Enterprise Risk Management and Future Trends

After completing this reading, you should be able to:

• Describe Enterprise Risk Management (ERM) and compare an ERM program with a traditional silo-based risk management program.
• Describe the motivations for a firm to adopt an ERM initiative.
• Explain best practices for the governance and implementation of an ERM program.
• Describe risk culture, explain characteristics of strong corporate risk culture, and describe challenges to the establishment of a strong risk culture at a firm.
• Explain the role of scenario analysis in the implementation of an ERM program and describe its advantages and disadvantages.
• Explain the use of scenario analysis in stress testing programs and in capital planning.

A company must analyze risks with each risk type to define and measure the risk, aggregate the risk within diverse business lines, and develop hedging strategies.

However, companies should address each of their significant risks and the interdependence of risks. Since risks are highly dynamic and correlated, an integrated approach is required to manage them. Suboptimal performance may result from a fragmented approach towards risk management in which case, risk is managed in organizational silos. If the interdependence of risks such as credit risk, market risk, operational risk, etc. is not considered in the risk management activities, attempts to address risks are bound to remain inefficient and faulty.

Enterprise Risk Management (ERM)

Enterprise risk management (ERM) is responsible for organizing and coordinating an integrated risk management framework for a firm. It establishes policies and directives for managing risks across business units and provides the senior management with overall control and monitoring of an organization’s exposure to significant risks and incorporates them into strategic decisions. ERM, therefore, goes beyond silo-based risk management by providing a broader and consistent enterprise view of risk. Therefore, it pinpoints the significant threats facing a firm’s life and its core operations.

Motivations for a Firm to Adopt an ERM Initiative

• Risks between and among different silos are highly dynamic and correlated.
• Suboptimal performance may result from a fragmented approach towards risk management in which risk is managed in organizational silos.
• If the interdependence of various risks such as credit risk and market risk is not captured in risk metrics, such metrics are faulty, misleading, and unhelpful.

Since ERM integrates risks of business units, it most often requires a centralized risk management unit so as to provide the Board of Directors and the CEO with an organization-level risk report.

Due to an integration of risk management functions and strategies to deal with risks and their transfer, the ERM approach diversifies risks within an organization across business units. This approach departs from the tendency of the silo technique of risk management to use financial instruments separately for business units and take a portfolio view accounting for all the units together. As such, this approach optimizes the use of derivatives, insurances, etc. to hedge and transfer risks.

By integrating risk management activities with business processes, ERM improves the functioning of business units and influences business decisions.

ERM changes the outlook of risk management from a defensive approach to a strategic offensive tool for making an organization more profitable.

Comparison of ERM Program with Traditional Silo-Based Risk Management Program

$$ \begin{array}{l|l} \textbf{Enterprise Risk Management} & \textbf{Traditional Silo-Based Risk Management} \\ \hline \begin{array}{l} \text{Risk management is executed as an integrated unit} \\ \text{using global risk management and chief risk} \\ \text{officer (CRO).} \end{array} & \begin{array}{l} \text{Risk management is executed in isolated parts of a firm.} \\ \text{firm.} \end{array} \\ \hline \begin{array}{l} \text{Risks are viewed across business lines by} \\ \text{looking at the diversification and the} \\ \text{concentration of the risk.} \end{array} & \begin{array}{l} \text{Risks are viewed at business lines, type of risk,} \\ \text{and functional silos.} \end{array} \\ \hline \begin{array}{l} \text{Rational risk management is based on } \\ \text{cross-universal metrics such as VaR and} \\ \text{scenario Analysis to aggregate risk.} \end{array} & \begin{array}{l} \text{Various risk metrics are used, which cannot be} \\ \text{compared.} \end{array} \\ \hline \begin{array}{l} \text{It is easy to measure and track enterprise risk} \\ \text{since the risk is aggregated across multiple risk-} \\ \text{types.} \end{array} & \begin{array}{l} \text{Seeing the bigger picture of risks is not} \\ \text{possible, if at all, the risks are aggregated.} \end{array} \\ \hline \begin{array}{l} \text{It is possible to reduce the costs of risk transfer} \\ \text{and integrating instruments.} \end{array} & \begin{array}{l} \text{Risks are managed differently using} \\ \text{diverse instruments, making it costly.} \end{array} \\ \hline \begin{array}{l} \text{Each risk management approach is viewed as} \\ \text{one component of a total cost of risk,} \\ \text{measured in a single currency with the} \\ \text{inclusion of risk/reward and cost/benefit} \\ \text{optimization using the same currency.} \end{array} & \begin{array}{l} \text{Each risk management approach is often treated} \\ \text{separately without optimizing the strategy.} \end{array} \\ \hline \begin{array}{l} \text{It is possible to integrate risk management} \\ \text{with balance sheet management, capital} \\ \text{management, and financing strategies.} \end{array} & \begin{array}{l} \text{It is impossible to integrate the management} \\ \text{and transfer of risk with balance sheet} \\ \text{management and financing strategies.} \end{array} \\ \end{array} $$

