable projects if its rating falls to Ba. In line with this, the firm would adopt a financial and risk management policy that aims to limit to an acceptably low level the probability that a firm’s rating will fall to Ba or lower. Although it may be difficult to estimate the actual probability of moving from an A rating to a Ba rating within a specified period, the firm can work with average probability data supplied by rating agencies. For example, a study by Moody’s using data from 1920 to 2005 has revealed that the average probability of a company rated A having its rating drop to Ba or lower within a year’s time is 0.99% (we add up the probabilities of ending up with a rating equal to or lower than Ba along the row that corresponds to the initial rating of A).
$$ \textbf{Table 1 – Transition Matrix from Moody’s} $$
$$\small{\begin{array}{l|cccccccc}
& \textbf{Rating to} & & & & & & & \\\hline
\textbf{Rating from} & \textbf{Aaa} & \textbf{Aa} & \textbf{A} & \textbf{Baa} & \textbf{Ba} & \textbf{B} & \textbf{Caa-c} & \textbf{Default} \\
\textbf{Aaa} & 91.75\% & 7.26\% & 0.79\% & 0.17\% & 0.02\% & 0.00\% & 0.00\% & 0.00\% \\
\textbf{Aa} & 1.32\% & 90.71\% & 6.92\% & 0.75\% & 0.19\% & 0.04\% & 0.01\% & 0.06\% \\
\textbf{A} & 0.08\% & 3.02\% & 90.24\% & 5.67\% & 0.76\% & 0.12\% & 0.03\% & 0.08\% \\
\textbf{Baa} & 0.05\% & 0.33\% & 5.05\% & 87.50\% & 5.72\% & 0.86\% & 0.18\% & 0.31\% \\
\textbf{Ba} & 0.01\% & 0.09\% & 0.59\% & 6.70\% & 82.58\% & 7.83 \%& 0.72\% & 1.48\% \\
\textbf{B} & 0.00\% & 0.07\% & 0.20\% & 0.80\% & 7.29\% & 7.29\% & 6.23\% & 4.78\% \\
\textbf{Caa-c} & 0.00\% & 0.03\% & 0.06\% & 0.23\% & 1.07\% & 1.07\% & 75.24\% & 15.69\%
\end{array}}$$
Average one-year rating transition matrix, 1920-2005, conditional upon no rating withdrawal. Source: Moody’s Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006.
Financial institutions, such as banks and insurance companies, tend to target a much lower probability of distress compared to the typical industrial firm. That’s because their liabilities – including deposits and insurance contracts – are highly credit-sensitive and a rating downgrade can have a devastating effect on their financial standing and even threaten their status as a “going concern.”
Apart from rating downgrades, companies also use the following to establish the optimal level of risk:
When working out acceptable levels of volatility, many firms often go a step further and calculate the value at risk, i.e., the amount of the loss that is expected, with some pre-specified probability level, to be reached or exceeded during a defined time period. For example, let’s assume that a portfolio of securities has a one-year VaR at a 5% probability level of $10 million. What this means is that there is a 5% chance that the portfolio will have a loss that exceeds $10 million in the next year. It would also be correct to say the firm is 95% confident that the loss over the next year will be no more than $10 million.
VaR can be established both at the portfolio level and at the firm level. Going by the data in table 1, for example, a firm rated A would have to compute its firm-level VaR at a probability level of 0.08%. The company would then have to hold buffer equity capital equal to the VaR.
A firm faces a tradeoff whenever the amount of buffer equity it holds is linked to firm volatility or the VaR. As the VaR or volatility increases, the firm requires more capital to achieve the same probability of default. This tradeoff becomes steeper if management decides to reduce the targeted probability of default, say, from 2% to 1.5%.
The development of a conceptual framework can be summarized in four steps:
Implementation of ERM is a challenging process. As such, it requires everybody in a firm to have a firm understanding of the framework and how it creates value. Managers must emphasize to everyone involved that it is not an academic exercise but rather a tool that will help the firm execute its strategy and have a trickledown effect on everyone in terms of their professional reputation and career prospects. To make ERM implementation a success, management should consider attaching the so-called “performance sweeteners” to ERM targets. For example, all members of a business unit may be promised a bonus if they manage to keep return levels above a given threshold.
A common practice for banks is to classify all risks into one of three categories: market, credit, and operational. However, a firm must ensure that all risks it is exposed to fall in one of these three categories. In most cases, operational risk is used as the catch-all category that includes all risks not considered market or credit risks.
Once all of a company’s major risks have been identified, the firm must come up with a consistent way to measure its exposure to these risks. In the absence of a consistent approach, the firm could find itself in a tricky situation where two business units (or more), exposed to the same risk, are allocated different amounts of capital. That would almost certainly create tension and conflict within the firm.
In addition, information on all the identified risks must be collected and continuously updated. In this regard, a firm must have a centralized IT system that allows different business units to forward their own data but in a format that allows aggregation of common risks. In practice, most firms have a decentralized IT system where business units use incompatible computer systems.
Over the years, there have been major corporate scandals blamed on the failure to conduct thorough “inventories” of risks. Business units often resist risk monitoring efforts because they are seen as time-consuming and distractive. In that regard, the 1997 derivatives scandal at Union Bank of Switzerland provides a perfect example. The bank’s equity derivatives department was an entity in its own right; it did not fall under the purview of the rules and regulations that we would otherwise expect to find in a large bank. One of the department’s risk managers took high-risk positions with very little monitoring or supervision. In the end, the bank lost more than $400 million.
