What is ERM?

After completing this reading, you should be able to:

  • Describe enterprise risk management (ERM) and compare and contrast differing definitions of ERM.
  • Compare the benefits and costs of ERM and describe the motivations for a firm to adopt an ERM initiative.
  • Describe the role and responsibilities of a chief risk officer (CRO) and assess how the CRO should interact with other senior management.
  • Describe the key components of an ERM program.

Companies should address each of their significant risks and the interdependence of risks. Since risks are highly dynamic and correlated with each other, an integrated approach is required in their management. Suboptimal performance may result from a fragmented approach toward risk management in which risk is managed in organizational silos. If the interdependence of risks such as credit risk, market risk, operational risk, etc. is not captured in the risk management activities, the attempts to address risks are bound to remain inefficient and faulty.

Enterprise risk management (ERM) is responsible for organizing and coordinating an integrated risk management framework for a firm. It establishes policies and directives for managing risks across business units and provides the senior management with overall control and monitoring of an organization’s exposure to significant risks. Since individual risk functions have different measures and methodologies of measuring and reporting risks, the management may not have a clear picture of a firm’s total risk exposure. Top management should have information about the indicators of risk, the priority with which the risks are to be addressed, actual losses in the past, and their assessment and regulatory requirements as well as corporate risk policies. ERM is effective in providing the management with a firm-wide picture of the risks that the business units face.

Definition

ERM can be defined as a holistic plan-based risk management strategy where a firm identifies and methodically addresses the potential risks to the achievement of strategic objectives, taking the interrelationships among various risks into account.

Alternative Definitions

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined ERM in 2004 as follows:

“ERM is a process, effected by an entity’s board of directors, management and other personnel applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

According to the International Organization for Standardization (ISO 31000), risk is the “effect of uncertainty on objectives” and risk management refers to “coordinated activities to direct and control an organization with regard to risk.”

Benefits of ERM

  • Since ERM integrates risks of business units, it most often requires a centralized risk management unit for providing the board of directors and the CEO with organization-level risk reports.
  • Due to the integration of risk management functions and strategies to deal with risks and their transfer, the ERM approach diversifies risks within an organization across business units. This approach avoids the tendency of the silo approach of risk management to use financial instruments separately for business units. Instead, it takes a portfolio view that accounts for all the units together. Therefore, this approach optimizes the use of derivatives, insurance, etc. to hedge and transfer risks.
  • By integrating risk management activities with business processes, ERM improves the functioning of business units and influences business decisions.
  • ERM changes the outlook of risk management from a defensive approach to a strategic offensive tool for making the organization more profitable.

Organizational Efficiency

The ERM approach to risk management and the presence of the chief risk officer in a firm enable the integration of risk management activities across business units and allow efficient management of risk interdependencies. Since almost all firms have finance, audit, and compliance functions, the ERM function enables them to function in a cohesive manner.

Risk Reporting

In the silo approach to risk management, each business unit has its own measure of risk and methodology for reporting risk. These reports may not represent the overall organizational risk and may be contradictory. Since the board of directors needs to address the risks in their order of priority so that the overall business conforms to the risk appetite, it needs to have an organization-level perspective of the risks and their impacts on turnover. The ERM function can provide the board with such details. Besides, it can bring policy exceptions, risk limit breaches, and priority of individual business risks to the attention of the board.

Business Performance

An integrated top-down approach to risk management furnished by the ERM function provides directives for rationalizing key business decisions such as resource allocation, competitive pricing, product differentiation, etc. A portfolio view of all risks leads to adequate handling of risk interdependencies and efficient risk hedging as well as risk transfer. The ERM function enables companies to make risk-adjusted decisions on the basis of company-wide risk exposures and strategies to mitigate or handle them. This, in turn, improves the performance and efficiency of the company.

The board of directors, regulators, and auditors are concerned with an organization’s methods of risk management and the effectiveness of such methods. Further, the availability of a wide range of risk transfer products such as credit derivatives, direct pressure from rating agencies and stakeholders, and the availability of measures such as VaR (value at risk) that can be used in almost all business units have made it less acceptable to manage risk in obsolete ways.

The Chief Risk Officer

The Chief Risk Officer (CRO) reports directly to the board of directors on the overall risk exposure of a firm and risk mitigation methods. In addition, the CRO is the leader of the ERM function in a firm. Moreover, the CRO supervises an organization’s risk management framework and lays down policies and directives for integrating business units’ risks into a portfolio structure. Further, note that the CRO devises risk indicators to present an overall report of business risk and key exposures to the board of directors. Aside from the roles cited so far, the CRO is also responsible for resource and capital allocation based on a firm’s priorities and risk-adjusted returns possible from investments. Lastly, the CRO reports a firm’s key risk exposures, the methodology of risk management, and the firm’s long-term financial health prospects to the stakeholders such as the board of directors, regulators, etc.