The Risk Culture

Risk culture refers to defined norms and traditions of how an individual or a group of individuals within a firm can identify, understand, and discuss the risks that confront a firm and the firm’s risk appetite. Strong risk culture in a firm makes ERM most effective.

Post-financial crisis reports of 2007-2009 emphasized that lack of risk culture led to risk management failure in large financial institutions. Other signs of lack of risk culture include money laundering and embargo breaches. Absence of risk culture leads to dire consequences, emphasizing the need by firms to establish and maintain a risk culture.

Creating a risk culture can be challenging because it involves different stakeholders: individuals, the whole enterprise, and individual groups.

The risk perspective of each layer can overlap, creating a gap between the stated goals of an enterprise and the employees. Moreover, risk culture is not easily reared in the way of investigating enterprise progress.

Forming a view of risk culture in an institution assists in taking note of the risk appetite of the institution. One of the approaches in viewing risk culture is using the critical risk culture indicators.

The Risk Culture Indicators

The Financial Stability Board (FSB) has indicated four key risk culture indicators which include:

1.   Incentives

This can be seen in terms of risk-related compensations, which should support a firm’s risk appetite and desired risk culture.

2.   The Tone from the Top

The leadership tone of a firm should be able to go in line with the firm’s core value and communicate and assess business strategies relative to risk appetite.

3.   Accountability

There should be a clear expectation of monitoring and accountability of risks for significant risks in a firm.

4.   Effective Communication and Challenge

There should be clear communication among individuals. Divergence of views should be tolerated and risk management approached with open discussions among a firm’s stakeholders.

The indicators set by FSB are just broad internal culture indicators.

The firm should also consider the environmental (external) culture indicators, which include:

1. Regulatory standards
2. Professional Standards
3. Risk or Corruption indices in a country
4. Economic cycles such as the credit cycle

Modern firms have started addressing the issue of risk using the stated internal indicators or by conducting surveys to know the level of risk culture in their respective firms.

Characteristics of a Strong Risk Culture

Risk culture is a key element of an organization’s enterprise risk management framework, which encompasses the general awareness, attitudes, and behavior of an organization’s employees toward risk and how risk is managed within an organization. It is a key indicator of how widely an organization’s risk management policies and practices have been adopted.

Risk-Related Behavior

Strong risk culture has generally been associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior.

Personal Characteristics

Personal characteristics are important when it comes to strong risk culture. Long-tenured and less risk-tolerant employees and employees with a positive attitude towards risk management are more likely to display desirable risk-related behavior. Those with high personal risk tolerance are more likely to display undesirable risk-related behavior.

Risk Structures

Good risk structures such as policies, controls, IT infrastructure, training, and remuneration systems, etc. appear to support a strong culture and ultimately a less undesirable risk behavior. Good risk structures do not necessarily guarantee good behavior. There have been suggestions that structures such as remuneration are interpreted through the lens of culture.

Staff Ranking

Senior staffs tend to have a significantly more favorable perception of culture than junior staff. This highlights the importance of anonymous and independent risk culture assessments where staff feel safe enough to reveal their true beliefs.

Challenges Facing the Establishment of a Strong Risk Culture in a Firm

Some challenges stand in the way of developing sound risk management. These are:

1. Conflict Between Risk Indicator and Risk Level

The industry wishes to identify indicators, which show the level of their risk culture. However, sometimes these indicators can be used as levers of behavior change comprising the purpose of the indicators and hence the risk culture.

2. Lack of Enough Education

To develop a robust risk culture, the firm should employ simple language in the definition of risk management terms, key concepts, and the role of ERM stakeholders.

