Enterprise Risk Management: Theory and Practice

After completing this reading, you should be able to:

  • Define enterprise risk management (ERM) and explain how implementing ERM practices and policies can create shareholder value, both at the macro and micro levels.
  • Explain how a company can determine its optimal amount of risk through the use of credit rating targets.
  • Describe the development and implementation of an ERM system, as well as the challenges to the implementation of an ERM system.
  • Describe the role of and issues with correlation in risk aggregation and describe typical properties of a firm’s market risk, credit risk, and operational risk distributions.
  • Distinguish between regulatory and economic capital and explain the use of economic capital in the corporate decision-making process.

What is Enterprise Risk Management?

Enterprise risk management is a holistic approach to risk management where all risks are viewed together within a coordinated and strategic framework. It differs from the more traditional silo approach where firms seek to manage one risk at a time, on a largely compartmentalized and decentralized basis.

ERM is essentially the use of a common risk management framework to manage risk across an organization. Although organizations have differentiated frameworks, there are three permanent features: people, rules, and tools. “People” stands for individuals with defined responsibilities. These individuals employ repeatable processes (rules) and technology (tools) to mitigate risk.

ERM creates value for companies both at the “macro” or company-wide level and “micro” or business-unit level.

The Macro Benefits of Enterprise Risk Management

At the macro level, ERM creates value by giving senior management the capacity to quantify and manage the risk-return tradeoff that faces an entire firm. By quantifying risk, management is able to come up with an optimal risk-return tradeoff. In turn, this guarantees steady access to the capital markets and other resources it needs to implement its strategy and business plan.

In that regard, firms have an incentive to manage risk to avoid a situation where they are forced to pass up potentially profitable (positive NPV) projects due to a lack of capital. We can demonstrate the importance of ERM by exploring one of the most contentious issues in finance: Are markets perfect or imperfect?

In a perfect market, a company’s cost of capital is determined solely by its systematic (undiversifiable) risk as measured by beta. Diversifiable risks do not count as far as the cost of capital is concerned. This is because it is assumed that the providers of capital (investors) hold well-diversified portfolios and, therefore, largely ignore a firm’s diversifiable risks when making their investment decision. What this means is that efforts to manage total risk are a waste of corporate resources.

In the real world, however, there’s information asymmetry and markets are far from perfect. A bad outcome resulting from a risk considered “diversifiable” can trigger a significant effect on a firm’s cost of capital.

Example: Macro Benefits of ERM

Consider a company that prides itself on its ability to continually identify and profit from new projects. In the current year, the company (and its investors) expects operating cash flow of $100 million. What will happen if the company ends up reporting a loss of $50 million? First, this means that there will be a cash flow shortfall of $150 million in the eyes of investors. Such an outcome can set in motion events that will collectively result in a loss in company value.

For starters, investors will adjust their expectations of future cash flows and earnings downward. These investors will express their displeasure by selling off a company’s stock, a move that will result in a reduction in market capitalization. In these circumstances, the loss in value will likely surpass $150 million. Even if operating cash flow rebounds quickly, there could be other, longer-lasting effects. For example, let’s assume that true to its mantra, a company has a number of strategic investment opportunities that require immediate funding. Unless the firm has considerable cash reserves or unused debt capacity, it may have no choice but to turn to the capital markets for support.

Investors will likely demand a significantly higher risk premium for any new debt or equity issued. If the new cost of capital is high enough, management may have little choice but to cut investment. This inability to fund strategic investments on a timely basis can result in a permanent reduction in shareholder value, even if the cash shortfall is temporary.

By investing in a robust ERM framework, a company can avoid such an outcome and protect its strategic plan. The company will be able to come up with ways of hedging the diversifiable risk.

The Micro Benefits of Enterprise Risk Management

In order to successfully optimize the risk-return tradeoff, ERM must be practiced not just at a firm level but also at the project level. A firm must evaluate the risk of every prospective project and how such risks affect its overall risk. In fact, a company should take on a project that increases its total risk only if the project provides an adequate return on capital after compensating for the costs associated with the increase in risk. In other words, the risk-return tradeoff has to be part and parcel of every corporate decision.

To realize the micro benefits of ERM, risk evaluation of new projects must be decentralized. In a centralized structure, any given project must pass through the chief risk officer who initiates the evaluation of the risk-return tradeoff and approves a project only if they are satisfied that it meets all the risk-related thresholds. In a decentralized structure, the risk-return evaluation process starts at the business unit level with line managers and project “sponsors” playing a starring role.

In order for decentralization of the evaluation of the risk-return tradeoff to bear fruit:

  • Managers proposing new projects must evaluate all major risks in the context of the marginal impact of the projects on a firm’s total risk.
  • The chief risk officer must establish how each and every business unit contributes to a firm’s total risk. This gives individual unit managers an incentive to monitor the risk of every project they decide to bring to the table.

Decentralization of the risk-return tradeoff is associated with three main benefits:

  1. It cultivates a strong risk culture where project appraisal is considered incomplete in the absence of detailed risk analysis. Risk is not accounted for in an ad hoc, subjective way and is never ignored.
  2. Every risk is owned in the sense that someone is always held to account with respect to a project’s performance.
  3. It improves the risk analysis process by ensuring that each risk is assessed by those closest to it. Individual business units will usually have a much better understanding of the risks of a unit than the chief risk officer and senior management, especially during the early stages of a project.

How Can a Company Determine Its Optimal Amount of Risk Through the Use of Credit Rating Targets?

Every firm has to strive to establish the optimal amount of bearable risk. Failure to do so would lead to one of these two outcomes:

  1. A firm could end up holding a buffer stock of equity that’s too little to see it through a period marked by a sharp drop in cash flow. This would mean passing up positive NPV projects at a time when it needs to demonstrate resilience and stability, leading to a permanent loss in value.
  2. A firm could end up holding a buffer stock of equity that’s too large, a situation that also comes with costs. For starters, a firm could forego some positive NPV projects because it believes that there’s a need to hold some liquid capital even when in reality, there isn’t such a need. Excess cash is deemed to be low-value by investors. Studies have shown that for larger, mature companies, the last dollar of “excess” cash is valued by the market at as little as 60 cents.

For these reasons, many companies identify a level of earnings or cash flow that they want to maintain under almost all circumstances. The aim of this move is to optimize a firm’s risk portfolio, limit the probability of distress, and maximize firm value. It is important to note that the goal is not to minimize or eliminate the probability of distress, but rather to limit it to a level that management and the board agree is likely to maximize firm value.

This raises the question: how does a company identify the optimal level of risk that maximizes firm value? Many companies achieve this by identifying a level of earnings or cash flow that they want to maintain under almost all circumstances (i.e., with an agreed-upon level of statistical confidence, say 95%, over a one-year period). They then design their risk management programs to ensure the firm achieves that minimum. It is common for the minimum cash flow amount to be called a “threshold.”

Many companies use bond ratings to define this threshold. For example, the management of a company, currently rated A, may estimate that the firm would have to start giving up valuable projects if its rating falls to Ba. In line with this, the firm would adopt a financial and risk management policy that aims to limit to an acceptably low level the probability that a firm’s rating will fall to Ba or lower. Although it may be difficult to estimate the actual probability of moving from an A rating to a Ba rating within a specified period, the firm can work with average probability data supplied by rating agencies. For example, a study by Moody’s using data from 1920 to 2005 has revealed that the average probability of a company rated A having its rating drop to Ba or lower within a year’s time is 0.99% (we add up the probabilities of ending up with a rating equal to or lower than Ba along the row that corresponds to the initial rating of A).

$$ \textbf{Table 1 – Transition Matrix from Moody’s} $$

$$ \begin{array}{l|cccccccc}
& \textbf{Rating to} & & & & & & & \\ \hline
\textbf{Rating from} & \textbf{Aaa} & \textbf{Aa} & \textbf{A} & \textbf{Baa} & \textbf{Ba} & \textbf{B} & \textbf{Caa-c} & \textbf{Default} \\
\textbf{Aaa} & 91.75\% & 7.26\% & 0.79\% & 0.17\% & 0.02\% & 0.00\% & 0.00\% & 0.00\% \\
\textbf{Aa} & 1.32\% & 90.71\% & 6.92\% & 0.75\% & 0.19\% & 0.04\% & 0.01\% & 0.06\% \\
\textbf{A} & 0.08\% & 3.02\% & 90.24\% & 5.67\% & 0.76\% & 0.12\% & 0.03\% & 0.08\% \\
\textbf{Baa} & 0.05\% & 0.33\% & 5.05\% & 87.50\% & 5.72\% & 0.86\% & 0.18\% & 0.31\% \\
\textbf{Ba} & 0.01\% & 0.09\% & 0.59\% & 6.70\% & 82.58\% & 7.83\% & 0.72\% & 1.48\% \\
\textbf{B} & 0.00\% & 0.07\% & 0.20\% & 0.80\% & 7.29\% & 7.29\% & 6.23\% & 4.78\% \\
\textbf{Caa-c} & 0.00\% & 0.03\% & 0.06\% & 0.23\% & 1.07\% & 1.07\% & 75.24\% & 15.69\%
\end{array} $$

Average one-year rating transition matrix, 1920-2005, conditional upon no rating withdrawal. Source: Moody’s Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006.

Financial institutions, such as banks and insurance companies, tend to target a much lower probability of distress compared to the typical industrial firm. That’s because their liabilities – including deposits and insurance contracts – are highly credit-sensitive and a rating downgrade can have a devastating effect on their financial standing and even threaten their status as a “going concern.”   

Apart from rating downgrades, companies also use the following to establish the optimal level of risk:

  • Establishing the probability of default within a specified period of, say, a year. A different probability of default corresponds to each level of buffer equity. That means that by choosing a given level of equity, the management is also effectively choosing a probability of default that it believes to be optimal. From the table above, we can see that the probability of default for a firm rated A over a one-year period is 0.08%. To maintain its rating, the company must maintain the level of buffer equity that makes its probability of default equal to 0.08%.
  • Identifying scenarios that could impose large costs on the company while stopping short of causing a rating downgrade. Such scenarios may include high levels of volatility in earnings and capital. Although such scenarios may not “hit the alarm bells” loud enough to cause a rating downgrade, they could contribute to an increase in overall risk and hence the required level of capital.

When working out acceptable levels of volatility, many firms often go a step further and calculate the value at risk, i.e., the amount of the loss that is expected, with some pre-specified probability level, to be reached or exceeded during a defined time period. For example, let’s assume that a portfolio of securities has a one-year VaR at a 5% probability level of $10 million. What this means is that there is a 5% chance that the portfolio will have a loss that exceeds $10 million in the next year. It would also be correct to say the firm is 95% confident that the loss over the next year will be no more than $10 million.

VaR can be established both at the portfolio level and at the firm level. Going by the data in Table 1, for example, a firm rated A would have to compute its firm-level VaR at a probability level of 0.08%. The company would then have to hold buffer equity capital equal to the VaR.

Important Observation

A firm faces a tradeoff whenever the amount of buffer equity it holds is linked to firm volatility or the VaR. As the VaR or volatility increases, the firm requires more capital to achieve the same probability of default. This tradeoff becomes steeper if management decides to reduce the targeted probability of default, say, from 2% to 1.5%.

Development and Implementation of an ERM System

The development of a conceptual framework can be summarized in four steps:

  1. Management determines a firm’s risk appetite – the level of risk that a firm is prepared to accept in pursuit of its objective. While at it, management also determines the probability of financial distress that maximizes the value of the firm. As before, financial distress is defined as a situation where a firm is forced to pass up positive NPV projects due to lack of adequate resources. If management chooses to use credit ratings as the primary indicator of financial risk, a firm determines an optimal or target rating.
  2. Given a firm’s target rating, the firm estimates the amount of capital (cost) it needs to reduce the probability of financial distress.
  3. Management determines the optimal mix of capital and risk that is expected to yield its target rating.
  4. Management decentralizes the risk-capital tradeoff with the help of a capital allocation and performance evaluation system. This gives managers an incentive to make investment and operating decisions that optimize this tradeoff.

Implementing ERM

Implementation of ERM is a challenging process. As such, it requires everybody in a firm to have a solid understanding of the framework and how it creates value. Managers must emphasize to everyone involved that it is not an academic exercise but rather a tool that will help the firm execute its strategy and have a trickle-down effect on everyone in terms of their professional reputation and career prospects. To make ERM implementation a success, management should consider attaching so-called “performance sweeteners” to ERM targets. For example, all members of a business unit may be promised a bonus if they manage to keep return levels above a given threshold.

Challenges to the Implementation of an ERM System

1. The Risk Identification Problem

A common practice for banks is to classify all risks into one of three categories: market, credit, and operational. However, a firm must ensure that all risks it is exposed to fall in one of these three categories. In most cases, operational risk is used as the catch-all category that includes all risks not considered market or credit risks.

Once all of a company’s major risks have been identified, the firm must come up with a consistent way to measure its exposure to these risks. In the absence of a consistent approach, the firm could find itself in a tricky situation where two business units (or more), exposed to the same risk, are allocated different amounts of capital. That would almost certainly create tension and conflict within the firm.

In addition, information on all the identified risks must be collected and continuously updated. In this regard, a firm must have a centralized IT system that allows different business units to forward their own data but in a format that allows aggregation of common risks. In practice, most firms have a decentralized IT system where business units use incompatible computer systems.

Over the years, there have been major corporate scandals blamed on the failure to conduct thorough “inventories” of risks. Business units often resist risk monitoring efforts because they are seen as time-consuming and distractive. In that regard, the 1997 derivatives scandal at Union Bank of Switzerland provides a perfect example. The bank’s equity derivatives department was an entity in its own right; it did not fall under the purview of the rules and regulations that we would otherwise expect to find in a large bank. One of the department’s risk managers took high-risk positions with very little monitoring or supervision. In the end, the bank lost more than $400 million.

2. The Credit Rating Problem

Credit ratings undoubtedly offer a useful device for keeping a company’s risk in check. It is, nevertheless, important to bear in mind that ratings do have some limitations when used as a key part of value-maximizing risk management and capital structure policy. For starters, ratings rely on “accounting” ratios and analysts’ subjective judgment. Therefore, the resulting estimates of a firm’s probability of default may not be reliable. It is not uncommon to find a situation where a firm feels confident that the underlying economics of its risk management and capital structure warrant an A rating, but it still ends up getting a lower rating from agencies. Such a situation can play out if rating agencies apply misleading accounting-based criteria. When something like this happens, a firm should make business decisions based on its own economics-based analysis. At the same time, it should try to sell its thinking to rating agencies.

3. The Accounting Problem

On one hand, a focus on cash flows means that a firm focuses on its economic value and successfully locks in the targeted probability of default. On the other hand, such an approach could also result in more volatile accounting earnings. To see how this can come about, let’s consider the current accounting treatment of derivatives. Consider a firm that uses derivatives to hedge an economic exposure but fails to qualify for hedge accounting. In these circumstances, the derivatives hedge could reduce the volatility of firm value but at the same time increase the volatility of accounting earnings. For this reason, a firm that implements ERM could be forced to contend with higher earnings volatility compared with a firm that does not.

The Role of and Issues With Correlation in Risk Aggregation

A firm that categorizes its total risk exposure into market, credit, and operational risk begins by measuring each of these risks individually. Next, the firm calculates the VaR with respect to each category and then aggregates the VaRs to produce a firm-wide VaR. This exercise comes with two main challenges:

1. Different Distributions

The three categories of risk have different distributions. Whereas market risk behaves very much like the returns on a portfolio of securities that have a “normal” or symmetric distribution, both credit and operational risk have asymmetric distributions, with operational risk having a particularly fat tail. What this implies is that while it is appropriate to use the normal distribution to estimate the VaR of market risk, such an approach is not appropriate for credit and operational risks.

[Figure: a comparison of market, credit, and operational risk distributions]

2. Correlation

A firm must estimate the correlations across these risk categories. At present, we do not yet have a way to measure the correlation with good enough accuracy. Instead of relying on their own estimates, companies tend to use averages of correlations used by other firms. Whether a firm works with internally developed correlation estimates or industry values, management must always bear in mind that correlations tend to increase in periods of stress.

Regulatory and Economic Capital

From the perspective of ERM, economic capital (EC) refers to the amount of risk capital that a firm estimates it will need in order to achieve its optimal credit rating and maximize firm value. On the other hand, regulatory capital reflects the amount of capital that a firm needs, given regulatory guidance and rules.

A firm that practices ERM may find itself in one of the following two scenarios:

Scenario 1: Economic Capital Substantially Exceeds Regulatory Capital

In this case, the firm is able to meet its regulatory requirements as part of its ERM objectives and maximizes firm value without any issues. The regulatory requirements are not considered binding and do not affect a firm’s decisions.

Scenario 2: Regulatory Capital Substantially Exceeds Economic Capital

If regulatory capital requirements are greater than economic capital requirements, then a firm will have excess capital on hand. Some firms call this excess capital “stranded” capital. If all of the competitors of a firm are subject to the same onerous regulatory capital requirements, the stranded capital the firm is forced to hold is considered a regulatory tax since it has little justification from an economic point of view. But if some potential competitors could offer the same products/services as the firm and somehow get away with less regulatory capital, these less-regulated competitors will have a competitive advantage. In this case, it is up to management to explore ways to grow its portfolio of activities in a way that requires less regulatory capital.

How a Firm Can Use Economic Capital to Make Decisions

If there were no costs associated with stockpiling equity capital, firms would never turn down a risky project because there would always be funds to offset losses in case of an adverse outcome. In the end, adverse outcomes would not have a material impact on a firm’s investment policy. In the real world, however, there are always significant costs associated with holding funds. If the market perceives that a company has excess economic capital that’s not been put into productive use, the assumption will be that the management has run out of ideas on how to use the available capital and generate a return. As a consequence, the market will reduce such a firm’s value.

When a company decides to take on a new risky activity, there will automatically be an increase in the probability of financial distress. An effective way to avoid the additional costs of a new project is to raise enough additional capital such that the new risky activity has no effect on the probability of financial distress.

Example: Raising Capital to Maintain the Same Risk Targets

Invesco Inc. prides itself on its ability to generate above-average returns on its projects. A promising new investment opportunity has come up, expected to last one year. Before the company takes on the new investment, the VaR estimate used to set the firm’s capital stands at $50 billion. The new investment would increase this VaR estimate to $50.5 billion. What does the firm need to do to ensure that it retains the same probability of financial distress it had before it undertook the new risky activity?


Invesco Inc. would have to do two things:

  1. Raise $500 million in new capital.
  2. Invest this capital in such a way that the investment does not increase the risk of the firm. Otherwise, there would be a further increase in firm VaR.

If the cost of capital is 10% per year, having an additional $500 million for the duration of the project would come with a cost of $50 million. This means that the new project would need to generate an additional $50 million to maintain the economic capital of the firm. Equivalently, the expected benefit of the new project would need to be reduced by $50 million as compensation for the incremental risk to the firm.

Although the incremental impact of a new project on a firm’s economic capital may appear rather straightforward on paper, the practical part comes with several difficulties. Perhaps, the most important is the fact that the firm will have to consider the correlation between the new project and the other projects already underway. If the new project is less than perfectly correlated with other projects, the incremental increase in the VaR will be less. For such a project, the company may try to negotiate a lower cost of capital.
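The effect of correlation on the capital charge can be worked through with the Invesco figures; this is an added example, not part of the original reading. It assumes the variance-covariance aggregation formula (firm VaR = sqrt(v' R v)), which fits normally distributed risks such as market risk better than credit or operational risk; the 0.3 correlation, the category VaRs and both correlation matrices are constructed for illustration.

```python
import math


def aggregate_var(standalone, corr):
    """Aggregate standalone VaRs into one VaR using a correlation matrix.

    Assumption of this example: variance-covariance aggregation,
    sqrt(v' R v), which is exact only for jointly normal risks.
    """
    n = len(standalone)
    if len(corr) != n or any(len(row) != n for row in corr):
        raise ValueError("correlation matrix must be n x n")
    for i in range(n):
        if abs(corr[i][i] - 1.0) > 1e-12:
            raise ValueError("diagonal entries must equal 1")
        for j in range(n):
            if not -1.0 <= corr[i][j] <= 1.0:
                raise ValueError("correlations must lie in [-1, 1]")
            if abs(corr[i][j] - corr[j][i]) > 1e-12:
                raise ValueError("correlation matrix must be symmetric")
    total = sum(
        standalone[i] * corr[i][j] * standalone[j]
        for i in range(n)
        for j in range(n)
    )
    # A matrix that is not positive semi-definite can give a negative total.
    if total < 0:
        raise ValueError("correlation matrix is not positive semi-definite")
    return math.sqrt(total)


def incremental_var(firm_var, project_var, rho):
    """Increase in firm VaR from adding a project with correlation rho."""
    combined = aggregate_var([firm_var, project_var], [[1.0, rho], [rho, 1.0]])
    return combined - firm_var


def capital_charge(extra_capital, cost_of_capital):
    """Annual cost of holding the extra buffer capital."""
    return extra_capital * cost_of_capital


# Figures from the reading, in $ millions: firm VaR of $50 billion, a project
# that adds $500 million when perfectly correlated, 10% cost of capital.
FIRM_VAR = 50_000.0
PROJECT_VAR = 500.0
COST_OF_CAPITAL = 0.10

# Constructed category VaRs (market, credit, operational) and correlations.
CATEGORY_VARS = [20.0, 30.0, 15.0]
NORMAL_CORR = [[1.0, 0.3, 0.2], [0.3, 1.0, 0.2], [0.2, 0.2, 1.0]]
STRESS_CORR = [[1.0, 0.8, 0.8], [0.8, 1.0, 0.8], [0.8, 0.8, 1.0]]

if __name__ == "__main__":
    for rho in (1.0, 0.3, 0.0):  # 0.3 and 0.0 are constructed scenarios
        extra = incremental_var(FIRM_VAR, PROJECT_VAR, rho)
        charge = capital_charge(extra, COST_OF_CAPITAL)
        print(f"rho={rho:.1f}: extra capital ${extra:,.1f}m, "
              f"annual charge ${charge:,.1f}m")
    print("simple sum of category VaRs:", sum(CATEGORY_VARS))
    print("aggregate, normal times:", round(aggregate_var(CATEGORY_VARS, NORMAL_CORR), 2))
    print("aggregate, stress:", round(aggregate_var(CATEGORY_VARS, STRESS_CORR), 2))
```

With perfect correlation the result matches the reading's $500 million of new capital and $50 million charge; lower correlations shrink both, and the stress matrix pushes the aggregate back toward the simple sum of the category VaRs.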

Practice Question

In decentralizing the risk-return tradeoff in a company, managers are required to perform which of the following activities?

A. Conducting a firm’s audit.

B. Delegating duties.

C. Hiring a third party to conduct a firm’s audit.

D. Highlighting new important projects.

The correct answer is D.

The first three activities are important activities but are not required during the decentralizing of the risk-return trade-off.

Managers are supposed to highlight important projects that can help mitigate risks. By quantifying risk, the management is able to come up with an optimal risk-return tradeoff which, in turn, assures steady access to the capital markets and other resources it needs to implement its strategy and business plan. This is part of the macro benefits of ERM.