For the CRO to discharge their roles effectively, an organization should allow them direct access to the board of directors. The presence of the CRO and a dedicated risk management function have increased the efficiency with which organizations tackle their risk exposures. The option to let the CEO or the CFO assume the CRO’s roles may lead to detrimental consequences for a firm’s long-term economic health because the function of a CEO to improve business profits may lead them to undermine the risk associated with returns.

The necessary skills and qualities that a CRO should have are as follows:

  • Leadership skills to lead the ERM function and the ability to spot and hire able risk professionals.
  • Technical skills to manage all types of risks an organization is exposed to, and the ability to frame risk management policies.
  • Reporting and consultation skills to present the risk status of a firm to the board in simple terms.
  • Ability to persuade business units to steer themselves in the direction of gaining long-term risk-adjusted momentum for a firm.
  • Ability to steer an organization in the direction benefitting stakeholders besides improving the value of the firm’s assets.

Components of ERM

Corporate Governance

Appropriate organizational processes, policies, and directives related to the measurement and management of risk should be laid down by the board of directors and the management of the firm. Regulatory requirements and penalties associated with non-compliance force the management to take risk management very seriously. From the viewpoint of enterprise risk management, the board of directors should:

  • Define the risk appetite of the firm, the leverage that the firm should acquire, the target debt rating, etc.
  • Ensure that proper risk management personnel and practices are in place.
  • Establish the framework of enterprise risk management alongside the allocation of roles and responsibilities.
  • Devise measures and methodologies of handling risks such as market risk, credit risk, etc. in an integrated fashion.
  • Create benchmarks, based on industry-wide practices, for the company’s internal assessment and audit processes.
  • Not merely pay lip service to the risk management function but also fortify the risk culture through methods such as risk-adjusted return-based compensation.

Line Management

Line management should consider the corporate risk policy while making business decisions. In addition, line management should steer business strategies in the direction that is the most suitable for increasing risk-adjusted returns. Risks related to business lines should be priced into products and services. Further, business decisions should be made after accounting for expected losses, opportunity costs, long-term profitability, and required expertise as well as resources to align risks with corporate risk policies. Audit and review functions should be premised upon due diligence. Most importantly, risk-adjusted returns and pricing should be taken into consideration for assessing growth opportunities.

Portfolio Management

The risk management function should not assess and handle the risks of business units individually. Rather, for ensuring internal diversification and for optimizing overall company returns, individual units should be considered together as parts of a portfolio, and specific risks and return limits should be set for them. The integration of risk management functions can help in the creation of natural hedges within a company, thus reducing transaction costs. Thus, the ERM function associates the shareholder value creation process with risk management.

Risk Transfer

Financial instruments such as options, futures, and insurance can be used to reduce and transfer risks that are undesirable for a firm. A portfolio view of risks helps to assess the combination of financial products that provide the most cost-effective solution to the risk reduction and transfer problem. Integrated risk management also helps to use natural hedging strategies that exist in the risk portfolio. For example, a firm may hedge part of its currency risks by matching its payables with receivables. Firms should structure their business policy to reduce the accumulation of high amounts of risk in certain areas where risk-adjusted returns are not promising.

Risk Analytics

Advanced technology and risk management techniques can be used to calculate the cost of risk reduction and transfer through financial products. Risk management strategies should be based on comparative advantage and risks should only be transferred if the cost involved is not more than the cost incurred by holding it. Therefore, risk analytics provides methods to assess cost-effectiveness in hedging and transferring risk as well as increasing risk-adjusted returns, risk-adjusted net present value, etc.

Data and Technology Resources

Data from underlying businesses and the market should be aggregated to make a fair assessment of business lines and risk management functions associated with them. ERM should ensure this aggregation and should also lay down principles and strict guidelines to preserve and improve the quality of data fed into risk management systems. An organization should have good-quality software and technological assets to be used for the risk management function.

Stakeholder Management

Since the ultimate goal of a firm should be stakeholder value maximization, appropriate risk management policies that make the entire process transparent to the stakeholders should be established. The board of directors should have periodic reports about the risk exposures of a firm while the regulators should be assured that the firm is complying with all industry standards. Communication of risk management methods, along with the assurance of their integrity and appropriateness, is absolutely essential for a firm’s healthy continuation of the business.

Practice Question

A small, upcoming credit rating agency is in the process of establishing the methodology it will use to assess the creditworthiness of both domestic and foreign banks operating in the region. The following are benefits of bringing each bank’s ERM capabilities into the assessment except:

A. The banks’ risk management capabilities could give important clues about their ability to meet long-term financial obligations.

B. The agency could be able to come up with a tailored methodology that takes each institution’s business lines (rather than a “one size for all” approach) into account.

C. Assessing risk management procedures would be inexpensive.

D. Developing ERM assessment skills may give the rating agency a competitive edge in the market.

The correct answer is C.

Statement C above is incorrect since the assessment of risk management procedures across an entire organization would likely involve substantial costs that would, in turn, increase the cost of the credit agency itself.