3. Time and Space

The risk culture might not have developed in all parts of a firm. Moreover, an enterprise can fail to detect early signs of risk due to lack of proper identification mechanism when multiple signals occur.

4. Cursive Data

Lack of adequate data undermines the development of risk culture to analyze the level of risk culture in an enterprise. However, in the coming years, technological processes such as machine learning have enabled the gathering of enormous data for analyzing signs of risk.

5. Culture cycle

The true nature of an organization’s risk culture is perhaps visible only during times of stress. A risk culture that seems strong today may not survive a crisis in the future. In an effort to withstand buffeting like this, regulators want risk managers to bear real weight within firms; however, as memories of the last crisis fade, this weight diminishes.

Scenario Analysis

Scenario analysis involves visualizing a framework, developing a coherent explanation of why variables do change and assessing its impact on a firm’s risk portfolios.

A scenario analysis should be distinguished from sensitivity testing, which involves varying one parameter or variable in a risk model to determine how sensitive the model is to the variation. Scenario analysis and Sensitivity testing are the primary identification tools of the ERM, which come in handy since the probabilistic risk metrics such as VaR proved to be weak.

Scenario analysis might be qualitative, but many firms have come up with excellent ways of building quantitative models to assess the effect of each scenario on their portfolios and businesses.

Scenario analyses assist firms to determine the impact of unfavorable events and events that do not have historical data.

Advantages of Scenario Analysis

1. There is no need to consider risk frequency beyond its soundness
2. Scenarios can take the form of transparent and intuitive explanations.
3. It challenges a firm to imagine the worst and control the effects.
4. It enables the firms to identify warning signals and build contingency plans for the risk.
5. Scenario analysis does not depend on historical data. Instead, it can be based on either past events or forward-looking hypotheteses
6. Firms have the freedom to make scenario analysis as complicated or straightforward as they want, without the regulator’s interference.

Disadvantages of Scenario Analysis

1. In scenario analysis, it is difficult to determine the probability of events because it does not lead to risk quantification.
2. The future scenarios can become complicated with many choices in place.
3. The extent of firms’ imagination is limited. For example, scenarios might underestimate the effect of an extreme loss occurrence or remove significant risk exposures.
4. The number of appropriate situations that can be developed is limited.
5. The last central crisis often motivates the scenarios chosen; imaginative future scenarios may be dismissed as inappropriate.
6. Scenario analyses are different in terms of quality and sophistication, and so their credibility and assumptions can be challenging to analyze.
7. The applicability of scenario analysis depends on the accuracy, comprehensiveness, and predictive qualities of the firm’s stress test program.

Scenario analysis had been one of the risk management tools even before the global financial crisis. For instance, banks used the short-run selection of historical and hypothetical occurrences from listed events. They compared them with their portfolios to determine which variable applied to the current portfolios and tried to offer an explanation.

After the global financial crisis, banks realized that they had been ignoring the integrated risks along the business lines, the interaction of risks, and behavioral change of market participants in times of stress. Moreover, evidence showed that scenario analysis of that time was not thorough.

Therefore, regulators have reiterated the need for financial institutions to demonstrate their capability to withstand adverse scenarios after the financial crisis. For instance, US regulators insist that big banks should use macroeconomic stress scenarios such as reduction of GDP and employment across their enterprise exposures.

Scenario analysis is applied to stress testing. For instance, if a bank can prove that it can maintain minimum levels of capital ratios and raise capital in a time of stress, then it must revise the business plans of its various departments while lowering its level of risk appetite.

The US stress tests mushroomed when the Supervisory Capital Assessment (SCAP) was conducted in 2009 (after the crisis), whose outcomes assured banks of their stability. From 2011 going forward, the Dodd-Frank Act catalyzed the US Federal Reserve to conduct two annual stress tests using scenario analysis. These tests include:

1. Dodd-Frank Act stress test (DFAST) which is executed in mid-year for the banks with assets above $ 10 billion.
2. Comprehensive Capital Analysis and Reviews (CCAR) which is conducted at the end of each year for the banks with assets above USD 50 billion.

Both of the above methods require banks to develop their scenarios and supervisory situations. However, DFAST is less demanding and applies fewer capital assumptions as compared to CCAR.