Credit ratings undoubtedly offer a useful device for keeping a company’s risk in check. It is, nevertheless, important to bear in mind that ratings do have some limitations when used as a key part of value-maximizing risk management and capital structure policy. For starters, ratings rely on “accounting” ratios and analysts’ subjective judgment. Therefore, the resulting estimates of a firm’s probability of default may not be reliable. It is not uncommon to find a situation where a firm feels confident that the underlying economics of its risk management and capital structure warrants bear an A rating, but it still ends up getting a lower rating from agencies. Such a situation can play out if rating agencies apply misleading accounting-based criteria. When something like this happens, a firm should make business decisions based on its own economics-based analysis. At the same time, it should try to sell its thinking to rating agencies.
On one hand, a focus on cash flows means that a firm focuses on its economic value and successfully locks in the targeted probability of default. On the other hand, such an approach could also result in more volatile accounting earnings. To see how this can come about, let’s consider the current accounting treatment of derivatives. Consider a firm that uses derivatives to hedge an economic exposure but fails to qualify for hedge accounting. In these circumstances, the derivatives hedge could reduce the volatility of firm value but at the same time increase the volatility of accounting earnings. For this reason, a firm that implements ERM could be forced to contend with higher earnings volatility compared with a firm that does not.
A firm that categorizes its total risk exposure into market, credit, and operational risk begins by measuring each of these risks individually. Next, the firm calculates the VaR with respect to each category and then aggregates the VaRs to produce a firm-wide VaR. This exercise comes with two main challenges:
The three categories of risk have different distributions. Whereas market risk behaves very much like the returns on a portfolio of securities that have a “normal” or symmetric distribution, both credit and operational risk have asymmetric distributions, with operational risk having a particularly fat tail. What this implies is that while it is appropriate to use the normal distribution to estimate the VaR of market risk, such an approach is not appropriate for credit and operational risks.
A firm must estimate the correlations across these risk categories. At present, we do not yet have a way to measure the correlation with good enough accuracy. Instead of relying on their own estimates, companies tend to use averages of correlations used by other firms. Whether a firm works with internally developed correlation estimates or industrial values, management must always bear in mind that correlations tend to increase in periods of stress.
From the perspective of ERM, Economic capital (EC) refers to the amount of risk capital that a firm estimates it will need in order to achieve its optimal credit rating and maximize firm value. On the other hand, regulatory capital reflects the amount of capital that a firm needs, given regulatory guidance and rules.
A firm that practices ERM may find itself in one of the following two scenarios:
In this case, the firm is able to meet its regulatory requirements as part of its ERM objectives and maximizes firm value without any issues. In this case, the regulatory requirements are not considered binding and do not affect a firm’s decisions.
If regulatory capital requirements are greater than economic capital requirements, then a firm will have excess capital on hand. Some firms call this excess capital “stranded” capital. If all of the competitors of a firm are subject to the same onerous regulatory capital requirements, the stranded capital the firm is forced to hold is considered a regulatory tax since it has little justification from an economic point of view. But if some potential competitors could offer the same products/services as the firm and somehow get away with less regulatory capital, these less-regulated competitors will have a competitive advantage. In this case, it is upon management to explore ways to grow its portfolio of activities in a way that requires less regulatory capital.
If there were no costs associated with stockpiling equity capital, firms would never turn down a risky project because there would always be funds to offset losses in case of an adverse outcome. In the end, adverse outcomes would not have a material impact on a firm’s investment policy. In the real world, however, there are always significant costs associated with holding funds. If the market perceives that a company has excess economic capital that’s not been put into productive use, the assumption will be that the management has run out of ideas on how to use the available capital and generate a return. As a consequence, the market will reduce such a firm’s value.
When a company decides to take on a new risky activity, there will automatically be an increase in the probability of financial distress. An effective way to avoid the additional costs of a new project is to raise enough additional capital such that the new risky activity has no effect on the probability of financial distress.
Invesco Inc. prides itself on its ability to generate above-average returns on its projects. A new promising investment opportunity has come up, expected to last one year. Before the company takes on the new investment, the VaR estimate used to set the firm’s capital stands at $50 billion. The new investment has increased this VaR estimate to $50.5 billion. What does the firm need to do to ensure that it retains the same probability of financial distress it had before it undertook the new risky activity?
Invesco Inc. would have to do two things:
If the cost of capital is 10% per year, having an additional $500 million for the duration of the project would come with a cost of $50 million. This means that the new project would need to generate an additional $50 million to maintain the economic capital of the firm. Equivalently, the expected benefit of the new project would need to be reduced by $50 million as compensation for the incremental risk to the firm.
Although the incremental impact of a new project on a firm’s economic capital may appear rather straightforward on paper, the practical part comes with several difficulties. Perhaps, the most important is the fact that the firm will have to consider the correlation between the new project and the other projects already underway. If the new project is less than perfectly correlated with other projects, the incremental increase in the VaR will be less. For such a project, the company may try to negotiate a lower cost of capital.
Practice Question
In decentralizing the risk-return tradeoff in a company, managers are required to perform which of the following activities?
A. Conducting a firm’s audit.
B. Delegating duties.
C. Hiring a third party to conduct a firm’s audit.
D. Highlighting new important projects.
The correct answer is D.
The first three activities are important activities but are not required during the decentralizing of the risk-return trade-off.
Managers are supposed to highlight important projects that can help mitigate risks. By quantifying risk, the management is able to come up with an optimal risk-return tradeoff which, in turn, assures steady access to the capital markets and other resources it needs to implement its strategy and business plan. This is part of the macro benefits of ERM.