The Federal Reserve outlines three crucial macroeconomic scenarios for supervisory purposes:

• Baseline Scenario: This scenario reflects the economic consensus determined by bank economists. It represents the expected or ‘normal’ economic conditions.
• Adverse Scenario: In this scenario, the economy experiences a moderate downturn. While it is not as severe as the severely adverse scenario, it still involves economic challenges, such as reduced economic growth or increased risks.
• Severely Adverse Scenario: This is the most extreme of the three scenarios and encompasses conditions like a global recession and a significant decrease in demand. It depicts an exceptionally difficult economic environment characterized by widespread economic turmoil.

CCAR requires banks to anticipate how these scenarios will impact their income statements and balance sheets over nine quarters. In addition to this, they must also:

1. Give a detailed assessment of capital sourcing and utilization over the planning period.
2. Submit the descriptions of the firm’s procedures and ways of controlling the capital adequacy of the firm
3. Submit a detailed copy of the capital policy
4. Descriptions of the expected changes in business loans that might affect the capital adequacy of the firm.

In each of the stated scenarios, each bank must prove its capacity to maintain minimum levels of capital ratios and raise capital in a time of stress. They also need to predict the behavior of all risk factors impacting their portfolios.

In Europe, stress testing using scenario analysis has developed. A good example is the European Banking Authority (EBA). Even then, it is not as improved as it is in the US. EBA is more static, less complicated, and more flexible in altering risk and business strategies as compared to CCAR because it includes a large number of banks.

ERM and Strategic Formulations

Enterprise risk managers must take part in strategy formulation. One of the latest industries to encourage the application of ERM is corporate planning and strategy. ERM builds a secure link between risk and reward.

Stochastic stress testing is the latest stress testing technique. It provides the practicality of the strategy that ERM applies. Moreover, technology development has made positive scenario simulation easy. This has facilitated macroeconomic stress testing as a part of panning activities such as growth plans and strategic risk management.

Question

GlobalBank, a multinational banking organization, is undergoing a significant transformation in its risk management structure. Historically operating with a traditional silo-based risk management approach, the board recognizes the limitations of this method and is evaluating the implementation of an Enterprise Risk Management (ERM) program. The Chief Risk Officer (CRO) is tasked with contrasting the two approaches, focusing on strategic alignment, capital allocation, risk interdependencies, and organizational culture.

What distinguishes GlobalBank’s potential implementation of an ERM program from its current silo-based risk management approach?

A. ERM would continue to manage risks in separate silos but with more frequent reporting to the board.

B. ERM would identify risk interdependencies and facilitate capital allocation based on a unified risk view, while the silo approach would prioritize risks independently.

C. ERM would place a greater emphasis on external risks, while the silo-based approach would focus on aligning risk management with strategic objectives.

D. ERM would replace all risk management functions, making individual risk assessments obsolete, whereas the silo-based approach emphasizes continuous risk assessments.

Solution

The correct answer is B.

Enterprise Risk Management (ERM) promotes an integrated approach to managing risk that considers the interdependencies between various types of risk. It facilitates strategic capital allocation by looking at the organization’s risk profile holistically, rather than prioritizing risks independently as in the silo-based approach. This distinction encapsulates the fundamental difference between ERM and the traditional silo-based approach and aligns with the specific focus requested by GlobalBank’s board.

A is incorrect because ERM does not simply involve managing risks in separate silos with more frequent reporting; it represents a fundamental shift to a more integrated and strategic view of risk across the organization.

C is incorrect because ERM, not the silo-based approach, typically focuses on aligning risk management with strategic objectives. The assertion about the emphasis on external risks in ERM is also not a defining characteristic of the approach.

D is incorrect because ERM does not replace all risk management functions or make individual risk assessments obsolete. Rather, it enhances risk management by considering how different risks interact and influence one another, something that is overlooked in a silo-based approach.

Things to Remember

• ERM promotes a culture of shared responsibility and collaboration, aiming for a 360-degree view of organizational risk, while the silo-based approach can lead to disjointed and uncoordinated risk management efforts.
• While ERM provides a platform for strategic decision-making by integrating risk across the entire organization, the silo-based approach may create redundancies and inconsistencies, often overlooking interdependencies between risks.
• Implementing ERM often involves leveraging technological tools and frameworks that can dynamically adapt to changes in the risk environment, fostering agility and responsiveness.
• Silo-based risk management may result in suboptimal capital allocation due to a lack of an integrated view of risk, potentially exposing the organization to unforeseen vulnerabilities.